Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Education Security

Ask Slashdot: Capture the Flag Training 102

An anonymous reader writes "I'm a computer science professor and a group of students want me to help them train for a capture the flag competition. I am interested in this and I'm familiar with security in general, but I've never been involved in one of these competitions. Does anyone know of any resources which would be useful to train for this?"
This discussion has been archived. No new comments can be posted.

Ask Slashdot: Capture the Flag Training

Comments Filter:
  • lots of paintball capture the flags on roblox. not very realistic motions however unless you can jump higher than your head

  • CTF? (Score:4, Interesting)

    by exomondo ( 1725132 ) on Thursday October 09, 2014 @11:38PM (#48108937)
    As in a real-world Capture the Flag [wikipedia.org] or in a game like Team Fortress CTF [teamfortress.com]?
  • by Anonymous Coward

    ...use Unreal Tournament 99. Lots of levels for CTF, Last Man Standing, Deathmatch, Team Deathmatch and Assault.

    • Domination was a favorite of mine when we had our clan...

    • by cstec ( 521534 )
      LMCTF
    • by AqD ( 1885732 )

      Unreal Tournament 99 is only practically playable on 32-bit Windows now, because community-made plugins require it.

      It was the best days...

      • Doesn't 64 bit windows support 32 bit mode?
        • by AqD ( 1885732 )

          Yes. It was when Vista came out and I remember the problem has something to do with native dll plugins. However, I just tried it and all seem to be fine now. They also made new renderers to take advantage of new hardwares.

      • by ihtoit ( 3393327 )

        uh... there would be a problem if they required 16-bit environment, since 64-bit Windows has the canny ability to run 32-bit in compatibility mode (most of the time completely seamlessly) in which the memory space is shared. 16-bit mode in 64-bit requires a segregated memory space and a sandboxed environment.

  • by Anonymous Coward

    Most computer science students are fat and out of shape. Someone could get hurt.

    • Re: (Score:2, Funny)

      by Anonymous Coward

      Your stereotype is out of date. Most computer science students are Indians who eat curry and stay thin by dancing to Bollywood showtunes. Any fat American slob who is still studying computer science is an idiot who will never find a job.

      • Re: (Score:2, Funny)

        by Anonymous Coward

        Sorry, but your stereotype is out of date.

        Computer science students are all women because they were given scholarships and inflated grades in order to promote something mis-named "equality".

        • by Thanshin ( 1188877 ) on Friday October 10, 2014 @01:41AM (#48109257)

          Sorry, but your stereotype is out of date.

          There are no computer science students, only entrepreneurs who happen to be in the early stages of their short path to becoming multi-billionaires and who vote for the rightmost wing to protect their imminent fortune.

          • Re:Not a good idea (Score:4, Insightful)

            by Half-pint HAL ( 718102 ) on Friday October 10, 2014 @05:50AM (#48109875)

            Sorry, but your stereotype is out of date.

            There are no computer science students, because the industry only wants trained monkeys rather than people who can do new and clever things, and demand that computer science courses are replaced with programming ones.

            • by Talderas ( 1212466 ) on Friday October 10, 2014 @06:15AM (#48109933)

              Sorry, but your stereotype is out of date. Ever since they gaved trained monkeys rights like humans the industry only wants drunk college coeds.

            • demand that computer science courses are replaced with programming ones.

              Sorry, but your stereotype is OFF.

              Computer Science is not teaching you to do "programming"! If you want to replace the core course with "programming," you are picking the wrong major. You should rather change your major and go on Information Technology/System instead because they do learn more in programming (look at their course catalogue).

  • Best comments ever (Score:2, Informative)

    by Bovius ( 1243040 )

    The comments to this post are hilarious.

  • by Anonymous Coward

    Pico CTf is a good start.

  • by Anonymous Coward

    "I'm a computer science professor and a group of students want me to help them train for a capture the flag competition."

    Why not just be a scout leader?

  • by Anonymous Coward

    Www.ingress.com. it's about dominating control points. Lots of strategy and games are ongoing abd dynamic.

  • The obvious (Score:3, Insightful)

    by penguinoid ( 724646 ) on Thursday October 09, 2014 @11:52PM (#48109001) Homepage Journal

    Get as much information about the playing field as possible, and also the opponent robots. Study multiple strategies, and play them against each other. The optimum would identify the enemy's strategy and play the one strongest against that, but you may be unable to reliably identify it. When choosing a strategy, consider the rules and whether it is better to score as many flags as possible, or win as many games as possible.

  • by Anonymous Coward

    Google Gruyere
    OWASP's vulnerable web app project
    HackThis Site

  • Keep it up (Score:5, Funny)

    by Anonymous Coward on Friday October 10, 2014 @12:15AM (#48109053)

    Not sure if the comments are hilariously misguided or weak trolls. Either way, good job.

    Next month:
    Team coached by Slashdotter banned from CTF competition. It took security two hours to apprehend all team members, who were running around non-stop. "We were just looking for their flag", said one of the members. When asked for their reasons to run like madmen on coke, they had this to say: "The other teams were not even trying, they were just fucking around on their computers. We found it strange at first, but kept looking". They accused other teams of cheating, stating "we searched for hours and found not a single flag, zero. The cheating bastards broke the rules, and even laughed at us. We found out and have been banned."
    When pressed for comments, their coach mumbled something about "stupid [inaudible] beta" and walked away without making eye contact.

