Preparing For The Strategic Security CTF Presented By: Joe McCray joe@strategicsec.com http://www.linkedin.com/in/joemccray http://twitter.com/j0emccray Strategic Security, Inc. © http://www.strategicsec.com/
Strategic Security, Inc. © http://www.strategicsec.com/ Generic CTF Prep CTF Overview What Is A CTF? Generic CTF Prep Strategic Security Specific CTF Prep Incident Response System Hardening System Logging Intrusion Detection System Attacking Systems Maintaining Access Strategic Security, Inc. © http://www.strategicsec.com/
What We Will Be Covering Today Today We Will Be Covering What Is A CTF? Generic CTF Prep Strategic Security Specific CTF Prep Incident Response System Hardening System Logging Intrusion Detection System Attacking Systems Maintaining Access Strategic Security, Inc. © http://www.strategicsec.com/
Strategic Security, Inc. © http://www.strategicsec.com/ What is A CTF? Strategic Security, Inc. © http://www.strategicsec.com/
Strategic Security, Inc. © http://www.strategicsec.com/ What Is A CTF? According to Wikipedia: http://en.wikipedia.org/wiki/Capture_the_flag In computer security, Capture the Flag (CTF) is a computer security competition. CTF contests are usually designed to serve as an educational exercise to give participants experience in securing a machine, as well as conducting and reacting to the sort of attacks found in the real world. Reverse-engineering, network sniffing, protocol analysis, system administration, programming, and cryptanalysis are all skills which have been required by prior CTF contests at DEF CON. There are two main styles of capture the flag competitions: attack/defense and jeopardy. Strategic Security, Inc. © http://www.strategicsec.com/
Strategic Security, Inc. © http://www.strategicsec.com/ What Is A CTF?…(cont.) According to Wikipedia: http://en.wikipedia.org/wiki/Capture_the_flag Jeopardy style competitions usually involve multiple categories of problems, each of which contains a variety of questions of different point values. Teams race to be the first to solve the most number of points, but do not directly attack each other. Strategic Security, Inc. © http://www.strategicsec.com/
Strategic Security, Inc. © http://www.strategicsec.com/ What Is A CTF?…(cont.) According to Wikipedia: http://en.wikipedia.org/wiki/Capture_the_flag In an attack/defense style competition, each team is given a machine (or a small network) to defend on an isolated network. Teams are scored on both their success in defending their assigned machine and on their success in attacking other team's machines. Image from: http://ctf.itsec.rwth-aachen.de/vpn/ Strategic Security, Inc. © http://www.strategicsec.com/
Strategic Security, Inc. © http://www.strategicsec.com/ What Is A CTF?…(cont.) According to Wikipedia: http://en.wikipedia.org/wiki/Capture_the_flag Depending on the nature of the particular CTF game, teams may either be attempting to take an opponent's flag from their machine or teams may be attempting to plant their own flag on their opponent's machine. Image from: http://ctf.itsec.rwth-aachen.de/vpn/ Strategic Security, Inc. © http://www.strategicsec.com/
Strategic Security, Inc. © http://www.strategicsec.com/ Generic CTF Prep Strategic Security, Inc. © http://www.strategicsec.com/
Strategic Security, Inc. © http://www.strategicsec.com/ Generic CTF Prep Jeopardy Style CTF Prep Similar to preparing for the TV Show Jeopardy: http://ken-jennings.com/faq Really hard to cram for so hit the common trivia stuff Hacker history High profile attacks/vulnerabilities Hacker movies Skip the protocol/programming stuff – either you know it or you don’t Network Attack/Defense Prep Download all patches for common OSs, or build your own repos Organize your incident response tools Have trusted binaries for most common Oss Organize your exploitation/post-exploitation tools/scripts Strategic Security, Inc. © http://www.strategicsec.com/
Strategic Security CTF Prep Strategic Security, Inc. © http://www.strategicsec.com/
