Network Security
Module B
Cybersecurity incident response, digital forensics investigations, and application security
Contents
Module B Competition Project Sample Questions
Equipment and Materials Required
Part 1 Network Security Incident Response
Material list for this task: WebServer server virtual machine (Linux or Windows operating system)
Material list for this task: memory image (*.vmem), storage image (*.img, etc.)
Task 3: Network packet analysis and forensics
Material list for this task: captured network packet files (*.pcapng, *.pcap, etc.)
Task 4: Computer stand-alone forensics
Material list for this task: forensic image files (*.e01, *.img, etc.)
Task 5: Application Security Analysis
Material list for this task: application files (ELF, *.exe, *.sys, etc.)
Material list for this task: source code snippets (PHP, Python, C, Java, etc.)
Module B Competition Project Sample Questions
This file is the sample question set for the Network Security Project of the Third Guangdong Vocational Skills Competition, Module B. The duration of this competition is 4 hours.
The competition has fixed start and end times, and teams must decide how to allocate their time efficiently. Please read the following guidelines carefully!
(1) When the competition is over, please do not shut down the machine when leaving;
(2) All configurations must remain valid after a reboot;
(3) Please do not modify the configuration of the physical machine or the hardware settings of the virtual machine itself.
Equipment and Materials Required
All test items can be completed by competitors with the equipment and software specified in the infrastructure list.
According to the standard specification of the skill competition in the current technical description, the module score of this test item is 35 points.
With the continuous development of networks and the level of informatization, network security incidents keep emerging one after another. Network attacks such as malicious code propagation, information theft, information tampering and remote control seriously threaten the confidentiality, integrity and availability of information systems. Therefore, technical work such as countering network attacks, organizing emergency response to security incidents and collecting electronic evidence is an important part of network security protection. Group A has now suffered an illegal malicious attack from an unknown organization. Your team needs to help Group A trace the source of this network attack, analyze the evidence left by the malicious attack, and find the vulnerabilities or malicious code in the operating system and applications, so that Group A can consolidate its network security defenses.
The task is divided into the following parts:
● Response to network security incidents
● Digital forensics investigation
● Application Security
The test materials for each task in this part have been placed in the corresponding task directory on the contestant's operating machine. After completing a task, please fill in the answers in the file "The Third Guangdong Province Vocational Skills Competition Network Security Project - Module B Answer Sheet" on the computer desktop.
The software required for the competition is already provided on the competitor
Part I Cyber Security Incident Response
The Web Server of Group A was hacked: malware was uploaded to the server's web application system and system files were damaged by the malware. Your team needs to help the company trace the source of this network attack and conduct a comprehensive inspection of the server, including log information, process information, system files and malicious files, in order to analyze the hacker's attack behavior and the key evidence left behind.
List of materials for this task: WebServer server virtual machine (Linux or Windows operating system)
The attacked WebServer server has been packaged as a VMware virtual machine; please start the virtual machine and log in to the operating system for analysis.
Operating system login username/password: root/123456
Please complete the task of this part according to the requirements of the answer sheet.
Task 1: Emergency Response
| No. | Task requirement | Answer |
| 1 | Please submit the IP address of the attacker | |
| 2 | Please write down the operating system used by the attacker | |
| 3 | Please submit the name of the Trojan file written by the attacker | |
| 4 | ...... | |
Part II Digital Forensics Investigation
A computer system of Group A was attacked and taken over by malicious actors, who are suspected of having carried out sabotage and stolen sensitive information within the group. Please analyze the system image and memory image provided by Group A, locate the malware in the system image and analyze its behavior.
Material list: memory image (*.vmem), storage image (*.img, etc.)
Please complete the task of this part according to the requirements of the answer sheet.
Task 2: OS Forensics
| No. | Task requirement | Answer |
| 1 | Please submit the last command executed by the attacker | |
| 2 | Please write down the Flag hidden in a file on the desktop, submission format: Flag{...} | |
| 3 | Please indicate the PID of the malicious process in memory | |
| 4 | ...... | |
Task 3: Network packet analysis and forensics
The network security monitoring system of Group A found that malicious attackers attacked the official website of the group and captured some suspicious traffic packets. Based on the captured traffic packets, please search for network attack clues and analyze the malicious behavior of hackers.
Material list for this task: captured network packet files (*.pcapng, *.pcap, etc.)
Please complete the task of this part according to the requirements of the answer sheet.
Task 3: Network packet analysis and forensics
| No. | Task requirement | Answer |
| 1 | Please submit the time at which the attacker's attack succeeded, format: (YYYY-MM-DD HH:mm:SS.SSSSSS) | |
| 2 | Please indicate the file name | |
| 3 | Please decrypt the encrypted data content returned by the server | |
| 4 | ...... | |
Task 4: Computer stand-alone forensics
Analyze the given forensic image file and search for the evidence keywords (the clue keywords are "evidence 1", "evidence 2", ..., "evidence 10", in text form or image form, case-insensitive); please extract and preserve the target evidence files required by the competition
accounted for no less than 15%. Forensic information may be hidden in normal, deleted or damaged files, and you may need transcoding techniques, encryption and decryption techniques, steganography techniques, data recovery techniques and familiarity with commonly used file formats (such as office documents, compressed archives, pictures, etc.).
List of materials for this task: forensic image files (*.e01, *.img, etc.)
Please complete the task of this part according to the requirements of the answer sheet.
| Evidence number | File name in the forensic image | Hash of the original file in the image (MD5, case-insensitive) |
| evidence1 | | |
| evidence2 | | |
| evidence3 | | |
| evidence4 | | |
| evidence5 | | |
| evidence6 | | |
| evidence7 | | |
| evidence8 | | |
| evidence9 | | |
| evidence10 | | |
Note: Each piece of evidence is scored only if both the file name and the hash are correct.
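As an added worked example (not part of the competition material), a Python scanner for the text-form half of this task: it walks an already-extracted image tree, matches the keywords "evidence 1" to "evidence 10" case-insensitively in raw, base64-encoded and hex-encoded content, and records each hit's file name and MD5 in the shape the answer table expects. Keywords in image form and deleted or damaged files still need OCR, carving or recovery tools, which are out of scope here; the directory layout and file contents below are constructed.

```python
import base64
import hashlib
import re
import tempfile
from pathlib import Path

# Keyword pattern from the task: "evidence 1" .. "evidence 10", case-insensitive,
# optional whitespace between word and number, and no extra trailing digit.
EVIDENCE_RE = re.compile(rb"evidence\s*(10|[1-9])(?!\d)", re.IGNORECASE)

def md5_hex(path):
    """MD5 of the file exactly as stored in the image (the answer sheet is case-insensitive)."""
    return hashlib.md5(Path(path).read_bytes()).hexdigest()

def candidate_views(data):
    """Raw bytes plus simple transcodings (base64, hex) that may hide the keyword."""
    yield data
    try:  # whitespace stripped so line-wrapped base64 still decodes
        yield base64.b64decode(re.sub(rb"\s", b"", data), validate=True)
    except ValueError:
        pass
    try:
        yield bytes.fromhex(data.decode("ascii"))
    except (ValueError, UnicodeDecodeError):
        pass

def scan_extracted_image(root):
    """Map evidence number -> (file name, md5) over an extracted image tree."""
    found = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        for view in candidate_views(path.read_bytes()):
            for m in EVIDENCE_RE.finditer(view):
                found.setdefault(int(m.group(1)), (path.name, md5_hex(path)))
    return found

def demo():
    """Constructed sample tree (not competition material): returns (found, expected md5s)."""
    root = Path(tempfile.mkdtemp())
    files = {
        "notes.txt": b"The secret is EVIDENCE 2 inside",
        "blob.b64": base64.b64encode(b"report: evidence 7 attached"),
        "dump.hex": b"evidence10 final".hex().encode(),
        "other.bin": b"evidence 11 and evidence 0 must not match",
    }
    for name, content in files.items():
        (root / name).write_bytes(content)
    expected = {name: hashlib.md5(c).hexdigest() for name, c in files.items()}
    return scan_extracted_image(root), expected
```

Run against a mount or export of the image rather than the raw *.e01/*.img file, and hash the original file as it sits in the image, not a re-saved copy.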
Task 5 : Application Security Analysis
Group A found suspicious application samples during network monitoring. Your team needs to assist Group A in reverse-engineering the suspicious application, investigating and collecting evidence of the hacker's attack, and submitting a forensic analysis report with the relevant information.
Material list for this task: application files (ELF, *.exe, *.sys, etc.)
Please complete the task of this part according to the requirements of the answer sheet.
Task 5: Application Security Analysis
| No. | Task requirement | Answer |
| 1 | Please write the name of the file written by the malicious program (without the path) | |
| 2 | Please write the server domain name that the malicious program communicates with remotely | |
| 3 | Please point out the destructive behavior of the malicious program | |
| 4 | ...... | |
Code auditing means inspecting source code to look for vulnerabilities in it; it is a technique that requires skills in many areas. As part of software security inspection, code security review is a very important component, because most code is syntactically and semantically correct yet contains security vulnerabilities that could be exploited, and you must rely on your knowledge and experience to complete this work.
Please complete the task of this part according to the requirements of the answer sheet.
Task 6: Code Audit
| No. | Task requirement | Answer |
| 1 | Please point out the line of code with the security problem (write only one line) | |
| 2 | Please write down what vulnerability or weakness exists in that line of code | |
| 3 | ...... | |
| No. | Description | Score |
| B | Network security incident response, digital forensics investigation, application security | 35 |
| B1 | Emergency response | 8 |
| B2 | Operating system forensics | 6 |
| B3 | Network packet analysis and forensics | 6 |
| B4 | Computer stand-alone forensics | 7 |
| B5 | Application security analysis | 6 |
| B6 | Code audit | 2 |