The meta-game of sniffing and counter-sniffing on our CTF normally makes teams paranoid about submitting flags early in the game.  This paranoia even outweighs the main benefit of submitting early: ties are broken by the time of last submission.  At this point in the game scores are normally low.

This is not a normal instance of CTF, though.  One team, Team Firewall, has embraced the risks and run up their score early.  As of this morning at 8:15 AM, the scores are as follows:

  1. Team Firewall – 24 points
  2. Team Wireshark – 3 points
  3. Team Sniffer – 1 point
  4. Team Burp Suite – 1 point
  5. Team Nmap – 0 points
  6. Team Tracker – 0 points

This year, initial team names were chosen by the security class’ professor, Dr. Ray Vaughn.  The names don’t reflect any association with the listed open-source projects (though if the members want to work out endorsement deals, they are welcome to!).

In true nerd fashion, we’ll see how much activity we have in CTF over the weekend with the university’s Super Bulldog Weekend festivities going on.

 

Today, immediately after my rules lecture to the 9:30AM (Central) information security class, the Spring 2010 iteration of Capture the Flag here at Mississippi State University will begin.  While I have handed off much of the responsibility for running CTF to Chris Vance, our Security Lab Administrator, I will still be covering the event on this blog, much like I did last year.

The format is the same as last semester: 6 teams, trying to capture as many “flags” (10-digit hexadecimal strings, for example 489066dd35) as possible.  They submit these flags to a scoring server that also happens to be in the target network.  There is always a very interesting meta-game between the teams, as they try to figure out how to submit their flags securely.

Last semester was the first CTF to run for multiple days, and I believe it was a huge success.  We’re continuing this time format, and the current CTF will run until 9:30 AM on Tuesday.  I will update this site with scores and a bit of commentary (though I won’t be spending as much time in the lab this time as I did last semester).

Here’s a list of posts from last semester’s CTF:

 

I’ve been busy this week teaching part of the intro series of courses we have at the National Forensics Training Center, but I still wanted to post a quick update.  I figured I’d share a few interesting things I read this week, and talk a bit about some extracurricular activities going on in our lab tomorrow.

For a couple of weeks now, I’ve been using Instapaper to mark articles and sites to “Read Later”.  The benefit of Instapaper is that, with the integration and syncing between all the different computers I use and (crucially) my iPod Touch, I actually wind up reading the things I intend to read later, instead of their just getting bookmarked and forgotten.  While I’m on WiFi I can sync them all up to the iPod and read them anywhere, offline, where I don’t have the distractions of grabbing new emails and messages.

Some things I starred and enjoyed recently:

  • Should I Learn Assembly Language – HD Moore tackles the question of whether or not penetration testers have a need to learn assembly language.  Spoiler: The answer is, essentially: you can get away with not knowing it if you just use the shellcode in Metasploit, but it’s a must if you use public-sourced exploits or just want to understand how the shellcode works (which you should).
  • Network Time Protocol (NTP) Fun – Cool little writeup over at the carnal0wnage blog about a new module in Metasploit that performs some information gathering over NTP.
  • Clueless FUD Article… – In which Steve Manzuik points out that there is a lot more information sharing going on behind the scenes in infosec than you might be aware of (or at least more than the author of a specific DarkReading article is aware of).

Tomorrow afternoon, a group of guys (who have historically done well in past CTF events here at the university) and I will be acting as the red team for a cyber-defense exercise being hosted by the University of Alaska Fairbanks.  They have a nice VMWare setup in Fairbanks that all of the teams will be remoting into, and we’re really looking forward to giving the participating universities a hard time.  If you happen to be one of the readers who is local enough to Mississippi State University to drop by for a visit, feel free to come by the forensics lab in Butler Hall tomorrow between 1:30 and 7:30 PM to see how things are going.

 

Ring 0 pulled it off in the end, with VM to VM flag submission to prevent their own flags from going out on the wire, thwarting the McGrewchebags’ attempts at automated sniffing/resubmission.  They were here all night hacking away and their devotion paid off.  I expected to find them face-down on the keyboard when I got back to the lab at 7AM, but they were still going, fueled by caffeine.

In the last moments of the game, with “Eye of the Tiger” playing from an unidentified laptop, the two top teams submitted all of the flags they had been afraid to submit earlier, along with plenty of cover traffic.  The scoring server creaked and groaned under the pressure, and I closed all of the other VMs to help out a bit.  When the clock hit 9:00 AM, I pulled the power to the hub, cutting the VM server off from the rest of the network.  The two teams congratulated each other, and we all went down to the classroom for the awards ceremony.

