Chief Delphi

SeanCassidy 21-09-2005 17:04

263's Computer Hacking Competition
 
Hello everyone. A few of my fellow teammates and I want to put together a little wargame (not unlike roothack) where we would have two boxes on a LAN and hack each other's computers. We're not positive on every detail yet, but here's what we have so far that we're not going to change.

-Two (or possibly more) computers on a LAN. One gateway box to ssh into. The game might be like roothack's, where you get a certain amount of time to secure your box (the grace period) and then the open season begins after that.
-The OS will be Linux, although the distro is not decided (it may even be random). This is immutable.
-Three team members max.

Other ideas we've thrown together:

-Write a vulnerable network service running as root that you can exploit as well.
-If the competition stalemates (no hacking being done) forced opening of various services.

If you have any ideas, we're pretty open. We just want this to be a fun learning experience for everyone involved. Hopefully we'll make this a regular thing. Ideally, your team should have experience in programming for Linux, in securing boxes, and even exploit writing. This idea needs to be thought out a lot more fully, so we need your help. Post here for additions, and PM me with your e-mail if you're interested.

mechanicalbrain 21-09-2005 17:15

Re: 263's Computer Hacking Competition
 
Ooh this looks like a great idea! I'm getting my CISCO certification just so I can learn about network security. What would be the rules on software you're allowed to use? Also would it be school teams or can we form teams?

SeanCassidy 21-09-2005 17:38

Re: 263's Computer Hacking Competition
 
Quote:

Originally Posted by mechanicalbrain
What would be the rules on software you're allowed to use? Also would it be school teams or can we form teams?

What we're probably going to do is give you a Linux box on a LAN on my teammate's LAN. You'll be able to run anything you want, basically. We are really serious about cracking though. We'll be logging every packet sent to and fro on the network, we'll also be watching everything you do on all the boxes. So we really don't want you launching attacks from here. If you do, we'll simply forward your information and cooperate with the authorities. If you have a question on the legality of a certain piece of software, ask. Anything you've written as well. Use common sense, we don't want you attacking other boxes on the network either.

We were originally going to do school robotics teams, but I see nothing wrong with letting anyone in. I'd really like to keep it to FIRST participants only. This might be bent, but contact me if that's the case.

Adam Richards 21-09-2005 18:07

Re: 263's Computer Hacking Competition
 
Do you have an AIM/ICQ/MSN/YAHOO SeanCassidy? I'd like to ask you a few questions.

Kyle 21-09-2005 18:15

Re: 263's Computer Hacking Competition
 
What do you get for winning? And if you wanted to make this a challenge, set up an XP box to see if there are some good crackers. Or would that be illegal to use Microsoft products like that?

mechanicalbrain 21-09-2005 18:17

Re: 263's Computer Hacking Competition
 
Quote:

Originally Posted by SeanCassidy
We were originally going to do school robotics teams, but I see nothing wrong with letting anyone in. I'd really like to keep it to FIRST participants only. This might be bent, but contact me if that's the case.

This seems like a good thing for nationals where lots of people can participate. I asked about forming our own teams because I'll probably be the only one on my team doing this type of thing.
Quote:

Originally Posted by Kyle
What do you get for winning? And if you wanted to make this a challenge, set up an XP box to see if there are some good crackers. Or would that be illegal to use Microsoft products like that?

Microsoft is WAY too easy. Just using command prompts alone....

the_unknown 21-09-2005 18:20

Re: 263's Computer Hacking Competition
 
We will not under any circumstances be using Windows for this game. Team 263 is very small (in terms of participating members), and any member that would participate in this game would be very busy during nationals. (We will probably not be attending this year, but that's another story). Any questions about this game can also be sent to me, I will try and get an answer back to you as soon as possible.

AIM - rabidsquirlhunt6
ICQ - 220610998

sciguy125 21-09-2005 18:40

Re: 263's Computer Hacking Competition
 
d00d! 7h47 w0u1d pwn!!1one! A11 of joo wi1 937 t0 s33 my 1337 h4xin9 skillz!

mechanicalbrain 21-09-2005 18:45

Re: 263's Computer Hacking Competition
 
Quote:

Originally Posted by sciguy125
d00d! 7h47 w0u1d pwn!!1one! A11 of joo wi1 937 t0 s33 my 1337 h4xin9 skillz!

You know I COULD comment but there's really no need. I think you said it for me. :D

Mike 21-09-2005 19:00

Re: 263's Computer Hacking Competition
 
I'm in. Would these boxes be running http/ftp servers as well?

Matt Krass 21-09-2005 19:04

Re: 263's Computer Hacking Competition
 
I'm in, me and Mike are gonna team up with..uhh...someone :)

SeanCassidy 21-09-2005 19:09

Re: 263's Computer Hacking Competition
 
Quote:

Originally Posted by Mike
I'm in. Would these boxes be running http/ftp servers as well?

