How to Score at a Hacking Competition
Over the past weekend I participated in my second CCDC, or Collegiate Cyber Defense Competition. The event put college students in a defending role in five "Blue teams" and "real-world attackers" in the offensive role (pun intended) as the "Red team". Points are incurred against the Blue teams when their systems become compromised, services are unavailable, or their systems go down. The defending team with the lowest score wins and is sent to a national "cyber exercise" competition. The event hosts a job fair, keynotes by speakers such as Marcus Ranum, and a full spectator area; this year it also hosted two film crews who interviewed players and captured the action. You can watch the videos from last year's CCDC event on their YouTube channel.
Hacking challenges have become a bit of a hobby for me in the past few years. I've participated in two previous events and wrote about them here on the Tenable blog. The first was the NYC Capture the Flag event and the second was "Cyberdawn", a diverse cyber exercise. I learn so much by attending these events and participating as a "Red team" member. As the Red team, we set out to compromise systems, run a program that would update a scoring engine, maintain access, and disrupt services and operations. It's a tough balance to maintain: the more aggressive you become on the systems, the more the defending teams notice. Changing a password and locking the teams out incurs points; however, they will notice and reset the password. Smart Red team members implant different ways to access the system, such as SSH key trusts and rootkits, to keep a foothold on the systems throughout the competition.
As the Red team captain, I developed a strategy for guiding and organizing the Red team members. We divided into sub-teams and assigned the following roles to each of the members:
- Recon - The person assigned to this role is constantly scanning and probing the network to find available targets. They keep track of available systems and services, noting when a service goes offline and when it comes back. This keeps the rest of the Red Team from wasting time going after targets that do not exist. In a more realistic environment, this role would have been more valuable. However, it was quickly eliminated when the Red team compromised each Blue team's Nagios servers and used them to monitor for targets throughout the competition. In addition, the IP addresses, operating systems and open ports were given to the Red team before the competition, limiting the usefulness of this role. I do believe this role is perfect for someone just beginning to learn about penetration testing and vulnerability assessments, as it introduces some basic scanning tools and techniques.
- Vulnerability Identification - Once the IP addresses, operating systems and open ports have been enumerated, the next step is to identify vulnerabilities. This can encompass everything from default or easily guessable passwords to remote buffer overflow vulnerabilities or SQL injection flaws in a web application. Conceivably this role could be performed by the same person doing recon. Most teams ran a vulnerability scan at the beginning of the competition and used that as a guide throughout the game. However, I believe some vulnerabilities were missed as the competition progressed and Blue teams changed configurations and exposed new services.
- Exploitation - This sub-team is tasked with exploiting vulnerabilities. The level of difficulty for exploitation varies. For example, a default password is trivial to exploit. However, exploitation can become very complex in regard to a web application. If an XSS or SQLi vulnerability is found in a web application, it can take some time to develop a client-side attack or figure out how to use SQLi to gain a shell. Unfortunately, the web applications were highly unstable during the competition. In fact, on the final day there was not one web application hosted by any team that was operational. In addition, common web application vulnerabilities did not translate into the game very well. For example, a SQLi vulnerability that allowed the Red team to download all records in a database did not have any bearing on the score, nor did it contain data that was helpful to the Red team during the competition. This issue will be addressed in future versions of the exercise.
- Post-Exploitation - This is perhaps the single most important role in the competition. The hardest part of the competition is keeping access to systems. The Blue teams are constantly adjusting the firewalls, killing connections on the machines and rebooting. This activity makes it difficult to maintain persistent access. Common practices involve installing rootkits, hiding processes, running programs and then hiding them with trojaned binaries (such as netstat), and using trojaned logon processes. For example, one Red team member installed a trojaned SSH server that had a "magic" password, allowing the Red team to log in with that password regardless of any other account and password settings on the system.
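A Blue-team counter to the trojaned-netstat trick described above, added here as an example and not code from the original post: it compares the kernel's own socket table (/proc/net/tcp) with what the netstat binary reports, so a listener that a modified netstat omits still shows up. The sample data is constructed; the live-host helper assumes a Linux system with netstat on the path.

```python
import re
import subprocess

# Constructed /proc/net/tcp content: three LISTEN sockets (state 0A) on hex ports
# 0016 (22), 0050 (80) and 7A69 (31337), plus one ESTABLISHED (01) connection.
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0A000002:0016 0A000001:C3A1 01 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 20 4 30 10 -1
"""

# Constructed output of "netstat -lnt" from a binary that hides port 31337.
NETSTAT_OUTPUT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
"""


def kernel_listening_ports(proc_net_tcp):
    """Parse /proc/net/tcp text; state 0A is LISTEN, local port is hex after ':'."""
    ports = set()
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) >= 4 and fields[3] == "0A":
            ports.add(int(fields[1].split(":")[1], 16))
    return ports


def netstat_listening_ports(netstat_text):
    """Extract local ports from LISTEN lines of netstat -lnt output."""
    ports = set()
    for line in netstat_text.splitlines():
        m = re.match(r"tcp6?\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN", line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def hidden_listeners(proc_net_tcp, netstat_text):
    """Ports the kernel says are listening but the userland tool does not report."""
    return kernel_listening_ports(proc_net_tcp) - netstat_listening_ports(netstat_text)


def check_live_host():
    """Run the same cross-view check on the local Linux host (assumes netstat exists)."""
    with open("/proc/net/tcp") as f:
        kernel_view = f.read()
    tool_view = subprocess.run(["netstat", "-lnt"], capture_output=True, text=True).stdout
    return hidden_listeners(kernel_view, tool_view)


if __name__ == "__main__":
    print("hidden in sample data:", sorted(hidden_listeners(PROC_NET_TCP, NETSTAT_OUTPUT)))
```

The same comparison applies to /proc/net/tcp6 for IPv6 listeners, and a parallel check of /proc PIDs against ps output catches hidden processes in the same way.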
In Part II of this post we will explore the RFID hacking component of the competition and some methods used by the Red team to compromise systems.