Slashdot Mirror


DEF CON "Capture the Capture The Flag" Data

pablos writes "Each year DEF CON hosts the famed Capture The Flag contest. Hackers from all over the world duke it out on the network for 72 hours, hacking for the title. The Shmoo Group diligently logs every packet for posterity, we "Capture the Capture The Flag." Now is your chance to download by far the most interesting, 'sploit ridden, 5.8GB of intrusion collusion ever published. Free for the bandwidth endowed, this is the ultimate IDS testbed."

107 comments

  1. I like to watch ... by ukryule · · Score: 0, Offtopic

    Either voyeurism has reached a new level, or it's just the players and their proud(?) mums downloading this.

    Then again, I guess it's not a bad screensaver!

  2. Making waves... by hyrdra · · Score: 3, Funny

    Hmm...my favorite was the sinusoidal IP address spoofing. Anyone else?

    --


    "I'll just chip in a bit for RedHat: I actually have that installed on my university machine." - Linus, '95
  3. *sniff sniff* by Anonymous Coward · · Score: 0

    logging 5.8 GB of packets so u can look thru them... that's really the epitome of sad :P

  4. They cheated us. by vulgarDPS · · Score: 5, Interesting

    At defcon 8 DPS was at defcon and Burrows straight up social engineered his way into the server room and rooted the main box. So technically we had just won but they disqualified him because they wouldn't acknowledge social engineering as valid. Before defcon 8 DPS (dead [protocol] society) had pretty much dominated the social engineering contests but defcon 8 was the first year they decided to stop doing the social engineering contests so we were forced to improvise.

    1. Re:They cheated us. by Effugas · · Score: 5, Funny

      Ghettohackers quite brutally owned my laptop. One of 'em started chatting with me, asked if he could check his email...though I watched the screen, it's always polite to look away when someone types in their password.

      Except when that password is

      notepad c:\flag.txt
      ghi

      Now, at the time I damn near killed someone over that...but I realized pretty quickly it was a damn slick hack. Ask, and ye shall receive. Even from me.

      --Dan

    2. Re:They cheated us. by Hard_Code · · Score: 2

      ahahahaahahahahaaah!

      Wait, wtf are you talking about?

      --

      It's 10 PM. Do you know if you're un-American?
    3. Re:They cheated us. by starfighter_org · · Score: 1

      This year there was a guy inside a server cabinet waiting to come out in the middle of the night to own all the machines in the server room. A last minute change in server locations blew it for them. Sadly, I've forgotten who did it.

    4. Re:They cheated us. by SinisterAngel · · Score: 0

      It's the simple things in life that make it great ;)

      --


      This post close captioned for the thinking impared.
    5. Re:They cheated us. by BasharTeg · · Score: 1

      Yeah it pissed us off too, that you were dumb enough to give away that many points to GH. However, since Digital Revelation merged with Ghetto Hackers, those turned out to be our points anyway. Since we only won by something like 10 points, thanks for the freebie. :)

      Ghetto Hackers + Digital Revelation = 0wned CTF 2001

    6. Re:They cheated us. by Rizz0 · · Score: 1

      Actually, that was us (Ghettohackers). Under our interpretation of the previous year's rules, Physical penetration of the NOC was allowable. In fact, we managed a capture at DC8 by SE'ing a guard into letting one of our members in (CIR), who then rooted from the console. Unfortunately, with the rule change this past year, that went right out the window.

      --
      Democracy is dead. All kneel to the Commander In Thief.
    7. Re:They cheated us. by Derek+Pomery · · Score: 2

      What morons would ever check their e-mail on someone else's computer at a "hacker" convention?
      1:9 there is a keystroke logger in place.

      Granted, you were asking for it by not having /flag.txt be -rw------- 1 root root

      Oh, wait. Was that a C: ? };->

      --
      -- perl -e'print pack"H*","6e656d6f406d38792e6f7267"' /. ate my old sig. Bastards.
    8. Re:They cheated us. by Effugas · · Score: 2

      *laughs*

      "But...but...it's the client pool...you're not supposed to be attacking the client pool...whine whine...bitch bitch...goddamn fuckers that was a good hack...whine whine..."

      I did some serious penance for bringing a WinXP beta laptop to hack against Ghettohackers. Let's just say *my* Caesar's Challenge involved swimming on the bathroom floor and puking off of balconies the night before my big talk.

      Man, that night was fun.

      --Dan

    9. Re:They cheated us. by Anonymous Coward · · Score: 0

      Am I retarted? I have no idea what this means.?!?

      Except when that password is

      notepad c:\flag.txt
      ghi

    10. Re:They cheated us. by Effugas · · Score: 2

      They dropped a flag in my root directory, thus "rooting" me and getting massive points.

      Q: How do you hack someone's desktop?
      A: Ask someone to let you check your mail.

      --Dan

  5. Re:la, la, la by vulgarDPS · · Score: 0

    Die

  6. Where do I download... by G-funk · · Score: 2, Funny

    ...The .pak files?

    *ducks*

    --
    Send lawyers, guns, and money!
  7. Site is slashdotted (almost), so here are mirrors. by thesolo · · Score: 5, Informative

    Well, since the site is getting hit pretty hard, here is a direct link to all the mirrors:

    Capture the Capture The Flag Mirrors

    If you have a mirror up, please let me know.

    If you're using wget to pull the data, please use the following command:
    wget -r -nd --no-parent -R "=A","=D" http://site/path/

    US - Wisconsin (100Mbit):
    http://www.wi2600.org/mediawhore/mirrors/shmoo/cctf-defcon9

    US - Colorado (100Mbit):
    http://www.ucar.edu/temp/shmoo-defcon9-ctf/

    US - Pennsylvania (T1):
    http://www.bitsend.com/defcon9-cctf

    US - Alaska (DSL):
    http://cctf1.shmoo.com

    Please be sure to read the license.

  8. Bandwith Endowed by JohnHegarty · · Score: 1

    'sploit ridden, 5.8GB of intrusion collusion ever published. Free for the bandwidth endowed'

    You would need a lot of bandwidth and even more time on your hands to even start on it.

    Now, let me see... on a 56k modem (if my math is correct), that's about 10 days...

    1. Re:Bandwith Endowed by Anonymous Coward · · Score: 0

      did you take into account that most phone companies disconnect lines after 12 hours? so unless you had some kind of redialer, you'd have to be there to reconnect. and that's assuming you have a resumable server to connect to.

  9. Well I hope they Capture the Slashdot Effect. by Raindeer · · Score: 3, Funny

    Putting a couple of Gigs data on the net and then having the bad luck to be posted on Slashdot is going to mean that their link will be unreachable for most of the day. :-) But hey it will probably make for neat graphs.

    1. Re:Well I hope they Capture the Slashdot Effect. by rnews · · Score: 1

      It did indeed make for some nice graphs... along with some politely expressed concern about collision rates.

      The wise look at it as an opportunity to test traffic shaping on distributed web clusters.

  10. Bandwidth Cost by JohnHegarty · · Score: 2, Interesting

    How are they going to pay for the bandwidth cost on this... if even just 1000 people download it (and it has been slashdotted) then it will be 5.8 Terabytes of information to be downloaded.

    This won't exactly be paid for by a banner ad.

    1. Re:Bandwidth Cost by Lozzer · · Score: 4, Funny

      Did you read who these people are? I don't expect acquiring bandwidth is much of a problem, if you know what I mean.

      --
      Special Relativity: The person in the other queue thinks yours is moving faster.
    2. Re:Bandwidth Cost by JohnHegarty · · Score: 1

      Even Bill Gates pays by the GB of bandwidth..... not as much as us... but it's not free....

    3. Re:Bandwidth Cost by davidesh · · Score: 1

      or you could just get some clear-channel DS3's from a Tier-1 provider...
      who says everyone pays by the GB?

    4. Re:Bandwidth Cost by Anonymous Coward · · Score: 0

      If you look at some of the mirrors posted, they are on 100Mbit connections. They are also university connections, i.e. on Internet2, and I2 has no shortage of bandwidth. They will probably be OK, considering that most people have no use for several GB of packet dumps anyway.

  11. Re:Yes, but maybe.. by Anonymous Coward · · Score: 0
    Sparc cpus are expensive, and provide piss poor floating point performance, that's when they do not lock up. I've seen lots of enterprise class servers (read, E6500 and up) lock hard due to the USIIi e-cache bug. 3 out of 10 cpus manufactured by IBM had this problem, with the Sony made ones it got down to 1-2 out of 10. All Sun said is, is your kernel patch level 23? (for Solaris 2.6) So you patched your kernel and used the cache scrubber, but even with that your shiny E10k would just lock hard whenever it pleased. Sun used to make cool hardware, nowadays they have a mediocre OS and slow processors, big deal.


    Go buy an IBM or HP server, better hardware for less money.


    Sincerely, Mike Bouma

  12. Social engineering is the way forward by Anton+Anatopopov · · Score: 1, Offtopic
    In the dim and distant past, before I became 'respectable' I used to be a hacker wannabe. I used to use my 1200 baud modem to dial into various systems, and let's just say that had the law been the same then as it is now, I could have been arrested.

    But after I became involved in tech support for major financial institutions, I realised that although security there was reasonably good, you could almost always circumvent it via social engineering.

    My favorite trick to get into the server room was to put on an old hard-hat and a fluorescent jacket. I would stand outside the door until someone came along, then I would simply ask them to let me in. Which about 70% of the time, they did. At which point, I would point out to them that I could have been anyone, and usually got an embarrassed apology.

    I was using social engineering to raise the security awareness of staff, but it was a real eye-opener to me just how easy it was to control people.

    1. Re:Social engineering is the way forward by Anonymous Coward · · Score: 5, Funny

      My favorite trick to get into the server room was to put on an old hard-hat and a fluorescent jacket.

      Yes, my favorite way to get into the server room is to dress up as a member of the Village People, and then wait for some random person to agree to take me into the closet.

    2. Re:Social engineering is the way forward by MrFredBloggs · · Score: 1

      "I was using social engineering"

      You mean lying, right?

    3. Re:Social engineering is the way forward by osiris · · Score: 1

      social engineering is lying. just lying very convincingly to fool others. making others think that you are someone you are not.

      its not like you are gonna say "uh, i dont work here, but could you give me access to the server room" of course your gonna lie.

    4. Re:Social engineering is the way forward by well_jung · · Score: 2
      I find most SysAdmins got their jobs by "Social Engineering" during the interview.

      --
      Carl G. Jung
      --
      "With one breath, with one flow, You will know Synchronicity" -La Policia
  13. Re:Site is slashdotted (almost), so here are mirro by ConsumedByTV · · Score: 2

    Their site may be but I got a blazingly fast 11.9 MB PER SECOND!

    It feels damn good to take over a 1/10 of a major pipe :)

    --


    "Not my manner of thinking but the manner of thinking of others has been the source of my unhappiness." - M
  14. Mirror in the making by siliconincdotnet · · Score: 3, Informative

    Mirror in the making at http://deimos.siliconinc.net/cctf

    It's currently chugging away at about 250 kbps, so it should be done within a few hours. There is already 1+ gig of data up there for your browsing pleasure, and it's chugging away at around 250kbps. Enjoy. If it breaks email me or something.

    --
    Insert witty .sig here
  15. Traces collected using ?? by fasuin · · Score: 1

    Tcpdump? or what else?
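The question above asks which tool wrote the traces. If the files are classic libpcap (the format tcpdump writes), the 24-byte global header itself answers part of that: the magic number gives the byte order and timestamp resolution, and the header carries the snaplen and link type. Checking this, and walking the packet records to detect a truncated tail (which an interrupted mirror download leaves behind), is the first thing worth doing before feeding a capture to an IDS. The following is an added example written for this page; it is not code from the thread or from the Shmoo Group, and the sample capture bytes are constructed inline rather than taken from the DEF CON data.

```python
"""Sanity-check a libpcap capture before using it as IDS input (added example)."""
import struct

GLOBAL_HEADER_LEN = 24   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HEADER_LEN = 16   # ts_sec, ts_frac, incl_len, orig_len

# libpcap magic as it appears on disk -> (struct byte-order prefix, nanosecond timestamps?)
LIBPCAP_MAGIC = {
    b"\xd4\xc3\xb2\xa1": ("<", False),  # 0xa1b2c3d4 little-endian, microseconds
    b"\xa1\xb2\xc3\xd4": (">", False),  # 0xa1b2c3d4 big-endian, microseconds
    b"\x4d\x3c\xb2\xa1": ("<", True),   # 0xa1b23c4d little-endian, nanoseconds
    b"\xa1\xb2\x3c\x4d": (">", True),   # 0xa1b23c4d big-endian, nanoseconds
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"      # Section Header Block type of the newer pcapng format


def capture_kind(data):
    """Classify the file by its first four bytes: 'libpcap', 'pcapng' or 'unknown'."""
    head = data[:4]
    if head in LIBPCAP_MAGIC:
        return "libpcap"
    if head == PCAPNG_MAGIC:
        return "pcapng"
    return "unknown"


def parse_global_header(data):
    """Decode the libpcap global header; raise ValueError for anything else."""
    if capture_kind(data) != "libpcap":
        raise ValueError("not a classic libpcap file: " + capture_kind(data))
    order, nanos = LIBPCAP_MAGIC[data[:4]]
    _magic, major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(
        order + "IHHiIII", data[:GLOBAL_HEADER_LEN])
    return {"byte_order": order, "nanosecond": nanos, "version": (major, minor),
            "snaplen": snaplen, "linktype": linktype}


def summarize_capture(data):
    """Walk every packet record; report counts and whether the file ends mid-record."""
    hdr = parse_global_header(data)
    order = hdr["byte_order"]
    divisor = 1e9 if hdr["nanosecond"] else 1e6
    packets = captured_bytes = 0
    first_ts = last_ts = None
    truncated = False
    off = GLOBAL_HEADER_LEN
    while off < len(data):
        if off + RECORD_HEADER_LEN > len(data):
            truncated = True          # partial record header at end of file
            break
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            order + "IIII", data[off:off + RECORD_HEADER_LEN])
        off += RECORD_HEADER_LEN
        # A captured length above the snaplen or above the wire length is corruption,
        # not truncation: the record header itself cannot be trusted.
        if incl_len > hdr["snaplen"] or incl_len > orig_len:
            raise ValueError("record %d has inconsistent lengths" % packets)
        if off + incl_len > len(data):
            truncated = True          # payload cut short (e.g. interrupted download)
            break
        off += incl_len
        packets += 1
        captured_bytes += incl_len
        ts = ts_sec + ts_frac / divisor
        first_ts = ts if first_ts is None else first_ts
        last_ts = ts
    return {"packets": packets, "bytes": captured_bytes, "truncated": truncated,
            "first_ts": first_ts, "last_ts": last_ts, "linktype": hdr["linktype"],
            "snaplen": hdr["snaplen"], "nanosecond": hdr["nanosecond"]}


def constructed_sample(order="<"):
    """Build a tiny libpcap file (constructed test data, not real traffic):
    v2.4, snaplen 65535, linktype 1 (Ethernet), two records one second apart."""
    header = struct.pack(order + "IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    records = b""
    for ts_sec, payload in ((1000, b"\x00" * 14 + b"A" * 20),
                            (1001, b"\x00" * 14 + b"B" * 40)):
        records += struct.pack(order + "IIII", ts_sec, 0, len(payload), len(payload))
        records += payload
    return header + records


if __name__ == "__main__":
    print(summarize_capture(constructed_sample()))
    print(summarize_capture(constructed_sample()[:-10]))   # truncated tail
```

Run it on a real file with `summarize_capture(open(path, "rb").read())`; a `truncated` result means the last record should be dropped (or the download resumed) before replay, and a `pcapng` verdict from `capture_kind` means the file needs a different reader entirely.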

  16. n-ctf sucked this year, I hear... by Gainax · · Score: 2, Interesting

    from what I hear, n-ctf SUCKED this year...

    From a friend who was on one of the teams:

    We set up some 'reflectors', using the MIRROR target of the Linux netfilter and almost got booted off the net by the judges for this unique solution.

    Bleh.

  17. a bit of hyperbole by evenprime · · Score: 2
    The Shmoo Group diligently logs every[*] packet for posterity

    I don't know about defcon 9 (2001), but I seem to recall them only being able to get part of the traffic at defcon 8 (2000).

    [*] my emphasis, not theirs

    --

    "Weapons should be hardy rather than decorative" - Miyamoto Musashi
    I think that goes for OS's too
    1. Re:a bit of hyperbole by pablos · · Score: 1

      True, the entropy of the CTF network architecture each year is roughly equal to that of the entire internet. We had a tough time getting everything at DEF CON 8. The DEF CON 9 capture is certainly much better, but we're bound to have missed some bits here and there. Also, as other posts have pointed out, the contest had a very strange design which allowed flag hosts to come up and down faster than an MTV-weaned script kiddie's attention span could track. We're expecting the DEF CON 10 CTF, hosted by the Ghetto Hackers, will improve capture possibilities a great deal. - pablos.

  18. Re:Site is slashdotted (almost), so here are mirro by Procrasti · · Score: 1

    Looks like a great case for using something like SwarmCast.

    On a completely offtopic note, a swarmcast like system would work great with the P2P file sharing programs, would it?

  19. even better by evenprime · · Score: 5, Insightful

    the shmoo group's data gives an idea of the type of attack tools that are most commonly used in intrusion attempts, but if you want to know the tools and techniques that are the most likely to succeed, it would be good to talk to Caezar or some other member of the ghettohackers. After all, they are the ones who win at capture the flag year after year....

    --

    "Weapons should be hardy rather than decorative" - Miyamoto Musashi
    I think that goes for OS's too
    1. Re:even better by BasharTeg · · Score: 2, Informative
      Don't forget this year it wasn't just GH. I certainly had my share of points in the final score. This year I was running under the flag of Digital Revelation, although that's not my group. The final team was Ghetto Hackers merged with Digital Revelation, and without our admin points, GH wouldn't have won. It was a real team effort.


      Here's some pics:


      My speech on behalf of Digital Revelation
      Ceazar's speech on behalf of GH


      And damn it was a lot of fun this year.

  20. Is there any commentary on the 5.8GB by totierne · · Score: 1

    Call me lazy (I am), but is there a summary or commentary on all that raw information that can show us the hacks attempted, both successful and unsuccessful? It even gives some hacker some reflected flame at deciphering and commenting on the information. If I was considerably less lazy I might do it myself.

    Greed is Good - 1980's
    Lazy is Good - 2001

  21. Re:Porn links.. sigh.. troll.. by iamsure · · Score: 0

    It's a troll.. no real links here.. move along.

  22. Article's title by codeButcher · · Score: 1

    I suppose that would then be "Metacapturing the Flag".
    This useless comment was generated by a Cockpitful of Suicidal Fanatics for you

    --
    Free, as in your money being freed from the confines of your account.
  23. Re:Site is slashdotted (almost), so here are mirro by Peridriga · · Score: 1, Offtopic

    Odd question?...
    But, for a free site that simply runs off banner ads and donations

    Why does Slashdot never get Slashdotted?

    Sorry just had to ask....

  24. Question ... by da5idnetlimit.com · · Score: 1

    isn't hacking a form of lying to the sysadmin ? 8)

    --
    It takes 40+ muscles to frown, but only four to extend your arm and bitchslap the motherfucker
  25. Re:Site is slashdotted (almost), so here are mirro by ghostlibrary · · Score: 1

    >Why does Slashdot never get Slashdotted?

    To steal from Yogi Berra, because "no one reads Slashdot anymore, it's too popular."

    Besides, we're all too busy slashdotting the other sites to spend time here :)

    --
    A.
  26. Dan... by evenprime · · Score: 2, Funny

    Microsoft's email client caused some people on the wireless network almost as much grief during blackhat this year. ;-)

    -Joey

    --

    "Weapons should be hardy rather than decorative" - Miyamoto Musashi
    I think that goes for OS's too
  27. Re:Site is slashdotted (almost), so here are mirro by Charm · · Score: 1

    Actually it did during the sept WTC attacks. Slashdot was virtually unusable. CNN was better.

    --
    -- RTFM:Slackware::Beer:Saturday
  28. Re:Site is slashdotted (almost), so here are mirro by Jaeger · · Score: 1
    > Actually it did during the sept WTC attacks. Slashdot was virtually unusable. CNN was better.

    Not for any definition of better I'm familiar with. When I checked cnn.com at 10:30 EDT that morning, I couldn't even get in the gate. I had to hop over the pond to bbc.co.uk to get my news, and even then half the images didn't load. cnn.com rebounded by noon with a no-graphics, single-page site, but even at that time Slashdot was serving huge, dynamically-generated pages without much trouble.
  29. Re:Site is slashdotted (almost), so here are mirro by Alan · · Score: 2

    I think you mean "a free site that simply runs off banner ads and donations" ... but is backed by a large linux company (VA) that has lots of ca$h money to throw at popular linux "products" such as /. for servers and whatnot.

  30. CTF Rules by Rizz0 · · Score: 5, Interesting

    The rules for CTF at DC9 were, unfortunately, not well tested prior to the actual event. The intent of the rules was to provide more targets to attack, by shifting the burden of providing targets to the competitors. However, with the rules as written at the beginning of the contest, it turned out to be (pointwise) not worth attempting to hack. The net effect of the rules was that most groups were simply putting up a server, getting the points and pulling it down. While this is a valid strategy for that ruleset, it doesn't make for much of a hacking competition. This constant churning of servers also made hacking difficult, with targets disappearing by the time you could identify them through the standard CTF network instability.

    We (the GhettoHackers, with the much appreciated help of Jennifer Grannick) managed to slowly, over the course of the competition, convince Miles to change the rules to a set more conducive to an actual hacking competition. When teams began merging due to the rule changes, we merged with Digital Revelation, to both groups' benefit. We gained their server points, and they gained our capture points.

    Besides winning CTF, the GhettoHackers / Digital Revelation team also had the highest average Blood Alcohol Level of any group (check out http://cow.pasture.com/~tcroc for more details). As announced at the awards ceremony, we, the GhettoHackers, have retired from CTF after DC9. To help foster more competition, and for a different application of our expertise, the GhettoHackers will be helping to run CTF at DC10.

    --
    Democracy is dead. All kneel to the Commander In Thief.
  31. slight overestimate by Anonymous Coward · · Score: 0

    "this is the ultimate IDS testbed."

    No, it really isn't. Read up on the clueful folks' take on tiger teams. Tiger teams are not the ultimate test of if your box is hackable or not. Tiger teams are the ultimate test of if said team can hack your box. There is a distinct difference. Similarly, the capture the flag data only documents a select number of hackers' techniques.

    You can't predict what hackers will do. You can only be cautious.

  32. Re:Site is slashdotted (almost), so here are mirro by Anonymous Coward · · Score: 0

    i don't understand..... mine said 8MB/sec as well....... i don't understand. i transferred it in linux with the correct wget parameters and it said 120k/s (more reasonable).

  33. Weapons Factory mod by Anonymous Coward · · Score: 0
    DEF CON still owes a bunch of people in the mod Weapons Factory their prizes.

    These people signed up and paid for the membership. Prizes were promised for those that competed. When it came time to give out the prizes, DEF CON fell flat.

    Don't trust DEF CON.

  34. Input from a member of the winning team. by nouveaux · · Score: 1

    Defcon 9 was my first time with CTF and I must say, it's not exactly what I expected. My buddy Thalakan got recruited to Digital Revelation and he recruited me over there. 90% of the time, everyone hacked systems that were difficult to hack. All the servers on the server segment (x.x.x.250-254) had either chrooted systems or patched servers, and for a day and a half, nothing happened. During that time, the most exciting thing was when Dan got social engineered (see above link). However, 2 hacks did happen. I think it was prophet on digital revelation who rooted a win2k box with the unicode exploit. Then, the most exciting hack was the obsd 2.9 local exploit. Someone from the grey team finally set up a server with local access (he gave out login/password) and the race was on to apply the exploit. By this time, we were already merged with ghetto and everyone watched in anticipation. Eugene, from the ghetto hackers, worked fervently and a bunch of us watched in anticipation. Because of the race condition, two teams simultaneously rooted the server at the same time and split the points.

    Since there was physical access to the box (they were located right next to the operator), I heard that people yanked network cables when they were about to be rooted.

    There were many interesting systems and different programs that ran on the network but without source, 2 days is simply not enough time to do anything substantial. I hope next year, Caesar and the Ghetto Hackers will do a better job of providing more interesting hacks. I'm hoping the judges will put up servers that aren't locked down. Those roots will be for maybe 10 points. Roots in servers with no known vulnerability (with source provided) will give 100 points. Something like that would provide more hacks than the 3-5 roots we had. Having each team provide servers that are locked down is plain stupid.

    -Nouveaux