Red Teaming the Northwest Collegiate Cyber Defense Competition Trials

Monday, April 12th, 2010

Introduction:

This past Saturday (April 10th, 2010) I participated on a Red Team (along with about 6 other students from Mississippi State University) for a mock Northwest Collegiate Cyber Defense Competition. Needless to say, it was one of the most fun things I have ever done in my entire life. The Blue teams were composed of students from the University of Fairbanks Alaska, University of Anchorage, the University of Hawaii at Mānoa, and another Hawaiian University (sorry, I don’t know their name). If you’ve never heard of the Collegiate Cyber Defense Competition, the background is that there are three teams: (1) a Red team, (2) a Blue team, and (3) a White team. The Blue team has to set up and defend a network that would be similar to a regular information technology network. The Blue team works for the White team and is forced into doing business tasks and server administration to get points for the competition. The Red team gets to attack the Blue team’s network while they are trying to perform business tasks, and attempts to bring the Blue team’s services down so that they lose points. The Red team is not in a competition against the Blue team; rather, the Blue team is divided into sub teams which compete amongst themselves. The Red team’s job is to attack all the subdivided Blue teams’ networks equally, and report to the White team the damage they do to their network. To get a better idea of what I’m talking about, I highly recommend you watch the videos of last year’s Mid-Atlantic Collegiate Cyber Defense Competition shown below. If you’re watching them for entertainment, the Red team starts at Part 3 and you will probably get some good lulz out of watching how they walk all over the Blue team, who are obviously ignorant of the types of attacks that they are even getting hit by.

  1. Part 1 – http://www.youtube.com/watch?v=PDCPrfuf6BY
  2. Part 2 – http://www.youtube.com/watch?v=kp6bktaB0A4
  3. Part 3 – http://www.youtube.com/watch?v=38Nv3fg54bs
  4. Part 4 – http://www.youtube.com/watch?v=7Hr0GykHR9c

Unfortunately for our Red Team, we were set up on virtual machines and had no physical access to the Blue teams’ network, so any physical attacks like rogue USB devices were out of the picture. Because of this restriction, we had a 24-hour grace period to ping the Blue teams’ network, fingerprint their operating systems and services, and devise a plan of attack. In our reconnaissance, we did DNS zone transfers and figured out the entire structure of their network and what each machine did by looking at its DNS name. For example, dns.<blah>.com was obviously a DNS server for the teams. We saw that these were running on Windows machines, and that each team had two workstation machines (ws1.<blah>.com, ws2.<blah>.com). These Windows machines happened to look like they were running a lot of services that they shouldn’t be, and we noticed the machines were running older versions of Windows XP, pre-Service Pack 3.

My Responsibilities:

One of my jobs was to figure out how to maintain access once we exploited the machines. I went rootkit shopping and found a lot of junk rootkits on http://www.rootkit.com. Many of the tools on this website are not rootkits, but they do have good tools for avoiding virus and rootkit scanners and such. Also, the rootkits that worked on rootkit.com were services that needed to be connected to from outside the computer they were being hosted on. I prefer rootkits that dial out to the owners of the rootkits because of the chance that the Blue team may do some interesting firewall rules, like blocking all incoming traffic on all ports but allowing all traffic going out. Some of you might be saying, yeah, but even if they dial back out to you, how are you going to talk back to them if you can’t send traffic in? Well, some protocols like SSH are bi-directional protocols, which allow you to evade that requirement, so if you’re interested go look into it. Not having much luck at rootkit.com, I decided to look at Backtrack and see if it had any good rootkits in it by default. They do have a rootkit called sbd that is pretty useful in both Backtrack 3 and Backtrack 4. This rootkit dials out, but the only problem with it is that if the server gets restarted the service will die. Thus I also made instructions for how to install this rootkit to the Windows registry for the competition to re-run on boot. I also renamed this program to be VMwareGroup.exe, evilly making it look like it was installed as part of the VMware tools that were running on the Blue teams’ machines. They had services like VMwareUser.exe that had to be run in order for their VMs to function properly. A second rootkit that we used extensively throughout the competition was Poison Ivy (http://www.poisonivy-rat.com/). This is the same rootkit that was used in the Mid-Atlantic videos linked to above. It dials back to a number of IP addresses on different ports, installs itself to automagically run when Windows starts, installs a VNC-like backdoor (allowing you to control the victim’s keyboard and mouse), allows you to spawn a Windows shell at any time, and many more features! When testing these rootkits in virtual machines, I noticed Poison Ivy was detected by AVG antivirus. I do not know if this is the case for the professional version, but it is for the free version. Sbd.exe was not detected by AVG antivirus, so I figured these were about the two best rootkits I could get for the competition. One that was really loud so that if the Blue team was smart enough they could detect it, and another quieter rootkit so that if the Blue team started to eliminate our Poison Ivy backdoors, we could still maintain access.
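A defender-side check for the masquerading described above, as an added example that is not part of the original post: it audits autorun entries against a known-good baseline and flags executables whose names imitate expected VMware Tools processes or that run from the wrong directory. The baseline directory, the `VMwareTray.exe` entry, the sample entries and the similarity threshold are assumptions made for illustration.

```python
import ntpath
from difflib import SequenceMatcher

# Assumed baseline (build yours from a known-good image): autorun executables
# the VM image should launch, mapped to their expected install directory.
BASELINE = {
    "vmwareuser.exe": r"c:\program files\vmware\vmware tools",
    "vmwaretray.exe": r"c:\program files\vmware\vmware tools",
}

# Constructed sample of Run-key style entries: (value name, command line).
SAMPLE_AUTORUNS = [
    ("VMware User Process", r'"C:\Program Files\VMware\VMware Tools\VMwareUser.exe"'),
    ("VMware Tools", r'"C:\Program Files\VMware\VMware Tools\VMwareTray.exe"'),
    ("VMware Group", r"C:\WINDOWS\system32\VMwareGroup.exe"),
    ("VMware User Helper", r"C:\Documents and Settings\user\VMwareUser.exe"),
    ("Updater", r'"C:\Program Files\Example\updater.exe" /background'),
]

def exe_path(command):
    """Pull the executable path out of a command line, honouring quotes."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    end = command.lower().find(".exe")  # unquoted paths may contain spaces
    return command[: end + 4] if end != -1 else command.split(" ", 1)[0]

def similarity(a, b):
    return SequenceMatcher(None, a, b).ratio()

def audit(autoruns, baseline=BASELINE, threshold=0.7):
    """Return (value name, path, reason) for entries that imitate the baseline."""
    findings = []
    for name, command in autoruns:
        path = exe_path(command)
        directory, exe = ntpath.split(path.lower())
        if exe in baseline:
            if directory != baseline[exe]:
                findings.append((name, path, "known name, unexpected directory"))
            continue
        closest = max(baseline, key=lambda known: similarity(exe, known))
        if similarity(exe, closest) >= threshold:
            findings.append((name, path, f"lookalike of {closest}"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_AUTORUNS):
        print(finding)
```

On a live host the entries would come from the registry Run keys and service list rather than an inline sample, and the baseline should be captured before the machine is exposed.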

Results:

The goal of the competition for the Blue team was to host a website hosting company. They were given thirty minutes to secure their networks without us launching any attacks against them. In the six hour competition, we took their website hosting business down for all teams within the first 15 minutes of attacking them. They did not fix their business for the rest of the competition. This means their website downtime was 5 hours and 15 minutes.

Taking down their websites was easy. We used Metasploit’s autopwn feature to automatically own their Windows DNS servers (which they did not have time to patch, or didn’t want to suffer the downtime to patch them after their 30 minutes of safety time from the Red team was up). After getting on their DNS servers, we installed Poison Ivy and maintained access for almost the entire competition with it. We also owned some teams’ workstations and installed Poison Ivy on their workstations too. While some of us on Red team were doing this, other members were hacking their Linux machines and intercepting the emails the Blue team was supposed to receive from the White team to do business tasks. We replied to the White team as the Blue team telling them “You can take this job and shove it. We quit”. There was a point in the competition where I don’t think the White team believed that we had successfully penetrated the machines the Blue team was using, so they told us to start making some noise. We fired up the Poison Ivy shells and started changing their desktop backgrounds to lawlcat pictures, fighting for control of their keyboard and mouse, and talking to some of the teams over notepad. They asked us over notepad “how did you get in?”, well I hope they read my blog lol. On the Linux machines, there was also a VNC service running with no password, so we were also annoying them on their Linux boxes in a similar fashion.

Only one team managed to actually figure out that the reason their website was broken was that we changed their DNS. We identified this team later on to be UH Mānoa Hawaii. They did do a decent job at keeping us out of their boxes. They were the only sub team of the Blue team to erase our rootkits (toward the end of the competition). They were surprised after erasing our rootkits off their workstations that we still had Poison Ivy dialing out to us on their DNS server. If we wanted to, we could have installed sbd so they would not have found us, but seeing as there was only an hour left in the competition we figured we had tortured them enough and let them close us out of their network. They get a very small kudos for this, but I retract that in a few paragraphs and you will see why.

Now, I’m not sure if it was the White team’s true intention to score this competition or not. We were told at the beginning of the competition that the competition would be scored and that this was being conducted just like a Collegiate Cyber Defense Competition. The White team decided at the end they were not going to score the competition. With the Blue teams’ website business task being down for 5 hours and 15 minutes and all of them getting bombarded by the Red team through multiple security vulnerabilities the Blue teams did not patch, it is fair to say they would have low scores if this were a real competition. All the Blue teams have a lot of practice to do if they want to be in a real Northwest Collegiate Cyber Defense Competition. Nevertheless, the 6 of us that were on the Red Team from Mississippi State University respect them for trying to better themselves at defending against hackers (by doing this competition) and we welcomed them to challenge us whenever they would like to do another event like this.

False Victory:

This blog post showed up a few days later from UH Mānoa:

I’m just going to leave it up to you (the reader) to decide what you think about that one. This is why I say I retract my kudos to UH Mānoa. Wesley McGrew (http://www.mcgrewsecurity.com), who headed up our Red Team, found this post by them and told us about it, so I saved it for my records. Since Wesley notified the point of contact for UH Mānoa’s blog post, they have changed their tune: http://www.hawaii.edu/news/article.php?aId=3560 .

Incident Reports:

The White team was supposed to mail Wesley some incident reports. Incident Reports are what the Blue team had to file every time the Red Team successfully penetrated their machine. They do this to get points back. I have not heard from him to see if he got them. If I ever do, I will post them here.