Wednesday, September 28, 2016

WCTF Debrief

In this edition of WCTF blog we welcome guest blogger 0rsu who was a member of the second place team of the DEFCON WCTF challenge.

void main ()
I rolled into Vegas this year much as I have the past four years: miserably hot and already over the idea of dealing with hilljacks in douchetastic mall-chic apparel.  I’m among the fortunate of those going to DEFCON in that I work for a company that I convince (con) into paying my way out.  So, I get here nice and early on Wednesday, and I have plenty of time to get ready to pilfer my weasely black guts out at DEFCON in style.

This is a recollection of a relative newbie, and how with the help of a small team of perfect strangers, we were able to capture second place in one of the most prestigious wireless hacking contests.  I won’t go into too many of the intimate details of the competition, because I’m sure those tricks will be used again.  But within I hope to give those sitting on the sidelines a little insight on why you should definitely compete next year, and what to expect.

A little about me, and how I got to this point.  I have been a general security engineer/analyst for a few years now, after transitioning out of more than a decade-long, aggravating career in general IT, where I put in my time educating the computer illiterate on where to find the Start button, and the difference between a computer and a monitor.  I don’t expect sympathy here.  I know most people reading this have similar tales, or are still neck deep in that hell.  At any rate, I have some experience in security, but it consists mostly of building defensive systems.  I like the attack surface that wireless provides, since it tends to produce less of a trail of breadcrumbs back to the attacker.  There’s just something ninja-like about pulling information literally out of the air.

I came to DEFCON with a nerd-on for SDR (software defined radio), and as it turned out, spent almost zero time working or learning anything about it.  This is mostly because the first talk I went to was in the Wireless Village, where I decided on a whim to sit down and compete in the wireless capture-the-flag.  In doing so, I flipped my usual script of roughly 90% of my time spent in various talks.  I still had a blast, and learned quite a bit.  Because I was competing, I didn’t have the luxury of hashing out the finer points of SDR.  However I managed to open the door to spending the coming year soaking in everything SDR by virtue of my drive to win the wCTF next year.

The Wireless Village at DEFCON, I should immediately point out, consists of every RF-based discipline.  Not just Wi-Fi.  In the context of the wCTF, there is ample time to learn and explore an unknown technology.  That’s half the point in my opinion.  Along with Wi-Fi, there are challenges involving various SDR disciplines, Bluetooth, and this year even a crossover into Wi-Fi-accessible SCADA/ICS systems.  To succeed in at least a few of the challenges from each group is to have come to DEFCON and actually learned a new skill – one that you will probably still remember once the hangover is gone.

The other value in these exercises is the idea of nailing down a technique you might know to some extent, but only ever used it in a limited way, and thus still require a trip to Google to pull it off.  This was where I stood going in with regard to basic techniques like using the Aircrack-NG suite.  Sure, I’d managed to perform a WEP crack before.  But pre-wCTF, even with a gun to my head I couldn’t have completed the steps without a reference.  After a weekend in the challenge, I can run the main tasks of Aircrack-NG about as easily as signing my name.  (Full disclosure, my signature looks like I’m trying to sign with my feet.  While trying to stay afloat in a vat of KY Jelly.  While having a seizure.)

So, in my four previous trips to DEFCON, I have managed to make almost zero meaningful or long lasting connections with other con-goers.  I tend to drift from talk to talk as a wallflower.  There are a few videos to be found out there where I have spoken up in the Q&A, and in one or two cases received applause for my remarks.  But even when someone has come up to me afterward, my anti-social tendencies render me as Teflon as I scuttle off to my next talk, squirming away from the friendliest of people.  This all changed in the span of one morning, as I sat down at a table of complete strangers and got to work.  I initially began the challenge flying under my own banner.  But as I began to trade the occasional comment with the other three at my table, something crazy happened - I started bonding with them.  I made an arbitrary decision to grab some lunch, and offered to grab food for anyone at my table.  The guy and the girl sitting opposite me took my offer, and suddenly and without fanfare, a winning team was born.  That is literally all it takes.  Offer to fetch some pizza, and you too can manage to meet a few good hackers.

My new team, who I will refer by their handles, consisted of rux616 and InvaderTAK, apparently work with each other as CS interns.  This was their first time at DEFCON, and they were jumping in with both feet, doing something it took me five years to break down and try.  I envy their foresight in gaining more value from the con than the handful of talks that would be freely available later anyway.  I would classify the three of us as rookie material – especially at the start of the event.  While we all have technical specialties, it did not necessarily translate well into the contest.  Personally, I spent a good three hours the first day scratching my head trying to figure out why I couldn’t make it past the first challenge.  It was breaking WEP for crying out loud!  I thought I was being fancy by pulling up Fern to automate the task and sat back, only to be puzzled on why nothing happened.  The short version is: don’t just assume the wireless adapter you know and trust has injection capabilities on a new OS build.  Run the stupid Airodump test, even if you think it’s a given.  It was humbling to go half a day into the contest with nothing to show for it.  But after a few speed bumps, I found my rhythm and began turning in challenges.  The other two on my team faced similar troubles getting off the ground, but both managed to start turning in good work.

