Capture The Flag in High Schools

    • #5033
      caissyd
      Participant

      Hey,

      I would really like to start a competition in the high schools around where I live. I was a teacher years ago and I also did some volunteer work in one high school, etc.

      I think teenagers interested in InfoSec are often left learning tools by themselves and if not guided properly, can start hacking networks everywhere without permission…

      Finally, I am a French Canadian and there are close to no resources in French in this field.

      So, I would like to create some kind of a club among different high schools in my city where we could meet once a month or something like that and organize a CTF among them. I really, really want to focus on the legal aspect of it. I want them to be White Hats, not the opposite…

      Do you guys think it would be a good idea? Has anyone done that before?

      Thanks for your advice!

    • #31893
      hayabusa
      Participant

      I think it’s a very interesting idea.  I’d considered something similar around here at one point, and had even thought of using it to prep some of the local ‘infosec-interested’ students towards the US Cyber Security challenge, etc.  I think giving them something to start with would be an excellent thing to help them decide if they wanted to truly stick with this field, or move to something else.  It would also encourage them to play / practice on legitimate servers and lab machines, and not ones that they shouldn’t be touching. 

      In any event, I think it’d be a good initiative.  I also think you could combine it into a local program, with meetings / presentations on internet safety for kids / parents, etc, and really grow the club into something worthwhile.

      Please continue to provide feedback as you move forward (assuming you do) and I’d do the same.

    • #31894
      caissyd
      Participant

      Thanks Hayabusa,

      I will keep you posted for sure. Meanwhile, I am just starting…

    • #31895
      Xen
      Participant

      We don’t have such kind of competitions for schools in our country. But colleges and universities routinely organize techfests and conduct various competitions. Besides regular tech events some of them do organize CTFs. However, it is not very difficult (not every college student is a hacker geek) and is often preceded by a 1-2 day optional security workshop. The idea is, if you don’t know hacking take the workshop where you’ll be taught some basic stuff like ethics, recon, malware etc. But if you have some hacking skills then jump right onto the CTF. What I like about it is that students are taught about the importance of ethics in hacking.

      You can also do something similar. Either organize some workshop or provide students with articles about infosec as a career and the importance of ethics. Add little tips/tricks to make the article more interesting.

    • #31896
      caissyd
      Participant

      I was going to start by visiting high schools and try to talk to IT teachers and try to get some ideas from them too. They know their students after all…

      Then I could do a little presentation to push the interest. I will probably have to write a letter to parents, school directors, etc.

      Then we can start a web site, find a place to gather, do a few presentations and demos to really get the interest going. Then as you said Equix3n, have a workshop and organize a competition.

      And you are right, ETHICAL would be the keyword here…

    • #31897
      rattis
      Participant

      H1t M0nk3y,

      Good luck. Some things you’ll have to remember (since you’ve been a teacher), you’re responsible for them until they get picked up / home.

      Had a friend (Tang Soo Do master) try to start an after school program, and the expectations of the administration were way out there.

      Also, I don’t know how things are in your area, but around here extracurricular has been taking cuts left and right. If someone were to try this here, they’d have to supply all the equipment themselves.

    • #31898
      caissyd
      Participant

      Thanks chrisj,

      I agree with you, I will be responsible for these kids until they are picked up. Also, I will start with one school, talk to the teachers and the director before I “see too big”!

      My expectation is that any school will be afraid of us using their network. So I thought of supplying the server, the switches, the cables, etc and the students bring their laptops. And since I wanted to put them in teams anyway, if one doesn’t have a laptop, it should be alright.

      But what about the CTF part? I don’t want it to be too tough, but I want them to have a good challenge nevertheless. So what about this:

      1) We meet twice a month and I give them a lecture on a single topic. For example, scanning with nmap using 4 or 5 switches.

      2) The same day, they practice against the lab’s server. Again for example, they use nmap to discover ports and enumerate services.

      3) Every month or so, there is a bigger challenge where they will apply the knowledge they have learned recently. Ex: Reconnaissance, scanning, and an easy hack.

      I also really, really want to put a big emphasis on ethics and defense!

      It is a vast field and my biggest challenge will probably be to choose among many, many subjects…

    • #31899
      rattis
      Participant

      Does the school or the home supply the laptop? Will they have the ability to boot BackTrack or something else on the laptop?

      How are you going to keep them from using the skills you’re teaching them from attacking the school network? What if someone else attacks the network, how are you going to prove it wasn’t one of yours?

      Not trying to discourage you, just playing devil’s advocate.

      I really do think this is a great idea, and once I get more experience might approach a school about this (I love teaching, but would hate working as a teacher in a public school).

    • #31900
      Xen
      Participant

      @chrisj I was going to post the same thing, but you worded it more clearly 🙂
      @H1t M0nk3y
      Will you provide any study guide to the students or just refer some books? Don’t hesitate to ask if you need any help with tutorials. I might help you out with some articles if you want.

    • #31901
      caissyd
      Participant

      Thanks guys!

      It’s good to see that I am not the only one thinking about this. I will try to meet the school director soon and see if I have too many road blocks.

      If I do, I may look at the College level instead!

      @Equix3n Thanks for offering your help!!!

      I will keep you guys posted.

    • #31902
      caissyd
      Participant

      Humm…

      I also wonder if these teenagers would understand enough about computers to even start such a project. They probably wouldn’t know about even a router, what really is a firewall, let alone TCP/IP, UDP, ports, NAT, etc.

      Would anyone know about a 15 year old superuser who could even slowly start learning about these subjects?

      I may be too optimistic…  ???

    • #31903
      rattis
      Participant

      @H1t M0nk3y wrote:

      Humm…

      I also wonder if these teenagers would understand enough about computers to even start such a project. They probably wouldn’t know about even a router, what really is a firewall, let alone TCP/IP, UDP, ports, NAT, etc.

      Would anyone know about a 15 year old superuser who could even slowly start learning about these subjects?

      I may be too optimistic…  ???

      I don’t think so. Tech is popular now (was going to say chique, but not sure if that’s the word I wanted). Back in the day (when I was 15) we had bbses, and dial-up internet was new. While I didn’t mind playing around on the bbses, I wasn’t as interested in computers back then. However with Edubuntu and the increase of Linux, and networking to the house, I’m sure you’ll find students.

      If not, arrange for a couple of copies of Little Brother by Cory Doctorow to become available at the school.

    • #31904
      Xen
      Participant

      15 yr. olds are more intelligent than you think. I’ve seen some 13 year old kids hacking stuff like professionals (random sites). What level of stuff do you want to teach these kids? From your above post it seems to me that you’re going too deep into the syllabus. Teaching the above basics won’t take more than a day or two. At this stage, however, I think you should just give an overview of each of the phases: Whois, Zone Transfer, bit of Google hacking & web based searching in Recon, 3-way handshake, ports, 2-3 nmap scans, what’s a vuln. scanner with bit of nessus intro in scanning etc (Are you getting my point?)
      Conducting a full fledged hacking class will be too much. Flow gently through each of the phases and let them explore the advanced stuff themselves.

    • #31905
      caissyd
      Participant

      Ok,  let’s say I can gather 20 teenagers.

      After about 10 hours of training, demonstrations and exercises, what kind of challenge should I give them?

      I guess I will know their level once I can evaluate them, but with CTF in mind, what kind of vulnerabilities should I expect them to compromise? I just can’t throw a reverse engineering problem at them…

      So password cracking, ARP cache poisoning, maybe some basic SQL injection?!?

    • #31906
      Xen
      Participant

      Could you please provide a basic overview of what you want to cover, any table of contents you’ve prepared?

    • #31907
      rattis
      Participant

      For a capture the flag event, I’d divide them up into 4 groups. Give them X amount of time to set up a system and harden it. Then give them an image file to put somewhere on the box (different for each team). Then let them go at it either in a bracket or free for all.

      Capture the image, and shut down the box they’re trying to defend.

      Next time, switch up the people on the teams.

      That way they get to work with different people, they get to learn both sides of pen-testing (how to do it and spot / defend). Rotating people around will hopefully prevent 1 team from dominating the rest every time.

      Purposely put your weakest people with the strongest. If they’re strong in the cracking, make them take a couple of turns as incident response.

    • #31908
      bamed
      Participant

      Don’t forget to give them a list of services that must be running and stay running.  It’s easier to kill apache than to harden it.  Depends on their level of skill, and how involved you want the scoring to be.  But keeping a list of critical services up and running should be part of the defense.
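
      One way to score the "critical services must stay up" rule from the post above, as an added example that is not part of the original thread. Team names, lab addresses, ports and point values are constructed assumptions; a plain TCP connect only shows that the port answers, not that the service behaves correctly.

```python
import socket

# Constructed sample data (assumptions): services every team must keep
# running, and the lab address of each team's box.
REQUIRED_SERVICES = {"http": 80, "ssh": 22}
TEAMS = {"team1": "192.168.50.11", "team2": "192.168.50.12"}


def service_up(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def score_round(teams, required, checker=service_up, points_up=1, penalty_down=2):
    """Score one check round.

    A service that answers earns points_up; a missing one costs
    penalty_down, so shutting a service off is worse than defending it.
    Returns {team: (score_delta, [names of services found down])}.
    """
    results = {}
    for team, host in teams.items():
        down = [name for name, port in required.items()
                if not checker(host, port)]
        up_count = len(required) - len(down)
        delta = points_up * up_count - penalty_down * len(down)
        results[team] = (delta, down)
    return results


def run_rounds(teams, required, rounds, checker=service_up):
    """Accumulate uptime scores over several check rounds."""
    totals = {team: 0 for team in teams}
    for _ in range(rounds):
        for team, (delta, _down) in score_round(teams, required, checker).items():
            totals[team] += delta
    return totals


if __name__ == "__main__":
    # Run from the scoring machine on the isolated lab network.
    for team, (delta, down) in score_round(TEAMS, REQUIRED_SERVICES).items():
        print(team, delta, "down:", ", ".join(down) or "none")
```

      The uptime total can be added to whatever points are given for captured flags, which keeps "kill apache" from being a winning defense.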

    • #31909
      j0rDy
      Participant

      I see some good ideas around here!

      Maybe give DVL or some other pentest disks (like De-Ice) a go as a base to start with. Another option would be to use the lampsecurity disks (which have great documentation, but for the instructor only of course) and make it a time trial! Maybe even set up a group that tries to find the errors in the code against a group trying to hack it. Be sure to put a chapter “ethics” in it while you finish up. Good luck and I’m sure there are people willing to help!

    • #31910
      caissyd
      Participant

      A little update on the topic.

      I have got a reference from a French teacher at one high school. She talked to a programming teacher and very briefly explained my idea. She said he was very excited! Anyway, I have contacted this teacher by email but since then, everything went wrong!

      Before even replying to my email, he went straight on and talked to the school principal about a “Hacker Club”. He knows nothing about ethical hacking and he is running with my idea!

      Hummm, not impressive and not looking good…

    • #31911
      j0rDy
      Participant

      Not good when people run with your idea. Try to talk to the principal directly and explain why it was your idea and how much he needs you to make it a success! Props for trying to turn this one into a working concept! Keep us informed and if there is any way we can help, let us know!

    • #31912
      caissyd
      Participant

      Thanks J0rDy, I will keep you all posted.

    • #31913
      caissyd
      Participant

      Hey,

      I’ve got some updates on this. I finally went visiting the school yesterday and met with the IT teacher and the school principal. It went surprisingly well! I kind of “connected” with the guy and the principal was happy when I talked about the disclaimer form.

      The club will start around the end of September since the classes are virtually over for the summer. We will:

      1) Have the students and their parents sign a disclaimer form.
      2) We have a lab with about 30 computers, disconnected from the school network. Students will also be able to bring a laptop if they want to.
      3) We will use Backtrack 4 in VMPlayer (Windows XP being the Host OS)
      4) We have a projector and many switches, routers and other network equipment

      So, all seems to look good now!

      Does anyone have a disclaimer form I could adapt to the school?

      Thanks!

    • #31914
      Xen
      Participant

      Congrats! Everything looks good 🙂

    • #31915
      rattis
      Participant

      Rock on. Glad you’re back in the saddle on this.
