SANS Pen Test Poster: Pivots Payloads Boardgame


We are excited to introduce to you the new SANS Penetration Testing Educational Poster, “Pivots & Payloads Board Game”! It is a poster and a board game. How is it a board game? You can lay it down on a table, cut out the game pieces and game modifiers, use a dice to move your piece around the board…and play with your friends, colleagues, and/or family.

The board game takes you through pen test methodology, tactics, and tools with many possible setbacks that defenders can utilize to hinder forward progress for a pen tester or attacker. The game helps you learn while you play. It’s also a great way to showcase to others what pen testers do and how they do it.

We have made the poster/board game available to download, with additional downloads of the cheat sheets, game pieces, and game modifiers. We will add additional content to this blog page as we continue to evolve the board game and improve on it in future versions.

Download PDF of Pivots & Payloads:



Additional Pivots & Payloads:

Desktop Wallpaper



Game Pieces – Print PDF


Cheat Sheets – Print PDF




Pen Test Cheat Sheets:

SANS Pen Test Training:

SANS Pen Test Posters:

Build your Skills (Free):

SANS Penetration Testing Webcasts (YouTube):

Upcoming SANS Special Event – 2018 Holiday Hack Challenge


SANS Holiday Hack Challenge – KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying like video game, by the makers of SANS NetWars
  • Learn more:
  • Play previous versions from free 24/7/365:

Player Feedback!

  • “On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team.” – @mikehodges
  • “#SANSHolidayHack Confession – I have never used python or scapy before. I got started with both today because of this game! Yay!” – @tww2b
  • “Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa” – @dnlongen

Mount a Raspberry Pi File System Image

By Josh Wright

Yesterday, I started my yearly Epic Desk Cleanout. This annual ritual is more about holding up a trash can and sweeping everything into it. I really clean, which includes cataloging all the random SD cards I’ve collected throughout the year.

"SD cards" by Seeweb is licensed under CC BY-SA 2.0

For SD cards, I’ll typically dd the contents of the drive to a Linux box, then examine the data from a shell. This year, a lot of those SD cards are Raspberry Pi images. I end up with a file system dump that I need to examine:


Fortunately, the fdisk utility on Linux can read from a physical device, or from a data dump file:


Here, fdisk reveals a few important tidbits about the binary image:

  • The sector size (512 bytes)
  • The partitions in the disk image including file system types
  • The starting offset in sectors for the file systems

Using the sector size (512 bytes) and the start sector for the Linux file system (264192), we can use a little shell-fu to calculate the number of bytes to the beginning of the file system:


The Linux filesystem is 135,266,304 bytes into the pi.img file. Next, we create a mount point (I use mnt from my current directory, but you can use any unused directory) and mount the image, specifying the number of offset bytes to the Linux partition:


Now it’s just a matter of changing to the mnt directory, and exploring the data.

1 SD drive down…1,978 to go.



Upcoming SANS Special Event – 2018 Holiday Hack Challenge


SANS Holiday Hack Challenge – KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying like video game, by the makers of SANS NetWars
  • Learn more:
  • Play previous versions from free 24/7/365:

Player Feedback!

  • “On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team.” – @mikehodges
  • “#SANSHolidayHack Confession – I have never used python or scapy before. I got started with both today because of this game! Yay!” – @tww2b
  • “Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa” – @dnlongen

Using the SSH “Konami Code” (SSH Control Sequences)

By Jeff McJunkin

Are you familiar with the Konami code? The one popularized by the Contra video game?

Pictured above: Tangentially related to SSH

If not, let me fill you in.  This code is a sequence of control actions for some video games that’ll let you jump forward in the game (some call it a “cheat,” but I’d rather not judge.).  The code itself is a series of button presses as follows (from Wikipedia):


For me, learning about SSH control sequences felt like finding SSH’s Konami code. First I learned how to kill an SSH client that wasn’t responsive, which was convenient. Then, finding out about changing SSH’s options *after I had established the connection* felt like cheating. Adding SOCKS proxies or local and remote port forwards after I’ve already connected to an SSH server is very useful, and far less annoying than typing my SSH key passphrase again.

So, how do you start a control sequence? First, make sure “Enter” was the last key you pressed, as the SSH client won’t notice the control sequence otherwise. Next, press the tilde character (shift + backtick) followed by another character.

What are the support escape sequences, you ask? Well, press “?” as your second character, and your SSH client will tell you:

Supported escape sequences:
~. – terminate connection (and any multiplexed sessions)
~B – send a BREAK to the remote system
~C – open a command line
~R – request rekey
~V/v – decrease/increase verbosity (LogLevel)
~^Z – suspend ssh
~# – list forwarded connections
~& – background ssh (when waiting for connections to terminate)
~? – this message
~~ – send the escape character by typing it twice
(Note that escapes are only recognized immediately after newline.)

Of these, I use “~.” to kill stubborn SSH clients, “~C” to use additional SSH options (like “-D 8080” to start up a new SOCKS proxy), and rarely “~#” to see what forwards I’ve created.

Here’s an example of me connecting to an SSH server (I set up the alias in my ~/.ssh/config file) and using an SSH control sequence to add a SOCKS proxy on port 9001 retroactively:

Jeff 1

An example of using an SSH escape sequence

Note the line beginning with “whoami”. We were interacting with the SSH client itself at the line beginning with “ssh>”, but when we finished that by pressing Enter, we didn’t get a new prompt from the remote server. The input was still accepted, though, which is why the “whoami” command I typed returned “jeff” in the next line, followed by another newline and the SSH server’s prompt.
Gosh, this is useful stuff.

Thanks for reading along! I hope you find as much use for the SSH Konami Code as I have.

