View
221
Download
0
Category
Tags:
Preview:
Citation preview
Strategic Security, Inc. © http://www.strategicsec.com/
Preparing For The Strategic Security CTF
Presented By: Joe McCray
joe@strategicsec.comhttp://www.linkedin.com/in/joemccray
http://twitter.com/j0emccray
Strategic Security, Inc. © http://www.strategicsec.com/
Generic CTF Prep
CTF Overview
• What Is A CTF?• Generic CTF Prep• Strategic Security Specific CTF Prep• Incident Response• System Hardening• System Logging• Intrusion Detection System• Attacking Systems• Maintaining Access
Strategic Security, Inc. © http://www.strategicsec.com/
What We Will Be Covering Today
Today We Will Be Covering
• What Is A CTF?• Generic CTF Prep• Strategic Security Specific CTF Prep• Incident Response• System Hardening• System Logging• Intrusion Detection System• Attacking Systems• Maintaining Access
Strategic Security, Inc. © http://www.strategicsec.com/
What is A CTF?
Strategic Security, Inc. © http://www.strategicsec.com/
What Is A CTF?
According to Wikipedia: http://en.wikipedia.org/wiki/Capture_the_flag
In computer security, Capture the Flag (CTF) is a computer security competition.
CTF contests are usually designed to serve as an educational exercise to
give participants experience in securing a machine, as well as conducting and
reacting to the sort of attacks found in the real world.
Reverse-engineering, network sniffing, protocol analysis, system administration,
programming, and cryptanalysis are all skills which have been required by prior
CTF contests at DEF CON.
There are two main styles of capture the flag competitions: attack/defense
and jeopardy.
Strategic Security, Inc. © http://www.strategicsec.com/
What Is A CTF?…(cont.)
According to Wikipedia: http://en.wikipedia.org/wiki/Capture_the_flag
Jeopardy style competitions usually involve multiple categories of problems, each of which contains a variety of questions of different point values.
Teams race to be the first to solve the most number of points, but do not directly attack each other.
Strategic Security, Inc. © http://www.strategicsec.com/
What Is A CTF?…(cont.)
According to Wikipedia: http://en.wikipedia.org/wiki/Capture_the_flag
In an attack/defense style competition, each team is given a machine (or a small network) to defend on an isolated network.
Teams are scored on both their success in defending their assigned machine and on their success in attacking other team's machines.
Image from:
http://ctf.itsec.rwth-aachen.de/vpn/
Strategic Security, Inc. © http://www.strategicsec.com/
What Is A CTF?…(cont.)
According to Wikipedia: http://en.wikipedia.org/wiki/Capture_the_flag
Depending on the nature of the particular CTF game, teams may either be attempting to take an opponent's flag from their machine or teams may be attempting to plant their own flag on their opponent's machine.
Image from:
http://ctf.itsec.rwth-aachen.de/vpn/
Strategic Security, Inc. © http://www.strategicsec.com/
Generic CTF Prep
Strategic Security, Inc. © http://www.strategicsec.com/
Generic CTF Prep
Jeopardy Style CTF Prep
Similar to preparing for the TV Show Jeopardy: http://ken-jennings.com/faq
• Really hard to cram for so hit the common trivia stuff
• Hacker history
• High profile attacks/vulnerabilities
• Hacker movies
• Skip the protocol/programming stuff – either you know it or you don’t
Network Attack/Defense Prep
• Download all patches for common OSs, or build your own repos
• Organize your incident response tools
• Have trusted binaries for most common Oss
• Organize your exploitation/post-exploitation tools/scripts
Strategic Security, Inc. © http://www.strategicsec.com/
Strategic Security CTF Prep
Strategic Security, Inc. © http://www.strategicsec.com/
Strategic Security CTF Prep
Step 1: Start with the basics
• Verify that the place you will be playing from has fast/stable internet
• Verify that the network that you will be playing from is secure/safe
• Create a separate subnet for yourself (cheap router)
• Turn off or firewall all of the other computers in your subnet
• Make sure no one else is using your subnet during the game
• Verify that the attack workstation/Virtual Machine you will be using has at least 2GB of RAM
• Verify that the defensive server has at least 4GB of RAM
• Download/Install the latest version of VMWare Workstation or Player
Strategic Security, Inc. © http://www.strategicsec.com/
Strategic Security CTF Prep
Step 2: Get Your Team Organized
• Set up a means for your team to interactively communicate in real time
• Google Hangout, Skype, IRC, etc
• Set up a means for your team to share resources (docs, tools, etc)
• Google Hangout, Google Docs, Sharepoint, Wiki
• Understand that some teammates may be in different timezones
• Break your team up by function(s)
• Attackers
• Defenders
• Systems Administrators
• Researchers
Strategic Security, Inc. © http://www.strategicsec.com/
Strategic Security CTF Prep
Step 2: Get Your Team Organized (Cont.)
