Sunday, June 28, 2015

My Impressions of SANS NetWars Continuous

From the SANS NetWars Continuous website, :

"SANS' NetWars Continuous Online Range uses the gamification of IT Security to advance your most vital InfoSec skills. To build your skills and keep them from getting rusty, you need an environment where you can apply your knowledge to solving real-world infosec issues to stay sharp. That's what NetWars Continuous is all about. Over the course of 4 months and 5 levels, you can master real-world tactics and techniques in a safe learning environment."

Having just about completed SANS NetWars Continuous, I wanted to share my impressions on it and my experience working through it.  Obviously, I will share what I can without giving away any hints or details that might ruin it for others who will participate in the future. :)

First, let me say this: I am not a pentester.  Nor am I a blackhat.  I don't spend many hours of my days hacking into other people's networks.  What I've learned I've learned through self-training, SANS courses, with great instruction by people like Ed Skoudis, Seth Minisar, Dave Shackleford, Jeremy Druin, and others like them.  I do hack some as part of my job and definitely enjoy it, but by NO MEANS am I at the level of these guys or those who do this kind of thing everyday as their profession.

I signed up for NetWars continuous after taking SEC542 (Web Application Testing and Ethical Hacking) in New Orleans from Seth.  I thought, why not give it a go?  It has been fun and severely educational.  While live NetWars competition is available at SANS conferences, NetWars continuous provides much more time for someone like me to learn a whole lot more.

Ed Skoudis and his team have done a great job of creating a challenging CTF game that is stable and repeatable.  That isn't easy to do.  It's consistent in that things work the way they should and you don't have to worry about getting "cheated" by a technical glitch or an unseen bug.  They also make it fun in the usual Ed Skoudis way, by including a theme and characters from that theme as a backdrop for the scenario.

My 4 months is over.  Here's a brief overview of my experience.

NetWars is NOT just about offense.  That is made clear immediately in levels 1 and 2, where you are provided with a Linux image to work on.  As someone who has been actively defending for years and is an old Linux guy, levels 1 and 2 were both interesting and pretty straight forward. Correctly answering online questions is the way to earn points in levels 1 through 4, while taking as few hints as possible.  You are allowed up to 3 hints per question, but taking them all not only lowers your ranking in a tie situation, it also (for me) kinda defeats what I wanted, which was to force my own learning and education.  I tried my best to take as few hints as possible, and if I wasn't sure about something I would hit up the Interwebs first.  Often after starting work on a question I would take the first hint just to make sure I was "barking up the right tree".  I was surprised and stoked that I was able to make it to level 5 while taking only 23 hints, and only needed all 3 hints for one particularly grueling question, which took me an entire week to answer! (more below).

They also show you all 3 hints after you have successfully answered a question.  On one scenario, I realized I was able to complete it in a different manner than what the hints showed afterwards, and I was kinda proud of myself for that one. ;)

The variety of scenarios and questions stretch you, as they cover almost all aspects of offense, defense, forensics, intrusion detection, etc.  I never found any of it boring or repetitive.  The challenges kept stacking up.

Level 3 introduces you to the online challenge by placing you in a company's DMZ where you have to attack and infiltrate systems in a variety of manners.  This is where I really started to have to stretch my mind a bit.  It includes network and web application pentesting in this level.  Having just finished SEC542, I really enjoyed this level.

Level 4 ups the ante by giving you the opportunity to break into the internal corporate network.  It includes social engineering, which I think is fantastic.  This level took me awhile.  One particular question involving encryption took me about a week to research, learn and try before I finally got it.  It was a bruiser. ;)

When I started NetWars continuous I never even dreamed of making it to level 5.  I was surprised and stoked that I did (and kinda scared too! ;)  I wanted to complete all the questions in the previous levels so that I had as many points as possible, as I wasn't sure how well I would do from there.  After finishing off, I joined a level 5 game.

Level 5 is interesting in that it is live offense and defense.  You compete against others in the game, defending the "castle" you are given while performing offense against theirs, with the goal of uptime for your castle's services while placing your "flag" in the services of as many other castles as you can.

The other thing that is interesting about level 5 is that it is played in games that last one week.  Each Monday a new game starts, and you join it and move on.  You can play as many games as you like as long as you have time left in NetWars continuous. I found this to be a great thing, because it honed my approach.  Having about 5 weeks left, I decided to start the first game I participated in by just "watching" what happened.  Locking down my castle as much as I knew how (a couple of the applications I had to defend were new to me), I setup a packet capture and leaned back.  My castle was compromised pretty quickly, but I had the evidence of exactly what was done.  I used those packet captures to lock my castle down further, as well as learn from some of the better attackers their techniques and put them in my bag of offense for use in the next game against others.  After 2 weeks of this, my castle finally appeared to be pretty solid.

That having been said, offense came slowly, because, well, I'm not as good, and I ended up not having a lot of time during those weeks to watch for newcomers. And there remained some very good offensive players (one in particular who had taken 0 hints throughout) that had more time, jumped all over the newcomers almost immediately, and made it difficult for others to compromise the boxes they had already pwned.  But I did manage some fun pwnage. :)

It has been a fun and very satisfying experience for me.  It looks like I'll still finish with a spot in the top 10% of finishers, which for me is quite surprising yet makes me happy... ;))

So, if you are thinking about participating in NetWars Continuous, do it!!  It's not cheap, but it's worth every penny, and you can get a discount if you sign up for it when you register for a SANS course.  I paid for it out-of-pocket as a gift to my own education, and I can say sincerely that it was definitely worthwhile.  Since much of my job is making this very same stuff educational and entertaining for end-users, I have a lot more material to talk about.  Thank you Ed Skoudis and SANS!

P.S.: Others to thank that I know are part of NetWars, and forgive me if I've left someone out: Daniel Pendolino, Tom Hessman, Josh Wright, Jeff McJunkin, Tim Medin...THANKS!!!


  1. How did you setup a packet capture in Level 5? I'm about to kcik it off and annoyingly nervous about it all!

    1. Just used tcpdump with the -w flag to write the contents to a file. Use -C to set the max size of the file created before creating a new one. Limit your capturing to capturing packets from only the attack host, ignoring all the other castles out there.

    2. Do you remember the number and name of services you needed to defend your castle?

  2. How much time (in hours) did you spend on each level? Trying to figure out how to budget my time when going through the challenges.