The final scores:

  1. Ring 0 : 29 Flags
  2. McGrewchebags: 23 Flags
  3. Where’s Jerry?: 12 Flags
  4. Team 3: 6 Flags
  5. Team 5: 4 Flags
 

The lab has been very busy this weekend.  Yesterday at 3PM I received an email asking me to drop by and reboot the VMs due to sluggish performance, and I expected a handful of people in here when I arrived.  When I got to the lab, I was very surprised to see a little over half the class hacking away.  There were still several people around when I left at 8PM.

After looking into it, we have found that the “Jerry” of “Where’s Jerry?” dropped the class some time back.  That team is on an even footing with the others, with 4 members, so there is no injustice there.  I originally had a 1 flag bounty on Jerry’s head, if they could bring him to me, though with these circumstances, I’ve raised the bounty to 2.

Ring 0 was just awarded a flag for a social engineering attempt that I was deliberating on for a while, and another flag for something I cannot disclose at this time.  Right now, it’s a very close three-team race for first place, although it’s hard to say how many unsubmitted flags the teams could be sitting on.

The scores as of this moment:

  1. McGrewchebags : 17 Flags (Time of last capture: 3:46 PM Saturday)
  2. Ring 0 : 14 Flags (Time of last capture: 11:30 PM Saturday)
  3. Where’s Jerry?: 12 Flags (Time of last capture: 1:51 PM Sunday)
  4. Team 3: 6 Flags (Time of last capture: 8:22 PM Saturday)
  5. Team 5: 4 Flags (Time of last capture: 11:57 AM Saturday)
 

After a very busy morning, the number of students in the lab hacking away at CTF went down in number, but up in rowdiness.  There are three close “top” teams now, with “Where’s Jerry?” (formerly known as Team 4, name in reference to a missing member) joining McGrewchebags and Ring 0 in being very active.  “Where’s” is not to be underestimated, having run their score up to the current value in a very short period of time.

The teams are getting more and more humorous with their trash talking.  It’s all in the spirit of the competition, though, as they’re being very friendly and sportsman-like to each other.  Earlier, I was witness to a member of Ring Zero sharing his copy of Fyodor’s nmap book with a member of McGrewchebags.

There was a bit of social engineering action today (bribery, etc.), and a small handful of points were handed out.  The best social engineering attempt, a survey sent to us, was actually rewarded by providing the team with an answer to one of their survey questions, rather than a “social engineering flag”.  That answer might serve them well.  It’s difficult to judge the social engineering attempts objectively, so I simply go with my gut.  Occasionally students protest about perceived uneven applications of rules and rewards, but it all evens out in the end.  Either way, there’s no way to appeal my decisions :)

Teams are getting a good handle on their sniffing and packet analysis skills, and are falling into a good routine on that front.  Most of the teams appear to be working well with each other as a team, and continue to put in some long hours.  I wouldn’t be surprised to see a sleeping bag in here the next time I drop by to see what’s going on.

I will be dropping by at least once tomorrow and Sunday, and will post updates then.

Current scores:

  1. McGrewchebags – 15 Flags (Last capture, 7:39 AM)
  2. Ring 0 – 9 Flags (Last capture, 11:31 AM)
  3. Where’s Jerry? – 8 Flags (Last capture, 11:25 AM)
  4. Team 5 – 3 Flags (Last capture, 12:16 PM)
  5. Team 3 – 1 Flag (Last capture, 2:46 PM)
 

Activity has seriously picked up after this morning’s brief class meeting.  I discussed the events of my previous updates with them, clarified some rules, talked about useful tools, and gave a brief ramble on ways to effectively keep Wireshark from overwhelming them with data (or from crashing).  Members of the previously less active teams are in here now, as they become free of their weekday obligations.  There’s still plenty of time over the weekend for hacking!

Current scores as of 10:04 this morning:

  1. McGrewchebags: 14 flags (Time of last capture: 7:39 AM)
  2. Ring 0: 7 flags (Time of last capture: 9:53 AM)
  3. Team 4: 4 flags (Time of last capture: 9:38 AM)
  4. Team 3: 1 flag (From yesterday, when they weren’t here)
  5. Team 5: Nothin’!

I’ll likely update again this evening at 5PM.

 

Today has been a busy day, but with slight movement to the scores.  The two busiest teams, McGrewchebags and Ring 0, have been at work re-evaluating and re-deploying their sniffing and counter-sniffing measures.  Representatives of two other teams have been by to poke at the network and their own reserved computers, yet remain quiet on the scoreboard.

Three flags were submitted for scoring today.  This includes one flag each by Ring 0 and the McGrewchebags, 30 minutes apart from each other.  The remaining flag is more interesting for one reason: it was credited to Team 3, who had no members in the room at that time.  I know the reason for this, along with many other CTF secrets that I cannot reveal until after the closing ceremony.  For now, it is an exercise for the readers and other teams to figure it out.

