As some are aware, I'm a professor at a college. One of the courses I teach is Introduction to Internet Security. As part of that course I've implemented "wargames". Wargames are a 4 week period during which students attack each other (and defend against those attacks) to get some experience of what they might face as an admin out in the real world. At the end of the 4 weeks they write a report on the methodology they used for their "role". I'm a firm believer in hands-on experience and the application of techniques to understand both the need for security and the how of it. Every time I talk about the wargames people seem interested in learning about them, so I thought I'd write out the reasons and concepts I considered when creating and adding them.

When I started writing this, I envisioned a single tutorial. Given the amount of material, I will have to split the information into multiple tutorials (4-5) that will cover:

a) how to setup a wargame
b) Hacker/attacker role
c) Defender/admin role
d) Reports

One caveat: in no way should you use this in an illegal manner. Do not attack your ISP, company or others without written consent from the proper authorities/management. If you choose to attack someone without their permission you run the risk of being charged with a felony (dependent upon the laws of your nation). I DO NOT ADVOCATE THIS, ENCOURAGE THIS NOR SUGGEST YOU DO THIS.

Wargames: Purpose

The purpose of wargames is to offer a safe environment in which to experiment. As we are aware, it is illegal to "hack" other systems without the owner's consent. I know that students will try things (and play with "toys"). Rather than them getting arrested, the wargames allow for exploration and understanding with minimal to no risk (as long as the rules are followed).

Rules are:

1) Do not erase your opponent's machine.
2) Ask your opponent beforehand if you can attempt to attack their machine. This rule is lifted when doing "unknown audits" against targets, which is best done with many groups of "attackers" and "defenders".
3) Attacks that leave the LAN (internal/private network) and target live public machines result in an F (obviously, if this isn't an educational setting, it should result in i) banishment from further wargames, ii) the potential to be arrested).

Wargames: Machine(s) requirements

The machines should be in good working condition, with hard drives that can be easily erased and rebuilt. Attackers can use multiboot systems while defenders use single-OS systems (or remain in a single OS). Combinations of attacker vs. defender could be:

- Windows vs. Windows
- Linux vs. Windows
- Windows vs. Linux
- Unix vs. Linux
- etc.

Planning is key to a successful wargame. At a school it's easy to have the machines coordinated in a single lab. For home users there are a few options:

a) acquire some older machines and use those for the wargames. Plan in advance what OS is going to be the target/victim "du jour" and install it. Configure it loosely to begin with, but learn how to lock down what will need to be locked down. Select one person who can host the "Wargames Party". Ensure that everyone involved signs an agreement that covers the rules, and strictly enforce it with a firewall that limits activities. If you want to go further, ensure that people come prepared and allow no Internet access. Agree on the default services that will run on the defender's box; I usually pick common ones found on the Internet like DNS, FTP, HTTP, etc.

b) attackers need to research all the potential vulnerabilities and acquire the necessary "toys" to exploit those vulnerabilities. Google is a powerful friend. Other sites include (but are not limited to) Packetstorm Security, Security Focus, SecuriTeam, NetSys.com, astalavista, Zone-h.org, etc. Utilities like nmap, nessus, SAINT/SARA/SATAN, hping2, etc. should also be on hand. Don't forget things like DoS and DDoS tools, sniffers, hijack tools and more. One option is to take a distro like Knoppix and customize it with the tools you want to use regularly.

c) defenders need to learn their OS and the services/daemons they will be running. Research is key: vulnerabilities, patches, fixes, secure installations, etc. Defenders should not place long-term blocks on attackers' IP addresses (it does take away the fun sometimes). Defenders should come with their machines prepared and, if Internet access is lacking, with CDs holding the latest upgrades, patches, etc.

d) the network setup should be agreed upon beforehand. The most "bang for the buck" scenario is a straight network configuration with a hub. You can go fancier if you want to test setups with firewalls, IDSs and honeypots.
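As an added example (not from the original tutorial), here is a small Python helper for the scope and firewall points in a) and d): it checks requested targets against the lab subnet so that nothing leaves the LAN (rule 3), and renders nftables rules for a gateway that forwards lab-to-lab traffic only and for a defender box that exposes only the agreed services. The lab subnet 192.168.10.0/24, the host addresses and the nftables table names are assumptions made up for the example; the services are the DNS, FTP and HTTP mentioned above.

```python
"""Scope check and firewall policy for a wargame LAN.

Added example for the machine and network setup; not part of the original
tutorial.  The lab subnet 192.168.10.0/24 and the host addresses are
constructed values; the agreed services are the DNS, FTP and HTTP named
in the text.
"""
import ipaddress

# Constructed lab network; everything outside it is off limits (rule 3).
LAB_NETWORK = ipaddress.ip_network("192.168.10.0/24")

# Services agreed to run on the defender box, as (protocol, port) pairs.
AGREED_SERVICES = {
    "dns": [("udp", 53), ("tcp", 53)],
    "ftp": [("tcp", 21)],
    "http": [("tcp", 80)],
}


def is_in_scope(address, lab_network=LAB_NETWORK):
    """True only for a non-public host address inside the lab subnet."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return ip in lab_network and not ip.is_global


def out_of_scope_targets(targets, lab_network=LAB_NETWORK):
    """Return the requested targets that would break rule 3."""
    return [t for t in targets if not is_in_scope(t, lab_network)]


def gateway_policy(lab_network=LAB_NETWORK):
    """nftables ruleset for the box between the lab and the outside:
    forward lab-to-lab traffic only and drop everything else, so a stray
    attack on a public address never leaves the LAN."""
    net = str(lab_network)
    return "\n".join([
        "table inet wargame_gateway {",
        "    chain forward {",
        "        type filter hook forward priority 0; policy drop;",
        f"        ip saddr {net} ip daddr {net} accept",
        "    }",
        "}",
    ])


def defender_policy(lab_network=LAB_NETWORK, services=AGREED_SERVICES):
    """nftables ruleset for the defender host: accept only the agreed
    services from lab addresses.  No per-attacker blocks, in keeping with
    the advice not to block opponents long term."""
    net = str(lab_network)
    by_proto = {}
    for entries in services.values():
        for proto, port in entries:
            by_proto.setdefault(proto, set()).add(port)
    rules = [
        "table inet wargame_defender {",
        "    chain input {",
        "        type filter hook input priority 0; policy drop;",
        "        iif lo accept",
        "        ct state established,related accept",
    ]
    for proto in sorted(by_proto):
        ports = ", ".join(str(p) for p in sorted(by_proto[proto]))
        rules.append(f"        ip saddr {net} {proto} dport {{ {ports} }} accept")
    rules += ["    }", "}"]
    return "\n".join(rules)


if __name__ == "__main__":
    print(gateway_policy())
    print(defender_policy())
    # Constructed target list: the second address is public and gets flagged.
    print(out_of_scope_targets(["192.168.10.5", "203.0.113.7"]))
```

The two rendered rulesets are meant to be loaded with `nft -f` on the gateway and on the defender box respectively; the scope check is the same test the agreement in a) asks participants to apply before they touch a target.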

Everyone should have a log book to record everything they did before and during the wargames. It should also list where they went to get whatever information they used. Details are important here, so leave nothing out. If the wargames get hot and heavy, use history files, logs, human memory and, if possible, audio recordings to put the pieces together afterwards.
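One way to do the "putting the pieces together" step with the history files and logs mentioned above, as an added example that is not part of the original tutorial: the script merges a bash history file written with `HISTTIMEFORMAT` set (each command is preceded by a `#<epoch>` line) with syslog-style lines into one ordered timeline. The history, log lines, host name and addresses are constructed for the example; the year 2023 is assumed because syslog lines carry no year, and the box's clock is assumed to be in UTC.

```python
"""Merge a timestamped bash history with syslog lines into one timeline.

Added example for the log-book step; not part of the original tutorial.
All history lines, log lines and hosts below are constructed.  Syslog
timestamps have no year, so ASSUMED_YEAR is an assumption, as is UTC.
"""
import re
from datetime import datetime, timezone

ASSUMED_YEAR = 2023  # assumption: the wargame took place in 2023

# Constructed defender history (bash with HISTTIMEFORMAT set).
HISTORY = """\
#1700000040
ss -tlnp
#1700000100
tail -n 50 /var/log/auth.log
#1700000400
systemctl restart vsftpd
"""

# Constructed log excerpt from the defender box.
SYSLOG = """\
Nov 14 22:14:15 defender sshd[2210]: Failed password for root from 192.168.10.7 port 40112 ssh2
Nov 14 22:14:18 defender sshd[2210]: Failed password for root from 192.168.10.7 port 40112 ssh2
Nov 14 22:19:02 defender vsftpd[2290]: CONNECT: Client "192.168.10.7"
"""

SYSLOG_RE = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (.*)$")
_UNDATED = datetime.min.replace(tzinfo=timezone.utc)


def parse_history(text):
    """Return (timestamp or None, 'history', command) tuples.  Commands
    recorded before timestamps were enabled have no '#<epoch>' line and
    get None, so they are kept but cannot be placed on the timeline."""
    entries = []
    pending = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#") and line[1:].isdigit():
            pending = datetime.fromtimestamp(int(line[1:]), timezone.utc)
            continue
        entries.append((pending, "history", line))
        pending = None
    return entries


def parse_syslog(text, year=ASSUMED_YEAR):
    """Return (timestamp, 'syslog', message) tuples; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        stamp = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
        stamp = stamp.replace(year=year, tzinfo=timezone.utc)
        entries.append((stamp, "syslog", m.group(2)))
    return entries


def build_timeline(history_text, syslog_text, year=ASSUMED_YEAR):
    """Interleave both sources by time; undated history entries sort last."""
    entries = parse_history(history_text) + parse_syslog(syslog_text, year)
    return sorted(entries, key=lambda e: (e[0] is None, e[0] or _UNDATED))


def format_timeline(entries):
    """Render the timeline as one line per event for the log book."""
    lines = []
    for stamp, source, text in entries:
        when = stamp.strftime("%Y-%m-%d %H:%M:%SZ") if stamp else "(no timestamp)     "
        lines.append(f"{when}  {source:<8} {text}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_timeline(build_timeline(HISTORY, SYSLOG)))
```

With the constructed data the failed logins land between the admin's `ss -tlnp` and the `tail` of auth.log, and the FTP connection lands just before the vsftpd restart, which is exactly the kind of cause-and-effect ordering the report has to reconstruct.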

The last tutorial will talk about report writing. The value of a wargame is lost when people are unable to learn from the experience. The ability to explain what you did, how you did it, why you did it and what to do to prevent bad things from happening is powerful. For my students, success in the wargames isn't determined by compromising the system but by the methodology they used in attempting to compromise it. In the real world an attacker sometimes has months to prepare an attack; here, you have but a few hours.

Terminology

Attacker: sometimes referred to as a "black hat hacker", "bad guy" or "evil dude", this is the person who attempts to compromise a machine. They will use whatever is available to them, including social engineering. Generally, what they do is illegal.

Defender: sometimes referred to as the "good guy" or "administrator", this is the person who attempts to thwart attacks and mitigate their effect. Often overworked, underpaid, underappreciated and lacking sleep, they try to be alert to any new tricks that are thrown at them.

Auditor: sometimes referred to as a "white hat hacker", this person is legally allowed to break into systems. Their job is to find the vulnerabilities and suggest better courses of action. Attacks can be made against procedures, OSes, applications, network devices, methodologies, etc. Audits may be known to the defender or may be done without the defender's knowledge (but with CEO approval).

Hacking: IMHO, hacking is the expert understanding of a particular system. What that system is varies from situation to situation, and a hacker is the expert on that particular system. E.g., Wayne Gretzky is (was?) the hacker of the NHL when it came to scoring. A hacker is someone who understands a system to that level.

System: a logical interaction of objects and subjects. This could be the way an organization works, how a computer works, how a protocol works, how a phone works, how a department works or how humans interact. See Hacking.

Script Kiddie: an individual who desires to be a "hacker" but doesn't want to take the time, nor is interested in acquiring, the necessary in-depth understanding of the system. Often refuses to do research on their own and refuses to record activities for future learning.

Social engineering: the ability to convince an individual to respond the way you want them to respond and give out information that normally wouldn't be given out. This is often done by playing on empathy, annoyance and other feelings. Relies on the "mark" being busy or wanting to help.