Hands-On Red Team Tactics : A practical guide to mastering Red Team Operations PDF

469 Pages·2018·89.577 MB·English
Preview Hands-On Red Team Tactics : A practical guide to mastering Red Team Operations

Hands-On Red Team Tactics
A practical guide to mastering Red Team operations

Himanshu Sharma
Harpreet Singh

BIRMINGHAM - MUMBAI

Hands-On Red Team Tactics
Copyright © 2018 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Commissioning Editor: Vijin Boricha
Acquisition Editor: Rohit Rajkumar
Content Development Editor: Ronn Kurien
Technical Editor: Prachi Sawant
Copy Editor: Safis Editing
Project Coordinator: Jagdish Prabhu
Proofreader: Safis Editing
Indexer: Tejal Daruwale Soni
Graphics: Tom Scaria
Production Coordinator: Deepika Naik

First published: September 2018
Production reference: 1270918

Published by Packt Publishing Ltd.
Livery Place, 35 Livery Street, Birmingham B3 2PB, UK.

ISBN 978-1-78899-523-8

www.packtpub.com

mapt.io

Mapt is an online digital library that gives you full access to over 5,000 books and videos, as well as industry-leading tools to help you plan your personal development and advance your career. For more information, please visit our website.

Why subscribe?

- Spend less time learning and more time coding with practical eBooks and videos from over 4,000 industry professionals
- Improve your learning with Skill Plans built especially for you
- Get a free eBook or video every month
- Mapt is fully searchable
- Copy and paste, print, and bookmark content

Packt.com

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.packt.com and, as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.

At www.packt.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.

Contributors

About the authors

Himanshu Sharma has already achieved fame for finding security loopholes and vulnerabilities in Apple, Google, Microsoft, Facebook, Adobe, Uber, AT&T, Avira, and many more, with hall of fame listings. He has helped celebrities such as Harbhajan Singh in recovering their hacked accounts, and also assisted an international singer in recovering his hacked accounts. He was a speaker at the international conferences Botconf '13, CONFidence 2018, and RSA Singapore 2018. He also spoke at an IEEE conference as well as at TEDx. Currently, he is the cofounder of BugsBounty, a crowd-sourced security platform.

Harpreet Singh has more than 5 years' experience in the field of ethical hacking, penetration testing, and red teaming. In addition, he has performed red team engagements in multinational banks and companies. Harpreet is an Offensive Security Certified Professional (OSCP) and Offensive Security Wireless Professional (OSWP). He has trained 1,500+ students, including government officials, in international projects.

About the reviewers

Nipun Jaswal is an international cyber security author and an award-winning IT security researcher with a decade of experience in penetration testing, vulnerability assessments, surveillance and monitoring solutions, and RF and wireless hacking. He has authored Metasploit Bootcamp, Mastering Metasploit, and Mastering Metasploit, Second Edition, and coauthored the Metasploit Revealed set of books. He has authored numerous articles and exploits that can be found on popular security databases, such as Packet Storm and Exploit-DB. Please feel free to contact him at @nipunjaswal.

Ashwin Iyer is an M.Tech graduate in Information Security and Computer Forensics with more than 5 years of experience in cyber security, and earned a bachelor's degree in computer science. He has exposure to penetration testing and infrastructure security. He is currently working at SAP Ariba as a Red Team Lead. He has experience in infrastructure security and in hardening the underlying technology, OS, and devices. He is also experienced in web and network pentesting, in both the e-commerce and software product domains. He holds professional certifications including GIAC GSEC #35151 (SANS), OSCP (OS-13175), ISO 27001:2013, ITILv3 2011 Foundation, Certified Ethical Hacker (CEHv7), and CISRA.