– Jeff McJunkin


Upcoming SANS Special Event – 2018 Holiday Hack Challenge


SANS Holiday Hack Challenge – KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying like video game, by the makers of SANS NetWars
  • Learn more:
  • Play previous versions from free 24/7/365:

Player Feedback!

  • “On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team.” – @mikehodges
  • “#SANSHolidayHack Confession – I have never used python or scapy before. I got started with both today because of this game! Yay!” – @tww2b
  • “Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa” – @dnlongen

2015 SANS Pen Test HackFest Twitter Contest

Hey folks… check this out!

We’re delighted to announce a Twitter-based contest here with a fantastic prize. And, participating in this one is really easy.

On November 16th through 23rd, SANS will be running our  third annual Pen Test HackFest Summit and Training event  in Washington DC. We throw everything we’ve got into this extra special event, including:

  • Two days of amazing,in-depth talks by leading minds of the industry, who will give you insight into the offensive tools and tactics being used today to discover an organization’s vulnerabilities to potential adversaries.
  • Six days of training, with  six different classes to choose from.
  • Three nights of  NetWars Tournament challenges  for hands-on fun and learning.
  • One night of  CyberCity missions, where you’ll be defending critical infrastructures against attacks, preventing city-wide mayhem.
  • Coin-A-Palooza: A chance to earn up to FIVE  SANS Pen Test coins  for your collection.
  • One Super-Secret Special Evening: On Nov 17, we’ll be taking a mind-blowing field trip to a clandestine location for a fun-filled hacking adventure.  You don’t wanna miss this.  You’ll get a chance to brag to all your friends that you were there when this happened.  :)

The prize for our new Twitter contest is FREE admission to the two-day session at the start of the HackFest on Nov 16-17. You’ll experience some great talks, learn super useful information, participate in a NetWars evening Nov 16, and join us on the Amazing Secret Special Evening Nov 17.

How do you enter? It’s easy — just snap a picture of yourself with one of the items listed below and tweet the photo to  @SANSPenTest  with the hashtag  #SANSHackFest. Contest runs Friday, September 25 – Friday, October 2:

– Photo of yourself holding a SANS Pen Test Challenge Coin (Just the front!!! Not the back with its sooper sekret cipher) or Coin Sticker or NetWars Sticker.
– Photo of yourself wearing a SANS Pen Test T-shirt or NetWars T-shirt
– Photo of yourself with any SANS item (book, shirt, etc.)
– Photo of yourself with this SANS Pen Test website visible (in a browser, on a screen, or even printed out on paper)
– Photo of yourself with a SANS instructor or SANS staff (if you are at DerbyCon, feel free to stop by the SANS booth and snap a shot with Ed Skoudis, Micah Hoffman, or  Jason Blanchard).



Each person who tweets a photo with the #SANSHackFest hashtag will be entered into a drawing for a chance to win one FREE admission to the Pen Test HackFest Summit Nov 16-17. The contest ends on Friday, October 2, 2015 and we will announce the winner on Friday, October 2, 2015 at 5pm EST via twitter. The more creative the photo, the better…anything goes, just keep it clean and family friendly. Some more detailed rules follow below.

Have fun & good luck!

–Ed Skoudis.


  1. Entry: Contest begins on Friday, September 25, 2015 and ends Friday, October 2, 2015. Responses must be submitted by 4:00pm EST on Friday, October 2. Each participant may enter an arbitrary number of times for the challenge.
  2. Prize: Each person that correctly submits a photo including the hashtag #SANSHackFest will be entered into a drawing to win a FREE seat at the Pen Test HackFest Summit this November. SANS will choose only one winner. The seat is transferable to another in the same organization/company. The winner will be chosen on Friday, October 2 and will be notified via Twitter.
  3. Odds of Winning: The odds of winning the contest depend upon the total number of all eligible entries received in the contest period, regardless of method of participation.
  4. Release of Liability: SANS Institute is not responsible for lost, late, or unintelligible entries, lost connections, miscommunications, failed transmissions, other technical difficulties or failures.

Traffic Lights and Modbus/TCP – A SEC562 CyberCity Hacking Adventure

By Joshua Wright


When the Counter Hack team started building the SEC562: CyberCity Hands-on Kinetic Cyber Range class, I knew I wanted to develop a mission that involved the Industrial Control protocol Modbus/TCP and traffic lights. Because CyberCity is 1:87 scale, I needed to build my own traffic light controller using Modbus/TCP with model-sized traffic lights, and connect them to a Modbus/TCP powered controller.

Traffic light

Part of our goals in writing the SEC562 course is to provide hands-on experience understanding the security of ICS protocols such as Modbus/TCP, CIP, PROFINET, DNP3 and others. This is done through the completion of several missions, where the team of analysts has a defined goal, and has to use offensive or defensive skills to achieve the stated goal. In the case of the traffic light mission, the team has to hack their way into the CyberCity Department of Transportation (DoT) network, pivot from publicly accessible systems to restricted access systems, and use the compromised host to deliver custom a Modbus/TCP exploit that manipulates the traffic light patterns.

I’m biased, but I think these missions are SUPER FUN. Challenging, for sure, but a great opportunity to learn about a whole new realm of interesting protocols (ICS and related technology) that allow you to use hacking to interact with the kinetic world, manipulating systems that move or control things that move (like… traffic lights!). The class itself is 80% hands-on, 20% lecture, so you spend much more time DOING than listening… and falling asleep after eating too much lunch (been there).

In this article, we’ll take a peek at the Traffic Control CyberCity mission. I’m not going to give away everything, but we’ll take a look at how we can combine useful reconnaissance and information gathering, web attacks, privilege escalation, pivoting, and Modbus/TCP exploits effectively.

