NetWars Core is an industry leading multi-disciplinary cyber range that covers a wide range of subject matter. It is the most comprehensive and diverse of the NetWars focus areas. NetWars Core is recommended for all infosec practitioners.

NetWars Core Version 8 Overview

SANS NetWars Core Version 8 is a new and exciting Cyber Range from SANS. Featuring AWS cloud content and more — it has fun story driven challenges to keep you engaged in learning and practicing your essential cybersecurity skills. We’ve also eliminated the need to download large VM files locally — 100% browser based challenges!

NetWars Core Version 8 Story

A next-generation hacker, Trace R. Tee, was destined for great things until someone started messing with the timeline. Travel through time and assist a doctor in setting things right. Stop the bad actors, find out who’s behind the attacks on Trace, and become the new assistant the universe needs!

Example Topics in NetWars Core Tournament:

• Bash and PowerShell skills
• Windows and Linux memory forensics
• Web application challenges
• A “smart home” mobile application
• Vulnerable connected cameras
• Layer 2/DHCP attacks
• BloodHound for Active Directory analysis
• Kerberoasting as an Active Directory attack
• Injection attacks
• Windows exploitation
• Network traffic capture and analysis
• Command Line Kung Fu
• Penetration testing
• Advanced database hacking
• Common Management System vulnerability exploitation
• Reverse engineering and debugging
• Threat detection through log analysis
• Binary exploitation
• Windows and Linux privilege escalation
• Firewall fundamentals
• Cryptographic security and exploitation
• Fuzzing
• Advanced malware analysis
• Social engineering
• Intrusion detection
• WAF evasion
• Linux fundamentals
• Scanning/Enumeration

NEW TOPICS FOR NETWARS CORE V8:

• Linux and Windows basics
• DNS analysis
• Regular expressions
• Light and heavy web application testing (GraphQL included)
• Malware analysis on Windows with SysInternals
• Malware analysis on Linux with common Linux tools
• Exploit/shellcode development
• Network traffic analysis and manipulation with
  
  TCPDump, Wireshark, Tshark, Scapy, and Zeek
• Ngrok for reverse shell handling
• SOCKS proxy creation for pivoting
• Log4Shell exploitation of off-the-shelf
  
  (Apache Solr) and a custom application
• AWS credential abuse
• Kerberoasting in Windows Active Directory
• SMB fileshare exploration for sensitive information

Computer Requirements:

A modern web browser

Optional: Players may use their own systems and tools for certain challenges

NetWars Core Continuous is an extension of Core Tournament, meant solely for individuals, and covers an even wider range of subject matter for deeper skills assessment and practice. It is for all individual infosec practitioners and offers the convenience of 4 months of extended access, anywhere in the world.

Extended topics in NetWars Core Continuous include:

