PRCCDC 2014 Recap

By Scott Amack, Ranger Adams, Jeff Crocker, Ben Cumber, Keith Drew, Heather Haphey, Nate Krussel, and Chris Waltrip


Scott Amack – PRCCDC Scenario

  • Shark Industries Weapon Manufacturer

  • Incomplete Network Map Provided

  • 4 Windows 7 Machines

  • 4 Windows XP Machines

  • Plus various network machines

  • File and Mail Server, “HMI” Computer, Domain Controller, VPN Server, Web Server


Scott Amack – PRCCDC Team Preparation

  • RADICL Lab Down

  • Prepped Team for Injects

  • Team had to practice on their own VMs

  • Prepped team to think fast on their feet

  • Lots of quick exercises in prep class


Scott Amack – PRCCDC Scores

  • Team Scored 6th Overall

  • 1st Place in Incident Response

  • 2nd Place in Injects (15 points from 1st)

  • 1st Place in Uptime

  • 11th Place in Attacks against us


Scott Amack – PRCCDC Inject Scores


Scott Amack – PRCCDC Uptime Scores


Scott Amack – PRCCDC Lessons Learned

  • Need to teach team how to find and eradicate malware

  • Need to defend against RATs (Dark Comet and Poison Ivy variants)

  • Need to learn how Cobalt Strike Beacons can be eradicated

  • Really need a lab environment to practice in

  • Need to learn multiple tools for doing different tasks


Scott Amack – White Team Debrief

  • Centralized Leadership was excellent

    • Each Member assigned a specific role works very well

    • Inject with team captain out sick did not work so well for us

  • Liked that we drew diagrams on the board

  • Liked that we asked unauthorized visitors to leave immediately

  • Quick solutions to the right problems is the way to win


Ranger Adams - Responsibilities

  • Going in

    • Web Server (Ubuntu)

    • Maybe MySQL

  • There

    • Web Server (Ubuntu)

    • Web Server (IIS)

    • MySQL Box (Ubuntu)

    • Application Server (IIS)


Ranger Adams - Preparation

  • Linux

  • PHP/JavaScript

  • Linux Services

  • Basic Windows


Ranger Adams - Mistakes

  • UFW blocking MySQL

  • Full control of assets

  • Attention to Windows

  • Windows Firewall


Ranger Adams – Lessons Learned

  • Firewalls are tricky, but powerful

  • Learn more breadth, less depth


Jeff Crocker - Responsibilities

  • Email Server


Jeff Crocker - Preparation

  • Email Server

  • Online Tutorials

  • Veteran Knowledge

  • Presentations

  • Passwords


Jeff Crocker - Mistakes

  • Open Relay Fix

  • Sitting by the phone

  • User Accounts

  • Excessive Passwords


Jeff Crocker – Lessons Learned

  • Check Assumptions

  • Gear Switching

  • Googling Skills

  • Availability vs. Integrity


Ben Cumber - Responsibilities

  • Windows File Server

    • Windows 2008 R2 server

    • Running freeFTPd

  • Windows XP workstations 7 and 8


Ben Cumber - Preparation

  • Windows hardening guide on personal machine.

  • Read through team binder.

  • Reviewed PRCCDC rules.


Ben Cumber - Mistakes

  • Couldn’t RDP to Windows server.

  • Could not connect to file service.

  • Reinstalled file service (wasn’t necessary)


Ben Cumber – Lessons Learned

  • RDP

  • Filezilla and WinSCP

  • Gained a much better understanding of what exactly a file server is.


Keith Drew - Responsibilities

  • Maintain Logs of System Changes

  • Maintain Telephone Logs

  • Windows Workstation Hardening


Keith Drew - Preparation

  • Documentation

  • Mini Lab on Personal Computer

  • Developed Hardening Guides


Keith Drew - Mistakes

  • Not killing malicious process

  • Not utilizing all tools available to me (vSphere Client)


Keith Drew – Lessons Learned

  • How attacks are performed


Heather Haphey - Responsibilities

  • Smoothwall Virtual Router

  • Handle injects

    • Policy writing

    • Report generation

    • Briefing

  • Binder creation


Heather Haphey - Preparation

  • Researched Smoothwall and Virtual Routing

  • Reviewed and rewrote real policies

  • Practiced briefing

  • Collected and created binder materials

  • Read offensive and defensive tactics


Heather Haphey - Mistakes

  • Learned wrong Virtual Router

    • Vyatta instead of Smoothwall

  • Didn’t back up editable sample documents

  • Realized the router GUI too late

  • Not prepared to detect and prevent attacks


Heather Haphey – Lessons Learned

  • More research about red team tools

  • Back up anything useful

  • Snapshot -> Harden -> Snapshot

  • Get injects done ASAP, use full time

    • Review requirements part-way through

  • Stay focused on AOR, remain calm

  • ASK ASK ASK and trust intuition

  • Get into the scenario, seek real answers


Nate Krussel - Responsibilities

  • Windows Active Directory

    • Group Policies

    • Domain Knowledge

  • Team Co-Captain

    • Help in team preparation

    • Back up to Scott

  • Knowledge Transfer

    • Sharing experience and strategies that have worked or not worked in past competitions


Nate Krussel - Preparation

  • Doing previous years' injects

    • Even if not exactly the same, they may be fairly close

  • Read up on required services/ports

    • Often the competition has more things open than needed to run the required service

  • Industry hardening guides

    • Give the quick and useful information on hardening

  • Acquired General Knowledge

    • Easier stepping into Scott's shoes if need be


Nate Krussel - Mistakes

  • Firewall Rules

    • Need to allow only certain IPs to access the domain and domain resources

    • Should slow down the red team

  • Too much time as the Domain Admin account

    • Much easier for red team to steal credentials if they break into the box

  • Not checking scheduled tasks

    • Allowed red team to manipulate our firewalls across domain

  • Didn’t lock out all additional user accounts that weren’t required for score bot or us

    • Not how a normal business runs, but works well for the competition


Nate Krussel – Lessons Learned

  • Always scan inside and outside your network and speak up if a new box appears

  • If given the vSphere Client, turn off the servers' RDP and SSH abilities (if possible) and use the client

  • Check firewall rules regularly

  • Use virtual router to try and limit access by port level if possible, reduces attack surface greatly

  • Always communicate and make sure to get confirmation of a task that needs to be done, to make sure the message got across

  • Easier to have the DC auto update the group policy instead of having everybody update it themselves


Chris Waltrip – Responsibilities

  • Kali Linux VM

    • Outside of Corporate Network

    • Used to see what is visible from the outside

      • Port Scanning

      • Network Sniffing

      • Vulnerability Analysis

  • Windows Server 2008 R2 (HMI Server)

    • Not initially planned


Chris Waltrip - Preparation

  • Learned the basics of Nmap and Wireshark

  • Researched Web Application Firewall

    • Specifically ModSecurity

    • Never actually used

  • Created Cheat Sheets

    • Useful Tools

    • Common & Useful Commands


Chris Waltrip - Mistakes

  • Didn’t see VPN on Second Day

    • Nmap Port Scans

    • Wireshark DNS Traffic

  • HMI Server

    • Saw the server, but thought it was the Vyatta firewall

    • Didn’t know Default Credentials

      • Attached to Domain

  • Cobalt Strike Beacons


Chris Waltrip – Lessons Learned

  • Tons!

  • Nmap and Wireshark

  • Team Dynamics & Collaboration

  • Cobalt Strike’s Beacon

    • Has its own packaged DNS server

  • How Effective Our Countermeasures Were
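As an added illustration of the "Wireshark DNS Traffic" and Cobalt Strike Beacon lessons above (example code written for this recap, not from the team or the presentation; the log format, the sample lines and the thresholds are assumptions): a small Python heuristic that flags a host resolving many unique, long, random-looking subdomains under one zone at a steady interval, which is the traffic shape a DNS-channel beacon leaves in a resolver log or a Wireshark DNS export.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log ("timestamp client qname qtype"), not data from the event:
# 10.0.0.12 resolves a fresh 16-char label under cdn-update.test every 30 s (beacon
# shape), while 10.0.0.40 does ordinary lookups.
SAMPLE_LOG = """\
2014-03-22T10:00:00 10.0.0.12 www.example.com A
2014-03-22T10:00:05 10.0.0.12 a1b2c3d4e5f6a7b8.cdn-update.test A
2014-03-22T10:00:35 10.0.0.12 9f8e7d6c5b4a3f2e.cdn-update.test A
2014-03-22T10:01:05 10.0.0.12 0c1d2e3f4a5b6c7d.cdn-update.test A
2014-03-22T10:01:35 10.0.0.12 e4f5a6b7c8d9e0f1.cdn-update.test TXT
2014-03-22T10:02:05 10.0.0.12 b2c3d4e5f6a7b8c9.cdn-update.test A
2014-03-22T10:02:35 10.0.0.12 7a8b9c0d1e2f3a4b.cdn-update.test A
2014-03-22T10:03:01 10.0.0.40 www.example.com A
2014-03-22T10:03:02 10.0.0.40 images.example.com A
"""

def parse(log):
    """Yield (timestamp, client, qname) from the whitespace-separated log."""
    for line in log.splitlines():
        ts, client, qname, _qtype = line.split()
        yield datetime.fromisoformat(ts), client, qname.lower().rstrip(".")

def find_dns_beacons(log, min_unique=5, min_label_len=12, max_jitter=0.5):
    """Return {(client, zone): stats} for query sets that look like a DNS beacon:
    many distinct subdomains under one zone, long first labels, steady interval."""
    by_pair = defaultdict(list)
    for ts, client, qname in parse(log):
        labels = qname.split(".")
        if len(labels) < 3:  # bare zone lookups carry no subdomain to encode data in
            continue
        by_pair[(client, ".".join(labels[-2:]))].append((ts, ".".join(labels[:-2])))
    hits = {}
    for (client, zone), entries in by_pair.items():
        subs = {sub for _, sub in entries}
        if len(subs) < min_unique:
            continue
        if statistics.mean(len(s.split(".")[0]) for s in subs) < min_label_len:
            continue
        times = sorted(ts for ts, _ in entries)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median = statistics.median(gaps)
        jitter = statistics.pstdev(gaps) / median if median else float("inf")
        if jitter <= max_jitter:
            hits[(client, zone)] = {"queries": len(entries), "unique_subdomains": len(subs),
                                    "median_interval_s": median}
    return hits
```

A real beacon can add sleep jitter and spread queries over several zones, so treat a hit as a lead to confirm on the host (a process issuing the lookups, a matching scheduled task) rather than as proof on its own.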


Pictures from Event
