Security Challenges and Games

Published: 2006-09-22
Last Updated: 2006-09-22 20:06:27 UTC
by Ed Skoudis (Version: 2)
0 comment(s)
I'm a big fan of using challenges and games as learning tools, especially in the information security world.  One of the most common of these types of challenges, of course, is a Capture the Flag (CtF) game.  In May 2005, I posted a diary requesting readers to send in links to hacking and security challenges that they had actually played and learned from.  We got a good set of results, but many of those sites have gone down.  In the SANS class I teach, a good list of hacking challenges is one of the most commonly asked questions.

Speaking of that, I once had an attendee in my SANS class that did great throughout the first five days of class.  But, on the last day, he didn't want to play the CtF game that we had been building up to for the whole week.  When I asked him why he wouldn't play, he said, "I don't play games."  He seemed to imply that games were beneath him.  I found that to be very sad... Well-constructed games can help us learn, and have fun at the same time.  I build capture the flag game challenges for the neighborhood kids that they play around my house with my own children.  These games include computer challenges, audio quizzes, simple ciphers (that an 8-year old can crack), video puzzles, and so on.  They are a lot of fun.

So, I'd like to renew my request.  Have you seen and actually played any publicly available (i.e., on the web) security/hacking challenges?  Please submit only ones that you've played and found useful, interesting, or at least fun.

I'll get the ball rolling by mentioning these, and I'll add to the list as I get recommendations from you all day:

- The Defcon CtF Prequalification Challenges from this year, created by Kenshoto.  The folks from 1@stplace, this year's Defcon CtF winning team (congrats, guys... GREAT WORK!), compiled these challenges and posted them on the 'net.  Note that the target servers are off-line, but all of the fantastic file-based challenges are available at this site.  This set of challenges is really wonderful, especially with the mix of technologies brought to bear, and the different mindsets needed to play in the diverse categories.
- Skillz challenges, hosted at  I write these, along with my buddies Mike Poor and Tom Liston.  The latest, Netcat in the Hat, was created by Tom, and you can still enter to win a prize.
- My archive of movie and TV themed challenges (17 in all) on my website.

Reader Aaron mentioned the very nifty project Webgoat from OWASP.  I really like this one a lot.  It provides a simulated e-commerce application that you download and install on your own machine.  Then, you get to attack it, using techniques such as SQL injection, weak session cookies, Cross Site Scripting, etc.  It's a _great_ learning tool for people mastering the art of web app penetration testing.  Thanks, Aaron!

An anonymous reader points us to, where several challenges are available at different skill levels.

PJ mentioned and  Both are classics in this genre, worthy of your attention.

Reader Peter mentions the, which has a very large collection of hacking challenges and sort-of "real-world" scenarios.   Peter cautions, though, "However be warned and stay on the beaten track as you would not want to be firing malicious payload at a 'challenge' site that is redirecting to a .gov site!"  That's good advice.  Always, always, always double check your targets before firing in any such activities, whether hacker challenges or full-blown professional penetration tests!  Also, note that some people may find some of their stuff offensive.  You have been warned!

Beau pointed us to a fabulous collection of games and challenges that the Foundstone guys have pulled together here

Diligent reader Tyler points our our very own Pedro Bueno's malware analysis challenges, which are really fun and well thought-out.  Read them here.

Tyler also mentioned the Honeynet Project's scan of the month challenges.  Reader Brian points out that one of their very best challenges was the Forensics Challenge.   Truly a classic!

Although I was focusing on web-based challenges, several folks have written in with some live challenges that have tickled their fancy at hacker conferences or other venues.  

Chris Compton, a great friend and very bright guy, mentions: "While I'd certainly agree with the merits of web-based games, I also think there's something unique that can be learned from the highly charged, collaborative, competitive environment of in-person games.  I find I not only get good practice, but I also get to shoulder-surf my way to a better understanding of what some of the best 'competitors' are doing these days, and how they're approaching different problems.

Now, inevitably I'm going to plug Hack-or-Halo at Shmoocon as a good event for all skill levels... but I would also encourage the ISC readership to make an effort to attend and play at any or all of these such events/games." 

Well said, Chris.  These can be very worthwhile games.  A list of a few live, hands-on games was compiled by our reader Ronaldo, who mentions:

"Welcome to the DEF CON 13 WarDriving Contest

The 2005 UCSB International Capture The Flag (Giovanni Vigna)


ToorCon 8 - RootWars"

Ronaldo also mentioned OpenInfreno - An Open Source Root War Engine  This is a very cool engine on which to build CtF games.  Nice work, gents!

Dr. Neal Krawetz mentioned the DoD DC3 challenge here.  Although you have to apply to play (which is more than merely registering), this challenge looks quite good.   Dr. Neal says, "Calling DC3 a 'challenge' is an understatement.  Even if you know the solutions to some of the puzzles, it is not easy."  That's for sure, but it is impressive.

--Ed Skoudis
0 comment(s)


Diary Archives