# NCL (National Cyber League) Comprehensive Study Guide
*Prepared for November 2025 Competition*
<hr style="border: 2px solid orange;">
Not all will be checked due to timeframe and academic responsibilities that lie elsewhere


## Quick Reference Checklist

### Essential Setup
- [ <span style="color:green;">&#x2713;</span> ] Set up Kali Linux VM or ParrotOS
- [ <span style="color:green;">&#x2713;</span> ] Install Wireshark (latest version)
- [ <span style="color:green;">&#x2713;</span> ] Create accounts: TryHackMe, HackTheBox
- [ ] Star all GitHub repositories listed below
- [ ] Download sample PCAP files for practice
- [ ] Set up note-taking system (Obsidian/Notion recommended)

---

## **1. Open Source Intelligence (OSINT)**
*Utilize publicly available information such as search engines, public repositories, social media, and more to gain in-depth knowledge on a topic or target.*

#### YouTube Channels & Videos
- [ ] **The Cyber Mentor** - OSINT playlist
- [ ] **John Hammond** - OSINT challenges and walkthroughs
- [ ] **NahamSec** - Recon and OSINT techniques
- [ ] **SANS DFIR** - OSINT investigations

#### GitHub Repositories <span style="color:gold;">⭐</span>
```bash
# Essential OSINT Tools
jivoi/awesome-osint                 # Comprehensive OSINT resource list
sherlock-project/sherlock          # Find usernames across social networks
laramies/theHarvester             # Email, subdomain and people names harvester
smicallef/spiderfoot              # Automated OSINT collection
sundowndev/phoneinfoga            # Phone number investigation
megadose/holehe                   # Check if email is used on different sites
```

#### Online Tools to Master
- [ ] Shodan.io - Internet-connected device search
- [ ] Google Dorking techniques
- [ ] Wayback Machine
- [ <span style="color:green;">&#x2713;</span> ] Have I Been Pwned (Have used)
- [ ] Maltego Community Edition
- [ ] Social-Searcher
- [ <span style="color:green;">&#x2713;</span> ] TinEye reverse image search

#### Practice Platforms
- [ ] **OSINT Exercises** - gralhix.com
- [ ] **Bellingcat's Online Investigation Toolkit**
- [ ] **Trace Labs** - Crowdsourced OSINT for good

---

## **2. Cryptography**
*Use techniques used to encrypt or obfuscate messages and leverage tools to extract the plain text.*

#### YouTube Channels & Videos
- [ ] **Christof Paar** - Introduction to Cryptography
- [ ] **Khan Academy** - Cryptography course
- [ ] **Computerphile** - Cryptography explanations
- [ ] **LiveOverflow** - CTF crypto challenges

#### GitHub Repositories <span style="color:gold;">⭐</span>
```bash
# Cryptography Tools
Ganapati/RsaCtfTool              # RSA attack tool
hellman/xortool                 # XOR cipher analysis
mozilla/ssh_scan                # SSH configuration scanner
RsaCtfTool/RsaCtfTool          # Automated RSA attack tool
```

#### Essential Concepts to Master
- [ ] **Classical Ciphers**: Caesar, Vigenère, Rail Fence, Substitution
- [ ] **Modern Cryptography**: AES, RSA, DES, 3DES
- [ ] **Hash Functions**: MD5, SHA-1, SHA-256, bcrypt
- [ ] **Encoding**: Base64, Base32, Hex, URL encoding
- [ ] **Steganography**: Hidden messages in images/files

#### Tools to Master
- [ ] **CyberChef** - Online encoding/decoding Swiss knife
- [ ] **Hashcat** - Advanced password recovery
- [ ] **John the Ripper** - Password cracking
- [ ] **OpenSSL** - Command-line crypto toolkit
- [ ] **GPG** - Encryption and signing

#### Practice Platforms
- [ ] **cryptohack.org** - Modern cryptography challenges
- [ ] **cryptopals.com** - Crypto challenges set
- [ ] **PicoCTF** - Crypto category

---

## **3. Log Analysis**
*Utilize the proper tools and techniques to establish a baseline for normal operation and identify malicious activities using log files from various services.*

#### YouTube Channels & Videos
- [ ] **SANS DFIR** - Log analysis techniques
- [ ] **Black Hills Information Security** - SIEM and log analysis
- [ ] **The Cyber Mentor** - Blue team log analysis
- [ ] **John Strand** - Applied Network Security Monitoring

#### GitHub Repositories <span style="color:gold;">⭐</span>
```bash
# Log Analysis Tools
elastic/elasticsearch           # Search and analytics engine
graylog2/graylog2-server       # Log management platform
ossec/ossec-hids               # Host-based intrusion detection
Neo23x0/sigma                  # Generic signature format for SIEM
```

#### Essential Skills
- [ ] **Common Log Formats**: Apache, Nginx, Windows Event Logs, Syslog
- [ ] **SIEM Platforms**: Splunk, ELK Stack, Graylog, QRadar
- [ ] **Windows Event IDs**: Authentication (4624, 4625), Process creation (4688)
- [ ] **Linux Logs**: /var/log/auth.log, /var/log/syslog, /var/log/apache2/access.log
- [ ] **Network Logs**: Firewall logs, DNS logs, Proxy logs
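The auth.log item above is where a short script beats scrolling: the goal of the category is a baseline of normal logins against which the odd pattern stands out. The following is an added example written for this guide, not a tool from any repository listed here. It assumes the stock sshd "Accepted/Failed password for ... from ... port ... ssh2" wording and runs over constructed sample lines embedded in the script (the 203.0.113.0/24 range is reserved for documentation):

```python
import re
from collections import Counter, defaultdict

# Added example for this guide (not from any tool listed above). It parses the
# sshd lines found in /var/log/auth.log, builds a per-source failure count as a
# crude baseline and flags the pattern worth a closer look: many failures from
# one source followed by a success for the same source.

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2"
)

# Constructed sample lines; 203.0.113.0/24 is a documentation range, not a real host.
SAMPLE_LOG = """\
Nov  3 10:15:01 web01 sshd[2101]: Accepted password for deploy from 192.168.1.20 port 50122 ssh2
Nov  3 10:15:40 web01 sshd[2107]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Nov  3 10:15:41 web01 sshd[2107]: Failed password for invalid user admin from 203.0.113.5 port 51123 ssh2
Nov  3 10:15:42 web01 sshd[2109]: Failed password for root from 203.0.113.5 port 51124 ssh2
Nov  3 10:15:43 web01 sshd[2110]: Failed password for root from 203.0.113.5 port 51125 ssh2
Nov  3 10:15:44 web01 sshd[2111]: Failed password for root from 203.0.113.5 port 51126 ssh2
Nov  3 10:15:50 web01 sshd[2112]: Accepted password for root from 203.0.113.5 port 51127 ssh2
Nov  3 10:16:02 web01 sshd[2118]: Failed password for deploy from 192.168.1.20 port 50130 ssh2
Nov  3 10:16:05 web01 sshd[2118]: Accepted password for deploy from 192.168.1.20 port 50130 ssh2
Nov  3 10:16:30 web01 CRON[2120]: pam_unix(cron:session): session opened for user root by (uid=0)
"""


def parse_sshd_events(text):
    """Return one dict per sshd password-auth line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def failures_by_source(events):
    """Baseline view: how many failed logins each source IP produced."""
    return Counter(e["ip"] for e in events if e["result"] == "Failed")


def successes_after_failures(events, threshold=3):
    """Flag (ip, user, failures) where a success follows >= threshold failures from that IP.

    Order matters: only failures seen before the success are counted, so a single
    typo followed by a correct password (the deploy user above) is not flagged.
    """
    failed_so_far = defaultdict(int)
    flagged = []
    for e in events:
        if e["result"] == "Failed":
            failed_so_far[e["ip"]] += 1
        elif failed_so_far[e["ip"]] >= threshold:
            flagged.append((e["ip"], e["user"], failed_so_far[e["ip"]]))
    return flagged


if __name__ == "__main__":
    evts = parse_sshd_events(SAMPLE_LOG)
    print("failed logins per source:", dict(failures_by_source(evts)))
    print("success after repeated failures:", successes_after_failures(evts))
```

The same two views (count per source, then success-after-failures) are what you would build in Splunk or Kibana for Windows Event IDs 4625 followed by 4624 from one workstation; the script just makes the logic explicit on a file you can read with `less`.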

#### Tools to Master
- [ ] **Splunk** (Free license available)
- [ ] **ELK Stack** (Elasticsearch, Logstash, Kibana)
- [ ] **Graylog** - Open source log management
- [ ] **AWK/SED/GREP** - Command-line log parsing
- [ ] **PowerShell** - Windows log analysis

#### Practice Resources
- [ ] **Boss of the SOC** (Splunk)
- [ ] **CyberDefenders** - Blue team challenges
- [ ] **LetsDefend** - SOC analyst simulator

---

## <span style="color:red">**4. Network Traffic Analysis**</span> ⭐ **(WIRESHARK FOCUS - Teammates mentioned that this is historically a weak point)**
## Remember: don't use this on public Wi-Fi
*Identify malicious and benign network traffic to demonstrate an understanding of potential security breaches.*

#### YouTube Channels & Videos (Priority Order)
1. [ ] **Wireshark University** - Official tutorials
2. [ ] **Chris Sanders** - Practical packet analysis
3. [ ] **Laura Chappell** - Wireshark expert tutorials

#### GitHub Repositories <span style="color:gold;">⭐</span>
```bash
# Network Analysis Tools
wireshark/wireshark             # The essential tool
SecureAuthCorp/impacket        # Network protocol implementations
robertdavidgraham/masscan      # Fast port scanner
nmap/nmap                      # Network discovery and auditing
```

### <span style="color:red;">❗ **WIRESHARK MASTERY ROADMAP** (Competitive Edge)</span>

#### Week 1: Fundamentals
- [ <span style="color:green;">&#x2713;</span> ] Install Wireshark and capture first packet
- [ ] Learn the Wireshark interface (Packet List, Details, Bytes)
- [ ] Understand basic protocols: HTTP, DNS, TCP, UDP, ICMP
- [ <span style="color:green;">&#x2713;</span> ] Practice basic display filters

#### Week 2: Display Filters Mastery
```wireshark
# Essential Display Filters to Memorize
ip.addr == 192.168.1.1          # Specific IP
tcp.port == 80                   # HTTP traffic
http.request.method == "POST"    # POST requests
dns.qry.name contains "malware"  # DNS queries containing text
tcp.flags.syn == 1               # TCP SYN packets
http.response.code == 404        # HTTP 404 errors
!arp and !dns                   # Exclude ARP and DNS
tcp.stream eq 0                  # Follow specific TCP stream
```

#### Week 3: Advanced Analysis
- [ ] **Following Streams**: TCP, UDP, HTTP, TLS
- [ ] **Statistical Analysis**: Conversations, Endpoints, Protocol Hierarchy
- [ ] **Exporting Objects**: Files from HTTP, SMB, TFTP
- [ ] **Time Analysis**: Response times, connection establishment

#### Week 4: Malware Traffic Analysis
- [ ] Practice with samples from **malware-traffic-analysis.net**
- [ ] Identify C2 communications
- [ ] Extract IOCs (Indicators of Compromise)
- [ ] Recognize encrypted vs. unencrypted traffic

## <font color="green">Essential Wireshark Skills Checklist</font>
- [ ] **Basic Navigation**
 - [ ] Packet list navigation (Ctrl+Up/Down)
 - [ ] Time column customization
 - [ ] Column customization for efficiency

- [ ] **Display Filters** (Practice until muscle memory)
 - [ ] Logical operators (and, or, not)
 - [ ] Comparison operators (==, !=, <, >)
 - [ ] Protocol-specific filters
 - [ ] Regular expressions in filters

- [ ] **Stream Following**
 - [ ] TCP streams (Right-click → Follow → TCP Stream)
 - [ ] HTTP streams for web traffic
 - [ ] TLS streams for encrypted traffic

- [ ] **Statistical Analysis**
 - [ ] Statistics → Conversations
 - [ ] Statistics → Endpoints
 - [ ] Statistics → Protocol Hierarchy
 - [ ] Statistics → I/O Graphs

- [ ] **File Extraction**
 - [ ] File → Export Objects → HTTP
 - [ ] Extracting malware samples
 - [ ] Extracting transferred files

#### Practice PCAP Files (Download These)
```bash
# Essential Practice Sources
https://malware-traffic-analysis.net/training-exercises.html
https://www.tcpreplay.appneta.com/wiki/captures.html
https://wiki.wireshark.org/SampleCaptures
https://github.com/markofu/pcaps
```

#### Wireshark Shortcuts to Memorize
 - [ ] `Ctrl + F` - Find packet
 - [ ] `Ctrl + G` - Go to packet number
 - [ ] `Ctrl + L` - Go to line
 - [ ] `F3` - Find next
 - [ ] `Ctrl + M` - Mark packet
 - [ ] `Ctrl + Shift + N` - Next marked packet

---

## **5. Scanning**
*Identify and use the proper tools to gain intelligence about a target including its services and potential vulnerabilities.*

#### YouTube Channels & Videos
 - [ ] **IppSec** - Reconnaissance techniques
 - [ ] **The Cyber Mentor** - Ethical hacking course
 - [ ] **NetworkChuck** - Nmap tutorials
 - [ ] **HackerSploit** - Penetration testing basics

#### GitHub Repositories <span style="color:gold;">⭐</span>
```bash
# Scanning Tools
nmap/nmap                       # Network discovery and security auditing
robertdavidgraham/masscan      # Fast port scanner
projectdiscovery/subfinder     # Subdomain discovery
projectdiscovery/httpx         # HTTP toolkit
projectdiscovery/nuclei        # Vulnerability scanner
OWASP/Amass                    # Attack surface mapping
```

#### Essential Scanning Techniques
- [ ] **Port Scanning**: TCP SYN, TCP Connect, UDP, Service detection
- [ ] **Host Discovery**: Ping sweeps, ARP scans
- [ ] **Service Enumeration**: Banner grabbing, version detection
- [ ] **Vulnerability Scanning**: Automated vs. manual approaches
- [ ] **Web Application Scanning**: Directory brute-forcing, parameter discovery

#### Tools to Master
- [ ] **Nmap** - Network mapper and port scanner
- [ ] **Masscan** - High-speed port scanner
- [ ] **Gobuster** - Directory/file brute-forcer
- [ ] **Nikto** - Web server vulnerability scanner
- [ ] **Dirb/Dirbuster** - Web content scanner

---

## **6. Forensics**
*Utilize the proper tools and techniques to analyze, process, recover, and/or investigate digital evidence in a computer-related incident.*

#### YouTube Channels & Videos
- [ ] **SANS DFIR** - Digital forensics techniques
- [ ] **13Cubed** - Digital forensics tutorials
- [ ] **Joe Helle** - Memory forensics
- [ ] **The Cyber Mentor** - Digital forensics basics

#### GitHub Repositories <span style="color:gold;">⭐</span>
```bash
# Forensics Tools
volatilityfoundation/volatility    # Memory forensics framework
sleuthkit/sleuthkit                # Digital forensics library
simsong/bulk_extractor            # Digital forensics tool
log2timeline/plaso                # Timeline analysis
```

#### Essential Forensics Areas
- [ ] **Disk Forensics**: File system analysis, deleted file recovery
- [ ] **Memory Forensics**: RAM analysis, process investigation
- [ ] **Network Forensics**: Packet analysis, session reconstruction
- [ ] **Mobile Forensics**: iOS/Android investigation
- [ ] **Steganography**: Hidden data in files

#### Tools to Master
- [ ] **Autopsy** - Digital forensics platform
- [ ] **Volatility** - Memory forensics
- [ ] **Binwalk** - Firmware analysis
- [ ] **Foremost** - File carving
- [ ] **Steghide** - Steganography tool

---

## **7. Password Cracking**
*Identify types of password hashes and apply various techniques to efficiently determine plain text passwords.*


#### YouTube Channels & Videos
- [ ] **The Cyber Mentor** - Password cracking techniques
- [ ] **John Hammond** - CTF password challenges
- [ ] **IppSec** - Hash cracking in practice
- [ ] **NetworkChuck** - Hashcat tutorials

#### GitHub Repositories <span style="color:gold;">⭐</span>
```bash
# Password Cracking Tools
hashcat/hashcat                   # Advanced password recovery
openwall/john                     # John the Ripper
berzerk0/Probable-Wordlists      # Password wordlists
danielmiessler/SecLists          # Security wordlists collection
```

#### Hash Types to Recognize
- [ ] **MD5** - 32 character hex
- [ ] **SHA-1** - 40 character hex
- [ ] **SHA-256** - 64 character hex
- [ ] **NTLM** - Windows password hashes
- [ ] **bcrypt** - Blowfish-based hashing
- [ ] **Linux Shadow** - $6$ (SHA-512 crypt)
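The length and prefix cues above give a first guess, not a verdict: a 32-character hex string is either MD5 or NTLM, and only the surrounding format (a pwdump `user:rid:lm:nt:::` line versus a bare digest) tells you which. The script below is an added example written for this guide, not a tool from any repository listed here. It applies exactly those cues, reads /etc/shadow and pwdump-style lines, and uses constructed sample values (the digests are computed at run time, the crypt strings are invented for shape only):

```python
import hashlib
import re

# Added example for this guide (not a tool from any project listed above).
# Classifies a hash by the surface features the checklist names: hex digest
# length (MD5 32, SHA-1 40, SHA-256 64), modular-crypt prefixes ($6$ SHA-512
# crypt, $2a$/$2b$/$2y$ bcrypt) and the MD5/NTLM ambiguity length cannot resolve.

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Modular-crypt prefixes as they appear in /etc/shadow or bcrypt-backed apps.
PREFIXES = {
    "$1$": "MD5 crypt",
    "$5$": "SHA-256 crypt",
    "$6$": "SHA-512 crypt",
    "$2a$": "bcrypt",
    "$2b$": "bcrypt",
    "$2y$": "bcrypt",
}

# Raw hex digests by length. Several algorithms share a length, so the result
# is a candidate list, most common first, rather than a single answer.
HEX_LENGTHS = {
    32: ["MD5", "NTLM"],
    40: ["SHA-1"],
    64: ["SHA-256"],
    128: ["SHA-512"],
}


def identify_hash(value):
    """Return candidate hash type names for value; [] if the shape is not recognised."""
    value = value.strip()
    for prefix, name in PREFIXES.items():
        if value.startswith(prefix):
            return [name]
    if HEX_RE.match(value):
        return list(HEX_LENGTHS.get(len(value), []))
    return []


def identify_shadow_line(line):
    """Split a /etc/shadow style 'user:hash:...' line and classify the hash field."""
    fields = line.split(":")
    if len(fields) < 2:
        return None, []
    return fields[0], identify_hash(fields[1])


def identify_pwdump_line(line):
    """Classify the NT hash field of a 'user:rid:lmhash:nthash:::' pwdump line.

    The surrounding format is what tells you 32 hex chars are NTLM, not MD5.
    """
    fields = line.split(":")
    if len(fields) < 4:
        return None, []
    nt_hash = fields[3]
    if HEX_RE.match(nt_hash) and len(nt_hash) == 32:
        return fields[0], ["NTLM"]
    return fields[0], identify_hash(nt_hash)


# Constructed samples: digests computed here, crypt strings invented for shape only.
SAMPLES = {
    "md5": hashlib.md5(b"password").hexdigest(),
    "sha1": hashlib.sha1(b"password").hexdigest(),
    "sha256": hashlib.sha256(b"password").hexdigest(),
    "shadow": "alice:$6$saltsalt$" + "x" * 86 + ":19000:0:99999:7:::",
    "bcrypt": "$2b$12$" + "y" * 53,
    "pwdump": "bob:1001:" + "0" * 32 + ":" + "0" * 32 + ":::",
}

if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        if label == "shadow":
            print(label, identify_shadow_line(sample))
        elif label == "pwdump":
            print(label, identify_pwdump_line(sample))
        else:
            print(label, identify_hash(sample))
```

The candidate list is the point: when a bare 32-hex value comes back as `["MD5", "NTLM"]`, check where the hash came from before choosing a cracking mode, because running the wrong one simply burns time with no matches.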

#### Attack Methods
- [ <span style="color:green;">&#x2713;</span> ] **Dictionary Attacks** - Wordlist-based
- [ ] **Brute Force** - Try all combinations
- [ ] **Mask Attacks** - Pattern-based guessing
- [ ] **Rule-based Attacks** - Transform wordlists
- [ ] **Hybrid Attacks** - Combine methods

#### Tools to Master
- [ ] **Hashcat** - GPU-accelerated cracking
- [ ] **John the Ripper** - CPU-based cracking
- [ ] **CrackStation** - Online hash lookup
- [ ] **Hash Identifier** - Identify hash types

---

## **8. Enumeration and Exploitation**
*Identify actionable exploits and vulnerabilities and use them to bypass the security measures in code and compiled binaries.*

#### YouTube Channels & Videos
- [ ] **IppSec** - HackTheBox walkthroughs
- [ ] **The Cyber Mentor** - Practical ethical hacking
- [ ] **John Hammond** - CTF exploitation techniques
- [ ] **LiveOverflow** - Binary exploitation

#### GitHub Repositories <span style="color:gold;">⭐</span>
```bash
# Exploitation Frameworks
rapid7/metasploit-framework       # Exploitation framework
sqlmapproject/sqlmap             # SQL injection tool
SecureAuthCorp/impacket          # Network protocol attacks
rebootuser/LinEnum               # Linux enumeration
PowerShellMafia/PowerSploit      # PowerShell exploitation
```

#### Vulnerability Categories
- [ ] **Web Applications**: SQLi, XSS, CSRF, RFI/LFI
- [ ] **Network Services**: SMB, SSH, FTP, Telnet
- [ ] **Buffer Overflows**: Stack and heap-based
- [ ] **Privilege Escalation**: Local and remote
- [ ] **Binary Exploitation**: Format strings, ROP chains

#### Essential Exploits to Understand
- [ ] **EternalBlue** (MS17-010)
- [ ] **Shellshock** (CVE-2014-6271)
- [ ] **Heartbleed** (CVE-2014-0160)
- [ ] **Log4Shell** (CVE-2021-44228)

---

## **9. Web Application Security**
*Identify actionable exploits and vulnerabilities and use them to bypass the security measures in online services.*

#### YouTube Channels & Videos
- [ ] **PortSwigger Web Security** - Burp Suite tutorials
- [ ] **PwnFunction** - Web security concepts
- [ ] **The Cyber Mentor** - Web app penetration testing
- [ ] **STÖK** - Bug bounty and web hacking
- [ ] **NahamSec** - Web application security

#### GitHub Repositories <span style="color:gold;">⭐</span>
```bash
# Web Security Tools
sqlmapproject/sqlmap             # SQL injection automation
portswigger/backslash-powered-scanner  # Burp extensions
swisskyrepo/PayloadsAllTheThings # Web attack payloads
danielmiessler/SecLists          # Web fuzzing wordlists
```

#### OWASP Top 10 (2021) - Master These
1. [ ] **A01: Broken Access Control**
2. [ ] **A02: Cryptographic Failures**
3. [ ] **A03: Injection** (SQL, NoSQL, LDAP, OS command)
4. [ ] **A04: Insecure Design**
5. [ ] **A05: Security Misconfiguration**
6. [ ] **A06: Vulnerable and Outdated Components**
7. [ ] **A07: Identification and Authentication Failures**
8. [ ] **A08: Software and Data Integrity Failures**
9. [ ] **A09: Security Logging and Monitoring Failures**
10. [ ] **A10: Server-Side Request Forgery (SSRF)**
 

<hr style="border: 2px solid orange;">
# *Remember: <span style="color:#28a745;">Focus extra time on Wireshark since that's the identified competitive advantage.</span>*

