Security Laboratory

Sec Lab: Attacks and Defense at Integrated Cyber Exercises

As in real life, there are no declared winners and losers in cyber defense games designed by WhiteWolf Security, but everyone learns something from the experience. In the real world, on real networks, the game never ends, making it impossible to declare a winner. All anyone can do is to perform their skills to the best of their ability, support the team, continue to learn and acquit themselves with honor.

SANS Provides Red Cell for Cyber Game


By Stephen Northcutt

Certification certainly matters, as a SANS-trained, GIAC-certified team provided the attacks for a cyber defense game last weekend. Mid-Atlantic college teams descended on the Community College of Baltimore County (CCBC) to work on their cyber warfare skills March 9-11, 2007. The schools listed on the CCDC web site were:

  • Anne Arundel Community College
  • Bowie State University
  • Community College of Baltimore County
  • George Mason University
  • Howard Community College
  • James Madison University
  • Millersville University
  • Towson University

"Unlike traditional 'hack and defend' or 'capture the flag' contests, this competition tested each team's ability to operate, secure, manage, and maintain a corporate network. This competition was the first to create, as closely as possible, a realistic corporate administration and security experience - giving the competitors a chance to compare their education and training against their peers and the real world challenges that await them."2 "The rules were fairly simple -- at least at first glance. Basically, the Red Team could do anything but hurt someone or perform a denial of service attack (network flood). The student teams were a bit restricted, with regard to changing IP addresses and messing with the infrastructure."3

White Wolf Security and the CyberWATCH Center provided services to help CCBC host the 2nd Mid-Atlantic Regional Collegiate Cyber Defense Competition. The SANS Institute provided the attackers, called the red cell. According to Tim Rosenberg from White Wolf Security, "this year, the Red Cell used a wider variety of penetration tools and techniques than last year. Also, of the 8 teams in attendance over the weekend, more than half were repeat teams from last year. In other words, they knew what they were in for and were significantly better prepared. As such, the Red Cell needed a 'bigger and deeper bag of tricks' to not only compromise the systems, but also to maintain access. We had a little 'unauthorized' physical entry after hours last year as the Red Cell took the spirit of the competition to heart. As anyone in the biz will tell you, finding competent hackers is one thing. Finding competent hackers that are manageable and professional is another matter altogether. The team from SANS this year combined the best of both worlds. Enough technical skills to get the job done, enough good spirited maliciousness to make evidence of the intrusions fun and entertaining, and professional all the way. Another issue is keeping track of Red Cell activity. Since the teams are scored based on keeping the Red Cell out, each time one of them got in, we needed to document the IP of the victim, how they were exploited and any files/user accounts, etc. that were modified. Most penetration testers just go full bore after root access. Having run several of these, this is one instance where the Red Cell needed very little direction. There were some questions about ground rules and IP addresses and documentation. After that, the Red Cell went to work AND kept up their own documentation. Every so many hours, a stack of compromise worksheets would land in my lap with enough detail that I could then sit down with our guy running the Scoring Engine and update the score in near-time."5

One of the red cell members, Omar Fink, works for SAIC, assigned as a technical advisor to a Veterans Affairs security inspection team. He started out in the days of mainframes and punch cards and, with over twenty years of professional computer experience, has managed a technical support department, performed many database operations, survived Code Red and Nimda in a web hosting data center, developed Lotus Notes applications, worked in an intrusion detection watch office for a large enterprise, and participated in security inspections at facilities across the country. Now specializing in security, he holds GCIH, GAWN and GCIA certs from SANS, is a member of the SANS advisory board and spends too much time gazing intently at wireless packets.

We asked Omar what his initial reaction was when he got our note inviting him to be on the red cell. Omar stated, "I was unsure that I was qualified to be part of the team, having no real 'hacking' or pen-testing experience, with only classroom study and some lab work at home in my basement. Having tucked three GIAC certs under my belt in the last two years gave me the confidence to volunteer anyway. I've also done a lot of work with wireless/wardriving and actually taught a mini-class to my co-workers and some friends and was hoping they'd have wireless included this year. They did have wireless but it turned out to be mostly a non-factor."6

We also asked what he did to prepare: "I trained as hard as I could for the four weeks leading up to the CCDC event, dusting off some old tools and skills and learning new ones. I have a nice new laptop (from my company) that became my primary attack platform and brought two old, lower powered laptops with me; one for wireless capture and analysis, and the other for recon stuff and to back up the primary attack system. The primary attack system has Windows installed on it and full disk encryption that prevents using a dual boot config, so I tracked down and installed Windows versions of nmap, nessus, metasploit, ettercap, john, and even aircrack-ng. I already had cain&abel and ethereal on it and about a week before the event, got canvas up and running. The wireless system was using the Backtrack live CD with its marvelous selection of tools and your choice of several wifi cards based on atheros and prism chipsets. I also brought a yagi antenna and gps sensor but found no use for them in such a small environment. The recon system posed a dilemma. It already had Windows installed and could be dual-booted but was slow and underpowered. After some discussion with a Linux guru friend, I settled on XUbuntu because of its ease of use and light resource footprint. (NUbuntu is another good option, but I didn't find out about it in time.) I installed nmap, nessus, metasploit, wireshark, john, canvas, and many more tools that I did not use. I had a handful of Backtrack and older Auditor live CDs ready to use. Between dual boot configs and live CDs, all three systems could run either Windows based tools or some version of Linux based tools.

Canvas was the most exciting new addition, with its 'autohack' script and the ability to install a backdoor service to enable 'pivot' attacks from one compromised host to another new target. And finally, I was able to get the bugs worked out of a wireless packet replay attack in the lab and managed to collect 130k IVs and crack a 128-bit WEP key in under 6 minutes. I struggled with nessus and canvas, never using them as effectively as I had in my lab practice. (the way of the world?) Eric and Chris pointed out that nessus can return false positives. This in turn (I suspect) led me to waste much time pursuing 'holes' that weren't there. On the other hand, an old friend and lower-level tool, cain&abel was very easy to use with great effect. Once we had established a user account on a system and added it to the admin group, it was simple to connect with cain and install abel as a backdoor. With that backdoor in place, cain gives you a GUI to launch a command console window, dump the password hashes, start and stop services and more. One team finally noticed the abel service running and turned it off, so I turned it back on. Then they disabled it, so I removed it and re-installed it. They then removed it and I re-installed it and turned it back on once again. In the meantime, William was running their password hashes through his rainbow crack tables.

The other guys on the red-cell team were awesome and inspiring to work with. Eric is amazing and articulate. Chris has a pen-testing background and knows lots of little tricks that work. William probably thinks in binary and is funny at the same time. (no small feat!) The event organizers, Tim Rosenberg (White Wolf Security) and Casey O'Brien (CyberWATCH) did an amazing job of organizing the event and making it happen. This is something I hope we'll see a lot more of in the future. Some other areas have already organized state by state eliminations just to get into a regional semi-final event like this one and I suspect soon we'll see the same thing for Virginia, Maryland, Pennsylvania, etc. I hope SANS will continue to get more involved with these events all over the country."

The event was exciting and fun and a terrific learning experience for the students who participated. You could really see this when, after the debriefing at the end of the event, clusters of students thronged around the red-cell area asking questions about what had happened and how things worked.
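
The sequence Fink describes (an account added to the admin group, a backdoor service installed, then re-installed each time the defenders removed it) leaves a trail a defending team can check for in its event logs. The following is an added example, not code from the article or the competition: the events, host names and record layout are constructed, and the event IDs are an assumption based on modern Windows logging (4732 for a member added to a local group, 7045 for a service installed).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (timestamp, host, event ID, fields). Not real data.
# Assumed IDs: 4732 = member added to local group, 7045 = service installed.
EVENTS = [
    ("2024-03-09T09:02:11", "host-a", 4732, {"group": "Administrators", "member": "helpdesk2"}),
    ("2024-03-09T09:05:40", "host-a", 7045, {"service": "Abel"}),
    ("2024-03-09T10:00:00", "host-b", 7045, {"service": "PrinterHelper"}),
    ("2024-03-09T11:30:02", "host-a", 7045, {"service": "Abel"}),
    ("2024-03-09T13:12:45", "host-a", 7045, {"service": "Abel"}),
]

def detect(events, window=timedelta(minutes=30), reinstall_threshold=2):
    """Return (host, finding, detail) tuples in event order.

    Two checks per host:
      service-after-admin-add: a service is installed within `window`
        of an account being added to the local Administrators group.
      service-reinstalled: the same service name is installed again,
        which means something keeps putting it back after removal.
    """
    findings = []
    admin_adds = defaultdict(list)   # host -> [(time, member)]
    installs = defaultdict(int)      # (host, service) -> install count
    for ts, host, event_id, data in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if event_id == 4732 and data["group"].lower() == "administrators":
            admin_adds[host].append((when, data["member"]))
        elif event_id == 7045:
            name = data["service"]
            for added, member in admin_adds[host]:
                if timedelta(0) <= when - added <= window:
                    findings.append((host, "service-after-admin-add",
                                     f"{name} after {member}"))
                    break
            installs[(host, name)] += 1
            # Report once, at the moment the threshold is reached.
            if installs[(host, name)] == reinstall_threshold:
                findings.append((host, "service-reinstalled", name))
    return findings

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

A re-install finding is the signal that removing the service is not enough: the account and credentials used to install it are still valid and need to be dealt with first.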


1 http://student.ccbcmd.edu/~cobrie12/ccdc/index.html
2 http://utsa.edu/cias/CCDC/
3 http://www.ciscopress.com/articles/article.asp?p=462526&seqNum=3&rl=1
4 http://www.whitewolfsecurity.com/
5 Email, March 13, 2007 Rosenberg to Northcutt
6 Email, March 13, 2007 Fink to Northcutt