beyond a lot of the great reactive or visibility driven suggestions already provided, and assuming this is in a lab environment (i hope) - harden the crap out of the server. standard fare, remove/disable unnecessary services, change default service accounts to low priv. add manual ntfs permissions across the filesystem *and registry* to limit that account's access. patch the os, apps, services, any web software (just assuming they're gonna give you joomla w/ 1500 plugins and modules to make it utterly impossible to win). move db passwords in the code into an included file ../ out of the main web directory, deny writes to all web directories for the duration of the scenario so no webshells can be uploaded, fix outbound connections at the firewall (host and upstream), switch services to listen only on 127.0.0.1, blah blah blah.. the list goes on
how are you measuring successful intrusion? what's the jackpot for red? you could just be a bastard, and move or delete that file :D lock it away in a truecrypt volume protected by keys and passphrases. On Tue, Jul 28, 2009 at 12:56 PM, Tim Mugherini <[email protected]> wrote: > Very Nice. Does Autopatcher allow you to manually copy over patches > (already have many downloaded)? > > To add some: > > Again Sysinternals Tools: Process Monitor, PSTools, TCPView > Kiwi Syslog Server & Viewer or comparable, Mandiant Highlighter > Nessus - Home Feed of course > Dumpsec - NTFS File Permission dumper > Your favorite free sniffer - Wireshark, etc.. > MRTG - Router bandwidth monitoring > AVG or other decent free AV > Snort > > > > > > On Tue, Jul 28, 2009 at 11:05 AM, Carlos Perez < > [email protected]> wrote: > >> 8 GB stick prepared with autopatcher http://www.autopatcher.com/ >> http://www.autopatcher.com/ I would have patches for all versions of >> windows. <http://www.autopatcher.com/>I would also place portable >> firefox, and xamp in case i need to migrate an apache LAMP server to an >> updated version since I have seen a trend of putting apache on windows in >> this competition, also place several pre-made security templates for use >> with GPO or local application, URLscan installer and pre-made urlscan.ini >> files. Komodo free firewall installer and the NSA cisco templates, acl >> templates, Nipper for checking the cisco equipment config quickly and some >> pvaln sample configs. Keepass for password storage and generation. >> >> that is what comes now to mind. >> >> >> On Tue, Jul 28, 2009 at 8:54 AM, John Strand <[email protected]> wrote: >> >>> Please! PSW land! Share your Blue Team tactics! >>> What tools, scripts, and techniques do you use as part of Incident >>> Response and Blue Team Activities? >>> >>> I have sat in on one to many Red/Blue/CTF games where the Red team gets >>> Core, Canvas, Metasploit, Nessus, Satan, Sara, Cain and Able, Ettercap, >>> Dsniff, Hydra, 0phcrack, Nmap, BT4 and various torture techniques (including >>> IronGeek's rubber hoses) and the the Blue team gets.... >>> >>> "An un-patched Windows 2000 box and a slew of un-patched software!!!!!'' >>> >>> Please see the following video for reference: >>> >>> http://www.youtube.com/watch?v=Y77n--Af1qo >>> >>> Yea.. Thats right.... As of today the Blue Team is what you get assigned >>> to when you are caught stuffing peas up your nose. >>> >>> This stops today!!! >>> >>> There are a few rules. Tricks and scripts must be able to run at the >>> command line of your operating system of choice and all tools must be >>> freeware or open source. >>> >>> Thats it!!! >>> >>> Look, the Blue Team *can* rock!!! So please share your tricks. >>> >>> I am going to collect and add to them so we have a solid list and this >>> will serve as the playbook for the Blues going forward. >>> >>> Be expecting this on the PDC site soon. >>> >>> strandjs >>> >>> _______________________________________________ >>> Pauldotcom mailing list >>> [email protected] >>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >>> Main Web Site: http://pauldotcom.com >>> >> >> >> _______________________________________________ >> Pauldotcom mailing list >> [email protected] >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >> Main Web Site: http://pauldotcom.com >> > > > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com >
_______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
