Red vs Blue

mreidiv
Me and some fellow classmates are going to enter a red vs blue competition. Can anyone suggest any good simulations that we can practice with to help us out?

I am looking for some help as I have never entered a contest like this and am new to security. I know a lot of the basics, but any help from anyone that has done this before would be greatly appreciated.

Thanks


I don't know about simulations but here are some tips:

Red Team

Before Start of Play
  • Who will be the team organizer? The team organizer documents the networks, system names, OS versions, IP addresses, open ports, passwords, and updates configuration changes for everyone to see (such as on a whiteboard); helps to prioritize tasks; ensures that no systems are forgotten; monitors the functioning of the fictional production application(s) and otherwise maintains the “big picture” and a calm head while others are absorbed in the details and chaos of gameplay.
  • Exactly which port numbers must be available on which systems for the scorebot? Try DoS attacks on these.
  • How will the scorebot confirm that your other target application(s) are still running? Don’t block the scorebot.
  • Which target systems are running the most vulnerable operating systems and/or services (such as IIS, RPC, SMB, and/or older unpatched software versions with known exploits)? Important to prioritize.
  • What special tools will be available? Nmap, Nessus, Metasploit? Best to ask.
  • Does everyone on the team know how to view live ports and established sessions? Does everyone know how to reset a password from the command line? Does everyone know how to escalate privileges on different architectures?
  • Compile a list of default passwords (e.g. the ones on your system; the opposing team may forget to change these)
  • Who are you permitted to ask for help if necessary? What can or can’t they do for you?

When Play Begins
  • Full TCP & UDP Portscans
  • Perform Service Enumeration and Software Version Enumeration on open ports.
  • Interrogate each open port manually with netcat.
  • Don't add new accounts; stay stealthy and use compromised accounts.
  • Don't upload common files that trip anti-virus alerts (e.g. Cain & Abel).
  • Dump local hashes
  • Dump domain hashes
  • Dump LSA secrets (Windows)
  • Dump cached passwords (Windows)
  • Snarf session tokens (Windows)
  • Finally, focus on your plan and don’t panic!

Blue Team

Before Start of Play
  • Who will be the team organizer? The team organizer documents the networks, system names, OS versions, IP addresses, open ports, passwords, and updates configuration changes for everyone to see (such as on a whiteboard); helps to prioritize tasks; ensures that no systems are forgotten; reminds players to periodically check for compromise; monitors the functioning of the fictional production application(s) and otherwise maintains the “big picture” and a calm head while others are absorbed in the details and chaos of gameplay.
  • Exactly which port numbers must be available on which systems for the scorebot? Can’t block these.
  • How will the scorebot confirm that your other target applications are still running? Don’t block the scorebot.
  • Which target systems are running the most vulnerable operating systems and/or services (such as IIS, RPC, SMB, and/or older unpatched software versions with known exploits)? Important to prioritize.
  • What special tools will be available? Process Explorer? Wireshark? Tripwire? PowerShell? Best to ask.
  • Does everyone on the team know how to view listening ports and established sessions? Does everyone know how to reset a password from the command line? Does everyone know how to kill a process? Does everyone know how to configure IPSec, the Windows Firewall and/or iptables for packet filtering?
  • Who are you permitted to ask for help if necessary? What can or can’t they do for you?

When Play Begins
  • Block all non-scorebot-required ports on all systems using IPSec/Windows Firewall/iptables.
  • Assign a different 15+ character long passphrase to every administrative account on every system.
  • Change all default application and service passwords to a different 15+ character passphrase.
  • Remove all accounts from all administrative groups on each system except for one.
  • Delete or disable all user accounts, including Guest, except for the one administrative account on each system.
  • Establish a baseline by saving lists of your current processes, listening ports, services, device drivers, user accounts, and all files (“dir /s /b” or “ls -lARt”) to text files on each machine. If possible, generate a checksum database using a tool like Tripwire (or just md5sum). Use this information to detect compromise.
  • Enable useful audit policies, clear all logs, and keep Event Viewer open (Windows) or “tail -f” critical log files (Linux). When you look at a log, if you notice that the only new events are of no security consequence, clear that log to reduce clutter during the games (it’s not real life).
  • Continuously watch your list of established sessions, running processes, target applications and logs to try to detect malicious changes. Write scripts or use command history (up-arrow or F7) to help automate this work. Detect changes and respond: kill offensive processes, delete new user accounts, delete new binaries, etc.
  • Finally, focus on your plan and don’t panic!
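
The first blue-team step above ("block all non-scorebot-required ports ... using iptables") is where teams most often lock themselves out or block the scorebot. The script below is an added example, not code from the post above: it generates a default-deny iptables ruleset in iptables-restore format from an allowlist of scorebot-required ports, keeping loopback and replies to your own outbound traffic open. It assumes a Linux host with iptables and the conntrack match; the scorebot address (10.0.0.5) and the port lists are placeholders to replace with what the organizers tell you.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: build a default-deny iptables
# ruleset that leaves only the scorebot-required ports reachable, emitted in
# iptables-restore format. Assumes Linux with iptables and the conntrack match.
# The scorebot address and port lists passed in are placeholders.
set -u

emit() { printf '%s\n' "$@"; }   # printf, because a rule starting with "-A" confuses echo

# gen_ruleset <scorebot_ip> <tcp_ports_csv> [udp_ports_csv]
# Inbound policy DROP; loopback and replies to our own connections allowed;
# each listed port allowed from anywhere (the scorebot must reach it, and so
# must your teammates); ICMP echo only from the scorebot; everything else is
# rate-limit logged and then falls through to the DROP policy.
gen_ruleset() {
  local scorebot="$1" tcp="${2:-}" udp="${3:-}" p
  local IFS=,                       # split the CSV port lists on commas only
  emit '*filter'
  emit ':INPUT DROP [0:0]'
  emit ':FORWARD DROP [0:0]'
  emit ':OUTPUT ACCEPT [0:0]'
  emit '-A INPUT -i lo -j ACCEPT'
  emit '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  emit '-A INPUT -m conntrack --ctstate INVALID -j DROP'
  emit "-A INPUT -s $scorebot -p icmp --icmp-type echo-request -j ACCEPT"
  for p in $tcp; do
    if [ -n "$p" ]; then
      emit "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    fi
  done
  for p in $udp; do
    if [ -n "$p" ]; then
      emit "-A INPUT -p udp --dport $p -j ACCEPT"
    fi
  done
  emit '-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IN-DROP: "'
  emit 'COMMIT'
}

# Apply atomically (needs root). Keep a console session open while you do it,
# then confirm with `iptables -S` and by re-checking the scorebot's view.
apply_ruleset() { gen_ruleset "$@" | iptables-restore; }

# Usage: ./fw.sh show  10.0.0.5 80,443 53     (print the ruleset)
#        ./fw.sh apply 10.0.0.5 80,443 53     (load it)
case "${1:-}" in
  show)  gen_ruleset   "$2" "$3" "${4:-}" ;;
  apply) apply_ruleset "$2" "$3" "${4:-}" ;;
esac
```

Review the output of `show` against the scorebot port list before `apply`; the ESTABLISHED,RELATED rule is what keeps your own SSH and admin sessions alive after the policy flips to DROP, and the LOG rule gives you a `dmesg`/syslog trail of what the red team is probing.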
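
The "establish a baseline ... use this information to detect compromise" and "continuously watch ... detect changes and respond" steps above are one procedure: snapshot, re-snapshot, diff. The script below is an added example and not code from the post above: it takes the baseline the checklist describes (file hashes, listening sockets, accounts, process names) and reports exactly which lines appeared or vanished. It assumes a Linux host with coreutils (find, sort, comm) plus sha256sum, and ss or netstat for sockets; the paths in the usage lines (/var/baseline, /var/www) are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: baseline-and-diff helper for
# the blue-team checklist. Assumes Linux with coreutils and sha256sum (falls
# back to md5sum), and ss or netstat for listening sockets.
set -u

# One "<hash>  <path>" line per regular file under $1, sorted as whole lines
# so comm(1) can compare two snapshots. sha256sum is preferred over md5sum
# because an attacker can craft an MD5 collision for a replaced binary.
snapshot_files() {
  local root="$1" hasher="sha256sum"
  command -v sha256sum >/dev/null 2>&1 || hasher="md5sum"
  find "$root" -type f -exec "$hasher" {} + 2>/dev/null | LC_ALL=C sort
}

# Listening TCP/UDP sockets as "<proto> <local address:port>"; empty if neither tool exists.
snapshot_ports() {
  {
    if command -v ss >/dev/null 2>&1; then
      ss -Hnltu 2>/dev/null | awk '{print $1, $5}'
    elif command -v netstat >/dev/null 2>&1; then
      netstat -tuln 2>/dev/null | awk 'NR > 2 {print $1, $4}'
    fi
  } | LC_ALL=C sort -u
}

# Accounts as name:uid:shell, and the set of distinct process names.
snapshot_users() { cut -d: -f1,3,7 /etc/passwd | LC_ALL=C sort; }
snapshot_procs() { ps -eo comm= 2>/dev/null | LC_ALL=C sort -u; }

# take_baseline <out_dir> <watched_dir>: write all four snapshots into out_dir.
take_baseline() {
  local out="$1" watched="$2"
  mkdir -p "$out"
  snapshot_files "$watched" > "$out/files"
  snapshot_ports            > "$out/ports"
  snapshot_users            > "$out/users"
  snapshot_procs            > "$out/procs"
}

# compare_snapshot <baseline_file> <current_file>: print lines that vanished
# ("- ") or appeared ("+ "); return 1 if anything changed, 0 if identical.
compare_snapshot() {
  local changes
  changes=$({ LC_ALL=C comm -23 "$1" "$2" | sed 's/^/- /'
              LC_ALL=C comm -13 "$1" "$2" | sed 's/^/+ /'; })
  if [ -z "$changes" ]; then
    return 0
  fi
  printf '%s\n' "$changes"
  return 1
}

# check_against_baseline <baseline_dir> <watched_dir>: re-snapshot everything,
# print the per-category diff, return 1 if any category changed. Run it in a
# loop (e.g. under `watch -n 30`) and triage every "+" line: a new listening
# port, a new uid-0 account or a changed file under the watched tree is what
# the checklist means by "detect changes and respond".
check_against_baseline() {
  local base="$1" watched="$2" rc=0 tmp category
  tmp=$(mktemp -d)
  take_baseline "$tmp" "$watched"
  for category in files ports users procs; do
    if ! compare_snapshot "$base/$category" "$tmp/$category" > "$tmp/$category.diff"; then
      printf '== %s changed ==\n' "$category"
      cat "$tmp/$category.diff"
      rc=1
    fi
  done
  rm -rf "$tmp"
  return "$rc"
}

# Usage: ./baseline.sh baseline /var/baseline /var/www   (once, right after hardening)
#        ./baseline.sh check    /var/baseline /var/www   (repeatedly during play)
case "${1:-}" in
  baseline) take_baseline          "$2" "$3" ;;
  check)    check_against_baseline "$2" "$3" ;;
esac
```

Take the baseline only after the password changes and firewall rules are in, otherwise your own hardening shows up as "changes". Expect the procs category to be noisy (cron children, your own shells); the files, ports and users categories should be silent unless something happened.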

Thanks man, great info.