James Madison University (JMU) held an open cyber defense competition on Saturday of this past weekend for all current or former students. A few of us here at Gemini had the opportunity to attend and participate as the attackers. It was a great experience for me as well as the students.
The students were faced with the scenario of being hired into an existing IT infrastructure after the entire network team had been fired. With a tight deadline and the need to keep standard business operations running, they had to secure all computers and servers while continuing to process 'business requests' as they came in. The students were given a one hour head start to secure as many devices as possible, and then it was free rein for us attackers.
Most teams ended up falling to largely the same attacks. The following is a list of the most common ways we were able to penetrate their systems.
- Default Passwords – Every team except one fell victim to this, leaving at least one system or process running under the default admin account and password. Even though we were told that all systems had been set up with the default password, the lesson carries over to systems using blank passwords or ones that are easily guessed.
- Running Older (vulnerable) Software/Processes – Two of the teams fell due to running an older version of Apache. We noticed this and exploited it right away. The remedy to this would have been patching or upgrading immediately.
- Installing Unknown Software – The teams were given a business task to install spam-blocking software on their e-mail servers. The software that was given to them contained a rootkit. At least three teams installed this, with two falling victim and the other noticing and taking down the mail server while it was fixed.
- Physical Access – We got a little mischievous during lunch, as we knew the students would be away. We took a peek into their rooms, found unlocked screens, and took full advantage of them. Sure, it was easier for us because we knew they would be out and it was only one room over, but it goes to show that even the smallest window of time is enough to be compromised.
- Un-patched E-Commerce Site/Engine – The teams were running Zen-Cart as their e-commerce engine. It just so happens that a SQL injection vulnerability had been disclosed only a few days prior to the competition. All but one team failed to patch this vulnerability.
- Not finding the real problem – One of my coworkers got into a mini battle with one of the teams, continually opening an SSH connection only to have it dropped. The team noticed the process and simply killed it. This went on for a good while before we finally hosed the system. The team kept killing the process without recognizing that we already had our own account on the machine, and that was how we kept regaining access.
Four out of the five teams took major hits from one or more of the above attacks. The team that held up best did take hits for not keeping required services running at all times, but in the end that was clearly the right call. They would take a system down completely, wait until it was fully patched or upgraded, and only bring it back up once they knew it was locked down properly.
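As an added illustration of the last point (my own example, not something from the competition), killing the connection is not enough; the defender needs to audit who can log in and who is logged in. The passwd snippet, the `who` output, the approved-user set and the planted `svc-backup` account below are all constructed for the example.

```python
# Added example (not from the original post): audit accounts and sessions
# instead of only killing the attacker's SSH process. All inputs are constructed.
# Constructed /etc/passwd snippet; 'svc-backup' is the attacker's planted UID-0 account.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc-backup:x:0:0:backup svc:/var/tmp/.b:/bin/bash
"""

# Constructed `who` output: one legitimate session, one from the planted account.
WHO_SAMPLE = """\
alice      pts/0        2009-03-21 09:12 (10.0.0.5)
svc-backup pts/1        2009-03-21 12:03 (10.0.0.99)
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Return (name, uid, shell) tuples from passwd-format text, skipping malformed lines."""
    rows = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            rows.append((fields[0], int(fields[2]), fields[6]))
    return rows


def audit_accounts(passwd_text, approved):
    """Flag login-capable accounts outside the approved set and any UID-0 account besides root."""
    findings = []
    for name, uid, shell in parse_passwd(passwd_text):
        if uid == 0 and name != "root":
            findings.append("uid0:" + name)
        if shell not in NOLOGIN_SHELLS and name not in approved:
            findings.append("unapproved-login:" + name)
    return findings


def audit_sessions(who_text, approved):
    """Return users with an active session who are not in the approved set."""
    users = [line.split()[0] for line in who_text.splitlines() if line.strip()]
    return sorted({u for u in users if u not in approved})


if __name__ == "__main__":
    approved = {"root", "alice"}
    print(audit_accounts(PASSWD_SAMPLE, approved))  # ['uid0:svc-backup', 'unapproved-login:svc-backup']
    print(audit_sessions(WHO_SAMPLE, approved))     # ['svc-backup']
```

On a real host the same functions can be fed the contents of /etc/passwd and the output of `who`; the approved set should come from a baseline recorded before the system went live.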
All in all, it was a great learning experience for the students and for me. They learned what kind of real-life scenarios they could potentially face, and I got to ramp up on my pen-testing skills in a fun way. Kudos to all the teams that participated at JMU, and I hope to take part again sometime soon.