Network traffic is picking up with “cover traffic”, designed to confuse other sniffing teams.  If it begins to get out of hand, I will need to start unplugging network cables, but so far so good.  The active teams are learning a lot about filtering through packet logs.

Soon, it seems, teams will be getting very serious about attacking target VMs and actually capturing flags for themselves ;)

The scores as of 5:00PM:

  1. McGrewchebags – 13 Flags
  2. Ring 0 – 5 Flags
  3. Team 4 – 1 Flag (Time of last capture: NULL, only flag was granted for social engineering)
  4. Team 3 – 1 Flag (Time of last capture: 2:46PM, no members present!)
  5. Team 5 – 0 (Sleeper cell, or just asleep?)
 

I arrived at an empty lab this morning, just before 8AM, and the target VMs were running very sluggishly.  Rather than spending a lot of time diagnosing the exact problem, I felt it would be quicker to just shut the VMs down, restart VMWare, and bring them back up to see if they would spring back to life.  They did.  I got the (happy) feeling that these targets had been well abused during the night, and I believe I was right.

The students of team Ring 0 have made their presence known on the scoreboard, now in a distant second place with 4 flags.  Don’t let the word “distant” fool you, though.  They were in here and working on it for a good while last night, indicated by their time of last flag submission: 12:42 AM.  The flags they submitted last night were likely just the ones they didn’t mind the other teams’ sniffers catching.  I am certain they have more.

A flag was awarded last night to Ring 0 for a social engineering attempt that I interfered with.  The team registered a gmail account in my name, and planned on posting a letter on the door of the lab, from “me”, informing the other teams that the lab was closed temporarily, due to damage caused by the “disqualified” Ring 0.  They were not sure if the letter would violate the spirit of the CTF rules against interfering too much with other teams, so they consulted with me before putting the sign up.  I thought it was a cool idea, but I didn’t want to cut into other teams’ time in the lab, so I thanked them for the attempt, told them to not put up the sign, but awarded them a flag for their efforts.

I look forward to today’s activity.

The scoreboard, as it stands this morning:

  1. McGrewchebags – 12 flags
  2. Ring 0 – 4 flags
  3. Team 4 – 1 flag
  4. Team 3 – 0
  5. Team 5 – 0
 

It’s time for me to leave the lab for the evening, but Capture the Flag and the participating teams march on.

After a briefing on the rules of CTF to the students from 9:00 to 9:45 this morning, this semester’s marathon Capture the Flag began.  The five teams have until 9:00 Monday morning to rack up their score.  There is plenty of time to go, although some teams are getting an early start.

The McGrewchebags (I love their name) have had an excellent start.  Members have been in the lab working on it ever since the end of the initial briefing, and have found most of the publicly available flags along with a handful of flags on the isolated CTF network.  They are also the very first team to break the scoring server in such a way that they could end the game right then and there.  The game was quickly repaired and the McGrewchebags were rewarded 2 points on the spot.

The teams that have been on the network have quickly realized that having an entirely hubbed network (one large broadcast domain) and the lack of a secure way to submit flags for scoring presents an interesting set of opportunities and challenges.  Passive monitoring is allowed, and each team is laying claim to one computer in the lab from which to run scripts and sniffers.  Espionage and communications security are top concerns for some of the teams, with counter-measures and counter-counter-measures being discussed in hushed tones.

The only team to submit flags to the scoring server, the McGrewchebags, are in the lead, although it is not known how many flags other teams are “sitting on” at the moment.  It’s a battle of nerves, as ties are broken by the earliest time of last submission.

The un-named Team 4 was just (50 minutes ago) awarded one flag for a nice social engineering attempt.  This team sent me an email, spoofed to appear as though it was from the professor of the class, informing me that Team 4 deserved points because “they got me earlier” (meta-social-engineering!).  The email wasn’t perfect.  The headers didn’t match Dr. Vaughn’s usual emails, and they accidentally double-spaced his signature, but it was a pretty good attempt and earned them a flag.

Ring 0 just chose their name, and appear to be in a sort of set-up stage.  They may be a little slower to jump in than the McGrewchebags, but I get the impression that they are very serious about winning.

Scores as of Wednesday 5:00PM:

  1. McGrewchebags : 12 points
  2. Team 4 : 1 point
  3. Ring 0 : 0 points
  4. Team 3 : 0 points
  5. Team 5 : 0 points

If everything stays up and running, and I don’t get any emergency calls, I will be back on the CTF network in the morning, and will keep my readers up to date with scores and commentary.

© 2012 McGrew Security