CyberCity Scoring Server


In the SEC562 class, we don’t just give you a target, shrug, and say “figure it out”. It’s not a good use of your time. Instead, we provide a well-tested environment using the NetWars Scoring Server, that identifies the mission and asks questions in a sequential order that guide you through the mission steps. If you get stuck on a question the automated hint system brings you a little bit closer to the answer with each hint. This way, you can work at your own pace: figure out small portions of the mission on your own, or use hints to get extra assistance where desired. When you answer a question correctly, you get all the hints automatically, just to validate your technique with what we planned for the mission.


Let’s jump in and start answering some questions.



Like any penetration test, you’ll conduct reconnaissance analysis and information gathering before evaluating the target systems for vulnerabilities. For example:

Leverage the FaceSpace site ( to identify three employees working for the CyberCity Department of Transportation. Enter the last name of the DoT employee whose name ends in “be”.”

FaceSpace is our social networking site within CyberCity, complete with thousands of accounts and posts from various CyberCity citizens. FaceSpace is built on the Elgg open-source social networking software, acting both like Twitter and Facebook. Like other social networking sites, FaceSpace is a wealth of sensitive data that is useful for reconnaissance analysis including the disclosure of username information, “friend” associations to identify co-workers, and other sensitive data. Searching for various on “department of transportation” and “DoT” turns up some interesting results.



Looks like Jermaine Strobbe is a new hire for the DoT, and the answer for our question. Let’s move on to some scanning and information gathering.



Later in the mission, we start getting questions like this one:

“Additional informational resources about the structure of systems and traffic light control protocols are stored in non-guest accounts on the site. Access these protected resources and identify the model number for the traffic light controller used by the Cyber City DoT. Enter the numeric portion of the traffic light controller model number.”

The site is used for sharing public resources – it’s the CyberCity version of ownCloud or other cloud storage providers and based on a private cloud system that I got to evaluate for a customer penetration test not long ago. When you visit the site, several files are accessible to guest users as shown here.


When I mouse-over the link for any of the files, I see URLs that look like this:

This looks like a classically bad URL scheme, where the files are in a random-looking directory. Browsing to the directory itself, we get the following:


So, we know we have a directory browsing issue, but we want to get access to other user’s files on this same system. We could mount a password guessing attack against the login screen, but that could take ages and might lock-out user accounts. If we focus on the unpredictable directory portion of the URL, we see the string Z3Vlc3QK. Browsing to small variations on this string only returns 404 errors from the server.

Pasting the value into Burp Suite, we can use the Decoder tool to evaluate how the string decodes in several ways. Most of the options don’t apply (e.g. “Z3Vlc3QK” is not URL, HTML, ASCII hex, Hex, Octal, Binary, or Gzip encoded), but the Base64 option looks interesting. Using Base64 as a decode option, and we see the encoded value returns the string “guest”.

However, we can try different decoding methods to further analyze this content. While the string could just be random lower/upper alphanumeric values, let’s try different decoding options.

Pasting the value into Burp Suite, we can use the Decoder tool to evaluate how the string decodes in several ways. Most of the options don’t apply (e.g. “Z3Vlc3QK” is not URL, HTML, ASCII hex, Hex, Octal, Binary, or Gzip encoded), but the Base64 option looks interesting. Using Base64 as a decode option, and we see the encoded value returns the string “guest”.

Pasting the value into Burp Suite, we can use the Decoder tool to evaluate how the string decodes in several ways. Most of the options don’t apply (e.g. “Z3Vlc3QK” is not URL, HTML, ASCII hex, Hex, Octal, Binary, or Gzip encoded), but the Base64 option looks interesting. Using Base64 as a decode option, and we see the encoded value returns the string “guest”.Blog10

Seeing this, we can use our earlier reconnaissance data of username information for directory path guessing attacks to bypass authentication to access other user cloud files. You can do this manually, or a little shell script can speed things up:

jwright@ccgateway2 ~ $ for username in jstobbe bstobbe jdesoto bdforge rgray ; do
> enc=`echo -n $username | openssl enc -base64` # -n very important here!
> curl -sL -w "%{http_code} %{url_effective}\\n"$enc -o /dev/null
> done

Here, we see mostly 404’s, but one wonderful 200 indicates that we found another encoded directory that was previously hidden from us. Skipping to the pillaging phase, we retrieve all the files in the directory and evaluate them to learn more about the target system. Among other things, we learn that the traffic light system used by the CyberCity DoT is a product from Traffic Control Systems (TCS) that includes an extended Human-Machine Interface (HMI) that allows for online reporting of traffic data. We can further validate that by browsing to the website, shown here.



Looking at the page source, we find another interesting target to explore:





Jumping ahead a little bit, we can explore the target. What we find is a straightforward login page, asking the user to enter credentials for the product management console. If we try to authenticate with a guessed password for a DoT employee, we get an error from the server.



When we fail authentication, we get a <div> on the page letting us know. However, the URL now has a new parameter: msg=loginfail.html.

NOTE: Anytime you see anything that looks like a filename in the URL, try to use the parameter to access other files on the system! Even though it’s 2015, it still happens all the time. Here too, we have a straightforward Local File Include (LFI) issue that allows us to read files outside of the web root:


However, the web user is limited to read files owned by www-data, or with “world” read permission. This limits our ability to get additional access on the target system (e.g. we can’t read the /etc/shadow file, and start password cracking). SEC562 participants have to leverage a second vulnerability to get files uploaded to the target system and then include those scripts in the LFI to gain a shell on the target.