Strategic Security CTF Prep Step 1: Start with the basics Verify that the place you will be playing from has fast/stable internet Verify that the network that you will be playing from is secure/safe Create a separate subnet for yourself (cheap router) Turn off or firewall all of the other computers in your subnet Make sure no one else is using your subnet during the game Verify that the attack workstation/Virtual Machine you will be using has at least 2GB of RAM Verify that the defensive server has at least 4GB of RAM Download/Install the latest version of VMWare Workstation or Player Strategic Security, Inc. © http://www.strategicsec.com/
Strategic Security CTF Prep Step 2: Get Your Team Organized Set up a means for your team to interactively communicate in real time Google Hangout, Skype, IRC, etc Set up a means for your team to share resources (docs, tools, etc) Google Hangout, Google Docs, Sharepoint, Wiki Understand that some teammates may be in different timezones Break your team up by function(s) Attackers Defenders Systems Administrators Researchers Strategic Security, Inc. © http://www.strategicsec.com/
Strategic Security CTF Prep Step 2: Get Your Team Organized (Cont.) Players that do not have a team will be placed on teams by Thursday 5 Dec. Get your new teammates integrated quickly Job role(s) Access to team resources Get everyone’s tools, scripts together and try to get them documented so team members can know how to use them and more importantly what they look like to your defensive mechanisms Strategic Security, Inc. © http://www.strategicsec.com/
Strategic Security, Inc. © http://www.strategicsec.com/ Incident Response Strategic Security, Inc. © http://www.strategicsec.com/
Strategic Security, Inc. © http://www.strategicsec.com/ Incident Response Step 3: Prepare For Incident Response The first critical skill required of this game will be incident response Your system will be backdoored Your system will be rootkited Your system will be loaded with vulnerabilities Everything from weak passwords, to custom buffer overflows Required Incident Response Skills Your team will have to be able to quickly find and remove backdoors Your team will have to be able to quickly find and remove rootkits Strategic Security, Inc. © http://www.strategicsec.com/
Strategic Security, Inc. © http://www.strategicsec.com/ Incident Response The Methodology (Step 1: List all running processes) GUI Tools Task Manager Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx Command-line Tools Tasklist Command: http://technet.microsoft.com/en-us/library/bb491010.aspx PsList: http://technet.microsoft.com/en-us/sysinternals/bb896682.aspx Strategic Security, Inc. © http://www.strategicsec.com/
Strategic Security, Inc. © http://www.strategicsec.com/ Incident Response The Methodology (Step 2: Identify malicious processes) Look up every process that is running to see if it is legitimate Resources: http://www.fileresearchcenter.com/ http://www.neuber.com/taskmanager/process/index.html http://www.liutilities.com/products/wintaskspro/processlibrary/ Of course Google! Strategic Security, Inc. © http://www.strategicsec.com/
Strategic Security, Inc. © http://www.strategicsec.com/ Incident Response The Methodology (Step 3: Kill all malicious processes) GUI Tools Task Manager Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx Command-line Tools Taskkill Command: http://technet.microsoft.com/en-us/library/bb491009.aspx PsKill http://technet.microsoft.com/en-us/sysinternals/bb896683.aspx Strategic Security, Inc. © http://www.strategicsec.com/
Strategic Security, Inc. © http://www.strategicsec.com/ Incident Response The Methodology (Step 4: Find All Malicious Connections) TCPView (GUI Tool): http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx Netstat Command: http://windowsitpro.com/windows/using-netstat-get-list-open-ports https://isc.sans.edu/forums/diary/Fun+With+Windows+Netstat/1911 http://computer-networking.wonderhowto.com/how-to/detect-hackers-with-netstat-262222/ http://www.dti.ulaval.ca/webdav/site/sit/shared/Librairie/di/operations/informatique/windows/netstat_results.htm During the game – take note of your teammates’ IP addresses If there is an IP that doesn’t belong to your teammates connected to your server – that is probably an attacker from another team and you should kill that connection Strategic Security, Inc. © http://www.strategicsec.com/
