That is one of the funniest things I have seen today...
Sad... But many people dont change the name..
On Jul 29, 2009, at 8:33 AM, Albert R. Campa wrote:
tasklist /m metsrv.dll
?
;)
__________________________________
Albert R. Campa
On Wed, Jul 29, 2009 at 7:38 AM, Bradley McMahon <[email protected]
> wrote:
I wonder if there has ever been a case where someone from the blue
team went after the red teams machines.
I am not sure of the rules of the CTF but being a linux admin I
would try to find the MACs and IPs of the attackers as soon as
possible and just write a iptables rule to drop all their
connections or maybe route them to VM so they won't get suspicious.
-Brad
On Tue, Jul 28, 2009 at 11:29 PM, John Strand <[email protected]>
wrote:
Time to bring Tim in on this.
The White Wolf guys are simply the best at this kind of simulation.
Tim, care to throw in your two cents?
john
On Jul 28, 2009, at 5:53 PM, Tim Mugherini wrote:
All Good Suggestions. To answer Erik's question on scoring per my
experience last week at the NYC CTF.
Red Team members were required to run a script on the comrpomised
system once it was compromised to gain a point for the hack. They
were encouraged to take data but no DDOS were allowed. However,
they could take down systems towards the end of the day (although
they would not getting points for doing so but the blue team would
gain points for systems down - more points are bad for blue).
Blue Team Members with the lowest score won. They needed to keep
systems and services online. If compromised they could regain
(subtract some points) if they were able to get the systems online
quickly and accurately report data loss to the FBI field office.
(Paul and Renald actually did a good job destroying the team that
won but because they were able to restore and start over (DR) they
regained their lead.
So with that said while tools (both preventative and reactive)
would certainly help the blue team, I think the most important
thing is to be organized, have a plan, have the expertise (one
person for linux, one for windows, one for web apps/databases, and
one for networking), and know when to say we are screwed lets
implement our DR plan. And ss Erik pointed out lock down the systems!
Some command line and gooyee tools could certainly have helped with
this but would be no substitute for experience and organization.
Scripting command line stuff and GPO's would certainly help in a
large environment (have quite of bit of experience there) but in an
exercise like this it may just slow a team down (better to do it
manually since there were only a handful of systems).
So AV, log monitoring, best practices (i.e. all of Erik's
preventative suggestions and more), and things like TCSTools
switchblade for incident response would all be helpful. I'm
wondering if the questions of what tools is the right question.
Maybe the question is what best practices?
Just My 2 1/2 cents.
On Tue, Jul 28, 2009 at 1:21 PM, Erik Harrison
<[email protected]> wrote:
beyond a lot of the great reactive or visibility driven suggestions
already provided, and assuming this is in a lab environment (i
hope) - harden the crap out of the server. standard fare, remove/
disable unnecessary services, change default service accounts to
low priv. add manual ntfs permissions across the filesystem *and
registry* to limit that account's access. patch the os, apps,
services, any web software (just assuming they're gonna give you
joomla w/ 1500 plugins and modules to make it utterly impossible to
win). move db passwords in the code into an included file ../ out
of the main web directory, deny writes to all web directories for
the duration of the scenario so no webshells can be uploaded, fix
outbound connections at the firewall (host and upstream), switch
services to listen only on 127.0.0.1, blah blah blah.. the list
goes on
how are you measuring successful intrusion? what's the jackpot for
red? you could just be a bastard, and move or delete that file :D
lock it away in a truecrypt volume protected by keys and passphrases.
On Tue, Jul 28, 2009 at 12:56 PM, Tim Mugherini
<[email protected]> wrote:
Very Nice. Does Autopatcher allow you to manually copy over patches
(already have many downloaded)?
To add some:
Again Sysinternals Tools: Process Monitor, PSTools, TCPView
Kiwi Syslog Server & Viewer or comparable, Mandiant Highlighter
Nessus - Home Feed of course
Dumpsec - NTFS File Permission dumper
Your favorite free sniffer - Wireshark, etc..
MRTG - Router bandwidth monitoring
AVG or other decent free AV
Snort
On Tue, Jul 28, 2009 at 11:05 AM, Carlos Perez <[email protected]
> wrote:
8 GB stick prepared with autopatcher http://www.autopatcher.com/http://www.autopatcher.com/
I would have patches for all versions of windows.
I would also place portable firefox, and xamp in case i need to
migrate an apache LAMP server to an updated version since I have
seen a trend of putting apache on windows in this competition, also
place several pre-made security templates for use with GPO or local
application, URLscan installer and pre-made urlscan.ini files.
Komodo free firewall installer and the NSA cisco templates, acl
templates, Nipper for checking the cisco equipment config quickly
and some pvaln sample configs. Keepass for password storage and
generation.
that is what comes now to mind.
On Tue, Jul 28, 2009 at 8:54 AM, John Strand <[email protected]>
wrote:
Please! PSW land! Share your Blue Team tactics!
What tools, scripts, and techniques do you use as part of Incident
Response and Blue Team Activities?
I have sat in on one to many Red/Blue/CTF games where the Red team
gets Core, Canvas, Metasploit, Nessus, Satan, Sara, Cain and Able,
Ettercap, Dsniff, Hydra, 0phcrack, Nmap, BT4 and various torture
techniques (including IronGeek's rubber hoses) and the the Blue
team gets....
"An un-patched Windows 2000 box and a slew of un-patched
software!!!!!''
Please see the following video for reference:
http://www.youtube.com/watch?v=Y77n--Af1qo
Yea.. Thats right.... As of today the Blue Team is what you get
assigned to when you are caught stuffing peas up your nose.
This stops today!!!
There are a few rules. Tricks and scripts must be able to run at
the command line of your operating system of choice and all tools
must be freeware or open source.
Thats it!!!
Look, the Blue Team can rock!!! So please share your tricks.
I am going to collect and add to them so we have a solid list and
this will serve as the playbook for the Blues going forward.
Be expecting this on the PDC site soon.
strandjs
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