Once we get basic shell access to the box, we can start to pillage the host for information, and use it as a pivot point to attack downstream systems including the individual Modbus/TCP traffic light controllers. Here’s what we find out through pillaging the host:

  • Target OS is Ubuntu 12.04.4 LTS
    • Host has a public interface on the network at
    • Host has a second private interface on the network at
  • PLCs for traffic light controllers exist at,,, and
    • All PLCs are listening on TCP/502 for Modbus/TCP connections
  • TCS traffic reporting software runs from /opt/b2b/lightstatus

Using the cameras that monitor CyberCity in real time, and packet capture data from the traffic light controller PLCs, we can gain some insight into how the Modbus protocol is configured to control the traffic light patterns.


Here, the master device (the Ubuntu box at is transmitting a “Write Multiple Coils” message to the target device at In Modbus, a coil is a binary value (on or off), while a register is an analog reading (from Y to Z). Modbus lacks any kind of authentication, encryption, or integrity protection; clearly, this was a protocol that was not written to be used on the same network as a hostile adversary. (Ed. understatement of the year)

While some Modbus/TCP attack tools exist, I typically find it is easiest to build what I want with a quick Python script instead of adapting a different tool for a specific task. First, we can experiment with setting all the bits to the ON position with:

Joshuas-MacBook-Pro-2:~ jwright$ cat
from pymodbus.client.sync import ModbusTcpClient
from time import sleep
import sys
while(i < 30):
    client = ModbusTcpClient(sys.argv[1])
    client.write_coils(0, [True, True, True]*4) # Ref #, followed by coil settings in list form
print "Done"

Here, the list element [True, True, True] represents the Red/Yellow/Green lights, repeated 4 times for the North, South, East, and West directions. When we run the script with the IP address of one of the PLCs, it should change all the traffic lights to the on position.


Viewed through the traffic light reporting page, we see something like this:


This view only shows a single light on for the Quadrant 1 traffic lights (all red). This could be because the monitoring software doesn’t have the logic to keep testing for other lights to be set (since that shouldn’t happen in practice). Viewed through the CyberCity camera, we see a different picture:


It’s a little hard to tell because the LEDs are so bright, but all 12 LEDs are shining strong because of our tool. Now, it’s a simple matter of correlating the traffic lights to the individual IP addresses, and updating the script to manipulate each traffic light per the mission directive.



In this article we looked at some of the techniques used in the SEC562: CyberCity Hands-on Kinetic Cyber Range Exercise. For an attacker, the world of Industrial Control Systems opens up a lot of attack opportunity, both from the ease with which these protocols can be exploited, and the kinetic impact an attacker can produce. Learning about these attacks expands your skillset both as an attacker and as a defender (and, we get to have a lot of fun in the process).

-Joshua Wright


Upcoming SANS Special Event – 2018 Holiday Hack Challenge


SANS Holiday Hack Challenge – KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying like video game, by the makers of SANS NetWars
  • Learn more:
  • Play previous versions from free 24/7/365:

Player Feedback!

  • “On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team.” – @mikehodges
  • “#SANSHolidayHack Confession – I have never used python or scapy before. I got started with both today because of this game! Yay!” – @tww2b
  • “Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa” – @dnlongen

The work “Main St Lights” is a derivative of “US Route 6 (2)” by Nicholas A. Tonelli, used under CC BY. “Main St Lights” is licensed under CC BY by Joshua Wright. All other images copyright Counter Hack, Inc., All Right Reserved.

SANS Orlando 2015 Brochure Challenge Answers and Winner

By Mark Baggett

Hello Security Pros!

Many of you have noticed that SANS has included a challenge in this year’s brochure for the Orlando conference.  We had 79 people submit correct answers to the puzzle.  From those names, we chose one name as the grand prize winner and that grand prize winner will receive four months of NetWars Continuous!

Without further ado, here are the results…



The winner of the challenge is…Paolo Balzarini. Congratulations Paolo! And congratulations to all who were able to come up with the answers as well as a big thank you to everyone who participated.

Solution write up:

The puzzle is solved in three parts.  There are many ways you could solve different portions of this puzzle.  Here’s one possible way you could have solved the puzzle.

Part 1: The Brochure Cipher

The first part of the puzzle was available in the Orlando 2015 brochure as well as an electronic version that was available at  Through the magic of the printing process, the brochures mailed to people’s homes had a “BONUS CHALLENGE” that rearranged a few words in the puzzle. Fortunately, the main portions of the challenge were still intact so it was still able to be solved. I’d like to pretend the printing problem never happened and for now take a look at the electronic version of the brochure.

The puzzle is on page six in the PDF.  The instructions on that page give you the url and an image of a scroll with an Adendorff cipher on it.  This is the same type of cipher that Nicholas Cage found on the back of the Declaration of Independence in National Treasure.  It has a series of lines with 3 numbers below it and you’ll see that a few of the words were already completed for you.  The completed words act as a key so you can go through a few iterations of guess and check to determine that the numbers below the line correspond to a specific page number, paragraph, and word.  Then turning the pages in the brochure, you’ll discover  that the words found at the  corresponding page, paragraph and word number will give you the phrase:

The password to the next part is “pywars”.  Be sure to “play fair”

Part 2: The Web Cipher

Turning your attention to the URL, you’ll find the rules of engagement and a link to a second url —  This URL contains the following text:

Solve the challenge below and access the website revealed by the challenge.

fv ps em mk kd ny cf bk pd mc av ac kz dp kd en zk yj bk pd jc zc kx bk pd fc dx be pd fv rm vf lz dp xi dx si jg zs do bk pd gc ez hm zy se pd mh iw nu ob li se pd im nx do nx sj hx sd rx je zj vf ej se sj lz ao nx sd ev je zj sx jw dz sj hx sc gj zc dj hi xs gj zc do nx se da

