文中介绍的所有工具,均在压缩包中,结合本文更便于大家下载使用,快速上手。
CTF common tools download
Common tools necessary for CTF competitions
-
- 1. What is CTF
- 2. The importance of tools in the game
- Three, commonly used MISC (miscellaneous) tools
-
- 1. Audacity (Auxiliary tool for extracting Morse code)
- 2. stegsolve (image steganalysis tool)
- 3. QR_Research (QR code tool)
- 4. ZipCenOp.jar (verify whether it is a fake encryption tool)
- 5. AAPR (rar password cracking tool)
- 6. Ziperello (zip password cracking tool)
- 7. Winhex (program viewing and debugging tool)
- 8. RouterPassView (router configuration viewing tool)
- Four, commonly used REVERSE (reverse) tool
-
- 1. ExeinfoPe (judging the software version and whether it has a shell)
- 2. IDA64 bit
- 3. IDA32 bit
- Five, ctf commonly used scanning dictionary
1. What is CTF
In the problem-solving mode CTF competition system, participating teams can participate through the Internet or on-site network. This mode of CTF competition is similar to the ACM programming competition and the Informatics Olympiad. The ranking is based on the score and time for solving network security technology challenges. Usually used for online tryouts.
It mainly includes six categories: PWN, CRYPTO (decryption), REVERSE (reverse), WEB, MISC (miscellaneous)
.REVERSE(逆向)和MISC(杂项),在比赛中要使用大量的辅助工具,才能快速解题。本文章也主要聚焦这两类赛题的工具。
2. The importance of tools in the game
-
Friends who have participated in CTF competitions know that when every second counts in a competition but has no clue, a suitable tool can often directly determine the result of the competition.
-
This is especially true for many friends who are new to CTF. The problem itself is difficult. If we don't even have the basic tools, it will be very difficult to find the problem in the first step, let alone solve the problem.
本文就给大家介绍几款CTF比赛中常用的工具,
文中介绍的所有工具,均在压缩包中,结合本文更便于大家下载使用,快速上手。
[CTF common tools download]
What is introduced in this article
常用且基础的工具, maybe you have better and more powerful tools, you might as well share them and learn and progress together. But before the competition, the basic tools introduced in this article are not available on the computers of the students, so it is still a bit sloppy, haha.
Three, commonly used MISC (miscellaneous) tools
1. Audacity (Auxiliary tool for extracting Morse code)
When encountering an audio file in a question and hearing sounds of different lengths, it is often a Morse code question. Are you still foolishly relying on your own ears to hear how long or short it is? Stop dreaming, you're not a spy, you can't handle it. Just drag the file into this software, as shown in the picture below, it is clear at a glance.
2. stegsolve (image steganalysis tool)
This software is very commonly used. It is recommended to search online to learn how to use it after downloading it.
The simple introduction is: select suspicious pictures to open. Use four functions to see various information hidden in the picture.
Open the suspicious animation
because it is an animation, choose to view it frame by frame, and it turns out that information is hidden one after another starting at frame 21
()
3. QR_Research (QR code tool)
A tool for finding QR code information, select a screenshot in the tool to view the QR code
4. ZipCenOp.jar (verify whether it is a fake encryption tool)
Some archives are pseudo-encrypted. The manifestation is that the compressed package needs to decompress the password, but the cracking tool cannot find the password. If it is pseudo encryption, in fact, as long as a certain bit in the hex file is changed to an even number, it can be opened without a password. The specific principle can be searched by yourself. (For details on how to modify, see the introduction of the Winhex tool below)
5. AAPR (rar password cracking tool)
The rar compressed package is encrypted and cannot be opened, it does not matter, use this tool to easily crack
6. Ziperello (zip password cracking tool)
The usage method is similar to the above software, but this speed is faster, close to the cracking speed of quasi-industrial level, which is amazing.
7. Winhex (program viewing and debugging tool)
It is very simple to use, just drag the file into winhex. As in the above question, drag the pseudo-encrypted compressed package into this file, modify the hex (just change the odd number to an even number), and crack the encryption protection.
Before modification, the last blue line is 09 00.
After modification, it is 08 00. Then save it as a compressed file, open it directly, and no password is required. The pseudo-encrypted compressed package is just such a paper tiger, nothing more.
