The Collegiate Cyber Defense Competition Year 3: Revenge of the Red Cell
Last updated Jan 25, 2008.
The Collegiate Cyber Defense Competition is an annual national event that tests the abilities of college students to work together, overcome some very difficult technical challenges, and deal with an onslaught of nasty attacks from a seasoned group of security professionals.
Prior to the nationals, several regional events are held to determine which schools from around the nation get to participate. We attended the Mid-Atlantic CCDC event, which is developed and maintained by CyberWATCH, which funds the event via a grant from the National Science Foundation. To put the event on, White Wolf Security and the Community College of Baltimore County come together to design and run a game that meets the requirements of the competition.
According to CyberWATCH, the CCDC event was created for the following reason:
In this update we are going to give you a behind-the-scenes look at the third installment of this story as we go to the State Qualifying Rounds and join up with the Red Cell to infiltrate the students’ networks.
In the two previous years we attended the competition as observers and basically served as a technical reporter for the event. The first year was a learning experience for everyone involved and included a few surprises that no one saw coming. One of these was the realization that a Red Cell will operate right up to the limit of the rules, and if there isn't a specific set of guidelines, well, everyone had better watch out. In addition, the organizers quickly discovered that college students should not be given enterprise-level firewalls/routers to configure, as they will most likely break them. Since all firewalls/routers are online and in production, there are no second chances when you "commit" a bad set of rules.
However, and perhaps because of the dynamics of the first year of the CCDC, the second year was twice as popular. Again, some more lessons were learned, but overall the event went much more smoothly. The Red Cell was given specific instructions as to what was, and what was not permitted. The White Cell (operators of the event) knew what to expect and were ready with a wide range of challenges to inject into the games. And finally, the students had some idea of what to expect as they walked into the event and prepared to compete against other colleges in the area.
Once again, news of the event spread and more colleges signed up. So, in order to keep a grasp on the chaos that ensues at these events, a preliminary day-long qualifying event was designed to determine which college groups had the best chance of winning the regionals. From each of the two qualifying events, two college teams would be selected to go on to the regional CCDC in March 2008. It was the second qualifying event that we attended, except this time we joined the Red Cell and enjoyed some of the action instead of just standing by the sidelines and watching. The following is a basic timeline of the events and how the day unfolded.
8:00
I woke up at a normal time on Saturday 19th of January, after a restless night that was more filled with attack scenarios than sleep. However, by the time I got to White Wolf Security, where the event was held, I was ready to go. Several other members of the Red Cell were there, so we started to discuss the attack strategy.
Since this was the second pre-regional event for most of the Red Cell members, they had learned what didn't work and what worked well. One of the key tools that we all decided to use to gain initial access was CORE IMPACT, which is the most powerful consumer-based (i.e. for sale) penetration testing tool on the market. Unfortunately, two members of the group had some issues getting the software to run correctly, which was compounded by the fact that, as straightforward as the program is to use, learning the ins and outs of CORE in less than 30 minutes is not really feasible.
However, in between troubleshooting connectivity problems, getting set up, and getting familiar with CORE, we discussed various strategies and decided to split up the four target networks (one network per student group) among the four present Red Cell members. And then we waited...
8:45
Prior to the GO point we were allowed to perform non-invasive reconnaissance on our targets. This basically meant we were allowed to scan their system for open ports and running services; active attacks were off limits. The end result was that we had a fingerprint of our targets by the time we were allowed to pull the trigger.
In order to understand the next part, you need to realize that these events are not designed to be a competition between the Red Cell and the student teams. The Red Cell simply serves as one of the challenges the students must recognize, deal with, and overcome. Since this was a preliminary event that was only slated to last eight hours, the organizers mainly wanted to test the students on a few key aspects. First, can the team handle intense pressure and not panic? A team that doesn't have the ability to step back from the situation and think reasonably will not survive in the regional event, much less the nationals. Second, can the team handle a foreign landscape of systems, services, and business injects (e.g. install a wiki, change user accounts, set up and install a program) on the fly? This aspect of the game requires the students to work together and use their skills wisely. And finally, do they have the ability and knowledge to deal with security threats, including an understanding of what is most important from a business perspective? For example, sometimes it makes sense to take an infected machine offline for a few minutes and suffer the short-term consequences rather than allow an insecure machine to stay online just to keep a service available.
So, why do we mention all this? Well, at 8:45am the Red Cell was let loose on a network with a wide range of unprotected services and unpatched systems (Figure 1). Oh, and all systems and services were set up with default passwords. As you can imagine, the first hour or so was very eventful. If anything, the low hanging fruit was soooo plentiful that none of us could really get enough.
Figure 1: System Diagram
Within the first five minutes, CORE IMPACT had found and exploited at least three Windows machines on each team's network. With shell access gained, local accounts as well as administrator and domain administrator accounts were added. In addition to this, the Red Cell gained control over the firewalls and had installed a few extra accounts on the BSD/Linux machines, created SSH keys for future root access in case the password was changed, and installed accounts on the MySQL server and dumped their existing databases. Needless to say, that first hour or so went by really fast.
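What the student teams needed at this point was a way to notice exactly this kind of persistence: extra accounts, keys planted for later, shells changed on service accounts. The script below is an added example, not something from the article, the competition or the Red Cell's toolkit. It compares a known-good snapshot of an /etc/passwd file and an authorized_keys file against the current contents and reports new accounts, accounts that gained uid 0, changed login shells, and SSH keys that were not in the baseline (matched by SHA256 fingerprint, so a renamed comment does not hide a key). The snapshot contents and the "key material" are constructed for the demonstration, and the function names are my own.

```python
"""Baseline-drift check for local accounts and SSH authorized_keys.

Hypothetical defender-side script (added here; not from the article, the
competition or the Red Cell's toolkit). It compares a known-good snapshot
with the current state and reports the persistence described above: new
accounts, accounts that gained uid 0, changed login shells, and SSH keys
that were not in the baseline. All sample data below is constructed.
"""
import base64
import hashlib


def parse_passwd(text):
    """Parse /etc/passwd-style lines into {user: (uid, gid, shell)}."""
    users = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7:      # blank or malformed line: skip, don't crash
            continue
        name, _pw, uid, gid, _gecos, _home, shell = fields
        users[name] = (int(uid), int(gid), shell)
    return users


def key_fingerprint(line):
    """Return (SHA256 fingerprint, comment) for one authorized_keys entry.

    Entries may start with options such as no-pty,command="...", so the key
    type token is located first instead of assuming it is the first field.
    """
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(tokens):
            try:
                blob = base64.b64decode(tokens[i + 1])
            except ValueError:    # not valid base64: not a usable key line
                return None
            digest = base64.b64encode(hashlib.sha256(blob).digest()).decode()
            return "SHA256:" + digest.rstrip("="), " ".join(tokens[i + 2:])
    return None


def diff_accounts(baseline_text, current_text):
    """List (kind, user, detail) findings between two passwd snapshots."""
    base, cur = parse_passwd(baseline_text), parse_passwd(current_text)
    findings = []
    for name, (uid, _gid, shell) in cur.items():
        if name not in base:
            findings.append(("new_account", name, f"uid={uid} shell={shell}"))
            continue
        b_uid, _b_gid, b_shell = base[name]
        if uid == 0 and b_uid != 0:
            findings.append(("uid0_granted", name, f"{b_uid}->0"))
        if shell != b_shell:
            findings.append(("shell_changed", name, f"{b_shell}->{shell}"))
    for name in base:
        if name not in cur:
            findings.append(("account_removed", name, ""))
    return findings


def diff_authorized_keys(baseline_text, current_text):
    """List keys present now that were not in the baseline, by fingerprint."""
    known = set()
    for line in baseline_text.splitlines():
        parsed = key_fingerprint(line)
        if parsed:
            known.add(parsed[0])
    findings = []
    for line in current_text.splitlines():
        parsed = key_fingerprint(line)
        if parsed and parsed[0] not in known:
            findings.append(("new_ssh_key", parsed[0], parsed[1]))
    return findings


def _fake_blob(label):
    """Constructed stand-in for key material (not a real public key)."""
    return base64.b64encode(label.encode()).decode()


# Constructed snapshots: baseline taken before the game, current taken later.
BASELINE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""
CURRENT_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www:x:33:33:www-data:/var/www:/bin/bash
support:x:0:0:support:/root:/bin/bash
"""
BASELINE_KEYS = "ssh-ed25519 " + _fake_blob("constructed-admin-key") + " admin@workstation\n"
CURRENT_KEYS = BASELINE_KEYS + 'no-pty,command="/bin/sh" ssh-rsa ' + _fake_blob("constructed-unknown-key") + " backup\n"


def run_checks():
    """Run both comparisons over the constructed snapshots."""
    return diff_accounts(BASELINE_PASSWD, CURRENT_PASSWD) + diff_authorized_keys(BASELINE_KEYS, CURRENT_KEYS)


if __name__ == "__main__":
    for kind, subject, detail in run_checks():
        print(f"{kind:16} {subject} {detail}")
```

In practice the baseline would be captured at the start of the lock-down window and the comparison re-run on a timer; a key that has legitimately been added shows up once and is then added to the baseline, and every other new key or account is a lead worth chasing.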
9:30
By 9:30 the Red Cell started to slow down a bit, but that was soon to change. During the first hour one of the Red Cell members had to troubleshoot issues that cost him some time. While he was dealing with this, his network was handed off to another cell member, and at least the Windows machines were compromised and under the control of the Red Cell as a whole.
Once the troublesome machine was back online, the Red Cell worked together to get a creation of his installed on every machine possible. The creation was a specially compiled version of Poison Ivy, a remote access Trojan that contains a full set of features and functions to give an attacker full control over the infected computer. Obviously such a tool would be very useful if deployed across the target machines, so the Red Cell came together and infected numerous machines with this malware — to great effect. In fact, thanks to this Trojan, the Red Cell was able to enjoy a little afternoon playtime, but more on that later.
The key to the game, from the Red Cell's perspective, was to make services invisible to the score bot. To do this, the Red Cell team employed a wide range of tactics and tricks. One member used Cain & Abel, a valuable resource in any professional's arsenal, to remotely log into and disable essential services on his targets. This particular program can connect to open IPC$ shares and give an attacker full command line access and more. Another person disabled access to services at the firewall to ensure the internal network was "offline" to the scoring machine. Metasploit was also deployed to remotely take over and control various machines.
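To see why these tricks worked, it helps to know what a scoring engine actually tests. The code below is an added illustration of a score-bot style check and is not the competition's scoring system: a service only counts as "up" if it answers its protocol (here, HTTP with a 2xx response), so a firewall rule that drops the scorer's traffic, a stopped service, and a port that accepts connections but never responds all register as failures. It runs offline against a throw-away local HTTP server and a deliberately silent listener, both constructed for the demo; the three state names are my own.

```python
"""Minimal score-bot style availability check.

Hypothetical illustration of what a scoring engine sees (added here; not the
competition's score bot). A service is 'up' only if it answers its protocol,
not merely because the TCP port accepts a connection. The demo server and the
silent listener below are constructed stand-ins for a team's machines.
"""
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class _DemoHandler(BaseHTTPRequestHandler):
    """Serves a fixed page: stand-in for a team's healthy web server."""

    def do_GET(self):
        body = b"scoreboard demo\n"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo quiet
        pass


def start_demo_server():
    """Start the demo HTTP server on an ephemeral localhost port."""
    server = HTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def start_silent_listener():
    """Port that completes TCP handshakes but never speaks (stuck or hijacked service)."""
    sock = socket.socket()
    sock.bind(("127.0.0.1", 0))
    sock.listen(1)
    return sock, sock.getsockname()[1]


def check_tcp(host, port, timeout=2.0):
    """Layer-4 check: can we complete a TCP handshake at all?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:                  # refused, unreachable, or dropped (timeout)
        return False


def check_http(host, port, path="/", timeout=2.0):
    """Layer-7 check: does the service answer HTTP with a 2xx status in time?"""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        status = conn.getresponse().status
        return 200 <= status < 300
    except (OSError, http.client.HTTPException):
        return False
    finally:
        conn.close()


def score_service(host, port):
    """Classify a service the way a scorer would: 'up', 'port-open-but-not-serving', 'down'."""
    if not check_tcp(host, port):
        return "down"
    return "up" if check_http(host, port) else "port-open-but-not-serving"


if __name__ == "__main__":
    srv, port = start_demo_server()
    print("demo server running:", score_service("127.0.0.1", port))
    srv.shutdown()
    srv.server_close()
    print("after the service is stopped:", score_service("127.0.0.1", port))
    silent, sport = start_silent_listener()
    print("port open but silent:", score_service("127.0.0.1", sport))
    silent.close()
```

The same shape applies to every scored service: the check must speak the protocol (a mail banner, a DNS answer, a database login), and the timeout is what turns a firewall drop into a visible outage rather than a hang.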
12:00
The morning went by very quickly as machines were owned, backdoors installed, and services repeatedly turned off. However, around 12:00pm – 1:00pm, several of the teams had gained control over their machines and started to realize the firewall, a Cisco ASA, could be a valuable asset to keep the Red Cell out. In an effort to block the students from accessing the firewall, a rule set was added by the Red Cell to block their machines from the firewall interface, which essentially forced several teams to learn how to do a console-based password reset to regain control.
During the early afternoon the Red Cell remained busy as they monitored the various owned machines for information related to password changes and business injects using screen captures and key loggers. This helped us maintain control over the targets as our illegitimate accounts were removed.
Another trick we used was to download the Outlook Express mail folders, which held a treasure trove of information. We also discovered a script one team had created to instantly change the password of every account on the domain, which we altered and ran, thus changing the password of every account to a password of our own choosing.
2:00
By mid-afternoon we were considering our options when one of the members remembered he had some prank software from http://www.rjlsoftware.com/software/entertainment/ that would make things interesting, at least from our perspective. So we uploaded the various executables and set an AT command to launch the prank software, to great effect. We can only imagine what the target team thought as their system started to install Windows Vista.
Figure 2: Vista Install
Once we had sufficiently amused ourselves, we again turned back to the task at hand. In preparation for the event, one of the members had prepared a Switchblade, which is essentially a malware-laden USB stick that automatically runs when it is inserted into a machine. This device was taken by one of the White Cell members, who walked around to each team and inserted the stick into the main Windows server. Only one team stopped him... and that was after it was inserted. We guarantee that more than one person learned how dangerous Autorun plus USB can be to an otherwise secure system.
3:00
At this point in the day, most of the obvious vulnerabilities were patched, exploited machines cleaned up, and the Red Cell was losing targets. So, we started to hunt for various services and applications that had been passed over in favor of the low hanging fruit. During this time we discovered that the targets were all supposed to have a webmail application running on one of their servers. After a quick scan, only two of the teams appeared to have the software running, and one of these teams still had the default user/pass enabled. Fortunately for them, the games were called off at about the same time this was discovered.
The Summary
Looking back, the Red Cell really had most of the odds in their favor, which made things amusing, but not very challenging. If each team had had enough time to change their default passwords, install important patches, and configure their firewall, the Red Cell would not have had anywhere near as much success. For better or worse, depending on perspective, this is exactly what the school teams will be able to do in March during the regional event. Specifically, they will have four hours of freedom to lock down their networks before the Red Cell ever gets to send in a packet.
At the same time, the March event will be full of surprises and anomalies that are bound to keep things very interesting, for both the Red Cell and the students. As the CCDC event evolves, you can bet that the complexity of the game will, too, as will the lessons learned.
Schools going on to the regionals:
- Community College of Baltimore County
- George Washington University
- James Madison University
- Towson University
Red Cell Members
- Robert Danford (Jan 12th event)
- Omar Fink (Jan 12th and Jan 19th event)
- Seth Fogie (Jan 19th event)
- Scott Hazel (Jan 12th and Jan 19th event)
- Michael LaSalvia (Jan 12th and Jan 19th event)
- Chris Patterson (Jan 19th event)
- William Saluski (Jan 12th event)
- Jerry Shenk (Jan 12th event)