From here, you’ll need to determine what type of cipher you are dealing with.  The first cipher gives us, The password to the next part is “pywars”.  Be sure to “play fair“.  If you do a quick internet search for “play fair” and “cipher” you’ll find results for the “Playfair” cipher.  The Playfair Cipher was created by Charles Weatstone back in 1854.  It is made up of pairs of letters that act as a row and a column in a table of letters.  The table is built using a shared password that is known by the Encryptor and the Decrypter.  The password provided by the brochure is “pywars”.  There are some online playfair cipher encoders and decoders. Using one of them you could decrypt the text. For example, if you plug the cipher text and the password into this website and click decrypt you get the text:


Reading through this, you can see another URL is being “spoken” to you.  If you translate the word “dot” into a period and words such as “one” into the number 1 then you come up with the URL revealing part 3 of the puzzle.  The playfair cipher often uses the letter X as padding so after you remove all the “x”s from the string you end up with the following URL:

Part 3: The Packet Challenge

Now when you visit the web page revealed by solving part 2, you are given a flag of  “SeeYouInOrlando2015”.  There is also a note from an administrator saying that someone stole the final password using powercat.ps1.  Oh no!  Fortunately, they have full packet captures that caught the password exfiltration.  You are given a link to download a PCAP file so you can download the packets from here  To solve  part 3, you have to analyze the packet to retrieve a flag.

My tool of choice for unusual packet analysis is scapy.  It is Python based so I can easily manipulate packets and extract useful data from them.  So, let’s start Python and then import the scapy modules.  To do this, I type “python” to start a Python interactive shell. Then “from scapy.all import *” makes all that scapy awesomeness available in my python shell.  Next, I type “packets = rdpcap(“brochure_part3_final.pcap”)”.   This reads the packets into memory and creates a reference to them in a variable called packets.  Packets is a special data structure called a scapy.plist.PacketList.  A scapy.plist.Packetlist is similar to Python lists and I can step through them like I would a normal list so I can look at the packet at position 1 by referencing the packets variable with square brackets and the position number.  Packets[0] shows me the first packet, and packets[1] shows me the second packet.  Here’s what it looks like in my shell.  (I’ve cut off the information on the right to focus your attention to the commands being used).

Blog 2

Here you can see a reference to a domain named in the packets. The domain name is preceded by a hexadecimal blob. Take a look at a couple of them. Running the command ls(packets[0]) or packets[0].display() will show you the domain information being transmitted in the field .qd.qname. I type packets[0].qd.qname and I get the requested name in the first packet and packets[1].qd.qname shows the second packet while packets[2].qd.qname shows me the 3rd packet. Packets 0 and 1 both have a single host name but the third packet has a very long host name (note: image is truncated).

Blog 3

Now take packets[2] and decode those hexadecimal host names before Since scapy is Python, I can use the python command .split(“.” ) to convert this string into a Python list of subdomains. Then, I can slice off the last 4 parts of that list by adding [:-4].  This will leave me with just the list of hexadecimal names.  After that, I use “”.join() to turn them into a long string of hexadecimal and .decode(“HEX”) to convert it into ASCII.  I am assuming you know a little Python here.  If this part is confusing check out my Python class this September.  So this is what that looks like in my shell.

Blog 4

The text of packets[2] reveals a Microsoft Copyright notice that you see when you open up a command prompt on a Windows machine.  This technique of hex encoded data as host names is typical of DNSCAT2 traffic.  The note from the administrator said that he believed the attackers used powercat.ps1.  So what is power cat?  You can take a look at the script here:   It is netcat written in PowerShell.  The tool was coauthored by Mick Douglas and Luke Baggett.  It also supports DNSCAT2 as one of its communications mechanisms.

With this syntax we can decode DNSCAT traffic in 4 simple lines of Python.  Two of them you have already typed  “from scapy.all import *” to load the scapy module into Python.   Then packets = rdpcap(“brochure_part3_final.pcap”)  to load the PCAP file into the variable packets.  Now, you can use a simple for loop to step through all the packets and print the decoded host names.

Blog 5

This will print all of the decoded DNSCAT traffic to the screen so you can observe the command typed by the attacker and the response.  At one point, we see the attacker type the contents of a file called “no_the_flag.txt”.  If you didn’t fully decrypt all the packets so you could see what he was doing, you might incorrectly see the content of that file and think it was the flag.  Next, the attacker sends in the command “dir” followed by “type brochure_flag.txt”.  Looking through the data we see the response with the contents of the file “FLAG=BrochureSwanMickey”.

Blog 6


Armed with the 3 passwords: “pywars”, “SeeYouInOrlando2015” and “BrochureSwanMickey”, you were able to submit your name for the drawing for the grand prize.

Want to learn more about Python? Check out SEC573 in Las Vegas this September! Sign up now for an early-bird discount!

-Mark Baggett

Follow me on Twitter @markbaggett

SANS 2015 Shmoo Challenge Winners and Official Answer

by Jeff McJunkin

Greetings! Those of you who attended ShmooCon this year may have noticed a challenge from SANS included in your Shmoo bags. If you didn’t attend and you want to walk through the challenge yourself for some fun, I’d recommend you look at the challenge description  and avoid reading the official write-up at the end of this post until you’ve looked at the challenge itself.

We’re always excited to see the new ways our participants will solve our challenges, and the Shmoo crowd certainly didn’t disappoint! We had lots of great entries which were a pleasure to read through.

