Slide 1

Slide 1 text

CTF FOR MORTALS
Leigh Honeywell
Seattle Attic Community Workshop

Slide 2

Slide 2 text

ABOUT ME
• I work at a large software company in Redmond
• (but I’m speaking only on my behalf)
• Co-founded a couple of hackerspaces
• From around here
• Went to U of T
• Former Bell, MessageLabs/Symantec Cloud, independent consultant, failed startup founder
• Hate when speakers spend too long on their bios, so I’ll shut up now.
• @hypatiadotca on the tweeters

Slide 3

Slide 3 text

WHAT THE CTF
• Hacking tournament
• Capture “flags” that look like flag{sdjkfhekjhremn} or sometimes flag{forensics_is_fun}, which you then submit to a game server for points
• Play alone or with others, sometimes at big events or just online

Slide 4

Slide 4 text

CTF IS FOR EVERYONE
• Remember “Hackerspace Design Patterns”? This is like that, but for CTF.
• Whatever lets you learn and have fun is the right way to play.
• Even non-programmers and people who aren’t security specialists can learn and have fun playing – bond with your parents or kids*!

*competition IRC channels etc. can be full of pottymouthed asshats. Don’t be that asshat.

Slide 5

Slide 5 text

WELL, ALMOST EVERYONE
• Some tournaments are student-only or have a student-only category
• Some require you to be on-site
• Some just want part of the team on-site, can have remote support
• Qualification rounds – Defcon, CSAW (they fly you to NYC!)

Slide 6

Slide 6 text

MY EXPERIENCES
• 2011 UCSB iCTF – placed ~35th out of ~80 teams
  • Attack-Defend, student only CTF
  • Mentored by Alan Rosenthal at U of T – THANK YOU
• 2013 NYU CSAW – placed ~300th out of ~1400
  • Jeopardy style, open to non-students
  • Team Unicode Sparklehearts
• Yup, I’ve only played two games. And I’m here talking to you.

"What do I know now that I wish I knew a year ago?" --Jack Diederich

Slide 7

Slide 7 text

OUTLINE
• Styles of CTF
• Building your team
• Preparation
• Game Day
• OPSEC
• Postmortem
• Upcoming Games
• Further Reading

Slide 8

Slide 8 text

TYPES OF CTF

Slide 9

Slide 9 text

STYLES

Attack/Defend
• Keep services running
• Attack other teams
• Attack central services
• Involves infrastructure, possibly a VPN

Jeopardy
• Challenges you download
• Various points / difficulty levels
• Attack central services

Slide 10

Slide 10 text

STYLES
Attack/Defend
Jeopardy

Slide 11

Slide 11 text

TYPICAL CTF TOPICS
• Trivia
• Recon
• Puzzles
• Steganography/Forensics

Slide 12

Slide 12 text

TYPICAL CTF TOPICS
• Reversing
• Exploitation
• Crypto
• Web
• Defense

Slide 13

Slide 13 text

PREPARATION
Friends don’t let friends CTF unawarez

Slide 14

Slide 14 text

TIMELINE

-1 Month
• Basic infrastructure
• Tools
• Skills Roster

-2 Weeks
• Pick co-ordinator
• Tactics
• More infrastructure

-1 Week
• Hardware
• Network
• Logistics

-1 to 3 Days
• Food
• Nap options

At each checkpoint, check for any newly available information from the contest organizers!

Slide 15

Slide 15 text

ONE MONTH AWAY
• Initial infrastructure:
  • mailing list
  • IRC channel
  • document share
• Recruit!
• Meet to go over tools, initial skills roster
• Show newbies how to IRC. Freenode has webchat. Consider setting a password.

Slide 16

Slide 16 text

BUILDING YOUR TEAM

Slide 17

Slide 17 text

REAL VS. VIRTUAL
• Recruit diversely
• Different skills = valuable
• Teams across timezones = moar sleep
• Find someone with access to physical space

Slide 18

Slide 18 text

TEAM SIZE
• There’s usually no minimum
• If there are rules, try to max out the allowed team
• Otherwise the more the merrier, but the more folks you have the more important task allocation becomes

Slide 19

Slide 19 text

MY TEAM
• Unicode Sparklehearts
• 2/3 women, geographically distributed
• Recruited on women-in-tech mailing lists
• About 20 people (8 active in NYU game, in Seattle and online)
• Variety of skill levels from non-programmers to kernel hackers
• Anti-harassment policy for our team space
• Recruiting non-jerks of all skill levels and genders!