• Powershell offense, defense, survival
• API Manipulation
• Hash extension exploitation & Cryptographic security controls
• Linux terminal
• check file contents with head, tail, cat, less, and wc
• check OS version with uname and lsb_release
• verify basics with hostname and whoami
• searching environment variables with env and grep
• verifying user data with /etc/passwd
• testing file access controls with su
• elevated permissions with sudo
• file analysis with strings
• running process analysis with ps
• stopping processes with kill
• command history analysis with .bash_history and grep
• inspecting insecure password storage with recursive grep
• comparing files with diff
• modifying file permissions with chmod
• file integrity checking with md5sum
• Base64 encoding/decoding with base64
• output manipulation with sed, awk, rot13, sort, uniq, tr, and cut
• binary analysis with xxd
• task scheduling with cron
• PowerShell terminal
• filesystem analysis
• environment variable analysis
• running process analysis
• stopping processes
• Base64 encoding/decoding
• searching for files with given name/contents
• file integrity checking
• command history analysis
• compressed file manipulation
• loop operations
• conditional operations
• web requests
• alternate data streams (ADS)
• Packet capture analysis
• analysis with Wireshark
• file extraction from stream with Wireshark
• basic traffic filtering with Wireshark/Tshark display filters
• advanced traffic filtering with Wireshark/Tshark display filters
• malicious traffic identification
• HTTP(S) analysis
• identifying vulnerabilities and flaws with Wireshark and Tshark
• server-side JavaScript Injection (SSJS)
• SQL Injection (SQLi)
• Remote File Inclusion (RFI)
• Insecure File Upload
• Command Injection
• HTTP requests with cURL
• deobfuscating JavaScript with web browser developer tools
• manipulating JavaScript objects with web browser developer tools
• HTTP2 analysis
• vulnerability scanning with Nikto and wpscan
• cookie manipulation
• Network Analysis
• raw connections with netcat
• network connection status with netstat
• port and version scanning with Nmap
• secure file transmission with scp
• dynamic proxies
• malicious traffic matching with Snort
• packet capture with Tcpdump
• filtering traffic with Berkeley Packet Filters (BPF)
• DNS querying with dig, nslookup, and nsupdate
• network defense with iptables
• packet dissection and crafting with Scapy
• application fuzzing with boofuzz
• SMB connections with smbclient
• Penetration testing (system, network, and web application)
• password cracking with John the Ripper
• password guessing with THC Hydra
• password guessing with wfuzz
• exploit research with online, open databases
• exploitation with Metasploit
• SQL database exploitation manually and with SQLMap
• social engineering with the Social Engineering Toolkit (SET)
• cookie stealing with cross-site scripting (XSS)
• malware generation with msfvenom
• LDAP injection
• API manipulation
• deserialization attacks
• manual Windows vulnerability enumeration and exploitation
• privilege escalation
• Scripting
• Python scripting
• Perl scripting
• Forensics
• file forensics with Volatility
• file extraction with Scalpel
• Linux executable analysis with GDB
• Data analysis
• database analysis with SQLite
• regular expressions (regex)
• metadata analysis with exiftool
• PDF analysis with pdftotext
• JSON manipulation with jq
• QR code generation
• Cryptography
• securing data with gpg
• hash extension exploitation

Computer Requirements:
Processor
64-bit, x86, 2.0 GHz+

Memory
16GB*

HD
40GB+ Free

Operating System
Windows 10 or later, Mac OS 10.15 or later, Linux

Software for Range
VMware Virtualization

* 8GB is possible with reduced performance

NetWars Cyber Defense is specifically focused on cyber defense and threat detection; prevent, defend, and analyze increasingly more complex, real-world attack scenarios against your enterprise, from simplistic, brute-force attacks to ransomware campaigns.

Professionals who should consider taking NetWars Cyber Defense include experienced Security Administrators, Enterprise Defenders, Architects, Network Engineers, Incident Responders, Security Operations Specialists, Security Analysts, and Builders and Breakers.

Example topics in NetWars Cyber Defense Tournament include:

• Cyber Defense
• Threat Hunting
• Log Analysis
• Packet Analysis
• Cryptography
• Windows Administration
• Linux Administration
• Network Security Monitoring
• Continuous Security Monitoring
• Steganography

Computer Requirements:
Processor
64-bit, x86, 2.0 GHz+

Memory
16GB*

HD
40GB+ Free

Operating System
Windows 10 or later, Mac OS 10.15 or later, Linux

Software for Range
VMware Virtualization

* 8GB is possible with reduced performance

NetWars DFIR is specifically focused on digital forensics, incident response, threat hunting, and malware analysis, that is tool-agnostic, from low level artifacts to high level behavioral observations.

Professionals who should consider taking DFIR NetWars include experienced Digital Forensic Analysts, Forensic Examiners, Media Exploitation Examiners, Malware Analysts, Incident Responders, Threat Hunters, Security Operations Center (SOC) Analysts, Law Enforcement Officers, Federal Agents, Detectives, and Cyber Crime Investigators.

