Author Topic: Cybersecurity Awareness Showcase  (Read 2622 times)
eth3real
« on: October 18, 2011, 11:38:23 AM »

Hi everyone! It may be a bit late to post this, but I figure it deserves a mention, anyway.

InfraGard Jacksonville chapter is hosting a Cybersecurity Awareness Showcase at the University of North Florida this week.
It's happening Oct 19-21 (tomorrow-Friday), with the last day being a Defend The Flag competition. They're supposed to have some pretty good hands-on presentations from Kevin Johnson and Johannes Ullrich.

Cost to see these two presentations is $150 for members of ISSA, InfraGard, or ISACA, or $200 for non-members.
For the other sessions, the cost is $50/day.
For the security competition, it's $100 per team (up to 5 members).

Hope to see you there!
Put that in your pipe and grep it!
eth3real
« Reply #1 on: October 25, 2011, 09:12:35 AM »

By the way, my team won the security competition. Grin
Put that in your pipe and grep it!
r2s
« Reply #2 on: October 25, 2011, 09:18:29 AM »

Congrats man!
In progress: OSCP & GXPN (June)
"Silence enables the sound to be" - Eckhart Tolle
don
« Reply #3 on: October 26, 2011, 04:01:45 PM »

Congrats. Can you expand on what the flags were and how you got them?

Don
CISSP, MCSE, CSTA, Security+ SME
eth3real
« Reply #4 on: October 27, 2011, 08:46:26 AM »

Thanks for asking, Don, I had been meaning to post this sooner. Grin

This was actually their first competition, so some of it was trial and error. It wasn't a "Capture the Flag" competition, it was a "Defend the Flag" competition, though the "flags" weren't clearly defined.

The breakdown is that they gave us a mock enterprise network, consisting of a Linux webserver, and 2 Windows 7 workstations.

First thing we (our team had 4 people) took care of was changing all of the passwords. The passwords were provided to us on a list, but the guy that set up each network happened to be on the red team.

After that was application layer firewalls on all the boxes. We implemented iptables on the server, and I believe it was ZoneAlarm on the workstations.

Next, we took care of some of the immediate things that could be dangerous, like making sure SSH was using protocol 2 only and didn't allow root only, checking what account the apache and mysql servers were running as, changing any users' shell who didn't need shell access to /bin/false, and double checking the sudo and su access.

Then we started scanning the webserver for XSS and SQL Injection, but we didn't find anything, fortunately.

We had a couple of safety measures planned/in-place that didn't work. For example, we used a Turn-Key ISO of Insta-Snorby (Snort and Snorby), set up 2 NICs as a bridge, and put it in-line between the incoming network line and our switch. However, after I got it set up, it was not capturing anything, even though it had worked in my previous attempts on my home network. The bridge was still working correctly, we left it in-line the whole competition, it just wasn't capturing any data. Not sure why that didn't work, I'll be investigating it later.
I had also signed an SSL certificate using OpenSSL, and was planning on forcing the apache server to only use HTTPS traffic, but we ended up not reconfiguring apache to use the newly signed certificate, I think just for the sake of time.

One of the more interesting things we did, though, was set up static ARP addresses on all of the machines, so as to prevent an ARP spoofing man-in-the-middle attack.

After we took care of those measures, we had everybody watching access logs, error logs, tcpdump output, and quickly adding a drop rule at the top of iptables for any IP addresses that looked like they were attacking (nmap scans, changing user agents, etc.).

We had from 9 am to 12 pm to prepare, and then from 12 pm to 4 pm, the red team was attacking. At 2:30 pm, the leader of the red team got up and said "I give up, you guys win. I can't believe how prepared you were for this." So, even though there were no specific "flags" determined, he wasn't able to get into anything. I actually noticed once that he was using the Samurai Web Testing Framework, which naturally runs an apache server with convenient PHP and AJAX shells, but he noticed right when I was logging in with the default username and password and disconnected his line before turning off services like that and eventually reconnecting.

We were actually the only blue team that showed up, so we won the competition by default, but that didn't stop us from playing hard. I had a great team, and I would love to work with them again soon. It was absolutely a blast, and I can't wait for the next one. I think we're getting the local 2600, DC, and LUG groups to start planning similar events.

Next year will be my first time at Def Con, so I'm not planning on even trying to get into their CTF event, but maybe the following year.
Put that in your pipe and grep it!
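
The log-watching step described in Reply #4 (adding a drop rule at the top of iptables for sources that look like scanners or keep changing user agents), as an added example that is not part of the original post. The log lines are constructed, and the allowlist argument, the three-user-agent threshold and the scanner pattern are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): suggest iptables drop rules from an
# Apache combined-format access log. Thresholds and patterns are assumptions.

# Constructed sample lines using documentation address ranges.
sample_log() {
cat <<'EOF'
192.0.2.10 - - [21/Oct/2011:12:01:02 -0400] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux)"
192.0.2.10 - - [21/Oct/2011:12:01:09 -0400] "GET /about HTTP/1.1" 200 734 "-" "Mozilla/5.0 (X11; Linux)"
198.51.100.7 - - [21/Oct/2011:12:03:11 -0400] "GET /admin HTTP/1.1" 404 210 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
203.0.113.5 - - [21/Oct/2011:12:04:00 -0400] "GET /login HTTP/1.1" 200 900 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.5 - - [21/Oct/2011:12:04:01 -0400] "GET /login HTTP/1.1" 200 900 "-" "Opera/9.80 (Windows NT 6.1)"
203.0.113.5 - - [21/Oct/2011:12:04:02 -0400] "GET /login HTTP/1.1" 200 900 "-" "curl/7.21.0"
192.0.2.1 - - [21/Oct/2011:12:05:00 -0400] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
host.example.invalid - - [21/Oct/2011:12:06:00 -0400] "GET / HTTP/1.1" 200 512 "-" "curl/7.21.0"
EOF
}

# flag_ips "ALLOWED_IPS" < access.log  -> one suspicious source IP per line
flag_ips() {
  awk -F'"' -v allow="$1" '
  BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
  {
    split($1, head, " "); ip = head[1]; ua = $6
    # Log fields are attacker-influenced: accept only a dotted-quad source.
    if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
    if (ip in ok) next                       # never block our own hosts
    if (tolower(ua) ~ /nmap|nikto|sqlmap/) scanner[ip] = 1
    if (!((ip, ua) in seen)) { seen[ip, ua] = 1; agents[ip]++ }
  }
  END {
    for (ip in agents)
      if ((ip in scanner) || agents[ip] >= 3) print ip
  }' | sort
}

# drop_rules "ALLOWED_IPS" < access.log  -> commands to review, not executed
drop_rules() {
  flag_ips "$1" | while read -r ip; do
    printf 'iptables -I INPUT 1 -s %s -j DROP\n' "$ip"
  done
}

sample_log | drop_rules "192.0.2.1"
```

Splitting on double quotes misparses requests that contain escaped quotes, so the output is a list of candidates to review before any rule is applied.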