Symantec, as a leader in the security domain for both the enterprise and consumer businesses, has been very proactive in adopting security best practices and policies and in educating people within the company about them. Towards this end, the CyberWarGames is an important event within the Symantec community for finding the best and the brightest in the IT security domain. As a participant I felt it would be worthwhile to document my experience and elaborate on why we should make this an annual affair at Symantec.
The CyberWar Games is a virtual, online event with the same format as a CTF (Capture the Flag), where we were asked to take on the role of an attacker, take down sensitive or critical infrastructure, and demonstrate all 5 phases of an attack, i.e. Recon, Infiltration, Discover, Capture and Exfiltrate, in a simulated environment. It was started last year (2012) and received good support from the participants. This year over 700 employees across the world participated, making it a fierce competition in which time management and team management, on top of basic security knowledge, played a vital role in performing well. The first round was virtual, and the top 10 teams from it advanced to an on-site event.
This event provided a great amount of learning for all participants, apart from bragging rights and the opportunity to win great prizes. Some of the lessons:
- Recon: One of the biggest lessons from this event was that we did not need any advanced knowledge of tools like Metasploit or Nexpose. One could cause heavy damage just by doing deep reconnaissance with browser tools and proxies. We also felt that detailed knowledge of HTTP and web technologies would be extremely useful. The only tool we used for platform assessments was nmap.
- Scripting: Some of the flags involved brute forcing directory traversals and browsing through a bunch of URLs of the format
where id is a numerical value and we had to browse through many such URLs with increasing values of <id>.
Scripting knowledge is extremely useful in such situations, where you can automate the entire process and store the responses.
- PHP special character handling: One of the flags required us to extract a sensitive PHP script from a server that would reveal more secrets. The trick here was that the script on the server was unreadable and its content could not be rendered over a simple GET request: the Content-Length would be 0 while the server responded with status code 200 OK. This could lead one to believe that the file was empty or had been tampered with.
One of the vulnerabilities on this server was that it allowed small file uploads. A simple PHP script that lists all the files in the web folder was uploaded to the server.
With this we figured out which sensitive file held the script but was unreadable. A hex dump of that script was extracted as follows:
```php
<?php
// $file - path to the sensitive, unreadable script on the server
// (file_get_contents() takes a path, not an open file handle)
$file = '/path/to/unreadable.php';   // placeholder; the real name came from the directory listing
$str = trim(file_get_contents($file));
echo bin2hex($str);                  // hex dump to feed into a hex-to-ASCII converter
```
Once the hex dump was extracted, we could analyze what was making the PHP code unreadable using a hex-to-ASCII converter.
The special characters that were making the file unreadable were then cleaned up, and the sanitized script was executed to reveal the flag.
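The hex-dump-and-clean-up step above, as an added example in Python that is not part of the original write-up: it produces an xxd-style dump, lists every byte that is not printable ASCII or tab/LF/CR, and strips them (plus a leading UTF-8 BOM). The polluted script is a constructed sample, and the check assumes the real script is ASCII-only.

```python
# Constructed sample (not the event's file): a PHP script polluted with a UTF-8
# BOM, NUL bytes and a stray Ctrl-Z, the kind of bytes that stop it from running.
SAMPLE = (b"\xef\xbb\xbf<?php\x00\n"
          b"$flag = 'FLAG{constructed-sample}';\x1a\n"
          b"echo $flag;\x00\n")

BOM = b"\xef\xbb\xbf"
KEEP_WS = {0x09, 0x0a, 0x0d}          # tab, LF, CR are legitimate in source


def is_clean(b: int) -> bool:
    """True for printable ASCII or the whitespace bytes a script may contain."""
    return 0x20 <= b < 0x7f or b in KEEP_WS


def hexdump(data: bytes, width: int = 16) -> list:
    """xxd-style lines: offset, hex bytes, ASCII column with '.' for non-printables."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        ascii_col = "".join(chr(b) if 0x20 <= b < 0x7f else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3 - 1}}  |{ascii_col}|")
    return lines


def find_suspicious(data: bytes) -> list:
    """(offset, byte) for every byte that is neither printable ASCII nor tab/LF/CR."""
    return [(i, b) for i, b in enumerate(data) if not is_clean(b)]


def sanitize(data: bytes) -> bytes:
    """Strip a leading BOM, then drop every remaining non-printable byte."""
    if data.startswith(BOM):
        data = data[len(BOM):]
    return bytes(b for b in data if is_clean(b))


if __name__ == "__main__":
    print("\n".join(hexdump(SAMPLE)))
    for off, b in find_suspicious(SAMPLE):
        print(f"suspicious byte 0x{b:02x} at offset {off}")
    print(sanitize(SAMPLE).decode("ascii"))
```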
- Web Scanners: BackTrack came in handy here as it ships with multiple web scanners such as DirBuster, Burp Suite, Powerfuzzer, etc. Handling authentication and cookies with these scanners can be tricky at times.
- Password Cracking and Rainbow Tables: John the Ripper and a host of other tools, both online and offline, can come in very handy for such events, as many times we had to crack an MD5 hash to extract the flag. BackTrack came in really handy here too.
- SMTP: A bunch of flags were related to breaking into an SMTP server and extracting sensitive information. Working with the client-server messages and understanding how SMTP really works was a great learning experience.
- Armitage: This tool was heavily used to scan platforms and IP ranges. It adds an abstraction layer on top of complex tools that would otherwise require advanced configuration knowledge. Armitage makes it a lot easier to perform basic, quick or intense scans and reports the findings in a clear, concise manner. It was heavily used for service discovery and port scans.
- Windows Password Management: This exercise was probably the most satisfying in the event, as we got to clearly understand how Windows password management works. One of the servers we had to exploit had a hidden file whose content resembled the pwdump file format.
The fields in that format can be described as follows:
The NT hash is an MD4 hash, which can be broken easily.
- Common web application attacks: During this event we also had to exploit several web applications by identifying vulnerabilities and trying out basic attack strategies. Some of the attack vectors we relied on heavily were SQL injection, directory path traversal, etc.
- Telnet: Telnet was one of the most important tools in our recon work, as we had to identify non-standard services running on different ports. Most of these services exposed software stack metadata as part of the banner on the initial telnet connection.
There were numerous other pointers for security professionals to take away from this event, but one of its striking features was the modelling of human behavior. One of the tasks involved XSS (cross-site scripting) on a message board in a virtual hospital. There were no checks against injecting malicious script into the message in the POST request. What was interesting was that the bots, or 'nurses', would blindly click on any link, which is in line with the trends seen today, where XSS is still one of the most common routes to cookie hijacking and the like.
There were many instances in the event where you could see that it was not just about the technical aspects but also about being street smart.
For developers and penetration testers alike, this exercise is a great reality check on current-day attack vectors and strategies and on how the code we write and push out can be susceptible to these attacks. It also goes to show that for a determined attacker no target is impossible to breach: for this event we had to spend long hours doing recon and scans on systems and deeply analyze strategies before going ahead with the rest of the attack process.