Red Teaming at NCCDC 2014

This year I got to join the red team at the National Collegiate Cyber Defense Competition. I wanted to briefly cover my approach and some techniques I used that I consider real-world and novel for this competition. Aside from the well-documented tactics regarding the rush for default credentials, unpatched systems, and persistence, for which I will include links at the end of the post for completeness, I took a slightly different approach.

I personally started with a top-down approach and began enumerating web services, directories, software platforms, and functionality. I quickly stumbled across numerous applications running WordPress, OTRS, and custom configurations. Through these applications I was able to upload my own files and get remote code execution in the form of web shells. I quickly peppered the applications with multiple web shells, including embedding new shells in existing pages using the shells I had just put up. With these web shells I was then able to read raw source code, and I used this to extract database connection details out of the web applications. Once I was connected to the databases, I did the typical looting of PII and credit card numbers, but then stayed quiet so as not to give up my access. This is when things got interesting: rather than deface the web services or bring them down to take points away from the teams, I decided to do a somewhat taboo watering hole attack. I used the site to hide BeEF hooks and then infected the browsers of blue team and orange team members as they browsed the site. Using these techniques I was able to fingerprint the browsers, track their actions, steal cookies, and launch classics such as the Java signed applet attack. This was a really fun attack vector; I think it's fairly novel for this competition, but also very, very real-world.


The best defense against this sort of attack, from a client perspective, would be to run something like NoScript in Firefox or Iceweasel. NoScript will not only help the client browser block the malicious scripts, but it could also help blue team members detect the malicious JavaScript as they browse their own site. Another approach to finding malicious web source code by hand is to open your web root in a text editor such as Sublime Text and do a multi-file search. You would want to search for potentially malicious functions and constructs, such as javascript src, include, iframe, exec, base64_decode, and many other platform-dependent commands. A great approach is to automate this, either in a simple script or a host IDS, or by catching the traffic with a network IDS.
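The multi-file search described above, scripted, as an added example that is not part of the original post: it sweeps a web root for the constructs named here (script src, iframe, include, exec, base64_decode) and, because shells "embedded in existing pages" may not match any pattern, it also diffs every file's SHA-256 against a baseline manifest taken while the site was known clean. The pattern list, the file layout and the sample "compromised" files are assumptions constructed for the demo, not real payloads.

```python
"""Sweep a web root for suspicious constructs and for files that differ from a
known-good baseline (e.g. a fresh copy of the CMS the blue team installed)."""
import hashlib
import os
import re
import tempfile

# Assumption for this example: the constructs the post names plus common PHP
# execution primitives. Tune the list to the platform you actually run.
SUSPICIOUS_PATTERNS = [
    ("external_script", re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]?(?:https?:)?//", re.I)),
    ("iframe", re.compile(r"<iframe\b", re.I)),
    ("remote_include", re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"](?:https?:)?//", re.I)),
    ("exec", re.compile(r"\b(?:exec|shell_exec|system|passthru|popen|proc_open)\s*\(", re.I)),
    ("eval", re.compile(r"\beval\s*\(", re.I)),
    ("base64_decode", re.compile(r"\bbase64_decode\s*\(", re.I)),
]
TEXT_EXTENSIONS = (".php", ".phtml", ".inc", ".html", ".htm", ".js")


def scan_text(text):
    """Return [(label, line_no, line)] for every suspicious line in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for label, pattern in SUSPICIOUS_PATTERNS:
            if pattern.search(line):
                hits.append((label, line_no, line.strip()))
    return hits


def _walk(root):
    """Yield (path relative to root with '/' separators, absolute path)."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full


def scan_tree(root):
    """The scripted version of opening the web root in an editor and running a
    multi-file search: [(relpath, label, line_no, line)] sorted by path."""
    findings = []
    for rel, full in _walk(root):
        if not rel.lower().endswith(TEXT_EXTENSIONS):
            continue
        with open(full, encoding="utf-8", errors="replace") as fh:
            for label, line_no, line in scan_text(fh.read()):
                findings.append((rel, label, line_no, line))
    return sorted(findings)


def baseline(root):
    """SHA-256 of every file under root, keyed by relative path."""
    manifest = {}
    for rel, full in _walk(root):
        with open(full, "rb") as fh:
            manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def diff_baseline(root, known_good):
    """Files added, removed or modified since the known-good manifest. This
    catches a shell appended to an existing page even if no pattern fires."""
    current = baseline(root)
    return {
        "added": sorted(set(current) - set(known_good)),
        "removed": sorted(set(known_good) - set(current)),
        "modified": sorted(p for p in current if p in known_good and current[p] != known_good[p]),
    }


def write_demo_site(root, compromised):
    """Constructed toy web root: a clean two-file site, optionally with a hooked
    page and an uploaded shell added (sample data only, not working payloads)."""
    os.makedirs(os.path.join(root, "uploads"), exist_ok=True)
    index = "<?php\nrequire_once 'config.php';\n?>\n<html><body>Hello</body></html>\n"
    if compromised:
        index = index.replace("</body>", '<script src="//203.0.113.5/hook.js"></script></body>')
        with open(os.path.join(root, "uploads", "x.php"), "w") as fh:
            fh.write("<?php eval(base64_decode($x)); ?>\n")
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write(index)
    with open(os.path.join(root, "config.php"), "w") as fh:
        fh.write("<?php\n$db_user = 'app';\n")


def run_demo():
    """Take a baseline of the clean site, compromise it, then sweep it."""
    root = tempfile.mkdtemp(prefix="webroot-")
    write_demo_site(root, compromised=False)
    known_good = baseline(root)  # taken while the site was known clean
    write_demo_site(root, compromised=True)
    return {"findings": scan_tree(root), "diff": diff_baseline(root, known_good)}


if __name__ == "__main__":
    result = run_demo()
    for rel, label, line_no, line in result["findings"]:
        print(f"{rel}:{line_no} [{label}] {line}")
    print("baseline diff:", result["diff"])
```

Run it periodically from cron or a host IDS and alert on any non-empty result; the baseline manifest should be stored off the web server, since an attacker with a shell can rewrite a manifest kept alongside the site.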

All in all, I had a blast at this competition and kept the smackdown on my team, taking over 2500 points from them throughout the competition through numerous user, root, and credit card compromises. I've included some additional screenshots and photos from the competition below. I also want to thank everyone that participated; this is a fantastic competition full of smart and approachable people. Big shoutout to my teammate Alex Levinson: this dude is a champ and set up most of the infrastructure the red team used throughout the competition, meaning he's a big part of how the red team was able to be as organized as it was with over 30 members.

Below are some really great write-ups from my friend Sam Cappella regarding his involvement with these competitions and his interactions with Raphael Mudge. When I saw Mudge at this competition he spoke very highly of Sam, which I'm sure anyone who knows Sam also does :)

http://www.samcappella.com/seccdc2014/

http://www.samcappella.com/palmetto-cyber-defense-competition-2014/

Following that are two presentations by Raphael, detailing some more of the tactics and dirty tricks the red team pulled out on the blue teams. I hope you enjoy this as much as I have :D