Thread: How to organize a Pentesting competition

  1. #1
    Just burned his ISO K1LLb0x's Avatar
    Join Date
    Feb 2010
    Posts
    6

    How to organize a Pentesting competition

    Hi guys,

    I go to a lot of gamer LAN parties and travel up and down the country; the biggest LAN is called the XLParty and is normally done 3 times a year with an attendance group of around 10 000 visitors and 1000 participants etc.

    Ok, enough with the info. The real problem is I would love to see a pentesting contest, and wouldn't mind talking to the XLParty organization and organizing one myself during the event.

    Problem is:
    How or what event will I organize..?
    What do I need..?
    How are points given away..?

    Best regards, ev!LZz

  2. #2
    Moderator KMDave's Avatar
    Join Date
    Jan 2010
    Posts
    2,281

    Basically that's something you should have an idea about.

    We can't tell you the perfect setup since it is all about what you want to achieve and how you think it should be set up.

    What you most likely need will be a switch and at least one server for running several VMs.

    Everything else depends on the direction you want to go in.
    Tiocfaidh ár lá

  3. #3
    Senior Member
    Join Date
    Apr 2008
    Posts
    2,008

    As KMDave says, the possibilities are pretty much endless and it all depends on the scenario you want and the interest of the attendants. One pretty popular form is called capture the flag. Both teams will in this case be given a pre-compiled OS to work with, for example in the form of a VMware image, with different weaknesses and exploitable services present. The goal is then to try to break into the opposing team's OS while patching, updating and basically trying your best to keep them out of your own. There are several variations of this game as well and it is only one of many possible challenges you could set up.

    The most important part of hosting a pentesting competition, especially if you plan on doing it during this big LAN party, would be to make sure that the network used for your competition in no way interferes with or even gives access to the main network. Good luck with your idea, but I have a nagging feeling that the organizers of XLParty will not be too keen on attracting a bunch of hackers to their event.
    -Monkeys are like nature's humans.

  4. #4

    Originally posted by eviLZz:
    What do I need..?
    How are points given away..?

    Best regards, ev!LZz

    If you google for "CTF" or "capture the flag" or similar terms, you will find several sites that have run capture the flag competitions that also have their contest images available for download (vm images) and also the source code of their score bots that you can modify and use for the contests.

    In general terms, points are given (or taken) for the successful exploitation of targeted hosts, and/or for successfully continuing to run specific services on your own hosts such as web, mail, ftp etc. (the game coordinators usually specify what services need to be up and running all the time).

    Remember, in a standard CTF, your team is defending your images and services while trying to attack the other team's images and services.

    Good Luck with this...
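
The scoring scheme described in the post above (points for exploiting targets, points for keeping required services up), sketched as an added example that is not part of the thread or taken from any real score bot. The point weights, flag format, flag lifetime and all names are assumptions.

```python
import hashlib
import hmac
from collections import defaultdict

SECRET = b"constructed-demo-key"      # organizer-only key (constructed value)
SERVICES = ("web", "mail", "ftp")     # services named in the post
UPTIME_POINTS, CAPTURE_POINTS, LOSS_PENALTY = 1, 5, 2   # assumed weights
FLAG_LIFETIME = 2                     # rounds a flag stays valid (assumed)


def make_flag(team, service, rnd):
    """Flag the organizers plant on `team`'s `service` in round `rnd`."""
    msg = f"{team}|{service}|{rnd}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:32]


class ScoreBoard:
    def __init__(self, teams):
        self.teams = list(teams)
        self.scores = defaultdict(int)
        self.seen = set()             # (attacker, flag) pairs already paid

    def record_uptime(self, team, service, is_up):
        """Defence points: a required service answered the round's check."""
        if service in SERVICES and is_up:
            self.scores[team] += UPTIME_POINTS

    def submit(self, attacker, flag, current_round):
        """Attack points: verify a submitted flag and return a verdict."""
        if (attacker, flag) in self.seen:
            return "duplicate"
        first = max(1, current_round - FLAG_LIFETIME + 1)
        for victim in self.teams:
            for service in SERVICES:
                for rnd in range(first, current_round + 1):
                    expected = make_flag(victim, service, rnd)
                    # constant-time compare so the checker leaks no prefix info
                    if hmac.compare_digest(expected.encode(), flag.encode()):
                        if victim == attacker:
                            return "own flag"   # no points for your own box
                        self.seen.add((attacker, flag))
                        self.scores[attacker] += CAPTURE_POINTS
                        self.scores[victim] -= LOSS_PENALTY
                        return "accepted"
        return "invalid or expired"
```

Because flags are derived from a key only the organizers hold, teams cannot forge them, and binding each flag to a team, service and round lets the board reject replays, self-submissions and stale flags.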

  5. #5
    Member
    Join Date
    Apr 2007
    Posts
    155

    I have participated in something like this. It's called Collegiate Cyber Defense Competition (CCDC) and a few schools around the nation compete in it and it's a very cool competition!

    It usually happens in the spring and colleges from around the nation compete in semi finals for their region, and the last contest consisted of a room with 8 PCs on a network we knew nothing about. You and your team go in and assess the network, what services are running and what vulnerabilities might exist. During this whole competition you have a "boss" who comes in from time to time to give you business objectives, as well as you having to maintain a secure network while government hackers (real people at the competition) are trying to gain root access to your machines and ultimately your network. It's an intense weekend of 12 hr days with a break for lunch and dinner and you start right after breakfast. It's a HUGE learning experience on how to function as a team, be good network admins, and it's all about defense. So knowing how to attack is good, so you know how to defend.
    This is a hackers forum :P
    root ~# aircrack-ng pwnd-01.cap
    Lenovo Thinkpad R500, OS: Ubuntu 8.10, BackTrack3, Windows XP (VirtualBox), Windows Vista, Windows 7 beta
