PRCCDC 2014 Recap - PowerPoint PPT Presentation

Presentation Transcript

PRCCDC 2014 Recap

By Scott Amack, Ranger Adams, Jeff Crocker, Ben Cumber, Keith Drew, Heather Haphey, Nate Krussel, and Chris Waltrip

Scott Amack – PRCCDC Scenario

  • Shark Industries Weapon Manufacturer

  • Incomplete Network Map Provided

  • 4 Windows 7 Machines

  • 4 Windows XP Machines

  • Plus various network machines

  • File and Mail Server, “HMI” Computer, Domain Controller, VPN Server, Web Server

Scott Amack – PRCCDC Team Preparation

  • RADICL Lab Down

  • Prepped Team for Injects

  • Team had to practice on their own VMs

  • Prepped team to think fast on their feet

  • Lots of quick exercises in prep class

Scott Amack – PRCCDC Scores

  • Team Scored 6th Overall

  • 1st Place in Incident Response

  • 2nd Place in Injects (15 points from 1st)

  • 1st Place in Uptime

  • 11th Place in Attacks against us

Scott Amack – PRCCDC Lessons Learned

  • Need to teach team how to find and eradicate malware

  • Need to defend against RATs (Dark Comet and Poison Ivy variants)

  • Need to learn how Cobalt Strike Beacons can be eradicated

  • Really need a lab environment to practice in

  • Need to learn multiple tools for doing different tasks

Scott Amack – White Team Debrief

  • Centralized Leadership was excellent

    • Assigning each member a specific role works very well

    • Inject with team captain out sick did not work so well for us

  • Liked that we drew diagrams on the board

  • Liked that we asked unauthorized visitors to leave immediately

  • Quick solutions to the right problems are the way to win

Ranger Adams - Responsibilities

  • Going in

    • Web Server (Ubuntu)

    • Maybe MySQL

  • There

    • Web Server (Ubuntu)

    • Web Server (IIS)

    • MySQL Box (Ubuntu)

    • Application Server (IIS)

Ranger Adams - Preparation

  • Linux

  • PHP/JavaScript

  • Linux Services

  • Basic Windows

Ranger Adams - Mistakes

  • UFW blocking MySQL

  • Full control of assets

  • Attention to Windows

  • Windows Firewall

Ranger Adams – Lessons Learned

  • Firewalls are tricky, but powerful

  • Learn more breadth, less depth

Jeff Crocker - Preparation

  • Email Server

  • Online Tutorials

  • Veteran Knowledge

  • Presentations

  • Passwords

Jeff Crocker - Mistakes

  • Open Relay Fix

  • Sitting by the phone

  • User Accounts

  • Excessive Passwords

Jeff Crocker – Lessons Learned

  • Check Assumptions

  • Gear Switching

  • Googling Skills

  • Availability vs. Integrity

Ben Cumber - Responsibilities

Windows File Server

  • Windows 2008 R2 server

  • Running freeFTPd

Windows XP workstations 7 and 8

Ben Cumber - Preparation

  • Windows hardening guide on personal machine.

  • Read through team binder.

  • Reviewed PRCCDC rules.

Ben Cumber - Mistakes

  • Couldn’t RDP to Windows server.

  • Could not connect to file service.

  • Reinstalled file service (wasn’t necessary)

Ben Cumber – Lessons Learned

  • RDP

  • Filezilla and WinSCP

  • Gained a much better understanding of what exactly a file server is.

Keith Drew - Responsibilities

  • Maintain Logs of System Changes

  • Maintain Telephone Logs

  • Windows Workstation Hardening

Keith Drew - Preparation

  • Documentation

  • Mini Lab on Personal Computer

  • Developed Hardening Guides

Keith Drew - Mistakes

  • Not killing malicious process

  • Not utilizing all tools available to me (vSphere Client)

Keith Drew – Lessons Learned

  • How attacks are performed

Heather Haphey - Responsibilities

  • Smoothwall Virtual Router

  • Handle injects

    • Policy writing

    • Report generation

    • Briefing

  • Binder creation

Heather Haphey - Preparation

  • Researched Smoothwall and Virtual Routing

  • Reviewed and rewrote real policies

  • Practiced briefing

  • Collected and created binder materials

  • Read offensive and defensive tactics

Heather Haphey - Mistakes

  • Learned wrong Virtual Router

    • Vyatta instead of Smoothwall

  • Didn’t back up editable sample documents

  • Realized the router GUI too late

  • Not prepared to detect and prevent attacks

Heather Haphey – Lessons Learned

  • More research about red team tools

  • Back up anything useful

  • Snapshot -> Harden -> Snapshot

  • Get injects done ASAP, use full time

    • Review requirements part-way through

  • Stay focused on AOR, remain calm

  • ASK ASK ASK and trust intuition

  • Get into the scenario, seek real answers

Nate Krussel - Responsibilities

  • Windows Active Directory

    • Group Policies

    • Domain Knowledge

  • Team Co-Captain

    • Help in team preparation

    • Back up to Scott

  • Knowledge Transfer

    • Sharing experience and strategies that have worked or not worked in past competitions

Nate Krussel - Preparation

  • Doing previous years' injects

    • Even if not exactly the same, they may be fairly close

  • Read up on required services/ports

    • Often the competition has more things open than needed to run the required service

  • Industry hardening guides

    • Give quick and useful information on hardening

  • Acquired General Knowledge

    • Easier stepping into Scott's shoes if need be

Nate Krussel - Mistakes

  • Firewall Rules

    • Need to allow only certain IPs to access the domain and domain resources

    • Should slow down the red team

  • Too much time as Domain Admin account

    • Much easier for red team to steal credentials if they break into the box

  • Not checking scheduled tasks

    • Allowed red team to manipulate our firewalls across domain

  • Didn’t lock out all additional user accounts that weren’t required for score bot or us

    • Not how a normal business runs, but works well for the competition

Nate Krussel – Lessons Learned

  • Always scan inside and outside your network and speak up if a new box appears

  • If given the vSphere client, turn off the servers' RDP and SSH access (if possible) and use the client instead

  • Check firewall rules regularly

  • Use the virtual router to limit access at the port level if possible; it reduces the attack surface greatly

  • Always communicate and make sure to get confirmation of a task that needs to be done, to make sure the message got across

  • Easier to have the DC auto update the group policy instead of having everybody update it themselves
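The two bullets above about scanning inside and outside your own network for boxes that were not on the map, and about checking firewall rules regularly, amount to a change-detection loop: keep a baseline of hosts and listening ports, rescan, and compare. The script below is an added example and not part of the deck or the team's own tooling. It parses two Nmap grepable (-oG) outputs, which are constructed here rather than captured from a competition network (the IP addresses, service names and host roles are made up), and reports new hosts, vanished hosts, and ports that opened or closed since the baseline.

```python
"""Scan-inventory diff: flag hosts and open ports that changed between
two Nmap grepable (-oG) outputs.

Added example; the two scans below are constructed sample data, not
output from the PRCCDC network. Fields in -oG output are tab-separated.
"""

# Constructed day-one baseline scan.
BASELINE_SCAN = """\
# Nmap scan initiated (constructed sample)
Host: 10.0.0.10 ()\tStatus: Up
Host: 10.0.0.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)
Host: 10.0.0.11 ()\tPorts: 3306/open/tcp//mysql///\tIgnored State: closed (999)
Host: 10.0.0.20 ()\tPorts: 53/open/tcp//domain///, 88/open/tcp//kerberos-sec///, 389/open/tcp//ldap///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (996)
Host: 10.0.0.30 ()\tPorts: 25/open/tcp//smtp///, 110/open/tcp//pop3///, 143/open/tcp//imap///\tIgnored State: closed (997)
# Nmap done (constructed sample)
"""

# Constructed later scan of the same range: a few things have changed.
CURRENT_SCAN = """\
Host: 10.0.0.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)
Host: 10.0.0.11 ()\tPorts: 22/open/tcp//ssh///, 3306/open/tcp//mysql///\tIgnored State: closed (998)
Host: 10.0.0.20 ()\tPorts: 53/open/tcp//domain///, 88/open/tcp//kerberos-sec///, 389/open/tcp//ldap///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (995)
Host: 10.0.0.30 ()\tPorts: 25/open/tcp//smtp///, 143/open/tcp//imap///, 110/filtered/tcp//pop3///\tIgnored State: closed (997)
Host: 10.0.0.99 ()\tPorts: 4444/open/tcp//krb524///\tIgnored State: closed (999)
"""


def parse_grepable(text):
    """Return {host: set(open TCP ports)} from nmap -oG text.

    Hosts that only have a 'Status: Up' line are kept with an empty set,
    so a box with nothing listening still counts as present.
    """
    inventory = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # comments and blank lines
        fields = line.split("\t")
        host = fields[0].split()[1]       # "Host: 10.0.0.10 ()" -> address
        inventory.setdefault(host, set())
        ports_field = next((f for f in fields if f.startswith("Ports:")), None)
        if ports_field is None:
            continue                      # status-only line, no port data
        for entry in ports_field[len("Ports:"):].split(","):
            # Each entry: port/state/protocol/owner/service/rpc/version/
            port, state, proto = entry.strip().split("/")[:3]
            if state == "open" and proto == "tcp":
                inventory[host].add(int(port))
    return inventory


def diff_inventory(baseline, current):
    """Compare two inventories; returns new/missing hosts and opened/closed ports."""
    new_hosts = {h: current[h] for h in current.keys() - baseline.keys()}
    missing_hosts = {h: baseline[h] for h in baseline.keys() - current.keys()}
    opened, closed = {}, {}
    for host in baseline.keys() & current.keys():
        if current[host] - baseline[host]:
            opened[host] = current[host] - baseline[host]
        if baseline[host] - current[host]:
            closed[host] = baseline[host] - current[host]
    return {"new_hosts": new_hosts, "missing_hosts": missing_hosts,
            "opened": opened, "closed": closed}


def compare_scans(baseline_text, current_text):
    """Convenience wrapper: parse both -oG texts and diff them."""
    return diff_inventory(parse_grepable(baseline_text), parse_grepable(current_text))


def report_lines(delta):
    """One human-readable line per finding, suitable for the change log."""
    lines = []
    for host, ports in sorted(delta["new_hosts"].items()):
        lines.append(f"NEW HOST  {host}: open {sorted(ports)} (not on the map; raise it with the team)")
    for host, ports in sorted(delta["missing_hosts"].items()):
        lines.append(f"GONE      {host}: was serving {sorted(ports)}")
    for host, ports in sorted(delta["opened"].items()):
        lines.append(f"OPENED    {host}: {sorted(ports)} (check firewall rules and what started it)")
    for host, ports in sorted(delta["closed"].items()):
        lines.append(f"CLOSED    {host}: {sorted(ports)} (scored service down? uptime hit)")
    return lines


if __name__ == "__main__":
    for line in report_lines(compare_scans(BASELINE_SCAN, CURRENT_SCAN)):
        print(line)
```

Run against the constructed scans it flags the unmapped 10.0.0.99, SSH newly listening on the MySQL box, RDP newly listening on the domain controller, and POP3 gone from the mail server (the filtered state is deliberately not counted as open, so a port that a firewall rule started blocking shows up as closed). In practice the baseline text would be the `-oG` file saved from the first scan of the day and the current text the latest rescan.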

Chris Waltrip – Responsibilities

  • Kali Linux VM

    • Outside of Corporate Network

    • Used to see what is visible from the outside

      • Port Scanning

      • Network Sniffing

      • Vulnerability Analysis

  • Windows Server 2008 R2 (HMI Server)

    • Not initially planned

Chris Waltrip - Preparation

  • Learned the basics of Nmap and Wireshark

  • Researched Web Application Firewall

    • Specifically ModSecurity

    • Never actually used

  • Created Cheat Sheets

    • Useful Tools

    • Common & Useful Commands

Chris Waltrip - Mistakes

  • Didn’t see VPN on Second Day

    • Nmap Port Scans

    • Wireshark DNS Traffic

  • HMI Server

    • Saw the server, but thought it was the Vyatta firewall

    • Didn’t know Default Credentials

      • Attached to Domain

  • Cobalt Strike Beacons

Chris Waltrip – Lessons Learned

  • Tons!

  • Nmap and Wireshark

  • Team Dynamics & Collaboration

  • Cobalt Strike’s Beacon

    • Has its own packaged DNS server

  • How Effective Our Countermeasures Were