So this weekend I got the opportunity to RedTeam for one of the regional Collegiate Cyber Defense Competition (CCDC) competitions. I made a huuuuuge mistake. The entire competition was going well, and redteam was doing our thing – most redteamers working on all schools. I however was assigned to focus on one school, kinda as a project manager as well as an adversary. Well, this school for the entire weekend was being difficult. They were very effective in monitoring their network, as well as writing firewall ingress and egress rules – we’ll get back to this in a bit; this is the reason for my accidental DOS.
Let me back up a second. CCDC is basically a competition where students from many colleges compete as blue teams, against professionals (not much of a blue team w/o an adversary). From my understanding, initially, these teams know just as much as the redteam about their networks (pretty much nothing, including passwords [assumption is initially services are configured with default creds]), so the start of the competition is pretty much a race to find services and get in. Anyway, so on day one, everything went well. We basically enum’d their networks and services as well as established our backdoors and persistances (mind you, ideally, the smart blue teams take a snapshot of their services before we get in, so they can revert if they discover they’ve been compromised). Well for my assigned team, they were a bit faster than me at enuming their network, and changed most/all default passwords, so for the most part, my only way in was by attacking/exploitation(oh yeah, most/all the services are also exploitable and they are supposed to fix this as well). That’s day one.
Day two was crap. By this time, the team dedicated one of their members to network analysis, the changed a lot of IPs to their services(meaning redteam had to remap their network a few times), stood up new products, as well as upgraded the vulnerable products. So this dedicated analyst was a pain in the butt. On day 2 they stood up a webserver, and I tried to enum it using dirb, and well, he kept blocking my IP. So I changed IPs. Tried again. Again IP blocked. This went on for about 2 hours (yeah I know, should not have spent so much time doing this). This is where the DOS comes in. Well, so determined to enum the webserver I decided to enlist ole trusty hping3 to spoof packets to generate enough traffic that my IP wouldn’t be easily seen. To accomplish this, I used the “–fast” option. This actually worked! Well, once I got dirb successfully running, I decided to open wireshark to see how fast my spoofed packets were being pushed compared to my dirb packets. To my amazement, dirb was running faster that the spoofed traffic. Afraid they would still catch my actual IP, I decided to use the “–faster” option in hping3. Next thing I know, the entire redteam is complaining about the network being down. I thought “hmm odd…just after I changed options. Better check out Wireshark.” Vital video for what follows. Within 2 minutes, I observed 1.25 million spoofed packets going over the network. Next thing I said was “Oops…I made mistake…”. Of course I killed hping3 after that. 5 minutes later, the CCDC officials are running into the dungeon they were keeping us in, yelling “WHATEVER YOU ARE DOING, STOP!!!”. I felt so embarrassed, and did the right thing and told them that I actually stopped 5 minutes ago and that it was a mistake.
So what did I learn? I thought I read the man page clearly, obviously not clearly enough. When on a live engagement, definitely triple read on things you are uncertain about it. I misread the documentation for the “–faster” option and didn’t realize it was sending a packet every micro-second. I was so determined the evade their network analyst that I had tunnel vision, and it caused network downtime. Had this been a real redteam engagement, it could have cost me my job, and potentially the contract. Fortunately, everyone was cool about it, and has been giving me crap all week, but everything is otherwise all good. There’s a lesson in mistake, and I definitely learned mine.
– Khaotic