If you’ve ever attended an infosec or hacker conference, you’re sure to have seen the Capture the Flag or CTF. As with anything in this industry, there are ebbs and flows in the debate of the value of the competitions. Some argue that they are unrealistic. Others champion them for the skills required and the creative thinking.

Let’s be real for a moment. When is the last time that a penetration tester found the output of /etc/passwd in the comments section of a website? I know there may be fringe cases, but this is not the “norm.”

The reality is that many are thematic and fun. Traditional Capture the Flag competitions typically have some of the same elements:

• Scanning and Enumeration
• Web Application
• Cryptography
• Steganography
• Exploitation
• Scripting
• Reverse Engineering

It’s kind of ironic that scanning and enumeration and exploitation are in bold. Why? They are parts of the “Ethical Hacking process,” as shown below:

As time progressed, we have moved from basic CTFs to several varieties:

• Network King of the Hill (NetKOH)
• Social Engineering (SECTF) [Note: I may know a thing or two about these, especially the 2017 DerbyCon SECTF.]
• OSINT CTF
• Forensics CTF

The Value and the Series

So, what am I getting at? They are not precise mirrors of real life. That is not what they are meant to be. They are meant to be challenges to both your technical skill and creativity. Some are more “fun,” and others are more about “street cred.”

In this series, I will be discussing how Capture the Flag exercises work and some common tools and techniques used in them. For starters and a sneak preview, here are my planned topics:

• (Theoretical Ideas) ARP Scanning with netdiscover and arp-scan
• NMAP
• Nikto
• Dirbuster and dirb
• Burp Suite
• (Read more...)