• No results found

Capture the flag: computer science style

N/A
N/A
Info
Download
Protected

Academic year: 2022

Share "Capture the flag: computer science style"

Copied!
1
0
0

Loading.... (view fulltext now)

Download now ( 1 Page )

Full text

(1)

Capture the Flag - Computer Science Style

Kathy Robertson Kathy Robertson

Advisors: Dr. Dan Massey and Dr. Indrajit Ray Advisors: Dr. Dan Massey and Dr. Indrajit Ray

Future Work:

An Annual Front Range Capture the Flag – Computer Science Style

• Tutorials on Security Concerns

Attack Plan

Login to Box 1:

ssh or ftp into Box 1 with provided username and password

• 5 out of 5 teams completed this mission in less than 5 minutes Crack root Password: (1 flag)

• use a password cracker to decrypt an encrypted password file

• 5 out of 5 teams cracked the password in < 15 minutes Capture Username and Password Traffic:

• capture packets with username and password

• 5 out of 5 teams completed this mission in less than 10 minutes Login to Box 2: (1 flag)

• ssh or ftp into Box 2 with captured username and password

• 5 out of 5 teams completed this mission in less than 5 minutes Get Admin Password:

• implement an sql injection to obtain username and password

• 4 out of 5 teams completed this mission in less than 30 minutes Login to Admin Account: (1 flag)

login to Admin Account with obtained username and password

• 4 out of 5 teams completed this mission in less than 5 minutes Get Root Access

• Successfully exploit vulnerable code with a Buffer Overflow

• 0 out of 5 teams completed this mission

Capture the Flag Set Up

Buffer Overflow

How a Buffer Overflow Works:

Program Allocates Buffer Space

Program inserts too large of data

Overwrites Other Register

Hacker can execute Code Remotely Name =

“bob”

Code High Addresses

Low Addresses

Normal Code Execution

Buffer Overflow Exploit

Motivation:

• Teach students about security

• Learn what students know about security

• Interaction between Front Range Schools

Set Up:

• Set up exploitable machines

• Allow students to crack, hack, and intercept traffic

• Students work in teams to earn flags

Lessons Learned:

• Use Strong Passwords (flag 1)

• Encrypt Traffic with SSL (Secure Socket Layer) (flag 2)

• Patch Software (flag 3)

• Good Software Design (flag 4)

Equipment:

• Username

• Password

• IP Addresses of Each Box

Box 1

Box 2

Root Account

Observe Traffic: yes Login to box 2: no Contains flag: yes

Player Account

Observe Traffic: No Login to Box 2: No Contains Flag: No

User Account

Observe Traffic: No Hint: Check Website Contains Flag: yes

Root Account

Contains flag: yes

Webserver:

SQL Vulnerability

Admin Account

Contains flag: yes

Normal User Hacker

Packet

Packet Username Password

2 Get Root Access 3 Capture

Password

4 Login

5 SQL Injection

6 Login 7 Get Root

• Hacking Laptop

• Auditor (Live OS)

• Teammates

Name = “bob NOP NOP NOP NOP NOP NOP NOP NOP NOP start address

….

start address Code

References

Download now ( PDF - 1 Page - 66.75 KB )

Related documents

1 5 3 1 5 3

[r]

KeySafe The platform-independent password safe with external security Olof Björklund

Hence users are encouraged to use different login credentials for different services, resulting in an increasingly large list of sensitive data the user needs to remember.

Building a timer controller circuit, with password access

The left end has 6 pins in total but they divided into two parralles to each other.This has been , so that the AVR pocket programmer can fit the out put cable tightly into

1 (5)

Regionledningskontoret ser positivt på utredningens betänkande Framtidsval - karriärvägledning för individ och samhälle där utredaren redovisar och föreslår åtgärder för att

PASSWORD PRACTICE: The effect of training on password practice

The experiment gave a higher entropy value and a longer average password length and fewer users also reused the same password over the three services than the group not given

Natural Artefacts • 5 OUT • ESML

Após uma pausa, devido ao falecimento do saxofonista Ove Johansson em 2015, os membros originais, Susanna Lindeborg e Per Anders Nilsson, criaram uma segunda formação em

Stronger Authentication for Password Credential Internet Services

For example, when the user registers or changes their financial account profile, the user should be able to state that they wish to use MFA via the Google Authenticator app.

5 5 1:sta 1:sta

Kurserna äro uppgjorda med hänsyn till talens storlek, och skulle, om normalplanens kursfördelning af ämnet följes, vara afsedda för folkskolans 1:sta och 2:dra klasser, men