
Red Team Methodology - A Naked Look


DerbyCon 9
Jason Lang
Twitter: @curi0usJack


About
○ Jason Lang
○ Sr Security Consultant at TrustedSec
○ Red team, trolling, shenanigans
○ Twitter: @curi0usJack
○ Hobbies: woodworking, beekeeping

Goals
○ To give you an unrestricted look at one red teamer's (consultant) methodology, including core principles.
○ To foster learning by example (and failure)
○ To drop some handy stuff. :-)

Red Team Target Maturity
Assessment type (increasing maturity):
○ Vuln scan
○ External pentest
○ Internal pentest
○ Purple Team(s)
○ Red team / ATT&CK
○ Non-scoped long term / AdSims
Defensive capability (increasing maturity):
○ Patch Management
○ Network Controls / Admin Rights
○ Configured Endpoint / EDRs
○ Centralized Logging
○ Finely tuned Alerting and Response
○ Threat Hunting
Thanks @Contra_BlueTeam!

Red Team Key Difference
Ability to slow your roll

Why this talk? I'm already a pro
Because of the 10-20%

Talk Agenda
○ Pre-gig: Initial steps, OSINT, & Recon
○ External: Required Reading
○ SE: Tips to keep you getting shellz
○ Internal: Staying Stealthy
○ Reporting: Lorem ipsum dolor sit ugh, Microsoft Word

My Red Team Core Principles
○ Adversary simulation, not emulation.
○ Goal is specific data, trophy systems, or apps. Not DA (unless DA is a trophy, which it shouldn't be).
○ Emphasize stealth over speed.
○ Active defense should be encouraged, to a point. Goal isn't to "win" (either red or blue).
○ Scope should be as open as possible, including physical.
○ There should always be a "tip your hand" moment.

PRE-GIG aka PRE-FUN

Core Principles: Pre-Gig
○ Steer client towards as open a scope as possible.
○ Clearly define what *can* be done vs what *will* be done.
○ Set an assumed breach target date.
○ Ask for their user password policy, specifically: Lockout Threshold, Lockout Duration, Lockout Observation Window.

Question: When does a red team engagement start?
Answer: The minute you get the assignment email.

LinkedIn - It's The Best
○ You must have a recon account by now
○ Set a repeating task to add connections
○ Easy to scrape

LinkedIn - Build It Fast
1. Build a decent profile. Be thorough. Be sure to add colleges/organization.
2. Click "My Network"
3. Scroll way down to fill the page
4. Run in Browser dev tools:
   $("[data-control-name*='invite']").each(function(index) { $(this).trigger('click'); })
Thanks @mandreko & @Glitch1101!

Domains
○ Aged for months ahead of time
○ Reusable if possible.
○ is not ok. is.
○ Careful though, Cert transparency logs….
○ C2 & Phish domains never overlap!
○ Submit domains with PA, BlueCoat, Checkpoint, McAfee
○ Magic categories: Health, Financial, Government

Domains
1. Determine the sensitive traffic that must not be decrypted: Best practice dictates that you decrypt all traffic except that in sensitive categories, such as Health, Finance, Government, Military and Shopping.
(Palo Alto SSL Decryption Best Practices)

Passive Recon - How I Do It
○ hardcidr to get external ranges
○ amass with shodan/censys keys (wait for Black Friday)
○ for cert transparency (
○ Metadata searching with pymeta
○ Github searching with trufflehog, reposcanner, Google
○ Authenticated LinkedIn scraping for contacts (LinkedInt by @vysecurity)
○ Dorks for everything else
Tool names in red. All on Github

Favorite Dorks
○ DOMAIN.COM ( | |
○ DOMAIN.COM ( | | | |
○ "CLIENT NAME" (intitle:"Service Desk" | intitle:"Desktop Support" | intitle:"Security Engineer" | intitle:"Help Desk")

Breach Data
○ Treasure trove of info:
  ○ Email format
  ○ Password format
  ○ New user passwords (group by count)?
○ Good place to start:
  ○

EXTERNAL aka "Find $Microsoft"

Core Principles: External
○ Brute AD from external, and always through a VPN.
○ Do your due diligence, but web app testing usually isn't the focus (and quite possibly outside your discipline/expertise).
○ Make liberal use of credential stuffing. It works.

Active Recon - How I Do It
★ aquatone for website screen grabs
★ dirsearch for HTTP dir-bruting
★ nmap for top port tcp/udp sweeps
  ‣ Proxies may require full TCP connect (-sT)
  ‣ nmap default UA: Mozilla/5.0 (compatible; Nmap Scripting Engine);
Tool names in red. Blue Stars == Proxy/VPN

Because gimme the dataz…
Code:

NTLM Bruting
○ Obvious Sources:
  ○ Office 365
  ○ Exchange EWS
  ○ Skype/Lync
  ○ Check
○ Less Obvious - ADFS. Troopers 19
  ○ /adfs/services/trust/2005/windowstransport
  ○ /adfs/services/trust/13/windowstransport
🔥 Still hawt 🔥

SE aka "Find Bob"

Core Principles: SE
○ Phishing:
  ○ 5 addresses max at a time, all bcc'd, with 15 mins between sends. Send from O365.
  ○ Links, not attachments.
  ○ Never a worry from Proofpoint.
○ Lead off with your latest tradecraft and downgrade as you get a feel for the environment. Don't abuse your TTPs.
○ Eventually pivot to assumed breach (about 50% of the way through)

Infr. Automation with Ansible
○ Ansible is an open source platform that automates software provisioning, config mgmt & app deployment
○ It uses YAML files (.yml) to express groups of commands called tasks.
○ All tasks are executed on a target server using SSH + Python. No agents required!
○ Modules make up the bulk of functionality, allowing a variety of tasks like copying files, service management, etc

Ansible - Tasks
Ansible - Modules
Ansible - Arguments
Ansible - Playbooks
Thanks Marcello!

Macros/Attachments
○ Payloads
  ○ Safe: Modified cactus torch (js + eval() = ftw)
  ○ Safer: regkey mods only
○ VBA Stomping / EvilClippy
  ○
○ Template Injection
  ○

Template Injection

Azure Information Protection (AIP)
○ Leverages O365's RMS to encrypt Office documents to *specific recipients*
○ Impossible for defenders/sandboxes to evaluate the attachment without the user's credentials. muahaha
○ Does not require your target to have O365

Azure Information Protection (AIP)
Full guide here: phishing-leveraging-azure-information-protection/
DerbyCon 9 Talk:
Thanks @Oddvarmoe & @jarsnah12!

INTERNAL aka "Find Sharepoint"

Core Principles: Internal
○ Prioritize: cookies, bookmarks, file shares, SharePoint.
○ Kerberoast single users only, no less than one hour apart (at minimum). Research beforehand.
○ Initial landing callback of 5-30 minutes, depending on engagement time & sophistication of defenses.
○ Test all commands in your lab before firing live. Duplicate defenses if possible.

Lab Environment
○ Internal lab is *required*
○ MSDN license
○ Splunk dev license
○ Used Dell R710 (ebay, ~$500)
○ Full AD forest
○ Sysmon/Defender -> Splunk
○ Splunk ThreatHunting App by @olafhartong

Tools/Tactics ((*) == heavily modified)
○ What I almost never use:
  ○ CrackMapExec, internal bruting, PowerSploit
○ What I sometimes use:
  ○ Bloodhound, MSF aux mods, mimikatz*, Cobalt Strike*
○ What I always use:
  ○ proxychains, SOCKS, impacket*, ldapsearch, kerberos manipulation, /*.*

Thanks vim!

index=windows EventCode=4688
  `comment("impacket/ commands")`
  (Process_Command_Line=** AND (Process_Command_Line="*ADMIN$*" OR Process_Command_Line="*C$*"))
  `comment("impacket/ commands")`
  OR (Process_Command_Line="*execute.bat*" AND Process_Command_Line="*Temp__output*")
  `comment("impacket/")`
  OR (Creator_Process_Name="*services.exe" AND New_Process_Name="*svchost.exe" AND Process_Command_Line="*RemoteRegistry")
  `comment("impacket/")`
  OR (Process_Command_Line="cmd*C:WindowsTemp*.tmp 2>&1")
| table _time host Process_Command_Line
| sort _time desc

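The same four-rule hunt as a standalone Python check over constructed 4688 records, added here as an example (it is not code from the talk). It assumes the field names used in the Splunk query and restores the path backslashes (C:\Windows\Temp\, Temp\__output) that the slide extraction dropped; the sample events are made up.

```python
from fnmatch import fnmatchcase

def like(value, pattern):
    # Splunk-style wildcard match: case-insensitive, '*' matches any run of characters.
    return fnmatchcase(value.lower(), pattern.lower())

def cmdline(event):
    return event.get("Process_Command_Line", "")

# The four rules from the slide's query. Backslashes in the paths are an assumption,
# since the slide extraction dropped them.
RULES = {
    "admin_share_in_cmdline": lambda e: like(cmdline(e), "*ADMIN$*") or like(cmdline(e), "*C$*"),
    "execute_bat_with___output": lambda e: like(cmdline(e), "*execute.bat*")
    and like(cmdline(e), r"*Temp\__output*"),
    "services_spawns_remoteregistry_svchost": lambda e: (
        like(e.get("Creator_Process_Name", ""), "*services.exe")
        and like(e.get("New_Process_Name", ""), "*svchost.exe")
        and like(cmdline(e), "*RemoteRegistry")),
    "cmd_tmp_redirect": lambda e: like(cmdline(e), r"cmd*C:\Windows\Temp\*.tmp 2>&1"),
}

def hunt(events):
    # Like the query's `table _time host Process_Command_Line | sort _time desc`:
    # keep only events that trip a rule, newest first, with the rule names attached.
    hits = [(e["_time"], e["host"], cmdline(e), [n for n, t in RULES.items() if t(e)])
            for e in events]
    return sorted([h for h in hits if h[3]], key=lambda h: h[0], reverse=True)

def ev(t, creator, new, cmd):
    # Constructed 4688 record using the field names the query expects.
    return {"_time": t, "host": "WS01", "Creator_Process_Name": creator,
            "New_Process_Name": new, "Process_Command_Line": cmd}

SVC = r"C:\Windows\System32\services.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"
CMD = r"C:\Windows\System32\cmd.exe"
# Constructed sample events (not real logs): one per rule plus one benign svchost start.
SAMPLE_EVENTS = [
    ev("2019-09-06T10:00:01Z", SVC, SVCHOST, SVCHOST + " -k localService -s RemoteRegistry"),
    ev("2019-09-06T10:00:05Z", SVC, CMD,
       CMD + r" /Q /c C:\Windows\Temp\execute.bat > C:\Windows\Temp\__output 2>&1"),
    ev("2019-09-06T10:00:09Z", r"C:\Windows\explorer.exe", CMD, CMD + r" /c net use Z: \\FS01\C$"),
    ev("2019-09-06T10:00:13Z", r"C:\Windows\System32\wbem\WmiPrvSE.exe", CMD,
       r"cmd.exe /C whoami > C:\Windows\Temp\a1b2c3.tmp 2>&1"),
    ev("2019-09-06T10:00:17Z", SVC, SVCHOST, SVCHOST + " -k netsvcs -p"),
]
if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Note that the admin-share rule also fires on the ordinary `net use ... \C$` event, so this is a hunting query to triage and tune, not an alert as written.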
Lowpriv - Chrome
○ mimikatz dpapi::chrome /in:%localappdata%googlechromeUser DataDefault(Cookies | Login Data)

Lowpriv - Chrome
○ If you don't want to fire mimikatz in the target's memory:
  ○ Save off the Cookies/Login Data files
  ○ Acquire the user's password
  ○ Follow steps here for decrypting user DPAPI keys to then decrypt Chrome files
  ○ offensive-user-dpapi-abuse/

Persistence & Movement
○ inurl:blog intitle:beyond HKCU
○ COM/DLL Hijacking
  ○ Procmon is your best friend
  ○ Use a COM Proxy so you don't fubar the target (Thanks @leoloobeek!)
○ Blend. In.

Blending In

DLL Hijacking

COM Hijacking
Thanks @enigma0x3 @bohops!

Hooray free Windows!

REPORTING aka "Find Bourbon"

Core Principles: Communication/Reporting
○ Status Updates: Use "selective caution" when sharing.
○ Full walkthrough/narrative must be included in the report!
○ Findings: Fewer in number, better in quality. No SSL v2 nonsense unless you actually did something with it.
○ Consultants: Offer multiple follow up calls with the defense team. These are *the best*.

Thank you DerbyCon!!