As written in the original description, the first ten participants who solved the challenge will receive a free SANS NetWars t-shirt. If you see your name below, you will also have an email sent to orchestrate the details of getting your prize to you.

Accordingly, here are those ten winners!

1. Annah Waggoner
2. Brad Berkemier
3. Karl Olson
4. Todd Carlson
5. Chris Gaal
6. Brian Lintz
7. Tsvetelin Choranov
8. Matthew B.T.
9. Mouza Romaithi
10. Colin Edwards

Congratulations to each of our ten winners!

One lucky winner, though, will receive a GRAND PRIZE of a free subscription to NetWars Continuous, valued at $2,499! This winner will have four full months of access to our CtF environment, including automated hints and support from our staff to ensure a Stuck-Free Experience(tm).

Without further ado, and with the thanks of’s “True Random Number Generator“, the winner of a free NetWars Continuous subscription is…

(This is the part where you do a drum roll in your head. We don’t skimp on special effects!)

…Colin Edwards!

Colin, along with being remarkably lucky, did a great job with his write-up. There were several parts of the challenge that he solved in a unique way.

Accordingly, I’m very happy to declare Colin’s Submission  as the official answer guide to the SANS 2015 ShmooCon Challenge!

Thanks to everyone who participated!
— Jeff McJunkin and the Counter Hack Challenges team

P.S. If you found this kind of challenge interesting, you might want to look at SANS course offerings for other opportunities to learn! We have lots of great upcoming courses at SANS   Pen Test Austin  in May including a SPECIAL NetWars Event…

We’ve got a really special event coming up with a TON of NetWars, CyberCity, and SANS Pen Test coins.  We call it SANS Pen Test Austin, and we’ve loaded it with the best SANS pen test courses and a bunch of outstanding evening events. From May 18 to 23, you’ll get to participate in:

*SANS Top Courses focused on Pen Testing: Learn hands-on skills that you can directly apply the day you get back to your job.
*NetWars, NetWars, NetWars: Enjoy three exciting nights of NetWars challenges, where you can have some fun while building serious infosec skills.
*Coin-a-palooza: Earn up to four additional SANS pen test challenge coins (each with an integrated cipher challenge) based on your performance in SANS NetWars!
* CyberCity Missions: Work through an evening of cyber missions that have a direct kinetic impact on the miniature SANS CyberCity environment with a real power grid, water reservoir, military base, and more!
* Lock Pick Evening: Get a chance to pick some locks one evening. Whether it’s your first time picking locks or you’re a seasoned expert, you’ll have a ton of fun hanging out with other infosec pros refining your skills.

Hope to see you in Austin!

2014 SANS Holiday Hack Winners and Official Answers

[Editor’s Note: Every year for eleven seasons now, SANS creates a Holiday Hack challenge for you to build your skills with real-world infosec tools and techniques, all the while having some good holiday-inspired fun, for everyone to participate in, no charge at all.  If you haven’t checked out our most recent SANS Holiday Hack Challenge, you should definitely read through it.  This years’ challenge was written by Ed Skoudis and Josh Wright, with support from Tom Hessman and the vocal stylings of James Lyne.  We’ll keep the challenge itself, the target servers, and the file system image available for as long as possible, so you can continue to work through it, either on your own, or referencing the official answers cited below.  Have fun!!!  Following immediately below is  our official announcement of winners and answers.  –Ed.]

Lynn Cratchit emerged from the rather toasty Secret Room, a gentle smile lighting up her countenance.

“Mr. Scrooge… have you finished judging this year’s SANS Holiday Hack Challenge entries?” she inquired.

A bedraggled Scrooge looked up wearily from his desk, surrounded by piles upon piles of papers stacked high all about. An increasingly healthy Tiny Tom looked upon the scene whilst holding an impossibly cute orphaned puppy, awaiting Scrooge’s answer.

The old man began to speak slowly, “All told, we received an avalanche of responses to our challenge, several hundred people from around the globe sending in their answers. Their response was both overwhelming and…” the old man paused… “Wonderful.” His eyes, I tell you, started to sparkle.

“I’m deeply touched by the outpouring of technical wizardry, analytical excellence, whimsical wit, and outright humor in these answers! Some were marvels of concision, while others were detailed treatises several dozen pages long. Many were straight arrow, while others plunged for the jugular of hilarity. Think about it! Those ghosts posed challenges from many different skill sets: social engineering, penetration testing, packet analysis, forensics analysis, and so much more! But, all in all, these very entries have shown beyond a doubt the great skill, extreme discipline, special patience, good will, and amazing character of people in our community. Why, one joker even posited this preposterous thing in his answers:

The characters in the story appear to be a loose portrayal of the staff of Counter Hack Challenges: Skoudis as Scrooge, Tom Hessman as Tiny Tom (rather than Tiny Tim), and Lynn Schifano as Mrs. Lynn Cratchit; and apparently, Ed keeps the secret room at the office a little cold for Lynn and Tom.”

“What nonsense!” laughed Cratchet, as  her new heater chugged away spreading its radiant warmth throughout the Secret Room.

After a hearty guffaw, Tiny Tom asked the most pertinent question, “So… do we have a winner, Dear Scrooge?”

“Why yes, we do! There were so many great entries. Behold, here are the lists of noteworthy responses and our winners.” Scrooge handed a scroll to Ms. Cratchit bearing the following proclamation….

Ebenezer Scrooge here… I’m delighted to announce this year’s honorable mentions and winners for the 2014 Holiday Hack Challenge, “A Christmas Hacking Carol.”

