Image above and content courtesy of Starbucks

Top Five Ways the Red Team breached the External Perimeter

Adam Toscher
12 min readMar 23, 2018

I have been performing “red team” breach assessments for many years. Often the goal is penetrating an external network, and gaining access internally to highly classified data, critical systems or money movement platforms.

This Top 5 summarizes the most efficient tools and techniques used by red teams for the reconnaissance, discovery & exploitation phases of an engagement.

In the world of red teaming, the idiom: “one and done”, applies to red teams. One mislead, and targeted victim, can lead to a chain of attacks that can help a red team obtain a very sophisticated goal.

1. OSINT

Open-source intelligence (OSINT) is data collected from publicly available sources to be used in an intelligence context. In the intelligence community, the term “open” refers to overt, publicly available sources (as opposed to covert or clandestine sources)

OSINT is such a vast topic that it’s almost not fair to summarize it’s content numerically. I can honestly only summarize the best data sources I’ve seen, and hopefully provide tips that have helped assessors reach their goal in the shortest time.

Passive Gathering:

Shodan

Linkedin

DNS

Web Archives

OSINT Related“Services”

Google Dorks

Social Media

Manually crawling social media, may provide invaluable information that can not be gathered in an automated fashion, by script or tool. On Instagram, you can find worker’s phone number on business cards. Pictures of WiFi guest passwords on white boards, and happy new hires displaying their new proximity badges. New employees proud of their first day on the job, and posting tons of useful data to social networks.

You can usually find a list for active or past opening via the corporation’s homepage active and archived job listings

Github

Many application developers will commit AWS credentials, or scripts with working credentials. Github and Google Dorking skills go a long way here.

S3 Buckets

Previous Breach Data

Metadata

External Facing Microsoft Communication Services

Exchange:

LCS, OCS, Lync, Skype for Business:

The name may change but Lync is a great tool for Microsoft Active Directory reconnaissance with buggy Office Communicator 2007 roots. It’s extremely important to understand your target’s communications infrastructure. Lync in a hosted environment, may yield an increased surface area that can help you harvest usernames, and even working credentials.

Microsoft released Office Communicator 2007 to production on 28 July 2007 and launched it on 27 October 2007.[6] It was followed by Office Communicator 2007 R2, released on 19 March 2009

Sharepoint:

Many older and improperly hardened Microsoft services are just low hanging fruit and easy targets. If a hosted SharePoint environment is compromised, the red team can abuse SharePoint Services to gather information that can directly aid in a more sophisticated attack.

Active Scanning

External infrastructure network mapping & Web application fingerprinting

2. Spear Phishing

You should now have an extensive body of OSINT knowledge. Ideally you have names, ages and job descriptions of your targets. You should also have their Operating System, what version of Office, and Anti Virus make and type. Determining firewall or proxy devices prior to creation of the payload, is crucial when penetrating the perimeter.

By making a few phone calls you may be able to identify critical information about the environment that can help your spear phish be successful.

Remember you’re not conducting security training during this phish. This is a nation level phish. When you spear phish, try and use the vernacular and tone of the person you’re portraying. Make sure when emulating your false persona, that you have all the details about yourself. Know faux birth-date, SSN number and current location if applicable. If you’ve done your work by now, this should be the easy/fun part.

When sending any e-mails to your carefully, curated list of a few people, try and be as discreet as possible.

Don’t EVER include any links or files when sending your first one or two spear phishes. Don’t try and emphasize urgency, or come off as aggressive. You want to write a nice realistic “note”, and quietly drop it in their inbox.

Payload Generation:

Many of Cobalt Strike’s attacks and workflows deliver a payload as multiple stages. The first stage is called a stager. The stager is a very tiny program, often written in hand-optimized assembly, that: connects to Cobalt Strike, downloads the Beacon payload (also called the stage), and executes it.

An HTML Application (HTA) is a Microsoft Windows program whose source code consists of HTML, Dynamic HTML, and one or more scripting languages supported by Internet Explorer, such as VBScript or JScript. The HTML is used to generate the user interface, and the scripting language is used for the program logic. An HTA executes without the constraints of the internet browser security model; in fact, it executes as a “fully trusted” application

Offer a gift, when it’s time to steer the victim towards a website to fill out a survey. After the survey has been completed, send them a working gift card as an example. The payloads have to be obfuscated, “self destruct”, and ideally adapt to sandbox conditions.

All web sites used in the phishing scenarios should appear legitimate, and all files should be presented as valid documents, or applications.

