tasklist /m metsrv.dll ? ;)
__________________________________
Albert R. Campa

On Wed, Jul 29, 2009 at 7:38 AM, Bradley McMahon <[email protected]> wrote:
> I wonder if there has ever been a case where someone from the blue team
> went after the red team's machines.
>
> I am not sure of the rules of the CTF but, being a Linux admin, I would try
> to find the MACs and IPs of the attackers as soon as possible and just write
> an iptables rule to drop all their connections, or maybe route them to a VM so
> they won't get suspicious.
> -Brad
>
> On Tue, Jul 28, 2009 at 11:29 PM, John Strand <[email protected]> wrote:
>> Time to bring Tim in on this.
>>
>> The White Wolf guys are simply the best at this kind of simulation.
>>
>> Tim, care to throw in your two cents?
>>
>> john
>>
>> On Jul 28, 2009, at 5:53 PM, Tim Mugherini wrote:
>>
>> All good suggestions. To answer Erik's question on scoring, per my
>> experience last week at the NYC CTF:
>>
>> Red Team members were required to run a script on the compromised system
>> once it was compromised to gain a point for the hack. They were encouraged
>> to take data but no DDoS was allowed. However, they could take down systems
>> towards the end of the day (although they would not get points for doing
>> so, but the blue team would gain points for systems down - more points are
>> bad for blue).
>>
>> Blue Team members with the lowest score won. They needed to keep systems
>> and services online. If compromised they could regain (subtract some points)
>> if they were able to get the systems online quickly and accurately report
>> data loss to the FBI field office. (Paul and Renald actually did a good job
>> destroying the team that won, but because they were able to restore and start
>> over (DR) they regained their lead.)
>>
>> So with that said, while tools (both preventative and reactive) would
>> certainly help the blue team, I think the most important thing is to be
>> organized, have a plan, have the expertise (one person for Linux, one for
>> Windows, one for web apps/databases, and one for networking), and know when
>> to say "we are screwed, let's implement our DR plan". And as Erik pointed out,
>> lock down the systems!
>>
>> Some command line and gooey tools could certainly have helped with this
>> but would be no substitute for experience and organization. Scripting
>> command line stuff and GPOs would certainly help in a large environment
>> (have quite a bit of experience there) but in an exercise like this it may
>> just slow a team down (better to do it manually since there were only a
>> handful of systems).
>>
>> So AV, log monitoring, best practices (i.e. all of Erik's preventative
>> suggestions and more), and things like TCSTools switchblade for incident
>> response would all be helpful. I'm wondering if the question of what tools
>> is the right question. Maybe the question is what best practices?
>>
>> Just my 2 1/2 cents.
>>
>> On Tue, Jul 28, 2009 at 1:21 PM, Erik Harrison <[email protected]> wrote:
>>> Beyond a lot of the great reactive or visibility driven suggestions
>>> already provided, and assuming this is in a lab environment (I hope) -
>>> harden the crap out of the server. Standard fare: remove/disable unnecessary
>>> services, change default service accounts to low priv, add manual NTFS
>>> permissions across the filesystem *and registry* to limit that account's
>>> access, patch the OS, apps, services, any web software (just assuming
>>> they're gonna give you Joomla w/ 1500 plugins and modules to make it utterly
>>> impossible to win), move DB passwords in the code into an included file ../
>>> out of the main web directory, deny writes to all web directories for the
>>> duration of the scenario so no webshells can be uploaded, fix outbound
>>> connections at the firewall (host and upstream), switch services to listen
>>> only on 127.0.0.1, blah blah blah... the list goes on.
>>>
>>> How are you measuring successful intrusion? What's the jackpot for red?
>>> You could just be a bastard, and move or delete that file :D Lock it away in
>>> a TrueCrypt volume protected by keys and passphrases.
>>>
>>> On Tue, Jul 28, 2009 at 12:56 PM, Tim Mugherini <[email protected]> wrote:
>>>> Very nice. Does Autopatcher allow you to manually copy over patches
>>>> (already have many downloaded)?
>>>>
>>>> To add some:
>>>>
>>>> Again Sysinternals tools: Process Monitor, PsTools, TCPView
>>>> Kiwi Syslog Server & Viewer or comparable, Mandiant Highlighter
>>>> Nessus - Home Feed of course
>>>> DumpSec - NTFS file permission dumper
>>>> Your favorite free sniffer - Wireshark, etc.
>>>> MRTG - Router bandwidth monitoring
>>>> AVG or other decent free AV
>>>> Snort
>>>>
>>>> On Tue, Jul 28, 2009 at 11:05 AM, Carlos Perez <[email protected]> wrote:
>>>>> 8 GB stick prepared with Autopatcher (http://www.autopatcher.com/). I would
>>>>> have patches for all versions of Windows. I would also place Portable
>>>>> Firefox, and XAMPP in case I need to migrate an Apache LAMP server to an
>>>>> updated version since I have seen a trend of putting Apache on Windows in
>>>>> this competition, also place several pre-made security templates for use
>>>>> with GPO or local application, URLScan installer and pre-made urlscan.ini
>>>>> files, Comodo free firewall installer and the NSA Cisco templates, ACL
>>>>> templates, Nipper for checking the Cisco equipment config quickly and some
>>>>> PVLAN sample configs. KeePass for password storage and generation.
>>>>>
>>>>> That is what comes to mind now.
>>>>>
>>>>> On Tue, Jul 28, 2009 at 8:54 AM, John Strand <[email protected]> wrote:
>>>>>> Please! PSW land! Share your Blue Team tactics!
>>>>>> What tools, scripts, and techniques do you use as part of Incident
>>>>>> Response and Blue Team activities?
>>>>>>
>>>>>> I have sat in on one too many Red/Blue/CTF games where the Red team
>>>>>> gets Core, Canvas, Metasploit, Nessus, SATAN, SARA, Cain and Abel,
>>>>>> Ettercap, Dsniff, Hydra, Ophcrack, Nmap, BT4 and various torture techniques
>>>>>> (including IronGeek's rubber hoses) and the Blue team gets....
>>>>>>
>>>>>> "An un-patched Windows 2000 box and a slew of un-patched
>>>>>> software!!!!!"
>>>>>>
>>>>>> Please see the following video for reference:
>>>>>>
>>>>>> http://www.youtube.com/watch?v=Y77n--Af1qo
>>>>>>
>>>>>> Yea.. That's right.... As of today the Blue Team is what you get
>>>>>> assigned to when you are caught stuffing peas up your nose.
>>>>>>
>>>>>> This stops today!!!
>>>>>>
>>>>>> There are a few rules. Tricks and scripts must be able to run at the
>>>>>> command line of your operating system of choice and all tools must be
>>>>>> freeware or open source.
>>>>>>
>>>>>> That's it!!!
>>>>>>
>>>>>> Look, the Blue Team *can* rock!!! So please share your tricks.
>>>>>>
>>>>>> I am going to collect and add to them so we have a solid list and this
>>>>>> will serve as the playbook for the Blues going forward.
>>>>>>
>>>>>> Be expecting this on the PDC site soon.
>>>>>>
>>>>>> strandjs
_______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
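Albert's one-liner at the top asks tasklist to list only processes that have loaded a module named metsrv.dll. As an added example that is not part of the thread, the script below runs the same idea as a sweep over the full output of `tasklist /m`: it parses the fixed-width table (including the continuation lines tasklist uses when a module list wraps) and reports every process whose module list contains a name on a watchlist. The sample output is constructed for the example; metsrv.dll is the name from the thread, and the two ext_server_*.dll names are Meterpreter extension DLL names from the Metasploit tree, added on the assumption that the red team has not renamed them.

```python
"""Sweep `tasklist /m` output for processes that have loaded watchlisted DLLs.

Added example, not from the thread. Parses the text `tasklist /m` prints
(every process with its loaded modules) and reports each process whose
module list contains a watchlisted name.
"""
import re
import subprocess
from typing import Dict, List, Tuple

# Constructed sample of `tasklist /m` output. Real output has the same shape:
# a header, a separator line of '=' characters, one line per process, and
# continuation lines (leading whitespace) when the module list wraps.
SAMPLE_TASKLIST = """\
Image Name                     PID Modules
========================= ======== ============================================
System Idle Process              0 N/A
smss.exe                       384 ntdll.dll
csrss.exe                      448 ntdll.dll, CSRSRV.dll, basesrv.dll,
                                   winsrv.dll, GDI32.dll, KERNEL32.dll
svchost.exe                   1024 ntdll.dll, kernel32.dll, ADVAPI32.dll,
                                   metsrv.dll, ws2_32.dll
notepad.exe                   2212 ntdll.dll, kernel32.dll, USER32.dll
"""

# metsrv.dll is the name checked in the thread; the ext_server_* names are
# Meterpreter extension DLLs from the Metasploit tree (assumption: unrenamed).
WATCHLIST = {"metsrv.dll", "ext_server_stdapi.dll", "ext_server_priv.dll"}

# image name, PID, then the (possibly empty or "N/A") first chunk of modules
PROCESS_LINE = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+(?P<mods>.*)$")


def _split_modules(chunk: str) -> List[str]:
    """Split a comma-separated module chunk into lowercased names, dropping N/A."""
    names = [p.strip() for p in chunk.split(",")]
    return [n.lower() for n in names if n and n.upper() != "N/A"]


def parse_tasklist(text: str) -> Dict[int, dict]:
    """Return {pid: {"image": name, "modules": [lowercased module names]}}."""
    procs: Dict[int, dict] = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue
        if line[0].isspace():
            # Continuation of the previous process's wrapped module list.
            if current is not None:
                current["modules"].extend(_split_modules(line))
            continue
        m = PROCESS_LINE.match(line)
        if not m:
            # e.g. "INFO: No tasks are running which match the specified criteria."
            continue
        current = {"image": m.group("image").strip(),
                   "modules": _split_modules(m.group("mods"))}
        procs[int(m.group("pid"))] = current
    return procs


def find_loaded(procs: Dict[int, dict], watchlist) -> List[Tuple[int, str, List[str]]]:
    """Return (pid, image, [matching modules]) for each process loading a watched DLL."""
    wanted = {w.lower() for w in watchlist}
    hits = []
    for pid, info in sorted(procs.items()):
        matches = sorted(set(info["modules"]) & wanted)
        if matches:
            hits.append((pid, info["image"], matches))
    return hits


def run_live() -> List[Tuple[int, str, List[str]]]:
    """Run `tasklist /m` on a Windows host and sweep the real output."""
    out = subprocess.run(["tasklist", "/m"], capture_output=True,
                         text=True, check=True).stdout
    return find_loaded(parse_tasklist(out), WATCHLIST)


if __name__ == "__main__":
    for pid, image, mods in find_loaded(parse_tasklist(SAMPLE_TASKLIST), WATCHLIST):
        print(f"PID {pid:>6} {image:<20} loaded: {', '.join(mods)}")
```

Two caveats for anyone using this on a live box. The check matches on file name only, so a renamed DLL passes straight through; treat the watchlist as a starting point. More importantly, Meterpreter loads metsrv reflectively (its own loader, not LoadLibrary), so the DLL is not registered in the process's module list that tasklist /m enumerates: a hit means something on disk was loaded the ordinary way, while a miss proves nothing. It is a quick triage pass, not a clean bill of health.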
