UCSB CTF Analysis - PowerPoint PPT Presentation

Title: UCSB CTF Analysis
Slides: 20
Provided by: Chris9

Transcript and Presenter's Notes


1
UCSB CTF Analysis
  • LCDR Eagle

2
Packet Captures
  • Available at
  • http://rsgmail.cs.ucsb.edu/CTF/
  • > 2 GB of data
  • That's a lot of packets
  • Split across 8 files
  • How do you sort through it all?
  • Filters!

3
Useful Tools
  • tcpdump
  • Can read from a capture file (-r) instead of from the NIC
  • Use it to filter out unwanted packets and write the rest to a new file (-w)
  • mergecap
  • Included with Ethereal (now Wireshark)
  • Use it to combine multiple capture files into a
    single file
  • Nice when large captures have been split for ease
    of distribution

4
Combining Files
  • Use mergecap at some point
  • mergecap -w dumpfile tcpdump-1of8 tcpdump-2of8
  • Combines all of the packets in the listed files
    into one large file named dumpfile
  • You can do this once before any other filtering,
    or you can perform initial filtering on all
    pieces and then combine the filtered pieces

5
Filtering
  • First, get rid of all gateway traffic
  • Every packet is seen twice
  • Once in original form
  • Once after NATing as it departs the gateway
  • This filter halves the amount of data
  • tcpdump -r dumpfile -w nogw -s 0 not host 10.1.1.1
  • Reads from dumpfile and writes only those packets
    not containing address 10.1.1.1 (as source or destination) to file nogw

6
Filtering Scoring Traffic
  • A quick look at the data reveals that the scoring
    system lived at 10.90.0.1
  • If you want to focus on what the players did:
  • tcpdump -r nogw -w players -s 0 not host 10.90.0.1
  • For scoring traffic only:
  • tcpdump -r nogw -w scoring -s 0 host 10.90.0.1

7
Filtering By Protocol
  • tcpdump -r nogw -w icmp -s 0 icmp
  • tcpdump -r nogw -w udp -s 0 udp
  • tcpdump -r nogw -w tcp -s 0 tcp
  • tcpdump -r nogw -w other -s 0 not icmp and not udp and not tcp

8
Filtering By Service
  • Grabbing sfind traffic (UDP port 31337)
  • tcpdump -r udp -w sfind -s 0 port 31337
  • Grabbing icecast traffic
  • tcpdump -r tcp -w ice -s 0 port 8000
  • Grabbing ftp traffic
  • tcpdump -r tcp -w ftp -s 0 port 20 or port 21
  • Grabbing http traffic
  • tcpdump -r tcp -w http -s 0 port 80

9
sfind Analysis
  • By far the fewest probes/attacks
  • Why?
  • Not a single legitimate attempt at a buffer
    overflow
  • Some teams did pass extra parameters in the
    keyword field to try information leak
    attacks based on find results
  • 10.70.x.x grabbed every other team's hashed sfind
    password, whether they realized it or not

10
ftp Analysis
  • Only 276 big packets fired at ftp servers all
    day
  • Some of these were continuation packets
  • Some were Nessus-generated
  • Conclusion: not a lot of ftp attacks conducted
  • 10.50.2.4 attacked with Core Impact
  • Ineffective: no attempt to take EIP

11
ftp Analysis
  • 2 attacks from 10.30.10.99
  • Bad offset
  • Goal: open a listener on port 7512
  • 3 attacks from 10.30.10.40
  • Bad offset
  • Goal: callback to the attacker on port 7512
  • 1 attack from 10.50.2.99
  • Missed offset
  • Goal: open a listener on port 30464

12
ftp Analysis
  • Team 10.10.30.x had developed a brute-force
    offset generator by the end of the day
  • Attempted attack
  • If the attack failed, automatically changed the offset
    and retried
  • At least 87 separate attacks starting at 16:50
  • Accounts for 174 of the large packets
  • Goal: shell attached to the original socket

13
ftp Analysis
  • Success
  • At 17:03:05.790392
  • 10.10.30.2 exploited the ftp service on 10.20.30.99
  • Remained connected through 17:06:00.912382
  • Poked around, didn't do much
  • Back in at 17:24:37.247418
  • Tried to copy the flag to the flag file BUT used the wrong
    file name
  • /tmp/x11-unix instead of /tmp/.x11-unix
  • Dropped a script to repeatedly change the flag,
    but used the wrong file name AND never started the
    script
  • Disconnected at 17:27:50.465256

14
icecast Analysis
  • No one ever used the gimmepw backdoor
  • strings ice | grep gimmepw
  • If we had a match, how do we correlate it to a
    packet or packets?
  • ngrep is another useful tool for analyzing
    packets
  • Performs grep-like searches on packet content
  • http://ngrep.sourceforge.net

15
icecast Analysis
  • Which teams used the /admin URL to attempt to
    access flags?
  • ngrep -I ice -O admin -q "/admin"
  • 150 matches, only 4 IPs
  • 10.10.10.3
  • 10.30.10.99 (argus)
  • Problem: this team authenticated with its own
    icecast password
  • admin/megmanca
  • If the other teams had sniffed and noticed, they
    would have gained access
  • 10.70.0.99
  • 10.70.97.13
  • Even with the proper password, none used the proper request
    format to change any key bytes
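
The following is an added example, not code from the presentation: a minimal pcap reader in Python that applies the same selections the tcpdump commands on slides 4 through 8 express (not host gateway, host / not host scoring, the icmp/udp/tcp split, port selection) and then the ngrep-style payload search from slides 14 and 15, mapping a content match back to the packet's source and destination. The capture it reads is constructed inline, with one NAT twin per packet as slide 5 describes, so it runs offline. The addresses 10.1.1.1 and 10.90.0.1 and the ports are the ones on the slides; the victim host, source ports, MAC addresses and payloads are assumptions made up for the example.

```python
"""Added example: a minimal pcap reader reproducing the slide filters.
The sample capture is constructed here; it is not real CTF traffic."""
import socket
import struct

GATEWAY, SCORING = "10.1.1.1", "10.90.0.1"   # addresses named on the slides
VICTIM = "10.20.30.99"                        # assumed target host for the sample

# ---- build the constructed capture (pcap 2.4, linktype 1 = Ethernet, IPv4) ----
def _ip(src, dst, proto, l4):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + hdr + l4     # dummy MACs, EtherType 0x0800

def _tcp(sp, dp, data):   # 20-byte header: data offset 5 words, flags PSH|ACK
    return struct.pack("!HHIIBBHHH", sp, dp, 0, 0, 0x50, 0x18, 8192, 0, 0) + data

def _udp(sp, dp, data):
    return struct.pack("!HHHH", sp, dp, 8 + len(data), 0) + data

def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f
    return out

_FLOWS = [  # (source, IP protocol number, layer-4 segment), all toward VICTIM
    ("10.30.10.99", 6,  _tcp(40000, 8000, b"GET /admin HTTP/1.0\r\n")),  # icecast
    ("10.90.0.1",   6,  _tcp(50000, 80,   b"GET /flag HTTP/1.0\r\n")),   # scoring bot
    ("10.70.97.13", 17, _udp(5000, 31337, b"keyword=flag")),             # sfind
    ("10.10.30.2",  6,  _tcp(41000, 21,   b"USER anonymous\r\n")),       # ftp
    ("10.50.2.4",   1,  struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"ping"), # icmp echo
]
# As on slide 5: every packet is seen twice, once as sent and once NATed by the gateway.
CAPTURE = _pcap([_ip(s, VICTIM, p, l4) for src, p, l4 in _FLOWS for s in (src, GATEWAY)])

# ---- read and decode ----
def read_pcap(data):
    """Yield (timestamp, frame) per record; handles either byte order of the magic."""
    magic, = struct.unpack_from("<I", data)
    e = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _ = struct.unpack_from(e + "IIII", data, off)
        yield sec + usec / 1e6, data[off + 16:off + 16 + incl]
        off += 16 + incl

def decode(frame):
    """Ethernet/IPv4 only: return the fields the BPF primitives host/port/proto test."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto, l4 = frame[23], frame[14 + ihl:]
    pkt = {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
           "proto": proto, "sport": None, "dport": None, "payload": l4}
    if proto == 6 and len(l4) >= 20:          # TCP: data offset lives in byte 12
        pkt["sport"], pkt["dport"] = struct.unpack_from("!HH", l4)
        pkt["payload"] = l4[(l4[12] >> 4) * 4:]
    elif proto == 17 and len(l4) >= 8:        # UDP: fixed 8-byte header
        pkt["sport"], pkt["dport"] = struct.unpack_from("!HH", l4)
        pkt["payload"] = l4[8:]
    return pkt

def load(data):
    return [p for _, f in read_pcap(data) if (p := decode(f))]

# ---- BPF-style predicates, named after the tcpdump primitives on the slides ----
def host(ip):       return lambda p: ip in (p["src"], p["dst"])
def not_host(ip):   return lambda p: ip not in (p["src"], p["dst"])
def proto(n):       return lambda p: p["proto"] == n
def port(*ports):   return lambda p: p["sport"] in ports or p["dport"] in ports

def select(pkts, *preds):
    return [p for p in pkts if all(f(p) for f in preds)]

def grep(pkts, needle):
    """ngrep-style: (src, dst) of each packet whose payload contains needle."""
    return [(p["src"], p["dst"]) for p in pkts if needle in p["payload"]]

def pipeline(data=CAPTURE):
    """Run the slides' filter chain and report what each stage keeps."""
    everything = load(data)
    nogw = select(everything, not_host(GATEWAY))            # slide 5: halves the data
    tcp, udp, icmp = (select(nogw, proto(n)) for n in (6, 17, 1))
    return {
        "all": len(everything), "nogw": len(nogw),
        "players": len(select(nogw, not_host(SCORING))),
        "scoring": len(select(nogw, host(SCORING))),
        "tcp": len(tcp), "udp": len(udp), "icmp": len(icmp),
        "other": len(select(nogw, lambda p: p["proto"] not in (1, 6, 17))),
        "sfind": len(select(udp, port(31337))), "ice": len(select(tcp, port(8000))),
        "ftp": len(select(tcp, port(20, 21))), "http": len(select(tcp, port(80))),
        "admin_hits": grep(tcp, b"/admin"),                 # slide 15's ngrep "/admin"
    }

if __name__ == "__main__":
    for stage, result in pipeline().items():
        print(f"{stage:11} {result}")
```

Run it directly to print the count each stage keeps; against the real data you would pass the bytes of the merged capture to `pipeline` instead of the constructed one. Two caveats carry over to the tcpdump commands as well: `not host 10.1.1.1` also drops any genuine traffic to or from the gateway itself, and only Ethernet/IPv4 frames are decoded here, so anything else (802.1Q-tagged frames, IPv6, ARP) is silently skipped where tcpdump's `other` bucket would keep it.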

16
icecast Analysis
  • Flag access via /flag
  • Only one IP did this, 10.70.97.13, and only
    against 2 IP addresses
  • 10.10.20.99
  • 10.50.10.99

17
Useful Sniffing
  • Run dsniff during the game to catch any passwords
    being used against you
  • ftp, http, others
  • You might learn the following
  • When other teams know your passwords
  • Other teams mistakenly using their passwords
  • Passwords that might be used to attack other teams
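
As an added example of what slide 17 describes (this is not the presentation's code and not dsniff itself), the Python below pulls cleartext FTP and HTTP Basic logins out of per-packet payload text and sorts them into the two findings the slide lists: a login that used one of our own credentials, meaning another team knows it, and a login that used someone else's, meaning a password we could now try against that team. The packets, source ports, user names, passwords and the set of "our" credentials are all constructed for the example; ports 21, 80 and 8000 are the services named on the slides.

```python
"""Added example: dsniff-style harvesting of cleartext FTP and HTTP Basic logins from
per-packet payload text. The traffic below is constructed; it is not real CTF data."""
import base64
import re

# Constructed sample in capture order: (src, sport, dst, dport, payload).
# Real input would come from the reassembled TCP streams of the capture.
SAMPLE = [
    ("10.30.10.99", 40001, "10.20.30.99", 21, "USER ftpadmin\r\n"),
    ("10.10.30.2",  41002, "10.50.10.99", 21, "USER ftpadmin\r\n"),
    ("10.30.10.99", 40001, "10.20.30.99", 21, "PASS swordfish\r\n"),   # attacker's own pw
    ("10.10.30.2",  41002, "10.50.10.99", 21, "PASS hunter2\r\n"),     # one of ours
    ("10.70.97.13", 50003, "10.10.20.99", 80,
     "GET /admin HTTP/1.0\r\nAuthorization: Basic "
     + base64.b64encode(b"admin:letmein").decode() + "\r\n\r\n"),
]

# Credentials this team actually uses (assumed for the example).
OUR_CREDS = {("ftpadmin", "hunter2")}
HTTP_PORTS = (80, 8000)          # 8000 is the icecast port from the slides

def extract(packets):
    """Return (src, dst, service, user, password) for every login seen.
    FTP sends USER and PASS as separate commands, so pair them per connection."""
    pending_user = {}            # (src, sport, dst, dport) -> USER awaiting its PASS
    found = []
    for src, sport, dst, dport, data in packets:
        conn = (src, sport, dst, dport)
        if dport == 21:
            for line in data.splitlines():
                verb, _, arg = line.partition(" ")
                if verb.upper() == "USER":
                    pending_user[conn] = arg
                elif verb.upper() == "PASS" and conn in pending_user:
                    found.append((src, dst, "ftp", pending_user.pop(conn), arg))
        elif dport in HTTP_PORTS:
            m = re.search(r"^Authorization:\s*Basic\s+(\S+)", data, re.I | re.M)
            if m:
                try:   # validate=True rejects junk that would otherwise decode to b""
                    creds = base64.b64decode(m.group(1), validate=True).decode()
                except (ValueError, UnicodeDecodeError):
                    continue     # malformed token: not a usable credential
                user, _, pw = creds.partition(":")
                found.append((src, dst, "http", user, pw))
    return found

def triage(found, our_creds=OUR_CREDS):
    """Split into the two cases on slide 17: logins that used a password we own
    (another team knows it) and logins using someone else's (reusable against them)."""
    known_to_them = [c for c in found if (c[3], c[4]) in our_creds]
    reusable = [c for c in found if (c[3], c[4]) not in our_creds]
    return known_to_them, reusable

if __name__ == "__main__":
    ours, theirs = triage(extract(SAMPLE))
    for c in ours:
        print("WARNING our password used by", c[0], "against", c[1], c[2:])
    for c in theirs:
        print("harvested", c)
```

Pairing USER with PASS on the full four-tuple matters: two teams logging in to the same server at once would otherwise get their credentials crossed. Live on the game network this is the same job dsniff does by sniffing the NIC; replaying the capture files through it afterwards tells you the same thing a day late.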

18
Web Services Analysis
  • By far the most traffic by players
  • 568 MB of capture data
  • Query service
  • 6 teams used the authenticated1 flaw
  • 10.60.0.x
  • 10.30.10.x
  • 10.20.30.x
  • 10.10.30.x
  • 10.10.20.x
  • 10.10.10.x

19
Web Service Analysis
  • More to come, too much data
  • Also tomcat analysis