1 of 58

HOW TO WIN CCDC

A RED TEAM perspective

2026 Edition

Originally created in 2010 - Updated in 2016 - Modernized in 2026

THIS PRESENTATION IS FREE FOR ANY AND ALL USE AND UNDER NO LICENSE.

2 of 58

THE REALITY: What Happens in the First 10 Minutes

MINUTE 0-5: Compromise & Persistence

From National Championship and Regional Red Team Outbriefs:

  • Backdoors added
  • Accounts added
  • SSH keys added
  • Agents installed
  • Patches uninstalled
  • Keyloggers activated
  • Services added
  • Passwords exfiltrated

The first 10-30 minutes set the tone for the entire competition.

If you’re not faster than this, you’re playing defense from behind for 2 days.

3 of 58

WHAT ACTUALLY STOPS US

Strong Egress Filtering

  • Stops callbacks
  • Alerts you to our activity
  • Forces you to think about what’s talking

Good Ingress Filtering

  • Only allow scored services
  • Everything else is DENY by default
  • Double check every so often as we may have changed it

Changing Passwords

  • Do it fast, do it often
  • Automate it, include local administrator accounts AND computer accounts
  • Create new admins and immediately switch to those

Watching Logs

  • Actually look at your logs. We do not have the time to worry about them (most of the time)

Watching Network Traffic

  • Know what is expected, kill / block anything that isn’t a scored service connection

Notice what is NOT in that list:

  • Patching everything
  • Complex SIEM setups
  • Threat Hunting
  • “Next Gen” anything

The basics, done fast, win.

You don’t need fancy tools. You need speed, discipline and focus. Do not let us distract you.
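What the filtering items on this slide ask for, as an added example that is not the deck's own code: a shell function that writes an iptables-restore ruleset from the scored-service list, with DENY-by-default ingress, egress limited to DNS and the scoring network, and LOG rules so blocked callbacks land in the logs instead of quietly failing. The ports, CIDR and DNS address are hypothetical arguments; take the real ones from the competition packet.

```shell
#!/bin/sh
# Added example, not from the original deck: emit an iptables-restore ruleset
# that implements slide 3. Ingress: scored services only, everything else DROP
# by default. Egress: only DNS and the scoring/company network, and LOG what
# gets dropped so a callback shows up in the logs instead of succeeding.
# The ports, network and DNS address are hypothetical arguments; take the real
# ones from the competition packet.

# gen_ruleset "<scored tcp ports>" "<scored udp ports>" "<egress dst CIDR>" "<dns ip>"
gen_ruleset() {
  tcp_in="$1"; udp_in="$2"; egress_net="$3"; dns="$4"
  printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
  # loopback and already-established flows (replies from scored services leave here)
  printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT'
  printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  printf '%s\n' '-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT'
  # ingress: one NEW-connection rule per scored port, nothing else
  for p in $tcp_in; do
    printf '%s %s %s\n' '-A INPUT -p tcp --dport' "$p" '-m conntrack --ctstate NEW -j ACCEPT'
  done
  for p in $udp_in; do
    printf '%s %s %s\n' '-A INPUT -p udp --dport' "$p" '-j ACCEPT'
  done
  # egress: DNS to the given resolver and the scoring network only
  printf '%s %s %s\n' '-A OUTPUT -p udp -d' "$dns" '--dport 53 -j ACCEPT'
  printf '%s %s %s\n' '-A OUTPUT -d' "$egress_net" '-j ACCEPT'
  # anything reaching the end is dropped by policy; log it first (rate limited)
  printf '%s\n' '-A INPUT -m limit --limit 10/min -j LOG --log-prefix "INGRESS-DROP: "'
  printf '%s\n' '-A OUTPUT -m limit --limit 10/min -j LOG --log-prefix "EGRESS-DROP: "'
  printf '%s\n' 'COMMIT'
}

# count_rules "<ruleset text>" "<grep pattern>" -> number of matching lines (0 if none)
count_rules() { printf '%s\n' "$1" | grep -c -- "$2" || true; }

# Usage (as root, after reading the output line by line):
#   gen_ruleset "22 80 443" "53" "10.0.0.0/24" "10.0.0.2" > /etc/iptables.rules
#   iptables-restore < /etc/iptables.rules
#   tail -f /var/log/kern.log | grep -- '-DROP: '    # watch what is talking
```

Re-run the generator and compare its output against `iptables-save` every so often, since the slide's own warning applies: the Red Team may have changed the live rules.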

4 of 58

PRACTICE & PREPARATION

SECTION 01

The competition is won or lost before you walk in the door

5 of 58

BUILD YOUR PLAYBOOK

Prepare offline. Depending on the region, you may not have Internet access during the competition.

Print Physical Copies

One playbook per team member. Paper doesn’t crash or time out.

USB Toolkit

Pre-loaded with scripts, configs, tools and ESPECIALLY your printed documents. Easy to print last minute.

Password Sheet (Per Day)

Pre-generated passwords, with extras. DIFFERENT SETS for each day. Distribute at the start of each day. Easy to type but not predictable. Use words.

Automation Scripts

The Red Team is FASTER than you. We get to bring any tooling we want, but you get first access. Your first 2 minutes need to be solid.

Cheat Sheets (Role Specific)

Keep them SHORT. Looking through pages is just as bad as googling in the moment. One page, front and back, per topic, max.

Network Map Template

Blank template to fill in. Know it, love it, update it if things change. Print multiple copies and keep version numbers on the top.

Known Users / Service Lists

Default users and services per OS. You need to be able to reference what normal looks like. Leave space for checkboxes.

ANSIBLE IS YOUR FRIEND

Pre-built configs for SSH hardening, firewall rules, service lockdown. Test offline first.
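The per-day password sheet described above, as an added example that is not the deck's own tooling: three words plus four digits drawn from /dev/urandom, a different set for every day and every target, and a checker that rejects repeats and anything off-format before the sheet goes to the printer. The wordlist and the target names are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original deck: the per-day password sheet from
# slide 5. Three words plus four digits, drawn from /dev/urandom, a DIFFERENT
# set for every day and every target, and a checker that rejects repeats and
# anything off-format before the sheet gets printed. The wordlist and the
# target names in the usage lines are constructed samples.

# pick_word <wordlist file> -> one random line from the file
pick_word() {
  n=$(wc -l < "$1")
  # two bytes from the kernel CSPRNG, reduced to a 1-based line number
  r=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
  sed -n "$(( r % n + 1 ))p" "$1"
}

# gen_password <wordlist file> -> e.g. "harbor-velvet-comet-4821"
gen_password() {
  w1=$(pick_word "$1"); w2=$(pick_word "$1"); w3=$(pick_word "$1")
  d=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
  printf '%s-%s-%s-%04d\n' "$w1" "$w2" "$w3" $(( d % 10000 ))
}

# gen_sheet <wordlist file> <day label> <target...>
# -> one tab-separated "DAY TARGET PASSWORD" line per target, plus three spares
#    for accounts that turn up mid-day (injects, the new admins you switch to)
gen_sheet() {
  wl="$1"; day="$2"; shift 2
  for t in "$@" spare1 spare2 spare3; do
    printf '%s\t%s\t%s\n' "$day" "$t" "$(gen_password "$wl")"
  done
}

# check_sheet <sheet file> -> 0 if every password is word-word-word-dddd and none repeat
check_sheet() {
  tab=$(printf '\t')
  awk -F "$tab" 'BEGIN { bad = 0 }
    $3 !~ /^[a-z]+-[a-z]+-[a-z]+-[0-9][0-9][0-9][0-9]$/ { bad = 1 }
    seen[$3]++ { bad = 1 }
    END { exit bad }' "$1"
}

# Usage: a short constructed list is enough to show the format; use a few
# hundred readable words for a real sheet.
#   printf 'harbor\nvelvet\ncomet\nlantern\nmaple\nquartz\n' > words.txt
#   gen_sheet words.txt day1 dc01 web01 mail01 > day1.tsv && check_sheet day1.tsv
```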

6 of 58

KNOW YOUR TEAM

SECTION 02

Roles, responsibilities, and chain of command

7 of 58

TEAM ROLES & CHAIN OF COMMAND

Listed in order of operational importance, not technical skill

Team Captain

Coordinates, communicates and STAYS OFF THE KEYBOARD

Linux Admins

Service hardening, IPTables, SSH lockdown

Executive Assistant / Runner

Supports captain, handles paperwork injects

Web Admin

Application security, web server hardening

Firewall Admin

Egress / ingress control, network segmentation

Incident Responder

Detection, investigation, eradication, DOCUMENTATION

Windows Admin

Active Directory, GPO, Service Hardening, IIS

⚠️ KNOW YOUR ROLE. PERIOD.

Scope creep kills teams. Stay in your lane unless explicitly asked to help elsewhere.

8 of 58

TEAM CAPTAIN

9 of 58

FIREWALL ADMIN

10 of 58

WINDOWS ADMIN

11 of 58

LINUX ADMIN

12 of 58

WEB ADMIN

13 of 58

INCIDENT RESPONSE

14 of 58

KNOW YOUR ENEMY

SECTION 03

Red team tools, tactics, and reality checks

15 of 58

Tell 'em what you're gonna tell 'em

  • Year(s) in review - what worked and didn't
  • Practice and Preparation
  • Know your team
  • Know your role
  • Know your space
  • Know your network
  • Know your defences
  • Know your enemy
  • Know your weak points
  • Risk Prioritization
  • Quick solutions to hard problems

16 of 58

What you do wrong...

  • Get frustrated
  • Don't ask enough questions
    • White/Black cell is there to support you...
    • Injects are the only way you need to support them
  • Focus too much on what is going wrong
  • Patch everything
  • Leave default passwords
    • Windows
    • SSH/Linux
    • Web Applications / Administration
    • Databases

17 of 58

Your complaints about the Red Team

Stolen from http://bit.ly/rmudge_derbycon

  • How many 0days did you use?
  • If you have a head start that's unfair!
    • Real world attackers started attacking any Org that you get a job at before you got there.
    • You have the biggest advantage. You know we are coming. Don't expect to have this when you get to the 'real world'
  • They used really advanced tools!
    • Nope, we found DEFAULT credentials

18 of 58

Practice and Preparation

19 of 58

The ugly red book that won’t fit on a shelf

  • Create a playbook
  • Automate everything you can / that makes sense to automate
  • Kill trees (have a copy for each member)
  • Have a list of shortened URLs for common resources printed out (AV download, etc.)
  • Password sheets _FOR EACH DAY_
  • Cheat Sheets _FOR STUFF YOU NEED_
    • Looking through pages of references is just as bad as having to google it
  • List of known and standard users per OS
  • List of known and standard services per OS

20 of 58

Mubix’s Public Security Repo

Got things you’d like to see in there? Shoot mubix@hak5.org an email and I’ll add it.

21 of 58

Know your team

22 of 58

Roles & Chain of Command

  • Team Captain
    • Gopher
      • Firewall Admin
      • Linux Admin
      • Windows Admin
      • Web Admin
      • Client Services
      • Incident Responder

This list is in order of importance

23 of 58

Know your role

period

24 of 58

Team Captain Roles / Responsibilities

  • Make sure everyone is where and when they need to be
  • Coordinate responsibilities
  • Constantly ask for feedback on tasks assigned
  • Answer to the CEO and go to any and all meetings that are part of injects
  • Focus team on objectives
  • Stop any infighting
  • Channel feedback from internal and external
  • STAY OFF THE KEYBOARD

25 of 58

Team Captain Roles / Responsibilities (Cont'd)

  • When you go to a meeting with the CEO, have a report of your current team status written/printed on paper (or in PPT if your competition supports that). DO NOT GO INTO A MEETING EMPTY HANDED.
  • 1 page or less
  • Good stats to have on that paper are
    • # of injects completed/underway/completed
    • "working on" status for every member of the team
    • # of compromises found/cleaning/removed (be sure you have details on every one of these)
    • future plans on how to deal with injects, security (compromise) and team organization better

26 of 58

Team Captain Roles / Responsibilities (Cont'd)

  • The team captain should _NOT_ be your most technical person. That person should be on the keyboard. Your team captain should be able to manage projects, tasks, and people well. That is their job.

27 of 58

Secretary Executive Assistant / Gopher

  • Get/Download anything that is needed
  • Get supplies / food stuffs
  • Step in for Team Captain when not present
  • Support all other roles as needed
  • Deal with all paperwork based injects
  • Inherits all physical security responsibilities
  • Defend team against Nerf assaults

28 of 58

Firewall admin

  • RAISE SHIELDS Mr Sulu!
  • Monitor OUTBOUND connections
  • Know your firewall and how to configure it
  • Have or know exactly where to get any and all software you need to administer the firewall given to you.
  • Egress and Ingress filtering
  • IPv6 OFF (Unless required)
  • deny any any is your friend
  • Wireless gear is your baby, WPA2, WPS off (if possible), and long pass phrase
  • Pass off Incident Reports to IR person
  • Capirca (ACL generator) is _AWESOME_
    • http://code.google.com/p/capirca/

29 of 58

Linux Admin

  • Upgrade your kernel ASAP
  • Fail2Ban
  • If ($PHP) then shoot.self; (Fix php.ini)
  • SETUID
  • Watch those auth logs
  • Create a process list file so IR can diff it
  • Remove any unused users or services
  • IPTSTATE is like TCPView for Linux. Use it, love it.
  • GRSEC IF YOU HAVE TIME. Custom kernels take time to compile, but it's fun to watch Red Teamers attempt privilege escalation on older kernels.
    • Turn off the ability to change grsec settings via sysctl
    • Turn on EXEC logging
    • Watch the audit log for signs of escalation attempts

30 of 58

Linux Admin (cont'd)

  • File Integrity logging pays dividends:
    • Tripwire
    • OSSec (has pre-configurations for most *nix)
  • Nothing new should enter here without you knowing:
    • /tmp/ (new files or binaries in here are bad news)
      • .hidden directory is a common place to put stuff
    • crontab for all users
    • ~/.ssh/ (and /root/ not just /home)
    • /etc/
    • /etc/passwd & /etc/shadow & /etc/sudoers
  • Know all SetUID binaries and watch for new ones

31 of 58

Linux Commands

  • Find all 'immutable' files
    • find . | xargs -I file lsattr -a file 2>/dev/null | grep '^....i'
    • 'chattr -i file' to change it back
    • Doing this on / takes a long time, point it where it counts: /etc/, ~/, /tmp/, etc.

Sorry Raph.. :-)

  time find / | xargs -I file lsattr -a file 2>/dev/null | grep '^....i'
  ----i-------------- /etc/bob.txt
  ----i-------------- /etc/bob.txt

  real 9m15.451s
  user 0m51.505s
  sys 6m38.862s

Just /etc => real 0m2.674s
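An added example (not from the deck) that ties the immutable-file check on this slide to the "nothing new should enter here" list on the previous one: take a baseline of the SetUID/SetGID binaries, immutable files, crontabs, authorized_keys and /tmp (plus running commands and listening sockets on a live host), then diff a later run against it so IR gets a concrete list of what changed. The root argument, output paths and the scratch layout are assumptions; lsattr is only run on the directories the slide says count.

```shell
#!/bin/sh
# Added example, not from the original deck: baseline the places slides 29-31
# say nothing new should appear (SetUID/SetGID binaries, immutable files,
# crontabs, authorized_keys, /tmp, the process list) and diff a later snapshot
# against that baseline so IR has a concrete list of what changed.
# ROOT is "/" on a live box; a test can point it at a scratch tree, which is
# why every path is built from "$root". As the slide notes, lsattr over / takes
# minutes, so it is only run on /etc, /root, /home and /tmp.

# take_snapshot <root> <outfile>
take_snapshot() {
  root="${1%/}"; out="$2"
  {
    echo "## setuid/setgid files"
    find "$root/" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
    echo "## immutable files (/etc, /root, /home, /tmp only)"
    for d in "$root/etc" "$root/root" "$root/home" "$root/tmp"; do
      [ -d "$d" ] || continue
      # -d: report the entry itself, so directories are not listed twice
      find "$d" -xdev 2>/dev/null | xargs -I f lsattr -d f 2>/dev/null | grep '^....i' || true
    done
    echo "## crontabs (checksum, so an edited job shows up, not just a new file)"
    find "$root/etc/crontab" "$root/etc/cron.d" "$root/var/spool/cron" -type f 2>/dev/null \
      | sort | xargs -r cksum || true
    echo "## authorized_keys (checksum; /root as well as /home)"
    find "$root/root" "$root/home" -name authorized_keys -type f 2>/dev/null \
      | sort | xargs -r cksum || true
    echo "## /tmp entries, dot-dirs included"
    find "$root/tmp" -mindepth 1 -maxdepth 2 2>/dev/null | sort
    if [ -z "$root" ]; then
      # live system only: user+command without PIDs, so the diff stays stable
      echo "## running commands"
      ps -eo user,comm 2>/dev/null | sort -u
      echo "## listening sockets"
      ss -lntup 2>/dev/null | sort
    fi
  } > "$out"
}

# compare_snapshots <baseline> <current> -> prints a unified diff, returns 1 if anything changed
compare_snapshots() { diff -u "$1" "$2"; }

# Usage on a live host (as root):
#   take_snapshot / /root/baseline.txt        # once, first thing, before anything else
#   take_snapshot / /root/now.txt && compare_snapshots /root/baseline.txt /root/now.txt
```

Keep the baseline file somewhere the Red Team cannot edit it (the printed copy the playbook slide asks for, or a USB stick the White Team approved).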

32 of 58

Windows Admin

  • Event Viewer is your friend
  • Autoruns is your friend
  • Process Explorer and TCP View are your friend
  • OSSEC works for Windows too
    • (agent only, must talk to a Linux server for reporting)
  • Change passwords and fast! (Automate if possible)
  • Remove unused users and services
  • Turn your firewall on and REMOVE EXCEPTIONS
  • Turn off Teredo

Mark Russinovich is your friend.

33 of 58

Windows Admin - Changing Passwords Fast

  • Program one:
    • AutoIt (make a binary to do it faster)
  • Download one:
    • http://bit.ly/bulkpasswordcontrol (AD only - not local)
    • Advantage: pseudo random passwords
  • Built in one:
    • dsquery user ou=Users,dc=testlab,dc=net | dsmod user -pwd RedTeamSucks! -mustchpwd yes
    • LAPS for local admin passwords (not built in, but it is a Microsoft tool) https://technet.microsoft.com/en-us/library/security/3062591.aspx

34 of 58

Windows Admin - GPO (Security)

Some specific Windows Group Policy to set

Security Options

  • Network security: LAN Manager authentication level - Send NTLMv2 response only. Refuse LM & NTLM
  • Network security: Do not store LAN Manager hash value on next password change - Enabled
  • Network access: Do not allow anonymous enumeration of SAM accounts and shares - Enabled
  • Network access: Do not allow anonymous enumeration of SAM accounts - Enabled
  • Network access: Allow anonymous SID/name translation - Disabled
  • Accounts: Rename administrator account - Rename to something unique (but remember it)
  • Interactive logon: Message text for users attempting to log on - sometimes an inject

35 of 58

Windows Admin - GPO (Audit)

Audit Policy

Learn to configure Windows audit logs and understand the events.

  • Audit process tracking - Successes
  • Audit account management - Successes, Failures
  • Audit logon events - Successes, Failures
  • Audit account logon events - Successes, Failures

36 of 58

Windows Admin - GPO (Other)

User Rights Assignment

  • Debug programs - Remove all groups/users
  • Allow log on through Terminal Services - Leave blank to disallow login via TS even if it has been started.

37 of 58

Windows Admin - Local GPO

Local GPO is much faster to push out on small networks, and can be applied to any Windows system, not just domain joined ones (plus if the attacker kicks a box off the domain, domain GPO goes away). There isn't an easy way to do it for all GPO settings, but for security ones 'secedit' is your friend.

-- Export a config from a VM or other default install for reference:

secedit /export /cfg checkme.inf

-- Edit it to have more secure settings, then import onto your target system:

secedit /configure /db secedit.sdb /cfg securecheckme.inf

38 of 58

Web Admin

  • Mod_Security
  • Passwords… find them, reset them, most likely the Red Team found them first
  • Look for administrative interfaces and restrict them to localhost or an “admin” box

39 of 58

Web Admin (Cont’d)

  • As quick as possible figure out the use of the web apps provided and how they play into the “company” you are pretending to be.
  • Watch logs, get them shipped somewhere, syslog, splunk, something so you can watch them all at once.

40 of 58

Client Services

  • Turn on text only email reading if email is in play
  • Microsoft Security Essentials is free for SMB and home users, so White Cell should be OK with it, and it is hands down the best AV (IMHO)
  • They have firewalls too! (nudge nudge)
  • On Windows systems install PeerBlock; it's a very small software package that does IP blocking for Windows, supports LARGE IP lists (like every IP but my subnet) and supports egress
  • On Linux remove all remote access options. It's a client, it doesn't need SSHd

41 of 58

Incident Responder

  • Windows
    • Autoruns and other Sysinternals from a known good source. Ask White Team for a USB if you aren't allowed to have one/bring one
    • List logged in users (qwinsta)
    • If notepad.exe is running you've been breached
  • Linux/BSD/Nix
    • .bash_history
    • ~/.ssh/authorized_keys
    • lsof -nPi / netstat -ano
    • know where logs are
    • diff process list
    • fuser -k pts/2
  • Get the incident response forms and learn how to fill them out. Big points! 5 dolla

42 of 58

Know your space

43 of 58

Physical space

  • Go into blackout (everyone has a single role) every morning. Check everything from network cables to users, services, and passwords
  • Baseline and inventory your gear every day
  • Look for tape on mice
  • Schedule 20 minutes before the ending bell to police your space. Remove and secure all media (physical and digital)
  • Tag (like in graffiti) all of your gear, think SPY movie (small piece of tape to know if someone opened the door)
  • GSM bugs? Keyloggers? Wifi Access Points? Voice recorders? Stuff that Tom Cruise would use (minus the couch jumping)
  • If the fire alarm goes off, ask the White Cell if it's real.

44 of 58

Verbal Space

  • If you get injects via phone, call back just like you (sh/w)ould your bank. Start to recognize the voice, have the same person answer every time.
  • Verify _any_ communication with alternative means. Challenge / Response

45 of 58

Know your network

46 of 58

Forget Snort/Splunk/Nagios/Cacti

  • You do not have time to install and configure these, much less watch them. Don't.
  • Event Viewer, /var/logs, .bash_history
  • Create a network map ahead of time. Know it, love it, feed it breakfast
  • NetworkMiner makes it easy to watch for new IPs connecting to/from your system
  • nmap has NSE scripts to check for vulnerabilities
  • Nikto can catch easy web app stuff

47 of 58

Know your defences

48 of 58

What gets the most bang for the buck?

  • A clear head
  • Firewalls
  • AV
  • File Integrity Monitoring (FIM)
  • Logs

... and a long way below those:

  • Patches (at least, not all of them; we'll talk about that later)

49 of 58

Know your enemy

50 of 58

THE RED TEAM ARE NOT GODS

when someone asks you if you are a god, you say: YES!

51 of 58

Realm of Possible

  • ARP spoofing only works on a broadcast range. Configure your router/firewall and you're fine, stop worrying about it.
  • DNS poisoning is hard and takes time, the Red Team _probably_ won't do it. Don't waste your time on it
  • They cannot launch missiles by whistling the 2600Hz tone into your VoIP Phone

52 of 58

ME Gorrillllla

  • Red Team posturing is just that, ignore it
  • Red Team isn't going to get in if you focus on the basics and keeping them out instead of getting them out

53 of 58

Know the Red Team tools

  • Run Poison Ivy, know how to remove it
  • Run Metasploit's attacks psexec, MS08_067, and MS09_050 and see what changes are made to the system
  • Run Metasploit's persistence script, know how to get rid of it
  • AUTORUNS is your friend

54 of 58

Risk prioritization

55 of 58

You patch too much...

  • Patch what is exploitable. This will save on download time, install time, and maximizes impact. Assume certain vulnerabilities.
  • If XP/2k3 then PATCH MS08_067
  • If Vista/7/2k8 then PATCH MS09_050
  • If Linux/BSD don't patch, secure the kernel

NO ONE IS GOING TO DROP 0DAY AT CCDC

NO ONE IS GOING TO DROP 0DAY AT CCDC

NO ONE IS GOING TO DROP 0DAY AT CCDC

This also closely resembles the challenges of enterprise networks as you won't be able to patch everything on every system. Go for what counts.

56 of 58

Quick solutions to the right problems is the way to win.

Learn from mistakes, don't sweat them

57 of 58

Questions?

Rob Fuller

- mubix@hak5.org

- @mubix on twitter

- http://www.room362.com/

Special thanks to Devon, Joseph, Marco, Aaron, Raymond, and Brian for the 1 AM jam session to get these slides together. Go social media.

Alex Herrick for GPOs and other suggestions

Craig Balding for the beautiful 'iptstate' command

58 of 58

Other Resources (need to add to main preso)

  • http://ambuships.com/ <- Free HIPS that kicks ASS
  • https://github.com/trustedsec/artillery <-- Sorta another HIPS but both Win and Linux
  • http://la-samhna.de/samhain/ SAMHAIN - Linux IDS / File Integrity monitor
  • OSSEC...
  • Lynis (Linux security checking)