3. Infrastructure

Internal systems for red team need to be: Modern, secure, and to the individual’s preference.

Laptop/Workstation

The worst thing a red team lead can do, is dictate the need to use bad software and hardware due to policy. There may be policies that state you can only use a certain type of equipment provided by the company. If the people controlling the red team exercise are allowing policy to overcome common sense, then their true alliance is to greed and self interest.

Internal LABS Infrastructure

Ensure your Lab environments have working Active Directory, Microsoft Office and the current version of Anti Virus software. Ideally you can test your payload against products like Fire Eye or Crowd Strike in a LAB environment.

Ensuring your .docx is working, on a well implemented and secure environment for testing is a necessity when your attack surface area is locked down and well fortified.

It’s a good idea to test out your payloads with Endpoint.

Understanding the networks themselves, and how sophisticated or unsophisticated the systems, and software that sits on Layer 7 is paramount in succeeding.

Epilogue: What about TLS Certificate Pinning?

— — — snip — — —

Earlier, I mentioned that one way to add protection to the staging process is to authenticate the staging server. Last year, the Metasploit Framework gained an optional HTTPS stager that does this. This stager ships with the expected hash of the staging server’s SSL certificate. When the stager connects to the staging server, it checks the server’s SSL cert hash against the value it expects. If they don’t match, it doesn’t download and act on the payload. If they do, it assumes things are good. Pretty neat, right? Ignoring the chicken and the egg problem, this is a way to solve this problem for one protocol.

Occasionally, I get asked, “Raphael, why don’t you add this to Cobalt Strike?” While I think this technique is interesting, I don’t feel this is the right approach for Cobalt Strike. Here’s why:

This technique applies to only one protocol: HTTPS. The HTTPS Beacon isn’t as heavily used as other Beacon options. The HTTPS Beacon’s default self-signed certificate is likely to stick out like a sore thumb. It’s possible to bring a valid certificate into Cobalt Strike, but this is a barrier to fully benefiting from the HTTPS Beacon payload.

— — — snip — — —

Always be cognizant of any firewall or proxy that can stop your payload from “beaconing” out of a restrictive network

External Infrastructure (Internet Facing)

C2 Infrastructure

Expendable hosts and services need to be devoid of artifacts. All C2 components should have the ability to be easily destroyed and re-created in an automated fashion.

Ensure that different payloads, and the underlying architecture can not be traced back to the same source.

Image from Tim MalcomVetter’s “Safe Red Team Infrastructure”

Old and Aged

Websites and domains are like fine liquors that only become better with time.

Pick a bunch of domains and age them like Château Lafite Rothschild Pauillac. Think outside the box here: CND providers, financial sites, and other generic domains are perfect. Pick a few generic themes for sites and proxies. Then you can hire a freelance web designer to create a faux front web server and establish a decent degree of credibility. When it comes to domains, make sure they’re old, and categorized. The websites need depth, not just a fake superficial shell to be taken seriously.

You want your shell companies to resonate legitimacy; but lack of content or a poorly executed shell site can be worse, and end up tarnishing your brand reputability from inception.

4. Stealth

Stealth is a mantra not a bullet point when red teaming. Every action must be calculated beforehand. Every tool must be assessed for its potential ability to cause an indicator of compromise. Every command issued to systems should be coordinated, predetermined and recorded.

Do not use common exploits that may yield results but generate noise or suspicion. This usually leaves the red team member with less options then a network penetration test when performing “snatch and grab” assessments. Many attacks used to quickly escalate privileges, can not be used for this reason, during a carefully executed red team exercise.

From Domain Fronting Theory (2015)

Fast forward to 2018:

Domain Fronting is now mainstream, and being over utilized by APT actor, and network penetration tester alike.

5. Persistence

Once you have persistence on multiple disparate endpoints, you can now focus on the goals of the engagement. Ideally a less common IBM server on the perimeter can be used to quietly ex-filtrate data via encrypted means. A red team can “backdoor”, and create a simply process with a cron job. You can also use SSH and Stunnel.

There are many stealthy ways to establish persistence on less hardened servers and networks, when you have identified that other user orientated networks maybe be very well fortified.

Read everything you can find once you’ve established persistence. Carefully dissect Intranets, documents, Wikis, and E-mails. Try and understand how the services that you are attacking work, and the structure of the organization itself. Meticulously focus all energy onunderstanding the organization and the systems that are your targets.

--

--

Adam Toscher

Adam is a offensive security engineer and red team operator with over 20 years of experience in IT