Packt is searching for authors like you

If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.
Table of Contents

Preface

Chapter 1: Red-Teaming and Pentesting
  Pentesting 101
  OWASP
  Open Source Security Testing Methodology Manual (OSSTMM)
  Information Systems Security Assessment Framework (ISSAF)
  Penetration Testing Execution Standard (PTES)
  Pre-engagement interactions
  Intelligence gathering
  Threat modeling
  Vulnerability analysis
  Exploitation
  Post-exploitation
  Reporting
  A different approach
  Methodology
  How is it different?
  Summary
  Questions
  Further reading

Chapter 2: Pentesting 2018
  Technical requirements
  MSFvenom Payload Creator
  Resource file
  Koadic
  Installation
  Why use MSHTA as the dropper payload?
  Terminology
  Stager establishment
  Payload execution
  Running Implants
  Pivoting
  Summary
  Questions
  Further reading

Chapter 3: Foreplay - Metasploit Basics
  Technical requirements
  Installing Metasploit
  Running Metasploit
  Auxiliaries
  Exploits
  Payloads
  Encoders
  Meterpreter
  Armitage and team server
  Metasploit with slack
  Armitage and Cortana scripts
  Summary
  Questions
  Further reading

Chapter 4: Getting Started with Cobalt Strike
  Technical requirements
  Planning a red-team exercise
  Cyber kill chain (CKC)
  Reconnaissance
  Weaponization
  Delivery
  Exploitation
  Installation
  Command and Control Server
  Actions
  Objective and goal
  Rules of Engagement (RoE)
  Scenario/strategy
  Deliverables
  Introduction to Cobalt Strike
  What is a team server?
  Cobalt Strike setup
  Cobalt Strike interface
  Toolbar
  Connecting to another team server
  Disconnecting from the team server
  Configure listeners
  Session graphs
  Session table
  Targets list
  Credentials
  Downloaded files
  Keystrokes
  Screenshots
  Payload generation – stageless Windows executable
  Payload generation – Java signed applet
  Payload generation – MS Office macros
  Scripted web delivery
  File hosting
  Managing the web server
  Server switchbar
  Customizing the team server
  Summary
  Questions
  Further reading

Chapter 5: ./ReverseShell
  Technical requirement
  Introduction to reverse connections
  Unencrypted reverse connections using netcat
  Encrypted reverse connections using OpenSSL
  Introduction to reverse shell connections
  Unencrypted reverse shell using netcat
  Encrypted reverse shell for *nix with OpenSSL packages installed
  Encrypted reverse shell using ncat
  Encrypted reverse shell using socat
  Encrypted reverse shell using cryptcat
  Reverse shell using powercat
  reverse_tcp
  reverse_tcp_rc4
  reverse_https
  reverse_https with a custom SSL certificate
  Meterpreter over ngrok
  Reverse shell cheat sheet
  Bash reverse shell
  Zsh reverse shell
  TCLsh/wish reverse shell
  Ksh reverse shell
  Netcat reverse shell
  Telnet reverse shell
  (G)awk reverse shell
  R reverse shell
  Python reverse shell
  Perl reverse shell
  Ruby reverse shell
  Php reverse shell
  Lua reverse shell
  Nodejs reverse shell
  Powershell reverse shell
  Socat reverse shell over TCP
  Socat reverse shell over UDP
  Socat reverse shell over SSL (cert.pem is the custom certificate)
  Summary
  Questions
  Further reading

Chapter 6: Pivoting
  Technical requirements
  Pivoting via SSH
  Meterpreter port forwarding
  Pivoting via Armitage
  Multi-level pivoting
  Summary
  Further reading

Chapter 7: Age of Empire - The Beginning
  Technical requirements
  Introduction to Empire
  Empire setup and installation
  Empire fundamentals
  Phase 1 – Listener Initiation
  Phase 2 – Stager Creation
  Phase 3 – Stager Execution
  Phase 4 – Acquiring Agent
  Phase 5 – Post Module Operations
  Empire post exploitation for Windows
  Empire post exploitation for Linux
  Empire post exploitation for OSX
  Popping up a Meterpreter session using Empire
  Slack notification for Empire agents
  Summary
  Questions
  Further reading

Chapter 8: Age of Empire - Owning Domain Controllers
  Getting into a Domain Controller using Empire
  Automating Active Directory exploitation using the DeathStar
  Empire GUI
  Summary
  Questions
  Further reading

Chapter 9: Cobalt Strike - Red Team Operations
  Technical requirements
  Cobalt Strike listeners
  Foreign-based listeners
  Cobalt Strike payloads
  Beacons
  The beacon menu
  Explore menu