• Players that do not have a team will be placed on teams by Thursday 5 Dec.
• Get your new teammates integrated quickly
• Job role(s)
• Access to team resources
• Get everyone’s tools, scripts together and try to get them documented so team members can know how to use them and more importantly what they look like to your defensive mechanisms
Strategic Security, Inc. © http://www.strategicsec.com/
Incident Response
Strategic Security, Inc. © http://www.strategicsec.com/
Incident Response
Step 3: Prepare For Incident Response
• The first critical skill required of this game will be incident response
• Your system will be backdoored
• Your system will be rootkited
• Your system will be loaded with vulnerabilities
• Everything from weak passwords, to custom buffer overflows
Required Incident Response Skills
• Your team will have to be able to quickly find and remove backdoors
• Your team will have to be able to quickly find and remove rootkits
Strategic Security, Inc. © http://www.strategicsec.com/
Incident Response
The Methodology (Step 1: List all running processes)
• GUI Tools
• Task Manager
• Process Explorer:
• http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
• Command-line Tools
• Tasklist Command:
• http://technet.microsoft.com/en-us/library/bb491010.aspx
• PsList:
• http://technet.microsoft.com/en-us/sysinternals/bb896682.aspx
Strategic Security, Inc. © http://www.strategicsec.com/
Incident Response
The Methodology (Step 2: Identify malicious processes)• Look up every process that is running to see if it is legitimate
• Resources:
• http://www.fileresearchcenter.com/
• http://www.neuber.com/taskmanager/process/index.html
• http://www.liutilities.com/products/wintaskspro/processlibrary/
• Of course Google!
Strategic Security, Inc. © http://www.strategicsec.com/
Incident Response
The Methodology (Step 3: Kill all malicious processes)
• GUI Tools
• Task Manager
• Process Explorer:
• http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
• Command-line Tools
• Taskkill Command:
• http://technet.microsoft.com/en-us/library/bb491009.aspx
• PsKill
• http://technet.microsoft.com/en-us/sysinternals/bb896683.aspx
Strategic Security, Inc. © http://www.strategicsec.com/
Incident Response
The Methodology (Step 4: Find All Malicious Connections)• TCPView (GUI Tool):
• http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx
• Netstat Command:
• http://windowsitpro.com/windows/using-netstat-get-list-open-ports
• https://isc.sans.edu/forums/diary/Fun+With+Windows+Netstat/1911• http://computer-networking.wonderhowto.com/how-to/detect-hackers-with-netstat-262222/• http://www.dti.ulaval.ca/webdav/site/sit/shared/Librairie/di/operations/informatique/windows/netstat_results.htm
• During the game – take note of your teammates’ IP addresses
• If there is an IP that doesn’t belong to your teammates connected to your server – that is probably an attacker from another team and you should kill that connection
Strategic Security, Inc. © http://www.strategicsec.com/
Incident Response
The Methodology (Step 5: Kill All Malicious Connections)• TCPView (GUI Tool):
• http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx
• Taskkill Command
• wKillcx
• http://wkillcx.sourceforge.net/
Strategic Security, Inc. © http://www.strategicsec.com/
Incident Response
The Methodology (Step 6: Find Malicious Services)• References:
• http://www.bleepingcomputer.com/tutorials/how-malware-hides-as-a-service/
• http://www.addictivetips.com/windows-tips/smartly-analyze-windows-local-services-for-malware-rootkits-more/