Example topics in NetWars DFIR Tournament include:

• Digital Forensics
• Incident Response
• Threat Hunting
• Malware Analysis
• SIFT Workstation (sans.org/tools/sift-workstation)
• Smartphone Forensics
• Windows Forensics
• MacOS and iOS Forensics
• Network Forensics
• Media Exploitation
• Artifact Analysis
• Rapid Triage
• Database Analysis
• Log analysis
• Malicious attacks
• Network traffic analysis
• Reverse engineering and debugging
• Intrusion detection

Computer Requirements:
Processor
64-bit, x86, 2.0 GHz+

Memory
16GB*

HD
200GB+ Free. Approximately 50GB download of evidence files and virtual machines.

Interface
USB 3.0 | Type-A or dongle with Type-A

Operating System
Windows 10 or later, Mac OS 10.15 or later, Linux

Software for Range
VMware Virtualization. Participants are expected to either provide their own forensics tools, or use the local VMware VM tools that we provide.

* 8GB is possible with reduced performance.

NetWars ICS is specifically focused on industrial control systems and operational technology. It employs a literal cookie factory to unite the ICS/OT factions over the one true sweet treat; nom nom cookies. End goal: get the factory machinery working correctly so you and your peers can be rewarded with fresh baked cookies. ICS NetWars will bring players onto the factory floor and expose them to physical equipment and manufacturing components as they work through the NetWars scenario.

Professionals who should consider taking ICS NetWars include experienced Process Control Engineers, ICS/OT cybersecurity practitioners working in operational facilities, and IT cybersecurity professionals supporting ICS environments.

Example topics in NetWars ICS Tournament include:

• Blue Team (Defender) actions
• Asset discovery and infrastructure mapping
• Identifying adversary actions
• log and file analysis
• Endpoint forensics
• ICS-specific malware detection
• Engineering application use
• Process restoration

Computer Requirements:
Processor
64-bit, x86, 2.0 GHz+

Memory
16GB*

HD
40GB+ Free

Operating System
Windows 10 or later, Mac OS 10.15 or later, Linux

Software for Range
VMware Virtualization

* 8GB is possible with reduced performance

NetWars GRID is similar to NetWars ICS in that it is focused on industrial control systems and operational technology. However, the NetWars GRID scenario is designed around the complex nature of distributed wide-area control systems found in critical infrastructure sectors like electric system operations. Utilizing a variety of real-world technologies found in electrical generation and distribution systems, the challenges are themed to the power system scenario, though the technology, protocols, architectures, and lessons learned are applicable across numerous critical infrastructure sectors beyond the electric sector.

Professionals who should consider taking GRID NetWars include experienced IT and OT cybersecurity professionals supporting SCADA communications and control, field technicians, instrumentation and control, ICS field or plant control systems, and control center OT support teams.

Example topics in NetWars GRID Tournament include:

• Adversary actions
• ICS Stage 1 and Stage 2 kill chain
• Spear phishing
• Command and control
• Credential theft
• Lateral and vertical movement
• Security configuration modification
• Process manipulation
• Situational awareness impacts
• Reliability effects
• System integrity impacts
• Blue Team (Defender) actions and Red Team (adversary) actions*

  *Variations of Netwars Grid exists

NetWars Mini is a text-based cyber range that is story-driven. It features rich storylines, hints, TAs and game servers similar to other NetWars ranges. However, NetWars Mini is browser based for easier access and deployment.

Example topics in NetWars Mini include:

• Linux command line tools and tricks
• Linux file system permissions and administration
• Command reference/main page treasure hunt
• JSON parsing with “jq”, including bash scripting and database loading
• Firmware analysis
• Reverse engineering/binary exploitation
• Packet captures and “tshark”
• OSINT/exposed Git exploitation
• MySQL analysis/exploitation
• Web app pen testing
• OSINT in social media, metadata, DNS records
• Bash script/menu exploitation
• Redis/PHP database exploitation
• COBOL analysis/programming
• HTTP request smuggling

Computer Requirements:
Internet Access and Chrome, Firefox, Safari, or Edge browsers.