  • by plover ( 150551 ) on Friday October 10, 2014 @12:18AM (#48109063) Homepage Journal

    You didn't say how old your students are. If they're still in high school (or younger), consider the CyberPatriot competition. It's a National Youth Cyber Education Program, put on by the Air Force. In the competition, teams are given VM images that have various vulnerable operating systems that they have to keep operational while they keep them secure. The earlier rounds feature a scoring robot; in the later rounds the students face a Red Team.

    The entire competition is focused on defense, so there are no points for attack. Teams from around the country compete for a trip to the national finals. Prizes include scholarships for the winning teams.

    If you're interested, have a look at https://en.wikipedia.org/wiki/... [wikipedia.org] . Today is the last day to register teams for this year's competition, so you might want to look quickly.

    Even if you're not interested in standing up a competitive team, their site provides instructions on how to build practice images, and you can download their scoring bot to see how well your teams fared. http://www.uscyberpatriot.org/... [uscyberpatriot.org]

  • by Anonymous Coward

    I would recommend rolling your own mini CTF style competition. Here at Evergreen some of the members have been creating chals for the rest of the team to solve as practice for the upcoming CSAW finals. They range from the very simple to somewhat complicated.
    For some examples on what you can do, check out:
    ctf.hackevergreen.com

    We often use resources from websites like:
    root-me.org
    phrack magazine
    (esp good one about stack smashing http://phrack.org/issues/49/14... [phrack.org])

  • I'm a traditionalist.

  • by Visserau ( 2433592 ) on Friday October 10, 2014 @01:20AM (#48109205)

    That is, if you're trying to figure out WTF the CTF in question is. (I've never heard of it before, but it sounds cool.)

    Capture the Flag (CTF) is a special kind of information security competitions. There are three common types of CTFs: Jeopardy, Attack-Defence and mixed.

    Jeopardy-style CTFs has a couple of questions (tasks) in range of categories. For example, Web, Forensic, Crypto, Binary or something else. Team can gain some points for every solved task. More points for more complicated tasks usually. The next task in chain can be opened only after some team solve previous task. Then the game time is over sum of points shows you a CTF winer. Famous example of such CTF is Defcon CTF quals.

    Well, attack-defence is another interesting kind of competitions. Here every team has own network(or only one host) with vulnarable services. Your team has time for patching your services and developing exploits usually. So, then organizers connects participants of competition and the wargame starts! You should protect own services for defence points and hack opponents for attack points. Historically this is a first type of CTFs, everybody knows about DEF CON CTF - something like a World Cup of all other competitions.

    Mixed competitions may vary possible formats. It may be something like wargame with special time for task-based elements (like UCSB iCTF).

    CTF games often touch on many other aspects of information security: cryptography, stego, binary analysis, reverse engeneering, mobile security and others. Good teams generally have strong skills and experience in all these issues.

    https://ctftime.org/ctf-wtf/ [ctftime.org]

    • Thanks, I was wondering what it was. Doesn't matter though, I feel too old for this shit.
    • Are you restricted from using common techniques to protect your system during the competition? Wouldn't one simply make their services unreachable by the attackers and declare victory? Doing basic things like filtering packets and requiring that clients present security certificates are going to be pretty much impossible to bypass.
  • Yes (Score:5, Funny)

    by physicsphairy ( 720718 ) on Friday October 10, 2014 @01:25AM (#48109213)

    For your convenience I have put some good resources in C:/ on the FBI mainframe.

  • by ihtoit ( 3393327 ) on Friday October 10, 2014 @01:32AM (#48109229)

    The Fugitive Game, by J. Littman (9780316528696).

    Um... that's it, really. Unless you got time, in which case you could pick up The Art of Intrusion, The Art of Deception, or Ghost in the Wires (all K. D. Mitnick).

  • I'm also a comp sci prof and have played many cybersec ctfs. If you want to have a chat on the phone pm me and I can give some tips.

    Best
    Gareth

  • quakelive kind of ctf? 2 runs after the flags, the rest guards the base, keep running keep running keep running never stop.
  • Software Tools (Score:4, Informative)

    by zhennian ( 884384 ) on Friday October 10, 2014 @01:54AM (#48109295) Homepage
    I went looking for some open-source software to facilitate multi-team cyber training. There didn't seem to be much around so I wrote this set of python scripts to provide some basic CTF-like training - http://sourceforge.net/project... [sourceforge.net]. You still have to set up all the servers and networking, but this lets you set up new tokens and keep score.
  • resources (Score:5, Informative)

    by numatrix ( 242325 ) on Friday October 10, 2014 @03:15AM (#48109497)

    (for some reason the first time I loaded this page there were no comments, so some of this is duplicate)

    Excellent! Very glad to hear it. There are a /ton/ of helpful resources out there for you. Here's a brain-dump of some of the most popular:

    * CTFTime : http://ctftime.org/ [ctftime.org] : Website that tracks team scores, upcoming events, and writeups for previous events.
    * CapTF : http://captf.com/ [captf.com] : My CTF dump-site that includes a calendar, links to "practice" sites (aka Wargames), and many years worth of CTF events archived
    * Field Guide : http://trailofbits.github.io/c... [github.io] : Specifically covering the skills / approaches, the field guide is a good read for anyone getting into this world.
    * Guide for Running a CTF : https://github.com/pwning/docs... [github.com] : Written by PPP (CMU's ever-dominant CTF team) along with feedback from the broader CTF community, this guide is more relevant when making a CTF, but can aid in understanding how the good CTFs are designed.
    * PicoCTF : https://picoctf.com/ [picoctf.com] : PicoCTF is designed for high school students, but had an awesome difficulty curve, getting up to some relatively advanced challenges by the end of it. It's also extremely well designed, runs for a longer period of time and is a
    * CSAW : https://ctf.isis.poly.edu/ [poly.edu] : One of the best events targeted specifically at College students, unfortunately the qualifier round just finished, and the participants already selected for the final round, but you can always check out the archives of previous challenges to get a feel for the difficulty. Note that the qualifier event is typically intended to be much easier than the in-person finals to better encourage new students to get into the sport.
    * IRC : irc.freenode.net#pwning : There's a lively and active community in #pwning on freenode that would be happy to help you with questions/advice related to CTFs.
    * YouTube : There's a couple of different presentations/talks on CTFs over the years. If your'e interested in learning more about attack-defense CTFs and in-particular DEF CON CTF, I gave an old talk that's mostly still relevant (https://www.youtube.com/watch?v=okPWY0FeUoU), though I'd recommend you not focus on A/D at first, but just get into the regular challenge based or jeopardy boards as they're sometimes called.

    The best way to prepare for CTF is by... playing CTFs. There's no real magic formula, just go out there and start working on challenges. Old CTFs are great as learning exercises since you can usually cheat and read a writeup, but avoid the temptation as much as possible. If stuck, go off and try another problem first, and only if you're /really/ stuck should you check out a writeup.

  • root-me (Score:3, Informative)

    by zeropol ( 3871061 ) on Friday October 10, 2014 @03:43AM (#48109571)
    To train for CTF you may practice on root-me.org [root-me.org]
    Also has IRC, forum, and some ressources.
  • $ grep -v flag ctf.txt
  • Along with the practice images others mentioned, some of your students may be interested in these free online classes, particularly the CYB-201 track.

    http://www.teex.org/teex.cfm?p... [teex.org]

  • by Anonymous Coward

    Trail of Bits have written a startup guide: https://trailofbits.github.io/ctf/ctf.html

    You will probably like to take a look at the Kali Linux distribution: http://www.kali.org/
    It's a Ubuntu based live distro (can be installed too) with lots of security tools.

    For web security you should take a look at WebGoat: https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
    It's a deliberately insecure Java web application with tutorials on each vulnerability.

    http://www.kioptrix.com/ - Is a couple of downloadab

  • by Anonymous Coward

    HackThisSite [hackthissite.org] has been around since 2003. Its missions are old, but it's one of many good starting points. They're updating their challenges, too .. eventually.

  • CTF resources (Score:4, Informative)

    by EdMcMan ( 70171 ) <moo.slashdot2.z.edmcman@xoxy.net> on Friday October 10, 2014 @07:57AM (#48110349) Homepage Journal

    Take a look at this list of practice or permanent CTFs [captf.com]. The root [captf.com] of the site also has a great archive of past CTFs, and other useful stuff.

  • by iceco2 ( 703132 ) <meirmaor&gmail,com> on Friday October 10, 2014 @09:52AM (#48111377)

    This is the best advice for any competition.
    Alsi arm yourselves with every tool you csn think of. Any minute spent familiarizing yourself with an extra tool is well spent.
    Several years ago I led a team of capture the flag, our main tool was simply metasploit(the only tool we used more than once), 8 hours into the conpetition we were down to the last flag trailing the leading team by 15 minutes. We collected a hint stating that some users use the same password on multiple servers which got us to attempt to retrieve all passwords from an already compromised windows machine and try them on an apparently iron clad linux box with nothing but the latest openssh exposed. The other teams were using john the ripper but we had rainbow tabels. This is the only different tool we used and it gave us the win.

  • by INT_QRK ( 1043164 ) on Friday October 10, 2014 @11:18AM (#48112421)
    Make sure you get specific written permissions, and execute your exercise in a controlled, preferably closed, network to prevent unintended or collateral damage. Lots of laws come into play, and you don't want to risk liability for damage or criminal culpability for breaking any laws.
  • Most commentators are assuming a computer-based game which is a reasonable assumption, but not guaranteed. They might actually want to do something different and get out into the woods.

    My experience with CTF games using paintball guns is the the vast majority of players want to strike out on their own or with a couple friends and be the hero. No concept of discipline, organization, or coordinated action exists. These groups of Rambos are easy pickings for any group that has learned to work together in a pla

He keeps differentiating, flying off on a tangent.

Working...