• http://reverseengineering.stackexchange.com/questions/2019/debugging-malware-that-will-only-run-as-a-service
Strategic Security, Inc. © http://www.strategicsec.com/
Incident Response
The Methodology (Step 7: Find Rootkits)• References:
• http://www.computerweekly.com/feature/Rootkit-and-malware-detection-and-removal-guide
Strategic Security, Inc. © http://www.strategicsec.com/
Incident Response Resources
Good Technical Incident Response Resources
• References:• http://www.slideshare.net/pmelson/malware-analysis-made-simple-presentation• http://computer-forensics.sans.org/summit-archives/DFIR_Summit/Finding-Malware-Like-Iron-Man-Corey-Harrell.pdf
Strategic Security, Inc. © http://www.strategicsec.com/
What Are We Covering Today
Today We Will Be Covering
• What Is A CTF?• Generic CTF Prep• Strategic Security Specific CTF Prep• Incident Response• System Hardening• System Logging• Intrusion Detection Systems• Attacking Systems• Maintaining Access
Strategic Security, Inc. © http://www.strategicsec.com/
System Hardening
Strategic Security, Inc. © http://www.strategicsec.com/
System Hardening
The Methodology (Step 1: Create Hardening Checklists)• STIG
• http://iase.disa.mil/stigs/
• Hardening Guides• http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml
• https://secure.ericade.net/security/index.php/Windows_Hardening_Guide
• https://benchmarks.cisecurity.org/downloads/benchmarks/
• Generic Hardening Resources
• http://www.xmarks.com/topic/server_hardening
Strategic Security, Inc. © http://www.strategicsec.com/
System Hardening
The Methodology (Step 2: Organize Your Tools and Scripts)
• MBSA
• http://www.microsoft.com/en-us/download/details.aspx?id=7558
• Benchmark Assessment Tools• http://benchmarks.cisecurity.org/downloads/audit-tools/
Strategic Security, Inc. © http://www.strategicsec.com/
System Hardening
The Methodology (Step 3: Focus on Scripting)
• Scripting For Security
• http://www.sans.org/reading-room/whitepapers/scripting
• http://blog.commandlinekungfu.com/p/index-of-tips-and-tricks.html
• http://technet.microsoft.com/en-us/scriptcenter/dd742377.aspx• http://www.sans.org/reading-room/whitepapers/auditing/simple-windows-batch-scripting-intrusion-discovery-33193
• Interesting Book I Came Across Today• http://www.amazon.com/Perl-Scripting-Windows-Security-Monitoring/dp/159749173X
• Haven’t read it
• Don’t know the author
• But looks interesting and may help with this game
Strategic Security, Inc. © http://www.strategicsec.com/
System Hardening
The Methodology (Step 4: Focus on Continuous Monitoring)
• Be conscious of the potential skill of the attackers
• Consider yourself breached at all times during the game
IMPORTANT
• Throughout the game be sure to constantly verify that your security configurations have not changed
Strategic Security, Inc. © http://www.strategicsec.com/
System Hardening
The Methodology (Step 1: Create Hardening Checklists)• Stigs
• http://iase.disa.mil/stigs/
• Hardening Guides• http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml
• https://secure.ericade.net/security/index.php/Windows_Hardening_Guide
• https://benchmarks.cisecurity.org/downloads/benchmarks/
• Generic Hardening Resources
• http://www.xmarks.com/topic/server_hardening
• Blah
Strategic Security, Inc. © http://www.strategicsec.com/
System Logging
Strategic Security, Inc. © http://www.strategicsec.com/
System Logging
The Methodology (Step 1: Understand Windows Logging)
• Windows Logging Basics
• http://www.windowsecurity.com/articles-tutorials/windows_os_security/Understanding_Windows_Logging.html
