Security is Everyone's Job

Red Team Operations

A cybersecurity red team is a group of ethical hackers who simulate real-world cyberattacks against an organization’s systems and defenses.

The goal of a red team is to test the organization’s defenses and identify any weaknesses or vulnerabilities that a real attacker could exploit.

Conducts reconnaissance to gather information about the target organization, such as its network architecture, security policies, employees, and business operations.

Typically, Red Team performs these acitivties

Information gathering phase: In this first phase, the red team member uses active reconnaissance to learn information about the target organization, such as its staff, facilities, network architecture, security controls, and potential entry points

Attack planning and execution phase: Next, the red team member works together with other team members to plan out potential attack paths, based on the information gathered in the previous phase. The red team member then executes the attack, using various techniques and tools to bypass security defenses, gain access to sensitive data, and achieve the objectives of the engagement

Reporting and remediation phase: The last step is the red team assessment, where the red team member documents the findings and recommendations from the attack, and presents them to the target organization. The red team member also helps the target organization to remediate the vulnerabilities and improve its security posture

The basic steps to offensive hacking

Reconnaissance: This is the phase where the hacker gathers information about the target system, network, organization, or individual, using both passive and active techniques. The goal is to identify the scope, assets, vulnerabilities, and potential attack vectors of the target

Scanning: This is the phase where the hacker performs more detailed and technical analysis of the target, using various tools and methods to scan for open ports, services, protocols, configurations, and vulnerabilities. The goal is to map out the target’s attack surface and find exploitable weaknesses

Exploitation: This is the phase where the hacker attempts to gain access to the target, using the information and vulnerabilities discovered in the previous phases. The hacker may use various techniques and tools to exploit the target, such as brute-forcing, phishing, SQL injection, buffer overflow, etc. The goal is to compromise the target’s security and achieve the objectives of the pentest.

Post-exploitation: This is the phase where the hacker maintains and extends the access to the target, using various techniques and tools to escalate privileges, install backdoors, exfiltrate data, pivot to other systems, etc. The goal is to demonstrate the impact and severity of the breach, and to test the target’s detection and response capabilities

Reporting: This is the final phase where the hacker documents and presents the findings and recommendations from the pentest, using various formats and methods to communicate the results to the target. The hacker may also provide evidence, screenshots, proof-of-concepts, and remediation suggestions for the target. The goal is to help the target improve its security posture and prevent future attacks

The different frameworks and methodologies

The Penetration Testing Execution Standard (PTES):This framework offers guidance on all stages of the pentest, from pre- to post-test, including pre-engagement interactions, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, and reporting

The OWASP Testing Framework: This framework is based on the OWASP Testing Guide, which provides a comprehensive and consistent set of best practices for testing the security of web applications and services. The framework covers the technical aspects of the pentest, such as information gathering, configuration and deployment management testing, identity management testing, authentication testing, authorization testing, session management testing, input validation testing, error handling testing, cryptography testing, business logic testing, and client-side testing

The NIST 800-115 Technical Guide to Information Security Testing and Assessment:This guide is published by the National Institute of Standards and Technology (NIST), and provides a general framework for planning, conducting, and reporting on information security assessments, including pentests. The guide covers the review techniques, target identification and analysis techniques, target vulnerability validation techniques, security assessment analysis techniques, and security assessment reporting techniques

The PCI DSS Penetration Testing Guidance: This guidance is provided by the Payment Card Industry Security Standards Council (PCI SSC), and defines the requirements and best practices for conducting pentests on systems and networks that store, process, or transmit cardholder data. The guidance covers the penetration testing components, qualifications of a penetration tester, penetration testing methodologies, and penetration testing reporting guidelines

The Penetration Testing Framework (PTF): This framework is a Python script designed for Debian/Ubuntu/ArchLinux based distributions to create a similar and familiar distribution for pentesting. The framework automates the installation and updating of various pentesting tools, organized in a fashion that is cohesive to the PTES. The framework also provides a Metasploit-like shell interface for interacting with the tools and modules

OWASP Framework

The OWASP framework is a set of best practices and guidelines for web application security, developed by the Open Web Application Security Project (OWASP).

The OWASP framework consists of several projects, such as the OWASP Top Ten, the OWASP Testing Guide, the OWASP Cheat Sheet Series, and more

The OWASP Top Ten is considered the “gold standard” for web application security, as it represents a broad consensus about the most critical security risks to web applications.

The OWASP Top Ten 2021

Some tools of the trade

Metasploit: A penetration testing tool that helps identify and exploit vulnerabilities in IT systems. Metasploit is one of the most popular and powerful tools for Red Team members, as it provides a large collection of exploits, payloads, modules, and scripts that can be used to compromise and control target systems

Cobalt Strike: A tool for conducting post-exploitation activities and managing a Red Team operation. Cobalt Strike is a commercial tool that extends the capabilities of Metasploit, and provides features such as stealthy communication, beaconing, privilege escalation, lateral movement, persistence, and data exfiltration

Social-Engineer Toolkit (SET): A toolkit for creating and delivering social engineering attacks, such as phishing emails or phone calls. SET is a free and open-source tool that helps Red Team members to craft convincing and realistic messages and payloads that can trick target users into revealing their credentials, clicking on malicious links, or downloading malicious files

Empire: A post-exploitation tool for managing and maintaining access to a compromised system. Empire is a free and open-source tool that uses PowerShell and Python to execute commands and scripts on target systems, and provides modules for various tasks such as keylogging, screenshotting, credential dumping, and more

BloodHound: A tool for mapping and visualizing an organization’s Active Directory infrastructure to identify potential attack paths. BloodHound is a free and open-source tool that uses graph theory and neo4j to analyze the relationships and permissions between users, computers, and groups in a domain, and helps Red Team members to find the shortest and most efficient way to compromise high-value targets.

