Capture The Flag in High Schools

<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Tue May 11, 2010 7:26 am

Capture The Flag in High Schools

Hey,

I would really like to start a competition in the high schools around where I live. I was a teacher years ago and I also did some volunteer work in one high school, etc.

I think teenagers interested in InfoSec are often left learning tools by themselves and, if not guided properly, can start hacking networks everywhere without permission...

Finally, I am a French Canadian and there are close to no resources in French in this field.

So, I would like to create some kind of a club among different high schools in my city where we could meet once a month or something like that and organize a CTF among them. I really, really want to focus on the legal aspect of it. I want them to be White Hats, not the opposite...

Do you guys think it would be a good idea? Has anyone done that before?

Thanks for your advice!
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Tue May 11, 2010 7:58 am

Re: Capture The Flag in High Schools

I think it's a very interesting idea.  I'd considered something similar around here at one point, and had even thought of using it to prep some of the local 'infosec-interested' students towards the US Cyber Security challenge, etc.  I think giving them something to start with would be an excellent thing to help them decide if they wanted to truly stick with this field, or move to something else.  It would also encourage them to play / practice on legitimate servers and lab machines, and not ones that they shouldn't be touching. 

In any event, I think it'd be a good initiative.  I also think you could combine it into a local program, with meetings / presentations on internet safety for kids / parents, etc, and really grow the club into something worthwhile.

Please continue to provide feedback as you move forward (assuming you do) and I'd do the same.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Tue May 11, 2010 8:10 am

Re: Capture The Flag in High Schools

Thanks Hayabusa,

I will keep you posted for sure. Meanwhile, I am just starting...
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

Xen

Sr. Member

Posts: 386

Joined: Tue Feb 03, 2009 3:59 am

Post Tue May 11, 2010 8:17 am

Re: Capture The Flag in High Schools

We don't have this kind of competition for schools in our country. But colleges and universities routinely organize techfests and conduct various competitions. Besides regular tech events, some of them do organize CTFs. However, it is not very difficult (not every college student is a hacker geek) and is often preceded by an optional 1-2 day security workshop. The idea is, if you don't know hacking, take the workshop where you'll be taught some basic stuff like ethics, recon, malware etc. But if you have some hacking skills then jump right onto the CTF. What I like about it is that students are taught about the importance of ethics in hacking.

You can also do something similar. Either organize some workshop or provide students with articles about infosec as a career and the importance of ethics. Add little tips/tricks to make the article more interesting.
<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Tue May 11, 2010 8:50 am

Re: Capture The Flag in High Schools

I was going to start by visiting high schools and try to talk to IT teachers and try to get some ideas from them too. They know their students after all...

Then I could do a little presentation to push the interest. I will probably have to write a letter to parents, school directors, etc.

Then we can start a web site, find a place to gather, do a few presentations and demos to really get the interest going. Then as you said Equix3n, have a workshop and organize a competition.

And you are right ETHICAL would be the keyword here...
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Tue May 11, 2010 10:21 am

Re: Capture The Flag in High Schools

H1t M0nk3y,

Good luck. Some things you'll have to remember (since you've been a teacher): you're responsible for them until they get picked up / home.

Had a friend (Tang Soo Do master) try to start an after school program, and the expectations of the administration were way out there.

Also, I don't know how things are in your area, but around here extracurricular has been taking cuts left and right. If someone were to try this here, they'd have to supply all the equipment themselves.
OSWP, Sec+
<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Tue May 11, 2010 10:43 am

Re: Capture The Flag in High Schools

Thanks chrisj,

I agree with you, I will be responsible for these kids until they are picked up. Also, I will start with one school, talk to the teachers and the director before I "see too big"!

My expectation is that any school will be afraid of us using their network. So I thought of supplying the server, the switches, the cables, etc. and the students bring their laptops. And since I wanted to put them in teams anyway, if one doesn't have a laptop, it should be alright.

But what about the CTF part? I don't want it to be too tough, but I want them to have a good challenge nevertheless. So what about this:

1) We meet twice a month and I give them a lecture on a single topic. For example, scanning with nmap using 4 or 5 switches.

2) The same day, they practice against the lab's server. Again for example, they use nmap to discover ports and enumerate services.

3) Every month or so, there is a bigger challenge where they will apply the knowledge they have learned recently. Ex: Reconnaissance, scanning, and an easy hack.