This article focuses on the use of tools. The detailed principles of pseudo-encryption can be found online, and there are many introduction articles.
8. RouterPassView (router configuration viewing tool)
I have worked so hard to get some configuration files for routers and switches, but they either cannot be opened or are garbled. Might as well try this tool that specializes in viewing the configuration files of certain brands of routers. See the picture below, at a glance:
Four, commonly used REVERSE (reverse) tool
REVERSE (reverse) is a tiankeng. This article does not involve the detailed explanation of the principle, but only introduces the software and some basic operations. Otherwise, even writing a series is not enough.
It doesn't matter if you get the REVERSE (reverse) topic, just follow the routine:
- The first choice is to use the tool exeinfoPe to determine whether the program to be cracked has a shell, 32-bit or 64-bit
- If you want to unpack, you can use kali's own command upx -d filename
- Then open the corresponding 32-bit or 64-bit IDA PRO
- Follow up to see everyone's reverse skills and luck.
1. ExeinfoPe (judging the software version and whether it has a shell)
Judging two points, the display is simple and clear at a glance
1. 32-bit or 64-bit software
2. Whether there is a shell.
2. IDA64 bit
If the file is 64-bit, it must be opened with 64-bit IDA.
-
Press shift+F12 in IDA to enter the Strings window to view sensitive strings
-
Double-click the suspected sensitive string to enter another page, right-click List cross references to on that line, and then click ok.
- Press F5 to turn into pseudocode, and then see everyone's skills...
The 32-bit IDA operation is also the same.
3. IDA32 bit
The operation is the same as above and will not be repeated here. Whether it is 32-bit or 64-bit IDA software has integrated pseudo-code function, which can be used with confidence.
Five, ctf commonly used scanning dictionary
This dictionary is very small. The key is that there is not a lot of time spent on scanning during the competition, so it is short and concise, with high accuracy. Currently, only 247 paths or files are included, all of which have appeared in previous competitions. For reference. , according to your actual situation, you can continuously add to it.
If you have a better game-specific dictionary, you can share it.
文中介绍的所有工具,均在压缩包中,结合本文更便于大家下载使用,快速上手。
CTF common tools download
Digression
Many people who are new to the computer industry or graduates of computer-related majors have encountered obstacles everywhere due to lack of practical experience. Let's look at two sets of data:
-
The 2023 national college graduates are expected to reach 11.58 million, and the employment situation is severe;
-
According to the data released by the National Network Security Publicity Week, by 2027, the shortage of network security personnel in my country will reach 3.27 million.
On the one hand, the employment situation of fresh graduates is severe every year, and on the other hand, there is a gap of one million cyber security talents.
On June 9, the 2023 edition of the Employment Blue Book of MyCOS Research (including the 2023 Employment Report for Undergraduates in China and the Employment Report for Higher Vocational Students in China in 2023) was officially released.
Top 10 Majors with Higher Monthly Salary for 2022 College Graduates
The monthly income of undergraduate computer science majors and higher vocational automation majors is relatively high. The monthly income of the 2022 class of undergraduate computer science and higher vocational automation majors is 6,863 yuan and 5,339 yuan, respectively. Among them, the starting salary of undergraduate computer majors is basically the same as that of the 2021 class, and the monthly income of higher vocational automation majors has increased significantly. The 2022 class of overtaking railway transportation majors (5295 yuan) ranks first.
Specifically, depending on the major, the major with a higher monthly income for undergraduates in 2022 is information security (7579 yuan). Compared with the class of 2018, undergraduate majors related to artificial intelligence, such as electronic science and technology, automation, performed well, and their starting salaries increased by 19% compared with five years ago. Although data science and big data technology are newly added majors in recent years, they have performed well, and have ranked among the top three majors with higher monthly income half a year after graduation for the 2022 class of undergraduates. The only humanities and social science major that entered the top 10 undergraduate high-paying list five years ago-French has dropped out of the top 10.
"There is no national security without cybersecurity". At present, network security has been elevated to the height of national strategy and has become one of the most important factors affecting national security and social stability.
Characteristics of the network security industry
1. The employment salary is very high, and the salary rises quickly. In 2021, Liepin.com released the highest employment salary in the network security industry, which is 337,700 yuan per capita!