Most likely. You'll have at the very least a few hours to set up a working ftp/http server, and we'll get down to the exact rules and constraints eventually. We might say you have to be running Apache 1.3 or sendmail, or even samba. It'll be your job to put up the servers and make sure they're up to date security wise.

You should be very familiar with Linux going into this. Compiling glibc, kernels, and servers from source is not out of the question (but totally up to you if you care about security). If you're not familiar with Linux, you better be a very fast learner. :)
Quote:

d00d! 7h47 w0u1d pwn!!1one! A11 of joo wi1 937 t0 s33 my 1337 h4xin9 skillz!

1nd33d.

SeanCassidy 21-09-2005 20:13

Re: 263's Computer Hacking Competition
 
Okay, here's a draft of the game I decided to write up.

The game will be point based. Both computers will run the same distro of Linux on very similar computers. There will be a grace period. No hacking of any kind is allowed during this period. It results in an instant loss if it's detected. Social engineering is allowed, though, during this period.

Here is the point allocation:
-150 points for every minute you hold root on a victim computer.
-0-50 points based on overall how secure your computer is. This will be judged after competition.
-10 points for running Apache 1.3 during the entire open season.
-10 points for running sendmail 8 during the entire open season.
-10 points for running ProFTPD 1.2 during the entire open season.
-25 points for a working kernel recompile by hand!
-100 points for writing your own vulnerable network service and running it as root (not in a chroot) during the entire open season. This is only worth 50 points if you don't run it as root.
-200 points for giving a working exploit for the network service.
-0-20 points for social engineering.
-0-30 points for any special attacks (ARP poisoning, keylogging, packet sniffing)
-0-30 points for any special defenses.
-1 point for every minute before open season that you're completely done. (NO screen sessions running, etc.) You can tell us when you're done and we'll cut access to your box.
-0-30 points for the whitepaper describing what happened.
-0-30 points for securely backdooring your own box.
-0-75 points for overall attack strategy. If you use metasploit or nessus, prepare to get very low points here.

Other rules:
-You cannot reboot in open season. It's an instant loss if you do.
-No outbound connections from your box inside the LAN.
-You can only attack the victim computers on the LAN; anything else, even scanning other boxes, is an instant loss for that team.
-We'll be logging everything, please don't touch the logs. We want to look at the games afterwards too.
-If you don't want your 0day to be released, don't use it here.
-You must use vanilla kernels, and nothing you use can be stack guard compiled (especially your vulnerable network daemon).

Most of this will be judged after the competition. We hope to make this as professional as possible. We'll probably be in #aftershock on irc.freenode.net too. I'm usually in there as bockman.

We have some opposing ideas on the format of the game itself. We can do it like a four hour grace period and an eight hour open season in one day, or break it up. Possibly three four hour sessions over a week. Any ideas about this?

Mike 21-09-2005 21:19

Re: 263's Computer Hacking Competition
 
Quote:

Originally Posted by SeanCassidy
We have some opposing ideas on the format of the game itself. We can do it like a four hour grace period and an eight hour open season in one day, or break it up. Possibly three four hour sessions over a week. Any ideas about this?

Ouch, 12 hours total? A little much. I'd say split it up over a week.

sciguy125 21-09-2005 21:42

Re: 263's Computer Hacking Competition
 
Quote:

Originally Posted by SeanCassidy
-25 points for a working kernel recompile by hand!

Does it have to be tested? If we can't reboot, we can't test it. Unless we're supposed to do it during the grace period...
Quote:

Originally Posted by SeanCassidy
-100 points for writing your own vulnerable network service and running it as root (not in a chroot) during the entire open season. This is only worth 50 points if you don't run it as root.
-200 points for giving a working exploit for the network service.

Can you clarify this a little? What constitutes a "vulnerable network service"?
Quote:

Originally Posted by SeanCassidy
-0-30 points for securely backdooring your own box.

That should be easy enough.
Quote:

Originally Posted by Mike
Ouch, 12 hours total? A little much. I'd say split it up over a week.

n00b! j00 r ϋ83r un1337!!11!

Adam Richards 21-09-2005 21:48

Re: 263's Computer Hacking Competition
 
Quote:

Originally Posted by Mike
Ouch, 12 hours total? A little much. I'd say split it up over a week.

They could do a 36 hour perpetual weekend session ( :ahh: ) instead of just 12 hours...

mechanicalbrain 21-09-2005 22:10

Re: 263's Computer Hacking Competition
 
Quote:

Originally Posted by Adam Richards
They could do a 36 hour perpetual weekend session ( :ahh: ) instead of just 12 hours...

