Open Source Intelligence on How to Win Open Source Intelligence in the National Cyber League Games


When I am coaching a group of students for the first time, I always start with the Open Source Intelligence category. Ok, that’s a lie. Let me start over.

Whenever I am coaching a group of students (first time, second time, or tenth time), I always start with Open Source Intelligence (OSI or OSINT). For me, this is the best warm-up exercise to get the juices flowing.

The first thing you must know about OSI is what that phrase means. Open source intelligence is information or data that can be collected from publicly available sources.

Once my students understand that, I like to post a few of the following questions:

  • How would you find out how many inches are in a kilometer?
  • How would you discover the distance between the Earth and Mars.
  • Where would you look to find out the birthday of your favorite celebrity?

I’ll usually continue with this line of questioning until the group knows that the answer to every question is “Google it.”

Just Google It

“Just Google It” is my publicly proposed alternative title for the OSINT section of the NCL Games. This section is based entirely on security trivia or easily researched skills. It should be a low stress category and is the BEST place to start for the person brand new to Information Security.

It’s here I like to add a small caveat. Occasionally, the NCL Game-makers will design an especially hard OSINT trivia challenge. I like to make sure my students know that not being able to find the specific answer NCL is looking for does not make you dumb or incapable. (As someone who is highly critical of myself, I know it can make you feel that way when others try to tell you this is the “easy” category.)

As with all challenges in the NCL Games, if you get stuck for too long or begin to feel frustrated, the best thing you can do is just move on. You can always come back to it later, but don’t let the challenge get the best of you.

So How Can I Prepare?

OSINT is a difficult to predict category. You could try to learn every single detail and fact about every single vulnerability or hacker that has ever existed, but honestly, that’s a lot of work for very little reward. Ultimately, I recommend learning the advanced google operators. A quick google search of my own found this resource, but feel free to search for your own. After all, you will spend a lot of time googling in this category.

Below, I have included some practice challenges to give you an idea of what you might run into in the NCL Games. The following tips, while fantastic for NCL OSINT, apply to every challenge in the game.

Practice Challenges & Pro Tips

Threat Intel

Answer the following questions about security issues. Try your answers here.

  1. (25 points) What is the CVE of the original POODLE attack?
  2. (25 points) What version of VSFTPD contained the smiley face backdoor?
  3. (25 points) What was the first 1.0.1 version of OpenSSL that was NOT vulnerable to heartbleed?
  4. (25 points) What was the original RFC number that described Telnet?
  5. (25 points) How large (in bytes) was the SQL Slammer worm?
  6. (25 points) Samy is my…

Email Header

We have intercepted an email sent between hackers. See what you can find out. Try your answers here.
(use file: NCL-OpenSource-EmailHeader.txt )

  1. (15 points) What is the recipient’s email address?
  2. (15 points) What is the sender’s email address?
  3. (15 points) What IP address retrieves the email?
  4. (15 points) What is the content type of the message?
  5. (15 points) What version of MIME is being used?
  6. (15 points) What day of the week was the message received?

Pro Tips:

You should always look to the category and challenge names for clues. In this instance, knowing what an “Email Header” is could prove helpful, although I did not know what it was when I first saw this challenge.

Most of these are relatively easy to find by skimming the file above. During the actual season, I copied and pasted this text into a notepad file so I could use “Ctrl+F” to search the document for multiple instances of keywords.

For coaches, this is also a good section to talk about persistence, process of elimination, and navigating the Cyber Skyline competition portal. I won’t tell you how to coach these topics as each instructor will take a different approach. If you are reading this as a student, I’ll be brief.

Take a break when stumped, but don’t give up. If there are only four IP addresses in the file and the question asks for an IP address, try the process of elimination and see if you can capture those points (but TRY to figure out WHY that was the correct answer if you use this approach). And definitely make sure you complete the tutorial in Cyber Skyline if it’s your first game. I used to have to coach this, but Cyber Skyline has created a pretty fantastic tutorial for you to use within the platform.

Remember, Cyber Skyline will have a button on the left that will allow you to see all previous attempts. Use this to not waste tries on the same answers more than once.

What Else Might I See in OSINT?

I’ve seen so many different challenges in this category. From extracting metadata on images to calculating subnets to cron jobs to searching for google images of a company to find that one time they took a marketing picture and someone had written the wifi password in the corner of a whiteboard in the background.

At the end of the day, expect anything, but ultimately, use this category to have some fun as a newbie or score some easy points before you try harder challenges.

2 thoughts on “Open Source Intelligence on How to Win Open Source Intelligence in the National Cyber League Games

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.