Slide 20

Slide 20 text

A WORD ABOUT TOOLS
• Too many to name
• Many of them are in Backtrack / Kali Linux
• Check the resources at the end of this deck
• Top n:
  • IDA
  • Web proxy
  • Notepad++/Textmate
  • Search engine
  • Scripting language (python ftw)

Slide 21

Slide 21 text

TWO WEEKS AWAY
• Review tactics
  • old pcaps and challenges
  • WALKTHROUGHS
• Review skills roster
• Figure out initial task breakdown
• Pick a co-ordinator

Slide 22

Slide 22 text

ONE WEEK AWAY
• Get computers in order: multiple OSes are a good idea
• Server (maybe one with CUDA-compatible video for cracking)
• Shells
• Ensure you have a fat pipe + backup interwebs
• Download rainbow tables
• Spare laptops with Kali Linux
• Whiteboards or butcher paper, markers, postits, lab notebooks
• Switches and routers, printer
• Consider letting your ISP know you'll be playing CTF

Slide 23

Slide 23 text

ONE TO THREE DAYS AWAY
• Double-check your interwebs
• Arrange food.
• Reasonably healthy brain food.
• Snacky things like carrots and hummus, fruit.
• PROTEIN. WATER.
• For longer CTFs, stock up on sleep!
• If the game is 12+ hours, bring something to nap on - couches or thermarests, pillows, blankets.

Slide 24

Slide 24 text

GAME DAY
Or weekend! Or longer! AHHHH I NEED SLEEP!

Slide 25

Slide 25 text

AW YEAH HACKING TIME
• Read through all the challenges
• Start downloading any additional tools you need
• For Attack/Defend games, set up services

Slide 26

Slide 26 text

CO-ORDINATE!
• Have the co-ordinator you chose during preparation set alarms/reminders to regularly check for the following:
  • New challenges
  • Hints
  • Questions folks ask in IRC
  • People bragging on Twitter
  • Teammates who are stuck and need halpz

Slide 27

Slide 27 text

THE CARE AND FEEDING OF NEWBIES
• Assign easier challenges to the beginner folks on your team, based on the skills they want to focus on.
• As a more experienced hacker, don’t be tempted to take the easy challenges.
• Pair hacking! Let the newbie drive. Don't take away the keyboard.
• If there are limited submissions or you’re penalized for too many, check their answers.
• Leave some time at the end to tidy up beginner challenges.

Slide 28

Slide 28 text

SECRET NAP TECHNIQUES
• 90 minutes of sleep followed by two cups of coffee in the evening will give you another 12-24 hours of near-peak performance. SCIENCE!
• Naps increase objective performance more than subjective – you’ll feel groggy but work better. PARADOXICAL!
• Shorter naps: caffeine before 20-30 minute nap; the caffeine dose will hit you and you’ll wake up refreshed.
• See Mythbusters S12E02 or “The Promise of Sleep”

Slide 29

Slide 29 text

OPSEC
I can put my dox back on, you can’t.
PLAY SAFE.

Slide 30

Slide 30 text

PLAYING SAFE

Attack/Defend
• Use fresh, fully patched machines on a dedicated network
• Flatten them after playing (backup your pcaps and samples!)
• Spin up dedicated shells
• Segment off recon/exploitation/reversing network or have a second one

Jeopardy
• No VPN, so less scary
• You can still do all the stuff to the left
• Use VMs for exploitation
• Patch!
• If there’s a game IRC, use a different IP unless the server masks it.

Slide 31

Slide 31 text

DON’T BE A JERK.
Model good behaviour to other teams.
Un-excellent things to do:
• Cheating
• DoSing
• Doxing
• Spamming IRC or Twitter hashtag
• Being a swear-bear on IRC (there may be kids around!)

Slide 32

Slide 32 text

POSTMORTEM
I know because of my learnings

Slide 33

Slide 33 text

POSTMORTEM
• Share what you learned with your peers
• Give things a day or two to sink in, but don't wait too long. Schedule it before the game.
• Give back - write up walkthroughs

Slide 34

Slide 34 text

UPCOMING GAMES

Slide 35

Slide 35 text

GET OUT AND GAME
• SecTor! Email [email protected] with a team. Info on sector.ca under events
• http://ctftime.org/ has listings of upcoming games
• Meet at the bar after Jamie’s talk to find potential teammates!

Slide 36

Slide 36 text

FURTHER READING

Slide 37

Slide 37 text

FURTHER READING
• The Many Maxims of Maximally Effective CTFs
• ISIS Lab’s CTF Guide
• picoCTF Preparations
• My slides: https://speakerdeck.com/hypatia