2010-09-22

Experiences from the red team.

My experiences from the red team:
Ax0n posted his experiences at CyberRaid 0 and I totally agree, leadership and coordination make a big difference. I am not an experienced penetration tester so my efforts were mostly for naught. The red team had some very talented people but we didn't coordinate our efforts until it was too late.

Shenanigans :
Before the game, unbeknownst to every one, a red teamer spread around a bunch of authentic looking USB keys with some uber proprietary security software. Complete down to the holographic tamper evident tape. He also placed a power strip which had a baby monitor built into it. The baby monitor was ineffective, it was on the 49Mhz band which is horrible for indoor reception. Because the blue team was separated from the game network this did not work either but any one running the dongle got hit with a Trojan horse / remote control app. The USB keys were confiscated by the FBI (literally).

Wasted time:
The scoring system was down, and DNS was not working so in effect the contest didn't start until after lunch. This was poor planning on the contest promoters. The network connection kept going down so that was even more wasted time. The bulk of the points were scored by a group who concentrated on the default password angle. Alot of people were using Metasploit and once the egress filtering kicked in that halted all progress on that front.

MOAR SHENANIGANS !
Ax0n pretty much confirmed my suspicions, (at least from his team) that most services were firewalled off in addition to egress filtering with the exception of services needed to score. This method of defense really hamstrung red teams efforts in that it prevented the scoring mechanism from working. That combined with shall we say, creative interpretation of the rules made it tough going on every one.

What were you expecting?
On day one and the tail end of day two, law enforcement came in looking for mac-addresses and IP addresses, and came up empty handed every single time. The first time we learned that a team caught some one hitting their web apps with a web app vulnerability scanner. They collected a mac address and an IP and turned it into the cops. The mac address was the Cisco switch (duh, routed network) and the IP address has been tossed long ago. The following attempts of catching the l33t hax0r also ended in utter failure. Mostly because Mac addresses are easily changed, especially on virtual machines. They were getting no where and really should have concentrated on doing their job.

After learning about the total ineffectiveness of the blues attempts of catching people most people just opened up on them, full blown Fasttrack scans ...etc

In the end ...
In the last hour we did what we should have done from the start, we talked. The networks were mostly patched and firewalled all to hell so really we were down to actions of last resort. One item of interest was looking for a machine with poorly configured IP forwarding and bounce crafted packets off of it to the scoring server. I think a large part of our lack of success was stepping on each others toes and poor communication.

What I took away from this event:

  • Teamwork!
  • Communication!
  • Egress filtering hamstrung people using remote exploits.
  • IDS's only work if you can use them.
  • Law enforcement is worthless unless you have done the leg work and provide them with useful information.
  • Be professional, being childish gets you nowhere.
  • Beware of default logins and bad configurations.

blog comments powered by Disqus