Honorable Mentions

All of these dear people correctly solved each challenge and recovered every one of the ghosts’ secrets. They are worthy of praise and have earned an honorable mention:

Anthony Canino Joshua Roark
Ben Allen Kerem Kocaer
Brad Berkemier Mark Elliott
Brian Boswell Mark Guth
Brian Wiltse Martin Tyrer
Bryan Rhodes Matt Edmondson
Bryan Smith Matt Keyser
Charles.L.Rice Michael Dyrmose
Chris Wallace Mohammed Faiz Ahmed Quadri
Christopher Dubsky Nick McKerrall
Dan Cândea Pgntest
Davide Berra Piotras
Dominick Barbuscio Richard Tafoya
Giacomo Milani Thomas Herrell
jane doe Tom Pohl
Johnny Medina Tyler Halfpop
Jon Searles Warren J Raquel
Joshua Roark Yassine id bougnoun
Kerem Kocaer

REALLY Honorable Mentions

In this next group, we have people whose answers included some extra special narrative or deep technical insights. These folks have earned a REALLY Honorable Mention:

Annah Waggoner Josh V
Anthony Magnus Lund Jacobsen
Austyn Krutsinger Mario Acosta Arteaga
Carrie Roberts Michael Pella
Chris Andre Solberg Dale Nick McKerrall
Christian Bajada Patrick Mooney
Delaney Ng Paul M. Goffar
Dinesh Peter Dayok
Eddy Vanlerberghe Richard Gold
Gebhard Zocher Rick El-Darwish
Harinderjeet Singh Ronnnie Friis Salomonsen
Ian Spyder Lovecraft Fabrizio
Jam4ar Tsvetelin Choranov
Jonas Strand

Stunning Awesomeness

This next group of answers exhibited simply stunning awesomeness. Each was a contender for the top slot, and it was a true honor  to read their answers.

Anatolie Prisacaru (shark0der): A wealth of technical insight in this one.  The Force is strong with its author, for sure!

Andrew Rowbotham: This solution is brilliantly laid-out and nicely detailed, with XKCD to boot!

Chris Eckert: This is a GREAT write-up, complete with hilarious memes from throughout the Internet… a pleasure to read and absorb.

Jeremy Galloway (Cypher G): The animation in this solution is infectious with excitement.  What a joy to read!

david switzer: Interested in some awesome rhyme, along with technical analysis?  You gotta check this one out then!

Don C. Weber: This report is stunningly good, a virtuoso performance with an impressive style and format for incident response, along with recommendations for preventing future occurrences of ghastly hacking interventions.

Jerome Kleinen: With its alternative ending, this solution makes for very fun and compelling reading.

Jim Herubin: What a GREAT, detailed, and well-formatted solution.  Nice work!

Joshua Tomkiel: This solution is smooth throughout, with a great description of each step, plus an excellent and clear format.

Rich Cassara: The 1940’s Private Eye Film Noir feel to this solution was awesome, bringing a smile. Plus, he re-imagined the entire point of the challenge, wherein a team tricks Scrooge through the use of an Oculus Rift, rather creative pharmacology, and even a trebuchet to simulate all of the ghastly action.  Simply amazing!

The Winners

And now… Our winners.

Random Draw

We’ll start with our Random Draw winner, who will receive an autographed copy of the Counter Hack Reloaded book.  Using a random number chosen by the fine folks at, our winner is….

Matt Keyser

Most Creative Answer

Next up is our Most Creative Answer that is Technically Correct, who will also receive the Counter Hack Reloaded book. The winner for this one is a simply delightful and hilarious story full of Dr. Who and even some Star Wars references. We smiled and laughed our way through this great set of answers. It’s AWESOMELY creative!  And the winner is….

Mike Cecil

Best Technical Answer

Competition here was fierce, with so many strong contenders. But, in looking through them all, we received a very special entry that graphically illustrated the solution to each and every challenge, step-by-step with FANTASTIC  figures. If you’d like a quick and handy reference guide on how to conquer each challenge, you should definitely read this set of answers. Our best technical answer winner, who will also receive the Counter Hack Reloaded book, is….

Masashi Fujiwara

GRAND Prize Winner

And finally we have our GRAND Prize winner, who receives a free SANS OnDemand course. This entry covers each and every twist of the challenge and its solution, highlighting all of the subtleties that Josh Wright and Ed Skoudis buried in the challenge. In fact, the answer is so good that we consider it the OFFICIAL answer for this year’s SANS Holiday Hack challenge. If you are looking for how to conquer each and every one of the ghost’s secrets, we urge you to read the GRAND Prize winning answer by…

Dave Lassalle

Congrats to all our winners!scrooge

The entire team here wishes to thank everyone who worked through the challenge! Josh Wright, Tom Hessman, Lynn Schifano, Tim Medin, Jeff McJunkin, Tom VanNorman, and me (old Ebenezer Scrooge) are truly honored that you invest your time each year developing your skills and having fun with our quirky creations. For each Holiday Hack, we try to create a little Christmas world, distinct from each of our previous challenges with brand new technical twists, offering you an opportunity to dig in and develop real-world information skills based on very recent attacks, tools, and techniques. Our goal is to create the very best challenges we are able to muster to spread some unique holiday fun by varying the style, technical approach, tools, and techniques every year. Also, we leave our challenges up for as long as possible. Feel free to work through them again, or even go through our previous ones, such as our 2013 installment (It’s a Hackerful Life featuring attacks against Industrial Control Systems), 2012’s challenge (The Year without a Santa Hack, focussed on web app pen testing), or 2011’s missive (Grandma Got All Haxx0red by a Reindeer, chock full of in-depth packet analysis).

