NCCDC 2013 – Red Team Recap

This past April (4/19 to 4/21) I had the great pleasure and experience of joining the Red Team at the 9th NCCDC competition. It was actually my 2nd year on the Red Team and 4th year to attend in total (I judged in 2010 and 2011). McAfee is actually a perpetual sponsor of this event. That being said, I have my own selfish agenda when I attend.

Joining in as part of the Red Team is, by far, one of the most educational experiences I could possibly put myself in. Not only are you tossed into a room with folks like Mubix, Vyrus, Raphael Mudge, and others – but also you are on a limited schedule and from the time that the competition starts it’s heated and non-stop.

The general strategy this year was to lay down all our toys and persistence (backdoors, beacons, RATs and other tools) on Day 1.   We made very little noise, hoping that the competing teams would gain a false sense of confidence and not notice our presence on their systems.   This way on Day 2 when the chaos commences, and the teams choose to just ‘restore from backup’ or ‘revert snapshots’ and the like, they end up restoring all our persistent tools and we retain access and ownership.
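The defensive lesson in that strategy is that a backup or snapshot taken after Day 1 already contains the persistence, so a restore brings it straight back. The following is an added example, not code from this post, showing the check a blue team could run after any restore: diff an autostart inventory captured from the clean build against one captured from the restored host. The CSV layout (entry_location, entry, image_path, signer) is an assumption loosely modelled on autorunsc-style exports, and every row is constructed sample data.

```python
"""Post-restore persistence audit (added example, not code from the post).

Compares an autostart inventory captured from the known-good build against
one captured after a 'restore from backup' or snapshot revert, and reports
entries that appeared or disappeared. The CSV layout (entry_location, entry,
image_path, signer) is an assumption modelled on autorunsc-style exports;
every row below is constructed sample data, not real host output.
"""
import csv
import io

# Constructed: inventory of the clean build before the event.
BASELINE_CSV = r"""entry_location,entry,image_path,signer
HKLM\Software\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,C:\Windows\System32\SecurityHealthSystray.exe,(Verified) Microsoft Windows
Task Scheduler,\Microsoft\Windows\Defrag\ScheduledDefrag,C:\Windows\System32\defrag.exe,(Verified) Microsoft Windows
Services,Spooler,C:\Windows\System32\spoolsv.exe,(Verified) Microsoft Windows
Services,EndpointAV,C:\Program Files\ExampleAV\avsvc.exe,(Verified) Example AV Vendor
"""

# Constructed: the same host after the team 'restored from backup' on Day 2.
# The backup was taken after Day 1, so it carries a Run-key entry pointing at
# an unsigned binary under a user profile, and the AV service is gone.
RESTORED_CSV = r"""entry_location,entry,image_path,signer
HKLM\Software\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,C:\Windows\System32\SecurityHealthSystray.exe,(Verified) Microsoft Windows
Task Scheduler,\Microsoft\Windows\Defrag\ScheduledDefrag,C:\Windows\System32\defrag.exe,(Verified) Microsoft Windows
Services,Spooler,C:\Windows\System32\spoolsv.exe,(Verified) Microsoft Windows
HKCU\Software\Microsoft\Windows\CurrentVersion\Run,SvcUpdate,C:\Users\admin\AppData\Roaming\svc_update.exe,(Not verified)
"""


def load_inventory(text):
    """Parse the CSV into {(location, entry, image_path): row}."""
    inventory = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["entry_location"], row["entry"], row["image_path"])
        inventory[key] = row
    return inventory


def is_signed(row):
    """Treat only '(Verified) ...' signers as trusted, the way autoruns labels them."""
    return row["signer"].startswith("(Verified)")


def audit(baseline_text, restored_text):
    """Return new and missing autostart entries relative to the baseline.

    New entries are the persistence a restore may have reinstated; missing
    entries show defences (e.g. the AV service) that the restore dropped.
    """
    base = load_inventory(baseline_text)
    cur = load_inventory(restored_text)
    new, missing = [], []
    for key, row in cur.items():
        if key not in base:
            loc, entry, path = key
            new.append({"location": loc, "entry": entry,
                        "image_path": path, "unsigned": not is_signed(row)})
    for key in base:
        if key not in cur:
            loc, entry, path = key
            missing.append({"location": loc, "entry": entry, "image_path": path})
    return {"new": new, "missing": missing}


def format_report(result):
    """Human-readable summary; unsigned additions are marked for priority."""
    lines = []
    for item in result["new"]:
        flag = "UNSIGNED " if item["unsigned"] else ""
        lines.append(f"NEW     {flag}{item['location']} :: {item['entry']} -> {item['image_path']}")
    for item in result["missing"]:
        lines.append(f"MISSING {item['location']} :: {item['entry']} -> {item['image_path']}")
    return "\n".join(lines) if lines else "no differences from baseline"


if __name__ == "__main__":
    print(format_report(audit(BASELINE_CSV, RESTORED_CSV)))
```

The baseline has to come from the original clean image, not from a backup taken during the competition; otherwise the diff is against a snapshot that already includes the attacker's entries and reports nothing.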

DarkComet Client Console

And . . . .. . It worked!


Different individuals on the Red Team had their unique tools and methods to gain and retain access and upset the teams’ activities. As the McAfee guy, I chose to rely on some old, tried and true (and very accessible) RATs. Most of my activities centered on the use of DarkComet and, to a far lesser degree, DNA.


RAT Remote Process View

My philosophy was driven by two primary goals. First, I know these things work realllllllllly well. And with these RATs on the box, I can control and own everything. Second, and possibly more interesting, is that if these tools work, I know that the teams are not putting any effort into installing/deploying even the most basic endpoint/host-based AV solutions. This is especially intriguing because, as a sponsor, McAfee provided the competition with our software. I purposely did NOT do any crypting/packing/obfuscation on the RATs I generated. I know that McAfee (and just about all other) vendors DID detect these things. Yet, I still managed to install and persist on most of the hosts that I deployed to (deployed via Cobalt Strike btw).

When the competition was over, I chatted with a few competitors, and mentioned this fact.  I immediately saw the gears start turning.  I could tell they had a real “Ahhhh we should have done that” moment.  Not to mention, that McAfee (and others) detect meterpreter/MSF listeners and Trojans as malware/PUPs.  Those could have been curtailed as well.

Each year, the teams have to setup, maintain, and safeguard an environment for a faux company/entity. This year the teams were tasked with the environment of a Correctional Institute. This includes databases for tracking the whereabouts of prisoners, an e-commerce site for a prisoner commissary, and more. From the Red Team perspective, this gives us some of our big bets for getting points deducted from the teams. For example if you kill/mangle/destroy the database for tracking prisoners and personnel, that’s one of the high point items. After all, they don’t want an IT issue to allow prisoners to go unaccounted for or escape, etc. Other hot items include public web site defacement and acquisition of PII (personally identifiable information). For added fun, many of us defaced the web sites by posting the company’s PII for all to see.

Defaced with PII

All in all it was a fantastic experience. I look forward to future activities with this competition.

UTSA shot a documentary this year.  I’ll post details on that once it’s released.    However, if you’d like to get some really detailed info, Hak5 released a documentary filmed at the 2012 event.   It features great interviews and ‘behind the scenes’ Red Team action.   I’m not interviewed, but you can see the top of my head in a couple shots!!

Hak5 Doc - Jim's Head

2012 Hak5 Documentary

Additional Blogs on NCCDC 2013

NCCDC 2013 Red Team Brief -

Bonus: We recently did our 2nd AudioParasitics episode with the great Raphael Mudge. This time we have a full and glorious video demo of Cobalt Strike in action. We actually walk through scenarios and give you details on how some of these Red Team activities actually occur.

AudioParasitics Episode 141 (video) -

Attack hitting Apache sites goes mainstream, hacks nginx, Lighttpd, too

Security researchers have uncovered an ongoing and widespread attack that causes sites running three of the Internet's most popular Web servers to push potent malware exploits on visitors.

Linux/Cdorked.A, as the malicious backdoor behind the attacks is known, has been observed infecting at least 400 Web servers, 50 of them from the Alexa top 100,000 ranking, researchers from antivirus provider Eset said. The backdoor infects sites running the Apache, nginx, and Lighttpd Web servers and has already exposed almost 100,000 end users running Eset software to attack (the AV apps protect them from infection). Because Eset sees only a small percentage of overall Internet users, the actual number of people affected is presumed to be much higher.

"This is the first time I've seen an attack that will actually target different Web servers, meaning the attacker is willing to create the backdoor for Apache, Lighttpd, and nginx," Pierre-Marc Bureau, Eset's security intelligence program manager, told Ars. "Somebody is running an operation that can victimize various Web servers and in my opinion this is the first time that has ever happened. This is a stealthy, sophisticated, and streamlined distribution mechanism for getting malware on end users' computers."

OpUSA Begins Today, Is Your Organization Ready?

Following on from recent concerted campaigns by Anonymous against Israel on April 7 and Facebook on April 5, the latest target for the online hacktivist collective is the USA and American online interests. Today, hackers and script kiddies of various affiliations are expected to begin a campaign of hack attacks and general online disruption against any target that is related to the USA. From previous activity of this sort, the attackers are generally opportunistic in nature and will aim for the low hanging fruit. Attacks may take various forms including the following:

  • DDoS attacks
  • Hack social media accounts and deface or post fake messages
  • Hack organization websites and deface or steal information and post it as “proof” of breach
  • Hack organization servers and attempt sabotage such as planting disk wiping malware
  • Less likely but plausible scenarios could include attacks against ICS/SCADA systems causing real-world impacts, for example disruptions of traffic control systems or electrical grid/power generation

Attackers may use any number of means to gain access or carry out their attacks, the favored methods include:

  • Password brute-forcing as seen against WordPress sites recently
  • Phishing emails to trick recipients into revealing account login details
  • Use of distributed botnets to perform DDoS attacks. Recent high-profile attacks against US financial institutions were performed by using web server based botnets running PHP.Brobot allowing for increased attack bandwidth. Opportunistic attackers will use tools such as LOIC to participate in DDoS attacks.
  • Traditional targeted attack methods involving the use of emails with exploit laden attachments or links to exploit kit websites

OpUSA was first announced back in April and it is quite possible that attackers have been preparing for this event for some time. For example, the recent mass attacks against WordPress sites may have netted attackers a large number of compromised webservers which may now be leveraged to perform large scale attacks for an event such as this one. The initial pastebin announcement included a wish-list of targets, indicating that US government and financial related sites are high on the agenda. We know that other US organizations will also be targeted as a large number of participants may not have the necessary skills or wherewithal to perform attacks against high-profile targets. These attackers with limited skills may perform opportunistic attacks against less protected organizations using basic techniques or toolkits widely available.

The much publicized activities of OpIsrael have shown that these concerted campaigns can have some level of success. Clearly, OpIsrael never lived up to its claim of “wiping Israel off the internet” but it did result in an increased number of organizations coming under attack. Another observation from OpIsrael is that attacks often started earlier than planned as some hacktivists either jump the gun or perhaps May 7 comes earlier for them depending on where they are based in the world. The same thing is happening this time and already some reports of site defacements and database leaks are trickling in.

Organizations with American interests should be prepared for attacks in the coming days and monitor for unusual activities in their networks and any attempts to breach their perimeters. Staff should also be trained on social engineering mitigation tactics and provided security awareness training. As usual, increased vigilance and a multi-layered approach to defense should help to ward off all but the most determined attackers.
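The "monitor for unusual activities" advice above is concrete for at least one of the listed methods: the WordPress password brute-forcing shows up in ordinary web server access logs as a burst of POSTs to the login form from one source. The following is an added example, not part of the advisory, that parses Apache/nginx combined-format log lines and flags any IP that POSTs to wp-login.php at least a threshold number of times inside a sliding time window. The sample log lines are constructed (documentation IP ranges), and the threshold and window size are assumed starting points to tune per site.

```python
"""Detect wp-login.php password brute-forcing in combined-format access logs.

Added example, not part of the original advisory. It parses Apache/nginx
combined-format lines and flags source IPs that POST to the login endpoint
at least `threshold` times within a sliding window. The log lines are
constructed sample data using documentation IP ranges; the threshold and
window are assumed starting points, not values from the advisory.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one client hammers the login form, one uses it normally,
# and one line is malformed to show the parser skipping it.
SAMPLE_LOG = """\
203.0.113.5 - - [07/May/2013:09:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [07/May/2013:09:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [07/May/2013:09:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [07/May/2013:09:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [07/May/2013:09:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [07/May/2013:09:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [07/May/2013:09:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [07/May/2013:09:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [07/May/2013:09:15:00 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 512 "-" "Mozilla/5.0"
this line is not in combined log format
"""


def parse_line(line):
    """Return the fields we need, or None for lines that are not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop the query string
        "status": int(m.group("status")),
    }


def find_bruteforcers(lines, threshold=5, window_minutes=5, login_path="/wp-login.php"):
    """Sliding-window count of login POSTs per source IP.

    Lines are expected in chronological order, as they are in a log file.
    Returns {ip: peak number of POSTs seen inside one window} for every IP
    that reached the threshold.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # ip -> timestamps of POSTs still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != login_path:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:   # evict timestamps older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, peak in find_bruteforcers(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {peak} login POSTs within 5 minutes")
```

Run it against a live access log with `find_bruteforcers(open(path))`; the flagged IPs are candidates for rate limiting or blocking at the web server or firewall. Attackers spreading attempts across many source addresses, as with the botnet-driven campaigns the advisory mentions, will stay under a per-IP threshold, so this check is a first layer and not a substitute for strong credentials and lockout policy on the login form itself.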