Red Star, Schmed Star


In MACCDC 2015 Regionals the network started out with the VMs outlined in our team packets. Our team captain was away from our tables handling other administrative duties. An ‘inject’ came through which required us to use “Office Software” to create something, I can’t recall if it was a PowerPoint or Word document, to explain something that was going on with the network or systems. Along with the inject a new VM appeared in our vSphere console. It was a Linux system labelled “Red Star”. We quickly launched it and realized this flavor of Linux has a GUI rather than just a console, but everything was in a different language, a language that our system administrators couldn’t read. We all left our seats and surrounded our teammate to see if it was something maybe we could read, but it wasn’t. 😦 We tried carelessly clicking around trying to change the language to English but were failing at doing so.


Our team captain came back from her assignment and needed an update on what we were doing. We explained that we couldn’t read the language on the new system and were struggling to complete the new inject we had received. She was standing over the shoulder of one of our system administrators and looked down at the new Linux box. Her eyes focused on the foreign letters on the screen, and she exclaimed excitedly, “I can read this! It’s Korean!” It was a eureka moment for all of us. It was like when Lex Murphy realized it was a Unix system. (https://www.youtube.com/watch?v=dFUlAQZB9Ng)

Our team captain is of Korean descent.

The Linux system that was injected into the game was: https://en.wikipedia.org/wiki/Red_Star_OS

It’s not the hard things that trip you up, it’s the small stuff you waste time on.




What is actually learned from CCDC

A great question was asked by a Red Teamer on Twitter: What is actually learned from CCDC?
(https://twitter.com/carnal0wnage/status/718204762290843648)

I don’t think I could fit an answer into 140 characters, so I took to a blog for a proper response.

If you’re asking what is actually learned from the red team hacking a bunch of blue teamers... NOTHING. We know you can do it. You know you can do it.

What we do learn are the things we taught ourselves in preparation for the competition. We don’t directly learn any of the objectives outlined in the CCDC Team Packets. (Did anyone even read them?)

For MACCDC the objectives are outlined as:

  • Build a meaningful mechanism by which institutions of higher education may evaluate their programs
  • Provide an educational venue in which students are able to apply the theory and skills they have learned in their course work
  • Foster a spirit of teamwork, ethical behavior, and effective communication both within and across teams
  • Open a dialog and increase awareness among participating institutions and students

Let’s break this down one item at a time.

Build a meaningful mechanism by which institutions of higher education may evaluate their programs

Institutions of higher education cannot use CCDC to evaluate their programs. Colleges often have guidelines and requirements to stick to course material as provided by their vendors. Sure, some teachers/professors stray from that a little. They do not use CCDC as a gauge to see how well their material is being taught. How well a team performs in CCDC does not correlate directly with how well those students perform in class; thus, it cannot be used by higher education to evaluate their programs.

In fact I’d be interested to find out how many colleges request pcaps and the scoring metrics to see how their school did and whether there is anything that could improve in their programs for next year. They probably don’t, and secondly MACCDC probably couldn’t deliver those items.

Provide an educational venue in which students are able to apply the theory and skills they have learned in their course work

I think this statement should be changed from ‘educational venue’ to ‘venue’.

Every experience in life is a learning experience. Everywhere we go and everything we do is a learning experience. We don’t call all the places we go ‘educational [place]’. In order for something to be called an “educational [place]” its primary function should be educating. CCDC is not for educating and should NOT be labelled an ‘educational venue’, just a ‘venue’.

Now with that statement changed to “Provide a[n] educational venue in which students are able to apply the theory and skills they have learned in their course work”, I can agree with part of it. I can agree with “Provide a venue in which students are able to apply theory and skills they have learned”, that’s it. Believe me, in your ‘course work’ you aren’t studying BigBlueButton, PBX, Cyclos, Request Tracker or JessX. None of these are in any course work I have seen come from any college. Leave me a comment below if you have worked on these boxes as part of your regular studies.

Foster a spirit of teamwork, ethical behavior, and effective communication both within and across teams

This is a mixed message when taken in context with the rules of the game. On page 7 of the 2016 Team Packet Final it states:

e. Team members are forbidden from entering or attempting to enter another team’s competition workspace or room during CCDC events

I’m sure this will be twisted into saying ‘this doesn’t mean blue team to blue team, it means blue team to red team and vice-versa’. I’ve had CCDC officials twist things like this.

I can say from personal experience we have been instructed not to talk to other blue teams. We couldn’t talk to other blue teams even when trying to troubleshoot an issue where we needed to test connectivity from outside of our own site.

I wasn’t able to attend the Red Team-Blue Team mixer this year but I bet that was the most valuable part.

I wish the ‘teamwork’ extended to inter-team communication not just intra-team communication.

Open a dialog and increase awareness among participating institutions and students

I don’t even know what this means. “Increase awareness” about what? CCDC? Cyber Security?

Just the facts, ma’am.

Through my CCDC experiences I learned a handful of technical skills that are still with me and that I use every day: simple Linux administrative tasks, ASA and pfSense administration, the differences between stateful and stateless protocols and how they both work with iptables, Cisco ACLs & MPF, and pfSense rules.

Being a team leader I learned how to give lectures, create PowerPoint presentations and spin up VMs for live demos.

In order to give a proper and well-informed presentation about something you are forced to learn more about it than you ever thought you needed to know. I think a great training exercise for CCDC is to have every student create a presentation about something so they are forced to learn everything about it.

Everything I learned for CCDC is something I taught myself, and it’s those things that stayed with me for life.

As for what I’ve gained from my CCDC experiences, I have gained something no class can teach... friends. I came into the CCDC club for my school and met a bunch of strangers. We made it through qualifiers and into regionals as acquaintances and classmates. We left regionals as friends. Some of those friends I still talk to even though we haven’t seen each other in a few years.

In Conclusion

Even though CCDC is flawed (probably throughout the nation) it still offers a place where like-minded individuals get together to teach each other and try to reach a higher understanding of the aspects of cyber security that interest them, and then ultimately exercise those skills in a place with your friends. This competition is only as fun as you make it. I remember most of our systems had Nyan Cat across our screens. There was nothing left to do other than the Macarena, so we did. I remember having to leave the pit together for an inject and running through the mezzanine with our arms out like a bunch of airplanes. We always sent the Red Team fun gifts that we contributed to as a team.

If anyone wants to share what they’ve learned or has an opinion on what is actually learned from CCDC competitions, leave a comment below.

A Face for Radio.

On Friday, I attended, as an observer, the 2016 MACCDC Regionals @ JHU-APL. Upon arrival I was asked to sign in. I was given a visitor’s badge, a pamphlet and a few other flyers. I put the lanyard from the badge over my head, threw the rest in my backpack and proceeded to the mezzanine. I mingled and chatted with old friends: blue teamers, red teamers, black teamers and some sponsors. I hung out for a couple hours and went home to begin my weekend.

Monday morning came around. I was getting my laptop out of my backpack and noticed the MACCDC pamphlet still in my pack. I took it out and put it on the desk. While waiting for my laptop to start and trying to escape the Monday morning fog, I sipped my coffee, opened the MACCDC pamphlet to the table of contents and started reading.

Something caught my eye to the left of the table of contents.

BAM!!!

My picture.

Inside Cover

To see a full PDF of the Visitor Pamphlet: MACCDC_2016_Pamphlet.

Hello Old Friend.

Welcome back!

This site is about sharing the experiences of CCDC. Sharing the experiences from all sides: Red Teams, Blue Teams, Black Teams, White Teams, etc.

This site is about enlightening the college freshmen who are thinking about joining their CCDC team as to what they can expect.

Maybe the white teams can use our opinions here to see how other regionals host and hold their competitions so they can all continually improve.

I didn’t want to just regurgitate information that is already out there. I wanted to give a deeper insight into what it is like. If you have built your team right with the correct people, the friendships you forge will follow you throughout your career.

I have remained friends with members from all my years of playing and the coaches and staff who support CCDC.

My current job and position all came to me from a recommendation from a former CCDC teammate.

My opinions and advice are only derived from my time participating/attending MACCDC qualifiers and regionals.

My intentions were not to develop a blog site that gave away the secret plans, scripts and guides for ‘winning’ CCDC. There is no secret way to ‘win’ CCDC. You just have to have the most points.

I wanted to create a community. A place where like-minded men and women could share their experiences.

I wanted others to share their stories. Stories of:

  • What their teams did for fun?
  • How they practiced?
  • Advice to give to first time blue teamers.
  • What they remember about Qualifiers/Regionals/Nationals?
  • Greatest/Worst moments.
  • How CCDC has helped them: in school/in career?

The bottom line is: I just love CCDC and the friendships and the things learned along the way. That’s why I do this!

Come, share your story. Do you have something you want to share? Reach out to me in a comment below.

MACCDC: Qualifiers – How to prepare

The regional CCDC qualifying round for the Mid-Atlantic region is dubbed ‘Virtual Qualifiers’, because it is held on virtual servers in Amazon’s EC2 cloud infrastructure.

In order to properly prepare for such an event it’s best to know a little bit about it. The best source of information is people who have participated in years past. The second best source is, of course, this site. Familiarize yourself with the historical data I have gathered from the past competitions.

Registration & Scoring:

Registration and scoring is done through threatspace: https://sb2.threatspace.net

Don’t let the day of competition be the first day you’ve looked at threatspace. Make yourself as familiar with it as you can, it will help you to feel comfortable and confident, and can shave time off from trying to figure out their site during the competition.

Scoring is done by something we call ‘scorebot’. It is the name we have given the scoring engine for the MACCDC region because it often uses the username ‘scorebot’ to log into systems. It is an automated system that checks which services are up. ‘Scorebot’ reports this and displays it in pretty graphs and colors on threatspace’s website. You can change ‘scorebot’s password and I recommend doing so, as it is often set to “chiapet1” and has been for years. [A future post might discuss the necessity for open sourcing the scorebot]

How many systems and which:

Typically you are given 4 systems, 2 Windows & 2 *nix. Again, check the resources I have provided; this will help you figure out which systems they like to bring back year after year.

Team Structure:

This has been gone over before in other posts from other sites and I’m sure each school or region will have their own twist on it, but make sure you have the best man/woman for the job. Some members on your team will be good at everything and some will have only a specialty or two. Make sure you put the best person on the keys where they need to be. In qualifiers there are only 4 systems but there are 8 team members. Naturally we split up into teams of 2 for each system: one person on the keys and the other person as researcher. Unlike MACCDC regionals, you have full-blown internet access; there is no air-gap. The person in the ‘researcher’ role is there to look things up and provide support to the person on the keys. They should not be looking up things like “how to turn on your firewall” or “adding a user in AD”; those are things you should already know how to do. Instead they would be most useful looking up how to administer or harden the web-app and back-end for the software that you’ve never seen before.

What to prepare for:

Don’t stand up 12 VMs and base your practice environment off of one of the topologies from the regional competition, until you get there.

Don’t spend your whole time practicing for regionals if you haven’t gotten past qualifiers. Remember you must get past qualifiers first. With that said, you will need to rehearse for regionals in addition to qualifiers.

How to prepare:

Since qualifiers are held in Amazon’s EC2 cloud infrastructure, your practice environment for qualifiers should be too. Go sign up for the cloud service and stand up 4 VMs. They have pre-made images for the systems that you will likely see. A couple hundred dollars worth of Amazon credits should be enough for your team to get plenty of practice. If your school has a cyber security club, maybe you can approach them about the possibility of funding such a thing. If not, have each person put in $20. It’s not a huge investment and it will get you started.

Schedule:

The MACCDC qualifier is only 4 hours long. Time is of the essence. There are something like 32 schools in the MACCDC region. Generally qualifiers are held ~8 teams per day over 4 days. As a school you have the option of choosing which day you would like to compete on. You don’t always get the day you choose. Some theories range from:

  • Choosing day 1 means this will be a new environment to red team so they won’t be familiar with it, but this means if there is anything wrong with the infrastructure you will be the test dummies to figure it out.
  • Choosing a later day means the infrastructure should be fully tested but the red team will already know all the ins and outs of all the systems.

Things I’ve seen go wrong:

  • People getting locked out of their own boxes. (guilty)
  • Overly complex passwords don’t play nice. I’m not sure if it is threatspace’s website, their database, or input sanitization, but passwords with a lot of symbols will cause ‘scorebot’ to incorrectly identify a service as being down. Instead choose a long alphanumeric string.

A word of advice:

  • Do continuous pings to each of your scored systems so you’ll know when they go down. Don’t rely on ‘scorebot’.
  • Do nmap scans of your scored boxes and make sure the services you need up are up and responding. Check them from an outside computer. Do this constantly, as things will change often in 4 hours.
  • You only have 4 hours: Keep It Simple Stupid!
  • Eat and go to the bathroom before competition starts. If allowed at your facility have a bottle of water with you.
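
The ‘ping and nmap your own boxes, don’t rely on scorebot’ advice above, as an added Python example that is not from the original post: it polls each scored service with a real TCP connect from an outside host and reports only state changes, which is closer to what a scoring engine sees than an ICMP ping. The target hosts, ports and poll interval are constructed placeholders.

```python
"""Poll your own scored services from an outside host and report state changes.

Added example (not from the original post). Hostnames, ports and the poll
interval below are constructed placeholders; replace them with your scored boxes.
"""
import socket
import time

# Constructed target list: (label, host, port).
TARGETS = [
    ("web", "192.0.2.10", 80),
    ("mail", "192.0.2.11", 25),
    ("ssh", "192.0.2.12", 22),
]


def check_tcp(host, port, timeout=2.0):
    """Return True if a full TCP connection to host:port completes within timeout.

    Connection refused, unreachable host and a timeout all count as DOWN.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def poll_once(targets):
    """Check every target once; return {label: True (up) / False (down)}."""
    return {label: check_tcp(host, port) for label, host, port in targets}


def transitions(previous, current):
    """Return human-readable lines only for services whose state changed.

    On the first poll (label missing from `previous`) the initial state is
    reported so the operator has a baseline to compare against.
    """
    lines = []
    for label, up in sorted(current.items()):
        before = previous.get(label)
        state = "UP" if up else "DOWN"
        if before is None:
            lines.append(f"{label}: initial state {state}")
        elif before != up:
            lines.append(f"{label}: {'UP' if before else 'DOWN'} -> {state}")
    return lines


def monitor(targets, interval=30, rounds=None):
    """Poll forever (or `rounds` times), printing timestamped transitions."""
    previous = {}
    n = 0
    while rounds is None or n < rounds:
        current = poll_once(targets)
        for line in transitions(previous, current):
            print(time.strftime("%H:%M:%S"), line)
        previous = current
        n += 1
        if rounds is None or n < rounds:
            time.sleep(interval)
    return previous


if __name__ == "__main__":
    monitor(TARGETS)
```
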

Red Team activity:

2013: I didn’t participate in competition but friends did and did not remember any particular red team activity in the qualifiers.

2014: We didn’t see any red team activity, that is, we didn’t see any red team activity.

2015: There was a lot of red team activity. I have made blog posts about it, and so have others. Also, on one of our Windows boxes they kept standing up a telnet server.

Feedback:

How do you prepare for the qualifiers? What are the qualifiers like in your region? Leave a comment below.

Summer Break: Stay busy

As I wrapped up my final exam and went to the Green Turtle with a classmate, I was introduced to some people who were interested in playing CCDC in 2016. They knew I had participated in the 2 previous years and wanted to know what they should be doing to prepare over the summer before joining the CCDC club in the fall. I forget what I actually told them, but after thinking about it, why didn’t I have a long list of items prepared to tell them? Hence this post.

Summer really is a great time to start preparing for the next year’s CCDC. Most people have off in the summer, which normally means a little more free time. Think about what role you might want to play in CCDC, then steer your training towards it. You should naturally gravitate to something that interests you. You will always put more into something if it interests you. Here are some ideas:

  • Firewall administration: Cisco ASA, pfSense, iptables
  • Windows Server Active Directory
  • Database: MSSQL, MySQL, postgres
  • Webserver administration: Apache, IIS, Nginx
  • Mailserver administration: OWA, SquirrelMail
  • Forensics: memory analysis, pcaps, log analysis
  • Windows Sys-Admin: firewall, users, services
  • *nix sys-admin: iptables, pf, users, groups, services

Find something you like and dig in. Summer break is time for you to really explore, because when school starts you won’t have the same freedom in your schedule.

Start or join a CTF team. People who are naturally good at team-based CTFs will often be good at CCDC, since they are similar.

CCDC takes a lot of time. Practicing takes time. Setting up environments takes time. Just because CCDC limits you to 8 players doesn’t mean you can only have 8 people in your CCDC club. The more people you have to spread responsibility across, the more time you’ll have.

Treat CCDC like a sports team. You have to show up for practice or you can’t play in the big game. Doing CTFs and CCDC rehearsals will weed out who is willing to commit and who doesn’t have time for it. It will also help resolve personality conflicts sooner rather than later.

Test each-other:

Create VMs on flash drives and trade them with each other. See if you can figure out what is misconfigured and what needs to be done to harden that system. This is also a good way to practice forensics. As you work on hacking each other’s VMs, capture the traffic in pcaps and take memory dumps, then give those to the forensics person(s) and see if they can identify what is going on without being told. You can never have enough practice standing up, configuring and securing a LAMP server. Make sure you know how to test for and patch Heartbleed and Shellshock.

Challenge others to write small scripts to automate things. As you perform repetitive tasks you’ll see where you can use scripts and where you can’t. Don’t try to automate everything; that plan will fail. Writing scripts will help you practice working at a command line, troubleshooting and regex. Start with log files:

tail -f /var/log/auth.log | grep Failed
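
Building on the tail/grep one-liner above, an added Python example (not from the original post) that uses a regex to pull the username and source address out of OpenSSH ‘Failed password’ lines, counts them per address and per user, and flags addresses at or above a threshold. The log lines embedded in it are constructed samples, not from any real system.

```python
"""Summarise failed SSH logins from an auth.log-style file.

Added example (not from the original post). SAMPLE_AUTH_LOG is constructed
sample data; point the script at /var/log/auth.log to run it for real.
"""
import re
from collections import Counter

# Matches the OpenSSH "Failed password" line, with or without "invalid user".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample lines (documentation-range addresses, not real hosts).
SAMPLE_AUTH_LOG = """\
Apr  4 10:01:12 web1 sshd[2311]: Failed password for root from 203.0.113.7 port 51234 ssh2
Apr  4 10:01:15 web1 sshd[2311]: Failed password for root from 203.0.113.7 port 51240 ssh2
Apr  4 10:01:19 web1 sshd[2314]: Failed password for invalid user admin from 203.0.113.7 port 51251 ssh2
Apr  4 10:02:03 web1 sshd[2320]: Accepted password for deploy from 198.51.100.5 port 40022 ssh2
Apr  4 10:02:44 web1 sshd[2325]: Failed password for deploy from 198.51.100.5 port 40030 ssh2
Apr  4 10:03:01 web1 CRON[2330]: pam_unix(cron:session): session opened for user root by (uid=0)
"""


def parse_failed_logins(lines):
    """Yield (user, ip) for each failed-password line; other lines are skipped."""
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip")


def summarize(lines, threshold=3):
    """Return (failures per ip, failures per user, sorted ips at/above threshold)."""
    by_ip = Counter()
    by_user = Counter()
    for user, ip in parse_failed_logins(lines):
        by_ip[ip] += 1
        by_user[user] += 1
    flagged = sorted(ip for ip, n in by_ip.items() if n >= threshold)
    return by_ip, by_user, flagged


if __name__ == "__main__":
    import sys
    # Read a real file if one is given, otherwise use the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUTH_LOG
    ips, users, flagged = summarize(text.splitlines())
    for ip, n in ips.most_common():
        print(f"{n:4d} failed  {ip}")
    for user, n in users.most_common():
        print(f"{n:4d} tried   {user}")
    print("flagged:", ", ".join(flagged) or "none")
```
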

Summer time is for learning. Fall is for practicing. Spring time is for performing.

In closing: find a group of friends you can get together with and have fun solving challenges together. You’ll find your groove, have fun.

Teams who win CCDC stay sharp all year.

How do you plan on staying sharp this summer? Do you have any advice for would-be competitors? Leave a comment below.

Post CCDC Survey

The 2015 CCDC season is finally over. A new season looms over the horizon.

I have created a short survey (<10 minutes).

I tried to cover items that are not talked about in debriefing slides or ‘how to prepare for CCDC’ guides. I also tried to include questions so we can find out a little bit about the competitors instead of the competition.

Past and present competitors, please take a minute and check out the survey: http://goo.gl/forms/TAuQS7pr5D

All responses are private. None of the questions are required; all are optional.