Penetration Testing mailing list archives

Re: Best attack strategy for a Red Team?


From: Mike Acker <macker () internap com>
Date: Thu, 12 Mar 2009 15:31:09 -0700

Guys,

'Read a book' provides nothing of value. This is a fun competition, and 
as red team captain of the Pacific Rim CCDC last year, we had everyone 
from professional pentesters to forensics analysts to a few people who 
were simply interested and really didn't do anything. Our competition 
covered 5 states, and this year's winning team is supposed to go on to 
nationals in TX.

That being said, I'm looking for folks in Seattle who want to participate on 
the red team March 28th-29th. Email me directly for info or the vid of 
last year; my server will get crushed.

I find hiding magnets a bit funny; I won't even go into that. These 
competitions are great learning tools, which many of us in our younger 
years did not have the opportunity for. Of anyone who has responded thus 
far, it is doubtful they have participated in one (who uses magnets?).

Students get a series of 'injects' while they have to defend against 
the red team. Injects are typically daily tasks, such as 'company had a 
merger, add these people, remove these, set up email for this person, 
etc.' The 'pods' (typically about 10 computers) are equal for all 
teams, but the ports, services, etc. change per team depending on 
configurations and injects. These pods run a number of services, ports, 
etc.

For strategy, you need to be fair to each team. So if a hack is 
successful on one 'pod' or university, do the same to each one of the 
others. The goal IS NOT to stop services or cause downtime (though they 
lose points for that); the goal is to have creative, fun hacks, and to 
turn in a paper to the scorers, who keep track of it. Those all affect 
points. Show them what's really possible. DoS/DDoS is just lame, as is 
releasing viruses (not allowed per rules).

It doesn't make sense for 10 red team members to go in and start nmapping 
all the boxes. Have one person map out the network first; you will be 
provided an IP range of boxes so you don't attack the scoring engine. 
Take it from there. I would disagree that going through milw0rm is the 
best approach; if you want the quickest way, use BackTrack + autopwn or 
Fast-Track. Read a book too, but anyone is welcome to be part of any 
team. Everyone started somewhere. The best things are the small things, 
some examples:

- Flip their screen upside down, no downtime.

- Leave a text file on the desktop saying fuck you.

- Take over their DNS and use it for yourself.

- Check out the 'white team' people - they give out the injects... we 
brought a printer, duplicated the injects, and had some random dude (who 
we gave a matching shirt to) deliver our fake injects, instructing them 
to set up accounts for us. Some bought it. Easy access; have fun from 
there.

- Once in a box, upload a complete VPC image created beforehand. Hide it 
using a rootkit so it's undetectable unless they run things like 
BlackLight or a couple of others. Do it to multiple boxes, then create a 
networked botnet out of virtual OS machines - fun stuff.

- Once in, do something like crank up the volume and play something 
inappropriate - that one always gets them.

I can't even count how many students came up to us after the competition 
last year to shake our hands; everyone just had sooo much fun. And some go 
to DC, Black Hat and stuff, but for many, it was their deciding factor to 
focus strictly on security.

Let's face it, none of us are going to be around forever.

Those are my thoughts; sorry if anyone is offended.

-macker

Scott <opiesan () gmail com> wrote [03.10.09]:
I use the term "Red Team" loosely here (apologies to all the real pen
testers/red team folks on the list). Very few people on the team are
professional pen testers, if any.  Some of them do it for the company
they work for but I doubt any of us are paid to run pen tests on other
companies. We're all volunteers to help give the student teams
experience dealing with a live opponent. For the sake of the
discussion let's call it the attack team instead.

Thanks for the book recommendation. I've seen/read plenty that talk
about the tools and how to perform specific actions (buffer overflows,
password cracking, social engineering, etc.) but few of them went
through the proper approach and methodology for deciding which path to
take. This book seems to do that along with some of the more specific
information. Have you read this one personally or is it generally
considered an appropriate book for the pen testing field?

Scott

On Tue, Mar 10, 2009 at 7:58 AM, Stack Smasher <stacksmasher () gmail com> wrote:
This seems like a very basic question for someone on a "Red" team. I would
suggest learning to walk before you try to run. Start with some basic pen
testing books before asking questions like this.


http://www.amazon.com/Penetration-Testing-Network-Networking-Technology/dp/1587052083/ref=pd_bbs_sr_2?ie=UTF8&s=books&qid=1236686211&sr=8-2

On Mon, Mar 9, 2009 at 1:55 PM, Scott <opiesan () gmail com> wrote:

Howdy folks!

I'm part of a Red Team for the Mid-Atlantic region CCDC competition
(Collegiate Cyber Defense Competition). There are some pretty talented
folks on the team and I'm arguably the least experienced (for now).
The short version is that teams of college students are
tasked with operating and defending a "corporate" network of systems
ranging from web, email, DB, MS Domain servers, VoIP, and normal
workstations. They have to patch a wide variety of holes while keeping
designated services available for scoring. The team with the most
uptime wins. Meanwhile, the red team is busy attacking these services
along with anything else we can get into and create havoc for the
student teams.

My question to all of you is what you would recommend for an attack
strategy here. In previous competitions it's been challenging to know
where to start as there are many options. Should I find a hole and dig
in with backdoors, create new user accounts, take over the admin
accounts and lock out the student teams??? Technically the red team is
supposed to bring down or deny access to the services the students are
scored on (primary objective). There's always more going on than that,
however. I'd like to stay focused when we go into the 3-day event this
month, so I need a plan.

How would you do it if you didn't know more than possibly what types
of systems you'll find on the target networks? Thanks.

Scott

--
"If you see me laughing, you better have backups"

-- 

Mike Acker, GIAC
Information Security Analysis
Internap Network Services, Inc.
(c) 206.226.9727