Defcon 11 CTF Review - PowerPoint PPT Presentation

About This Presentation
Title:

Defcon 11 CTF Review

Provided by: Chris9

Transcript and Presenter's Notes

1
Defcon 11 CTF Review
  • LCDR Eagle

2
Packet Capture Review
  • Packet captures available here
  • http://www.shmoo.com/cctf/mirrors.shtml
  • Files split up by team
  • Scoring system IP 192.168.102.2
  • Easy to filter scoring traffic from player traffic

3
Blue Team Lessons Learned
  • Too many open ports at comex
  • mysql port open to incoming traffic
  • Took 1.5 hours before attackers were logging in
    to our unsecured databases
  • Took us another 1:45 to get our databases secured
    • Passwords changed
  • Not until 2110 on day 2 did we block incoming
    mysql
  • We continued to log into some teams' mysql servers
    through 1150 on the last day

4
MySql Attacks
  • Against us, only "attack" queries seen were to
    update flag in jobs database
  • No sql attacks against news database
  • No sql attacks against ads database
  • Some "drop table" attacks
  • Overall
  • Additional attacks against psl_story and
    ads_images, admin_pw, ads_config tables
  • Lots of badly formed sql

5
ttl Issues
  • Scoring system ttl was 63 in all but 9 packets
    (of 40741 total to blue team)
  • From opponents
    • 308468 total incoming packets to server
    • 134928 had ttl != 63
  • Almost 44% of all incoming traffic could have
    been dropped based on ttl alone
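One way to reproduce the ttl count above over a team's capture, as an added example (not the presenter's code): it walks the records of a classic Ethernet pcap, reads each IPv4 ttl and reports what a "drop unless ttl == 63" rule would have done, including how much scoring-system traffic it would have cost. The scoring-system address and ttl come from the slides; the capture bytes, MAC/IP values and parameter names are constructed here.

```python
import struct

SCORING_IP = "192.168.102.2"   # scoring system address (slide 2)
SCORING_TTL = 63               # ttl the scoring system used (slide 5)

def ipv4_packets(pcap: bytes):
    """Yield (src_ip, ttl) for each IPv4-over-Ethernet record in a classic pcap."""
    magic, = struct.unpack_from("<I", pcap, 0)
    end = "<" if magic == 0xA1B2C3D4 else ">"
    link_type, = struct.unpack_from(end + "I", pcap, 20)
    assert link_type == 1, "example handles Ethernet (DLT 1) captures only"
    off = 24                                     # skip the 24-byte global header
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from(end + "IIII", pcap, off)
        frame = pcap[off + 16 : off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                             # not IPv4, skip it
        ip = frame[14:]
        yield ".".join(str(b) for b in ip[12:16]), ip[8]

def ttl_filter_report(pcap: bytes) -> dict:
    """What a 'drop unless ttl == SCORING_TTL' rule would do to this capture."""
    r = {"total": 0, "dropped": 0, "scorer_dropped": 0}
    for src, ttl in ipv4_packets(pcap):
        r["total"] += 1
        if ttl != SCORING_TTL:
            r["dropped"] += 1
            if src == SCORING_IP:
                r["scorer_dropped"] += 1         # false positives: lost scoring traffic
    return r

# Constructed capture: minimal frames with zero MACs, no real traffic.
def _frame(src: str, ttl: int) -> bytes:
    eth = b"\x00" * 12 + b"\x08\x00"             # ethertype 0x0800 = IPv4
    ip = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, ttl, 6, 0, 0])
    ip += bytes(int(o) for o in src.split(".")) + bytes([192, 168, 5, 2])
    return eth + ip

def _pcap(frames) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

SAMPLE_PCAP = _pcap([_frame(SCORING_IP, 63)] * 5
                    + [_frame("192.168.5.77", 64), _frame("192.168.5.77", 128),
                       _frame("10.0.0.9", 63)])
```

On the sample, `ttl_filter_report(SAMPLE_PCAP)` drops the two non-63 frames and none of the scoring traffic; a ttl of 63 from a player host (the last frame) still gets through, which is the "look like the scoring system" point of slide 8.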

6
Search.cgi
  • Buffer overflow published 6/13
  • No evidence that anyone used it
  • Some long strings with
    • q=<long string>
    • wfl=<long string>
  • Dave Aitel's discovery

7
Http Host Header
  • Scoring system always used
    • Host: blue.rootfu.jp
  • In 3 days only 32 http requests came in from
    players using Host: blue.rootfu.jp
  • All others used Host: 192.168.5.2
  • Proper Apache VirtualHost configuration would
    have sent all but 32 requests to a decoy site

8
Summary
  • Look like the scoring system when you attack
  • Block/Redirect traffic that does not look like
    the scoring system

9
Building a CTF Network
  • Firewall your server
  • Must be able to selectively block incoming
    traffic
    • By protocol, ports, ttl
  • You want more control than a DSL/VPN firewall
    will give you

10
Defenders
  • Put them in the server zone
  • Disallow all outbound traffic at the firewall
  • Defenders can ssh into the server
  • Use static arp in server zone to reduce traffic
    • Less traffic for packet monitors to sort through

11
Attackers
  • Outside firewall
  • Allows them to test server
  • Can have a firewall of their own but not required

12
CTF Network
  (slide diagram: Game feed, switch, Server fw, switch, server; Attackers and Defenders zones)
  • Sniff at the game feed: it may be useful to see how you are
    being attacked
  • Note: use of switches reduces the amount of
    traffic seen at the sniffers
  • Sniff inside the server firewall: this is the traffic you need to worry
    about, and it is also indicative of your firewall
    performance
13
Responsibilities
  • Group into attacker/defender pairs
    • Sit next to each other
    • How is the service scored
    • Changes to secure the service
  • Firewall maintainer
    • Keep notes
  • Server maintainer
    • Overall configuration tracking
    • Coordinate with individual service defenders
    • Observe server activity

14
Miscellaneous
  • Bring enough power strips
    • Extension cords
  • Bring enough cat-5
    • Long ones too
    • Crossover cables
  • CD burner
    • Blank CDs!
  • O/S software
  • Team will need internet access for reference