Chief Delphi

Chief Delphi (http://www.chiefdelphi.com/forums/index.php)
-   Chit-Chat (http://www.chiefdelphi.com/forums/forumdisplay.php?f=14)
-   -   263's Computer Hacking Competition (http://www.chiefdelphi.com/forums/showthread.php?t=39719)

Adam Richards 21-09-2005 21:48

Re: 263's Computer Hacking Competition
 
Quote:

Originally Posted by Mike
Ouch, 12 hours total? A little much. I'd say split it up over a week.

They could do a 36 hour perpetual weekend session ( :ahh: ) instead of just 12 hours...

mechanicalbrain 21-09-2005 22:10

Re: 263's Computer Hacking Competition
 
Quote:

Originally Posted by Adam Richards
They could do a 36 hour perpetual weekend session ( :ahh: ) instead of just 12 hours...

Ill stock up on caffiene pills, soap, shirts, and drinks. You know suddenly im remembering the thread with how much soda will kill you. Who wants to test that calculator?

sciguy125 22-09-2005 10:18

Re: 263's Computer Hacking Competition
 
I like the 36 hour idea. But maybe you could plan it for mid-december so that we don't have to worry about school and focus on the h4xin9. January would fit better for my school schedule (I have an obscenely long break), but that would cut into build period.

Mike 22-09-2005 16:19

Re: 263's Computer Hacking Competition
 
Quick idea for after this is over (or maybe in place of this, something like that)...

A programming challenge in the same format as this. You don't know what you have to do until the first day and everything has to be made from scratch (no pre-made libraries). To make it really interesting, a combination of languages/platforms. EG: Have a client program that has to interact with a web program. Points for cross-OS compatibility and/or cross-database compatibility (having a nice sql abstraction layer that could work with both MySQL, MsSQL and PostgreSQL).

SeanCassidy 22-09-2005 21:39

Re: 263's Computer Hacking Competition
 
Quote:

Originally Posted by sciguy125
Does it have to be tested? If we can't reboot, we can't test it. Unless we're supposed to do it during the grace period...

Kernel recompiling really can only be done during grace period. If you can't get it done before then, though. We'll be there to catch your computer if your kernel doesn't reboot so backup your old kernels. The reason for lack of rebooting in the open season is so if you see someone rooting your box, you can't just reboot to stop them. Or reboot multiple times to avoid attacks, etc.

Quote:

Originally Posted by sciguy125
Can you clarify this a little? What constitutes a "vulnerable network service"?

Good question. I was thinking of a network service that in some way is vulnerable to a buffer overflow. You can change that up a bit, make the client and server do a bit of handshaking or something, it's up to you. But it must be exploitable by a buffer overflow. Anything else is a bit beyond our scope I'd guess. Don't pull any funny stuff, and you can expect a good outcome on this part. And keep it simple too. Anything over 200 lines is way too excessive.

Quote:

Originally Posted by sciguy125
I like the 36 hour idea. But maybe you could plan it for mid-december so that we don't have to worry about school and focus on the h4xin9. January would fit better for my school schedule (I have an obscenely long break), but that would cut into build period.

Why don't we do both? We can do the multiple small periods now, and then the longer game later. We need to hammer the rules out anyway and what better way to find weaknesses in rules than to actually play the game? Who knows, we may even get good enough to assemble a few teams to play the real roothack.

SeanCassidy 24-09-2005 18:31

Re: 263's Computer Hacking Competition
 
If you want to be involved, PM me your email address. We're getting this thing going as soon as we can get teams and start talking about dates.

Denalin Fusion 25-09-2005 15:47

Re: 263's Computer Hacking Competition
 
This is a good, yet dangerous, idea! I want to participate!

SeanCassidy 26-09-2005 18:26

Re: 263's Computer Hacking Competition
 
Quote:

Originally Posted by Denalin Fusion
This is a good, yet dangerous, idea! I want to participate!

Then PM me your email. :) sciguy125 needs a team too, so you might want to PM him as well.

What about this for the vulnerable network service idea? I'll (or if you want to, you can as well, and we'll decide) write the vulnerable network service that you can choose to run. Running it as an unprivileged user will get you 50 or so points, but running it as root will get you 100 or so. If we think this is a good idea, I'll start writing it now.

sciguy125 26-09-2005 22:40

Re: 263's Computer Hacking Competition
 
Do you have any details about how we will be connecting to the LAN. Much of my strategy seems to revolve around how much access I have and how I gain this access. Will we all get accounts on some sort of portal? Maybe there will just be some kind of router that we connect through?

Hutch 27-09-2005 18:54

Re: 263's Computer Hacking Competition
 
Quote:

Originally Posted by SeanCassidy
-You must use vanilla kernels, and nothing you use can be stack guard compiled (especially your vulnerable network daemon).

You act as though stack guard solves the problem... Most of the time it just convolutes it.

