National Cyber Storm Competition Hands-On Security Challenges OWASP AppSec Beijing 2013

Size: px

Start display at page:

Download "National Cyber Storm Competition Hands-On Security Challenges OWASP AppSec Beijing 2013"

Domenic Patterson
5 years ago
Views:

1 National Cyber Storm Competition Hands-On Security Challenges OWASP AppSec Beijing 2013 Ivan Bütler Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel Fax

2 My Name is «Ivan Bütler» CEO Compass Security AG Switzerland Slide 2

3 My Home, Switzerland Slide 3

4 Compass Security AG Penetration Testing Forensic Analysis Slide 4

OWASP is offering free Hacking-Lab OWASP TOP 10 Web Security Challenges

5 Why am I here? Because we run a Remote Security Lab in Switzerland. It is called Hacking-Lab Security Puzzles / Challenges / Hands-On Because OWASP is offering free Hacking-Lab OWASP TOP 10 Web Security Challenges Because Hacking-Lab is being used for NATIONAL CYBER STORM COMPETITIONS Slide 5

6 At the end: You should understand how to setup your own security lab and how to use the free OWASP challenges Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel Fax

7 A long time ago... I was looking for a young jedi knight 俗塵 - 絕地武士 CTF 2007 in Switzerland Slide 7

8 2009 Swiss Cyber Storm 2 Fist Swiss Cyber Talent Competition 瑞士的網絡天賦競爭 Slide 8

9 2011 Swiss Cyber Storm 3 International SCS3 in Switzerland Prize 獎 = New Car 新車 Slide 9

10 Swiss Cyber Storm 4 Slide 10

Challenge Categories Web Security Malware / Trojan / Bugs Windows Security Apple Security Penetration Testing Networking Forensics Reverse

11 Challenge Categories Web Security Malware / Trojan / Bugs Windows Security Apple Security Penetration Testing Networking Forensics Reverse Engineering VoiP / SS7 / GSM Wireless Security Unix / Linux Security Crypto Challenges Programming Fun Challenge iphone Challenge Android Challenge Slide 11

12 What is «Hacking-Lab»????? Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel Fax

13 What is «Hacking-Lab»???? Slide 13

14 Understanding Hacking-Lab 1) Registration 2) Challenge Details Solving the challenges(vpn) Send Solution Solution Grading Slide 14

15 Demonstration Hacking-Lab SQL Injection & XML External Entity Attack Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel Fax

16 Details about «Hacking-Lab» Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel Fax

17 What is «Hacking-Lab»???? (1) Vulnerable Servers and Applications (Web, Windows, Linux, ios, Android) (2) Description about the security challenges (3) Tools required for solving the challenges (4) Teacher functions (accept/reject solutions) solutions, solution movies Slide 17

18 Details about Hacking-Lab (1/4) (1) Vulnerable Servers and Applications (Web, Windows, Linux, ios, Android) (2) Description about the security challenges (3) Tools required for solving the challenges (4) Teacher function (accept/reject solutions) Slide 18

19 Details about Hacking-Lab Vulnerable Mobile Apps Vulnerable Servers Remote Security Lab Automatic Revert to Snapshot Slide 19

20 Movie 1: Vulnerable Servers (ESXi) Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel Fax

21 Vulnerable Servers (ESX Virtualization) Slide 21

22 Vulnerable Servers (ESX Virtualization) Vulnerable Servers * SIP Gateway * IIS * Web Security * Fuzzing Challenge * Pyhton Challenge * Mimikatz * Shell of the Future * License Challenge * Nessus Scanning Slide 22

23 Vulnerable Servers (ESX Virtualization) Vulnerable Servers * Splung Engine * Java Script Arena * Web Goat * Struts Challenge * Buffer Overflow * HTML5 Challenge * JSP Challenge * Oracle Challenges * Conficker * Metasploit Lab Slide 23

24 Vulnerable Servers (ESX Virtualization) Vulnerable Servers * Server LiveCD * SSH Challenge * Backtrack * Unix Challenge * Active Directory * Terminal Server * Chat The Hacking-Lab servers will revert to snapshot ever 1, 2 or 4 hours Slide 24

25 Details about Hacking-Lab (2/4) (1) Vulnerable Servers and Applications (Web, Windows, Linux, ios, Android) (2) Description about the security challenges (3) Tools required for solving the challenges (4) Teacher function (accept/reject solutions) Slide 25

26 Slide 26

27 Slide 27

28 Slide 28

29 Slide 29

30 Slide 30

31 Slide 31

32 Details about Hacking-Lab (3/4) (1) Vulnerable Servers and Applications (Web, Windows, Linux, ios, Android) (2) Description about the security challenges (3) Tools required for solving the challenges (4) Teacher function (accept/reject solutions) Slide 32

33 Tools required to solve the Challenges VPNto Lab LiveCD OpenVPN into ESX Server Infrastructure Slide 33

34 LiveCD free Download LiveCD VirtualBox OVA LiveCD ISO LiveCD Vmware OVA Slide 34

35 Hacking-Lab LiveCD Project Slide 35

36 How to connect using VPN VPN Slide 36

37 How to use the Browser Browser 1) Two profiles 2) Attacker 3) Victim 4) SwitchProxy 5) LiveHttpHeader 6)... more Slide 37

38 How to use ZAP Proxy ZAP Inspection Proxy 1) Web Analysis 2) Man in the Middle 3) Open Source 4) Java based 5) Loading = slow Slide 38

39 How to get a Root Shell ROOT Shell Slide 39

40 How to access Microsoft XP (VDI) Vmware View VDI Slide 40

41 Details about Hacking-Lab (4/4) (1) Vulnerable Servers and Applications (Web, Windows, Linux, ios, Android) (2) Description about the security challenges (3) Tools required for solving the challenges (4) Teacher function (accept/reject solutions) Slide 41

42 Solution Grading as «Teacher» Slide 42

43 Solution Grading as «Teacher» Slide 43

44 Hacking-Lab for China Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel Fax

Problems for Chinese Users Problems with https://www.hacking-lab.

not working from everywhere in China Proposed Solution Translating the OWASP

45 Problems for Chinese Users Problems with It is not working from everywhere in China Problems with OpenVPN It is not working from everywhere in China Proposed Solution Translating the OWASP TOP 10 to the Chinese language Hosting a Chinese server Slide 45

46 Future Plans for China China PS: Must be checked with Chinese law!!! Switzerland Slide 46

47 Movie: china.hacking-lab.com This is a prototype not ready yet!!! Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel Fax team@csnc.ch

48 OWASP TOP 10 Challenges in Chinese Language Slide 48

49 Slide 49

50 Conclusion How to build your own security lab Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel Fax

51 Conclusion Free OWASP TOP 10 challenges Slide 51

52 What do you think? Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel Fax

53 Thank you very much! Ivan Bütler Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel Fax

Hacking-Lab Magazine Issue

Hacking-Lab Magazine Issue 04-2012 December 2012 - Hack & Learn - Train your Brain Hacking-Lab Remote Security Lab Hack & Learn www.hacking-lab.com Editorial From E1: There is an arms race in cyber space.