OSINT: Do I have to Capture The Flag (CTF)? Pt 1.

Steve Pye
10 min read · May 6, 2022


Maybe I'll plant one instead! — make your own CTF

I mentioned standing up a simple CTF for OSINT training and someone agreed they’d like to see how to do it.

So here it is.

Capture the flag exercises can be a great way to train team members in a new discipline. They are fun (well I find them kind of fun, they may not be for everyone), have elements of gamification and also allow for the practical application of skills.

Standing up a simple OSINT/Social Engineering (SE) CTF for your teams can be a cheap way to engage members, and you can reuse the tools and ideas from the setup in other areas of interest, like email honeypots and canary tokens (which hopefully someone will ask me to write about, and I'll do just that... hint hint :) )

[Image: a simple flag lying on wood. Photo by Andrew Neel on Unsplash]

When creating the CTF it’s important to work out two things:

  1. What is it you intend to mimic
  2. Who is your audience

We don’t want to use overly technical challenges if the audience is just starting out. So make sure your goal and the obstructions in its path reflect what you have taught or hope to teach the users who will take part in your CTF.

Make sure you create a situation that mimics an activity you wish to emulate in real life.

If you want to teach people about SE lures that can be gained by performing reconnaissance on an individual then don't create a fake company for your CTF. Equally, if you want users to understand how a company is exposed via OSINT then you likely won't be creating social media profiles.

For the sake of this we’ll focus on creating a social engineering capture the flag targeting an individual.

1: (Mimic) An individual

2: (Audience) Users that are new to OSINT gathering/reconnaissance/social engineering

TL;DR: If you just want the how and not the why then skip to the last section or Part 2 :)

What to mimic and why

I’d recommend starting with a simple hypothesis or statement as to what you want to gain from running your CTF exercise.

This will help you scope the amount of effort you are going to put into creating your challenge.

Examples:

We aim to create a CTF to measure the success of our recent OSINT and Social Engineering training

or

We want to demonstrate how seemingly inconsequential data can be used to craft targeted attacks against individuals

In both instances we will need to mimic a human: an online persona with enough detail to allow users to demonstrate their training, or to find information that can be crafted into a targeted lure.

[Image: two overlapping shapes that vaguely resemble the silhouette of a human face. Photo by Pawel Czerwinski on Unsplash]

Our mimic does not have to be perfect. It just needs to be close enough to serve your purpose.

Crafting an entire persona might be fun to do and can help when fleshing out your CTF target but will it provide actionable content or be used in the CTF itself? If the answer is no, then don’t waste time on it.

If you want to demonstrate to your employees the danger of sharing too much information — then make sure your mimic has something that could be used against them in an attack.

If you are demonstrating the value of the training you have undertaken make sure you include something that will allow users to make use of the skills they’ve just learnt. Think about adding something a Google dork might pick up or some bit of metadata they can scrape or make sure you include a post on a profile that gives them a thread to pull (usernames, unusual strings, alternate e-mail addresses etc).

With this in mind it is worthwhile establishing what exactly your flag is going to be.

If the desired outcome is more SE then I'd suggest asking users to craft a phishing email targeting the mimic. Then review which ones appear plausible.

Alternately the flag could be the creation of a phishing awareness profile i.e. what you would recommend to the individual they need to change to become less of a target.

A more targeted flag might be a specific piece of information you require your team to gather. What is the target's main job? Do they have any other sources of income? Are they breaking the law in some manner? Are they committing a moral infraction and, if so, what (cheating, posting unsavoury content, etc.)?

Establishing the thing you want to mimic, in this case an individual, and what you require from your CTF will help you craft the necessary bits and bobs to put it together. Write these down on a simple summary sheet and refer back to it when creating your content to make sure you stay on track when creating your mimic.

Note: If you are targeting a company the same principles are true. Work out what information and techniques you wish your audience to gather and demonstrate and craft accordingly.

Too technical for me!

As mentioned in my OSINT post, the beauty of these skills is how approachable they are.

The skills we rely on when starting out collecting OSINT can be picked up quite quickly, or we already have them, even if the mindset to gather the real gems takes a while.

The same is true of setting up a CTF to introduce people to these skills.

There shouldn’t be anything too technical that is required of you when making this, just a bit of time and a cunning mind. Equally so we don’t want to create a technical challenge making use of capabilities our team hasn’t learnt yet.

It’s easy to go down the rabbit hole of possibilities and create a super complex puzzle. But ultimately we are trying to create these things to be solved and bring some value to the participants.

[Image: glowing sign reading "Down the rabbit hole". Photo by Meghan Hessler on Unsplash]

If you’ve ever played a point and click game where it feels more like you are trying to guess what the developer was thinking than actually solve a logical puzzle then that’s the kind of thing we want to avoid here.

Leave trails for participants. If you’ve shown them a tool that identifies which websites a username is used on then make sure that the username is used on a few of those websites.

But more importantly — make sure you give them some way of identifying that username in the first place!

This can be done by leaving it in a post or an email, or you could provide the users with a cheat sheet to get them started.

Documenting what you want the CTF user to find, and giving them a few hints about the target, is a useful way to kick off the CTF. It is also useful if you want to reuse it further down the line, as you'll have the collateral good to go.

It’s worthwhile documenting the paths you lay as well.

[Image: a path continuing into the distance with no visible end. Photo by Nevels Media on Unsplash]

If we can’t remember how we are supposed to lead our users to the information we wish them to find then we won’t be able to help them if they get stuck.

You can map this in your favourite mapping tool. Excel is simple enough, but you could use something cool like Maltego CaseFile; you could also use the same tool to have your analysts record their hunting and SE profile creation if you wished.

Record things like usernames, pseudonyms, job roles, addresses, emails, passwords and anything else you think your users might find. Add notes for yourself on how each can be found: the website you've put the information on, the names of documents that contain key info, and so on.

This might sound complex, and you can forego this part if you want, but a few columns in a spreadsheet or a table in a doc can save you quite a bit of time should you come back to the CTF or if you aren’t the one delivering it.
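The summary sheet and trail map described above, as an added example that is not part of the original post: a Python answer key for the Ophelia Bardem-Jones course that records each artifact, where it was planted and which earlier artifact leads to it, derives a consistent family of handles from the name (the username thread participants are meant to pull), and checks that every artifact, and in particular the flag, can be reached from the starter cheat sheet. All sites, documents, handles and the job role are constructed sample data; nothing here refers to a real account.

```python
"""Breadcrumb map and answer key for a small OSINT CTF.

Added example, not code from the original post. It models the "summary sheet"
the article recommends: every artifact a participant can find, where you
planted it, and which earlier artifact leads to it. Two checks then catch the
two ways a course goes wrong: a dead end (an artifact nothing points at, so
players end up guessing) and a typo in the trail (a reference to an artifact
that is not in the key).

All values below are constructed sample data for the mimic Ophelia
Bardem-Jones; the sites, documents and handles are hypothetical.
"""
from dataclasses import dataclass, field
import csv
import io

START = "START"  # the starter cheat sheet handed to participants


@dataclass
class Artifact:
    value: str                 # what the participant actually finds
    kind: str                  # username, email, job role, document ...
    planted_at: str            # where you put it
    found_via: list = field(default_factory=list)  # ids of artifacts (or START) that lead here
    note: str = ""             # how it is found: tool, dork, metadata field
    flag: bool = False         # True for the thing the CTF is actually asking for


def derive_handles(first: str, surname: str) -> list:
    """Build a small, consistent family of handles from the mimic's name.

    Reusing one handle family across the sites you register is what lets a
    username-enumeration tool (the kind taught in training) pay off.
    """
    parts = [p.lower() for p in surname.replace("-", " ").split()]
    compact = "".join(parts)
    initials = "".join(p[0] for p in parts)
    f = first.lower()
    return [f"{f}{compact}", f"{f[0]}{compact}", f"{f}.{initials}", f"{f}_{compact}"]


def build_answer_key() -> dict:
    """The breadcrumb map for this example course (constructed data)."""
    h = derive_handles("Ophelia", "Bardem-Jones")  # h[0] == "opheliabardemjones"
    email = f"{h[2]}@example.com"                    # ophelia.bj@example.com
    return {
        "name": Artifact("Ophelia Bardem-Jones", "name", "starter cheat sheet", [START]),
        "blog_handle": Artifact(h[0], "username", "author line on the blog", ["name"],
                                "search the full name in quotes"),
        "photo_handle": Artifact(h[0], "username", "photo-sharing profile", ["blog_handle"],
                                 "run the handle through a username enumeration tool"),
        "email": Artifact(email, "email", "blog contact page", ["blog_handle"]),
        "job": Artifact("Senior pharmacist", "job role", "CV.docx linked from the contact page",
                        ["email"], "document author metadata matches the email", flag=True),
        # Planted but never pointed at: exactly the dead end the checks should catch.
        "gaming_alias": Artifact("ophie_bj_gamer", "username", "gaming forum", [],
                                 "nothing in the course leads here yet"),
    }


def unreachable(key: dict) -> list:
    """Ids of artifacts with no trail back to START (dead ends)."""
    reached, frontier = set(), [START]
    while frontier:
        cur = frontier.pop()
        for aid, art in key.items():
            if aid not in reached and cur in art.found_via:
                reached.add(aid)
                frontier.append(aid)
    return sorted(aid for aid in key if aid not in reached)


def dangling_references(key: dict) -> list:
    """found_via entries that name an artifact missing from the key (typos)."""
    return sorted({ref for art in key.values() for ref in art.found_via
                   if ref != START and ref not in key})


def flags_reachable(key: dict) -> bool:
    """The one question that matters before you run the CTF."""
    dead = set(unreachable(key))
    return all(aid not in dead for aid, art in key.items() if art.flag)


def to_csv(key: dict) -> str:
    """The spreadsheet version, for whoever delivers the CTF next time."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["id", "value", "kind", "planted_at", "found_via", "note", "flag"])
    for aid, a in key.items():
        w.writerow([aid, a.value, a.kind, a.planted_at, ";".join(a.found_via), a.note, a.flag])
    return buf.getvalue()


if __name__ == "__main__":
    key = build_answer_key()
    print("dead ends:", unreachable(key))           # ['gaming_alias']
    print("dangling:", dangling_references(key))    # []
    print("flag reachable:", flags_reachable(key))  # True
    print(to_csv(key))
```

Run it before you hand out the cheat sheet: a non-empty dead-end list means participants would have to guess, which is the point-and-click frustration described above, while a dangling reference means a typo in the key itself rather than in the course. The CSV is the spreadsheet version for whoever delivers the CTF next.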

So we have an idea of what we want to do (Mimic), we know what goal we are going to capture (Hypothesis/Statement) and the level we should pitch the content at (Audience).

Time to crack on with the making.

Place the flag — make the course

If you skipped to this part you should have a good idea as to why you want to make your CTF.

In this example we’ll go through some of the resources and ideas behind creating a CTF that mimics an individual and we want our target audience to make use of some simple OSINT skills whilst finding out what the target does for a living.

Disclaimer: If you are going to use any tools/websites/resources you may want to check what terms and conditions they put on you about re-use etc. I'm just using some examples here; it's up to you which sites you end up using if you decide to make your own CTF.

First up — create our mimic

Time for a bit of creative licence.

Create an individual that has a unique name that really stands out. This will help your users avoid false positives.

Think of unusual or antiquated names for your region and consider things like double-barrelled surnames to help make them stand out a bit more.

Name: Ophelia Bardem-Jones

If you struggle coming up with a name maybe hit up Shakespeare's characters or Google names from the 1900’s or something.

Next up we want to flesh out our character a little bit so we are going to need a few key things.

  1. A profile picture
  2. User information

A profile picture is easy enough to come by on a stock site, but that can lead to false positives: a reverse image search on a stock photo will turn up every other site using the same image, and a sharp participant will spot that your mimic is a stock model.

I'd recommend instead generating a face with one of the AI face-generator sites.

Give one a whirl: just refresh the page to see tons of fake people who have never existed.

[Image: AI-generated portrait of a person with long hair and glasses; this person does not exist]
Our mimic: Ophelia Bardem-Jones

Cool, so we’ve got a name, we’ve got a profile pic. Now for some fake data.

We could make all this up ourselves, coming up with email addresses, places of residence etc. But luckily the internet has us covered here as well.

You can use sites like this one below.

Fake Name Generator is boss for spinning up fake profiles. Just select a few fields and then cherry-pick what you want from the data returned.

[Image: an example persona and its associated data from Fake Name Generator]
Re-use the data for Ophelia

In this instance we'd forgo the supplied name and just keep some of the key fields like the address (choose what makes sense for your scenario). You could take the email address as well; Fake Name Generator will actually stand up a mailbox for your fake profile at the click of a button. But we are going to create our own for this, so that we control it.

Awesome, we've got our name, some data and a fake profile picture. Time to start fleshing out the CTF paths.

Next up — bring our mimic to life

We are going to Frankenstein an online persona together.

Remember, this doesn't have to be all-singing, all-dancing with a family tree tracing back to Charlemagne. We just need to add enough content to give a sense of reality and drop in the key elements that we need.

[Image: drawing of Frankenstein's monster. Photo by freestocks on Unsplash]

The only investment needed for this entire thing is roughly £5.

Buy yourself a cheap SIM card, unless you are happy supplying your own number for verification of your mimic, and chuck it in an old phone.

We are going to use whatever number you’ve got when we register accounts. Use the SIM, get your number then any time a site requires verification just grab the text. Once you are done with it feel free to throw it away. Or keep it for signing up for things in the future when you don’t trust them with your real number.

In the UK you can pick up SIMs without registering them from supermarkets like Asda or from shops selling Lebara products. Walmart (Asda's former owner) sells prepaid SIMs in America, so you can likely find something similar there. Check around for your country: many countries require ID to register a prepaid SIM, and where that is the case the number is tied to you rather than to the persona.

There are websites that'll give you fake numbers you can use but these are dubious at best in my experience, use them with caution. They tend to be largely ineffective. The numbers are shared and their inboxes are public, so anyone can read your verification codes (and use them to register or recover the same account), and most sites block them anyway.

So we now have our mimic ready. And we have a mobile phone we don’t care about that can receive verification texts.

In Part 2 we’ll cover what to do with these, where to use them and how to create some data for your users to find.

It can actually be quite fun building out these personalities for using in CTF and training exercises.

You can always reuse the persona in other situations, for example as a canary account, or as a fake profile if you are looking to engage with the less salubrious parts of the internet like the DARK WEB!! or hacking forums! ooohhh scary! Just don't use the same persona for both: once your whole team has picked it apart in a CTF it is no longer a quiet canary, and anything tied to it in a real engagement can be linked back to the exercise.

Give it a go until you create a persona that you think will be good for your needs and check out Part 2 for examples of how you can make use of it in your CTF.


Steve Pye

Interested in OSINT, Social Engineering, Security automation and currently working in the Cyber Security industry.