NetWars Healthcare is based on the technologies and systems found in the medical field. It still features the rich storylines, hints, TAs and game servers as other NetWars ranges, but is browser-based for easier access and deployment.

Example topics in NetWars Healthcare include:

• Telemedicine and web app security
• EMR and incident analysis
• Medical device IoT security
• Ransomware analysis and decryption
• Hospital incident investigation with Windows domain event log analysis

Computer Requirements:
Internet Access and Chrome, Firefox, Safari, or Edge browsers.

All varieties of NetWars are PCTE compatible.

Persistent Cyber Training Environment (PCTE) is a training platform that supports Joint Cyberspace Operations Forces by providing individual sustainment training, team certification, mission rehearsal, and the foundation for collective training exercises. It leverages existing connectivity to facilitate the sharing of resources, and provides additional cyber “maneuver space.” PCTE enables realistic training with variable conditions to increase readiness and lethality of our Cyberspace Operations Forces, while standardizing, simplifying, and automating the training management process.

PCTE supports the United States Cyber Command (USCYBERCOM) by enabling a critical need for the DoD and Joint Cyberspace Operations Forces to train at the individual, team, and force level. PCTE is one of the five elements of the Joint Cyber Warfighting Architecture (JCWA), provides a comprehensive, integrated cyberspace architecture to achieve and sustain the insight, agility, and lethality necessary for maintaining a competitive advantage against near-peer adversaries. PCTE will integrate and be inter-operable with the other JCWA elements to enable teams to train and rehearse using the available JCWA operational tools and capabilities.

CyberCity is a hands-on, kinetic cyber range for learning how to analyze, assess, and defend control systems and operational infrastructure, as well as how to identify vulnerabilities that could result in significant kinetic impacts. It also guides students on strategies for conveying findings to leadership and public planners on the potential kinetic impacts of vulnerabilities and cyber attacks.

CyberCity is a 1:87 scale miniaturized physical city controlled by the same equipment found in cities and municipalities around the globe, featuring SCADA-controlled electrical power distribution, as well as water, transit, hospital, bank, retail, and residential infrastructures. CyberCity challenges participants to defend the city’s infrastructure from terrorist cyber attacks, and to use offensive tactics to retake or maintain control of critical assets.

The Cyber Situational Training eXercise (Cyber STX) is SANS’s premiere in-depth training and validation cyber range. Teams of participants engage in an active Red-on-Blue team battle. Cyber STX provides a week of intense attack and defense of the critical cyber terrain. The red team develops and deploys a comprehensive campaign based on one or more specific advanced persistent threat(s) (APTS), utilizing their same tactics, techniques, and procedures (TTPs) and Indicators of Compromise (IOCs) as the given APTs. The blue team is challenged to defend against the red team attack.

SANS instructors and teaching assistants (TAs) play the part of blue team coaches and red team/OPFOR operators, creating a highly realistic environment that can measure the capabilities of a blue team and its tools and communications, as well as the effectiveness of their TTPs. Additionally, the Cyber STX can take red teamer skills to the next level. SANS offers the Cyber STX on-site for private events, virtually in a cloud-based environment, or in a mixed mode with participants both local and remote. Cyber STX can include both Information Technology (IT) and Operations Technology (OT) infrastructures, depending on the specific environments participants are called on to protect. From an OT perspective, SANS runs Cyber STX missions with Industrial Control System (ICS) devices for power distribution, power generation, water refinement, port crane operations, manufacturing systems, and more.

Professionals who should consider taking Cyber STX include experienced Military groups seeking in-depth training and validation, cyber protection teams, government agencies with responsibilities for defending critical systems, and large private industry organizations protecting complex infrastructure.

In most cases, SANS is able to craft a custom range challenge to meet the needs of the customer. Custom range requests require a customer meeting with the Cyber Range team to scope the project and provide options. Additionally, during the meeting SANS will help define learning objectives, develop scorecards, and configure the content and platform.