MSU Red Team – Fun, Success

The guys that I brought together here at Mississippi State to serve as a Red Team for University of Alaska Fairbanks’ CCDC had a great time Saturday.  This CCDC was a “practice” run for two Alaskan teams and two Hawaiian teams, and I believe we gave them a good taste of what they’d likely face in regional and national CCDCs if they decide to run it again for-real next year and send a team to regionals (which I hope they do!).

I gathered up a team of skilled students here that had performed well in past CTF events we’ve held here at MSU, or otherwise shown some aptitude (such as the guy who developed our SCADA radio attacks).  With a good team in place, we prepared our attack with the following goals in mind:

• Fair distribution of attacks – If we were able to compromise a team’s system, once we were in, we tried to run the same kind of attack against all of the other teams.  If a team escaped the evil treatment we gave another team, it was because they had defended themselves against it, and not due to arbitrary choices of who we pick on.
• Annoyance, not destruction - Once we were in, we were careful to not do anything that the teams could not recover from.  No “rm -rf” or dropping tables.
• Increasing levels of noise – Early in the game, our goal was to get in and subvert things quietly.  As the game progressed, I instructed my Red Team to get increasingly “loud” and annoying, to see at what point the teams realized there was a compromise, and observe how they would react.

I won’t go into too much detail about the scenario, in case they want to re-use parts of it, but I can give a good summary of things from the Red Team perspective without getting into spoilers.  On our end, we set up shop in the MSU NFTC’s forensics lab (our security lab is isolated from the public Internet), and connected to the CCDC network remotely using the VMWare vSphere client.  There, the organizers had set the red team up with a number of Backtrack 4 and Windows XP virtual machines.

The defending teams were given a 30 minute grace period, during which we were only allowed to perform recon.  We took the time to scan the network, and get Metasploit and other tools ready to go.  I quickly knocked together a phishing site based off the web applications the teams had to maintain.

Within the first five minutes of our attack, members of the Red Team had compromised all four teams’ DNS servers and installed back-door software that maintained access for most of the competition.  This allowed us to point the teams’ domain for web access (www.) to the phishing site I created and set up before the attack.  This site logged usernames and passwords for all teams throughout the competition, and served as a nice central place to deface and taunt them (with the phished account list) once we decided to get noisy.

While we waited for the central DNS server to update its cache for the teams’ web servers, I managed to break their web apps, so that if they did manage to point them back to the right location, they’d still have some work to do.  They were running a web hosting business that allowed new clients to select the subdomain they wanted to host their site.  I registered an account on the first team’s site and requested the “www.” subdomain.  This instantly replaced their web app with an Apache test page.  Delighted, I moved on and broke the others in the same way.  Only one team’s app survived this, but only because they had broken account creation and login (likely, by trying to secure Apache or Django’s config).

From this point on, we played cat-and-mouse with the teams on their other systems, but they never resumed business operations.  One thing we discussed with them in our post-game wrap-up was a sense of priority.  I’m not sure how it would reflect in the scoring of a regional or national CCDC, but at least in the real world, the focus should have been on getting their web sites back up and operational so that business could continue.  Everything else could work, but if you can’t sign up new clients or provide service, you’re dead in the water.  Most of the other stuff we did (compromising the mail server to send resignation letters and rude emails to the CCDC organizers on behalf of the teams, fighting for control/chatting with team members on their workstations) were distractions to keep them from kicking us out of the systems that really mattered.

Overall, though, the teams did a good job of not panicking in a bad-and-rapidly-deteriorating situation.  By the end, a couple of the teams had managed to kick us out of their DNS servers and given some more time, would have been able to restore operations.  They all seemed to be good sports about it too :)

As for my Red Team, I’m very proud.  They held it down, but kept things fair and didn’t make things hopeless for the defenders.  They quickly executed our planned attacks and kept their eyes on the goal: disrupting business, not just owning boxes.