Strategic Security, Inc. © http://www.strategicsec.com/ Incident Response The Methodology (Step 5: Kill All Malicious Connections) TCPView (GUI Tool): http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx Taskkill Command wKillcx http://wkillcx.sourceforge.net/ Strategic Security, Inc. © http://www.strategicsec.com/
Strategic Security, Inc. © http://www.strategicsec.com/ Incident Response The Methodology (Step 6: Find Malicious Services) References: http://www.bleepingcomputer.com/tutorials/how-malware-hides-as-a- service/ http://www.addictivetips.com/windows-tips/smartly-analyze-windows- local-services-for-malware-rootkits-more/ http://reverseengineering.stackexchange.com/questions/2019/debuggin g-malware-that-will-only-run-as-a-service Strategic Security, Inc. © http://www.strategicsec.com/
Strategic Security, Inc. © http://www.strategicsec.com/ Incident Response The Methodology (Step 7: Find Rootkits) References: http://www.computerweekly.com/feature/Rootkit-and-malware- detection-and-removal-guide Strategic Security, Inc. © http://www.strategicsec.com/
Incident Response Resources Good Technical Incident Response Resources References: http://www.slideshare.net/pmelson/malware-analysis-made-simple-presentation http://computer-forensics.sans.org/summit-archives/DFIR_Summit/Finding-Malware-Like-Iron-Man-Corey-Harrell.pdf Strategic Security, Inc. © http://www.strategicsec.com/
What Are We Covering Today Today We Will Be Covering What Is A CTF? Generic CTF Prep Strategic Security Specific CTF Prep Incident Response System Hardening System Logging Intrusion Detection Systems Attacking Systems Maintaining Access Strategic Security, Inc. © http://www.strategicsec.com/
Strategic Security, Inc. © http://www.strategicsec.com/ System Hardening Strategic Security, Inc. © http://www.strategicsec.com/
Strategic Security, Inc. © http://www.strategicsec.com/ System Hardening The Methodology (Step 1: Create Hardening Checklists) STIG http://iase.disa.mil/stigs/ Hardening Guides http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml https://secure.ericade.net/security/index.php/Windows_Hardening_Guide https://benchmarks.cisecurity.org/downloads/benchmarks/ Generic Hardening Resources http://www.xmarks.com/topic/server_hardening Strategic Security, Inc. © http://www.strategicsec.com/
Strategic Security, Inc. © http://www.strategicsec.com/ System Hardening The Methodology (Step 2: Organize Your Tools and Scripts) MBSA http://www.microsoft.com/en-us/download/details.aspx?id=7558 Benchmark Assessment Tools http://benchmarks.cisecurity.org/downloads/audit-tools/ Strategic Security, Inc. © http://www.strategicsec.com/
Strategic Security, Inc. © http://www.strategicsec.com/ System Hardening The Methodology (Step 3: Focus on Scripting) Scripting For Security http://www.sans.org/reading-room/whitepapers/scripting http://blog.commandlinekungfu.com/p/index-of-tips-and-tricks.html http://technet.microsoft.com/en-us/scriptcenter/dd742377.aspx http://www.sans.org/reading-room/whitepapers/auditing/simple-windows-batch-scripting-intrusion-discovery-33193 Interesting Book I Came Across Today http://www.amazon.com/Perl-Scripting-Windows-Security-Monitoring/dp/159749173X Haven’t read it Don’t know the author But looks interesting and may help with this game Strategic Security, Inc. © http://www.strategicsec.com/
Strategic Security, Inc. © http://www.strategicsec.com/ System Hardening The Methodology (Step 4: Focus on Continuous Monitoring) Be conscious of the potential skill of the attackers Consider yourself breached at all times during the game IMPORTANT Throughout the game be sure to constantly verify that your security configurations have not changed Strategic Security, Inc. © http://www.strategicsec.com/
Strategic Security, Inc. © http://www.strategicsec.com/ System Hardening The Methodology (Step 1: Create Hardening Checklists) Stigs http://iase.disa.mil/stigs/ Hardening Guides http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml https://secure.ericade.net/security/index.php/Windows_Hardening_Guide https://benchmarks.cisecurity.org/downloads/benchmarks/ Generic Hardening Resources http://www.xmarks.com/topic/server_hardening Blah Strategic Security, Inc. © http://www.strategicsec.com/
