Red Teaming at WRCCDC 2016
This year Alex and I put in a ton of preparation on the road to WRCCDC. Our goal was to engineer ourselves past some of the problems CCDC red teams have historically had, such as getting our scanners blocked or missing ubiquitous, co-operative, cross-platform persistence. This led to a number of little creations from the WRCCDC team and even more inspiration for future tools. I'm going to cover some of our simple tools and tricks employed this year, with pictures!
We invented a number of great tools this year, one of which was Alex's Borg. Borg was designed as a distributed botnet, capable of performing a number of red team actions, after which it hopped IP addresses. It did this gracefully, using gratuitous ARP probes so that it would not collide with hosts already using the new addresses it assigned itself. Borg evolved into a type of distributed, anonymous task engine for the red team: a way to quickly run a single task from a remote machine and IP inside the competition environment. The best part about Borg is that the interface is a chat bot, so getting Borg to run these commands is very easy, and it leaves the logs in an accessible area scoped to those involved in the topic. The X Project, Alex's red team analytics project, is another Borg integration: a server the red team uses for real-time communication on Etherpads and for scoring our compromises. X contains profiles for each team and integrates with Borg to receive and host the results in a more permanent, searchable way, as well as letting players interface with X through the Borg chat bot. Check it out:
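As an added example (not a tool from this post or from the WRCCDC red team), here is the blue-team side of the Borg behaviour described above: a host that hops addresses leaves one MAC announcing many different IPs on the wire, which a passive ARP monitor can flag. The log format, sample lines and thresholds are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from the post): a passive ARP monitor writing
# one announcement per line as "<timestamp> <mac> <ip>".
SAMPLE_ARP_LOG = """\
2016-03-26T10:00:01 aa:bb:cc:00:00:01 10.10.1.20
2016-03-26T10:00:05 aa:bb:cc:00:00:02 10.10.1.35
2016-03-26T10:02:10 aa:bb:cc:00:00:01 10.10.1.77
2016-03-26T10:03:41 aa:bb:cc:00:00:01 10.10.1.102
2016-03-26T10:04:09 aa:bb:cc:00:00:01 10.10.1.150
2016-03-26T10:30:00 aa:bb:cc:00:00:02 10.10.1.35
2016-03-26T11:00:00 aa:bb:cc:00:00:01 10.10.1.9
"""

LINE_RE = re.compile(r"^(\S+)\s+([0-9a-f:]{17})\s+(\d+\.\d+\.\d+\.\d+)$")


def parse_arp_log(text):
    """Yield (timestamp, mac, ip) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip().lower())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def find_ip_hoppers(text, window=timedelta(minutes=10), min_ips=3):
    """Return {mac: [ips]} for every MAC that announced at least min_ips
    distinct IPs inside some sliding time window. A host that renews a DHCP
    lease keeps its IP, so repeated identical announcements do not count."""
    events = defaultdict(list)
    for ts, mac, ip in parse_arp_log(text):
        events[mac].append((ts, ip))
    hoppers = {}
    for mac, seen in events.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            ips = {ip for ts, ip in seen[i:] if ts - start <= window}
            if len(ips) >= min_ips:
                hoppers[mac] = sorted(ips, key=ipaddress.ip_address)
                break
    return hoppers
```

The window and threshold need tuning to the environment; a DHCP server handing out short leases on a busy segment will raise the baseline of distinct IPs per MAC.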
Another powerful tool we prepared this year was a PowerShell dropper, the equivalent of a cluster bomb of persistence, based off of our popular Linux and AutoIt ones from years prior. This dropper was extremely effective at using a one-liner to lay all of our persistence on compromised Windows hosts, similar to our Linux capabilities. These droppers also let us collect the entire red team's prepared persistence payloads and combine them, cooperatively harnessing all of our access and firing power. This made persistence much more ubiquitous and available to the team this time around. I also want to give props to the blue teams who started reversing the droppers to find and remove our persistence mechanisms. That said, there were a good number of binaries in the droppers to reverse, and we will be adding obfuscation for nationals.
Team servers were staged both internally and externally this year, providing us a wide array of persistence and cooperative avenues for continuing to pillage the target network. Our most successful team servers this year proved to be good ole' Metasploit instances and MSFPro, despite our standing up two instances of Cobalt Strike. We also had some really bad ass, cross-platform Golang agents this year, which let us use a common framework regardless of the host we were landing on. These agents proved resilient both in their beaconing and in their ability to persist on their targets.
Our tools aside, much of our access this year again came from default creds, simple vulnerabilities, and the wisdom to escalate privileges from seemingly benign access to dangerous levels. This year the teams were as vulnerable as ever, and when the opportunity presented itself to take them all down, we did our part in evening the playing field regarding service uptime. We were also able to do this in some graceful ways that kept our persistence on the box yet failed the service checks. Other times we just destroyed the machines.
The rest is WRCCDC as usual, in all of its crazy, heated passion. I do want to clarify one thing: throughout the event I heard people saying, "the red team always wins." The red team is not competing in any competition; they are a force majeure of the game. Natural disasters do not win or lose, they occur, and you do your best to recover and move forward. That's what this competition strives to simulate: that deluge of computer compromise and incident response, in the face of business operations.
I also think Dan Manson captured the action pretty well with the following video: