Top Five Ways the Red Team breached the External Perimeter
I have been performing “red team” breach assessments for many years. Often the goal is penetrating an external network, and gaining access internally to highly classified data, critical systems or money movement platforms.
This Top 5 summarizes the most efficient tools and techniques used by red teams for the reconnaissance, discovery & exploitation phases of an engagement.
In the world of red teaming, the idiom: “one and done”, applies to red teams. One mislead, and targeted victim, can lead to a chain of attacks that can help a red team obtain a very sophisticated goal.
Open-source intelligence (OSINT) is data collected from publicly available sources to be used in an intelligence context. In the intelligence community, the term “open” refers to overt, publicly available sources (as opposed to covert or clandestine sources)
OSINT is such a vast topic that it’s almost not fair to summarize it’s content numerically. I can honestly only summarize the best data sources I’ve seen, and hopefully provide tips that have helped assessors reach their goal in the shortest time.
spiderfoot - SpiderFoot, the open source footprinting and intelligence-gathering tool.
LinkedInt: A LinkedIn scraper for reconnaissance during adversary simulation
Gathering Usernames from Google LinkedIn Results Using Burp Suite Pro - Black Hills Information…
Carrie Roberts//* As part of reconnaissance when performing a penetration test, it is often useful to gather usernames…
Internet Archive: Wayback Machine
texts All Texts latest This Just In Smithsonian Libraries FEDLINK (US) Genealogy Lincoln Collection Additional…
Censys is a platform that helps information security practitioners discover, monitor, and analyze devices that are…
Find email addresses in seconds * Hunter (Email Hunter)
Hunter is the leading solution to find and verify professional email addresses. Start using Hunter and connect with the…
Pipl — People Search
The most comprehensive people search. Pipl is the place to find the person behind the email address, social username or…
Google Hacking Database (GHDB)
The GHDB is an index of search queries (we call them dorks) used to find publicly available information, intended for…
Manually crawling social media, may provide invaluable information that can not be gathered in an automated fashion, by script or tool. On Instagram, you can find worker’s phone number on business cards. Pictures of WiFi guest passwords on white boards, and happy new hires displaying their new proximity badges. New employees proud of their first day on the job, and posting tons of useful data to social networks.
Job Search | Indeed
Job Search by Indeed. Search millions of jobs from thousands of job boards, newspapers, classifieds and company…
You can usually find a list for active or past opening via the corporation’s homepage active and archived job listings
truffleHog - Searches through git repositories for high entropy strings and secrets, digging deep into commit history
Many application developers will commit AWS credentials, or scripts with working credentials. Github and Google Dorking skills go a long way here.
Penetration Testing Amazon Web Services (AWS) - Rhino Security Labs
In our last AWS penetration testing post, we explored what a pentester could do after compromising credentials of a…
Previous Breach Data
Pastebin.com — #1 paste tool since 2002!
Pastebin.com is the number one paste tool since 2002. Pastebin is a website where you can store text online for a set…
External Facing Microsoft Communication Services
MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific…
Outlook Web App (OWA) Brute Force Utility | Rapid7
This module tests credentials on OWA 2003, 2007, 2010, 2013, and 2016 servers.
LCS, OCS, Lync, Skype for Business:
The name may change but Lync is a great tool for Microsoft Active Directory reconnaissance with buggy Office Communicator 2007 roots. It’s extremely important to understand your target’s communications infrastructure. Lync in a hosted environment, may yield an increased surface area that can help you harvest usernames, and even working credentials.
Microsoft released Office Communicator 2007 to production on 28 July 2007 and launched it on 27 October 2007. It was followed by Office Communicator 2007 R2, released on 19 March 2009
Many older and improperly hardened Microsoft services are just low hanging fruit and easy targets. If a hosted SharePoint environment is compromised, the red team can abuse SharePoint Services to gather information that can directly aid in a more sophisticated attack.
External infrastructure network mapping & Web application fingerprinting
EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default…
masscan - TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.
2. Spear Phishing
You should now have an extensive body of OSINT knowledge. Ideally you have names, ages and job descriptions of your targets. You should also have their Operating System, what version of Office, and Anti Virus make and type. Determining firewall or proxy devices prior to creation of the payload, is crucial when penetrating the perimeter.
By making a few phone calls you may be able to identify critical information about the environment that can help your spear phish be successful.
Remember you’re not conducting security training during this phish. This is a nation level phish. When you spear phish, try and use the vernacular and tone of the person you’re portraying. Make sure when emulating your false persona, that you have all the details about yourself. Know faux birth-date, SSN number and current location if applicable. If you’ve done your work by now, this should be the easy/fun part.
Secure Fake Name Creator | fakena.me
Securely generate a random fake name, address, username, password, and (usable) email address for use with online…
When sending any e-mails to your carefully, curated list of a few people, try and be as discreet as possible.
Free email accounts | Register today at mail.com
Email how it is supposed to be: ✔ Free, simple and secure ✔ Manage multiple mail accounts in one place, from any device…
Don’t EVER include any links or files when sending your first one or two spear phishes. Don’t try and emphasize urgency, or come off as aggressive. You want to write a nice realistic “note”, and quietly drop it in their inbox.
Many of Cobalt Strike’s attacks and workflows deliver a payload as multiple stages. The first stage is called a stager. The stager is a very tiny program, often written in hand-optimized assembly, that: connects to Cobalt Strike, downloads the Beacon payload (also called the stage), and executes it.
All You Need Is One - A ClickOnce Love Story
During recent email phishing assessments, NetSPI has been making use of ClickOnce applications to deploy payloads…
An HTML Application (HTA) is a Microsoft Windows program whose source code consists of HTML, Dynamic HTML, and one or more scripting languages supported by Internet Explorer, such as VBScript or JScript. The HTML is used to generate the user interface, and the scripting language is used for the program logic. An HTA executes without the constraints of the internet browser security model; in fact, it executes as a “fully trusted” application
PowerLessShell - Run PowerShell command without invoking powershell.exe
Offer a gift, when it’s time to steer the victim towards a website to fill out a survey. After the survey has been completed, send them a working gift card as an example. The payloads have to be obfuscated, “self destruct”, and ideally adapt to sandbox conditions.
All web sites used in the phishing scenarios should appear legitimate, and all files should be presented as valid documents, or applications.
Internal systems for red team need to be: Modern, secure, and to the individual’s preference.
The worst thing a red team lead can do, is dictate the need to use bad software and hardware due to policy. There may be policies that state you can only use a certain type of equipment provided by the company. If the people controlling the red team exercise are allowing policy to overcome common sense, then their true alliance is to greed and self interest.
Internal LABS Infrastructure
Ensure your Lab environments have working Active Directory, Microsoft Office and the current version of Anti Virus software. Ideally you can test your payload against products like Fire Eye or Crowd Strike in a LAB environment.
Ensuring your .docx is working, on a well implemented and secure environment for testing is a necessity when your attack surface area is locked down and well fortified.
Endpoint Protection Platform for Enterprises
Endpoint protection built to stop advanced attacks before damage and loss occurs. 0 breach tolerance. Schedule a demo…
It’s a good idea to test out your payloads with Endpoint.
Difference Between SSL Forward-Proxy and Inbound Inspection Decryption Mode
When configuring SSL decryption policy in order to define SSL traffic eligible for decryption, you have to make a…
Understanding the networks themselves, and how sophisticated or unsophisticated the systems, and software that sits on Layer 7 is paramount in succeeding.
Epilogue: What about TLS Certificate Pinning?
— — — snip — — —
Earlier, I mentioned that one way to add protection to the staging process is to authenticate the staging server. Last year, the Metasploit Framework gained an optional HTTPS stager that does this. This stager ships with the expected hash of the staging server’s SSL certificate. When the stager connects to the staging server, it checks the server’s SSL cert hash against the value it expects. If they don’t match, it doesn’t download and act on the payload. If they do, it assumes things are good. Pretty neat, right? Ignoring the chicken and the egg problem, this is a way to solve this problem for one protocol.
Occasionally, I get asked, “Raphael, why don’t you add this to Cobalt Strike?” While I think this technique is interesting, I don’t feel this is the right approach for Cobalt Strike. Here’s why:
This technique applies to only one protocol: HTTPS. The HTTPS Beacon isn’t as heavily used as other Beacon options. The HTTPS Beacon’s default self-signed certificate is likely to stick out like a sore thumb. It’s possible to bring a valid certificate into Cobalt Strike, but this is a barrier to fully benefiting from the HTTPS Beacon payload.