It is worth telling that capture the flag is an addictive game.  To be honest, the thing that made me decide to drop in to the challenge was the possibility of earning the nifty copper challenge coins they give to those that place in the contest.  Little did I know the prize haul in store this year, including the coveted Black Badge – free DEFCON for life!  After about 24 hours I was somewhat regretting the decision to sit down.  But once you start earning points and seeing your name/team go up in the standings, it’s hard to stop.  My mild case of FOMO was easily tempered by the thought of doing even mildly well in a contest I thought was steeply beyond my expertise.

Without detailing every challenge and every solution, I will just go through a few of my thoughts about the contest.  First, if you have a laptop, you have everything you need to get started.  The only other things I would recommend would be a cheap SDR adapter, and maybe one or two extra USB Wi-Fi adapters (capable of packet injection).  All told, apart from your laptop, you might have to invest $50 in your arsenal.  My next insight is as I have mentioned above.  Talk to people.  Even if it’s not in your nature.  The lone gunman hacker is a nifty persona to emulate, but among tens of thousands of people that are, for the most part, almost begging to include you in their social circle and teach you anything you want to know, it’s worth following the advice you hear pretty much everywhere at the con.  These people are your people.  Trust them (just don’t send any valuable information over the hotel Wi-Fi).  Buy them beer and marvel as the floodgates of knowledge and experience wash over you.

The folks that run the wCTF started their talk in the best way possible: with absolutely nothing approaching reverence or propriety.  These were a few ‘gentlemen’ that clearly were here for the enjoyment of it, and like most people, were eager to pass on knowledge.  They were funny, they were delightfully crude, they were instantly welcoming to all.  While they kept the competitors at an arm’s length for obvious reasons, they were perpetually friendly.  As soon as they began speaking, I registered them in my mind as my kind of people.  During the contest, they were happy to help demonstrate the requisite techniques needed to pass the challenge, and they did so in a positive and laid back manner.

The challenges themselves are fun, and are given mysterious clues.  The types of clues that have you smacking your forehead once you figure them out.  Some challenges are ...more fun for spectators that the person involved.  I tender this GIF of me on the business end of a dog training collar as what was probably a highlight for my teammate with his finger on the keyboard that triggered the collar.

I think I might have wandered into the ICS village for a total of 5 minutes at a previous con, but in this environment I was forced to put myself through a crash course of all things related in order to pass the challenges.  Is knowledge of ICS/SCADA something I will use next week at work?  I highly doubt it.  Will this information benefit me in my career?  It’s very possible.  For those still trying to get their foot in the InfoSec door, I can tell you that the more arrows you have in your quiver, the better your chances will be.  My company doesn’t really do much with ICS, but that’s not to say my CTO will decide tomorrow to roll out a new revenue channel I will suddenly be responsible for securing.  So in the end, I was grateful to learn new skills.

My small team of neophytes managed to progress almost to the top of the scoreboard.  Indeed, I personally came within ten points of the top individual score.  Above us was a large team of engineers from a major network/firewall vendor, who’s collective experience far surpassed mine.  So once it became obvious that they were the Katie Ledecky of this particular race, I respected their knowledge and efforts and congratulated them on their success.  At the same time, I am here to tell you that I will be spending a good part of the coming year learning - sharpening my axe so that next year my team can take down that particular marine-themed monster team and win the entire thing.

And that may be the best part of my experience.  Learning begets learning.  I come to DEFCON generally, not as much to learn, but to be inspired to learn.  This year I did both.  And coming in second, especially now that there is a black badge at stake, I know there will be tougher competitors, and that we will be among them – seasoned and ready for a bigger challenge.  I say bring it on.  I have no doubt that word will spread that the wCTF is an opportunity to score serious hacker cred, as well as a ton of cool prizes and gear.  Next year, my team and I will compete as veterans.  And while I know the competition will be open and friendly as ever, I also know the gauntlet has been dropped.  Next year, it is on like Donkey Kong.

We would like to sincerely thank Orsu and team, not just for this wonderful write-up, but also for exemplifing exactly what we are trying to accomplish.  We run this game to provide a safe space to practice and test your skills, but above all we do it to share our passion with others. We do this in the hopes that we ignite a new love (or rekindle an old one) in our attendees and contestants.  Many previous winners, near winners, and people who play have stories just like this.  Please, come in, sit down, play, make friends, and join a welcoming group of your new friends.

-The Wireless Village and Wireless CTF Team