
Tenable Blog

The Mid-Atlantic Regional CCDC 2010 Event - Part I

How to Score at a Hacking Competition

Over the past weekend I participated in my second CCDC, or Collegiate Cyber Defense Competition. The event put college students in a defending role in five “Blue teams” and "real-world attackers" in the offensive role (pun intended) as the “Red team”. Points are incurred against the Blue teams when their systems become compromised, services are unavailable, or their systems go down. The defending team with the lowest score wins and is sent to a national "cyber exercise" competition. The event hosts a job fair, keynotes by speakers such as Marcus Ranum, a full spectator area and this year hosted two film crews who interviewed players and captured the action. You can watch the videos from last year's CCDC event on their YouTube channel.

At a hacking challenge it can be tough to keep the Red team in line and following the rules. However, the very nature of hacking involves breaking the rules! All of the Red team members did an excellent job of being hackers, and being responsible. While there is no Red team winner, we had some of the highest scoring Red teams in the event's history. You can read more about the Blue team winner and rankings on the CCDC web site.

Hacking challenges have become a bit of a hobby to me in the past few years. I've participated in two previous events and wrote about them here on the Tenable blog. The first was the NYC Capture the Flag event and the second was "Cyberdawn", a diverse cyber exercise. I learn so much by attending these events and participating as a "Red team" member. As the Red team, we set out to compromise systems, run a program that would update a scoring engine, maintain access and disrupt services and operations. It’s a tough balance to maintain; the more aggressive you become on the systems, the more the defending teams notice. Changing a password and locking the teams out incurs points; however, they will notice and reset the password. Smart Red team members implant different ways to access the system, such as SSH key trusts and rootkits, to keep a foothold on the systems throughout the competition.

As the Red team captain, I developed a strategy for guiding and organizing the Red team members. We divided into sub-teams and assigned the following roles to each of the members:

  • Recon - The person assigned to this role is constantly scanning and probing the network to find available targets. They keep track of available systems and services, noting when a service goes offline and when it comes back. This keeps the rest of the Red team from wasting time going after targets that do not exist. In a more realistic environment, this role would have been more valuable. However, it was quickly eliminated when the Red team compromised each Blue team's Nagios servers and used them to monitor for targets throughout the competition. In addition, the IP addresses, operating systems and open ports were given to the Red team before the competition, limiting the usefulness of this role. I do believe this role is perfect for someone just beginning to learn about penetration testing and vulnerability assessments, as it introduces some basic scanning tools and techniques.

IPv6 was in play for the competition and was enabled on the network and all target hosts. One Red team member figured out that most of the teams did not apply any firewall rules to stop IPv6 traffic. Several tools, including Nessus, have been updated to run on IPv6 networks. This enabled the Red team to compromise several systems and ignore the IPv4 firewall rules.
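The gap described above is a parity problem: a host filtered by iptables rules is wide open to the same services over IPv6 if ip6tables is left at its default ACCEPT policy. The following script is an added example, not code from the original post or from Tenable, that audits that parity offline from `iptables-save` / `ip6tables-save` style dumps. The three dumps embedded in it are constructed for the example; the rule parsing only follows the INPUT chain of the filter table and assumes the common `-p <proto> ... --dport <port> ... -j <target>` rule shape.

```python
"""Audit IPv4/IPv6 firewall parity from iptables-save style dumps.

Added example (not from the original post). Reports two kinds of gap:
  1. the IPv6 INPUT default policy is ACCEPT while IPv4 is not, so every
     listening service is reachable over IPv6 regardless of the v4 rules;
  2. a port accepted over IPv6 that has no matching ACCEPT over IPv4.
"""
import re
from dataclasses import dataclass, field

# Constructed IPv4 rule set: default DROP, only HTTP and admin-net SSH allowed.
V4_DUMP = """
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -s 10.0.0.0/24 -j ACCEPT
COMMIT
"""

# Constructed weak IPv6 rule set: the stock, never-configured ip6tables state.
V6_WEAK_DUMP = """
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

# Constructed partially fixed IPv6 rule set: default DROP, but a database
# port was opened over IPv6 that IPv4 never exposed.
V6_PARTIAL_DUMP = """
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -s 2001:db8::/64 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
COMMIT
"""

# Constructed corrected IPv6 rule set mirroring the IPv4 policy (ICMPv6 stays
# open because neighbour discovery needs it).
V6_FIXED_DUMP = """
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -s 2001:db8::/64 -j ACCEPT
COMMIT
"""

POLICY_RE = re.compile(r"^:INPUT\s+(ACCEPT|DROP|REJECT)")
RULE_RE = re.compile(r"^-A INPUT\b.*?-p (\w+).*?--dport (\d+).*?-j (\w+)")


@dataclass
class FilterPolicy:
    input_policy: str = "ACCEPT"                 # default chain policy
    accepted_ports: set = field(default_factory=set)  # {(proto, port)}


def parse_filter_table(dump: str) -> FilterPolicy:
    """Extract the INPUT default policy and accepted (proto, port) pairs."""
    policy = FilterPolicy()
    in_filter = False
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):            # table header, e.g. *filter / *nat
            in_filter = line == "*filter"
            continue
        if not in_filter or not line:
            continue
        m = POLICY_RE.match(line)
        if m:
            policy.input_policy = m.group(1)
            continue
        m = RULE_RE.match(line)
        if m and m.group(3) == "ACCEPT":
            policy.accepted_ports.add((m.group(1), int(m.group(2))))
    return policy


def find_ipv6_gaps(v4_dump: str, v6_dump: str) -> list:
    """Return human-readable findings where IPv6 is looser than IPv4."""
    v4 = parse_filter_table(v4_dump)
    v6 = parse_filter_table(v6_dump)
    findings = []
    if v6.input_policy == "ACCEPT" and v4.input_policy != "ACCEPT":
        findings.append(
            "IPv6 INPUT default policy is ACCEPT while IPv4 is %s: "
            "every listening service is reachable over IPv6" % v4.input_policy)
    for proto, port in sorted(v6.accepted_ports - v4.accepted_ports):
        findings.append(f"{proto}/{port} accepted over IPv6 but not over IPv4")
    return findings


if __name__ == "__main__":
    for label, dump in (("weak", V6_WEAK_DUMP), ("partial", V6_PARTIAL_DUMP),
                        ("fixed", V6_FIXED_DUMP)):
        print(label, find_ipv6_gaps(V4_DUMP, dump) or "no IPv6 gaps")
```

On a real host the two dumps come from `iptables-save` and `ip6tables-save`; the check is deliberately conservative and does not follow jumps into user-defined chains, so a rule set that routes INPUT through custom chains needs those chains flattened first. If IPv6 is not actually needed on a host, the simplest fix is a DROP default policy on the ip6tables INPUT chain with only loopback, ICMPv6 and established traffic allowed.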

  • Vulnerability Identification - Once the IP addresses, operating systems and open ports have been enumerated, the next step is to identify vulnerabilities. This can encompass everything from default or easily guessable passwords, remote buffer overflow vulnerabilities or SQL injection flaws in a web application. Conceivably this role could be performed by the same person doing recon. Most teams ran a vulnerability scan at the beginning of the competition and used that as a guide throughout the game. However, I believe some vulnerabilities were missed as the competition progressed and Blue teams changed configurations and exposed new services.
  • Exploitation - This sub-team is tasked with exploiting vulnerabilities. The level of difficulty for exploitation varies. For example, a default password is trivial to exploit. However, exploitation can become very complex in regard to a web application. If an XSS or SQLi vulnerability is found in a web application, it can take some time to develop a client-side attack or figure out how to use SQLi to gain a shell. Unfortunately, the web applications were highly unstable during the competition. In fact, on the final day there was not one web application hosted by any team that was operational. In addition, common web application vulnerabilities did not translate into the game very well. For example, a SQLi vulnerability that allowed the Red team to download all records in a database did not have any bearing on the score, nor did it contain data that was helpful to the Red team during the competition. This issue will be addressed in future versions of the exercise.
  • Post-Exploitation - This is perhaps the single most important role in the competition. The hardest part of the competition is keeping access to systems. The Blue teams are constantly adjusting the firewalls, killing connections on the machines and rebooting. This activity makes it difficult to gain persistent access. Common practices involve installing rootkits, hiding processes, running programs and then hiding them with trojaned binaries (such as netstat), and using trojaned logon processes. For example, one Red team member installed a trojaned SSH server that had a "magic" password, allowing the Red team to log in with that password regardless of any other account and password settings on the system.
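The persistence techniques listed above (a replaced netstat, a trojaned sshd, dropped helper binaries) all change files on disk, which is what a Blue team's file-integrity baseline is for. The script below is an added example, not code from the original post or from Tenable: it records SHA-256 digests of everything under watched directories, then reports files that were modified, removed, or newly added. The directory tree and file contents are constructed in a temporary directory purely so the example runs stand-alone; `demo()` simulates a trojaned `netstat` and `sshd` plus a dropped helper and returns what the check finds.

```python
"""Tripwire-style baseline and verify for system binaries.

Added example (not from the original post). The baseline manifest maps a
path relative to the root to its SHA-256; verify() reports drift.
"""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large binaries do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str, watched_dirs) -> dict:
    """Hash every regular file below each watched directory under root."""
    manifest = {}
    for d in watched_dirs:
        for dirpath, _, files in os.walk(os.path.join(root, d)):
            for name in files:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = sha256_file(full)
    return manifest


def verify(root: str, watched_dirs, manifest: dict) -> dict:
    """Compare the current tree to the baseline; lists are sorted for stable output."""
    current = build_baseline(root, watched_dirs)
    findings = {"modified": [], "missing": [], "added": []}
    for rel, digest in manifest.items():
        if rel not in current:
            findings["missing"].append(rel)
        elif current[rel] != digest:
            findings["modified"].append(rel)
    for rel in current:
        if rel not in manifest:
            findings["added"].append(rel)
    for key in findings:
        findings[key].sort()
    return findings


def _write(root: str, rel: str, content: bytes) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(content)


def demo() -> dict:
    """Constructed scenario: baseline a fake /bin and /sbin, then tamper with them."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    watched = ["bin", "sbin"]
    # Constructed stand-ins for real binaries (contents are arbitrary bytes).
    _write(root, "bin/netstat", b"original netstat build\n")
    _write(root, "bin/ls", b"original ls build\n")
    _write(root, "sbin/sshd", b"original sshd build\n")
    manifest = build_baseline(root, watched)

    # Simulate the post-exploitation activity the post describes:
    # a netstat that hides connections, an sshd with a backdoor password,
    # and a dropped helper in a dot-prefixed name.
    _write(root, "bin/netstat", b"netstat that filters its own output\n")
    _write(root, "sbin/sshd", b"sshd accepting a hard-coded password\n")
    _write(root, "sbin/.cache-helper", b"dropped helper\n")
    return verify(root, watched, manifest)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The value of this check depends entirely on where the manifest and the hashing tool live: both should be stored off the host (or on read-only media) and the comparison run from a trusted boot, because a kernel rootkit that hides files and processes can just as easily feed a hashing tool the original bytes. On a live host the same comparison also belongs on `~/.ssh/authorized_keys` files, since an added key trust leaves exactly the kind of on-disk change this catches.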

Virtual systems have changed many aspects of computing, including hacking. Almost all of the Red team members were running multiple operating systems on one host to provide specific functions. For example, a BackTrack distribution was running to take advantage of many of the pre-configured tools. Additionally, if we needed a Windows host to test commands or programs, it ran on a virtual machine. Without VMware and similar technologies we would have needed a much larger room to house all of the systems we were using!

In Part II of this post we will explore the RFID hacking component of the competition and some methods used by the Red team to compromise systems.
