# Red team tools and framework

## Before act

* Stop thinking like a penetration tester
  * Every action should be methodical
  * Every action should be performed with stealth in mind
* Think like an attacker
  * Channel your inner stalker
  * Get really comfortable with your OSINT
  * Plenty of Facebook/LinkedIn trawling
  * I can easily spend a month doing just this
  * Makes for easier execution of future campaigns
* Operate quietly
  * One wrong defense tripped could be losing everything
  * Get in the mindset that your livelihood is at risk
  * Obfuscate everything
* Build a very small target list
  * Each campaign should be limited to a small list of specifically chosen targets
  * You should gather as much as possible about those targets
  * OSINT everywhere

[Source: https://owasp.org/www-pdf-archive/Red_Team_Operating_in_a_Modern_Environment.pdf]

## Reconnaissance

### OSINT

#### LinkedIn

#### Facebook

#### Google Dorks

* `$Company_name filetype:doc`

### Physical recon

## Initial Access

### Enumeration

### Phishing

Easily the most effective route of entry.

* Two types of payloads
  * Browser based attacks (chance of success: higher, profit: lower)
    * Browser exploit
    * Login portal clone
  * Attachment based attacks (chance of success: lower, profit: higher)
    * Office document with macro
    * Zip file with JS script attached (common ransomware vector)
* As an operator, you need to enumerate the possible protections in place
  * Send a document with a benign payload that informs you when it has been activated
    * Small pixel in the email and/or possibly a macro
  * Based on the amount of time it took to activate from the time it was sent, and how many activations were made (as in, you saw multiple activations from different sources within a short window of time), determine if you're dealing with a sandbox
  * Look at MX records
    * MX: Mail eXchange
    * Tools:
      * https://dns.google/
      * https://www.dnsqueries.com/es/

| Protection Type | MX Record |
|---|---|
| Barracuda | .barracudanetworks.com |
| Proofpoint | .secureserver.net |
| Office 365 | .mail.protection.outlook.com |
| Google | .googlemail.com |

#### Gophish

https://docs.getgophish.com/user-guide/installation

##### Installation

Download it from https://github.com/gophish/gophish/releases and unzip it:

```
unzip gophish-v0.11.0-linux-64bit.zip
cd gophish
chmod +x gophish
./gophish
```

The credentials may be admin:gophish, but in other versions the initial password is printed in the server logs. After running it, you'll see the dashboard at https://localhost:3333/

##### Use

##### Errors

**Max connection attempts exceeded - 535 5.7.8 Username and Password not accepted. Learn more at\n5.7.8 https://support.google.com/mail/?p=BadCredentials b2sm5532470wrd.64 - gsmtp**

![](https://i.imgur.com/ITK3Tgh.png)

![](https://i.imgur.com/O7oVrrQ.png)

![](https://i.imgur.com/a6wAZtJ.png)

![](https://i.imgur.com/vqTg8Lv.png)

### Physical access

## Tools

### Covenant

#### Installation

```
git clone --recurse-submodules https://github.com/cobbr/Covenant
cd Covenant/Covenant
sudo docker build -t covenant .
sudo docker run -it -p 7443:7443 -p 80:80 -p 443:443 --name covenant -v /home/aml/experimentos/Covenant/Covenant/Data:/app/Data covenant
```

Now you can press Ctrl+P and Ctrl+Q to detach from the tty, leaving the Covenant container running.

```
docker start covenant
docker stop covenant
```

The service can be visited at https://localhost:7443/

#### How it works

For the examples, I'm using the HTB Endgame "Ascension". Previously, I found an SQLi which can be converted to RCE [this way](https://www.optiv.com/explore-optiv-insights/blog/mssql-agent-jobs-command-execution).

Now, in Covenant, I'll create a **Listener**.

![](https://i.imgur.com/wk3hbhK.png)

This listener will wait for a connection. It's important to set the "ConnectAddresses" parameter to our IP.

The next step is executing one of the **Launchers** on the target machine.

![](https://i.imgur.com/cFeJGBV.png)

In our case, I'm going to use the *PowerShell* one, so let's open it.
![](https://i.imgur.com/h6tWRTW.png)

Here we have to set our listener and click on *Generate*. This gives us a payload to execute in any PowerShell (take care with AV, because it screams a lot). I'll send it to the target machine and wait for the connection back. Here it is!

![](https://i.imgur.com/DTNkmTZ.png)

Now, let's go to our newly created **Grunt**, which provides us a lot of information about the target.

![](https://i.imgur.com/nqFN6Kx.png)

Also, in the second tab, we can open some kind of webshell for sending commands.

![](https://i.imgur.com/HBeJGe4.png)

#### Interesting Tasks

BypassAmsi

![](https://i.imgur.com/dlkPjBq.png)

PortScan

![](https://i.imgur.com/d1u6nYQ.png)

#### Errors

##### Cannot access Data

If you took a screenshot and now cannot access Data, check whether the Developer Tools show an error such as "FormatException: The input is not a valid Base-64 string as it contains a non-base 64 character, more than two padding characters, or an illegal character among the padding characters.". In this case, we have to go into the database:

```
sudo sqlite3 path/Covenant/Data/covenant.db
sqlite> select * from Events;
1|2022-01-21 13:38:25.1999448|Download ScreenShot Completed|Downloaded screenshot: 2437c39e17.png|1|2|6aaa588b54|ScreenshotEvent|2437c39e17.png|System.ComponentModel.Win32Exception: The handle is invalid at System.Drawing.Graphics.CopyFromScreen(Int32 sourceX, Int32 sourceY, Int32 destinationX, Int32 destinationY, Size blockRegionSize, CopyPixelOperation copyPixelOperation) at System.Drawing.Graphics.CopyFromScreen(Point upperLeftSource, Point upperLeftDestination, Size blockRegionSize) at Task.Execute()|1
-- Get the ID (the first number) of the entry that shows this error and delete it:
sqlite> delete from Events where id=10;
sqlite> .quit
```

## Links

https://github.com/infosecn1nja/Red-Teaming-Toolkit

https://www.netspi.com/blog/technical/adversary-simulation/malicious-outlook-rules/
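Added example, not part of the original notes: a small Python helper that parses the ANSWER section of `dig MX <domain>` output and maps each exchanger to the mail-filtering vendor listed in the MX table of the Phishing section, which shows at a glance what a domain's MX records reveal about its protection. The `dig` output and the `example.com` hosts are constructed; the suffix table is copied from that section.

```python
import re
from typing import Dict, List, Tuple

# Suffix -> vendor mapping copied from the MX table in the Phishing section
PROTECTION_BY_MX_SUFFIX: Dict[str, str] = {
    ".barracudanetworks.com": "Barracuda",
    ".secureserver.net": "Proofpoint",
    ".mail.protection.outlook.com": "Office 365",
    ".googlemail.com": "Google",
}

# Matches one ANSWER-section line: "<name> <ttl> IN MX <priority> <exchanger>"
MX_LINE = re.compile(r"^\S+\s+\d+\s+IN\s+MX\s+(\d+)\s+(\S+)\s*$")


def parse_dig_mx(output: str) -> List[Tuple[int, str]]:
    """Return (priority, exchanger) pairs from dig output, lowest priority first."""
    records = []
    for line in output.splitlines():
        match = MX_LINE.match(line.strip())
        if match:
            # Drop the trailing dot of the fully qualified name and normalise case
            records.append((int(match.group(1)), match.group(2).rstrip(".").lower()))
    return sorted(records)


def classify_mx(exchanger: str) -> str:
    """Map an MX host to a known filtering vendor, or 'Unknown' if no suffix matches."""
    for suffix, vendor in PROTECTION_BY_MX_SUFFIX.items():
        if exchanger.endswith(suffix):
            return vendor
    return "Unknown"


def protections_for(output: str) -> Dict[str, str]:
    """Vendor per exchanger, in delivery order (lowest MX priority first)."""
    return {host: classify_mx(host) for _, host in parse_dig_mx(output)}


# Constructed sample output, not the result of a real query
SAMPLE_DIG = """; <<>> DiG 9.18.1 <<>> MX example.com
;; ANSWER SECTION:
example.com.            300     IN      MX      10 mx1.example-com.mail.protection.outlook.com.
example.com.            300     IN      MX      20 mail.example-com.barracudanetworks.com.
example.com.            300     IN      MX      30 mx.example.net.
"""

if __name__ == "__main__":
    for host, vendor in protections_for(SAMPLE_DIG).items():
        print(f"{host:50} {vendor}")
```

Pipe real output in with `dig MX <domain> | python3 mx_protection.py` after replacing `SAMPLE_DIG` with `sys.stdin.read()`; an exchanger reported as "Unknown" simply means it matches none of the suffixes in the table.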