CTF A Primer for InfoSec

This is a talk that was given at the Blacks In Cyber Summer Summit. I wanted to inform the attendees of the skills obtained during CTF participation, and how to inform current and future employers of the relevant skills obtained. I also describe the different types of CTF and the skills needed to participate.

Nico Smith

June 08, 2019

Transcript

  1. CTF... A PRIMER FOR INFOSEC @NICOLAISMITH1 SOCKIEWOXIE@GMAIL.COM @773PROCESS312@GITHUB

  2. AGENDA
     • Introduction of myself and how I got here (the why)
     • What is a CTF and what do they do (the what)
     • What skills are necessary and how to get started
     • I CTF now, where’s the jobs?
     • CTF for Glory, Fame but mostly pain
     • Useful Tools and Websites Needed for a CTF
     • CTF Types, Tasks and Demo Overview
     • DEMO (interactive)
     • Questions
  3. BRIEF INTRO
     • Dad
     • Lover of technology and evangelist of Raspberry Pi
     • Captain in U.S. Army National Guard, currently on a Cyber Protection Team
     • Tech hobbyist for about 12 years
     • Part-time pen tester and tinkerer
     • Active volunteer at both BSides Las Vegas and BSides DC
     • Taught intro to computing as an after-school high school program within Chicago
     • Worked as both a defensive and offensive analyst in the private sector and the military
     • 3 years leading Red Team engagements to support Blue Space defenders
  4. HOW I GOT HERE
     • Pumping Station One – Chicago Hackerspace
     • Chicago Linux User Group [ChiLUG]
     • Side jobs (freelancing) for peanuts
     • Meeting and working with other curious minds
     • Infecting my own system through use of LimeWire, Kazaa and poorness
  5. WHAT IS A CTF AND WHAT DO THEY DO?
     • Capture The Flag, or CTF, is a cyber activity where the participant attempts to solve a puzzle, gain access to a machine, or manipulate an environment in order to locate an item called a Flag.
     • A Flag is determined by the creator of the CTF and assigned a value for scoring purposes; most scoring is relative to the difficulty of the question and/or task.
     • CTFs provide the environment for infosec professionals and infosec-minded people to practice and learn how a particular threat, or threat actor, may employ a particular technique within computer network systems. Capture The Flags enable infosec professionals to stay sharp and provide proving grounds for the newcomer.
  7. WHAT SKILLS ARE NECESSARY AND HOW TO GET STARTED?
     http://trailofbits.github.io/ctf/intro/ is a great source for reading and learning.
     • Patience
     • Time
     • Resourcefulness
     • Google
     • Passion
     • Knowledge of Operating Systems
       • *nix and Windows
       • Hosts and Servers
     • Command Line Navigation
       • Overthewire.org
       • The Hackers Sandbox
     • Socializing Techniques
       • D.B.A.D.
       • Come with something to offer, vs. always taking
       • Read the questions posed and think about what they are asking
       • Learn to investigate and identify opportunities and communities that are involved in CTF curation and participation, and join them
  8. I CTF…… NOW, WHERE’S THE JOBS?
     • The honest answer is, CTFs alone don’t produce jobs; they demonstrate a candidate’s ability to think critically and operate both as an individual and on a team.
     • CTF participation greatly increases an individual’s ability to gain awareness within an environment, which translates into quicker methods to gain initial compromise and maintain footholds during an active pentest.
     • If you have found success in CTFs, perhaps you will want to participate in bug bounty programs.
  9. CTF FOR GLORY AND FAME….. BUT MOSTLY PAIN
     CTF involvement will cycle the average individual through options 1-4 repeatedly, while option 5 is experienced very sparingly.
  10. USEFUL TOOLS, WEBSITES NEEDED FOR A CTF
     • Kali Linux
       • https://www.kali.org/downloads/
     • Parrot OS
       • https://www.parrotsec.org/download.php
     • CommandoVM
       • https://github.com/fireeye/commando-vm
  11. USEFUL TOOLS, WEBSITES NEEDED FOR A CTF
     1. https://github.com/MrMugiwara/CTF-Tools
     2. https://resources.infosecinstitute.com/tools-of-trade-and-resources-to-prepare-in-a-hacker-ctf-competition-or-challenge/#gref
     3. http://trailofbits.github.io/ctf/intro.html
     4. https://ctftime.org/
     5. GOOGLE.COM
  12. CTF TYPES, TASKS AND DEMO OVERVIEW

     Jeopardy – In this type of competition there is a certain number of task challenges, which can be of different types: web, crypto, binary, forensic, etc. Depending on the difficulty of a task, it delivers a different number of points to the player that solved it. The tasks can be shaped into so-called “chains”, which means that for the player to unlock the next challenge they need to first solve the one before it. At the end of the game, which is usually defined by a time limit, the team that scored the most points is victorious. Examples of competitions of this kind are Hack the Nexus, DEFCON Quals, Kaspersky Industrial, SECCON and HITCON.

     Attack-Defense – Each team has its own Vulnbox, which is essentially a system with security vulnerabilities. Each team has time to patch its own system while developing exploits for the enemy system. When the game starts, the teams use their exploits on each other while protecting their own systems, in order to “steal” flags from the enemy team.

     Mixed – Any combination of the two competition types above is considered a mixed one. There can be an attack-defense competition with a few jeopardy tasks set as bonuses, or a jeopardy competition with a global task including an attack-defense dynamic.

     Excerpts taken from cybrary.it
  13. CTF TYPES, TASKS AND DEMO OVERVIEW – CTF TASKS

     Reverse Engineering – The point of reverse engineering is collecting new information and understanding of a technology by disassembling it into its base parts. At the beginning, RE was only used on hardware, but it has since evolved into being applicable to software, databases and even DNA analysis.

     PWN (Binary) – The objective of PWN challenges is for the player to acquire access to a target system without the system administrator’s permission. The targets can be personal computers, servers, websites, networking devices or applications.

     Crypto – Cryptographic challenges are mostly defined by giving the players a sample of encrypted information. The player has to decrypt it in order to acquire a flag or a clue to the next step of the competition.

     Stego – Steganography is the art of hiding a secret string of text, image, video or audio file inside a different file of the same kind. Stego challenges usually consist of an image that contains nothing interesting at first sight. The image actually contains the flag of the challenge, but to acquire it the player has to run the image through filters and algorithms. There have even been steganographic challenges that feature a 3D model over which the player has to add a light source to be able to see the flag.

     Excerpts taken from cybrary.it
  14. CTF TYPES, TASKS AND DEMO OVERVIEW

     Today’s demo will require each participant to have the following:
     1. Laptop with any Linux or Windows OS; however, the preferred operating systems are ParrotOS, CommandoVM and Kali Linux, in that order.
        - If the participant wants to run a virtual machine of the preferred operating system, he/she needs to have experience running virtual machines on their computer.
     2. The ability to plug an Ethernet cable into their computer
     3. Internet access for research
     4. Positive attitude
     5. Join a team

     Today’s CTF type will be: Jeopardy
     Today’s CTF tasks will be: CRYPTO and STEGO
  15. DEMO TIME