CHAPTER 3
DOI: 10.15587/978-617-8360-16-0.CH3
Bohdan Mali skyi, Oleksand Che epo , Vasyl Rizak, Mykhailo Rizak
© The Author(s) of chapter, 2025. This is an Open Access chapter distributed under the terms of the CC BY license
CYBER POLYGON AS A TOOL FOR TRAINING CYBERSECURITY
PROFESSIONALS
Abstract
The continuous escalation of cyber threats and the evolution of attack methods on information systems necessitate the training of highly skilled cybersecurity professionals who can effectively respond to real-world threats. There is a need for training programs that provide students not only with theoretical knowledge but also with practical experience in countering cyberattacks. Cyber polygons serve as a critical tool in preparing professionals, enabling students to develop vulnerability assessment skills and implement defense strategies in an environment that simulates real-world attack and defense scenarios.
This study is based on the cyber polygon of the Department of Solid-State Electronics and Information Security, which includes a comprehensive suite of training scenarios covering various aspects of cybersecurity. Three key scenarios are outlined in this work. The first involves web application vulnerability scanning using Qualys, allowing students to learn risk assessment and develop recommendations for enhancing security. The second scenario utilizes Metasploitable 2 as a simulation platform for practicing network attack and defense techniques. The third scenario, developed in collaboration with UnderDefense, involves tasks related to GitLab and Active Directory, where students engage in ethical hacking within a corporate infrastructure.
Through the use of the cyber polygon, students gain practical skills in vulnerability detection, risk assessment, and the application of comprehensive protection methods. They also acquire experience in managing Active Directory infrastructure, using LDAP for remote access, analyzing GitLab security, and performing attacks in realistic network environments. Team competitions and work on various scenarios enable students to master both offensive and defensive techniques, including brute forcing, remote code execution (RCE), Server Message Block (SMB), and local privilege escalation (LPE), strengthening their preparedness for careers in cybersecurity.
The training scenarios developed on the basis of the department’s cyber polygon provide students with the necessary experience to work in the field of cybersecurity, deepening their understanding of risks and protection methods. The skills acquired enhance their competitiveness in the job market, equipping them to address information system security challenges in contemporary environments. The cyber polygon not only builds professional competencies but also fosters teamwork and strategic thinking, which are critically important for a successful career in cybersecurity.
PROFESSIONAL EDUCATION AND PERSONNEL TRAINING
KEYWORDS
Cyber polygon, cybersecurity, vulnerabilities, Active Directory, GitLab, Qualys, Metasploitable 2, ethical hacking, risk assessment, team competitions, Kerberoasting, pentesting, web application security, RCE, SMB, privilege escalation, LLMNR, educational process, practical training.
In today’s world, cybersecurity occupies a central position among the strategic directions in the development of information technologies. The rising number of cyber threats and the rapid sophistication of cybercriminal tactics underscore the demand for skilled professionals. Each year, there is an increase in attacks on corporate, government, and personal systems, highlighting the need for experts who are capable not only of protecting networks and infrastructures but also of anticipating potential threats. To meet these needs, students must acquire not only theoretical knowledge but also practical skills in identifying vulnerabilities and securing systems under realistic conditions.
The primary objective of this chapter is to describe the methodology of cybersecurity training facilitated by the cyber polygon of the Department of Solid-State Electronics and Information Security. This cyber polygon provides students with the opportunity to study modern security tools while immersing them in practical attack and defense scenarios, which strengthens their knowledge and enhances their analytical and technical skills.
The chapter presents the training methods utilized within the cyber polygon, including the use of specialized tools and the organization of team competitions, which aid students in mastering ethical hacking and cyber defense skills.
The Department of Solid-State Electronics and Information Security (hereinafter, SSEIS) at Uzhhorod National University actively incorporates the cyber polygon into the educational process to ensure the practical preparation of students. This cyber polygon, developed using the latest technologies and methodologies in cybersecurity, serves as the foundation for training students through the simulation of real-world scenarios. It allows students not only to study the theoretical foundations of information security but also to apply their knowledge in practice, providing better preparation for their future careers.
The chapter is organized into several key sections, each detailing a specific aspect of the training process on the cyber polygon. The first section provides a detailed description of the cyber polygon and the principles behind its operation. Subsequent sections focus on specific training scenarios: the methodology of vulnerability scanning using the Qualys system, which enables students to gain skills in analyzing the security of web applications; the process of setting up a local network and establishing conditions for team competitions involving attack and defense exercises, demonstrated through the use of Metasploitable 2. The final section explores a new scenario developed in collaboration with UnderDefense, where students work with GitLab and Active Directory, learning contemporary methods of attack and defense within corporate systems.
3.1 Overview of the cyber polygon
The SSEIS cyber polygon is a multifunctional environment designed to simulate real-world cyber threat scenarios and train individuals in effective response techniques. The main objectives of the cyber polygon include: developing students’ professional skills and advancing the qualifications of cybersecurity specialists; conducting scientific research and testing new information protection technologies; training and retraining government employees, municipal officials, and military veterans in cybersecurity; and promoting cybersecurity awareness and the profession of cybersecurity experts.
The cyber polygon is tailored to practical exercises, covering aspects of ethical hacking, network science, and infrastructure protection. Within this environment, various scenarios of differing complexity are implemented, bringing students closer to the actual challenges faced by cybersecurity professionals. These scenarios allow participants to refine their offensive and defensive skills, fostering critical and strategic thinking, quick decision-making, and adaptability in the face of cyber incidents.
All scenarios on the cyber polygon closely resemble real-world cases and encompass a full spectrum of tasks that cybersecurity professionals may encounter. Training tasks include both offensive techniques (such as port scanning and vulnerability exploitation) and defensive measures (such as firewall configuration, blocking suspicious IP addresses, and traffic monitoring). Each scenario is designed to build skills in risk assessment and the development of corresponding defense strategies.
The SSEIS cyber polygon consists of an extensive architecture that incorporates various devices and network equipment, providing both attack and defense teams with the necessary resources to simulate cyberattacks and defensive measures. The cyber polygon’s architecture is segmented between devices for the defense team and devices for the attack team, enabling the setup of symmetrical engagements in a secure environment.
The cyber polygon includes several types of devices for the blue team (defense), each serving a specific function:
1. Workstations for each defense team member: these workstations allow each defense team member to carry out tasks such as traffic analysis and attack detection and blocking. They are configured to handle complex monitoring and data processing tools that require high computational power and efficiency. The technical specifications of the workstations are as follows:
– CPU: Quad Core Processor or higher, ensuring fast processing of large data volumes and supporting multitasking;
– RAM: minimum of 8 GB, essential for the stable operation of traffic analysis and monitoring applications;
– storage: 128 GB SSD or more, providing quick data read and write speeds during attack simulations;
– graphics adapter: any type of graphics adapter to support graphical interfaces of monitoring software.
2. Honeypots: honeypots serve to create deceptive targets for the attack team. Placed within the operational network, these devices mimic active systems without actual functionality, which can confuse attackers and lead them to spend time investigating these decoys. This approach allows the defense team to focus on real threats while using honeypots to enhance analytical thinking.
The technical specifications of honeypots include:
– CPU: Dual Core Processor or better, as the workload on these devices is minimal;
– RAM: 2–4 GB, sufficient for supporting basic system functions;
– storage: 64 GB SSD, providing adequate storage for minimal functionality.
3. Server – core of the defense system: the server is the main asset to be protected, housing the target data. As the primary target of the attack team, the defense team’s role is to ensure its security and operational stability. This server typically handles high traffic volumes, making it a potential target for DDoS attacks. To withstand such attacks, the server is equipped with high-level resources. The technical specifications of the server are as follows:
– CPU: Quad Core Processor or higher, to endure heavy loads;
– RAM: minimum of 16 GB, necessary for processing intensive traffic and maintaining stability under DDoS conditions;
– storage: 256 GB SSD, providing sufficient speed and storage capacity for safeguarding critical data.
On the cyber polygon, laptops serve as endpoints for the red team (attackers), allowing team members to simulate various types of attacks and attempt to gain access to the protected resources of the defense team. The red team’s tasks involve network scanning, vulnerability discovery, executing attacks, and penetrating the target server.
Laptops for Attack Team Members: Each member of the attack team is provided with a personal laptop, enabling them to perform different types of attacks, such as port scanning, identifying vulnerable services, and utilizing exploits to penetrate the network. These tasks require high-performance devices to ensure smooth operation of attack and scanning tools. The technical specifications of the laptops used by the attack team are as follows:
– CPU: Quad Core Processor or higher, allowing fast data processing and efficient operation of attack software;
– RAM: minimum of 8 GB, essential for stable performance of scanning tools like nmap, Metasploit, and others;
– storage: 128 GB SSD or more, ensuring quick access to saved data and scan results;
– graphics adapter: basic graphics card, sufficient to support the interface of scanning and attack simulation tools.
Role of virtual machines in Attack Team tasks: all actions by the attack team are performed on virtual machines within VirtualBox, ensuring the security of the cyber polygon’s primary infrastructure and allowing quick system resets to the initial state. Each team member uses a virtual machine running Kali Linux, a specialized distribution for security testing. Kali Linux includes a suite of attack and analysis tools, such as nmap, Metasploit, and Wireshark, enabling the red team to conduct a full attack cycle.
Tools used by the Attack Team:
– nmap: for network scanning, identifying active endpoints, open ports, and services;
– metasploit: for executing exploits and testing server and network device vulnerabilities;
– Burp Suite, Hydra, SQLmap: additional tools for web application attacks, password brute-forcing, and database vulnerability analysis.
With this setup, the attack team can simulate full-scale cyber threats, allowing participants to develop practical ethical hacking skills and understand strategies for attacking network infrastructures.
Various types of networking equipment are used to integrate all devices on the cyber polygon into a single network and control access. The cyber polygon includes firewalls, switches, and routers, enabling the creation of a multi-layered network with high levels of security and flexibility:
1. Firewall: the Cisco ASA 5506 firewall is used on the cyber polygon to protect the defense team’s network from external attacks and control access to it. The firewall is a primary security tool, as it limits the red team’s access to the defense network, reducing the likelihood of unauthorized intrusion.
Key specifications of the Cisco ASA 5506:
– Data Transfer Rate: 750 Mbps, providing a stable connection during high-traffic attack simulations;
– Firewall Throughput: 250 Mbps, enabling the processing of a large number of network requests;
– IDS/IPS Throughput: 125 Mbps, allowing the use of intrusion detection and prevention tools effectively;
– Ethernet Ports: 9, supporting the connection of various defense team devices and protecting the network infrastructure;
– VPN Connections: Up to 50, enabling secure access channels between subnetworks;
– VLAN Connections: Up to 30, facilitating the creation of virtual networks for improved isolation of defense team devices.
The Cisco ASA 5506 allows for the configuration of firewall rules that can restrict access to critical network components and control traffic between subnetworks. Depending on the training scenario, firewall configuration can be performed either by instructors or students, providing hands-on learning opportunities.
2. Switches: switches are used to connect the endpoints of both the attack and defense teams into a unified network. Operating at the data link layer of the OSI model, switches facilitate efficient data transfer between devices within the same team. Switches also support network segmentation, providing flexibility in configuring the network environment for both teams.
3. Routers: routers enable connectivity between the subnets of the attack and defense teams, creating a unified network that allows for interaction between the two teams. This setup is essential for executing various attack types that require direct connections between networks. The cyber polygon utilizes Cisco and D-Link routers, supporting both static and dynamic routing modes, which offer adaptability during simulations of different threat types.
To ensure the cyber polygon’s security, the networks of the attack and defense teams are fully isolated from the department’s real network, mitigating risks related to infiltration into the corporate or external networks. Network isolation provides participants with complete freedom to interact with vulnerable systems and model attacks, ensuring that training outcomes have no impact on the department’s core infrastructure.
All practical tasks on the cyber polygon are carried out in a virtualized environment using the VirtualBox platform, ensuring infrastructure security and flexibility in scenario configuration. The use of virtual machines allows for quick creation and restoration of training environments, granting participants full autonomy within a secure and isolated setting.
The use of VirtualBox in conjunction with Kali Linux enables the creation of reproducible environments for each student or group of students. Instructors can prepare virtual machines with a pre-installed suite of software and network configurations tailored to specific training scenarios. Upon completion of each session, the system can be reverted to its initial state using snapshots, eliminating the need for prolonged setup times.
Virtualization and the specialized software Kali Linux provide students with a unique opportunity to work with real cybersecurity tools in a secure environment that closely simulates the actual working conditions of a professional.
The network topology created for the SSEIS cyber polygon is shown in Fig. 3.1.
Participating in the training scenarios on the cyber polygon offers students invaluable hands-on experience with real cybersecurity tools and a deep understanding of network protection principles and vulnerability assessment. Working on the cyber polygon allows students to master the full cybersecurity cycle – from attack simulation to developing defense strategies. Below, we will review the primary scenarios used on the SSEIS cyber polygon.
Fig. 3.1 Network topology of the SSEIS cyber polygon
3.2 Methodology of web application vulnerability scanning
Scanning web applications for vulnerabilities is a core responsibility of information security specialists. Modern web applications have become one of the most common entry points for attackers attempting to access confidential information, financial data, or other critical resources. With the rise of digital technologies, web applications are now integral to almost every field – from finance to healthcare. Ensuring their security is therefore a priority, as identifying and eliminating vulnerabilities allows specialists not only to protect information assets but also to prevent potential losses that may result from successful attacks.
The primary educational goal of the web application vulnerability scanning task is to develop students’ skills in identifying and analyzing vulnerabilities that may compromise the security of information systems. This task is an integral part of the SSEIS cyber polygon training program, where students learn to use advanced tools for automated scanning and results analysis. They also gain insight into the factors that contribute to vulnerabilities, the potential consequences, and methods to mitigate risk.
The task is conducted using the Qualys platform, a leading tool for automated vulnerability scanning widely adopted in the cybersecurity industry. It provides solutions for detecting, assessing, and managing vulnerabilities across IT infrastructures, including networks, servers, workstations, and web applications. Through this platform, students become familiar with an industry-standard tool and learn to apply it under real-world conditions.
In the training process, using Qualys allows for automated security checks, enabling students to focus on analyzing identified issues. The Qualys interface allows students to easily visualize discovered vulnerabilities, assess their criticality and impact on the system, and offers detailed recommendations for remediation. These features are valuable for developing practical skills, as they enable students to understand the complete vulnerability management cycle – from identification to resolution.
This task specifically uses the Qualys Web Application Scanner (WAS), a cloud-based service for automated vulnerability scanning of web applications and APIs. Qualys WAS helps detect a wide range of vulnerabilities, including:
1. OWASP Top 10 Vulnerabilities (the most common threats to web applications), such as SQL injection, cross-site scripting (XSS), and insecure deserialization.
2. Sensitive Data Exposures (PII leaks), which could lead to violations of GDPR, HIPAA, and PCI DSS requirements.
3. Malicious Software – detection of malicious code embedded in web applications that could jeopardize user security and harm the company’s reputation.
4. Insecure Configurations and Settings that could leave the web application vulnerable to attacks.
By identifying these threats, students gain a deeper understanding of the processes involved in securing web applications, develop skills in vulnerability analysis and remediation, and prepare themselves for professional roles in cybersecurity.
Before beginning the tasks in this scenario, users need to select a target web application to be tested using Qualys’ automated tools. One option is the specialized website of the SSEIS department, designed to help students practice skills in both attacking and defending, making it an ideal platform for scanning. Additionally, students are encouraged to create their own web applications as scanning targets. This approach allows students to develop their own projects – ranging from a simple landing page to a more complex web application with authentication and a database. Once developed, the web application is hosted on the department’s cloud servers, ensuring accessibility for subsequent scanning with the Qualys system.
To start using Qualys, each user must create an account with their institutional email. Qualys provides a free trial that allows for limited testing of applications within a set time frame, enabling students to scan their own web applications without the need for paid services.
After account creation, users proceed to the Web Application Scanning section, where they carry out all primary steps of the task. The main stages of this process include:
1. Creating a web application record in the Qualys system.
2. Configuring scan parameters (“Option Profile”).
3. Performing “Discovery” and “Vulnerability” scans to identify elements of the web application and assess existing vulnerabilities.
4. Generating a comprehensive report based on the vulnerability scan for further analysis.
5. Analyzing the report and formulating recommendations to improve the web application’s security.
This approach enables students to experience the full cycle of working with a web application from a cybersecurity perspective: from developing their own product to scanning and analyzing its security using the professional tool Qualys.
Qualys provides a detailed approach to creating a web application record, allowing flexible customization of the scanning process. In the first step, users choose whether to create a new record “from scratch” or integrate elements from previously tested web applications. Within this scenario, students use the “clean” record option to familiarize themselves with all the customization features Qualys offers for creating a web application record.
Main Record Configuration Stages:
1. Asset Details: in this section, users enter the web application’s name, URL, and attributes to facilitate easy identification of this record among others in the Qualys system.
2. Application Details: this section allows configuration of the web application’s scan structure. Here, users can select specific URLs to scan, define the API type (or leave it unset if not applicable), which is convenient for simple web applications like landing pages. For complex applications, correctly configuring this section helps focus on critical components, optimizing scanning time.
3. Scan Settings: Scan settings can be configured later if needed, but here, users can: add an Option Profile for future scanning; select the type of scanner – external (recommended), internal (for networks), or a scanner appliance; assign a scanner to the record to prevent changes by other users; set a time limit for the scan; add robots.txt and sitemap.xml files; and configure header injections.
4. Crawl Settings: defines crawling options for testing scenarios. Integrating Selenium scripts for automated testing actions within the web application allows for personalized scanning scenarios.
5. Redundant Links: excludes unnecessary links from the scan process, which can reduce scan time and focus attention on the critical parts of the application.
6. Authentication: sets authentication parameters such as login credentials. For simple websites, this section may often be optional.
7. Exclusions: selects scan exclusions, allowing users to skip certain vulnerabilities and concentrate on critical areas.
8. Advanced options: additional parameters such as DNS Override and scan forms, which allow for more detailed scan configuration.
9. Malware monitoring: enables malware monitoring, a valuable tool for ongoing security monitoring, especially during the development stage and when testing new updates.
These settings allow students to configure the web application record in Qualys to focus the scanner on relevant aspects, avoid redundant actions, and ensure a high level of detail in the scanning process.
The next step is to create an Option Profile, which is a set of instructions defining the scanning configuration for the web application in Qualys (Fig. 3.2). The Option Profile includes all the necessary parameters to specify which aspects should be scanned and with what level of intensity. This setup allows the scan process to be tailored to the unique needs of the web application, improving the accuracy of vulnerability detection.
Fig. 3.2 Creating a web application record in the Qualys system
2. Vulnerability identification in discovered services. After identifying the server running Metasploitable 2 and gathering information about open ports, service names, and versions, the attack team proceeds to search for vulnerabilities in one or more of the discovered services. Each team member typically focuses on a different service, with each task directed at exploring specific vulnerabilities within that service. This approach allows the team to leverage the full potential of Metasploitable 2 and gain comprehensive hands-on experience.
By dividing tasks among members, the red team can systematically investigate a wide range of services, analyzing each for known vulnerabilities that could be exploited. This targeted exploration provides a holistic view of vulnerability management and penetration testing, enhancing the team’s ability to identify, assess, and exploit potential weaknesses in a real-world simulation environment.
Fig. 3.7 Example of nmap scan results for Metasploitable 2
Metasploitable 2 contains an extensive list of vulnerable services across various ports. For each service, detailed information is available, helping the attack team understand which vulnerabilities can be exploited to gain access to the server. This information serves as a critical guide for targeting specific services and planning effective exploitation strategies (Table 3.1).
Table 3.1 Information on Entry Points in Metasploitable 2

| Port No. | Service | Version | Exploit |
|---|---|---|---|
| 21 | FTP (vsftpd) | 2.3.4 | vsftpd 2.3.4 Backdoor |
| 22 | SSH | OpenSSH 4.7p1 Debian | Debian OpenSSL Predictable RNG |
| 23 | Telnet | Linux telnetd | No direct exploit |
| 25 | SMTP (Postfix) | Postfix 2.9.6 | No direct exploit |
| 53 | DNS (Bind) | 9.4.2 | BIND TSIG Remote DoS |
| 80 | HTTP (Apache) | 2.2.8 | Apache Tomcat Manager Exploit |
| 111 | RPCbind | 2.0 | RPC DCOM Remote Overflow |
| 139 | NetBIOS/SMB | Samba 3.0.20 | Samba Trans2open Overflow |
| 445 | SMB | Samba 3.0.20 | Samba Trans2open Overflow |
| 512 | exec | BSD exec | Remote Command Execution |
| 512 | login | Linux login service | No direct exploit |
| 513 | login | BSD login | Remote Command Execution |
| 514 | shell | BSD sh | Remote Command Execution |
| 1099 | RMI Registry | Java RMI | Java RMI Server Insecure |
| 1524 | Ingreslock | Ingres Database | Ingreslock Backdoor |
| 2049 | NFS | Network File System | No direct exploit |
| 2121 | FTP (ProFTPD) | 1.3.1 | ProFTPD 1.3.1 Mod_copy Command Execution |
| 3306 | MySQL | 5.0.51a | MySQL Remote Root Exploit |
| 5432 | PostgreSQL | 8.3.0 | PostgreSQL Pwnage |
| 5900 | VNC | VNC | VNC Authentication Bypass |
| 6000 | X11 | X11 Server | Open X11 Server Exploitation |
| 6667 | IRC (UnrealIRCd) | UnrealIRCd 3.2.8.1 | UnrealIRCd Backdoor Command Execution |
| 8180 | HTTP (Tomcat) | Apache Tomcat 5.5 | Tomcat Manager Application Exploit |
3. Exploitation and Persistence of Access. Using the gathered information on vulnerabilities, the attack team deploys appropriate exploits to gain access to Metasploitable 2 (Fig. 3.8). This task typically involves creating a “trace” – a file that logs details such as the port number, service name, version, the exploit used, and the timestamp of the intrusion. If access is gained through a database (such as MySQL or PostgreSQL), the task might include adding an entry to a table that has been pre-created by instructors.
At this stage, the attack team achieves its objective by securing access to the server and leaving a trace in the form of a file or database entry. This trace serves as evidence of task completion, marking the successful execution of the attack scenario.
Fig. 3.8 Example of SSH Vulnerability Exploitation Using the Metasploit Framework
Defense Team tasks divided by knowledge level:
1. Monitoring and documenting Attack Team actions: for entry-level blue team members, the primary task is to monitor and document the actions of the attack team in detail. This approach is crucial for cybersecurity professionals, as a comprehensive cyber incident report, presented in clear language, enables management to understand the issue’s nature and decide on preventive measures for the future. Effective report writing requires the ability to include all essential information about the threat source, attack methods, and potential impacts.
2. Active countermeasures against the Attack Team: for those with sufficient knowledge, the blue team members can directly counter the actions of the attack team. This includes actively monitoring the attackers’ actions, analyzing server vulnerabilities, quickly patching these weaknesses, and blocking unauthorized access to the network. In case an attack does occur, the defense team can block access to their infrastructure using the attackers’ IP or MAC addresses.
The defense team uses Wireshark, a tool for in-depth packet analysis, for active network monitoring. With Wireshark, the blue team can: detect anomalies in network traffic that may indicate unauthorized access attempts (Fig. 3.9); capture packets that could contain exploits or signs of port scanning; and identify the attackers’ IP and MAC addresses, allowing for rapid localization of the attack source.
Tools such as Suricata and Snort offer automated threat detection by analyzing traffic in real-time, making them valuable additions for advanced network monitoring and strengthening the defense team’s capabilities against complex attacks.
For vulnerability analysis, the defense team can use nmap to gather information on open ports and services, as well as to identify outdated or vulnerable components. nmap’s insights help the team better understand network topology and find weaknesses in the configuration.
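One way the defense team could turn such a scan into a patch list is sketched below as an added example (not code from the chapter's authors): it parses service-scan output in nmap's normal text layout and checks open ports against a watch-list transcribed from Table 3.1. The sample scan text is constructed, and the function and field names are assumptions of this example.

```python
import re

# Watch-list transcribed from Table 3.1 of this chapter:
# port -> (product string, version string, entry from the table's last column).
WATCHLIST = {
    21: ("vsftpd", "2.3.4", "vsftpd 2.3.4 Backdoor"),
    22: ("OpenSSH", "4.7p1", "Debian OpenSSL Predictable RNG"),
    3306: ("MySQL", "5.0.51a", "MySQL Remote Root Exploit"),
    5432: ("PostgreSQL", "8.3.0", "PostgreSQL Pwnage"),
    6667: ("UnrealIRCd", "3.2.8.1", "UnrealIRCd Backdoor Command Execution"),
}

# Constructed sample in the layout of nmap's service-scan output (not a real scan).
SAMPLE_SCAN = """\
PORT     STATE  SERVICE    VERSION
21/tcp   open   ftp        vsftpd 2.3.4
22/tcp   open   ssh        OpenSSH 9.6p1 Ubuntu 3ubuntu13 (protocol 2.0)
23/tcp   closed telnet
3306/tcp open   mysql      MySQL 5.0.51a-3ubuntu5
5432/tcp open   postgresql
6667/tcp open   irc        UnrealIRCd
8080/tcp open   http       nginx
"""

# "<port>/<proto> <state> <service> [version banner]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# Any dotted number in the banner counts as "a version was reported".
HAS_VERSION = re.compile(r"\d+\.\d+")


def audit(scan_text):
    """Return findings for open ports that appear on the Table 3.1 watch-list.

    status "listed"     : banner shows the product and version from the table
    status "unverified" : port is on the watch-list but the banner hides the
                          version, so it has to be checked on the host itself
    Ports that report a different version are not reported.
    """
    findings = []
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # header or blank line
        port, state, service = int(m.group(1)), m.group(3), m.group(4)
        banner = m.group(5).strip()
        if state != "open" or port not in WATCHLIST:
            continue
        product, version, table_entry = WATCHLIST[port]
        low = banner.lower()
        if product.lower() in low and version.lower() in low:
            status = "listed"
        elif not HAS_VERSION.search(banner):
            status = "unverified"
        else:
            continue  # a different product or version is running
        findings.append({
            "port": port,
            "service": service,
            "banner": banner,
            "status": status,
            "table_entry": table_entry,
        })
    return sorted(findings, key=lambda f: f["port"])


if __name__ == "__main__":
    for f in audit(SAMPLE_SCAN):
        print(f"{f['port']:>5}  {f['status']:<10}  {f['table_entry']}")
```

The "unverified" status matters in practice: a service that suppresses its version banner is not thereby patched, so those ports still need a check on the host.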
Upon detecting unauthorized access attempts, the defense team can implement several blocking methods:
1. Blocking the attackers’ IP or MAC addresses at the firewall level to restrict network access.
2. Setting up traffic filtering to limit access from suspicious IP addresses or network segments used by the attack team.
3. Using Network Access Control (NAC) to restrict network access to authorized MAC addresses or according to specific access policies.
These measures help isolate the infrastructure from potential threats and maintain network control, even in case of intrusion.
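The detection step that feeds these blocking measures can be illustrated with a small port-scan detector, added here as an example and not taken from the chapter: it flags any source that sends connection attempts (bare SYNs) to many distinct ports on one host within a short window and returns the IP and MAC address the blue team would block. The CSV column layout, all addresses and the thresholds are assumptions of this example; the records are constructed.

```python
import csv
import io
from collections import defaultdict, deque

# Constructed sample: one row per captured TCP packet, as a capture might be
# exported to CSV. Column names are an assumption of this example and all
# addresses are made up. flags: S = SYN only, SA = SYN/ACK.
SAMPLE_CAPTURE = """\
ts,src_ip,src_mac,dst_ip,dst_port,flags
0.00,10.10.1.21,08:00:27:aa:00:21,10.10.1.10,80,S
0.10,10.10.2.15,08:00:27:bb:00:15,10.10.1.10,21,S
0.12,10.10.2.15,08:00:27:bb:00:15,10.10.1.10,22,S
0.14,10.10.2.15,08:00:27:bb:00:15,10.10.1.10,23,S
0.16,10.10.2.15,08:00:27:bb:00:15,10.10.1.10,25,S
0.18,10.10.2.15,08:00:27:bb:00:15,10.10.1.10,80,S
0.20,10.10.2.15,08:00:27:bb:00:15,10.10.1.10,139,S
0.21,10.10.1.10,08:00:27:aa:00:10,10.10.2.15,51000,SA
1.00,10.10.1.21,08:00:27:aa:00:21,10.10.1.10,80,S
2.00,10.10.1.21,08:00:27:aa:00:21,10.10.1.10,80,S
5.00,10.10.1.22,08:00:27:aa:00:22,10.10.1.10,22,S
20.00,10.10.1.22,08:00:27:aa:00:22,10.10.1.10,80,S
35.00,10.10.1.22,08:00:27:aa:00:22,10.10.1.10,443,S
50.00,10.10.1.22,08:00:27:aa:00:22,10.10.1.10,3306,S
65.00,10.10.1.22,08:00:27:aa:00:22,10.10.1.10,5432,S
"""


def detect_scanners(capture_csv, min_ports=5, window=10.0):
    """Flag sources that probe >= min_ports distinct ports on one host
    within `window` seconds. Records must be in time order.

    Returns one dict per flagged source, in order of detection, with the
    source IP and MAC (the values to block) and the ports it probed.
    """
    recent = defaultdict(deque)  # (src_ip, dst_ip) -> (ts, port) inside window
    flagged = {}                 # src_ip -> finding
    for row in csv.DictReader(io.StringIO(capture_csv)):
        if row["flags"] != "S":
            continue  # only new connection attempts count, not replies
        ts, port = float(row["ts"]), int(row["dst_port"])
        attempts = recent[(row["src_ip"], row["dst_ip"])]
        attempts.append((ts, port))
        # Slide the window: forget attempts older than `window` seconds.
        while ts - attempts[0][0] > window:
            attempts.popleft()
        ports = {p for _, p in attempts}
        # Repeated hits on one port (a busy web client) never reach the
        # threshold, because only distinct ports are counted.
        if len(ports) >= min_ports:
            hit = flagged.setdefault(row["src_ip"], {
                "src_ip": row["src_ip"],
                "src_mac": row["src_mac"],
                "dst_ip": row["dst_ip"],
                "first_seen": attempts[0][0],
                "ports": set(),
            })
            hit["ports"] |= ports
    return [dict(hit, ports=sorted(hit["ports"])) for hit in flagged.values()]


if __name__ == "__main__":
    for hit in detect_scanners(SAMPLE_CAPTURE):
        print(f"block {hit['src_ip']} / {hit['src_mac']}: "
              f"probed {hit['ports']} on {hit['dst_ip']}")
```

Widening the window to 100 seconds also flags the slow client at 10.10.1.22, which shows the trade-off between catching slow scans and raising false positives on ordinary multi-service clients.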
Fig. 3.9 Example of Using Wireshark for Network Traffic Analysis
Th ough pa icipa ion in he ed and blue eam compe i ion, s uden s gain aluable hands-
on expe ience in con igu ing ne wo k de ices, iden i ying ulne abili ies, and secu ing ne wo k
in as uc u e.
Th oughou he exe cise, s uden s de elop skills in ne wo k scanning, a ic analysis, and
h ea de ec ion, which p o ides hem wi h a deepe unde s anding o ne wo k ope a ions and
secu i y me hods.
Red eam membe s lea n o apply scanning echniques, iden i y ulne abili ies in se ices un-
ning on open po s, and use exploi s o pene a e ulne able sys ems. They gain p o iciency wi h
ools like nmap and Me asploi , unde s and e hical hacking me hods, and app ecia e he impo ance
o ulne abili y emedia ion, helping hem g asp he mindse o po en ial ad e sa ies.
The blue eam hones i s skills in ac i ely de ending he ne wo k, iden i ying cybe h ea s,
esponding swi ly o inciden s, and documen ing cybe inciden s in a clea and accessible manne .
By wo king wi h ools like Wi esha k, Su ica a, and Sno , s uden s p ac ice echniques o a ic
analysis and a ack blocking, enabling hem o ope a e e ec i ely bo h in moni o ing mode and in
ac i e de ense agains a acke s.
This aining o ma p o ides s uden s wi h a comp ehensi e unde s anding o cybe secu i y,
os e ing s a egic hinking and eamwo k skills essen ial o eal-wo ld cybe secu i y oles.
3.4 P ac ical Cybe De ense Scena io o Co po a e In as uc u e De eloped in
Collabo a ion wi h Unde De ense
A new training scenario on the SSEIS cyber polygon, developed in partnership with UnderDefense,
focuses on in-depth cybersecurity skills, particularly in detecting and exploiting vulnerabilities
within complex network infrastructures. This scenario is designed for hands-on learning of ethical
hacking methods and protection of critical systems, such as GitLab servers and Windows Active
Directory (AD) infrastructure. Students participating in this scenario gain practical knowledge
of attack and defense stages within corporate networks, aligning their experience closely with
real-world cybersecurity tasks.
The primary goal of the scenario is to familiarize students with comprehensive techniques
that allow them to understand the architecture of modern corporate networks, identify potential
threats, and implement effective security measures. Through this scenario, students develop the
following key skills:
1. Identifying external perimeter vulnerabilities: using brute-forcing techniques to locate
services and exploiting vulnerabilities for remote code execution (RCE).
2. GitLab and SSH operations: exploring open repositories for confidential data (e.g., SSH keys)
and accessing the server through SSH.
3. Privilege escalation on Ubuntu server: utilizing known exploits, such as pkexec (LPE), to gain
elevated privileges.
4. Active directory (AD) attacks: discovering and exploiting weaknesses in SMB configurations,
executing Kerberoasting, and using techniques to obtain administrative rights.
5. Traffic monitoring and interception: analyzing data, including LDAP requests, to practice
information protection skills.
The scenario's development was made possible through collaboration with UnderDefense, a
company that provides cybersecurity support and expertise in ethical hacking methodologies.
UnderDefense contributed expert knowledge in attack scenario formulation, vulnerable system setup,
educational case creation, and access to up-to-date vulnerabilities, particularly with GitLab and
Active Directory. This collaboration ensures that the training tasks meet modern industry standards
and cybersecurity needs.
Scenario Components: external and internal network perimeters:
1. External perimeter: the external perimeter includes an Ubuntu 20.04 server hosting GitLab,
with a Pre-Auth RCE vulnerability (CVE-2021-22205) and other exploits like pwnkit for privilege
escalation. In this phase, students use brute-forcing methods to locate GitLab, access an SSH key,
establish a connection with the server, and subsequently elevate privileges to an administrator level.
2. Internal perimeter (AD network): the internal perimeter contains an Active Directory-based
network, including a Domain Controller (DC) and two workstations. Students explore SMB signing
issues, LLMNR, and perform various AD attacks, such as Kerberoasting, traffic interception, and
NTDS.DIT extraction. This stage simulates real threats arising from improper corporate network
configurations.
This scenario allows students to practice network infiltration across different complexity levels
and develop a comprehensive approach to identifying, analyzing, and mitigating cybersecurity threats.
In this scenario, the external perimeter is represented by an Ubuntu 20.04 server with GitLab
installed, serving as the primary external target for the red team. The server configuration is
specifically designed to illustrate key principles of ethical hacking and assess the security of an
organization's external infrastructure. The server includes several known vulnerabilities that
students can leverage to complete their tasks.
GitLab serves as one of the primary services commonly used in real corporate infrastructures
for code hosting, project management, and collaboration. In this scenario, GitLab is configured as a
publicly accessible service on the Ubuntu server, allowing students to use subdomain enumeration
and visible service analysis techniques to locate GitLab within the network. Once detected,
students can attempt to exploit GitLab vulnerabilities to gain access to the server.
The server runs an outdated version of Ubuntu 20.04 LTS, containing several critical
vulnerabilities that can be used for privilege escalation. One major vulnerability is pwnkit (related
to the pkexec command), which enables Local Privilege Escalation (LPE). Pwnkit is a well-known
vulnerability that allows a non-authenticated user to gain root access to the system by exploiting a
misconfiguration in the pkexec command.
This server setup, which includes such vulnerabilities, enables students to practice exploiting
weaknesses in outdated software. The primary objective of this phase is to teach students the
impact of these vulnerabilities on infrastructure security and to demonstrate how a lack of regular
updates can create entry points for attackers.
The attack phases on the external perimeter in this scenario are structured to allow students
to complete the full cycle from service detection to system control through vulnerability
exploitation. Each step is based on real-world penetration methods, allowing students to gain
hands-on experience with cybersecurity tools:
1. Discovery phase using ffuf: in the initial phase, the attack team uses ffuf (Fast web Fuzzer)
to brute-force subdomains and virtual hosts to locate the GitLab server, which will be the target
for further penetration. With ffuf, students search for existing subdomains and hidden services
that may not always be visible through standard scans. This stage helps students develop skills
in active information gathering and configuring ffuf for discovering subdomain variations that may
house critical services.
2. Exploitation of the Pre-Auth RCE vulnerability (CVE-2021-22205): after locating the GitLab
server, the next step is exploiting the Pre-Auth RCE vulnerability (CVE-2021-22205). This
vulnerability allows command execution on the server without requiring authentication. Students can use
this vulnerability to gain initial access to the server, highlighting the severe consequences of not
regularly updating GitLab. In this phase, students learn to use public exploits for RCE vulnerabilities
and gain an understanding of the importance of proper server configuration.
After gaining access, students continue their investigation by reviewing the contents of Git
repositories, which may contain confidential information. One possible way to obtain SSH access is
by finding SSH keys that were accidentally left in a public repository. After locating and verifying the
SSH key, students establish an SSH connection to the server using the discovered key, granting
them full access to the system. This step emphasizes the importance of proper access key
management and removing sensitive information from public repositories.
The final stage involves privilege escalation on the server to obtain root-level access. Students
exploit the pkexec vulnerability (a flaw in pwnkit) that allows Local Privilege Escalation (LPE) on
Ubuntu. Using this vulnerability, students can escalate privileges and gain complete control over
the server. This stage introduces students to the risks associated with outdated software and
provides insight into methods for mitigating such vulnerabilities.
By following these steps, students learn the full process of penetrating the external
perimeter of a corporate network, which includes active target discovery, vulnerability
exploitation for access, searching for sensitive data in repositories, and privilege escalation to
establish system control.
The internal perimeter of the corporate network in this scenario is represented by an Active
Directory (AD) infrastructure that includes one AD server and two workstations. This setup mimics
a typical corporate network architecture, which is often a target for attacks aimed at gaining
access to internal resources. The main objective of the attack team is to compromise AD and access
user data, while the defense team's goal is to prevent attacks and protect critical infrastructure
components.
The internal network is divided into several components that replicate a real corporate system
environment. In this part of the scenario, students work with typical AD configurations and common
vulnerabilities that often remain exposed in networks due to misconfigurations:
1. Active directory (AD) server: the AD server functions as a centralized management system
responsible for user authentication, access control, and permissions management within the
internal network. The AD server stores user accounts, security policies, and other configurations,
making it a primary target for attacks aimed at accessing critical information. Students explore
attack methods on AD, such as Kerberoasting and information gathering through LDAP queries, to
understand vulnerabilities characteristic of this infrastructure.
2. Two workstations: the workstations are components of the internal network and play an
important role in this scenario. They are used as intermediate targets through which the attack
team can reach the AD server or other resources. In a real corporate environment, workstations
are often attacked due to accessible resources, SMB settings, and other services. In this scenario,
students exploit vulnerabilities related to the absence of SMB signing and LLMNR (Link-Local
Multicast Name Resolution) to access internal resources and gather information about other devices
on the network.
SMB Signing and LLMNR Configuration.
SMB Signing: The lack of SMB signing on workstations makes them vulnerable to attacks that allow
adversaries to intercept or modify data transferred between devices. In this scenario, students
exploit this vulnerability to conduct a Pass-the-Hash attack, enabling them to compromise
workstations and use the captured hashes to access other resources.
LLMNR (Link-Local Multicast Name Resolution): LLMNR is a protocol used for resolving local names
within a network, but it can become a security risk if not properly protected. Students learn to
use LLMNR to capture account hashes and perform attacks related to local name resolution
implementation. This protocol allows attackers to gather information for further attacks on AD or other
network resources.
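The two workstation weaknesses described above can be checked from a registry export. The following is an added example, not part of the original chapter: it audits `.reg` export text for required SMB signing and for the policy that turns off LLMNR. The registry locations are the standard Windows ones rather than values from the chapter, the two sample exports are constructed, and a missing value is assumed to mean the setting is not enforced.

```python
import re

# (key path suffix, value name, required dword, finding) for the weaknesses above.
CHECKS = [
    (r"services\lanmanserver\parameters", "requiresecuritysignature", 1, "SMB server signing not required"),
    (r"services\lanmanworkstation\parameters", "requiresecuritysignature", 1, "SMB client signing not required"),
    (r"policies\microsoft\windows nt\dnsclient", "enablemulticast", 0, "LLMNR not disabled by policy"),
]

# Constructed .reg exports for the two workstations named in the scenario.
MACHINE1 = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"EnableSecuritySignature"=dword:00000001
"RequireSecuritySignature"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"RequireSecuritySignature"=dword:00000000
'''
MACHINE2 = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"RequireSecuritySignature"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"RequireSecuritySignature"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient]
"EnableMulticast"=dword:00000000
'''

def parse_reg_export(text):
    """Parse .reg export text into {lowercased key: {lowercased name: int}} (dwords only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
            if m:
                current[m.group(1).lower()] = int(m.group(2), 16)
    return keys

def audit_host(reg_text):
    """Return the findings for one host; a missing value counts as not enforced."""
    keys = parse_reg_export(reg_text)
    findings = []
    for suffix, name, required, message in CHECKS:
        values = next((v for k, v in keys.items() if k.endswith(suffix)), {})
        if values.get(name) != required:
            findings.append(message)
    return findings
```

On the constructed machine1 export, signing is enabled but not required, which still leaves the host reported for both SMB checks.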
The AD server is the main target that the attack team aims to reach. Compromising it provides
access to all user accounts and critical information about the internal network.
Workstations are used as intermediate targets for gathering information, breaking user
accounts, and accessing the AD server. Students learn to leverage weak configurations to gradually
penetrate the network, which helps them develop skills in privilege escalation and identifying
vulnerabilities in Windows-based environments.
Attacks on the internal AD network perimeter in this scenario involve gradual network
penetration through vulnerability discovery, credential compromise, and access to critical systems. This
progression allows students to experience the full escalation path within a corporate environment
and gain practical skills with real attack methods.
In the first stage, the attack team scans the network for vulnerabilities to identify security
misconfigurations on three hosts within the internal network, specifically:
1. Lack of SMB signing, allowing attackers to intercept or alter data exchanged between hosts.
2. Active LLMNR (Link-Local Multicast Name Resolution), which can be used to intercept
hostname requests and capture account hashes.
Using these vulnerabilities, students learn to gain initial access to hosts, which is an essential
step for further escalation.
After identifying vulnerabilities, the attack team conducts an SMB protocol attack by exploiting
the lack of signing to capture user1 account hashes. This phase teaches students Pass-the-Hash
techniques, allowing them to authenticate using captured hashes without knowing the password.
The obtained hashes can then be cracked with password recovery tools, providing compromised
credentials that grant access to AD.
The next step involves executing a Kerberoasting attack, which allows attackers to request
Kerberos tickets for privileged accounts (specifically for user2, who is a local administrator on
machine1). A Kerberos ticket may contain the account's hash, which is used for system
authentication. This phase helps students learn how to leverage Kerberos to access vulnerable accounts,
especially in networks where local administrators are present on different hosts.
After obtaining user2's hash, students use tools to crack the Kerberos hash to retrieve the
password for user2, who has administrator rights on machine1. Administrator access allows the
attack team to examine the host configuration, modify security settings, and further penetrate the
AD internal network. This stage demonstrates the critical importance of properly configuring and
securing administrator accounts.
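On the defense side, the ticket requests made during Kerberoasting are recorded on the Domain Controller as Security event 4769. The following added example (not from the original chapter) flags accounts that obtain RC4-encrypted service tickets for several user-account services within a short window. The event records, the LAB.LOCAL realm, the svc_* names and the addresses are constructed, and the window and threshold values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # Kerberos etype 23; AES tickets are 0x11 / 0x12

def ev(time, requester, service, etype, ip, status="0x0"):
    """Build one constructed record using field names of Security event 4769."""
    return {"time": time, "TargetUserName": requester, "ServiceName": service,
            "TicketEncryptionType": etype, "IpAddress": ip, "Status": status}

# Constructed sample: realm, svc_* accounts and addresses are assumptions.
SAMPLE_EVENTS = [
    ev("2025-01-10T09:00:01", "user1@LAB.LOCAL", "MACHINE1$", "0x12", "::ffff:10.0.0.21"),
    ev("2025-01-10T09:02:10", "user1@LAB.LOCAL", "user2", "0x17", "::ffff:10.0.0.50"),
    ev("2025-01-10T09:02:11", "user1@LAB.LOCAL", "svc_backup", "0x17", "::ffff:10.0.0.50"),
    ev("2025-01-10T09:02:12", "user1@LAB.LOCAL", "krbtgt", "0x17", "::ffff:10.0.0.50"),
    ev("2025-01-10T09:02:13", "user1@LAB.LOCAL", "svc_web", "0xFFFFFFFF", "::ffff:10.0.0.50", "0x1B"),
    ev("2025-01-10T09:30:00", "user3@LAB.LOCAL", "user2", "0x12", "::ffff:10.0.0.22"),
    ev("2025-01-10T11:00:00", "user3@LAB.LOCAL", "svc_backup", "0x17", "::ffff:10.0.0.22"),
]

def find_kerberoast_candidates(events, window=timedelta(minutes=5), min_services=2):
    """Return {(requester, ip): [services]} for bursts of RC4 tickets to user-account services."""
    hits = defaultdict(list)
    for e in events:
        service = e["ServiceName"]
        if int(e["Status"], 16) != 0:  # failed request, no ticket issued
            continue
        if int(e["TicketEncryptionType"], 16) != RC4_HMAC:
            continue
        if service.endswith("$") or service.lower() == "krbtgt":
            continue  # machine accounts and krbtgt use long random keys
        when = datetime.fromisoformat(e["time"])
        hits[(e["TargetUserName"], e["IpAddress"])].append((when, service))
    alerts = {}
    for key, requests in hits.items():
        requests.sort()
        start = 0
        for end in range(len(requests)):
            while requests[end][0] - requests[start][0] > window:
                start += 1  # slide the window forward
            services = {name for _, name in requests[start:end + 1]}
            if len(services) >= min_services:
                alerts[key] = sorted(services | set(alerts.get(key, [])))
    return alerts

if __name__ == "__main__":
    for (who, ip), services in find_kerberoast_candidates(SAMPLE_EVENTS).items():
        print(f"{who} from {ip}: RC4 tickets for {', '.join(services)}")
```

With `min_services=1` a single RC4 request, such as one aimed only at user2, is also reported, at the cost of more noise where legacy services still use RC4.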
At this point, the attack team uses the secretsdump tool to extract sensitive data from
machine1, where user2 has administrator rights. With secretsdump, students retrieve account data,
including hashes for user3, which can then be used to access machine2 via RDP. This expands the
attackers' control over additional network hosts, providing access to important resources.
The final phase involves using LDAPExplorer2.exe to access the LDAP server while intercepting
traffic. Once connected, the attack team can query data through the LDAP protocol and set up
their own LDAP listener to collect account information. After this, the attackers can log in to the
Domain Controller (DC) and download the NTDS.DIT file, which contains critical domain account
data, including password hashes for all users.
This scenario requires various software and tools to create a realistic training environment
that mirrors corporate network infrastructure. All components are configured to ensure access
control, security monitoring, and environmental isolation, allowing students to safely practice
cybersecurity tasks:
1. Windows Server (versions 2016, 2019, or 2022): Windows servers are essential for building
an Active Directory (AD) infrastructure, widely used in corporate settings. The choice of version
(2016, 2019, or 2022) depends on the training requirements and allows students to become
familiar with different AD features and administrative methods, as well as configuring Domain
Controllers (DC), managing Group Policies, and setting security parameters.
2. Windows 10 Pro: Windows 10 Pro serves as the operating system for workstations in the
internal network. This OS is widely used in corporate environments and provides the necessary
functionality to model typical workstations. Windows 10 Pro supports SMB and RDP protocols,
and allows for security policy configuration, making it ideal for studying vulnerabilities like SMB
and LLMNR.
3. Ubuntu 20.04: an outdated version of Ubuntu 20.04 is used in the scenario, which is
vulnerable to privilege escalation exploits (e.g., pwnkit). This OS is installed on the GitLab server and acts
as the attack entry point. Ubuntu 20.04 allows students to explore open-source systems, analyze
Linux vulnerabilities, and work with services such as SSH and GitLab.
4. LDAPExplorer2.exe: a tool for working with LDAP queries, LDAPExplorer2.exe enables
students to query Active Directory, analyze AD structure, retrieve account data, and gather sensitive
information. This tool helps students understand LDAP authentication mechanisms and
client-server interactions.
5. Wazuh: a security monitoring and incident management system, Wazuh enables log analysis
and network activity monitoring (Fig. 3.10). It provides detailed network event information, helping
students investigate security logs, detect anomalies, and respond to incidents.
Fig. 3.10 Example of Wazuh Interface
To support a realistic and secure learning environment, an isolated network has been
created, fully separated from the university or corporate infrastructure. This network
isolation ensures safety and allows students to practice complex cyber operations without risking
other networks.
LLMNR and SMB: the LLMNR (Link-Local Multicast Name Resolution) and SMB protocols
are configured for ease of use in training, specifically for demonstrating vulnerabilities associated