The Mid-Atlantic Regional CCDC 2010 Event - Part I
How to Score at a Hacking Competition
Over the past weekend I participated in my second CCDC, or Collegiate Cyber Defense Competition.The event put college students in a defending role in five “Blue teams” and "real-world attackers" in the offensive role (pun intended) as the “Red team”. Points are incurred against the Blue teams when their systems become compromised, services are unavailable, or their systems go down. The defending team with the lowest score wins and is sent to a national "cyber exercise" competition. The event hosts a job fair, keynotes by speakers such as Marcus Ranum, a full spectator area and this year hosted two film crews who interviewed players and captured the action. You can watch the videos from last year's CCDC event on their YouTube channel.
Hacking challenges have become a bit of a hobby to me in the past few years. I've participated in two previous events and wrote about them here on the Tenable blog. The first was the NYC Capture the Flag event and the second was "Cyberdawn", a diverse cyber exercise. I learn so much by attending these events and participating as a "Red team" member. As the Red team, we set out to compromise systems, run a program that would update a scoring engine, maintain access and disrupt services and operations. It’s a tough balance to maintain; the more aggressive you become on the systems, the more the defending teams notice. Changing a password and locking the teams out incurs points, however they will notice and reset a password. Smart Red team members implant different ways to access the system, such as SSH key trusts and rootkits, to gain a foothold on the systems throughout the competition.
As the Red team captain, I developed a strategy for guiding and organizing the Red team members. We divided into sub-teams and assigned the following roles to each of the members:
- Recon - The person assigned to this role is constantly scanning and probing the network to find available targets. They keep track of available systems and services, noting when a service goes offline and when it comes back. This keeps the rest of the Red Team from wasting time going after targets that do not exist. In a more realistic environment, this role would have been more valuable. However, it was quickly eliminated when the Red team compromised each Blue team's Nagios servers and used them to monitor for targets throughout the competition. In addition, the IP addresses, operating systems and open ports were given to the Red team before the competition, limiting the usefulness of this role. I do believe this role is perfect for someone just beginning to learn about penetration testing and vulnerability assessments, as it introduces some basic scanning tools and techniques.
- Vulnerability Identification - Once the IP addresses, operating systems and open ports have been enumerated, the next step is to identify vulnerabilities. This can encompass everything from default or easily guessable passwords, remote buffer overflow vulnerabilities or SQL injection flaws in a web application. Conceivably this role could be performed by the same person doing recon. Most teams ran a vulnerability scan at the beginning of the competition and used that as a guide throughout the game. However, I believe some vulnerabilities were missed as the competition progressed and Blue teams changed configurations and exposed new services.
- Exploitation - This sub-team is tasked with exploiting vulnerabilities. The level of difficulty for exploitation varies. For example, a default password is trivial to exploit. However, exploitation can become very complex in regard to a web application. If a XSS or SQLi vulnerability is found in a web application, it can take some time to develop a client-side attack or figure out how to use SQLi to gain shell. Unfortunately, the web applications were highly unstable during the competition. In fact, on the final day there was not one web application hosted by any team that was operational. In addition, common web application vulnerabilities did not translate into the game very well. For example, a SQLi vulnerability that allowed the Red team to download all records in a database did not have any bearing on the score, nor did it contain data that was helpful to the Red team during the competition. This issue will be addressed in future versions of the exercise.
- Post-Exploitation - This is perhaps the single most important role in the competition. The hardest part of the competition is keeping access to systems. The Blue teams are constantly adjusting the firewalls, killing connections on the machines and rebooting. This activity makes it difficult to gain persistent access. Common practices involve installing rootkits, hiding processes, running programs and then hiding them with trojaned binaries (such as netstat), and using trojan logon processes. For example, one Red team member installed a trojaned SSH server that had a "magic" password, allowing the Red team to login with a password, regardless of any other account and password settings on the system.
In Part II of this post we will explore the RFID hacking component of the competition and some methods used by the Red team to compromise systems.
Related Articles
How A CNAPP Can Take You From Cloud Security Novice To Native In 10 Steps
May 23, 2024Context is critical in cloud security. In a recent RSA presentation, Tenable's Shai Morag offered ten tips for end-to-end cloud infrastructure security.
Logs of Our Fathers
September 22, 2009<p>At USENIX in Anaheim, back in 2005, George Dyson treated us to a fantastic keynote speech about the early history of computing. You can catch a videotaped reprise of it <a href="http://www.ted.com/talks/lang/eng/george_dyson_at_the_birth_of_the_computer.html" target="_blank">here, on the TED site</a>. I highly recommend it - there's lots of interesting and quirky stuff. I managed to talk him into giving me a copy of his powerpoint file, and subsequently tracked him down and am re-posting this material with his permission.</p> <h3>November, 1951 </h3> <p style="TEXT-ALIGN: center"><a href="http://www.ranum.com/security/computer_security/papers/ur-syslogs/first_syslog.jpg" target="_blank"><img border="0" height="375" src="http://www.ranum.com/security/computer_security/papers/ur-syslogs/t/first_syslog.jpg" width="500" /></a> <br /><strong>Machine Log #1</strong></p>
ShmooCon 2009 - Playing Poker for Charity
February 12, 2009Tenable sponsored a booth at this year's ShmooCon and ran a Texas Hold'em table to help raise money for the Hackers for Charity organization. We raised close to $400 from conference attendees ...
Cybersecurity Snapshot: Many Employees Overshare Work Info with AI Tools, Report Finds, as ‘Cybersecurity Awareness Month’ Kicks Off
October 4, 2024Check out the best practices cyber agencies are promoting during Cybersecurity Awareness Month, as a report warns that staffers are feeding confidential info to AI tools. Meanwhile, a study highlights how business decisions can derail OT security. Plus, get the latest on Active Directory security, CISO salary trends and ransomware attacks!
How to Unlock Advanced IoT Visibility for Cyber-Physical Systems
October 1, 2024As the number of IoT devices deployed globally continues to rise, cyber-physical systems and business operations are exposed to greater risk. Improving asset visibility, monitoring and risk management are critical steps to preventing breaches.
Cybersecurity Snapshot: NIST Program Probes AI Cyber and Privacy Risks, as U.S. Gov’t Tackles Automotive IoT Threat from Russia, China
September 27, 2024A new NIST program will revise security frameworks like NIST’s CSF as AI risks intensify. Plus, the U.S. may ban cars with Russian and Chinese IoT components. Meanwhile, the CSA adds AI insights to its zero trust guide. And get the latest on cybersecurity budgets, SBOMs and the Ghost cybercrime platform!
- Conferences
- Events
- Nessus