I also really, really want to put a big emphasis on ethics and defense!

It is a vast field and my biggest challenge will probably be to choose among many, many subjects...
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Tue May 11, 2010 11:14 am

Re: Capture The Flag in High Schools

Does the school or the home supply the laptop? Will they have the ability to boot BackTrack or something else on the laptop?

How are you going to keep them from using the skills you're teaching them to attack the school network? What if someone else attacks the network, how are you going to prove it wasn't one of yours?

Not trying to discourage you, just playing devil's advocate.

I really do think this is a great idea, and once I get more experience might approach a school about this (I love teaching, but would hate working as a teacher in a public school).
OSWP, Sec+
<<

Xen

Sr. Member

Posts: 386

Joined: Tue Feb 03, 2009 3:59 am

Post Tue May 11, 2010 11:46 am

Re: Capture The Flag in High Schools

@chrisj I was going to post the same thing, but you worded it more clearly :)
@H1t M0nk3y
Will you provide any study guide to the students or just refer them to some books? Don't hesitate to ask if you need any help with tutorials. I might help you out with some articles if you want.
<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Tue May 11, 2010 12:16 pm

Re: Capture The Flag in High Schools

Thanks guys!

It's good to see that I am not the only one thinking about this. I will try to meet the school director soon and see if I have too many road blocks.

If I do, I may look at the College level instead!

@Equix3n Thanks for offering your help!!!

I will keep you guys posted.
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Tue May 11, 2010 12:49 pm

Re: Capture The Flag in High Schools

Humm...

I also wonder if these teenagers would understand enough about computers to even start such a project. They probably wouldn't even know about a router, what a firewall really is, let alone TCP/IP, UDP, ports, NAT, etc.

Would anyone know about a 15 year old superuser who could even slowly start learning about these subjects?

I may be too optimistic...  ???
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Tue May 11, 2010 1:18 pm

Re: Capture The Flag in High Schools

H1t M0nk3y wrote: Humm...

I also wonder if these teenagers would understand enough about computers to even start such a project. They probably wouldn't even know about a router, what a firewall really is, let alone TCP/IP, UDP, ports, NAT, etc.

Would anyone know about a 15 year old superuser who could even slowly start learning about these subjects?

I may be too optimistic...  ???


I don't think so. Tech is popular now (was going to say chique, but not sure if that's the word I wanted). Back in the day (when I was 15) we had BBSes, and dial-up internet was new. While I didn't mind playing around on the BBSes, I wasn't as interested in computers back then. However, with Edubuntu and the increase of Linux, and networking to the house, I'm sure you'll find students.

If not, arrange for a couple of copies of Little Brother by Cory Doctorow to become available at the school.
OSWP, Sec+
<<

Xen

Sr. Member

Posts: 386

Joined: Tue Feb 03, 2009 3:59 am

Post Tue May 11, 2010 1:21 pm

Re: Capture The Flag in High Schools

15 yr. olds are more intelligent than you think. I've seen some 13 year old kids hacking stuff like professionals (random sites). What level of stuff do you want to teach these kids? From your above post it seems to me that you're going too deep into the syllabus. Teaching the above basics won't take more than a day or two. At this stage, however, I think you should just give an overview of each of the phases: Whois, Zone Transfer, a bit of Google hacking & web based searching in Recon, 3-way handshake, ports, 2-3 nmap scans, what's a vuln. scanner with a bit of Nessus intro in scanning, etc. (Are you getting my point?)
Conducting a full-fledged hacking class will be too much. Flow gently through each of the phases and let them explore the advanced stuff themselves.
<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Tue May 11, 2010 1:35 pm

Re: Capture The Flag in High Schools

Ok, let's say I can gather 20 teenagers.

After about 10 hours of training, demonstrations and exercises, what kind of challenge should I give them?

I guess I will know their level once I can evaluate them, but with CTF in mind, what kind of vulnerabilities should I expect them to compromise? I just can't throw a reverse engineering problem at them...

So password cracking, ARP cache poisoning, maybe some basic SQL injection?!?
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

Xen

Sr. Member

Posts: 386

Joined: Tue Feb 03, 2009 3:59 am

Post Tue May 11, 2010 1:48 pm

Re: Capture The Flag in High Schools

Could you please provide a basic overview of what you want to cover-- any table of contents you've prepared?