Oh, and one more thing… We’re already starting work on our 2015 challenge, our best ever, which will feature some really distinct delights, including some whacky wireless, a little firmware analysis, and an Internet-wide scavenger hunt for special stuff we’re going to squirrel away so that Santa himself couldn’t find it. We’ll launch it the second week of December, 2015.  I can’t wait!


Er… I mean…



p.s., If you like this kind of thing and want to build your skills through some excellent training, please do check out SANS course offerings, especially those in the Pen Test Curriculum.  We’ve got lotsa great in-depth offerings to choose from, including SANS Security 560 on Network Pen Testing (which I’m teaching in Feb in Scottsdale AZ, March in Baltimore, April in Orlando, and May in Austin TX), SANS Security 575 on Mobile Device Security & Pen Testing, and SANS Security 660 on Advanced Pen Testing!

Using Built-Ins to Explore a REALLY Restricted Shell

By Ed Skoudis and Josh Wright

Josh Wright and I were working on a project recently which involved a target machine with a really restricted shell environment. I’m not talking about a mere rbash with some limits on the executables we could access, but instead a shell so restricted we could not run any binaries at all, save for the shell itself. No ls…  no cat… no netcat… we could access very little. It was some sort of ghastly chroot specter.

Still, Josh and I wanted to explore the target machine as much as we could given these shell restrictions. Of course we could have tried escaping our restricted shell (as Doug Stilwell describes in more detail here) and even doing privilege escalation, but before that, we wanted to just look around. Thankfully, we had many shell built-in capabilities we could rely on.

For the uninitiated, shell built-ins are features of the shell that don’t rely on separate binaries in the system. For example, in bash, commands such as alias, printf, and echo are built-ins, which the shell can do itself, without calling a separate program. While some of these built-ins also have a binary of the same name (/bin/echo for example), your shell can rely on the built-in independently from the binary. Indeed, it can perform the task even if the binary isn’t available. Turns out, you can do a whole lot with these shell built-ins.

A handy list of bash built-ins is available here, and can be quite an inspiration when faced with a task like that before Josh and me.

We started by looking around in the file system, using the following well-known trick as our rough “ls” equivalent:

$ echo *

We then wanted to look at the contents of file.txt, so we ran:

$ while read line; do echo "$line"; done < file.txt
Hello World!
This is a nice file.
Happy Holidays!

We then wanted to search through a file to find a specific string, rather like grep:

$ while read line; do if [[ $line == *"nice"* ]]; then echo $line; fi; done < ./file.txt
This is a nice file.

Want a count of the number of lines in a file (rather like wc -l)? Use something like:

$ i=0; while read line; do i=$(($i+1)); done < ./file.txt; echo $i  

Want your UID number? You should try:

$ echo $UID

Wanna do a whoami? If you have access to the world-readable /etc/passwd, you could build on what we saw above with:

$ while read line; do if [[ $line == *":x:$UID:"* ]]; then echo ${line%%:*}; fi; done < /etc/passwd

Those are just a few of the useful items we performed with built-ins. Got any more you’d like to share? Please do provide them in the comments below.


— Ed Skoudis & Josh Wright

Winner and Official Answer to 2014 SANS Network Security Brochure Challenge

By Jeff McJunkin

Ladies. Gentlemen. Tim Medin. May I have your attention please? I’m excited to say that the time to select our SANS Brochure Challenge winners has come! If you’ll remember, we started this challenge back in late July and we did something very new – we made the challenge start from within the pages of the actual SANS brochures!

We had some FABULOUS write-ups submitted, and we’d like to thank everyone who took part in the challenge. I was happily surprised to see participants using so many ways to approach the pieces of the challenge. Many folk found even easier ways than what was intended!

So, without delaying any further, I’d like to introduce our categories and winners…

For the best technical write-up, after long consideration between the Counter Hack judges, we’d like to award Dave Lassalle with the prize! Congratulations, Dave! With every successful submission, I reminded the finisher that the technical report could be edited and re-submitted at any time before the challenge closed. After taking some time to recover his breath from his original submission, Dave re-submitted a FRIGGIN’ FANTASTIC report in blog form. His report was so good, in fact, that we’ve made it into the official answers for this challenge.

Dave’s report is available here as well as on his own blog. Please take a look! If you were stuck at any point, Dave’s post should definitely help you out!

For winning the best technical write-up category, Dave will receive a signed copy of the “Counter Hack Reloaded” book, written by the Great and Powerful Oz… er, rather, written by Ed “Will Hack Josh Wright’s Sushi” Skoudis.

Our random draw winner, by the powers of, is Juan Manzano! Juan finished just two days after the challenge started, and included a great write-up. Congratulations, Juan! Juan will also receive a signed copy of “Counter Hack Reloaded.”

Only one person can win our GRAND PRIZE, however – a free, all expenses-paid (digital) four month long trip through NetWars Continuous. Our winner for first place finish goes our first ever DOUBLE WINNER – Dave Lassalle. Dave smashed through our challenge in the very first day it was released, submitted a report, (available here) and then (one can assume) collapsed into sleep. Considering the challenge started on a Tuesday, I think we can safely assume that Dave didn’t get much work done that day!

For being the first to finish, Dave will receive the free NetWars Continuous package, valued at over $2,000! He’ll have plenty of new challenges to develop his skills further while practicing against our online cyber range, especially since NetWars Continuous includes our automated “Stuck-Free” hint system!

Finally, we have two honorable mentions – Patrick Neise and Roy Luongo. Patrick submitted a very detailed technical write-up (available here) that nearly won the best technical write-up category. Roy’s write-up (available here) was also very thorough, and it got bonus points for including Roy’s own set of memes!

Congratulations to all of our participants! We’ll be reaching out to our winners shortly.

–Jeff McJunkin and the Counter Hack Challenges team