SeanCassidy 28-09-2005 16:43

Re: 263's Computer Hacking Competition
 
Quote:

Originally Posted by sciguy125
Do you have any details about how we will be connecting to the LAN. Much of my strategy seems to revolve around how much access I have and how I gain this access. Will we all get accounts on some sort of portal? Maybe there will just be some kind of router that we connect through?

Sure. The network is a home network off of a standard linksys router. You will connect into a gateway box (your team will have one fairly limited account on this box). You'll be able to compile stuff and run stuff on this box. Now that you're in the lan you can ssh into your team's computer. We'll assign IPs beforehand. There should be no need to scan the entire network, and if you do, we'll consider it an attack and kick you off the network. Any attacking to the gateway box will result in your team's immediate disqualification. We'll secure it as we see fit, but the real key is us watching you. We have access to all of your data thoughout this entire competition. Don't use passwords you normally use, and if you have anything you don't want anyone else to know, don't bring it there. There will be other computers on the lan, don't touch them, or arp poision them or anything. Any evidence of this will result in immediate disqualification.
Quote:

You act as though stack guard solves the problem... Most of the time it just convolutes it.
It complicates solving buffer overflow attacks. If you're running vulnerable program xyz and it's stackguard compiled, I doubt many of us have the skills needed to get around that. This isn't a test of super hackers, this is just a bunch of FIRSTers trying to learn more about computer security. But, if you feel you have the skills necessary, by all means, join in the competition and teach us a thing or two. ;)

We'll be setting up the computers this Friday and we'll be having a meeting in IRC starting at 4pm (this may change, we'll see). We're #aftershock on irc.freenode.net. If you want to have a say in the games, go there then, and we'll chat. We'll be arranging times and dates then too. It's impossible to adjust to everyone's busy schedule, but hopefully at least one member of your team will be able to participate at any give time. Just a reminder: we're doing this piecemeal. Grace period will be one four hour block one day. We'll discuss afterwards if you really need more time or any other concerns you may have. (Remember, you get bonus points for every minute before the end of grace your team finishes :))

sciguy125 28-09-2005 18:37

Re: 263's Computer Hacking Competition
 
Quote:

Originally Posted by SeanCassidy
We'll be setting up the computers this Friday and we'll be having a meeting in IRC starting at 4pm (this may change, we'll see).

What timezone?
Quote:

Originally Posted by SeanCassidy
Grace period will be one four hour block one day.

That seems short. Depending on the system, it could take over an hour just to compile the kernel. Not to mention the time it'll take to explore the system and patch holes.

SeanCassidy 28-09-2005 18:46

Re: 263's Computer Hacking Competition
 
Quote:

Originally Posted by sciguy125
What timezone?

EST (UTC -5). We've decided to have a meeting tomorrow at 8pm EST if you can't goto the Friday meeting. If you can't go, feel free to ask the questions here.
Quote:

Originally Posted by sciguy125
That seems short. Depending on the system, it could take over an hour just to compile the kernel. Not to mention the time it'll take to explore the system and patch holes.

What I was planning on was doing the four hour session and then all of us evaluating what we've done. In all likely hood we'll need another four hour (or maybe five if we can squeeze it), but we'll see when we do it. I doubt your kernel compile will take that long on these computers, but I don't know what computers Rob (the_unknown) is using right now. We'll see. But, if you're strapped for time, won't that make the competition interesting? :)

scitobor 617 28-09-2005 19:20

Re: 263's Computer Hacking Competition
 
Quote:

Originally Posted by SeanCassidy
What about this for the vulnerable network service idea? I'll (or if you want to, you can as well, and we'll decide) write the vulnerable network service that you can choose to run. Running it as an unprivileged user will get you 50 or so points, but running it as root will get you 100 or so. If we think this is a good idea, I'll start writing it now.

What are the specifications for backdoors or for the vulnerable network service. I think it would be cool to write our own vulnerable network service to meet your specs. The closer you follow the specs(including specs on vulnerabilities) the more points awarded.

Also, can we write/download an IDS?

SeanCassidy 28-09-2005 19:24

Re: 263's Computer Hacking Competition
 
Quote:

Originally Posted by scitobor 617
What are the specifications for backdoors or for the vulnerable network service. I think I would be cool to write our own vulnerable network service to meet your specs. The closer you follow the specs(including specs on vulnerabilities) the more points awarded.

Just to throw out some ideas:

-It must provide a service (echo, date, it can add two numbers together, etc).
-It must be TCP, not UDP.
-It must be less than 200 lines.
-It must be susceptible to an exploitable buffer overflow exploit. Now what consitutes that is a matter of debate, but keep it simple, and you can get credit for this.

If you like this idea, join the competition and talk to us in IRC tomorrow or Friday.
Quote:

Also, can we write/download an IDS?
Yep. Definite bonus points if you write one, though.


All times are GMT -5. The time now is 19:21.

Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2017, Jelsoft Enterprises Ltd.
Copyright © Chief Delphi