PRCCDC 2014 Recap

By Scott Amack, Ranger Adams, Jeff Crocker, Ben Cumber, Keith Drew, Heather Haphey, Nate Krussel, and Chris Waltrip,



Scott Amack – PRCCDC Scenario

  • Shark Industries Weapon Manufacturer

  • Incomplete Network Map Provided

  • 4 Windows 7 Machines

  • 4 Windows XP Machines

  • Plus various network machines

  • File and Mail Server, “HMI” Computer, Domain Controller, VPN Server, Web Server



Scott Amack – PRCCDC Team Preparation

  • RADICL Lab Down

  • Prepped Team for Injects

  • Team had to practice on their own VMs

  • Prepped team to think fast on their feet

  • Lots of quick exercises in prep class



Scott Amack – PRCCDC Scores

  • Team Scored 6th Overall

  • 1st Place in Incident Response

  • 2nd Place in Injects (15 points from 1st)

  • 1st Place in Uptime

  • 11th Place in Attacks against us



Scott Amack – PRCCDC Inject Scores



Scott Amack – PRCCDC Uptime Scores



Scott Amack – PRCCDC Lessons Learned

  • Need to teach team how to find and eradicate malware

  • Need to defend against RATs (DarkComet and Poison Ivy variants)

  • Need to learn how Cobalt Strike Beacons can be eradicated

  • Really need a lab environment to practice in

  • Need to learn multiple tools for doing different tasks



Scott Amack – White Team Debrief

  • Centralized Leadership was excellent

    • Each member being assigned a specific role works very well

    • Inject with team captain out sick did not work so well for us

  • Liked that we drew diagrams on the board

  • Liked that we asked unauthorized visitors to leave immediately

  • Quick solutions to the right problems is the way to win



Ranger Adams - Responsibilities

  • Going in

    • Web Server (Ubuntu)

    • Maybe MySQL

  • There

    • Web Server (Ubuntu)

    • Web Server (IIS)

    • MySQL Box (Ubuntu)

    • Application Server (IIS)



Ranger Adams - Preparation

  • Linux

  • PHP/JavaScript

  • Linux Services

  • Basic Windows



Ranger Adams - Mistakes

  • UFW blocking MySQL

  • Full control of assets

  • Attention to Windows

  • Windows Firewall



Ranger Adams – Lessons Learned

  • Firewalls are tricky, but powerful

  • Learn more breadth, less depth



Jeff Crocker - Responsibilities

  • Email Server



Jeff Crocker - Preparation

  • Email Server

  • Online Tutorials

  • Veteran Knowledge

  • Presentations

  • Passwords



Jeff Crocker - Mistakes

  • Open Relay Fix

  • Sitting by the phone

  • User Accounts

  • Excessive Passwords



Jeff Crocker – Lessons Learned

  • Check Assumptions

  • Gear Switching

  • Googling Skills

  • Availability vs. Integrity



Ben Cumber - Responsibilities

Windows File Server

  • Windows Server 2008 R2

  • Running freeFTPd

  • Windows XP workstations 7 and 8



Ben Cumber - Preparation

  • Windows hardening guide on personal machine.

  • Read through team binder.

  • Reviewed PRCCDC rules.



Ben Cumber - Mistakes

  • Couldn’t RDP to Windows server.

  • Could not connect to file service.

  • Reinstalled file service (wasn’t necessary)



Ben Cumber – Lessons Learned

  • RDP

  • Filezilla and WinSCP

  • Gained a much better understanding of what exactly a file server is.



Keith Drew - Responsibilities

  • Maintain Logs of System Changes

  • Maintain Telephone Logs

  • Windows Workstation Hardening



Keith Drew - Preparation

  • Documentation

  • Mini Lab on Personal Computer

  • Developed Hardening Guides



Keith Drew - Mistakes

  • Not killing malicious process

  • Not utilizing all tools available to me (vSphere Client)



Keith Drew – Lessons Learned

  • How attacks are performed



Heather Haphey - Responsibilities

  • Smoothwall Virtual Router

  • Handle injects

    • Policy writing

    • Report generation

    • Briefing

  • Binder creation



Heather Haphey - Preparation

  • Researched Smoothwall and Virtual Routing

  • Reviewed and rewrote real policies

  • Practiced briefing

  • Collected and created binder materials

  • Read offensive and defensive tactics



Heather Haphey - Mistakes

  • Learned wrong Virtual Router

    • Vyatta instead of Smoothwall

  • Didn’t back up editable sample documents

  • Realized the router GUI too late

  • Not prepared to detect and prevent attacks



Heather Haphey – Lessons Learned

  • More research about red team tools

  • Back up anything useful

  • Snapshot -> Harden -> Snapshot

  • Get injects done ASAP, use full time

    • Review requirements part-way through

  • Stay focused on AOR (area of responsibility), remain calm

  • ASK ASK ASK and trust intuition

  • Get into the scenario, seek real answers



Nate Krussel - Responsibilities

  • Windows Active Directory

    • Group Policies

    • Domain Knowledge

  • Team Co-Captain

    • Help in team preparation

    • Back up to Scott

  • Knowledge Transfer

    • Sharing experience and strategies that have worked or not worked in past competitions



Nate Krussel - Preparation

  • Doing previous years' injects

    • Even if not exactly the same, they may be fairly close

  • Read up on required services/ports

    • Often the competition has more things open than are needed to run the required service

  • Industry hardening guides

    • Give quick and useful information on hardening

  • Acquired General Knowledge

    • Easier to step into Scott's shoes if need be



Nate Krussel - Mistakes

  • Firewall Rules

    • Need to allow only certain IPs to access the domain and domain resources

    • Should slow down the red team

  • Too much time in the Domain Admin account

    • Much easier for the red team to steal credentials if they break into the box

  • Not checking scheduled tasks

    • Allowed the red team to manipulate our firewalls across the domain

  • Didn't lock out all additional user accounts that weren't required for the score bot or us

    • Not how a normal business runs, but works well for the competition

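One way to do the scheduled-task review the mistakes above call for, as an added example (this is not the team's code or any PRCCDC material): export the tasks on each Windows host with `schtasks /query /fo CSV /v` (or `/S <host>` from one box) and run the export through a small triage script that flags commands which change the firewall, launch hidden or encoded PowerShell, run from user-writable directories, or repeat every few minutes as SYSTEM under a non-Microsoft author. The CSV embedded below is constructed sample data using a subset of the columns schtasks emits; the column names are an assumption to check against your own export, and the host, task names, authors and commands are made up.

```python
"""Triage a `schtasks /query /fo CSV /v` export for red-team persistence.

Added example, not the PRCCDC 2014 team's code. Column names follow the
schtasks verbose CSV as far as I recall them (assumption); the rows are
constructed sample data.
"""
import csv
import io
import re
from typing import Dict, List, Optional

# Constructed export: two Microsoft tasks and two planted ones. schtasks
# repeats the header line for each task folder, which the parser must skip.
SAMPLE_CSV = r'''"HostName","TaskName","Status","Author","Task To Run","Run As User","Schedule Type","Repeat: Every"
"WS7-01","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c","SYSTEM","Weekly","Disabled"
"WS7-01","\SystemHealth","Ready","SHARK\Administrator","netsh advfirewall set allprofiles state off","SYSTEM","Minute","0:05:00"
"HostName","TaskName","Status","Author","Task To Run","Run As User","Schedule Type","Repeat: Every"
"WS7-01","\WinUpdateCheck","Ready","SHARK\svc_backup","powershell.exe -NoP -W Hidden -Enc <base64 omitted>","SYSTEM","Minute","0:01:00"
"WS7-01","\Microsoft\Windows\WindowsUpdate\AU","Ready","Microsoft Corporation","%windir%\system32\wuauclt.exe /detectnow","SYSTEM","Daily","Disabled"
'''

# (pattern applied to "Task To Run", reason reported when it matches)
INDICATORS = [
    (re.compile(r"\bnetsh\b.*\b(advfirewall|firewall|portproxy)\b", re.I),
     "netsh changes firewall or port-proxy state"),
    (re.compile(r"powershell(\.exe)?\b.*(-enc\w*|-e\s|-w(indowstyle)?\s+hidden|-nop\w*|bypass)", re.I),
     "hidden, encoded or policy-bypassing PowerShell"),
    (re.compile(r"\b(mshta|regsvr32|rundll32|certutil|bitsadmin|wscript|cscript)(\.exe)?\b", re.I),
     "living-off-the-land launcher"),
    (re.compile(r"\\(temp|users\\public|programdata|appdata)\\", re.I),
     "binary in a user-writable directory"),
    (re.compile(r"\b\d{1,3}(\.\d{1,3}){3}\b"),
     "hard-coded IP address in command line"),
]
INTERVAL_RE = re.compile(r"^(\d+):(\d{2}):(\d{2})$")
MAX_BENIGN_INTERVAL_SEC = 10 * 60   # anything tighter as SYSTEM deserves a look


def interval_seconds(value: str) -> Optional[int]:
    """Parse the H:MM:SS repeat interval; None when the task does not repeat."""
    m = INTERVAL_RE.match(value.strip())
    if not m:
        return None
    h, mi, s = (int(x) for x in m.groups())
    return h * 3600 + mi * 60 + s


def triage_tasks(csv_text: str) -> List[Dict[str, object]]:
    """Return the tasks worth a human look, with reasons, in file order."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("HostName") == "HostName":   # repeated per-folder header
            continue
        command = row.get("Task To Run", "")
        reasons = [why for rx, why in INDICATORS if rx.search(command)]
        author = row.get("Author", "").lower()
        every = interval_seconds(row.get("Repeat: Every", ""))
        if (not author.startswith("microsoft")
                and row.get("Run As User", "").upper() == "SYSTEM"
                and every is not None and every <= MAX_BENIGN_INTERVAL_SEC):
            reasons.append("non-Microsoft task running as SYSTEM every %d s" % every)
        if reasons:
            findings.append({"host": row.get("HostName"), "task": row.get("TaskName"),
                             "author": row.get("Author"), "command": command,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_tasks(SAMPLE_CSV):
        print("%s %s (author %s)" % (f["host"], f["task"], f["author"]))
        print("    %s" % f["command"])
        for why in f["reasons"]:
            print("    - %s" % why)
```

Indicators are deliberately coarse: the goal during the competition is a short list to eyeball on every host after each inject, not a signature. A task that survives triage still has to be removed (`schtasks /delete /tn <name> /f`) and the firewall state it changed put back, and the same pass should be repeated after every red-team window because a task can be re-created by whatever planted it.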


Nate Krussel – Lessons Learned

  • Always scan inside and outside your network and speak up if a new box appears

  • If given the vSphere client, turn off the servers' RDP and SSH access (if possible) and use the client

  • Check firewall rules regularly

  • Use the virtual router to limit access at the port level if possible; it reduces the attack surface greatly

  • Always communicate, and get confirmation of a task that needs to be done to make sure the message got across

  • Easier to have the DC auto-update the group policy instead of having everybody update it themselves



Chris Waltrip – Responsibilities

  • Kali Linux VM

    • Outside of Corporate Network

    • Used to see what is visible from the outside

      • Port Scanning

      • Network Sniffing

      • Vulnerability Analysis

  • Windows Server 2008 R2 (HMI Server)

    • Not initially planned



Chris Waltrip - Preparation

  • Learned the basics of Nmap and Wireshark

  • Researched Web Application Firewall

    • Specifically ModSecurity

    • Never actually used

  • Created Cheat Sheets

    • Useful Tools

    • Common & Useful Commands



Chris Waltrip - Mistakes

  • Didn’t see VPN on Second Day

    • Nmap Port Scans

    • Wireshark DNS Traffic

  • HMI Server

    • Saw the server, but thought it was the Vyatta firewall

    • Didn’t know Default Credentials

      • Attached to Domain

  • Cobalt Strike Beacons
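The habit behind Nate's "speak up if a new box appears" and the VPN server that went unnoticed on day two, as an added example (not the team's code or any PRCCDC material): keep the first nmap greppable (-oG) scan of the enclave as a baseline and diff every later scan against it, so a new host or a new listener is printed as a line rather than left to be spotted by eye. nmap's own `ndiff` does this for -oX output; this script is for the -oG files a team is already producing. Both scan texts below are constructed sample data; the addresses, hostnames, the 4444/tcp listener and the 1194/udp box are made up.

```python
"""Diff two nmap -oG scans: new hosts, new open ports, vanished hosts.

Added example, not the PRCCDC 2014 team's code. BASELINE and RESCAN are
constructed sample output in nmap's greppable format (tab-separated fields,
two lines per host).
"""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

Ports = Dict[str, Set[Tuple[int, str]]]

# Constructed baseline: first scan after taking over the network.
BASELINE = """\
# Nmap 6.40 scan initiated (constructed sample)
Host: 10.10.1.5 (dc.shark.local)\tStatus: Up
Host: 10.10.1.5 (dc.shark.local)\tPorts: 53/open/tcp//domain///, 88/open/tcp//kerberos-sec///, 389/open/tcp//ldap///\tIgnored State: closed (997)
Host: 10.10.1.20 (www.shark.local)\tStatus: Up
Host: 10.10.1.20 (www.shark.local)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (998)
Host: 10.10.1.30 (mail.shark.local)\tStatus: Up
Host: 10.10.1.30 (mail.shark.local)\tPorts: 25/open/tcp//smtp///, 110/open/tcp//pop3///\tIgnored State: closed (998)
# Nmap done (constructed sample)
"""

# Constructed day-two re-scan: an unnamed box answering on 1194/udp appeared
# and the web server grew a listener on 4444/tcp.
RESCAN = """\
# Nmap 6.40 scan initiated (constructed sample)
Host: 10.10.1.5 (dc.shark.local)\tStatus: Up
Host: 10.10.1.5 (dc.shark.local)\tPorts: 53/open/tcp//domain///, 88/open/tcp//kerberos-sec///, 389/open/tcp//ldap///\tIgnored State: closed (997)
Host: 10.10.1.20 (www.shark.local)\tStatus: Up
Host: 10.10.1.20 (www.shark.local)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 4444/open/tcp//krb524///\tIgnored State: closed (997)
Host: 10.10.1.30 (mail.shark.local)\tStatus: Up
Host: 10.10.1.30 (mail.shark.local)\tPorts: 25/open/tcp//smtp///, 110/open/tcp//pop3///\tIgnored State: closed (998)
Host: 10.10.1.40 ()\tStatus: Up
Host: 10.10.1.40 ()\tPorts: 1194/open/udp//openvpn///\tIgnored State: closed (999)
# Nmap done (constructed sample)
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$")


def parse_grepable(text: str) -> Ports:
    """Map each host seen to its set of (port, proto) entries in an open state.

    Each port entry is port/state/proto/owner/service/rpc/version/. UDP
    results are often reported as open|filtered, so any state starting
    with 'open' is counted.
    """
    hosts: Ports = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, _name, rest = m.groups()
        hosts.setdefault(ip, set())
        for field in rest.split("\t"):
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) >= 3 and parts[1].startswith("open"):
                    hosts[ip].add((int(parts[0]), parts[2]))
    return hosts


def diff_scans(baseline: Ports, rescan: Ports) -> Dict[str, list]:
    """What the re-scan shows that the baseline did not (and what vanished)."""
    by_ip = ipaddress.ip_address
    new_ports: List[Tuple[str, int, str]] = []
    for ip in sorted(rescan, key=by_ip):
        for port, proto in sorted(rescan[ip] - baseline.get(ip, set())):
            new_ports.append((ip, port, proto))
    return {
        "new_hosts": sorted(set(rescan) - set(baseline), key=by_ip),
        "new_ports": new_ports,
        "gone_hosts": sorted(set(baseline) - set(rescan), key=by_ip),
    }


def format_report(diff: Dict[str, list]) -> List[str]:
    lines = ["NEW HOST  %s" % ip for ip in diff["new_hosts"]]
    lines += ["NEW PORT  %s %d/%s" % (ip, port, proto) for ip, port, proto in diff["new_ports"]]
    lines += ["GONE HOST %s" % ip for ip in diff["gone_hosts"]]
    return lines or ["no changes since baseline"]


if __name__ == "__main__":
    for line in format_report(diff_scans(parse_grepable(BASELINE), parse_grepable(RESCAN))):
        print(line)
```

Two caveats from the example itself: a VPN endpoint on UDP only shows up if the re-scan includes a UDP pass (a full `-sU` sweep is slow, so limit it to a port list), and a port-level diff only reports what the scanner's vantage point can reach, so the outside Kali box and an inside host should each keep their own baseline.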



Chris Waltrip – Lessons Learned

  • Tons!

  • Nmap and Wireshark

  • Team Dynamics & Collaboration

  • Cobalt Strike’s Beacon

    • Has its own packaged DNS server

  • How Effective Our Countermeasures Were



Pictures from Event

