TryHackMe: Cyber Defense Learning Path P1D1
01 May, 2021
One of the reasons I like TryHackMe so much, and maybe the main reason, is the Learning Paths it offers. Right now there are 5 learning paths, each with a different number of rooms. Cyber Defense is the one with the most rooms, 38, and it claims that 48 hours are needed to complete it. A lot of knowledge is waiting in there to be acquired, so let's start with the first part.
Cyber Defense Introduction
The first part includes basic stuff about networking and the Windows OS, split into 6 rooms. According to its description, we will "Learn the basics of networking, host-based systems, and active directory. These rooms will give you the foundational knowledge needed to grasp more advanced concepts". Now, for a student of informatics, especially one following a networking track, the networking rooms can be finished in minutes. But for someone getting their first impression of networking, it's a really good introduction.
Introductory Networking
Task 2
This task is about the OSI model, the most basic way that data gets partitioned and travels in telecommunications systems. After reading the information for each layer of the model, we will be able to answer the following questions.
Which layer would choose to send data over TCP or UDP?
TCP stands for Transmission Control Protocol and UDP for User Datagram Protocol. Both are protocols of the Transport layer, so the correct answer is 4.
Which layer checks received packets to make sure that they haven't been corrupted?
The Data Link layer is the last layer before data is transmitted through a cable and the first one after it is received. Isn't this the best time to check whether something went wrong while the data was travelling across the network? That's why the data link layer "serves an important function when it receives data, as it checks the received information to make sure that it hasn't been corrupted during transmission". Correct answer: 2.
In which layer would data be formatted in preparation for transmission?
As we said before, Data Link is the step just before data goes onto the cable. The answer, again, is 2.
Which layer transmits and receives data?
Yes, you know the right answer. It's the Physical layer, 1.
Which layer encrypts, compresses, or otherwise transforms the initial data to give it a standardised format?
Encryption, compression, or any other way of transforming how the data is represented? Of course, that's the Presentation layer, meaning 6.
Which layer tracks communications between the host and receiving computers?
If I wanted to communicate with another computer, in OSI language I would try to establish a session. You got it, the right answer is 5, the Session layer.
Which layer accepts communication requests from applications?
A layer that speaks with applications? It isn't that hard, right? Layer 7, the highest one in the OSI model, is the Application layer.
Which layer handles logical addressing?
Read the question carefully. We want the layer that understands logical addressing, not physical. A logical address, in the networking world, is an IP address. That can only mean one thing: the Network layer, number 3.
When sending data over TCP, what would you call the "bite-sized" pieces of data?
Well, I can't find a good mnemonic for what data is called at each layer; I think it's mostly about experience. Anyway, scroll up a bit and you will find the right answer. For TCP, the data is called "Segments".
[Research] Which layer would the FTP protocol communicate with?
Some googling and we have the right answer: it's the Application layer, 7.
Which transport layer protocol would be best suited to transmit a live video?
I remember a nice meme about Skype and how most of a video call is spent asking "Can you hear me?". A protocol that may lose data, but that's ok, we care mostly about speed. It's UDP.
Task 3
In this task we observe the encapsulation process of data in the OSI model. What happens here is that, from top to bottom, each layer adds its own header carrying the information that layer needs, which also enhances security. The complete packet is transmitted and, when received, de-encapsulated down to the actual payload.
How would you refer to data at layer 2 of the encapsulation process (with the OSI model)?
The only way to solve this question, and the rest that follow, is with the help of the image that the room provides. In this case, the right answer is "Frames".
How would you refer to data at layer 4 of the encapsulation process (with the OSI model), if the UDP protocol has been selected?
"Datagrams"
What process would a computer perform on a received message?
The reverse process of encapsulation is, you wouldn't imagine xD, de-encapsulation.
Which is the only layer of the OSI model to add a trailer during encapsulation?
While answering some questions in the previous task, I pointed out the importance of the Data Link layer. It is the last one before data is transmitted through the Physical layer, so a lot of important functions take place there. It is the layer that delivers the complete data stream to the cable, so it is also the one that "closes" the encapsulation process by adding a trailer along with its header.
Does encapsulation provide an extra layer of security (Aye/Nay)?
Aye, aye captain!
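To see the encapsulation steps from Tasks 2 and 3 in bytes rather than in a picture, here is an added example (my own code, not part of the room): a UDP datagram is wrapped in an IPv4 packet, which is wrapped in an Ethernet frame, and then unwrapped again. The MAC and IP addresses are constructed values, and the IPv4 header checksum is left at zero to keep the toy short. The only layer that adds a trailer is layer 2, the frame check sequence (a CRC-32 here), and that trailer is exactly what lets the receiving Data Link layer notice a frame that was corrupted in transit.

```python
import struct
import zlib

# Constructed addresses for the example (not from the room).
SRC_MAC = bytes.fromhex("02000000aa01")
DST_MAC = bytes.fromhex("02000000bb02")
SRC_IP = bytes([10, 0, 0, 1])
DST_IP = bytes([10, 0, 0, 2])


def encapsulate(payload: bytes, src_port: int = 40000, dst_port: int = 53) -> bytes:
    """Wrap application data in UDP, then IPv4, then an Ethernet frame (top-down)."""
    # Layer 4: an 8-byte UDP header in front of the data gives a datagram.
    udp_len = 8 + len(payload)
    datagram = struct.pack("!HHHH", src_port, dst_port, udp_len, 0) + payload
    # Layer 3: a 20-byte IPv4 header in front of the datagram gives a packet
    # (version 4, IHL 5, TTL 64, protocol 17 = UDP; header checksum left at 0 in this toy).
    total_len = 20 + len(datagram)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 17, 0, SRC_IP, DST_IP)
    packet = ip_hdr + datagram
    # Layer 2: a 14-byte Ethernet header in front AND a 4-byte FCS trailer behind give a frame.
    eth_hdr = DST_MAC + SRC_MAC + struct.pack("!H", 0x0800)   # EtherType 0x0800 = IPv4
    fcs = struct.pack("<I", zlib.crc32(eth_hdr + packet))     # the only trailer in the stack
    return eth_hdr + packet + fcs


def deencapsulate(frame: bytes) -> bytes:
    """Strip the headers again, bottom-up. Raises ValueError if the FCS does not match."""
    body, fcs = frame[:-4], frame[-4:]
    if struct.pack("<I", zlib.crc32(body)) != fcs:
        # The Data Link layer is where corruption in transit gets noticed.
        raise ValueError("FCS mismatch: frame corrupted in transit")
    packet = body[14:]                       # drop the Ethernet header
    ihl = (packet[0] & 0x0F) * 4             # IPv4 header length from the IHL field
    datagram = packet[ihl:]                  # drop the IPv4 header
    udp_len = struct.unpack("!H", datagram[4:6])[0]
    return datagram[8:udp_len]               # drop the UDP header, keep exactly the payload


def layer_sizes(payload: bytes) -> dict:
    """How many bytes the data occupies at each stage of encapsulation."""
    frame = encapsulate(payload)
    return {"payload": len(payload), "datagram": len(payload) + 8,
            "packet": len(payload) + 28, "frame": len(frame)}


def corruption_is_detected(frame: bytes) -> bool:
    """Flip one bit 'in transit' and check that de-encapsulation refuses the frame."""
    damaged = bytearray(frame)
    damaged[20] ^= 0x01                      # a bit inside the IPv4 header
    try:
        deencapsulate(bytes(damaged))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    f = encapsulate(b"hello")
    print(layer_sizes(b"hello"))
    print(deencapsulate(f), corruption_is_detected(f))
```

Run it and compare `layer_sizes` with the room's picture: the same five bytes grow by 8 at layer 4, by 20 more at layer 3, and by 14 plus 4 at layer 2, with the 4 being the trailer that the other layers never add.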
Task 4
Networking family time! We get to meet OSI's predecessor, the TCP/IP model. They may look pretty similar, but notice the differences at their highest and lowest levels.
Which model was introduced first, OSI or TCP/IP?
A lot simpler than the OSI model, TCP/IP was introduced some years before.
Which layer of the TCP/IP model covers the functionality of the Transport layer of the OSI model (Full Name)?
Transport is transport, no matter the model.
Which layer of the TCP/IP model covers the functionality of the Session layer of the OSI model (Full Name)?
OSI's Session, Presentation and Application layers are all included in TCP/IP's Session layer.
The Network Interface layer of the TCP/IP model covers the functionality of two layers in the OSI model. These layers are Data Link, and?.. (Full Name)?
Try not to get confused here. TCP/IP's Network Interface is NOT OSI's Network layer. Instead, it covers the Data Link and Physical layers.
Which layer of the TCP/IP model handles the functionality of the OSI network layer?
Stay focused: in the TCP/IP model, the network layer is called Internet.
What kind of protocol is TCP?
I hope you didn't miss the picture that describes the TCP 3-Way Handshake Process. One of my favorite things about TCP: it's Connection-based. Do you remember the Skype meme?
What is SYN short for?
My beloved handshake again; we said 3-way, right? It starts with the SYN, which stands for "Synchronise".
What is the second step of the three way handshake?
"Did you just send me a SYN? Do you ACKnowledge that?" The answer is SYN/ACK.
What is the short name for the "Acknowledgement" segment in the three-way handshake?
"Oh, yes sir. I ACKnowledge".
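The three steps above, as an added example that is not part of the room: a client and a server exchange SYN, SYN/ACK and ACK, and each side checks that the acknowledgement number it receives is its own initial sequence number plus one, which is what ties the three segments together. The class names and the initial sequence numbers are my own choices; the flags and the seq/ack arithmetic follow the TCP handshake as described in the task.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class Segment:
    flags: FrozenSet[str]      # {"SYN"}, {"SYN", "ACK"} or {"ACK"}
    seq: int                   # sequence number chosen by the sender
    ack: Optional[int]         # acknowledgement number, None when ACK is not set

    def name(self) -> str:
        # Print SYN before ACK so the combined flag reads "SYN/ACK".
        return "/".join(sorted(self.flags, key=lambda f: f != "SYN"))


class Client:
    def __init__(self, isn: int):
        self.isn = isn
        self.state = "CLOSED"

    def send_syn(self) -> Segment:
        # Step 1: SYN carries our initial sequence number (ISN).
        self.state = "SYN-SENT"
        return Segment(frozenset({"SYN"}), self.isn, None)

    def receive(self, seg: Segment) -> Segment:
        # Step 3: only a SYN/ACK that acknowledges ISN + 1 is ours; answer it with ACK.
        if seg.flags != {"SYN", "ACK"} or seg.ack != self.isn + 1:
            raise ValueError("unexpected segment in SYN-SENT")
        self.state = "ESTABLISHED"
        return Segment(frozenset({"ACK"}), self.isn + 1, seg.seq + 1)


class Server:
    def __init__(self, isn: int):
        self.isn = isn
        self.state = "LISTEN"

    def receive(self, seg: Segment) -> Optional[Segment]:
        if self.state == "LISTEN" and seg.flags == {"SYN"}:
            # Step 2: SYN/ACK acknowledges the client's ISN + 1 and carries our own ISN.
            self.state = "SYN-RECEIVED"
            return Segment(frozenset({"SYN", "ACK"}), self.isn, seg.seq + 1)
        if self.state == "SYN-RECEIVED" and seg.flags == {"ACK"} and seg.ack == self.isn + 1:
            self.state = "ESTABLISHED"
            return None
        raise ValueError(f"unexpected segment in {self.state}")


def handshake(client_isn: int = 1000, server_isn: int = 5000) -> Tuple[List[str], str, str]:
    """Run the full exchange; return the segment names in order plus both end states."""
    client, server = Client(client_isn), Server(server_isn)
    syn = client.send_syn()
    synack = server.receive(syn)
    ack = client.receive(synack)
    server.receive(ack)
    return [s.name() for s in (syn, synack, ack)], client.state, server.state


def bad_ack_is_rejected() -> bool:
    """An ACK whose number does not match ISN + 1 must not complete the connection."""
    client, server = Client(1000), Server(5000)
    server.receive(client.send_syn())
    try:
        server.receive(Segment(frozenset({"ACK"}), 1001, 4242))   # constructed wrong ack number
    except ValueError:
        return server.state == "SYN-RECEIVED"
    return False


if __name__ == "__main__":
    print(handshake())           # (['SYN', 'SYN/ACK', 'ACK'], 'ESTABLISHED', 'ESTABLISHED')
    print(bad_ack_is_rejected()) # True
```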
Task 5
We are about to get our hands dirty with one of the most, or probably THE most, used tools of the networking world. Ping!
What command would you use to ping the bbc.co.uk website?
Action starts here: ping bbc.co.uk
Ping muirlandoracle.co.uk. What is the IPv4 address?
You have to ping it if you want to get the answer. The address is 217.160.0.152.
What switch lets you change the interval of sent ping requests?
Try ping -h or man ping. You will find the answer, as well as what the "interval of sent ping requests" is. You are looking for -i.
What switch would allow you to restrict requests to IPv4?
Are you looking only for IPv4 addresses? Try -4.
What switch would give you a more verbose output?
I believe almost every terminal tool has this "verbose" option. And it's always -v.
Task 6
Another very useful and popular networking tool. With traceroute one can observe the "path" a request follows.
What switch would you use to specify an interface when using Traceroute?
Traceroute has man and help pages as well. There you will find that, if you need to specify an interface, you need the -i switch.
What switch would you use if you wanted to use TCP SYN requests when tracing the route?
We want to trace the first step of the 3-way TCP handshake. We can do that with the -T switch.
[Lateral Thinking] Which layer of the TCP/IP model will traceroute run on by default (Windows)?
Focus! TCP/IP model AND logical addresses. You are in the Internet layer.
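Tasks 5 and 6 use ping and traceroute without showing what travels on the wire, so here is an added example (my own code, not the room's) covering both: it builds an ICMP Echo Request the way ping does, verifies its checksum, and then simulates how traceroute discovers a path by sending probes with an increasing IP TTL, where each router decrements the TTL and the one that reaches zero answers with ICMP Time Exceeded. The router addresses are constructed documentation-range values, and the route itself is a stand-in for a real path; nothing is sent on a network. The TTL that drives the whole technique is a field of the IP header, which is why the answer to the lateral-thinking question is the Internet layer.

```python
import struct
from typing import List, Tuple

# Constructed path standing in for a real route (RFC 5737 documentation addresses).
ROUTE = ["192.0.2.1", "198.51.100.7", "203.0.113.9"]
DESTINATION = "203.0.113.200"
TIME_EXCEEDED, ECHO_REPLY, ECHO_REQUEST = 11, 0, 8


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (used by IP and ICMP headers)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes = b"ping") -> bytes:
    """ICMP type 8 / code 0; the checksum covers header and payload with the field zeroed."""
    header = struct.pack("!BBHHH", ECHO_REQUEST, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", ECHO_REQUEST, 0, csum, ident, seq) + payload


def echo_request_is_valid(msg: bytes) -> bool:
    """A receiver's check: right type/code and a checksum that sums to zero."""
    return len(msg) >= 8 and msg[0] == ECHO_REQUEST and msg[1] == 0 and inet_checksum(msg) == 0


def forward(ttl: int, route: List[str], destination: str) -> Tuple[str, int]:
    """Simulate the Internet layer: every router decrements TTL and drops the packet at zero,
    replying with Time Exceeded; otherwise the destination answers with Echo Reply."""
    for router in route:
        ttl -= 1
        if ttl == 0:
            return router, TIME_EXCEEDED
    return destination, ECHO_REPLY


def traceroute(route: List[str] = ROUTE, destination: str = DESTINATION, max_hops: int = 30) -> List[str]:
    """Probe with TTL 1, 2, 3, ... and record who answered, until the destination itself does."""
    hops = []
    for ttl in range(1, max_hops + 1):
        probe = build_echo_request(ident=0x1234, seq=ttl)   # Windows tracert-style ICMP probe
        if not echo_request_is_valid(probe):
            raise RuntimeError("malformed probe")
        host, icmp_type = forward(ttl, route, destination)
        hops.append(host)
        if icmp_type == ECHO_REPLY:
            break
    return hops


if __name__ == "__main__":
    for i, host in enumerate(traceroute(), start=1):
        print(f"{i:2d}  {host}")
```

The seq field in the probe is set to the TTL so that a reply can be matched to the hop that triggered it, which is also how a real traceroute tells its probes apart.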
Task 7
Can you ask "Who is Facebook?". Well, in a terminal strange things can happen!
What is the registrant postal code for facebook.com?
I told you, you just have to ask "whois facebook.com". Whois is such a gossipy tool. The answer is 94025.
When was the facebook.com domain first registered?
For people feeling old, facebook.com was first registered on 29/03/1997.
Which city is the registrant based in?
I know where you live, Microsoft. Redmond is the answer.
[OSINT] What is the name of the golf course that is near the registrant address for microsoft.com?
OSINT means Google time. Try Google Maps. There is a fine golf course near Microsoft's building; it's called Bellevue Golf Course.
What is the registered Tech Email for microsoft.com?
Scroll a bit and you will find msnhst@microsoft.com.
Task 8
One more interesting tool. We have some reading to do here but, believe me, information gathering is one of the most valuable skills in this field.
What is DNS short for?
I would say that the S in DNS stands for savior, as it saves us from a lot of trouble. But that's not the case, as DNS stands for Domain Name System.
What is the first type of DNS server your computer would query when you search for a domain?
If the domain is not already stored in your computer's local cache, the next step will be to request it from a recursive DNS server.
What type of DNS server contains records specific to domain extensions (i.e. .com, .co.uk, etc.)? Use the long version of the name.
Besides .com and .org, there are a lot of other extensions a domain can end with. Thus, every Top-Level Domain server handles only specific extensions.
Where is the very first place your computer would look to find the IP address of a domain?
Your computer's Local Cache may contain a lot of interesting information.
[Research] Google runs two public DNS servers. One of them can be queried with the IP 8.8.8.8, what is the IP address of the other one?
Seek and... answer. Besides the most popular 8.8.8.8 DNS server, there's also 8.8.4.4.
If a DNS query has a TTL of 24 hours, what number would the dig query show?
Networking time passes fast. Time To Live is measured in seconds, so you just have to compute 3600 x 24 = 86400.
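The lookup order this task describes (local cache, then a recursive resolver that walks root, Top-Level Domain and authoritative servers) and the 24-hour TTL question can be put together in one small simulation. This is an added example, my own code and not the room's: the zone data and addresses are constructed (documentation ranges), the resolver's cache stands in for the computer's local cache, and `now` is a plain integer clock so that expiry can be tested without waiting a day.

```python
from typing import Dict, List, Tuple

# Constructed zone data for the example (not real records).
ROOT = {"com.": "tld-com-server", "uk.": "tld-uk-server"}
TLD = {
    "tld-com-server": {"example.com.": "ns-example-com"},
    "tld-uk-server": {"example.co.uk.": "ns-example-co-uk"},
}
AUTHORITATIVE = {
    "ns-example-com": {"www.example.com.": ("192.0.2.10", 24 * 3600)},   # 24 h TTL -> 86400 s
    "ns-example-co-uk": {"www.example.co.uk.": ("198.51.100.20", 300)},
}


class RecursiveResolver:
    def __init__(self) -> None:
        self.cache: Dict[str, Tuple[str, int]] = {}   # name -> (address, absolute expiry time)
        self.trace: List[str] = []                    # which servers the last lookup asked

    def resolve(self, name: str, now: int) -> Tuple[str, int]:
        """Return (address, TTL in seconds as dig would show it) for `name` at time `now`."""
        self.trace = []
        name = name if name.endswith(".") else name + "."
        # Step 1: the cache, but only while the record has not expired.
        if name in self.cache and self.cache[name][1] > now:
            addr, expiry = self.cache[name]
            self.trace.append("cache")
            return addr, expiry - now                 # remaining TTL counts down
        # Step 2: a root server points us at the TLD server for the last label (.com, .uk).
        tld = name.rsplit(".", 2)[-2] + "."
        tld_server = ROOT[tld]
        self.trace.append("root")
        # Step 3: the TLD server points us at the authoritative server for the zone.
        zone_map = TLD[tld_server]
        zone = next(z for z in zone_map if name.endswith(z))
        auth_server = zone_map[zone]
        self.trace.append(tld_server)
        # Step 4: the authoritative server returns the record and its full TTL.
        addr, ttl = AUTHORITATIVE[auth_server][name]
        self.trace.append(auth_server)
        self.cache[name] = (addr, now + ttl)          # remember it until the TTL runs out
        return addr, ttl


if __name__ == "__main__":
    r = RecursiveResolver()
    print(r.resolve("www.example.com", now=0), r.trace)        # full walk, TTL 86400
    print(r.resolve("www.example.com", now=1000), r.trace)     # cache hit, TTL 85400
    print(r.resolve("www.example.com", now=86400), r.trace)    # expired, full walk again
```

The second call shows why a dig against a caching resolver rarely prints the full 86400: the number you see is what is left of the TTL at the moment you ask.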
Congrats, we just finished the first room! A lot of reading and some practice to build a strong knowledge base on networking.