Root-Fu ; Rise of the Ninjas

ringo
Presentation Transcript


  1. Root-Fu ; Rise of the Ninjas • Introduction to Root-Fu • DCX -> interz0ne -> DC11 • Show me the sploitage! • Rants, Raves, and Moving Forward

  2. Introduction to Root-Fu • What is a hacker challenge? • How it used to be… • What is Root-Fu?

  3. What is a Hacking Challenge? • What is a hacker? • Deep knowledge • Finding exploits • Breaking in • Fixing • Classical hacking • Lock picking • Dumpster diving • Social Engineering • Phreaking

  4. What is a hacking challenge? How to test this in 2-3 days? • No script kiddy bullshit • Finding and developing exploits • Teamwork (WTF?) • Integration of classical hacking • Fast paced game

  5. What it used to be… • Single network on switch/hub • Teams hacked into random shit • Goons scored game by hand, paper “flags” • DOS, DOS, and DOS some more • Bust out that script kiddy y0j0 • Palante BOFH, only fun part of CTF (8 million ;)

  6. What is Root-Fu? Goals of the Game • Exercise multiple skills associated with hacking • Mix known exploits with on the spot analysis, development, and usage of unknown vulnerabilities • Try and follow “real world” if possible • Detection of attacks • Plugging security holes • Work in classical skills

  7. What is Root-Fu? What does it look like? • 1 common server distro • Gogo vmware • Not platform dependent • 8 NAT’d networks • Physical interfaces galore • Scoring system • Automated scoring • Keep those distros up people! • Scoreboard server • Neet’o visual representation • WTF does it all mean anyways?

  8. What is Root-Fu? The layout (add pics) [Network layout diagram; labels: Green Orange Yellow Proj. Router Score Board Red Cable DNS Score Sys]

  9. DCX -> interz0ne -> DC11 • Type of game • Script Kiddie vs. Hacker • Distractions

  10. Type of Game: DCX • From FreeBSD to Redhat in 24 hrs • Distro Leaked? • Known exploits ruled the day • Planted stuff largely overlooked • Distractions • Dumpster diving • Lockboxes • Information destruction • BSA audit • Teamwork??

  11. Type of Game: interz0ne ii • Rerun of DCX game with new distro • Unofficial game • Didn’t hit 4 team minimum • Stock distro as fourth team • Digital Revelation telecommutes • Infrastructure issues • This is not the bandwidth you are looking for…

  12. Type of Game: DC11 • Move away from stock vulnerabilities • OpenBSD • Unknown software • Introducing vulnerabilities • Application Centric • What distractions? • Multiple roots per server • Morphing flag keys • Unknown ownership • Even more cryptic scoring • State kills the reboot

  13. Script Kiddie vs. Hacker • Show me the roots • Prior to Root-Fu, max roots 6-7 • DCX – 15 wins the day • DC11 – 42 wins, 12 average • Actual on the spot exploit development occurs (dc11) • Defense • From rebooting to securing • Immunix ports to secure linux • Patching in production • Auditing of applications

  14. Distractions • Dumpster diving • Hard drive destruction • Lock picking • BSA Software audits • Where did they go @ DC11?

  15. What we saw • Exploits • DOS • Team Strategy

  16. Exploits • Syslogd - Owning everyone, but no “root”s? • Sql injection? • Heh, I like mudz • >> INSERT MORE CONTENT <<

  17. DOS • Bandwidth • Deleting mysql dbs • rm -rf / • Tracking ‘em down…

  18. Team Strategy • Getting there… much improvement from DCX • A security team could still rule

  19. Rants, Raves, and Moving Forward • Is this hacking or admining? • Nice graphics, but what does that thing say? • Can we trust GHI to run a fair competition? • Where are we going with this?