2. There is a large talent gap and many employment opportunities
On September 18, 2019, the official website of the "Central People's Government of the People's Republic of China" published: my country needs 1.4 million cyberspace security talents, but schools across the country train less than 1.5 million people each year. Liepin.com's "Cyber Security Report for the First Half of 2021" predicts that the demand for cyber security talents will be 3 million in 2027, and there are only 100,000 employees currently engaged in the cyber security industry.
The industry has a lot of room for development and many jobs
Since the establishment of the network security industry, dozens of new network security industry positions have been added: network security experts, network security analysts, security consultants, network security engineers, security architects, security operation and maintenance engineers, penetration engineers, information security management Data Security Engineer, Network Security Operations Engineer, Network Security Emergency Response Engineer, Data Appraiser, Network Security Product Manager, Network Security Service Engineer, Network Security Trainer, Network Security Auditor, Threat Intelligence Analysis Engineer, Disaster Recovery Professional , Actual combat offensive and defensive professionals...
Great career potential
The network security major has strong technical characteristics, especially mastering the core network architecture and security technology in the work, which has an irreplaceable competitive advantage in career development.
With the continuous improvement of personal ability, the professional value of the work will also increase with the enrichment of one's own experience and the maturity of project operation, and the appreciation space is bullish all the way, which is the main reason why it is popular with everyone.
To some extent, in the field of network security, just like the doctor profession, the older you are, the more popular you become. Because the technology becomes more mature, the work will naturally be valued, and promotion and salary increase are a matter of course.
How to Learn Hacking & Cyber Security
Today, as long as you give my article a thumbs-up, I will share my private collection of online security learning materials with you for free, so let’s see what is there.
1. Learning Roadmap
There are also many things to learn in attack and defense. I have written all the specific things to learn in the roadmap above. If you can learn them, you will have no problem getting a job or taking private jobs.
2. Video Tutorial
Although there are many learning resources on the Internet, they are basically incomplete. This is a video tutorial on cyber security recorded by myself. I have a supporting video explanation for every knowledge point in the above roadmap.
The content covers the study of network security law, network security operation and other guarantee assessment, penetration testing basics, detailed explanation of vulnerabilities, basic computer knowledge, etc., which are all learning contents that must be known when getting started with network security.
(It’s all packed into one piece and cannot be unfolded one by one. There are more than 300 episodes in total)
Due to limited space, only part of the information is shown, you need to click the link below to get it
CSDN spree: "Hacker & Network Security Introduction & Advanced Learning Resource Pack" free sharing
3. Technical documents and e-books
The technical documents are also compiled by myself, including my experience and technical points of participating in large-scale network security operations, CTF and SRC vulnerability mining. There are also more than 200 e-books. Due to the sensitivity of the content, I will not show them one by one.
Due to limited space, only part of the information is shown, you need to click the link below to get it
CSDN spree: "Hacker & Network Security Introduction & Advanced Learning Resource Pack" free sharing
4. Toolkit, interview questions and source code
"If you want to do a good job, you must first sharpen your tools." I have summarized dozens of the most popular hacking tools for everyone. The scope of coverage mainly focuses on information collection, Android hacking tools, automation tools, phishing, etc. Interested students should not miss it.
There is also the source code of the case and the corresponding toolkit mentioned in my video, which can be taken away if needed.
Due to limited space, only part of the information is shown, you need to click the link below to get it
CSDN spree: "Hacker & Network Security Introduction & Advanced Learning Resource Pack" free sharing
Finally, there are interview questions about Internet security that I have sorted out in the past few years. If you are looking for a job in Internet security, they will definitely help you a lot.
These questions are often encountered in interviews with Sangfor, Qi Anxin, Tencent or other major companies. If you have good questions or good insights, please share them.
Reference analysis: Sangfor official website, Qi Anxin official website, Freebuf, csdn, etc.
Content features: clear organization, including graphic representation, which is easier to understand.
Summary of content: Including intranet, operating system, protocol, penetration test, security service, vulnerability, injection, XSS, CSRF, SSRF, file upload, file download, file inclusion, XXE, logic vulnerability, tool, SQLmap, NMAP, BP, MSF…
Due to limited space, only part of the information is shown, you need to click the link below to get it
CSDN spree: "Hacker & Network Security Introduction & Advanced Learning Resource Pack" free sharing