Behind the CTF Guide “Breaking & Entering: A Pocket Guide for Friendly Remote Admins"

At DEF CON 29, we gave away physical copies of the pocket-sized capture-the-flag (CTF) guide, “Breaking & Entering: A Pocket Guide for Friendly Remote Admins.” I am happy to announce that the PDF version of that CTF guide is now available for download!

Download "Breaking & Entering"

 

How This CTF Guide Came to Be

This project has been a personal labor of love for me. I created “Breaking & Entering” as a pocket reference that provides cybersecurity and sysadmin professionals a concise and comprehensive collection of technical information, tables, commands, and techniques for CTF engagements. My ultimate goal was to produce an attractive, easy-to-navigate guide that could be just as helpful to security professionals as "The Little Know It All: Common Sense For Designers" is to graphic designers.

Designed to serve as a complete CTF engagement roadmap, someone participating in a CTF competition could use this asset as either a step-by-step guide or as a reference during any given phase. The book encompasses the OSINT and reconnaissance phase, host enumeration and post-exploitation actions, secure pivoting (tunneling), and exfiltration. Finally, it also provides technical documentation references (such as NIST publications, tunneling worksheets, etc).

How to Use This CTF Guide

So how can you practically use “Breaking & Entering” while competing in a CTF or during an actual security engagement? Read on to see how the contents of this guide correspond to various phases of an engagement.

  • OSINT/Recon. Here, the guide focuses on Google Hacking. Also known as “Google Dorking,” Google Hacking is a convenient feature of the Google search engine. While this feature allows for the use of more advanced operands to query the indexed results that Google maintains, it is frequently used for quick and easy enumeration. These searches can be as simple as looking for all PDFs currently hosted on a given domain such as `site:sans.org filetype:pdf,’ or as complex as queries that look for files that contain potentially sensitive information, with a given extension, seen in the last x amount of day(s).

  • Networking. Networking is fundamental to offensive security. You’re not hacking anything without it, and you’re certainly not hacking anything well without understanding it. As the communication rules of the digital road, you need to understand the different protocols and procedures that make packets move. The guide touches on routing protocols, Ethernet and Wi-Fi types, and IPv6 fundamentals. It also has a few convenient tables of reference information; it even contains a color-coded table that breaks out various packet headers.

  • Tunneling. Tunneling (encapsulation) is the use of (hopefully secure) connections between two systems to move data from one host or network to another. This is the primary means of connecting to and moving through a network. The guide covers the essential tools that can be used to build tunnels. There are other methods available, but this guide tries to stick to the most common ones.

  • Windows. It’s impossible to understand how to use a system – much less how to exploit one – without first enumerating it. This guide includes a thorough initial list of commands to use to investigate a host system. It also includes information on examining and understanding process lists, an SMB/Kernel version chart for matching enumerated information to system versions, common registry locations, and other nuggets of Windows wisdom. These all help make querying and sorting through information much faster and more effective. The guide also offers up a few methods of doing this (like WMIC, PowerShell, CMD), which become more important as a user encounters older systems.
  • Nix. The guide includes a healthy list of commands and methods for enumerating a host. These are often the commands that are automated into a script for accuracy and consistency, and aid in locating binaries or other files that will allow you to escalate privileges and migrate to other hosts on the network (or more importantly, determine what is preventing privesc).

What’s Coming in Version 2.0

In an upcoming version 2.0, I plan to include new topics such as Amazon Web Services (AWS)/Microsoft Azure, Shodan searching, and more. My foremost hope for V2 is to add in more cloud security content and search templates for using the Shodan web interface.

No matter how much information is added in the upcoming edition, I intend to keep “Breaking & Entering” lightweight and streamlined, making sure it remains an effective resource that is organized and efficient.

If you have any ideas or suggestions, please reach out to me via my GitHub or Twitter.

Follow Bishop Fox on social media (Twitter and Discord) to keep tabs on when the updated version 2.0 goes live.

Download “Breaking & Entering"