Hello everyone. A few of my fellow teammates and I want to put together a little wargame (not unlike roothack) where we would have two boxes on a LAN and hack each other's computers. We’re not positive on every detail yet, but here’s what we have so far that we’re not going to change.
-Two (or possibly more) computers on a LAN. One gateway box to ssh into. The game might be like roothack’s, where you get a certain amount of time to secure your box (the grace period) and then the open season begins after that.
-The OS will be Linux, although the distro is not decided (it may even be random). This is immutable.
-Three team members max.
Other ideas we’ve thrown together:
-Write a vulnerable network service running as root that you can exploit as well.
-If the competition stalemates (no hacking being done), forced opening of various services.
If you have any ideas, we’re pretty open. We just want this to be a fun learning experience for everyone involved. Hopefully we’ll make this a regular thing. Ideally, your team should have experience in programming for Linux, in securing boxes, and even exploit writing. This idea needs to be thought out a lot more fully, so we need your help. Post here for additions, and PM me with your e-mail if you’re interested.
Ooh, this looks like a great idea! I’m getting my Cisco certification just so I can learn about network security. What would be the rules on software you’re allowed to use? Also, would it be school teams or can we form teams?
What we’re probably going to do is give you a Linux box on my teammate’s LAN. You’ll be able to run anything you want, basically. We are really serious about cracking though. We’ll be logging every packet sent to and fro on the network, and we’ll also be watching everything you do on all the boxes. So we really don’t want you launching attacks from here. If you do, we’ll simply forward your information and cooperate with the authorities. If you have a question on the legality of a certain piece of software, ask. Anything you’ve written as well. Use common sense; we don’t want you attacking other boxes on the network either.
We were originally going to do school robotics teams, but I see nothing wrong with letting anyone in. I’d really like to keep it to FIRST participants only. This might be bent, but contact me if that’s the case.
What do you get for winning? And if you wanted to make this a challenge, set up an XP box to see if there are some good crackers. Or would that be illegal, to use Microsoft products like that?
This seems like a good thing for nationals where lots of people can participate. I asked about forming our own teams because I’ll probably be the only one on my team doing this type of thing.
Microsoft is WAY too easy. Just using command prompts alone…
We will not under any circumstances be using Windows for this game. Team 263 is very small (in terms of participating members), and any member that would participate in this game would be very busy during nationals. (We will probably not be attending this year, but that’s another story.) Any questions about this game can also be sent to me; I will try and get an answer back to you as soon as possible.
Most likely. You’ll have at the very least a few hours to set up a working ftp/http server, and we’ll get down to the exact rules and constraints eventually. We might say you have to be running Apache 1.3 or sendmail, or even samba. It’ll be your job to put up the servers and make sure they’re up to date security wise.
You should be very familiar with Linux going into this. Compiling glibc, kernels, and servers from source is not out of the question (but totally up to you if you care about security). If you’re not familiar with Linux, you better be a very fast learner.
d00d! 7h47 w0u1d pwn!!1one! A11 of joo wi1 937 t0 s33 my 1337 h4xin9 skillz!
Okay, here’s a draft of the game I decided to write up.
The game will be point based. Both computers will run the same distro of Linux on very similar computers. There will be a grace period. No hacking of any kind is allowed during this period. It results in an instant loss if it’s detected. Social engineering is allowed, though, during this period.
Here is the point allocation:
-150 points for every minute you hold root on a victim computer.
-0-50 points based on overall how secure your computer is. This will be judged after competition.
-10 points for running Apache 1.3 during the entire open season.
-10 points for running sendmail 8 during the entire open season.
-10 points for running ProFTPD 1.2 during the entire open season.
-25 points for a working kernel recompile by hand!
-100 points for writing your own vulnerable network service and running it as root (not in a chroot) during the entire open season. This is only worth 50 points if you don’t run it as root.
-200 points for giving a working exploit for the network service.
-0-20 points for social engineering.
-0-30 points for any special attacks (ARP poisoning, keylogging, packet sniffing)
-0-30 points for any special defenses.
-1 point for every minute before open season that you’re completely done. (NO screen sessions running, etc.) You can tell us when you’re done and we’ll cut access to your box.
-0-30 points for the whitepaper describing what happened.
-0-30 points for securely backdooring your own box.
-0-75 points for overall attack strategy. If you use metasploit or nessus, prepare to get very low points here.
Other rules:
-You cannot reboot in open season. It’s an instant loss if you do.
-No outbound connections from your box inside the LAN.
-You can only attack the victim computers on the LAN; anything else, even scanning other boxes, is an instant loss for that team.
-We’ll be logging everything, please don’t touch the logs. We want to look at the games afterwards too.
-If you don’t want your 0day to be released, don’t use it here.
-You must use vanilla kernels, and nothing you use can be stack guard compiled (especially your vulnerable network daemon).
Most of this will be judged after the competition. We hope to make this as professional as possible. We’ll probably be in #aftershock on irc.freenode.net too. I’m usually in there as bockman.
We have some opposing ideas on the format of the game itself. We can do it like a four hour grace period and an eight hour open season in one day, or break it up. Possibly three four hour sessions over a week. Any ideas about this?
I’ll stock up on caffeine pills, soap, shirts, and drinks. You know, suddenly I’m remembering the thread about how much soda will kill you. Who wants to test that calculator?
I like the 36 hour idea. But maybe you could plan it for mid-December so that we don’t have to worry about school and focus on the h4xin9. January would fit better for my school schedule (I have an obscenely long break), but that would cut into build period.
Quick idea for after this is over (or maybe in place of this, something like that)…
A programming challenge in the same format as this. You don’t know what you have to do until the first day and everything has to be made from scratch (no pre-made libraries). To make it really interesting, a combination of languages/platforms, e.g. have a client program that has to interact with a web program. Points for cross-OS compatibility and/or cross-database compatibility (having a nice SQL abstraction layer that could work with MySQL, MsSQL and PostgreSQL).
Kernel recompiling really can only be done during grace period. If you can’t get it done before then, though. We’ll be there to catch your computer if your kernel doesn’t reboot so backup your old kernels. The reason for lack of rebooting in the open season is so if you see someone rooting your box, you can’t just reboot to stop them. Or reboot multiple times to avoid attacks, etc.
Good question. I was thinking of a network service that in some way is vulnerable to a buffer overflow. You can change that up a bit, make the client and server do a bit of handshaking or something, it’s up to you. But it must be exploitable by a buffer overflow. Anything else is a bit beyond our scope I’d guess. Don’t pull any funny stuff, and you can expect a good outcome on this part. And keep it simple too. Anything over 200 lines is way too excessive.
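An added illustration (not code from anyone in this thread) of the flaw class the post describes: a request handler that copies an untrusted line into a fixed stack buffer with no length check, shown next to the bounded form a team would want in every service it has to keep up for points. The function names and the 64-byte line limit are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the thread: the pattern the post describes
 * (a fixed stack buffer filled from an untrusted line with no length
 * check) beside the bounded form that rejects over-long input. */

#define LINE_MAX 64   /* assumed line limit for the example */

/* Vulnerable form: strcpy() trusts the caller's line and writes past
 * buf[] whenever the input is LINE_MAX bytes or longer. This is the
 * defect the rules ask for in the daemon, and nowhere else. */
int handle_request_vuln(const char *line) {
    char buf[LINE_MAX];
    strcpy(buf, line);            /* no bound: stack buffer overflow */
    return (int)strlen(buf);      /* echo back the accepted length */
}

/* Hardened form: measure with a bound, refuse anything that does not
 * fit (rather than silently truncating), copy with an explicit length
 * and always terminate. Returns -1 for rejected input. */
int handle_request_safe(const char *line) {
    char buf[LINE_MAX];
    size_t n = strnlen(line, LINE_MAX);
    if (n >= LINE_MAX)
        return -1;                /* too long for buf[]: reject */
    memcpy(buf, line, n);
    buf[n] = '\0';
    return (int)n;
}

int main(void) {
    /* constructed sample inputs */
    const char *good = "HELO team263";
    char big[200];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    printf("short line: safe=%d vuln=%d\n",
           handle_request_safe(good), handle_request_vuln(good));
    /* Only the bounded handler is given the long line here; the
     * unbounded one would corrupt its own stack frame on it. */
    printf("199-byte line: safe=%d\n", handle_request_safe(big));
    return 0;
}
```

Reviewing a daemon for this pattern (fixed-size buffers fed by strcpy, sprintf, gets or an unchecked read length) is also how the judges can confirm the service really is exploitable the way the rules require.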
Why don’t we do both? We can do the multiple small periods now, and then the longer game later. We need to hammer the rules out anyway and what better way to find weaknesses in rules than to actually play the game? Who knows, we may even get good enough to assemble a few teams to play the real roothack.