CCDC Competition Notebook
============================
> According to CCDC Rules, student computers and external storage devices are not allowed to be used during the competition. As a result, many teams create reference guides that will be printed for use by the competition team during the event.
>
> This will serve as the team notebook where we can store notes throughout our training that can eventually be used to create a competition reference guide.
## Quick Links
- [Github](https://github.com/UTexas-HASH)
- [National Cyberwatch CCDC Preparation Guide](https://www.nationalcyberwatch.org/wp-content/uploads/2016/03/NCC_Press_How_To_Prepare_For_the_CCDC-1.pdf)
- [CCDC Official Site](https://www.nationalccdc.org/)
- [CCDC Rules](https://www.nationalccdc.org/index.php/competition/competitors/rules)
## Roster
Please fill in your name, skills and the team you'd like to be a part of. The following are the available teams:
- **Competition (Blue Team)**: members who will compete at CCDC (8 available spots)
- **Alternate (Blue Team)**: members who will be on the official roster and serve as alternates for CCDC (4 available spots)
- **Support (Red Team)**: members not on the roster who will be responsible for emulating a red team, both to prepare themselves for next year's CPTC and to help test the skills of the blue CCDC team (unlimited available spots)
| Player | Skills | Github Handle | Team Preference |
| -------------- | ------------------------------------- | ---------------- | ------------------- |
| Teddy (Raoul) | Unix, AD, Interpersonal Communication | ra0x1duk3 | Competition |
| Chris S | Unix, Windows | ChrisSmith2 | Competition |
| Minwoo (Kevin) | Unix, Windows | kevinseonpj | Competition |
| Aadhithya | Unix, ELK Stack | aadhi0319 | Competition/Support |
| Rishabh | \*nix, Windows, SQL, Firewall, DNS | LookLotsOfPeople | Competition |
| Rebecca | Interpersonal Communication, Unix | rebeccca-huang | Competition/Support |
| Rob H | Unix, AD, ELK Stack, Windows, IDS | Rob8s7H | Competition/Support |
| Aya | Unix | ayaabdelgawad | Alternate |
| Jimmy Ding | Unix, Windows | DimmyJing | Competition |
| Ayush Patel | Cloud (AWS), Networking | AyushPatel101 | Competition/Alter |
| Matthew Healy | Unix, Windows | mzone242 | Competition/Alter |
| Gavin Wang | Unix, Windows | PotatoTomatoYay | Competition/Alter |
## TO-DO
If you intend to knock something out, or would like to assign it to yourself to complete in the future, add your name in parentheses at the end of the task description. Once you finish a task, just put an `X` in the checkbox.
- [ ] VPN Authentication System
- [ ] Practice Environment Configuration
- [X] email Dr. Wu about CCDC dates (Raoul)
- [ ] Develop Zeek Deployment Strategy
- [ ] Develop Log Monitoring Strategy
- [ ] Develop IDS Strategy
- [ ] Develop Incident Response Report Strategy and Template
- [ ] Create firewall hardening checklist (Rishabh)
- [X] Create AD hardening checklist (Rob/Raoul)
- [ ] Create Windows hardening checklist (Chris, Kevin)
- [ ] Create Unix hardening checklist
- [x] Create SQL hardening checklist (Rishabh)
- [ ] Create DNS hardening checklist (Rishabh)
- [ ] Create Mail Server hardening checklist
- [ ] Create E-Commerce Site hardening checklist
- [ ] organize checklists by priority
## Zeek Deployment Strategy
## Log Monitoring Strategy
## IDS Deployment Strategy
## Incident Response Reporting Strategy
## Firewall Checklist
### Getting Started
- [ ] Change Admin Password
- [ ] Make Sure the Firewall Won't Block ALL Traffic when Enabled
- [ ] Enable the Firewall
- [ ] Check Feature Set of the Firewall (Traffic Rules, Port Forwarding, Monitoring, DHCP, DNS)
- [ ] Disable IPv6 Unless Necessary
### Rules
- [ ] Identify the Purpose of Every Rule and Label Them
- [ ] Disable (Don't Remove Yet) Any Rule that Seems Pointless
- [ ] Create a Default Deny Master Rule
- [ ] ~~Check to See if Anyone Screams at You for Disabling Their Service~~
### Port Forwarding
- [ ] Identify the Purpose of the Ports
- [ ] Ensure there is a Defined Service on the Other Side for Each Port
### VPN?
- Do we Ever Have a Nested VPN for "Company" Purposes?
### Other
- [pfSense](https://docs.netgate.com/pfsense/en/latest/config/)
- [OPNsense](https://docs.opnsense.org/)
- [Palo Alto (Find a Better Link?)](https://docs.paloaltonetworks.com/)
- [ACL Generation (capirca)](https://github.com/google/capirca)
- [ ] Set up WPA3 for WiFi (or just disable it altogether)
## AD Checklist
### General Network Enumeration
- [ ] Run BloodHound to visualize domain-joined objects
  1. Run an ingestor: `C:\> SharpHound.exe`
  2. Start the database: `sudo neo4j start`
  3. Open the GUI: `./Bloodhound`
  4. Drag and drop the zip or JSON files created by the ingestor onto the GUI
  5. Stare at the output and make some [queries](https://hausec.com/2019/09/09/bloodhound-cypher-cheatsheet/)
  - [BloodHound Docs](https://bloodhound.readthedocs.io/en/latest/index.html)
### Hardening
- [ ] Back up the AD instance
  - [Full and incremental backup tutorial](https://activedirectorypro.com/backup-active-directory/)
- [ ] Patch the Domain Controller
- [ ] Set up LAPS
  - LAPS (Local Administrator Password Solution) automatically sets a unique, complex password for the local administrator account on every domain-joined device
  - [Tutorial](https://4sysops.com/archives/how-to-install-and-configure-microsoft-laps/)
- [ ] Remove domain users from local admin groups
- [ ] Deny domain admin logon through RDP (if the competition is in person)
  1. Run `gpedit.msc`
  2. Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
  3. Double-click "Deny log on through Remote Desktop Services"
  4. Add Domain Admins, click OK
  5. `C:\> gpupdate /force`
- [ ] Devote a single machine to running only the Kerberos KDC and no other services
- [ ] Enable SMB signing to prevent NTLM relay attacks
### Endpoint Detection and response
- [ ] Install the ATA Lightweight Gateway (Advanced Threat Analytics) on the DC and continuously monitor for alerts
  - *ATA is probably something we should spend a good chunk of time learning how to use*
  - [Documentation](https://docs.microsoft.com/en-us/advanced-threat-analytics/)
### Other
- [AD Red and Blue Cheatsheet](https://cybersecuritynews.com/active-directory-checklist/)
- [Best Practices for Securing AD](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory)
## Windows Checklist
### Network
- [ ] Find the listening ports: `netstat -ano | findstr LISTEN`
  - Ports 135, 139 and 445 are common Windows ports for SMB/NetBIOS and file/printer sharing.
  - Port 3389 is [Remote Desktop Protocol](https://en.wikipedia.org/wiki/Remote_Desktop_Protocol)
- [ ] Look for ports that are actively connected: `netstat -ano | findstr ESTABLISHED`
### Hardening
- [ ] Enable the firewall (in PowerShell): `Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True`
- [ ] Run `sconfig`:
  - Enable Network Level Authentication for RDP (if RDP is a critical service). Otherwise, disable RDP.
- [ ] Run `ipconfig` and check for multiple network adapters; consider disabling or deleting whichever one is not behind a firewall.
### User accounts
- [ ] Run `net user` or search for "users" in the Start menu
- [ ] Create a new account that is part of the "Administrators" or "Domain Admins" group
- [ ] Identify any users that are part of the "Administrators" or "Domain Admins" group
- [ ] Disable "Administrator" and "Guest" users (Note: DO NOT DELETE)
- [ ] If other user accounts are not being used by other Windows workstations, are not used by any local processes, and the team agrees they are likely not in use, then disable (don't delete) those as well
## Unix Checklist
### User accounts
- [ ] Look in the `/etc/passwd` file to identify users on the local system: `cat /etc/passwd`
- [ ] Check for users with UID 0 (that should only be for the root user)
- [ ] Check for users toward the end of the file (those are usually added post-install)
- [ ] You can filter out users who don't have shell access: `cat /etc/passwd | egrep -v "/bin/false|/usr/sbin/nologin"`
- [ ] Look for users that have a password assigned: `sudo cat /etc/shadow | grep '\$'`
### Network
- [ ] Look for listening ports: `netstat -lunt | grep LISTEN` (UDP sockets have no LISTEN state, so this filter hides them; drop the grep to see UDP as well)
  - If we have sudo privileges, run: `sudo netstat -plunt | grep LISTEN`
  - Some newer Debian/Ubuntu machines don't have netstat, so try: `sudo ss -tan | grep LISTEN`
  - Port 22 is usually SSH (to get a remote terminal). If we can disable it, we should do so
- [ ] Focus on ports that aren't only listening on the localhost interfaces (for example: 127.0.0.1, ::1): `sudo ss -tanp | egrep -v "127.0.0.|\[::1\]"`
### Hardware
- [ ] Install and enable USBGuard and set a policy that allows only the known peripherals
  - Not something to worry about as much with virtual machines
## SQL Checklist
### Getting Started
- [ ] Figure Out the Root Password for the Machine
- [ ] Figure Out the Root Password for the SQL Server
- [ ] Check to See What else is Installed on the Machine
### Starting to Secure the System
- [ ] Remove/Decouple Anything Unnecessary to the SQL Purposes if Possible
- [ ] Update the SQL Service
- [ ] Disable SQL Server Browser Service
### Starting to Secure the SQL
- [ ] Collect Credentials (Username/Password) for All "User" Accounts
- [ ] Check Type of Authentication (Local, LDAP, Keys, etc.) and Migrate if Necessary
- [ ] Peruse the Data and Identify the Purpose of Every Database, Table, Column, etc.
- [ ] Identify the Services which Utilize the DB and What they Do
### Authentication Securing
- [ ] Decouple Authentication and Make Sure Every Service Uses its Own Set of SECURE Credentials (Not Root)
- [ ] Make Proper Usage of Groups and Roles!
- [ ] Disable "Guest" Authentication
### Backing Up the SQL Server
- If the DB is Small, Always Use Full Backups!
- If the DB is Large, Do a Full Backup with Increments Afterwards
- If the DB is VERY Large, Backup by File / File Groups
### Encryption
- [Transparent Data Encryption](https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption)
- [Always Encrypted](https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-database-engine)
- [Column Encryption](https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/encrypt-a-column-of-data)
### Detection
- [ ] Enable Login Auditing
- [ ] Log Changes (Row Operations) for Sensitive Data
- Monitor Average Load and Identify the Reasoning Behind Spikes / High Usage
- Check for Resources that Remain Locked for a Long Period of Time (Deadlocks)
## DNS Checklist
### DNSSEC
### DNS Query Forwarding
## Mail Server Checklists
### Scratch
- Receiving/Sending
- SMTP?
- Registered Users
- Log Files Location
## E-Commerce Site Checklists
## What Can Red Team Do?
- Red Team knows nothing coming in
- They will port scan
- They will use default passwords
- Day 1:
  - They just look around
  - Try to collect information
  - Create backdoors (SSH keys, open ports, etc.)
- Day 2:
  - Will start removing points for taking data
  - They will start to take things down towards the end of the day
## Scratch
### High Level Checklist
- Check OS
- See what is installed
- What is open / services running
- Check open ports (netstat)
# Linux Hardening
## Hardening First Stage
### Add user hash
Use one of the following, depending on whether the distro uses the `sudo` group or the `wheel` group:
```bash
sudo adduser hash          # creates the user and prompts for a password
sudo adduser hash sudo     # adds the (now existing) user to the sudo group
id hash                    # must list sudo as one of the groups
sudo visudo                # confirm the sudo group has sudo privileges (%sudo ALL=(ALL:ALL) ALL or %sudo ALL=(ALL:ALL) NOPASSWD: ALL)
```
```bash
sudo adduser hash
sudo usermod -aG wheel hash
id hash                    # must list wheel as one of the groups
sudo visudo                # confirm the wheel group has sudo privileges (%wheel ALL=(ALL:ALL) ALL or %wheel ALL=(ALL:ALL) NOPASSWD: ALL)
```
### Setup initial logs
```bash
mkdir -p ~/logs
cd ~/logs
sudo cp -R /var/log initial     # copies /var/log to ~/logs/initial; don't mkdir initial first, or the copy lands in initial/log
sudo netstat -pan > ~/logs/netstat_init
sudo ps ax > ~/logs/ps_init
```
To compare logs, run:
```bash
sudo diff -r /var/log initial   # sudo because the copied files keep their root-only permissions
sudo netstat -pan > ~/logs/netstat_current && diff ~/logs/netstat_current ~/logs/netstat_init
sudo ps ax > ~/logs/ps_current && diff ~/logs/ps_current ~/logs/ps_init
```
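The snapshot-and-diff step above, and the "ignore loopback" filter from the Unix network checklist, can be scripted so the comparison reports only what matters: sockets listening on a non-loopback address that were not there at baseline. The script below is an added example, not code from the notebook. It assumes the snapshots were saved with `ss -tulnp` (the `Netid State ... Local Address:Port ... Process` column layout); the file names `ss_init`/`ss_current` and the two sample snapshots are constructed for the demo.

```bash
#!/bin/sh
# Added example (not the notebook's own code): compare two saved "ss -tulnp" snapshots
# and report sockets that listen on a non-loopback address and were absent from the
# baseline.  The sample snapshots below are constructed, not captured from a real host.

# Print "proto local-address process" for each listening socket not bound to 127/8 or ::1.
# Process is "-" when ss was run without root (no Process column).
exposed_listeners() {
    awk '($2 == "LISTEN" || $2 == "UNCONN") && $5 !~ /^(127\.|\[::1\])/ {
        proc = "-"
        # Process column looks like users:(("sshd",pid=812,fd=3)); keep just the name.
        if (NF >= 7 && match($7, /\("[^"]+"/)) proc = substr($7, RSTART + 2, RLENGTH - 3)
        print $1, $5, proc
    }' "$1"
}

# Lines in the current snapshot that the baseline did not have.
new_listeners() {
    base=$(mktemp) cur=$(mktemp)
    exposed_listeners "$1" | sort > "$base"
    exposed_listeners "$2" | sort > "$cur"
    comm -13 "$base" "$cur"
    rm -f "$base" "$cur"
}

# Constructed sample snapshots (made up for this example).
sample_baseline() {
cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    127.0.0.1:3306    0.0.0.0:*     users:(("mysqld",pid=900,fd=20))
tcp   LISTEN 0      128    [::1]:631         [::]:*        users:(("cupsd",pid=700,fd=6))
udp   UNCONN 0      0      0.0.0.0:68        0.0.0.0:*     users:(("dhclient",pid=500,fd=6))
EOF
}
sample_current() {
    sample_baseline
    printf 'tcp   LISTEN 0      1      0.0.0.0:4444      0.0.0.0:*     users:(("nc",pid=4242,fd=3))\n'
    printf 'tcp   LISTEN 0      128    127.0.0.1:8080    0.0.0.0:*     users:(("python3",pid=4300,fd=3))\n'
}

# Live use:  sudo ss -tulnp > ~/logs/ss_current && sh ss_diff.sh ~/logs/ss_init ~/logs/ss_current
# With no arguments the constructed samples are compared instead.
if [ $# -eq 2 ]; then
    new_listeners "$1" "$2"
else
    b=$(mktemp) c=$(mktemp)
    sample_baseline > "$b"; sample_current > "$c"
    echo "Exposed at baseline:"; exposed_listeners "$b"
    echo "New since baseline:";  new_listeners "$b" "$c"
    rm -f "$b" "$c"
fi
```

The loopback-only service on 8080 in the sample is deliberately not reported: the point of the filter is to surface what the rest of the network can reach, and the diff against `ss_init` turns a long socket listing into the handful of lines that changed since the box was first inventoried.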
### User Privileges
Run `sudo passwd -l root` (only after confirming that `hash` can log in and use sudo; see the Hardening Guide below).
Look at `/etc/passwd`: if anyone who is not root has a UID or GID of 0, look into it.
Look at users who have a valid login shell (not `/bin/false` or `/usr/sbin/nologin`) or have a home directory, and see if you recognize them.
Run the following to list users with a UID or GID of 0:
```
awk -F: '($3 == "0" || $4 == "0") {print}' /etc/passwd
```
Look at `/etc/group`, look for `admin`, `wheel`, `sudo` and `nopasswdlogin`, and see if any member is not root or hash.
Look at `/etc/sudoers` (through `sudo visudo`) and see if it grants sudo access to any user outside `admin`, `wheel` or `sudo`.
Look at `/etc/shadow` and check for accounts with no password using the command below (the file is root-only, so it needs sudo):
```
sudo awk -F: '($2 == "") {print}' /etc/shadow
```
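The account checks in this section and in the Unix checklist's "User accounts" list (UID/GID 0, login shells, post-install users, empty or set passwords) are collected into one script below. It is an added example, not the notebook's own code: each function takes a file path, so it can be pointed at `/etc/passwd` and `/etc/shadow` or at the `passwd_bak`/`shadow_bak` copies taken in the Hardening Guide; the sample passwd and shadow content at the bottom is constructed for the demo.

```bash
#!/bin/sh
# Added example (not the notebook's own code): account audit helpers for the checks above.
# Each function takes a file path so it can run on /etc/passwd, /etc/shadow or a backup copy.

# Accounts other than root that have UID 0 or GID 0 (the awk check above, minus root itself).
extra_root_accounts() {
    awk -F: '($3 == 0 || $4 == 0) && $1 != "root" { print $1 }' "$1"
}

# Accounts whose login shell is not one of the usual "no login" shells.
login_shell_accounts() {
    awk -F: '$7 != "/bin/false" && $7 != "/usr/sbin/nologin" && $7 != "/sbin/nologin" { print $1 }' "$1"
}

# Regular (post-install) accounts: UID 1000 and up, excluding nobody.
human_accounts() {
    awk -F: '$3 >= 1000 && $3 != 65534 { print $1 }' "$1"
}

# Shadow entries with an empty password field: anyone can log in without a password.
passwordless_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Shadow entries carrying a real hash (field starts with $), i.e. accounts that can authenticate.
password_set_accounts() {
    awk -F: '$2 ~ /^\$/ { print $1 }' "$1"
}

# Run every check and print a labelled report.
audit_accounts() {
    passwd=$1 shadow=$2
    printf '== extra UID/GID 0 ==\n'; extra_root_accounts "$passwd"
    printf '== login shells ==\n';    login_shell_accounts "$passwd"
    printf '== uid >= 1000 ==\n';     human_accounts "$passwd"
    printf '== empty password ==\n';  passwordless_accounts "$shadow"
    printf '== password set ==\n';    password_set_accounts "$shadow"
}

# Constructed sample data (not from a real host) so the script runs offline.
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
hash:x:1000:1000:hash:/home/hash:/bin/bash
backdoor:x:0:1001::/home/backdoor:/bin/bash
svc:x:1002:1002::/home/svc:/bin/false
EOF
}
sample_shadow() {
cat <<'EOF'
root:!:19000:0:99999:7:::
hash:$6$saltsalt$fakehashvalue:19000:0:99999:7:::
backdoor::19000:0:99999:7:::
svc:*:19000:0:99999:7:::
EOF
}

# Live use:  sudo sh account_audit.sh /etc/passwd /etc/shadow
# With no arguments the constructed sample files are audited instead.
if [ $# -eq 2 ]; then
    audit_accounts "$1" "$2"
else
    p=$(mktemp) s=$(mktemp)
    sample_passwd > "$p"; sample_shadow > "$s"
    audit_accounts "$p" "$s"
    rm -f "$p" "$s"
fi
```

In the sample the `backdoor` account shows up in three reports at once (UID 0, a login shell, and an empty shadow field), which is exactly the combination to chase first; `svc` has a shell of `/bin/false` and a `*` password, so it cannot log in even though it sits in the post-install UID range.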
### SSH
Look at `~/.ssh/authorized_keys` and `/root/.ssh/authorized_keys` and see if there's anything in there.
Look at `/etc/ssh/sshd_config`, change the options below, then restart the SSH service (the systemd unit is `sshd`, or `ssh` on Debian/Ubuntu) so they take effect:
```
PermitRootLogin no
PermitEmptyPasswords no   # only set this after making sure no account in use relies on an empty password
```
### Cronjobs
Run the following to see the current user's crontab (repeat with `crontab -l -u <user>` for each account, since every user has their own table):
```
crontab -l
```
Also look at `/etc/cron.*ly`, `/etc/cron.d` and `/etc/crontab` to see if there's anything weird.
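Checking each location by hand is error-prone, so the script below walks all of them in one pass: the system crontab, the `cron.d` drop-ins, the per-user spool tables (Debian and Red Hat layouts), and the scripts in the periodic directories, which run as root without any crontab line. It is an added example, not the notebook's own code; the optional path prefix and the fixture it builds for the demo (a `cron.d` file pointing at a script under `/var/tmp`) are constructed, not taken from a real system.

```bash
#!/bin/sh
# Added example (not the notebook's own code): list every active cron entry in one pass.
# ROOT is an optional path prefix so the same function can scan a mounted image or a fixture.

list_cron_entries() {
    root=${1:-}
    # System-wide table, drop-in files, and per-user spool tables (Debian and RHEL paths).
    for f in "$root/etc/crontab" "$root"/etc/cron.d/* \
             "$root"/var/spool/cron/crontabs/* "$root"/var/spool/cron/*; do
        [ -f "$f" ] || continue
        # Print "file:line" for every line that is neither blank nor a comment.
        grep -Hv -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$f" || true
    done
    # Scripts dropped into the periodic directories run as root with no crontab line of their own.
    for d in "$root"/etc/cron.hourly "$root"/etc/cron.daily \
             "$root"/etc/cron.weekly "$root"/etc/cron.monthly; do
        [ -d "$d" ] || continue
        for s in "$d"/*; do
            if [ -f "$s" ]; then printf '%s:(script)\n' "$s"; fi
        done
    done
}

# Constructed fixture (not from a real system): one normal system entry, one suspicious
# drop-in pointing at a script in /var/tmp, and one periodic script.  Prints the fixture path.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/etc/cron.d" "$dir/etc/cron.daily"
    printf '# m h dom mon dow user command\n17 *\t* * *\troot cd / && run-parts --report /etc/cron.hourly\n' > "$dir/etc/crontab"
    printf '\n* * * * * root /var/tmp/.cache/update.sh\n' > "$dir/etc/cron.d/zz-update"
    printf '#!/bin/sh\nlogrotate /etc/logrotate.conf\n' > "$dir/etc/cron.daily/logrotate"
    printf '%s\n' "$dir"
}

# Usage:  sudo sh cron_audit.sh            (live system; sudo so the spool directories are readable)
#         sh cron_audit.sh /mnt/image      (same scan under a path prefix)
#         sh cron_audit.sh --demo          (scan the constructed fixture)
case ${1:-} in
    --demo) fx=$(make_fixture); list_cron_entries "$fx"; rm -rf "$fx" ;;
    *)      list_cron_entries "${1:-}" ;;
esac
```

Comment lines are dropped so the output is only the lines that actually schedule something; compare it against the copy taken at baseline to spot entries that appeared during the day.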
### Kernel Hardening
Edit `/etc/sysctl.conf`, set the following, and apply it with `sudo sysctl -p`:
```
# Turn on execshield (only exists on older Red Hat kernels; ignore the "unknown key" error elsewhere)
kernel.exec-shield=1
# Full address-space randomization (2 = stack, mmap and brk; 1 would leave brk unrandomized)
kernel.randomize_va_space=2
# Enable IP spoofing protection (reverse-path filtering)
net.ipv4.conf.all.rp_filter=1
# Disable IP source routing
net.ipv4.conf.all.accept_source_route=0
# Ignore broadcast ICMP echo requests and bogus ICMP error messages
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_messages=1
# Make sure spoofed packets get logged
net.ipv4.conf.all.log_martians=1
```
### Disable IPv6
On older systems, go to `/etc/modprobe.d/aliases` and replace `alias net-pf-10 ipv6` with
```
alias net-pf-10 off
alias ipv6 off
```
On current kernels IPv6 is built in rather than loaded as a module, so use the sysctl `net.ipv6.conf.all.disable_ipv6=1` instead (only if no scored service relies on IPv6).
### Services
Get services by using:
```
sudo netstat -pan | grep LISTEN | grep -v STREAM
```
See what they are and disable them if needed (be very careful: start a service back up right away if stopping it breaks anything)
```
sudo service <name> stop
sudo service <name> start
sudo service --status-all
```
### Init files
Look at `/etc/init` and `/etc/initx`, and see if everything links to `/etc/init.d`.
Look at `/etc/rc*.d` and see if everything links to `/etc/init.d`.
If not, look at the script and make sure it isn't malicious or vulnerable.
Run the following to set permissions on the startup scripts:
```
sudo chmod 0700 /etc/rc*
sudo chmod 0700 /etc/init.d*
```
### Secure terminals
"Secure" here means root is allowed to log in on that terminal.
Look at `/etc/ttys`, `/etc/default/login`, `/etc/security` or `/etc/securetty` and remove the secure flag from entries that do not need root login.
### Bash History
Run the following to make `.bash_history` append-only (bash rewrites the file on exit unless `histappend` is set, so also enable `shopt -s histappend` in the shell profile, or nothing will be saved):
```
sudo chattr +a ~/.bash_history
```
### Config files
Look at `/etc/resolv.conf` and `/etc/hosts` and see if there's anything weird in them.
Do `chmod 0700` on the following files for the firewall: `/etc/profile`, `/etc/hosts.allow`, `/etc/mtab`, `/etc/utmp`, `/var/adm/wtmp` (or `/var/log/wtmp`), and `/etc/syslog.pid` (or `/var/run/syslog.pid`).
Do `chmod 0700` on the following files for the kernel: `/etc/sysctl.conf` and `/etc/inittab`.
Make sure the following files are owned by `root:root` with permission `-rw-r--r--`: `/etc/fstab`, `/etc/passwd`, `/etc/group`. `/etc/shadow` should be `-r--------`, and `/etc/sudoers` must be `-r--r-----` (0440): sudo refuses to run at all if sudoers is world-readable or writable.
Make sure that `/var/log/` and `/var/adm` are only writable as root (keep `/var/log` itself readable and traversable, 0755, since services that run as their own user such as MySQL write to subdirectories under it). Leave `/var/tmp` at its sticky 1777 mode; making it root-only breaks programs that expect to write there.
### Kernel Modules
list current kernel module directory:
```
echo "Modules dir: /lib/modules/$(uname -r) for kernel version $(uname -r)"
```
list permissions of directory:
```
ls -l /lib/modules/$(uname -r)
```
## Third Party Hardening
### Bastille
Bastille is a program that hardens a system by asking questions. It is safe to accept default values but use your own judgement.
```
sudo apt-get install bastille perl-tk
sudo bastille
```
If something breaks, use the following command to revert:
```
sudo RevertBastille
```
## Hardening Second Stage
### Firewalls
#### Tables
There are three tables, selected with `-t`:
- filter table: the default table, with the built-in chains `INPUT`, `OUTPUT` and `FORWARD`.
- nat table: built-in chains `OUTPUT`, `PREROUTING` and `POSTROUTING`.
- mangle table: built-in chains `INPUT`, `OUTPUT`, `FORWARD`, `PREROUTING` and `POSTROUTING`.
Use `-L` to list the current rules of a table (add `-v` for counters and interfaces, `-n` to skip DNS lookups) and `-F` to flush the rules from one chain or from every chain in the table.
Use `-P` to set a chain's default policy, e.g. `sudo iptables -P INPUT DROP` (only do this once the allow rules are all set up, or you will lock yourself out).
Use `-A` to append a rule to a chain: `-p` matches the protocol, `-s` the source address, `-d` the destination address, and `-j` decides what happens to the packet (`ACCEPT` or `DROP`). `-m` loads a match extension; the common one is `state`, which matches connection state with `-m state --state NEW,ESTABLISHED,RELATED`.
When `-p tcp` or `-p udp` is given, `--sport` matches the source port and `--dport` the destination port.
#### Forwarding
`-j REDIRECT` can be used in the nat table (`PREROUTING` or `OUTPUT` chains) to send the packet to a local port given with `--to-ports`.
#### Saving Changes
`iptables-save` only prints the rules to stdout, so redirect its output to the file your distro loads at boot, or use the distro's own save command:
```
sudo sh -c '/sbin/iptables-save > /etc/iptables/rules.v4'   # Debian/Ubuntu with iptables-persistent installed
sudo /sbin/service iptables save                             # RHEL/CentOS with the iptables-services package
sudo /etc/init.d/iptables save
```
The goal is to understand how each service communicates, set up the INPUT filters first, then set up OUTPUT filters as needed.
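The INPUT-first, policy-last order described above is easy to get wrong when typing rules live over SSH, so the script below generates the whole default-deny INPUT ruleset as text from a list of TCP ports that must stay reachable; you review the output and only then pipe it to `sudo sh`. It is an added example, not the notebook's own code: the rule set (loopback, established/related, invalid, rate-limited ping, the listed ports, logged drops) and the helper names are this example's choices, and it uses the `-m state` match the notebook describes.

```bash
#!/bin/sh
# Added example (not the notebook's own code): generate a default-deny INPUT ruleset from a
# list of TCP ports that must stay reachable.  The function only prints commands; review the
# output, then pipe it to "sudo sh".  The policy is set to ACCEPT and the chain flushed first
# so an SSH session survives the rebuild, and DROP is set last, after every allow rule.

gen_input_rules() {
    for port in "$@"; do
        case $port in
            ''|*[!0-9]*) printf 'bad port: %s\n' "$port" >&2; return 1 ;;
        esac
    done
    printf '%s\n' \
        'iptables -P INPUT ACCEPT' \
        'iptables -F INPUT' \
        'iptables -A INPUT -i lo -j ACCEPT' \
        'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        'iptables -A INPUT -m state --state INVALID -j DROP' \
        'iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT'
    for port in "$@"; do
        printf 'iptables -A INPUT -p tcp --dport %s -m state --state NEW -j ACCEPT\n' "$port"
    done
    printf '%s\n' \
        'iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "' \
        'iptables -P INPUT DROP'
}

# Sanity check on a generated ruleset: the DROP policy must be the final command, so every
# allow rule is in place before the default changes.
policy_drop_is_last() {
    [ "$(printf '%s\n' "$1" | tail -n 1)" = 'iptables -P INPUT DROP' ]
}

# Usage:  sh gen_input.sh 22 80 443 > rules.sh && sh -n rules.sh && sudo sh rules.sh
# then persist with iptables-save as in "Saving Changes" above.
# With no arguments a ruleset that keeps only SSH open is printed as a demo.
if [ $# -gt 0 ]; then
    gen_input_rules "$@"
else
    gen_input_rules 22
fi
```

The generator refuses non-numeric ports rather than emitting a rule iptables would reject halfway through the script, and the rate-limited LOG rule in front of the policy gives the log-monitoring team a record of what the default deny is dropping.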
### AppArmor
Guide to AppArmor: https://ubuntu.com/server/docs/security-apparmor
```
sudo apt-get install apparmor-profiles
sudo apparmor_status # gets status of apparmor
```
### SELinux (Be careful this can break everything)
SELinux is more fine-grained than AppArmor (labels on every file, process and port rather than per-program profiles), but it is much harder to set up.
SELinux guide: https://docs.oracle.com/cd/E37670_01/E36387/html/ol_selinux_sec.html
## Centralized logging
Logging setup for one or two machines: Graylog, Zeek (with the rsyslog conf from https://github.com/alias454/graylog-zeek-content-pack/blob/master/rsyslog_00-zeek.conf), Palo Alto, Suricata (with rules from https://rules.emergingthreats.net/).
Logging for all machines: rsyslog (auth.log or secure, syslog, cron, audit.log), application-specific logs, Tripwire (maybe), go-audit (maybe), and Windows event logs forwarded by some kind of AD rule.
Other programs to use: Brim to parse Zeek logs, OpenCanary if we have a lot of time.
## Updating (major updates are done after day 1, but patching can start on day 1)
### apt-get systems:
```
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install unattended-upgrades # to get only security updates
```
### yum systems:
```
yum list updates
yum update
```
### zypper systems:
```
zypper ref    # refresh repositories
zypper dup    # distribution upgrade (the normal update on Tumbleweed); on Leap the regular command is zypper up
```
## Application specific hardening
Try to harden mysql, postgresql, mssql, or any other database (this is very important, data leak costs a lot of points).
Apache hardening: https://geekflare.com/apache-web-server-hardening-security/
Nginx hardening: https://www.acunetix.com/blog/web-security-zone/hardening-nginx/
## Hardening Guide
### Add user hash
For Ubuntu/Mint/Debian systems (Fedora uses `wheel`, so follow the next block there):
```bash
su                      # enter the root password
adduser hash
passwd hash             # Debian's adduser already prompts for a password; harmless to repeat
usermod -aG sudo hash
id hash                 # must list sudo
visudo                  # confirm the sudo group has sudo privileges (%sudo ALL=(ALL:ALL) ALL or %sudo ALL=(ALL:ALL) NOPASSWD: ALL)
```
For SUSE, Fedora and other systems that have wheel:
```bash
su                      # enter the root password
adduser hash
passwd hash             # on Fedora/RHEL adduser is useradd and sets no password, so set one here or su/ssh into hash will fail
usermod -aG wheel hash
id hash                 # must list wheel
visudo                  # confirm the wheel group has sudo privileges (%wheel ALL=(ALL:ALL) ALL or %wheel ALL=(ALL:ALL) NOPASSWD: ALL)
```
For systems that do not have sudo, change the root password:
```bash
su                      # enter the root password
passwd root
```
### Setup Initial Logs
System with sudo:
```bash
mkdir -p /home/hash/logs
cd /home/hash/logs
sudo cp /etc/passwd passwd_bak
sudo cp /etc/shadow shadow_bak
sudo cp -R /var/log initial   # don't mkdir initial first, or the copy lands in initial/log
sudo netstat -plunt > netstat_init # if it complains that netstat doesn't exist, do sudo apt-get install net-tools
sudo ps aux > ps_init
```
System without sudo:
```bash
mkdir -p /root/logs
cd /root/logs
cp /etc/passwd passwd_bak
cp /etc/shadow shadow_bak
cp -R /var/log initial
netstat -plunt > netstat_init # if it complains that netstat doesn't exist, do apt-get install net-tools
ps aux > ps_init
```
### User Privileges
System with sudo:
MAKE SURE THAT YOU CAN SU INTO HASH WITH A PASSWORD AND CAN RUN SUDO AS HASH, SOMETHING LIKE BELOW:
```bash
ssh hash@localhost
sudo ls
```
IF ANY OF THAT COMPLAINS, PLEASE FIX IT BEFORE DOING ANYTHING ELSE.
```bash
sudo EDITOR=nano visudo # check that only admin, sudo and root have sudo access (sudo resets the environment, so EDITOR goes after sudo)
# Add two # before last line, save and exit
awk -F: '($3 == "0" || $4 == "0") {print}' /etc/passwd
# check that this returns only one line, which is root
grep sudo /etc/group
# check that this returns only hash and other valid admins
grep admin /etc/group
# check that no users are in the admin group
grep root /etc/group
# check that only root is in the root group
# USE THE SAME CHECK AS ABOVE BEFORE RUNNING THE LINE BELOW:
# THIS WILL LOCK ROOT, SO IF HASH DOESN'T WORK YOU WILL LOSE SUDO ACCESS
sudo passwd -l root
```
If the account that has sudo access is a service account like `www-data` and `mysql`, then ask Jimmy to see if it is possible to make it not sudo. Otherwise if you think it is a red team account, remove it.
System Without Sudo:
```bash
awk -F: '($3 == "0" || $4 == "0") {print}' /etc/passwd
# check if that only returns one line, which is root
cat /etc/group | grep root
# check if only root has the root group
```
### SSH
```bash
mkdir ~/bak_ssh_keys
mv ~/.ssh/authorized_keys ~/bak_ssh_keys/hash_keys          # it's fine if it fails (no keys present)
sudo mv /root/.ssh/authorized_keys ~/bak_ssh_keys/root_keys # it's fine if it fails; sudo is needed to read root's home
# if there is no sudo, don't add sudo to the lines above or below
sudo nano /etc/ssh/sshd_config
# Change/add the following two lines (note the trailing s on PermitEmptyPasswords):
#   PermitRootLogin no
#   PermitEmptyPasswords no
sudo sshd -t                     # check the config parses before restarting
sudo systemctl restart sshd      # the unit is called ssh on Debian/Ubuntu
```
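A quick way to confirm the two sshd settings from this section and the earlier SSH section actually took effect is to read the file the way sshd does: the first uncommented occurrence of a keyword wins, keywords are case-insensitive, and anything after a `Match` line only applies conditionally. The checker below is an added example, not the notebook's own code; it takes a file path so a staged copy can be checked, and the two sample configs are constructed.

```bash
#!/bin/sh
# Added example (not the notebook's own code): read the effective value of an sshd_config
# keyword and check the two settings the checklist requires.  sshd uses the FIRST uncommented
# occurrence of a keyword, and directives inside a "Match" block apply conditionally, so the
# parser stops at the first Match line.

sshd_effective() {
    # $1 = config file, $2 = keyword (case-insensitive, like sshd)
    awk -v key="$2" '
        /^[ \t]*#/ { next }                       # comment line
        tolower($1) == "match" { exit }           # conditional section: stop here
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Print one line per failing setting; return the number of failures (0 = all good).
# A keyword that is absent counts as a failure: the checklist wants it set explicitly.
check_sshd_hardening() {
    cfg=$1 failures=0
    for want in PermitRootLogin=no PermitEmptyPasswords=no; do
        key=${want%=*} expect=${want#*=}
        have=$(sshd_effective "$cfg" "$key")
        [ -n "$have" ] || have='(default)'
        if [ "$have" != "$expect" ]; then
            printf '%s is %s, expected %s\n' "$key" "$have" "$expect"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Constructed sample configs (not copied from any host).
sample_bad_config() {
cat <<'EOF'
# shipped defaults are commented out and must be ignored
#PermitRootLogin prohibit-password
PermitRootLogin yes
PermitEmptyPasswords yes
Match User backup
    PermitRootLogin no
EOF
}
sample_good_config() {
cat <<'EOF'
#PermitRootLogin prohibit-password
PermitRootLogin no
PermitEmptyPasswords no
EOF
}

# Live use:  sh sshd_check.sh /etc/ssh/sshd_config && sudo sshd -t && sudo systemctl restart sshd
# With no arguments the constructed bad sample is checked as a demo.
if [ $# -eq 1 ]; then
    check_sshd_hardening "$1"
else
    f=$(mktemp); sample_bad_config > "$f"
    check_sshd_hardening "$f" || echo "$? setting(s) need fixing"
    rm -f "$f"
fi
```

The bad sample is the trap the parser is built for: a `PermitRootLogin no` does exist in the file, but only inside a `Match` block, so the global setting is still `yes` and the checker reports it.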
### Bash_History
```bash
# if there is no sudo, don't add sudo to the next line
# the glob expands as the invoking user, so home directories it cannot read are skipped silently
sudo chattr +a /home/*/.bash_history /root/.bash_history
```
### Permissions
```bash
# if there is no sudo, don't add sudo to the next lines
# don't worry if the following commands give errors for files that don't exist
sudo chmod 0700 /etc/profile /etc/hosts.allow /etc/mtab /etc/utmp /var/adm/wtmp \
    /var/log/wtmp /etc/syslog.pid /var/run/syslog.pid /etc/sysctl.conf /etc/inittab /var/adm
sudo chmod 0755 /var/log     # not 0700: services running as their own user (mysql, postgres, ...) write to subdirectories here
# /var/tmp stays 1777 (sticky, world-writable); locking it down breaks programs that expect it
sudo chmod 0644 /etc/fstab /etc/passwd /etc/group
sudo chmod 0440 /etc/sudoers  # sudo refuses to run if sudoers is 0644
sudo chmod 0400 /etc/shadow
```
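Rather than re-running chmod blindly each time, it is worth being able to verify that the critical files from this section (and the "Config files" section of the first stage) still have the owner and mode they should, since a red team that edits `/etc/sudoers` or `/etc/passwd` tends to leave the mode changed. The script below is an added example, not the notebook's own code; it uses GNU `stat -c` with a BSD fallback, and the expected-mode table is the notebook's list (with the 0440 sudo requires for sudoers). The `--system` flag and helper names are this example's own.

```bash
#!/bin/sh
# Added example (not the notebook's own code): verify owner, group and mode of the critical
# files listed above.  Modes are the ones sudo, login and the package managers expect
# (sudoers must be 0440 or sudo refuses to run).

# Print "mode user group" for a path.  GNU stat first, BSD stat as a fallback.
file_mode_owner() {
    stat -c '%a %U %G' "$1" 2>/dev/null || stat -f '%OLp %Su %Sg' "$1"
}

# $1 path, $2 expected mode, $3 expected user, $4 expected group.
# Prints a line and returns 1 on any mismatch or missing file, 0 if the file matches.
check_file_perms() {
    [ -e "$1" ] || { printf '%s: missing\n' "$1"; return 1; }
    actual=$(file_mode_owner "$1")
    expected="$2 $3 $4"
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    printf '%s: is %s, expected %s\n' "$1" "$actual" "$expected"
    return 1
}

# The notebook's critical files with the modes they should have.  $1 is an optional path
# prefix (e.g. a mounted image); the default is the running system.  Returns the number of
# files that do not match.  Debian ships /etc/shadow as 640 root:shadow; that is also fine,
# adjust the table if your distro does, what matters is that "other" has no access.
audit_critical_files() {
    root=${1:-} bad=0
    while read -r path mode; do
        check_file_perms "$root$path" "$mode" root root || bad=$((bad + 1))
    done <<'EOF'
/etc/fstab 644
/etc/passwd 644
/etc/group 644
/etc/shadow 400
/etc/sudoers 440
EOF
    return "$bad"
}

# Usage:  sh perms_check.sh --system      (audit the live system; run with sudo if /etc is restricted)
#         sh perms_check.sh               (demo on a temporary file: one match, one deliberate mismatch)
if [ "${1:-}" = "--system" ]; then
    audit_critical_files && echo "all critical files OK"
else
    f=$(mktemp); chmod 644 "$f"
    check_file_perms "$f" 644 "$(id -un)" "$(id -gn)" && echo "demo file OK"
    check_file_perms "$f" 440 "$(id -un)" "$(id -gn)"   # deliberately mismatched, prints the difference
    rm -f "$f"
fi
```

Because `audit_critical_files` returns the mismatch count, it drops straight into a cron job or the log-monitoring workflow: a non-zero exit after a baseline of zero is a change worth investigating, and the printed lines say which file moved and how.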
# Setup graylog
Graylog 5 also needs an OpenSearch or Elasticsearch node; install one and point the `elasticsearch_hosts` setting in `server.conf` at it (not covered here).
```bash
# setup mongodb
sudo apt-get install gnupg
wget -qO - https://www.mongodb.org/static/pgp/server-6.0.asc | sudo apt-key add -
echo "deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/6.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-6.0.list
sudo apt-get update
sudo apt-get install -y mongodb-org
sudo systemctl enable --now mongod
# setup graylog
sudo apt install apt-transport-https pwgen
wget https://packages.graylog2.org/repo/packages/graylog-5.0-repository_latest.deb
sudo dpkg -i graylog-5.0-repository_latest.deb
sudo apt update
sudo apt install graylog-server
# generate the two secrets first, then paste them into server.conf
pwgen -N 1 -s 96                                     # use the output as password_secret
echo -n 'password' | sha256sum | cut -d' ' -f1        # use the hash as root_password_sha2 (pick a real admin password, not "password")
sudo vi /etc/graylog/server/server.conf
sudo systemctl start graylog-server
sudo systemctl enable graylog-server
```