— — — snip — — —
Always be cognizant of any firewall or proxy that can stop your payload from “beaconing” out of a restrictive network
External Infrastructure (Internet Facing)
Designing Effective Covert Red Team Attack Infrastructure
Covert red team attack infrastructure is a topic I've covered many times before, but always only in part. I've wanted…
How to Build a C2 Infrastructure with Digital Ocean - Part 1 - Black Hills Information Security
Lee Kagan* // Deploying an offensive infrastructure for red teams and penetration tests can be repetitive and…
Expendable hosts and services need to be devoid of artifacts. All C2 components should have the ability to be easily destroyed and re-created in an automated fashion.
PoshC2 v3 with SOCKS Proxy (SharpSocks)
We've been working on quite a few changes since the release of PoshC2 v2, our public Command & Control framework, back…
Adversary Simulation and Red Team Operations Software - Cobalt Strike
Cobalt Strike is threat emulation software. Red teams and penetration testers use Cobalt Strike to demonstrate the risk…
Ensure that different payloads, and the underlying architecture can not be traced back to the same source.
Old and Aged
Websites and domains are like fine liquors that only become better with time.
Pick a bunch of domains and age them like Château Lafite Rothschild Pauillac. Think outside the box here: CND providers, financial sites, and other generic domains are perfect. Pick a few generic themes for sites and proxies. Then you can hire a freelance web designer to create a faux front web server and establish a decent degree of credibility. When it comes to domains, make sure they’re old, and categorized. The websites need depth, not just a fake superficial shell to be taken seriously.
You want your shell companies to resonate legitimacy; but lack of content or a poorly executed shell site can be worse, and end up tarnishing your brand reputability from inception.
Stealth is a mantra not a bullet point when red teaming. Every action must be calculated beforehand. Every tool must be assessed for its potential ability to cause an indicator of compromise. Every command issued to systems should be coordinated, predetermined and recorded.
Do not use common exploits that may yield results but generate noise or suspicion. This usually leaves the red team member with less options then a network penetration test when performing “snatch and grab” assessments. Many attacks used to quickly escalate privileges, can not be used for this reason, during a carefully executed red team exercise.
Signal >> Blog >> Doodles, stickers, and censorship circumvention for Signal Android
Follow-up releases will include detecting censorship and applying circumvention when needed (e.g. so that when users…
From Domain Fronting Theory (2015)
Fast forward to 2018:
Domain Fronting is now mainstream, and being over utilized by APT actor, and network penetration tester alike.
High-reputation Redirectors and Domain Fronting
Working on Cobalt Strike, I get some insight into what folks are trying to do with it. Recently, the use of domain…
APT29 Used Domain Fronting, Tor to Execute Backdoor
by Chris Brook APT29, a/k/a Cozy Bear, has been utilizing a technique called domain fronting in order to secure…
Domain Fronting: Who Am I?
TLDR; Set whatever Host header you want in your Domain Fronting packet when you use CloudFront
Once you have persistence on multiple disparate endpoints, you can now focus on the goals of the engagement. Ideally a less common IBM server on the perimeter can be used to quietly ex-filtrate data via encrypted means. A red team can “backdoor”, and create a simply process with a cron job. You can also use SSH and Stunnel.
There are many stealthy ways to establish persistence on less hardened servers and networks, when you have identified that other user orientated networks maybe be very well fortified.
Read everything you can find once you’ve established persistence. Carefully dissect Intranets, documents, Wikis, and E-mails. Try and understand how the services that you are attacking work, and the structure of the organization itself. Meticulously focus all energy onunderstanding the organization and the systems that are your targets.
Leveraging INF-SCT Fetch & Execute Techniques For Bypass, Evasion, & Persistence
Introduction Over the last few weeks, I researched and tested a few interesting namespaces/methods documented on…
Schtasks Persistence with PowerShell One Liners
One of my favorite Metasploit Framework modules is psh_web_delivery. You can find it in exploits -> windows -> misc…
impacket — Impacket is a collection of Python classes for working with network protocols.