PRCCDC 2013

PRCCDC Team

Presentation Transcript

Overview

  • Competition Summary

  • Individual Team Notes

  • Team Improvement

  • Competition improvement

Day 1

  • Breakfast/Competition Brief

  • Hospital Scenario with Warm Site.

    • All Cloud Based

  • Start of Competition

    • One hour head start

    • Chaotic

    • Changed passwords and began hardening

    • Bricked one Workstation

Day 1 – Network Layout

Day 1

  • Generator Issues due to SQL Injection

  • SmoothWall – Blocked 172.x.x.x

    • Still had packets coming through

Day 2

  • Problems in the Morning

    • Slow Internet (7Kbps)

    • EMR Issues

    • Scoring Engine (could not connect)

  • One Snapshot and One Reset Per machine per hour

  • SmoothWall cannot traffic shape per interface

Day 2

  • BackTrack traffic rerouted

    • (didn’t get its password changed)

  • Couple of rootkits

  • Rooted sessions

    • They were given our passwords for the last 30 minutes

Day 2 - Debrief

  • Red team didn’t mention much

    • Phishing

  • Drill everything

  • Task Organization

    • Delegate with Feedback

    • Follow up

    • Verify

Day 2 - Debrief

  • Quality Control

    • Read Forward for grammar and flow

    • Read Backward for Spelling

  • Change Log from beginning

    • Automated?

Team Member Presentations

Team Member Presentations

  • Pre-CCDC Prep

    • WordPress/Apache/MySQL

    • Windows Server 2008

      • Security Configuration

  • Time Mostly Spent:

    • Changing passwords. yOungOrbitt3l3phOn3Occ!siOn!lly will forever haunt me.

    • Downloading Windows Updates and Microsoft Security Essentials and MSE Updates (Waiting on internet)

    • Monitoring success/fail server traffic

    • Injects

  • Web Server:

    • Simple HTML hosted on Windows Server 2008 R2

    • Website defaced. Misspellings? “Exploit Older Than 1 month”


Team Member Presentations

  • Injects

    • Company Security Policy (150/150)

      • Gmail slow, failed to submit on time. Surprisingly got all points.

    • Alert banner on website (100/100)

    • Records Retention Policy (63/125)

      • Lost points: 1 year vs. 3 years retention policy.

      • Lesson learned: read documentation closely.

    • Website email form w/ captcha (0/300)

      • Submitted late, minus captcha

      • I wish I had known PHP


Perimeter Security

Smoothwall Firewall & AlienVault OSSIM


Initial Tasks

  • Break my box… and lock myself out

  • Familiarize myself with SW and AV

  • Determine hostile and safe networks

  • Browse topologies and traffic routes

  • Create plan for traffic blocking and shaping




Packets fly – Block known dangerous subnets

  • Bad packets still ingressing…???

  • Block all networks including the “Safe” 172.x... No change

  • Apply QoS to links – can’t apply QoS to specific subnets, only to all of them equally

  • Block devices per service – can’t block by type (TCP/UDP)

    • Block specified hosts for a business inject – full points




  • Utilize AlienVault to monitor our subnets

  • View in real time as packets hit each device

  • Utilize logs and dashboard to determine which attacks were deployed and against which machine

  • Utilize logs for a business inject – never awarded


For improvement

  • Create ACLs for each service to each box – give example

  • Lock down BackTrack as my second priority

  • Copy team competition docs in a clean manner

  • Test SmoothWall and AlienVault before use if time allows


What I learned

  • Need to prioritize hardening

  • Check for services being up after each step

  • Need to map network immediately

  • Don’t assume failures are from attacks

  • Don’t count on the internet working

  • Create a file repository on file server

  • Backup, Backup, Backup (One per hour)


Mistakes I made

  • Not knowing how scoring system worked

  • Not updating passwords in scoring engine

  • Not asking enough questions

  • Did not verify services being up from outside of the server

  • Did not Log Everything

  • Eating the lasagna for lunch


Things to do for next year

  • Learn specific admin roles

  • Learn popular software packages for DC, Mail, Web services, etc.

  • How to run the BackTrack GUI over SSH

  • Create a script to check for server uptime

  • Monitor Traffic constantly

  • Practice Competition with other Schools
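Several of the lessons above point the same way: check that each service is reachable after every hardening step, check it from outside the server rather than on the box itself, and script the check so it runs every few minutes. The script below is an added example written for this debrief; it is not the team's own tooling. The service inventory (names, 192.0.2.x placeholder addresses, ports) is constructed, and the small HTTP server at the bottom is a stand-in for the real web server so the checker can be exercised offline. It goes one step further than a plain port check: for the web service it also confirms that a known string is still on the page, which catches a defacement that still answers 200.

```python
"""External service-availability checker, as a CCDC blue team might run from a
second machine every few minutes.

Added example for this debrief, not the PRCCDC team's own script. Inventory
entries are constructed placeholders (192.0.2.0/24 is a documentation range).
"""
import socket
import threading
import http.client
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed inventory: (name, host, port, URL path or None, text that must appear or None).
# Not contacted by the demo below; fill in the real hosts before use.
SERVICES = [
    ("web", "192.0.2.10", 80, "/", "Hospital"),
    ("mysql", "192.0.2.20", 3306, None, None),
    ("dns", "192.0.2.30", 53, None, None),
]


def check_tcp(host, port, timeout=3.0):
    """True if a TCP connect to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or name lookup failed
        return False


def check_http(host, port, path="/", expected_text=None, timeout=3.0):
    """Return (status, content_ok). status is None if the request failed;
    content_ok is True only when expected_text (if given) appears in the body."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", errors="replace")
        return resp.status, (expected_text is None or expected_text in body)
    except OSError:
        return None, False
    finally:
        conn.close()


def check_service(name, host, port, path=None, expected_text=None):
    """Describe one service as seen from outside: port open, and for web
    services a 200 with the expected content."""
    result = {"name": name, "up": check_tcp(host, port)}
    if result["up"] and path is not None:
        status, content_ok = check_http(host, port, path, expected_text)
        result["http_status"] = status
        result["content_ok"] = content_ok
        result["up"] = status == 200 and content_ok
    return result


def run_checks(services):
    return [check_service(*entry) for entry in services]


# ---- Offline stand-in for the web server so the checker can be demonstrated. ----
class DemoHandler(BaseHTTPRequestHandler):
    page = b"<html><body>Hospital Portal</body></html>"  # constructed page content

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(self.page)))
        self.end_headers()
        self.wfile.write(self.page)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_demo_web_server():
    """Start a throwaway HTTP server on 127.0.0.1 at an ephemeral port; returns (server, port)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    server, port = start_demo_web_server()
    demo = [
        ("web-demo", "127.0.0.1", port, "/", "Hospital Portal"),
        ("web-demo-defaced?", "127.0.0.1", port, "/", "text the page no longer has"),
    ]
    for r in run_checks(demo):
        print(r)
    server.shutdown()
    server.server_close()
```

Run it from a workstation that is not the server under test, on a timer, and log each result line; a service that flips from up to down right after a hardening step tells you which step broke it, which is the "check for services being up after each step" point made above.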




  • Better preparation

  • Infrastructure

  • Connection to servers

  • Injects

  • Presentation

    • Less organized than last year

  • Blue Team Debrief


Next Year Suggestions

  • Analyze infrastructure

  • Keep a change log

  • Delete unnecessary users immediately

  • Drill on reporting passwords

  • Larger font passwords

  • Watch time

  • Drill machine lock down more
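"Keep a change log" and "Delete unnecessary users immediately" combine naturally: snapshot the account list in the first minutes, re-read it on every check, and let the diff write the change-log lines for you (the "Automated?" change log from the Day 2 debrief). The script below is an added example for this debrief, not the team's tooling. Both passwd snapshots are constructed sample data; on a real Linux box the baseline comes from /etc/passwd at competition start.

```python
"""Account audit from two /etc/passwd snapshots, emitting change-log lines.

Added example for this debrief, not the PRCCDC team's own tooling. The two
snapshots are constructed sample data in standard passwd format.
"""
from datetime import datetime, timezone

# Constructed baseline captured at competition start.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mysql:x:105:110:MySQL Server:/nonexistent:/bin/false
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
jdoe:x:1000:1000:J Doe:/home/jdoe:/bin/bash
"""

# Constructed later snapshot: a second UID-0 account, a new guest, and www-data given a shell.
CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mysql:x:105:110:MySQL Server:/nonexistent:/bin/false
www-data:x:33:33:www-data:/var/www:/bin/bash
jdoe:x:1000:1000:J Doe:/home/jdoe:/bin/bash
backup2:x:0:0:backup:/tmp:/bin/bash
guest:x:1001:1001::/home/guest:/bin/bash
"""


def parse_passwd(text):
    """Map username -> (uid, shell). Blank, comment and malformed lines are skipped
    so a damaged file does not abort the check."""
    accounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        accounts[name] = (int(uid), shell)
    return accounts


def audit_accounts(baseline_text, current_text):
    """Diff two snapshots and return the findings a team would act on."""
    base = parse_passwd(baseline_text)
    cur = parse_passwd(current_text)
    common = set(base) & set(cur)
    return {
        "added": sorted(set(cur) - set(base)),
        "removed": sorted(set(base) - set(cur)),
        # UID 0 under any name other than root is an extra superuser.
        "extra_uid0": sorted(n for n, (uid, _shell) in cur.items() if uid == 0 and n != "root"),
        # Service accounts that gained (or changed) a login shell.
        "shell_changed": sorted((n, base[n][1], cur[n][1]) for n in common if base[n][1] != cur[n][1]),
    }


def changelog_entry(findings, when=None):
    """Render findings as timestamped change-log lines ready to append to the team log."""
    stamp = (when or datetime.now(timezone.utc)).strftime("%Y-%m-%d %H:%M UTC")
    lines = []
    for name in findings["added"]:
        lines.append(f"{stamp} account added: {name}")
    for name in findings["removed"]:
        lines.append(f"{stamp} account removed: {name}")
    for name in findings["extra_uid0"]:
        lines.append(f"{stamp} ALERT extra UID-0 account: {name}")
    for name, old, new in findings["shell_changed"]:
        lines.append(f"{stamp} login shell changed: {name} {old} -> {new}")
    return lines


if __name__ == "__main__":
    for line in changelog_entry(audit_accounts(BASELINE_PASSWD, CURRENT_PASSWD)):
        print(line)
```

The same diff-against-baseline idea applies to the Windows side (local administrators, domain admins, services set to auto-start); the point is that a baseline taken in the first minutes turns every later check into a short list of changes instead of a re-read of the whole system.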




  • Don’t trust White Team

    • Specifically, executables they give us

  • If Gmail or similar is used next time, allot more time for sending inject emails before the deadline

    • Slow internet led to late submissions


PRCCDC Events


Morgan Weir


Opening Hand

  • Generator duty

  • Directions were specific, but also not entirely inclusive

  • Port closing inject

  • ACCESS!! And Denied

  • Note, get there faster!


With Assistance

  • Encrypted MySQL password

  • Checked PHP code for funny business


Back in Business

  • Began and completed hardening procedures on CentOS server

  • Performed injects

  • Performed constant checks


Day 2

  • Regular checking of who was logged in

  • Regular checking of system

  • Program Inject

  • More infrastructure issues




  • CONSTANT scans and log checking

  • Ensuring IP was constantly logged in

  • Conclusions

    • Find a way to read full team packet

    • Harden MySQL server against SQL injection

    • Scoring engine password change after reset

    • Ensure White Team has access as well as you!
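The generator went down to SQL injection on Day 1, this presenter's conclusions include hardening MySQL against it, and an earlier task was to check the PHP code for "funny business". What to look for in that review, and what the fix looks like, is shown below as an added example for this debrief (not the team's code). It uses Python's stdlib sqlite3 as a stand-in for MySQL so it runs offline; the point is identical for PHP's mysqli/PDO or any MySQL driver. The patient table is constructed sample data, and the first function is left deliberately unsafe to show the failure next to the fix.

```python
"""The injectable query pattern beside its parameterized fix.

Added example for this debrief, not the PRCCDC team's competition code.
sqlite3 stands in for MySQL; the table and rows are constructed.
"""
import sqlite3


def make_demo_db():
    """In-memory database with a small constructed patient table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT, ward TEXT)")
    conn.executemany(
        "INSERT INTO patients (name, ward) VALUES (?, ?)",
        [("Alice Example", "ICU"), ("Bob Sample", "ER"), ("Carol Placeholder", "Ward 3")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """What to flag in code review: user input concatenated into the SQL text.
    A quote in the input ends the string literal and the rest becomes SQL.
    Kept intentionally unsafe to demonstrate the failure."""
    sql = "SELECT id, name, ward FROM patients WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """The fix: a bound parameter. The driver sends the value separately from
    the statement, so the input is only ever data, never SQL syntax."""
    sql = "SELECT id, name, ward FROM patients WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    conn = make_demo_db()
    # Constructed input that is a single quote followed by a tautology; used only to
    # show that the two functions behave differently on the same string.
    probe = "' OR '1'='1"
    print("vulnerable rows:", len(lookup_vulnerable(conn, probe)))  # every patient
    print("safe rows:", len(lookup_safe(conn, probe)))              # none
    print("normal lookup:", lookup_safe(conn, "Bob Sample"))
```

When reviewing the PHP on a web box, grep for queries built with string concatenation or interpolation and convert them to prepared statements; pairing that with a database account that holds only the privileges the application needs (part of "change database settings in the first 60 min" later in this deck) limits what a query that slips through can reach.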


Domain Controller

  • Positives

    • Never had machine taken over

    • Had a fairly high uptime

    • All domain controller injects completed successfully

    • No successful attacks against the DC


Domain Controller

  • Negatives

    • Windows updates affected uptime (30 minutes per restart)

      • Part of which may have been the infrastructure

    • Had to rollback to beginning of competition after there was an issue with DNS and GPO’s not being applied properly

    • Server had slow reaction time a lot of the time, which made it difficult to do a lot.


Domain Controller

  • Improvements for next time

    • Try to just do service pack updates as close together as possible (not using windows update)

    • If infrastructure is slow, only do restarts when absolutely necessary and at convenient times (lunch/dinner)

    • Learn to use the security configuration wizard better.

    • Be able to restore domain connection without having to go to each individual machine.


Team Improvements

  • Better Password Management

    • Suggestion from Captain Aaron Garner

    • Easier to type?

  • Change database settings in the first 60 min

  • Check websites for sanitization in the first 60 min

  • Familiarization with soft Firewalls/routers/switches

Team Improvements

  • Diagram Network on Board

    • Kerckhoffs’ Principle

  • Quickly disseminate default usernames and passwords

  • Create new GPOs for Domain Server

  • Pay attention to Snapshot policy

Competition Improvements

  • Better Communication

    • Prior to Competition

      • Team Leaders don’t really need to be there

    • During competition

      • White team and Black team not very forthcoming

      • Didn’t tell us not to change email password

  • Injects

    • Some injects were not sensible for competition

      • (ex. Recommendations about cloud services during crisis situation)

Competition Improvements

  • Better Infrastructure

    • Completely cloud based system??? with HIPAA???

    • Slow Internet

    • Remote Desktop within Remote Desktop is slow

    • BackTrack through PuTTY is limiting

    • Scoring Engine Issues

  • Login