Nmap: A network scanning tool that helps identify open ports and services on target systems. Nmap is a free and open-source tool that is widely used by Red Team members to perform reconnaissance and enumeration on target networks, and to discover potential vulnerabilities and attack vectors.

Wireshark: A network protocol analyzer for capturing and analyzing network traffic. Wireshark is a free and open-source tool that helps Red Team members to monitor and inspect the packets and protocols that are exchanged between target systems, and to extract useful information such as credentials, cookies, files, and more

Aircrack-ng: A tool for testing the security of wireless networks by attempting to crack WEP or WPA keys. Aircrack-ng is a free and open-source tool that helps Red Team members to perform wireless attacks, such as sniffing, injecting, replaying, and cracking wireless packets, and to gain access to wireless networks and devices.

Responder: A tool for intercepting and stealing user credentials from a target network. Responder is a free and open-source tool that helps Red Team members to perform man-in-the-middle attacks, by spoofing and responding to various network protocols, such as LLMNR, NBT-NS, and MDNS, and capturing hashes, passwords, and tokens from target users.

Nessus: A vulnerability scanner that helps identify vulnerabilities in IT systems and applications. Nessus is a commercial tool that helps Red Team members to perform automated and comprehensive scans on target systems, and to generate detailed and actionable reports on the findings and recommendations.

Mimikatz: A tool for extracting and manipulating Windows credentials, such as passwords, hashes, tickets, and keys. Mimikatz is a powerful tool for privilege escalation and lateral movement, as it can dump, inject, and pass credentials to access other systems

Shodan: A tool for searching and exploring the Internet of Things (IoT) devices, such as webcams, routers, servers, and more. Shodan is a useful tool for reconnaissance and exploitation, as it can reveal vulnerable and misconfigured devices that can be compromised

ZAP: A tool for testing the security of web applications, such as websites, APIs, and web services. ZAP is an interactive tool that allows red team members to intercept, modify, and replay web requests and responses, and to identify and exploit web vulnerabilities, such as injection, XSS, CSRF, and more

CrackMapExec: A tool for automating the assessment and exploitation of Active Directory environments. CrackMapExec is a versatile tool that can perform various tasks, such as enumerating users, groups, shares, and sessions, executing commands and scripts, dumping hashes and credentials, and more

CursedChrome: A tool for turning a victim’s Chrome browser into a proxy server that allows the red teamer to browse the web as the victim, access their accounts, and perform actions on their behalf. CursedChrome is useful for exploiting web browser vulnerabilities and gaining access to sensitive information and applications

Sliver: A tool for generating cross-platform implant binaries that can be used to establish persistent and encrypted communication channels with target systems. Sliver is useful for post-exploitation activities, such as privilege escalation, lateral movement, file transfer, and command execution

GitHound: A tool for scraping GitHub for sensitive data, such as passwords, API keys, tokens, and secrets. GitHound is useful for reconnaissance and credential harvesting, as it can find exposed information that can be used to access target systems or applications

Stormspotter: A tool for visualizing and exploring Azure Active Directory objects and their relationships. Stormspotter is useful for mapping and analyzing an organization’s cloud infrastructure, and identifying potential attack paths and misconfigurations

DumpsterFire: A tool for creating and executing security incident scenarios, such as ransomware attacks, data breaches, denial-of-service attacks, and more. DumpsterFire is useful for testing the target’s detection and response capabilities, and creating realistic and noisy distractions

John the Ripper John the Ripper is one of the most popular and powerful tools for password security auditing and password recovery, and it is often included in many penetration testing Linux distributions, such as Kali Linux, Parrot OS, etc

True Red Team skills

Now I could list a dozen certifcates that one can get to learn the tools of the trade, but offensive hacking takes a lot more then just understanding how tools work and following frameworks and methodologies

Curiosity: Hackers are driven by a natural curiosity and a desire to learn and explore new things. They are not satisfied with the surface level of information, but want to dig deeper and understand how things work and why they work that way. They are always looking for new challenges and problems to solve, and they are not afraid to ask questions and seek answers. Curiosity is the fuel that motivates hackers to pursue their goals and passions

Creativity: Hackers are creative and innovative thinkers, who can come up with original and unconventional solutions to complex and difficult problems. They are not limited by the conventional rules and norms, but rather they think outside the box and experiment with different possibilities and approaches. They are also able to adapt and improvise when faced with unexpected situations and obstacles. Creativity is the skill that enables hackers to find and exploit vulnerabilities and opportunities that others may overlook or ignore

Intuition: Hackers have a strong intuition and a gut feeling that guides them in their decisions and actions. They are able to sense and recognize patterns and connections that may not be obvious or logical, and they can use their intuition to make quick and accurate judgments and predictions. They are also able to trust and follow their intuition, even when it goes against the common sense or the evidence. Intuition is the skill that helps hackers to discover and anticipate the hidden and unknown aspects of their targets and environments

Philosophy: Hackers have a philosophy and a set of moral values that shape their worldview and their behavior. They believe in the freedom of information and the sharing of knowledge, and they oppose any form of censorship or restriction that limits their access and expression. They also believe in the ethical and responsible use of their skills and knowledge, and they respect the rights and privacy of others. They are also aware of the social and political implications of their actions, and they strive to make a positive impact and contribution to the world. Philosophy is the skill that gives hackers a purpose and a direction for their hacking activities