Glad to say that it will not work anymore with the recent changes to the payload :-) but then again a forensic framework will be released soon for detecting it in memory images.

On Wed, Jul 29, 2009 at 10:33 AM, Albert R. Campa <[email protected]> wrote:
> tasklist /m metsrv.dll
>
> ?
> ;)
>
> __________________________________
> Albert R. Campa
>
>
> On Wed, Jul 29, 2009 at 7:38 AM, Bradley McMahon <[email protected]> wrote:
>
>> I wonder if there has ever been a case where someone from the blue team
>> went after the red team's machines.
>>
>> I am not sure of the rules of the CTF, but being a Linux admin I would try
>> to find the MACs and IPs of the attackers as soon as possible and just write
>> an iptables rule to drop all their connections, or maybe route them to a VM so
>> they won't get suspicious.
>> -Brad
>>
>>
>> On Tue, Jul 28, 2009 at 11:29 PM, John Strand <[email protected]> wrote:
>>
>>> Time to bring Tim in on this.
>>>
>>> The White Wolf guys are simply the best at this kind of simulation.
>>>
>>> Tim, care to throw in your two cents?
>>>
>>> john
>>>
>>>
>>> On Jul 28, 2009, at 5:53 PM, Tim Mugherini wrote:
>>>
>>> All good suggestions. To answer Erik's question on scoring, per my
>>> experience last week at the NYC CTF:
>>>
>>> Red Team members were required to run a script on the compromised system
>>> once it was compromised to gain a point for the hack. They were encouraged
>>> to take data, but no DDoS was allowed. However, they could take down systems
>>> towards the end of the day (although they would not get points for doing
>>> so, the blue team would gain points for systems down - more points are
>>> bad for blue).
>>>
>>> Blue Team members with the lowest score won. They needed to keep systems
>>> and services online. If compromised, they could regain (subtract some points)
>>> if they were able to get the systems online quickly and accurately report
>>> data loss to the FBI field office. (Paul and Renald actually did a good job
>>> destroying the team that won, but because they were able to restore and start
>>> over (DR) they regained their lead.)
>>>
>>> So with that said, while tools (both preventative and reactive) would
>>> certainly help the blue team, I think the most important thing is to be
>>> organized, have a plan, have the expertise (one person for Linux, one for
>>> Windows, one for web apps/databases, and one for networking), and know when
>>> to say "we are screwed, let's implement our DR plan". And as Erik pointed out,
>>> lock down the systems!
>>>
>>> Some command line and GUI tools could certainly have helped with this
>>> but would be no substitute for experience and organization. Scripting
>>> command line stuff and GPOs would certainly help in a large environment
>>> (have quite a bit of experience there), but in an exercise like this it may
>>> just slow a team down (better to do it manually since there were only a
>>> handful of systems).
>>>
>>> So AV, log monitoring, best practices (i.e. all of Erik's preventative
>>> suggestions and more), and things like TCSTools Switchblade for incident
>>> response would all be helpful. I'm wondering if the question of what tools
>>> is the right question. Maybe the question is what best practices?
>>>
>>> Just my 2 1/2 cents.
>>>
>>>
>>> On Tue, Jul 28, 2009 at 1:21 PM, Erik Harrison <[email protected]> wrote:
>>>
>>>> Beyond a lot of the great reactive or visibility-driven suggestions
>>>> already provided, and assuming this is in a lab environment (I hope):
>>>> harden the crap out of the server. Standard fare: remove/disable unnecessary
>>>> services, change default service accounts to low priv, add manual NTFS
>>>> permissions across the filesystem *and registry* to limit that account's
>>>> access, patch the OS, apps, services, any web software (just assuming
>>>> they're gonna give you Joomla w/ 1500 plugins and modules to make it
>>>> utterly impossible to win), move DB passwords in the code into an included
>>>> file ../ out of the main web directory, deny writes to all web directories
>>>> for the duration of the scenario so no webshells can be uploaded, fix outbound
>>>> connections at the firewall (host and upstream), switch services to listen
>>>> only on 127.0.0.1, blah blah blah.. the list goes on.
>>>>
>>>> How are you measuring successful intrusion? What's the jackpot for red?
>>>> You could just be a bastard, and move or delete that file :D Lock it away
>>>> in a TrueCrypt volume protected by keys and passphrases.
>>>>
>>>>
>>>> On Tue, Jul 28, 2009 at 12:56 PM, Tim Mugherini <[email protected]> wrote:
>>>>
>>>>> Very nice. Does Autopatcher allow you to manually copy over patches
>>>>> (already have many downloaded)?
>>>>>
>>>>> To add some:
>>>>>
>>>>> Again Sysinternals tools: Process Monitor, PsTools, TCPView
>>>>> Kiwi Syslog Server & Viewer or comparable, Mandiant Highlighter
>>>>> Nessus - Home Feed of course
>>>>> DumpSec - NTFS file permission dumper
>>>>> Your favorite free sniffer - Wireshark, etc..
>>>>> MRTG - router bandwidth monitoring
>>>>> AVG or other decent free AV
>>>>> Snort
>>>>>
>>>>>
>>>>> On Tue, Jul 28, 2009 at 11:05 AM, Carlos Perez <[email protected]> wrote:
>>>>>
>>>>>> 8 GB stick prepared with Autopatcher (http://www.autopatcher.com/); I would
>>>>>> have patches for all versions of Windows. I would also place portable
>>>>>> Firefox, and XAMPP in case I need to migrate an Apache LAMP server to an
>>>>>> updated version since I have seen a trend of putting Apache on Windows in
>>>>>> this competition, also place several pre-made security templates for use
>>>>>> with GPO or local application, URLScan installer and pre-made urlscan.ini
>>>>>> files, Comodo free firewall installer and the NSA Cisco templates, ACL
>>>>>> templates, Nipper for checking the Cisco equipment config quickly and
>>>>>> some PVLAN sample configs. KeePass for password storage and generation.
>>>>>>
>>>>>> That is what comes to mind now.
>>>>>>
>>>>>>
>>>>>> On Tue, Jul 28, 2009 at 8:54 AM, John Strand <[email protected]> wrote:
>>>>>>
>>>>>>> Please! PSW land! Share your Blue Team tactics!
>>>>>>> What tools, scripts, and techniques do you use as part of Incident
>>>>>>> Response and Blue Team activities?
>>>>>>>
>>>>>>> I have sat in on one too many Red/Blue/CTF games where the Red team
>>>>>>> gets Core, Canvas, Metasploit, Nessus, SATAN, SARA, Cain and Abel,
>>>>>>> Ettercap, Dsniff, Hydra, Ophcrack, Nmap, BT4 and various torture techniques
>>>>>>> (including IronGeek's rubber hoses) and the Blue team gets....
>>>>>>>
>>>>>>> "An un-patched Windows 2000 box and a slew of un-patched software!!!!!"
>>>>>>>
>>>>>>> Please see the following video for reference:
>>>>>>>
>>>>>>> http://www.youtube.com/watch?v=Y77n--Af1qo
>>>>>>>
>>>>>>> Yea.. That's right.... As of today the Blue Team is what you get
>>>>>>> assigned to when you are caught stuffing peas up your nose.
>>>>>>>
>>>>>>> This stops today!!!
>>>>>>>
>>>>>>> There are a few rules. Tricks and scripts must be able to run at the
>>>>>>> command line of your operating system of choice and all tools must be
>>>>>>> freeware or open source.
>>>>>>>
>>>>>>> That's it!!!
>>>>>>>
>>>>>>> Look, the Blue Team *can* rock!!! So please share your tricks.
>>>>>>>
>>>>>>> I am going to collect and add to them so we have a solid list and
>>>>>>> this will serve as the playbook for the Blues going forward.
>>>>>>>
>>>>>>> Be expecting this on the PDC site soon.
>>>>>>>
>>>>>>> strandjs
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Pauldotcom mailing list
>>>>>>> [email protected]
>>>>>>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>>>>>>> Main Web Site: http://pauldotcom.com
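Added example, not code posted by anyone in the thread above: a small POSIX sh script that turns Brad's two containment ideas (drop the attackers' IPs/MACs, or quietly route them to a decoy VM) and two of Erik's hardening items (deny writes to the web root, listen only on loopback) into checked command-line functions, in keeping with John's "must run at the command line, freeware only" rule. It assumes a Linux host with iptables, chattr and ss; the attacker address 10.0.0.5 and decoy 192.168.56.10 used in the usage line and comments are made up. It defaults to DRY_RUN=1, which prints the commands instead of executing them, so the rules can be eyeballed before being applied as root.

```shell
#!/bin/sh
# Blue-team containment helper (added example; not from the mailing list).
# DRY_RUN=1 (default) prints each command instead of running it, so the
# script can be reviewed or tested on a box without iptables; DRY_RUN=0
# executes them and must then run as root.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Accept only a sane dotted quad: a typo here would block the wrong host
# or hand iptables something it parses as a hostname and resolves.
is_ipv4() {
    addr=$1
    case $addr in ''|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Six colon-separated hex pairs, e.g. 00:0c:29:3a:b4:11 (made-up address).
is_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# Brad's first option: silently drop everything from the attacker's IP.
# Inserted at the head of INPUT so it beats any ESTABLISHED/ACCEPT rule,
# which also kills sessions they already have open.
block_ip() {
    is_ipv4 "$1" || { echo "block_ip: bad IPv4 '$1'" >&2; return 1; }
    run iptables -I INPUT -s "$1" -j DROP
}

# Same by source MAC. Only works while the attacker is on our L2 segment;
# anything that crossed a router arrives with the router's MAC instead.
block_mac() {
    is_mac "$1" || { echo "block_mac: bad MAC '$1'" >&2; return 1; }
    run iptables -I INPUT -m mac --mac-source "$1" -j DROP
}

# Brad's second option: DNAT the attacker's traffic to a decoy VM so they
# keep "owning" something that is not the scored host. Needs IP forwarding
# on; MASQUERADE makes the decoy answer back through this box so conntrack
# can reverse the DNAT on the return path.
divert_ip() {
    attacker=$1; decoy=$2
    { is_ipv4 "$attacker" && is_ipv4 "$decoy"; } ||
        { echo "divert_ip: bad address" >&2; return 1; }
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -I PREROUTING -s "$attacker" -j DNAT --to-destination "$decoy"
    run iptables -I FORWARD -s "$attacker" -d "$decoy" -j ACCEPT
    run iptables -t nat -I POSTROUTING -s "$attacker" -d "$decoy" -j MASQUERADE
}

# Erik's "deny writes to all web directories": root-owned, no write bits,
# and immutable so even a root-level webshell cannot drop files. Undo with
# `chattr -R -i DIR` before restoring or patching the web app.
freeze_webroot() {
    [ -n "$1" ] || return 1
    run chown -R root:root "$1"
    run chmod -R a-w "$1"
    run chattr -R +i "$1"
}

# Erik's "listen only on 127.0.0.1" check: pipe in `ss -Hlnt` (or a saved
# copy of it) and it prints every TCP listener not bound to loopback.
exposed_listeners() {
    awk '$4 !~ /^(127\.|\[::1\]:)/ { print $4 }'
}

case ${1:-} in
    block)  block_ip "$2" ;;
    mac)    block_mac "$2" ;;
    divert) divert_ip "$2" "$3" ;;
    freeze) freeze_webroot "$2" ;;
    listen) ss -Hlnt | exposed_listeners ;;
    *) echo "usage: $0 block IP | mac MAC | divert IP DECOY | freeze DIR | listen" >&2 ;;
esac
```

Run `sh blue_lockdown.sh divert 10.0.0.5 192.168.56.10` to see the rules it would add, then `DRY_RUN=0 sudo sh blue_lockdown.sh divert 10.0.0.5 192.168.56.10` to apply them. Two caveats match what Brad and Erik sketched: the MAC rule is useless once the red team is a hop away, and the decoy trick only fools them while the decoy is reachable from this box and forwarding stays enabled. Remember to lift the immutable bit before the DR restore Tim describes, or the restore will fail on every file under the web root.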