I'll stock up on caffeine pills, soap, shirts, and drinks. You know suddenly I'm remembering the thread with how much soda will kill you. Who wants to test that calculator?

sciguy125 22-09-2005 10:18

Re: 263's Computer Hacking Competition
 
I like the 36 hour idea. But maybe you could plan it for mid-december so that we don't have to worry about school and focus on the h4xin9. January would fit better for my school schedule (I have an obscenely long break), but that would cut into build period.

Mike 22-09-2005 16:19

Re: 263's Computer Hacking Competition
 
Quick idea for after this is over (or maybe in place of this, something like that)...

A programming challenge in the same format as this. You don't know what you have to do until the first day and everything has to be made from scratch (no pre-made libraries). To make it really interesting, a combination of languages/platforms. EG: Have a client program that has to interact with a web program. Points for cross-OS compatibility and/or cross-database compatibility (having a nice sql abstraction layer that could work with both MySQL, MsSQL and PostgreSQL).

SeanCassidy 22-09-2005 21:39

Re: 263's Computer Hacking Competition
 
Quote:

Originally Posted by sciguy125
Does it have to be tested? If we can't reboot, we can't test it. Unless we're supposed to do it during the grace period...

Kernel recompiling really can only be done during grace period. If you can't get it done before then, though. We'll be there to catch your computer if your kernel doesn't reboot, so back up your old kernels. The reason for lack of rebooting in the open season is so if you see someone rooting your box, you can't just reboot to stop them. Or reboot multiple times to avoid attacks, etc.

Quote:

Originally Posted by sciguy125
Can you clarify this a little? What constitutes a "vulnerable network service"?

Good question. I was thinking of a network service that in some way is vulnerable to a buffer overflow. You can change that up a bit, make the client and server do a bit of handshaking or something, it's up to you. But it must be exploitable by a buffer overflow. Anything else is a bit beyond our scope I'd guess. Don't pull any funny stuff, and you can expect a good outcome on this part. And keep it simple too. Anything over 200 lines is way too excessive.

Quote:

Originally Posted by sciguy125
I like the 36 hour idea. But maybe you could plan it for mid-december so that we don't have to worry about school and focus on the h4xin9. January would fit better for my school schedule (I have an obscenely long break), but that would cut into build period.

Why don't we do both? We can do the multiple small periods now, and then the longer game later. We need to hammer the rules out anyway and what better way to find weaknesses in rules than to actually play the game? Who knows, we may even get good enough to assemble a few teams to play the real roothack.

SeanCassidy 24-09-2005 18:31

Re: 263's Computer Hacking Competition
 
If you want to be involved, PM me your email address. We're getting this thing going as soon as we can get teams and start talking about dates.

Denalin Fusion 25-09-2005 15:47

Re: 263's Computer Hacking Competition
 
This is a good, yet dangerous, idea! I want to participate!

SeanCassidy 26-09-2005 18:26

Re: 263's Computer Hacking Competition
 
Quote:

Originally Posted by Denalin Fusion
This is a good, yet dangerous, idea! I want to participate!

Then PM me your email. :) sciguy125 needs a team too, so you might want to PM him as well.

What about this for the vulnerable network service idea? I'll (or if you want to, you can as well, and we'll decide) write the vulnerable network service that you can choose to run. Running it as an unprivileged user will get you 50 or so points, but running it as root will get you 100 or so. If we think this is a good idea, I'll start writing it now.

sciguy125 26-09-2005 22:40

Re: 263's Computer Hacking Competition
 
Do you have any details about how we will be connecting to the LAN? Much of my strategy seems to revolve around how much access I have and how I gain this access. Will we all get accounts on some sort of portal? Maybe there will just be some kind of router that we connect through?

Hutch 27-09-2005 18:54

Re: 263's Computer Hacking Competition
 
Quote:

Originally Posted by SeanCassidy
-You must use vanilla kernels, and nothing you use can be stack guard compiled (especially your vulnerable network daemon).

You act as though stack guard solves the problem... Most of the time it just convolutes it.

SeanCassidy 28-09-2005 16:43

Re: 263's Computer Hacking Competition
 
Quote:

Originally Posted by sciguy125
Do you have any details about how we will be connecting to the LAN? Much of my strategy seems to revolve around how much access I have and how I gain this access. Will we all get accounts on some sort of portal? Maybe there will just be some kind of router that we connect through?

Sure. The network is a home network off of a standard Linksys router. You will connect into a gateway box (your team will have one fairly limited account on this box). You'll be able to compile stuff and run stuff on this box. Now that you're in the LAN you can ssh into your team's computer. We'll assign IPs beforehand. There should be no need to scan the entire network, and if you do, we'll consider it an attack and kick you off the network. Any attack on the gateway box will result in your team's immediate disqualification. We'll secure it as we see fit, but the real key is us watching you. We have access to all of your data throughout this entire competition. Don't use passwords you normally use, and if you have anything you don't want anyone else to know, don't bring it there. There will be other computers on the LAN, don't touch them, or ARP poison them or anything. Any evidence of this will result in immediate disqualification.
Quote:

You act as though stack guard solves the problem... Most of the time it just convolutes it.