Strategic Security, Inc. © http://www.strategicsec.com/ System Logging Strategic Security, Inc. © http://www.strategicsec.com/
Strategic Security, Inc. © http://www.strategicsec.com/ System Logging The Methodology (Step 1: Understand Windows Logging) Windows Logging Basics http://www.windowsecurity.com/articles- tutorials/windows_os_security/Understanding_Windows_Logging.html http://www.sans.org/security-resources/idfaq/logging-windows.php http://en.wikipedia.org/wiki/Event_Viewer Event ID Listings http://www.eventid.net/ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx Strategic Security, Inc. © http://www.strategicsec.com/
Strategic Security, Inc. © http://www.strategicsec.com/ System Logging The Methodology (Step 2: Organize Log Analysis Tools) Free Tools http://www.microsoft.com/en-us/download/details.aspx?id=24659 http://www.lizard-labs.net/log_parser_lizard.aspx http://visuallogparser.codeplex.com/ Learn To Use Log Parser and Log Parser Lizard http://computer-forensics.sans.org/blog/2011/02/10/computer-forensics-howto-microsoft-log-parser Take it to the next level with Splunk https://www.sans.org/reading-room/whitepapers/logging/setting-splunk- event-correlation-home-lab-34422 Strategic Security, Inc. © http://www.strategicsec.com/
Strategic Security, Inc. © http://www.strategicsec.com/ System Logging The Methodology (Step 3: Organize Important Queries) Good queries to run: http://aggressivevirusdefense.wordpress.com/2010/04/23/log-parser/ http://www.codinghorror.com/blog/2005/08/microsoft-logparser.html Strategic Security, Inc. © http://www.strategicsec.com/
Strategic Security, Inc. © http://www.strategicsec.com/ System Logging The Methodology (Step 4: Set Up Automated Tasks) Windows Automation Basics http://www.techradar.com/us/news/software/applications/how-to- automate-tasks-in-windows-1107254 http://www.iopus.com/guides/winscheduler.htm http://stackoverflow.com/questions/6933698/automate-services-restart- in-windows-server-2003 Strategic Security, Inc. © http://www.strategicsec.com/
Intrusion Detection Systems Strategic Security, Inc. © http://www.strategicsec.com/
Intrusion Detection Systems The Methodology (Step 1: Start With The Basics) Do you have the resources to run an IDS? VMWare Workstation or ESXi (recommended) At least 2GB of RAM to allocate to the IDS Run on the same host machine as your team server (eases network configuration issues) Are you willing to build it/debug it now? Probably want a full day or 2 to just to play around with it if this is your first time Run attacks with metasploit and get a feel of what alerts look like and how fast they come in Strategic Security, Inc. © http://www.strategicsec.com/
Intrusion Detection Systems The Methodology (Step 2: Decide What To Deploy) Lots of IDSs to choose from Network Based Snort http://snort.org/ Suricata http://www.openinfosecfoundation.org/index.php/download-suricata Bro http://www.bro.org/ Host-Based OSSEC http://www.ossec.net/ Strategic Security, Inc. © http://www.strategicsec.com/
Intrusion Detection Systems The Methodology (Step 2: Decide What To Deploy - Cont) Network based IDS are good, but are highly prone to false positives Host-Based IDS are great, but require something running on the host The best option is to combine the two IDS types, but that can be a lot of work The problem with deploying both of them is that it can be a lot of work Strategic Security, Inc. © http://www.strategicsec.com/
Intrusion Detection Systems The Methodology (Step 3: Deploy with bang for buck in mind) Use something that gives you the most bang for your buck (tools/features) Use something that you can build quickly My Recommendations: Security Onion: http://blog.securityonion.net/p/securityonion.html OSSIM: http://www.alienvault.com/open-threat-exchange/projects Strategic Security, Inc. © http://www.strategicsec.com/
Strategic Security, Inc. © http://www.strategicsec.com/ Contact Me.... Toll Free: 1-866-892-2132 Email: joe@strategicsec.com Twitter: http://twitter.com/j0emccray LinkedIn: http://www.linkedin.com/in/joemccray Strategic Security, Inc. © http://www.strategicsec.com/