• http://www.sans.org/security-resources/idfaq/logging-windows.php
• http://en.wikipedia.org/wiki/Event_Viewer
• Event ID Listings
• http://www.eventid.net/• http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx
Strategic Security, Inc. © http://www.strategicsec.com/
System Logging
The Methodology (Step 2: Organize Log Analysis Tools)
• Free Tools
• http://www.microsoft.com/en-us/download/details.aspx?id=24659
• http://www.lizard-labs.net/log_parser_lizard.aspx
• http://visuallogparser.codeplex.com/
• Learn To Use Log Parser and Log Parser Lizard• http://computer-forensics.sans.org/blog/2011/02/10/computer-forensics-howto-microsoft-log-parser
• Take it to the next level with Splunk
• https://www.sans.org/reading-room/whitepapers/logging/setting-splunk-event-correlation-home-lab-34422
Strategic Security, Inc. © http://www.strategicsec.com/
System Logging
The Methodology (Step 3: Organize Important Queries)
• Good queries to run:
• http://aggressivevirusdefense.wordpress.com/2010/04/23/log-parser/
• http://www.codinghorror.com/blog/2005/08/microsoft-logparser.html
Strategic Security, Inc. © http://www.strategicsec.com/
System Logging
The Methodology (Step 4: Set Up Automated Tasks)
• Windows Automation Basics
• http://www.techradar.com/us/news/software/applications/how-to-automate-tasks-in-windows-1107254
• http://www.iopus.com/guides/winscheduler.htm
• http://stackoverflow.com/questions/6933698/automate-services-restart-in-windows-server-2003
Strategic Security, Inc. © http://www.strategicsec.com/
Intrusion Detection Systems
Strategic Security, Inc. © http://www.strategicsec.com/
Intrusion Detection Systems
The Methodology (Step 1: Start With The Basics)
• Do you have the resources to run an IDS?
• VMWare Workstation or ESXi (recommended)
• At least 2GB of RAM to allocate to the IDS
• Run on the same host machine as your team server (eases network configuration issues)
• Are you willing to build it/debug it now?
• Probably want a full day or 2 to just to play around with it if this is your first time
• Run attacks with metasploit and get a feel of what alerts look like and how fast they come in
Strategic Security, Inc. © http://www.strategicsec.com/
Intrusion Detection Systems
The Methodology (Step 2: Decide What To Deploy)
• Lots of IDSs to choose from
• Network Based
• Snort http://snort.org/
• Suricata http://www.openinfosecfoundation.org/index.php/download-suricata
• Bro http://www.bro.org/
• Host-Based
• OSSEC http://www.ossec.net/
Strategic Security, Inc. © http://www.strategicsec.com/
Intrusion Detection Systems
The Methodology (Step 2: Decide What To Deploy - Cont)
• Network based IDS are good, but are highly prone to false positives
• Host-Based IDS are great, but require something running on the host
• The best option is to combine the two IDS types, but that can be a lot of work
• The problem with deploying both of them is that it can be a lot of work
Strategic Security, Inc. © http://www.strategicsec.com/
Intrusion Detection Systems
The Methodology (Step 3: Deploy with bang for buck in mind)
• Use something that gives you the most bang for your buck (tools/features)
• Use something that you can build quickly
• My Recommendations:
• Security Onion: http://blog.securityonion.net/p/securityonion.html
• OSSIM: http://www.alienvault.com/open-threat-exchange/projects
Strategic Security, Inc. © http://www.strategicsec.com/
Contact Me....
Toll Free: 1-866-892-2132
Email: joe@strategicsec.com
Twitter: http://twitter.com/j0emccray
LinkedIn: http://www.linkedin.com/in/joemccray
Recommended