It complicates solving buffer overflow attacks. If you're running vulnerable program xyz and it's stackguard compiled, I doubt many of us have the skills needed to get around that. This isn't a test of super hackers, this is just a bunch of FIRSTers trying to learn more about computer security. But, if you feel you have the skills necessary, by all means, join in the competition and teach us a thing or two. ;)

We'll be setting up the computers this Friday and we'll be having a meeting in IRC starting at 4pm (this may change, we'll see). We're #aftershock on irc.freenode.net. If you want to have a say in the games, go there then, and we'll chat. We'll be arranging times and dates then too. It's impossible to adjust to everyone's busy schedule, but hopefully at least one member of your team will be able to participate at any given time. Just a reminder: we're doing this piecemeal. Grace period will be one four hour block one day. We'll discuss afterwards if you really need more time or any other concerns you may have. (Remember, you get bonus points for every minute before the end of grace your team finishes :))

sciguy125 28-09-2005 18:37

Re: 263's Computer Hacking Competition
 
Quote:

Originally Posted by SeanCassidy
We'll be setting up the computers this Friday and we'll be having a meeting in IRC starting at 4pm (this may change, we'll see).

What timezone?
Quote:

Originally Posted by SeanCassidy
Grace period will be one four hour block one day.

That seems short. Depending on the system, it could take over an hour just to compile the kernel. Not to mention the time it'll take to explore the system and patch holes.

SeanCassidy 28-09-2005 18:46

Re: 263's Computer Hacking Competition
 
Quote:

Originally Posted by sciguy125
What timezone?

EST (UTC -5). We've decided to have a meeting tomorrow at 8pm EST if you can't go to the Friday meeting. If you can't go, feel free to ask the questions here.
Quote:

Originally Posted by sciguy125
That seems short. Depending on the system, it could take over an hour just to compile the kernel. Not to mention the time it'll take to explore the system and patch holes.

What I was planning on was doing the four hour session and then all of us evaluating what we've done. In all likelihood we'll need another four hour (or maybe five if we can squeeze it), but we'll see when we do it. I doubt your kernel compile will take that long on these computers, but I don't know what computers Rob (the_unknown) is using right now. We'll see. But, if you're strapped for time, won't that make the competition interesting? :)

scitobor 617 28-09-2005 19:20

Re: 263's Computer Hacking Competition
 
Quote:

Originally Posted by SeanCassidy
What about this for the vulnerable network service idea? I'll (or if you want to, you can as well, and we'll decide) write the vulnerable network service that you can choose to run. Running it as an unprivileged user will get you 50 or so points, but running it as root will get you 100 or so. If we think this is a good idea, I'll start writing it now.

What are the specifications for backdoors or for the vulnerable network service? I think it would be cool to write our own vulnerable network service to meet your specs. The closer you follow the specs (including specs on vulnerabilities) the more points awarded.

Also, can we write/download an IDS?

SeanCassidy 28-09-2005 19:24

Re: 263's Computer Hacking Competition
 
Quote:

Originally Posted by scitobor 617
What are the specifications for backdoors or for the vulnerable network service? I think it would be cool to write our own vulnerable network service to meet your specs. The closer you follow the specs (including specs on vulnerabilities) the more points awarded.

Just to throw out some ideas:

-It must provide a service (echo, date, it can add two numbers together, etc).
-It must be TCP, not UDP.
-It must be less than 200 lines.
-It must be susceptible to an exploitable buffer overflow exploit. Now what constitutes that is a matter of debate, but keep it simple, and you can get credit for this.

If you like this idea, join the competition and talk to us in IRC tomorrow or Friday.
Quote:

Also, can we write/download an IDS?

Yep. Definite bonus points if you write one, though.

Justin 29-09-2005 14:30

Re: 263's Computer Hacking Competition
 
One question. How come when I joked about cracking the manual the FIRST community had an absolute fit but now a hacking competition is perfectly acceptable?

-Justin

SeanCassidy 29-09-2005 15:11

Re: 263's Computer Hacking Competition
 
Quote:

Originally Posted by Justin
One question. How come when I joked about cracking the manual the FIRST community had an absolute fit but now a hacking competition is perfectly acceptable?

What's wrong with it? We're letting people into our computers and telling them to have fun. We're specifying constraints as well. No one is attacking innocent computers. This has nothing to do with FIRST except for the fact that we want people in the community to participate. Plus, I don't really have to justify my actions to you anyway, but I thought I'd explain to quell any resistance, at least for now.


All times are GMT -5.