mreidiv Posted August 27, 2013

Some fellow classmates and I are going to enter a red vs. blue competition. Can anyone suggest any good simulations that we can practice with to help us out? I am looking for some help, as I have never entered a contest like this and am new to security. I know a lot of the basics, but any help from anyone who has done this before would be greatly appreciated. Thanks.
no42 Posted August 27, 2013

I don't know about simulations, but here are some tips:

Red Team

Before Start of Play
- Who will be the team organizer? The team organizer documents the networks, system names, OS versions, IP addresses, open ports, passwords, and updates configuration changes for everyone to see (such as on a whiteboard); helps to prioritize tasks; ensures that no systems are forgotten; monitors the functioning of the fictional production application(s) and otherwise maintains the “big picture” and a calm head while others are absorbed in the details and chaos of gameplay.
- Exactly which port numbers must be available on which systems for the scorebot? Try DoS attacks on these.
- How will the scorebot confirm that your other target application(s) are still running? Don’t block the scorebot.
- Which target systems are running the most vulnerable operating systems and/or services (such as IIS, RPC, SMB, and/or older unpatched software versions with known exploits)? Important to prioritize.
- What special tools will be available? Nmap, Nessus, Metasploit? Best to ask.
- Does everyone on the team know how to view live ports and established sessions?
- Does everyone know how to reset a password from the command line?
- Does everyone know how to escalate privileges on different architectures?
- Compile a list of default passwords (e.g. the ones on your system; the opposing team may forget to change these).
- Who are you permitted to ask for help if necessary? What can or can’t they do for you?

When Play Begins
- Full TCP and UDP port scans.
- Perform service enumeration and software version enumeration on open ports.
- Interrogate each open port manually with netcat.
- Don't add new accounts; stay stealthy and use compromised accounts.
- Don't upload common files that trip anti-virus alerts (e.g. Cain & Abel).
- Dump local hashes.
- Dump domain hashes.
- Dump LSA secrets (Windows).
- Dump cached passwords (Windows).
- Snarf session tokens (Windows).
- Finally, focus on your plan and don’t panic!

Blue Team

Before Start of Play
- Who will be the team organizer? The team organizer documents the networks, system names, OS versions, IP addresses, open ports, passwords, and updates configuration changes for everyone to see (such as on a whiteboard); helps to prioritize tasks; ensures that no systems are forgotten; reminds players to periodically check for compromise; monitors the functioning of the fictional production application(s) and otherwise maintains the “big picture” and a calm head while others are absorbed in the details and chaos of gameplay.
- Exactly which port numbers must be available on which systems for the scorebot? Can’t block these.
- How will the scorebot confirm that your other target applications are still running? Don’t block the scorebot.
- Which target systems are running the most vulnerable operating systems and/or services (such as IIS, RPC, SMB, and/or older unpatched software versions with known exploits)? Important to prioritize.
- What special tools will be available? Process Explorer? Wireshark? Tripwire? PowerShell? Best to ask.
- Does everyone on the team know how to view listening ports and established sessions?
- Does everyone know how to reset a password from the command line?
- Does everyone know how to kill a process?
- Does everyone know how to configure IPSec, the Windows Firewall and/or iptables for packet filtering?
- Who are you permitted to ask for help if necessary? What can or can’t they do for you?

When Play Begins
- Block all non-scorebot-required ports on all systems using IPSec/Windows Firewall/iptables.
- Assign a different 15+ character passphrase to every administrative account on every system.
- Change all default application and service passwords to a different 15+ character passphrase.
- Remove all accounts from all administrative groups on each system except for one.
- Delete or disable all user accounts, including Guest, except for the one administrative account on each system.
- Establish a baseline by saving lists of your current processes, listening ports, services, device drivers, user accounts, and all files ("dir /s /b" or "ls -lARt") to text files on each machine. If possible, generate a checksum database using a tool like Tripwire (or just md5sum). Use this information to detect compromise.
- Enable useful audit policies, clear all logs, and keep Event Viewer open (Windows) or "tail -f" critical log files (Linux). When you look at a log, if you notice that the only new events are of no security consequence, clear that log to reduce clutter during the games (it’s not real life).
- Continuously watch your list of established sessions, running processes, target applications and logs to try to detect malicious changes. Write scripts or use command history (up-arrow or F7) to help automate this work.
- Detect changes and respond: kill offensive processes, delete new user accounts, delete new binaries, etc.
- Finally, focus on your plan and don’t panic!
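The "establish a baseline, then detect changes" step from the blue-team list above, worked through as an added example that is not part of no42's post or of any tool it names. It is a small Bash script for a Linux box: it snapshots processes, listening sockets, local accounts and a checksum of every regular file, and on the next run prints which files were added, modified or removed. It assumes GNU coreutils, find and awk; `ps` and `ss` are used if present. `BASE_DIR` and the `snapshot`/`check` subcommands are this example's own choices. It uses sha256sum rather than the md5sum the post mentions, for the reason given in the comments.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: a minimal blue-team host
# baseline for a Linux box. Snapshots processes, listening sockets, local
# accounts and a file checksum database, then reports what changed between
# two snapshots. Assumes GNU coreutils, find, awk; ps and ss are optional.
set -u

# Assumption: where snapshots are kept. Red team can edit anything on a
# compromised host, so copy this directory off-box after each snapshot.
BASE_DIR="${BASE_DIR:-/var/tmp/baseline}"

# checksum_tree ROOT: "hash  path" per regular file under ROOT, stable order.
# -xdev stays on one filesystem so /proc, /sys and mounts are skipped, and the
# snapshot directory itself is pruned so the baseline does not flag itself.
# sha256sum is used instead of the md5sum the post mentions: MD5 collisions
# are cheap, and an attacker who can write a file can also choose its bytes.
checksum_tree() {
    find "$1" -xdev -path "$BASE_DIR" -prune -o -type f -print0 2>/dev/null \
        | sort -z \
        | xargs -0 -r sha256sum 2>/dev/null
}

# snapshot_host ROOT OUT_DIR: one text file per data source, for later diffing.
snapshot_host() {
    local root="$1" out="$2"
    mkdir -p "$out"
    ps -eo pid,ppid,user,comm,args --sort=pid > "$out/processes.txt" 2>/dev/null || true
    ss -tulnp                                > "$out/listeners.txt" 2>/dev/null || true
    getent passwd | cut -d: -f1,3,4,7 | sort > "$out/accounts.txt"  2>/dev/null || true
    checksum_tree "$root"                    > "$out/files.sha256"
}

# compare_checksums OLD NEW: print ADDED / MODIFIED / REMOVED lines, sorted.
# sha256sum output is 64 hex chars, two spaces, then the path, so the path is
# taken with substr() and survives spaces in file names.
compare_checksums() {
    [ -f "$1" ] || { echo "no baseline at $1; run snapshot first" >&2; return 1; }
    awk '
        FILENAME == ARGV[1] { old[substr($0, 67)] = $1; next }
        {
            path = substr($0, 67)
            if (!(path in old))        print "ADDED    " path
            else if (old[path] != $1)  print "MODIFIED " path
            seen[path] = 1
        }
        END { for (p in old) if (!(p in seen)) print "REMOVED  " p }
    ' "$1" "$2" | sort
}

# check_host ROOT: take a fresh snapshot and diff it against the stored one.
check_host() {
    local root="$1" cur="$BASE_DIR/current" new="$BASE_DIR/new"
    snapshot_host "$root" "$new"
    compare_checksums "$cur/files.sha256" "$new/files.sha256"
    for f in accounts.txt listeners.txt processes.txt; do
        diff -u "$cur/$f" "$new/$f" || true   # non-zero exit just means "changed"
    done
}

# Entry point: `baseline.sh snapshot /` once the box is hardened, then
# `baseline.sh check /` in a loop (e.g. under `watch -n 60`) during play.
case "${1:-}" in
    snapshot) snapshot_host "${2:?root dir required}" "$BASE_DIR/current" ;;
    check)    check_host "${2:?root dir required}" ;;
    *) ;;
esac
```

Take the snapshot only after the hardening steps (firewall, passphrases, account cleanup) are done, otherwise your own changes show up as "compromise". A new line in `accounts.txt`, a new listener in `listeners.txt`, or an `ADDED` binary under a web root or `/tmp` is exactly the kind of change the post tells you to kill, delete and re-lock, and the snapshot copied off the host gives you a copy the red team cannot quietly rewrite.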
mreidiv Posted August 30, 2013 (Author)

[quoting no42's post above]

Thanks man, great info.