Monday, October 28, 2013

Incidents.org's 2001 Wargames

This is about our first CTF, on September 22, 2001, back when CTFs were little known. Ghetto Hackers would start organizing CTFs for Defcon the following year.

Jason and I participated in the event, along with Wigginx (whom we recently ran into at the WiFi CTF) and a few others. We were told there would be two corporate networks and an at-large hacker network. With this we expected to make up the at-large hacker network and test the corporate networks' attempts at security. However, when we arrived, lugging around heavy desktop machines, we discovered we were the only ones there, by a few hours. So we helped out with creating the network, and volunteered to be one of the corporate networks.

Being on a corporate network changed our perspective, as we were now supposed to attack only half the targets (at-large hackers were off-limits, as companies could only attack each other), and we also had to play defense. We weren't allowed to patch the target systems or configure the firewall, because the organizers wanted people to be able to hack something, but we were able to place a machine on the same subnet if we didn't mind it being attacked as well.

The target systems were all running in VMs. Each corporate network would have an unpatched IIS 5 web server with DNS, a Windows 2000 workstation, and a Linux mail server. However, the organizers were never able to get the Linux VM working. This was a major disappointment for me, because most of my knowledge was in hacking and administering Unix systems. At my previous job I assisted with running a 25-workstation Solaris network. This event would be the turning point in my life where I realized that Microsoft's market penetration meant that I would need to learn how to hack Windows systems as well.

Since I was useless in terms of attacking the Windows systems, I placed my machine on the corporate subnet to perform IDS monitoring. Initially, my thought was to identify the attacks, so that I could inform my team of attacks that could work on the opposite corporation. However, even that was unnecessary, as these systems were completely vulnerable.

An idea occurred to me to use Ettercap to kill attacks and backdoor traffic. I didn't have enough time, or enough knowledge of Snort back then, to script this, so I used screen to watch both tools and killed traffic as it generated alerts. Because I was doing this manually, some attacks did get through, but I was still able to watch and kill the traffic... until they began setting up netcat shells over UDP.

Disrupting UDP traffic is a challenge, since there is no connection to reset. However, UDP is easily spoofable. So I relayed the connection information over to another team member, who then spoofed the connections and sent random characters.

This event gave birth to an idea of mine to create what I called a "passive firewall": a system that would kill malicious connections which a normal firewall had allowed through. But I didn't pursue it further, because I thought it would only be useful at CTFs, which back then weren't as frequent. Years later a similar idea would rise under the name Intrusion Prevention System (IPS). More proof that I lack any business sense.
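The "passive firewall" loop above (watch Snort alerts, kill the flagged connection) can be scripted as a decision layer that consumes Snort's "fast" alert format. The block below is an added example written for this page, not code from the original post or from the Snort or Ettercap projects. It parses alert lines, keys flows direction-independently so a server's reply does not trigger a second kill, resets TCP flows through an injector hook (the actual RST injection, which Ettercap's connection kill performs, is left as a callback so the logic runs offline), and flags UDP flows for separate handling since there is nothing to reset. The sample alert lines, the protected subnet 192.168.1.0/24 and the rule ids 900001 to 900003 are constructed placeholders, not real rule ids.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# Snort "fast" alert format, one line per alert:
#   MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] [Classification: x] [Priority: n] {PROTO} src[:sport] -> dst[:dport]
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]

    def key(self):
        # Direction-independent identity: the reply half of a connection that
        # trips a second alert maps onto the connection already killed.
        return (self.proto, frozenset({(self.src, self.sport), (self.dst, self.dport)}))


@dataclass(frozen=True)
class Alert:
    flow: Flow
    sid: int
    msg: str
    priority: int


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one fast-format alert line; return None for anything else."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None

    def port(v):
        return int(v) if v is not None else None

    flow = Flow(m["proto"].upper(), m["src"], port(m["sport"]), m["dst"], port(m["dport"]))
    return Alert(flow, int(m["sid"]), m["msg"], int(m["prio"]))


class PassiveFirewall:
    """Decide, per alert, whether to tear down the offending connection."""

    def __init__(self, protected: str, max_priority: int = 2,
                 injector: Optional[Callable[[Flow], None]] = None):
        self.protected = ipaddress.ip_network(protected)
        self.max_priority = max_priority      # Snort priority 1 is the most severe
        self.inject = injector or (lambda flow: None)  # hypothetical RST-injection hook
        self.killed = set()                   # flow keys already acted on

    def _in_scope(self, flow: Flow) -> bool:
        # Only act on traffic touching the subnet we are defending.
        return any(ipaddress.ip_address(a) in self.protected for a in (flow.src, flow.dst))

    def handle(self, line: str) -> str:
        alert = parse_alert(line)
        if alert is None:
            return "unparsed"
        if alert.priority > self.max_priority:
            return "ignored-low-priority"
        flow = alert.flow
        if not self._in_scope(flow):
            return "ignored-out-of-scope"
        if flow.key() in self.killed:
            return "already-killed"
        if flow.proto == "TCP":
            self.inject(flow)             # real deployment: RST to both endpoints
            self.killed.add(flow.key())
            return "tcp-reset"
        if flow.proto == "UDP":
            self.killed.add(flow.key())   # no connection to reset; hand off out of band
            return "udp-needs-manual"
        return "unsupported-proto"


def run(lines, fw: Optional[PassiveFirewall] = None) -> List[str]:
    """Feed alert lines through the firewall and return the action taken for each."""
    fw = fw or PassiveFirewall("192.168.1.0/24")
    return [fw.handle(line) for line in lines]


# Constructed sample alerts; sids 900001-900003 are placeholders, not real rule ids.
SAMPLE_ALERTS = [
    "09/22-14:03:11.250133  [**] [1:900001:1] WEB-IIS directory traversal attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.3.7:1311 -> 192.168.1.20:80",
    "09/22-14:03:11.402910  [**] [1:900001:1] WEB-IIS directory traversal attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.20:80 -> 192.168.3.7:1311",
    "09/22-14:05:40.001002  [**] [1:900002:1] POLICY netcat-style UDP shell traffic [**] [Classification: A Network Trojan was Detected] [Priority: 1] {UDP} 192.168.3.7:53112 -> 192.168.1.20:9999",
    "09/22-14:06:02.777000  [**] [1:900003:1] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.3.7 -> 192.168.1.20",
    "09/22-14:06:30.000000  [**] [1:900001:1] WEB-IIS directory traversal attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.9.9.9:4000 -> 10.9.9.10:80",
    "this is not an alert line",
]

if __name__ == "__main__":
    for line, action in zip(SAMPLE_ALERTS, run(SAMPLE_ALERTS)):
        print(f"{action:22s} {line[:60]}")
```

In a live setup the input would be Snort's alert file tailed with `tail -f`, and the injector would send RSTs to both ends of the flow. The scope check matters: the post's rules allowed only corporate-vs-corporate attacks, so alerts for traffic that never touches the defended subnet are recorded but not acted on.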

I don't remember there being any scoring. I'm pretty sure it was a "fun exercise" tied in with SANS hacking courses.

The original post, with my atrocious spelling, can be found on an archive of METF's website.
More information about the IO Wargame is also available on an archive of incidents.org.
