2011 Hackademic Challenge Wrap Up
By: Bill Mathews
At this year’s Information Security Summit, Hurricane Labs was proud to co-sponsor (in cooperation with the Summit) the 2011 and first Hackademic Challenge. We were proud to welcome teams from Baldwin-Wallace (2 teams), Youngstown State University (2 teams), Tiffin University (1 team) and Kent State University (1 team). The challenge was designed to be both fun and educational; hopefully we achieved that goal. Here goes the summary.
Challenge Goals
As with our previous hack challenges, our team designed this one with as many “real-world” examples of vulnerabilities as possible, as opposed to the typical approach I see where you have to reverse engineer crazily designed protocols to even access the systems you’re trying to crack. That’s all well and good, but we don’t see a lot of that in the real world. Most of the exploits came from actual penetration tests and things we’ve seen in the real world. The twist with this one is that we had a way better scoreboard/monitoring system scattered throughout the conference center so conference attendees could keep up to date with what was going on.
As usual, we used a combination of tools to monitor the challenge, including Icinga, Snort and OSSEC. The data from these tools was then dumped into Splunk for indexing, searching and reporting. Basically a mini-representation of our security monitoring services, which is a good thing. This allowed us to collect a really great amount of data about not only how the participants attacked the infrastructure in place but also what tools they used, and it provided some insight into what strategy they were using.
Attack!
The attacks were not terribly advanced (at least that’s what the logs and alerts tell me). There was a lot of point, click, scan going on and not a lot of strategy about the targets taking place. This probably accounted for most of the “low hanging fruit” flags that were captured. Let’s take a look at the data:

As you can see in the chart, there was a wide variety of Snort alerts going off during the contest. I took just the top 20, well, really 2-21. The number 1 attack (by several orders of magnitude) was an ASP.NET information disclosure attack that consumed 94% of the alerts; it was skewing my pie chart terribly, so I removed it just to show the variety of scans more clearly. Next year I would LOVE to see a more adaptable strategy to it. Clever usually beats brute force testing.
We also collected direct host attacks via OSSEC. This is really just to illustrate the differences and coverage you get combining a network-based IDS with a host-based one. The combination of the two is a powerful network awareness system. The attacks here were pretty varied as well. I left the big one in this, just to illustrate what a scanner usually looks like on a web server and why monitoring your logs for rapid 400 errors can be an effective scanner defense.
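To make the "rapid 400 errors" idea concrete, here is an added example (not code from the challenge or from Hurricane Labs) that flags any client producing a burst of 4xx responses inside a short sliding window. The common/combined access log format, the threshold of 5 errors in 10 seconds, and the sample log lines are all assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed input: common/combined access log format, chronological per client.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def find_scanners(lines, threshold=5, window=timedelta(seconds=10)):
    """Map each source IP to the time it first hit `threshold` 4xx
    responses inside one sliding `window`. Defaults are illustrative."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent 4xx responses
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["status"].startswith("4"):
            continue  # unparseable line, or not a client error
        try:
            ts = datetime.strptime(m["ts"], TS_FORMAT)
        except ValueError:
            continue  # malformed timestamp
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # expire errors older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.setdefault(m["ip"], ts)
    return flagged


# Constructed sample log (documentation-range addresses, made-up paths).
SAMPLE_LOG = (
    # Six 404s in six seconds: scanner-like burst.
    [f'192.0.2.10 - - [01/Jan/2011:10:00:0{s} -0500] "GET /missing-{s} HTTP/1.1" 404 0'
     for s in range(6)]
    # Five 404s spread over five minutes: stays under the threshold.
    + [f'203.0.113.5 - - [01/Jan/2011:10:0{n}:00 -0500] "GET /typo-{n} HTTP/1.1" 404 0'
       for n in range(5)]
    # Ordinary visitor with a single 404, plus a junk line.
    + ['198.51.100.7 - - [01/Jan/2011:10:00:01 -0500] "GET / HTTP/1.1" 200 512',
       '198.51.100.7 - - [01/Jan/2011:10:00:02 -0500] "GET /favicon.ico HTTP/1.1" 404 0',
       'not an access log line']
)

if __name__ == "__main__":
    for ip, when in find_scanners(SAMPLE_LOG).items():
        print(f"{ip} reached the 4xx threshold at {when.isoformat()}")
```

Only the burst source is reported; the slow 404 source and the ordinary visitor stay below the threshold because old errors age out of the window.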

Summary
The lowest hanging of the flags out there were captured quickly and frequently. Again, we saw very little strategy – just a lot of scanning and tool-based attacks. One thing I noted from a couple of teams was very little teamwork (at least outwardly), lots of headphones and little talking. Maybe they were in IRC or something. I prefer active collaboration, but that’s just me. Maybe we’ll put the teams in separate rooms and add a defensive component next year, who knows?
Anyway, teachers: if you’re reading, start teaching fewer tools and more fundamentals on why things break. This will lead to more plan-based attacks and strategies; it’s a good thing to lead to.
Score!
Okay, now the part you care about the most, the score! The winner this year with a score of 39 points was Baldwin-Wallace Team 1. Congratulations! Here are the scores:
| Rank | Team | Points |
|---|---|---|
| 1 | BW 1 | 39 |
| 2 | YSU 1 | 36 |
| 3 | BW 2 | 22 |
| 4 | Tiffin | 20 |
| 5 | Kent | 14 |
| 6 | YSU 2 | 10 |

