Low-tech Tooling: Competing From a Device You Can’t Install Tools On

By Taisa



Do any of the following describe you?

  • You can’t access a computer during the Games, just your smartphone or tablet.
  • Your computer is a Chromebook.
  • You’re borrowing a computer and don’t have permission to install goodies on it.
  • You’re looking for cloud-based ways to collaborate with your team.
  • You’re not a cybersecurity student at all—never heard of Kali before—but your friend or teacher wrangled you into NCL, promising it would be fun. (That’s a good friend or mentor you’ve got there!)

The National Cyber League (NCL) Player Ambassadors have sometimes found themselves in situations that limited their tool use during the Games. They’ve played on the road(*), from the back of a minivan(*), on a boat(*), from a tablet(*).

I played my first NCL season in 2018 from a browser-only, older-model Chromebook that I couldn’t install any tools on.

If you’re wondering, “How much can someone even participate in the competition without installing any tools?”—here’s me-from-2018’s answer:

That’s over 65% completion by a newbie on a Chromebook. If it hadn’t been my first season, I suspect I’d have done better, but it’s safe to say that you can conquer more than half of the NCL challenges with just an Internet-connected device and a pocketful of dreams! (Note: You may need to forgo a bit of sleep due to having to work some things out on paper.)

How is that possible? Doesn’t Cyber Skyline recommend using Kali on a virtual machine (VM)(*)?

NCL and Cyber Skyline have long labored to make the Games accessible, not only to players of varying skill levels but also to players of varying resources and means. Accordingly, you’ll find built-in tools already embedded in some challenges, and many challenges will require problem-solving skills more than technical expertise.

A Kali VM may be the ideal environment to compete from, but—in cybersecurity especially—you’ll rarely find yourself in ideal situations. That doesn’t mean you’ll give up! It means you’ll take your paperclips and your piece of string and MacGyver your way to victory!

What are we as future cybersecurity professionals if not adaptable? There are always ten different ways to achieve the same end, and all of them (as long as they don’t compromise anyone’s environment or violate your sacred covenant with NCL) are correct!

Indeed, if there is one hill that I’d be willing to die on when it comes to cybersecurity, it’s that you should never trust a single source™. That 800-page Network+ study guide? It got some stuff wrong. Study from more than one guide. That tool that’s producing an answer you’re not 100% sure about? Verify it with a second tool. Last season, there was an NCL challenge that included this footnote to its description: “Note: Twitter post does not provide any additional information.” Except, that’s exactly where critical information was hiding!

I’m telling you, no singular source is to be trusted. That means that even if you are working in an ideal capture-the-flag (CTF) environment, browser-based tools are a great way to check your solutions or even troubleshoot your process. For instance, if DirBuster doesn’t seem to be busting, browser-based tools can help you narrow down where the problem is occurring *Old Woman Yells at ISP*.

Browser-based tools essentially allow you to use someone else’s computer, which can make up for deficiencies in your own environment. That said, it’s important to remember that you don’t know who that “someone else” is!

Before you go out to other websites for assistance, check that the URL you intend to visit hasn’t been flagged as unsafe—including the ones in this blog post, because you should never trust a single source™, not even this one!

Here are two browser-based tools to help you screen websites:
VirusTotal
Norton SafeWeb

Actual Pro Tip from @zxlin of Cyber Skyline in Fall 2020:

FINDING ADDITIONAL TOOLS

Cyber Skyline Slack
Most of the tools below are ones I’ve personally used, but several also came recommended by other players on the Cyber Skyline Slack.

If you’re not on the Cyber Skyline Slack yet, that’s definitely a browser-based tool you don’t want to miss! (Read Paul Buonopane’s tips for getting the most out of Slack here!)

OSINT Framework
OSINT Framework is an incredible, free, online infosec tool dedicated to helping you find other incredible, free, online infosec tools.

In the Wild
If you find yourself thinking, “I sure wish a browser-based tool existed for [task I’m trying to accomplish],” try Googling for it—it may exist! “But why even bother Googling for something improbable,” you ask, “like a browser-based tool that converts hex into a file or that triangulates the intersection point of three circles on a map? There couldn’t possibly be such things…”—au contraire, mon frère! The Internet will surprise you, and not always in bad ways.

Here are some good terms to include in a search to help uncover automated online tools:

  • identifier / reader
  • translator / converter
  • calculator
  • decoder
  • analyzer
  • geolocator

On This Blog
Browse through the Low-tech Tools tag!

SPECIAL NOTE FOR CHROMEBOOK USERS

Newer Chromebook models include a Linux terminal!!!

See the list of devices that support Linux (Beta).

Setup is simple! Just log into your Chromebook (because the feature is not supported when you browse as a guest), go into the settings for Chrome, and install Linux (Beta).

DISCLAIMER

These are not official tool recommendations from NCL or Cyber Skyline. The foremost recommendation is to use Kali on a VM(*), and the Gym offers additional suggestions for specific websites and tools. This is just a compilation of browser-based tools that I or other players have gotten some mileage out of.

Always use your own best judgment!

This list is nowhere near exhaustive! What tool(s) would you include?
Please share your recommendations on Slack *nudge-nudge* 😉 or in the comments!


BROWSER-BASED TOOLS SORTED BY DOMAIN

OPEN SOURCE INTELLIGENCE

Search Engines
Google is a popular go-to, but try DuckDuckGo and Bing for not just different results, but also for different operators for advanced searching.
Google
DuckDuckGo
Bing
• SecurityTrails – Exploring Google Hacking Techniques
• Ahrefs Blog – Google Search Operators: Complete List

Reverse Image Search
Did you know you can search the Internet using a picture as your search criteria? Some search engines like Bing and Yandex will even let you search for just part of an image! Look for the camera icon next to the search boxes.
Google Images
Bing Visual Search
Yandex
TinEye

Map Search
Click the little yellow dude in the bottom right-hand corner of Google Maps to virtually wander streets and view building exteriors at ground level.
Google Maps

Metadata Viewer
There are many different metadata viewing tools online, including ones for specific file types, e.g. images, documents, PDFs. Jeffrey’s Image Metadata Viewer comes recommended by Cyber Skyline for the Open Source Intelligence domain, and FotoForensics has several nifty tools in its toolkit. Scroll down to Forensics in this blog post for more!
Jeffrey’s Image Metadata Viewer
FotoForensics

WHOIS and DNS Queries
WHOIS and DNS queries return information on domain names, IP addresses, name servers, etc. Some tools are more verbose than others. These may also come in handy for the Scanning domain.
• ICANN Lookup – Domain Name Registration Data Lookup
DNS Checker
WHOis.net
• DomainTools – Whois Lookup

More OSINT Tools
Awesome OSINT is “a curated list of amazingly awesome open source intelligence tools and resources.”
• github.com/jivoi – Awesome OSINT


Read More on CryptoKait.com
JeanaByte – Google Fu: A Tour of Google Dorking
CryptoKait – Open Source Intelligence on How to Win Open Source Intelligence
Paul Buonopane – Open Source Intelligence for the National Cyber League Games

CRYPTOGRAPHY

More so than any other domain, with Cryptography I find situations in which only one in twenty tools will do the job, and in NCL it’s rarely the same tool twice. One season, I came across an online tool that could only perform the decoding portion of a challenge correctly, while a different online tool could only perform the encoding portion correctly, though in theory both tools should have been a one-stop shop. If you don’t seem to be getting results with one tool, try about a dozen others!

“The Cyber Swiss Army Knife” of Conversion Tools
I recommend practicing with this mega-set of tools designed by the British intelligence agency GCHQ before the Games start, because the number of features CyberChef contains can take a little getting used to!
CyberChef

Base Conversion
You’ll find other recommendations for online base conversion tools in the Gym, but my one true love is Multi-Dec’s Multi-Conv. “Convert text to/from ASCII in decimal, binary, hex, octal, base32, base64 … in all directions”—and on a single pane of glass! ❤
Multi-Conv

Decoding
Once you get used to the layout, dCode’s powerful and exhaustive set of decoding tools is second-to-none!
dCode

Fictional Alphabets
That strange language you’re trying to decipher won’t necessarily be on Omniglot, but Omniglot can still serve as great inspiration for coming up with the right search terms to track down what you’re looking for.
Omniglot

Steganography
Without the ability to install tools on your device, Steganography won’t be your #1 jam in NCL, but occasionally an online tool will crack a Stego challenge, and just those few extra points can rocket you up the leaderboard several places. Try running the image through these tools, and also search for any new browser-based tools that may have come out.
CyberChef (try Extractor > Extract Files)
StegOnline
James Stanley’s Image Steganography
They Live Steganography
StegoSaurus
Photopea (check Layers)

If your Chromebook supports Linux (Beta)
Try installing steganography tools like steghide, foremost, and zsteg. 0xRick has a neat list of command-line (and other) steganography tools to try.

Read More on CryptoKait.com
CryptoKait – An Introduction to Cryptography

PASSWORD CRACKING

Hash Identifier
Not sure what sort of hash you’re looking at? The TunnelsUp Hash Analyzer may be able to help, or you can also try a manual comparison using hashcat’s “Example hashes” page.
• TunnelsUp – Hash Analyzer
• hashcat – Example hashes

Hash Calculator
Similar to my lovey-dovey at Multi-Dec, Browserling offers a single-pane-of-glass solution for generating hashes. Just be careful to copy the right hash to your clipboard! (Because I’ve never made that mistake… *avoids eye contact*)
• Browserling – All Hash Generator

Password Hash Crackers
CrackStation will uncover the majority of simpler passwords. For trickier NTLM hashes, use the cloud version of Ophcrack if you can, but be aware that it often has a queue and sometimes goes down—once for an entire competition weekend! I’d recommend starting with Ophcrack early in the competition and during off hours.
CrackStation
Ophcrack

Read More on CryptoKait.com
MistressVenom – Online Password Cracking

LOG ANALYSIS

Ye Olde-Fashioned Way
Cyber Skyline provides a built-in text viewer for most of the logs. If it’s a small log, you may be able to sift through it manually. Use CTRL + F with it to find things faster.

Notepad
Sometimes when doing Log Analysis, there’s nothing I want more than a no-frills notepad. Type this into your browser’s URL bar (where the address of an HTTP/S website would normally go) to turn that browser tab into a notepad:

data:text/html,<html contenteditable>

Spreadsheets
CryptoKait has pro tips for doing Log Analysis in Excel, which you might want to try out in Google Sheets!
Google Sheets

Command-line Terminal
If you’re not on a Chromebook that supports Linux (Beta), there is a remarkable online Linux terminal, linked below, which you can upload your log files to, and it comes with the bc tool already installed! *giddy* You can’t install any tools that aren’t already there, but in Fall 2020 I was able to complete every NCL Log Analysis challenge using Fabrice Bellard’s JSLinux as-is. Be sure to check out the FAQ—it includes tips for how to change the screen size and make other modifications.
• Fabrice Bellard – JSLinux
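
As an added illustration (not from the original post or from any NCL challenge), here is the kind of counting that log questions usually call for, done with only the standard tools (awk, sort, uniq, head) that a minimal Linux terminal normally includes, so nothing has to be installed. The log lines are constructed for this example and the function names are made up.

```shell
#!/bin/sh
# Constructed sample web access log (combined log format), embedded so
# the script runs offline. In practice you would feed in your own file:
#   unique_ips < access.log
sample_log() {
cat <<'EOF'
192.0.2.10 - - [03/Oct/2020:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
192.0.2.10 - - [03/Oct/2020:10:00:02 +0000] "GET /about.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Oct/2020:10:00:05 +0000] "GET /admin HTTP/1.1" 404 312 "-" "curl/7.68.0"
198.51.100.7 - - [03/Oct/2020:10:00:06 +0000] "POST /login HTTP/1.1" 401 128 "-" "curl/7.68.0"
203.0.113.5 - - [03/Oct/2020:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Oct/2020:10:00:11 +0000] "POST /login HTTP/1.1" 200 540 "-" "curl/7.68.0"
EOF
}

# Whitespace-split fields in this format:
#   $1 = client IP, $7 = requested path, $9 = status code, $10 = bytes sent

# How many distinct client IPs appear in the log?
unique_ips() {
    awk '{print $1}' | sort -u | wc -l | tr -d ' '
}

# Which IP sent the most requests?
top_ip() {
    awk '{print $1}' | sort | uniq -c | sort -rn | head -n 1 | awk '{print $2}'
}

# How often does each status code occur? Prints "code count" per line.
status_counts() {
    awk '{print $9}' | sort | uniq -c | awk '{print $2, $1}'
}

# Which requests ended in a 4xx client error? Prints "ip path status".
client_errors() {
    awk '$9 ~ /^4/ {print $1, $7, $9}'
}

# Total bytes sent across all responses.
total_bytes() {
    awk '{sum += $10} END {print sum}'
}

echo "unique IPs:    $(sample_log | unique_ips)"
echo "busiest IP:    $(sample_log | top_ip)"
echo "total bytes:   $(sample_log | total_bytes)"
echo "status codes:"
sample_log | status_counts
echo "client errors:"
sample_log | client_errors
```
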

Regex Testing
When you’re parsing your logs using the command line, this browser-based tool will help you figure out if you’re getting your regex right. It even includes a handy quick reference guide!
regular expressions 101

User Agent Parser
This online tool can decipher the strange, alien language of user agent strings:
• WhatIsMyBrowser – Parse a User Agent String

SQLite Database Viewer
You may have run into a Gym challenge which asked you to analyze a SQLite database file. Just as an example of the kinds of awesome, browser-based tools that exist for specific tasks and file types, try solving that challenge using this online SQLite database viewer:
SQLite Online

Read More on CryptoKait.com
• WebWitch – Leaping into Log Analysis
• John McGill – Sharpening the Axe: How to Cut and Carve Logs in the NCL
• Taisa – Command-line Log Analysis FOR THE WIN (Blog Series)

NETWORK TRAFFIC ANALYSIS

Packet Analyzer
Cyber Skyline includes a built-in tool for the Network Traffic Analysis challenges called CloudShark—and it’s out for blood! *rimshot* CloudShark has built-in analysis tools (such as Zeek, which generates logs automatically); you can apply any of the Wireshark filters; you’re able to follow streams; you can use CTRL + F to find packets in the center pane; and the “frame contains” filter will search the contents of all packets for any word you supply. Here are some helpful reference guides for using filters in CloudShark:
• CloudShark – Using filters for navigation and sharing
• CloudShark – Search for *anything* in a capture
Wireshark DisplayFilters

PCAP Analysis
From the makers of VirusTotal comes PacketTotal, an online tool which “leverages multiple detection engines to locate suspicious traffic, enumerate protocol information, and extract artifacts found within pcap files.” It’s as cool as it sounds and will help you to notice things, but you’ll still need to know what you’re looking at, so check the Read More on CryptoKait.com blog post linked at the bottom of this section for some pro tips from ghostinth3machine. My don’t-tell-anyone pro tip is this: If you have a .cap file extension and rename the file to have a .pcap file extension instead, PacketTotal will let you upload it.
PacketTotal

Subnet Calculator
These are the ones I use, but Google around if you’re at all dissatisfied, because there are lots of similar tools out there:
IP Subnet Calculator
• ARIN – CIDR Calculator

Read More on CryptoKait.com
ghostinth3machine – Spotting Anomalies in PCAPs

FORENSICS

Metadata Viewer
Try Googling for a metadata viewer specifically for the type of file you’ve got. Here’s one for images, and another for .docx files:
FotoForensics
• GroupDocs – DOCX Document Metadata Editor & Cleaner

Hex Editor
This hex editor can help you analyze small files, but what’s extra cool is that if you open more than one file and right-click one of the tabs, there’s an option to compare the two files for differences.
Hex-works

Command-line Terminal
If you’re using a Chromebook and can set up Linux (Beta), that will be your best bet. The online JSLinux terminal will limit your options because you can’t install tools on it, and it doesn’t come with things like exiftool or binwalk, but you’ll still be able to unzip archives, check file types, compare md5sums, and possibly do some interesting things with the mount command.
JSLinux

Read More on CryptoKait.com
NCL just recently introduced its Forensics domain in Fall 2020. Watch the blog this season, because we’ll be debriefing Hush1e and Paul Buonopane on what they learned!

SCANNING AND RECONNAISSANCE

Directory Enumeration
Always check for a robots.txt file to see if there are any pages not directly linked to the main page.

Directory Enumeration – Brute Force Edition
Pay attention to any themes you’ve noticed throughout the Game—are there a lot of challenges related to a certain holiday, meme, video game, etc.? One time, I brute-forced my way into 4 out of 5 directories just by guessing their names based on the theme that season. (Meaning, I manually typed URL guesses out in the browser until I found flags. I’m both proud and not proud of that. Please don’t judge me.)

Port Scanner
Doing port scanning for free online requires a little elbow grease on the UDP side of things, but it can be done!
• hidemy.name – Port scanner (TCP)
• STANDING Tech – Port scanner (UDP)

Running Services
Try visiting websites at their open ports to gain intelligence on the running service.

Read More on CryptoKait.com
If you’re using a Chromebook with Linux (Beta) installed, try using nmap:
WebWitch – Intro to Scanning for the National Cyber League Games

WEB APPLICATION EXPLOITATION

Fingerprinting
The browser-based tool below can help you run passive scans. If you’re on a Chromebook and you have permission to install browser extensions, you can install WhatWeb and Wappalyzer directly and also look around for other web app analysis extensions to try.
• Hacker Target – WhatWeb & Wappalyzer Scan

Source Code
Right-click on the body of a webpage and select “View page source” to get a gander at the source code.

Developer Tools
Chrome and Firefox both have a set of tools built-in to help web developers with design and debugging. Right-click on the body of a webpage and select the option to “Inspect.”

SQL Injection
Knowing SQL could come in handy. Try these resources for learning SQL to help you get started:
SQL Zoo
• w3schools.com – SQL Tutorial
• SQL Tutorial – SQL Cheat Sheet

Read More on CryptoKait.com
Paul Buonopane – Breaking Web Applications for Beginners

ENUMERATION AND EXPLOITATION

Code Detector
You can usually determine what programming language you’re looking at by Googling the names of built-in functions that seem unusual or unique—and you may need to do that if NCL throws you a curve ball—but this online tool can help with identifying common languages:
Code Detector & Formatter

XORing
XORing by hand is good, clean fun for the whole family, and I’ll be the first to lament a missed opportunity to fleXOR my XOR, but—only because you’re in a time crunch during the Games—you might want a browser-based tool to help you perform those calculations.
XOR Calculator
CyberChef (Arithmetic/Logic > XOR)

Unicode Lookup
I started out doing Unicode conversions manually using the pictured table! (Again, #proudnotproud.) If you’re not completely comfortable using a programming language yet (which I wouldn’t know anything about *avoids eye contact*), then this browser-based tool is a gentle introduction to Unicode code point values, and a bit less manual than the table:
Unicode Lookup

Python
Python is widely used, in demand, and generally accepted as the best programming language to learn first, so you’ll definitely come across it during the Games (and in your careers!). If you pick up just one language, make it Python. Once you know Python, you’ll be able to unravel the mysteries of other languages, too. All programming languages are basically extensions of the same underlying computer logic and just using different syntax to represent it. Learning Python will give you an excellent glimpse into the way computers think.
• OnlineGDB – Online Python Compiler
• repl.it – a free, collaborative, in-browser IDE
• Free Beginner Python Training:
— Sololearn’s bite-sized training modules – for learning on your phone and on the go
— NCL Player Ambassador wolfshirtz – Beginner Python Bootcamp
— Python Tutor – Visualize Code Execution – shows you what’s happening as the computer runs each line of code

Decompiler and Disassembler
A decompiler takes an executable file and tries to turn it back into source code. A disassembler is similar, converting a binary into assembly language. Basically, these tools try to turn machine-level code into something more human-readable.
Decompiler.com
Online Disassembler

Binary Analysis
Binary Ninja Cloud is a “completely free, online, collaborative reverse engineering suite, which uses Binary Ninja for analysis.” Its goal is to collect data on how people reverse engineer software, to inform machine learning and create a product that performs RE automagically.
Binary Ninja Cloud

Read More at CryptoKait.com
WebWitch – Turning That Code Inside Out: A Look at Reverse Engineering


PARTING THOUGHT

Not having a device you can install tools on means you’ll face some unique challenges.

We’re rooting for you to find creative solutions.
