This year's red team was once again a force to be reckoned with, and for good reason — they were all donated to CCDC by SANS, the "…most trusted and by far the largest source for information security training, certification and research in the world." With leading security researchers, trainers and incident handlers from SANS behind the keyboard, the various school teams had much to fear (Figure 3).
Figure 3: The Red Team in Action (William Salusky, Chris Patterson, Omar Fink, Eric Cole, Tim Rosenberg)
As expected, once the red team was let loose they were quickly able to establish a foothold in several systems. As we previously guessed, default passwords and configurations were not the main method of intrusion. Instead, it was the lack of proper security updates and the use of insecure passwords that landed the red team the most points.
However, as luck would have it, seven of the eight teams managed to break their firewalls, which meant the red team had little to access soon after the event started. For that matter, neither did the scorebot that was used to keep track of the various services each team was supposed to keep up and running. To remedy this issue, each of the firewalls was returned to its default state and the teams were strongly advised to focus on the core systems and to leave the firewall alone.
Just like in the previous year, each of the red team members had their favorite tools and techniques. One member stuck solely to Windows and leveraged Core Impact against the students with alarming success. On the other hand, another team member went to the opposite extreme and set up his own proxy/firewall that he routed his attacks through, simply because he does not trust anyone or anything. This particular red team member was also highly versed in IRC bot-based backdoors, and took advantage of the rootkits that were hidden in the teams' systems to further his intrusion. The remaining two team members stuck mainly to Linux-based tools such as Metasploit, Nessus and various other command line programs, and were able to get into and maintain control over several systems for the majority of the event.
There were several interesting attacks that combined different techniques and tools to help the red team reach their goals. For example, one red team member used Hydra to brute-force a team's firewall. Once that SSH password was obtained, he logged in, wiped the existing logs, and forwarded all new logs to /dev/null (nowhere). At this point he started to sniff for LanMan hashes on the inside network, which he then uploaded to his own server and cracked with a rainbow table. With the user account in hand, he was then able to take over the captured Windows account and infect the system with an IRC bot of his own creation.
Another red team member discovered an unpatched system, exploited it with the DCOM RPC vulnerability in Metasploit, installed his own account, logged in remotely via RDP, and then used the team's own sniffer to steal the username and password of the main IMAP account. Since this is the primary account used to communicate between the scorebot and the teams, including all password changes, the attack was a definite success.
Other noteworthy attacks included finding vulnerable scripts in osCommerce, exploiting the Apache Chunk Overflow vulnerability and then tampering with DNS entries to prevent the scoring from working, and finding out that the VNC server was accessible with the username/password VNC/VNC. The VNC discovery caused a few laughs as the vulnerable team noticed their cursor moving around (their first reaction was "PULL THE PLUG!"). Once the panic subsided, the red team lost access to the server when one of the students simply disabled the VNC service and broke the connection. However, at this point the intrusion was already scored and the points had been added.
One final incident that resonated close to home was when one team decided to reinstall their Windows box — while connected to the network. Having dealt with many systems that were infected with the Sasser worm, I know that it only takes minutes for an unpatched system to fall prey to an attacker or some form of malware once it is connected to the internet. Fortunately for this team, it was only the red team that discovered the unprotected system and owned it before it was properly patched. The lesson here is that you should never put an unprotected and unpatched system online for any reason. Ensure you are behind a firewall and only access trusted sites if your computer is not fully secured. Otherwise you might as well hang a huge sign on the computer saying "own me."