Hands-On Red Team Tactics

Book Description

Your one-stop guide to learning and implementing Red Team tactics effectively

Key Features

  • Target a complex enterprise environment in a Red Team activity
  • Detect threats and respond to them with a real-world cyber-attack simulation
  • Explore advanced penetration testing tools and techniques

Red Teaming enhances an organization's security by running simulated attacks against it to find network and system weaknesses and to test how well its defenders detect and respond. Hands-On Red Team Tactics starts with an overview of pentesting and Red Teaming, then introduces a few of the latest pentesting tools. We then move on to exploring Metasploit and getting to grips with Armitage. Once you have covered the fundamentals, you will learn how to use Cobalt Strike and how to set up its team server.

The book introduces some lesser-known techniques for pivoting, including pivoting over SSH, before moving on to pivoting with Cobalt Strike. This comprehensive guide demonstrates advanced methods of post-exploitation using Cobalt Strike and introduces you to Command and Control (C2) servers and redirectors. All of this will help you achieve persistence using beacons and exfiltrate data, and will also walk you through the methodology for using Red Team tools such as Empire against Active Directory and Domain Controllers during an engagement.

In addition to this, you will explore maintaining persistent access, staying untraceable, and getting reverse connections over different C2 covert channels.

By the end of this book, you will have learned about advanced penetration testing tools, techniques to get reverse shells over encrypted channels, and processes for post-exploitation.

What you will learn

  • Get started with red team engagements using lesser-known methods
  • Explore intermediate and advanced levels of post-exploitation techniques
  • Get acquainted with the tools and module types (auxiliaries, exploits, payloads, encoders, Meterpreter) included in the Metasploit Framework
  • Discover the art of getting stealthy access to systems via Red Teaming
  • Understand the concept of redirectors to add further anonymity to your C2
  • Get to grips with different uncommon techniques for data exfiltration

Who this book is for

Hands-On Red Team Tactics is for you if you are an IT professional, pentester, security consultant, or ethical hacker interested in the IT security domain and want to go beyond penetration testing. Prior knowledge of penetration testing is beneficial.

Downloading the example code for this book

You can download the example code files for all Packt books you have purchased from your account at http://www.PacktPub.com. If you purchased this book elsewhere, you can visit http://www.PacktPub.com/support and register to have the files e-mailed directly to you.

Table of Contents

  1. Title Page
  2. Copyright and Credits
    1. Hands-On Red Team Tactics
  3. Packt Upsell
    1. Why subscribe?
    2. Packt.com
  4. Contributors
    1. About the authors
    2. About the reviewers
    3. Packt is searching for authors like you
  5. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
      1. Download the color images
      2. Conventions used
    4. Get in touch
      1. Reviews
    5. Disclaimer
  6. Red-Teaming and Pentesting
    1. Pentesting 101
      1. OWASP
      2. Open Source Security Testing Methodology Manual (OSSTMM)
      3. Information Systems Security Assessment Framework (ISSAF)
      4. Penetration Testing Execution Standard (PTES)
        1. Pre-engagement interactions
        2. Intelligence gathering
        3. Threat modeling
        4. Vulnerability analysis
        5. Exploitation
        6. Post-exploitation
        7. Reporting
    2. A different approach
      1. Methodology
      2. How is it different?
    3. Summary
    4. Questions
    5. Further reading
  7. Pentesting 2018
    1. Technical requirements
    2. MSFvenom Payload Creator
      1. Resource file
    3. Koadic
      1. Installation
      2. Why use MSHTA as the dropper payload?
      3. Terminology
      4. Stager establishment
      5. Payload execution
      6. Running Implants
      7. Pivoting
    4. Summary
    5. Questions
    6. Further reading
  8. Foreplay - Metasploit Basics
    1. Technical requirements
    2. Installing Metasploit
    3. Running Metasploit
      1. Auxiliaries
      2. Exploits
      3. Payloads
      4. Encoders
      5. Meterpreter
    4. Armitage and team server
    5. Metasploit with slack
    6. Armitage and Cortana scripts
    7. Summary
    8. Questions
    9. Further reading
  9. Getting Started with Cobalt Strike
    1. Technical requirements
    2. Planning a red-team exercise
      1. Cyber kill chain (CKC)
        1. Reconnaissance
        2. Weaponization
        3. Delivery
        4. Exploitation
        5. Installation
        6. Command and Control Server
        7. Actions
        8. Objective and goal
          1. Rules of Engagement (RoE)
          2. Scenario/strategy
          3. Deliverables
    3. Introduction to Cobalt Strike
      1. What is a team server?
    4. Cobalt Strike setup
    5. Cobalt Strike interface
      1. Toolbar
      2. Connecting to another team server
      3. Disconnecting from the team server
      4. Configure listeners
      5. Session graphs
      6. Session table
      7. Targets list
      8. Credentials
      9. Downloaded files
      10. Keystrokes
      11. Screenshots
      12. Payload generation – stageless Windows executable
      13. Payload generation – Java signed applet
      14. Payload generation – MS Office macros
      15. Scripted web delivery
      16. File hosting
      17. Managing the web server
      18. Server switchbar
    6. Customizing the team server
    7. Summary
    8. Questions
    9. Further reading
  10. ./ReverseShell
    1. Technical requirement
    2. Introduction to reverse connections
      1. Unencrypted reverse connections using netcat
      2. Encrypted reverse connections using OpenSSL
    3. Introduction to reverse shell connections
      1. Unencrypted reverse shell using netcat
      2. Encrypted reverse shell for *nix with OpenSSL packages installed
      3. Encrypted reverse shell using ncat
      4. Encrypted reverse shell using socat
      5. Encrypted reverse shell using cryptcat
      6. Reverse shell using powercat
        1. reverse_tcp
        2. reverse_tcp_rc4
        3. reverse_https
        4. reverse_https with a custom SSL certificate
        5. Meterpreter over ngrok
        6. Reverse shell cheat sheet
          1. Bash reverse shell
          2. Zsh reverse shell
          3. TCLsh/wish reverse shell
          4. Ksh reverse shell
          5. Netcat reverse shell
          6. Telnet reverse shell
          7. (G)awk reverse shell
          8. R reverse shell
          9. Python reverse shell
          10. Perl reverse shell
          11. Ruby reverse shell
          12. Php reverse shell
          13. Lua reverse shell
          14. Nodejs reverse shell
          15. Powershell reverse shell
          16. Socat reverse shell over TCP
          17. Socat reverse shell over UDP
          18. Socat reverse shell over SSL (cert.pem is the custom certificate)
    4. Summary
    5. Questions
    6. Further reading
  11. Pivoting
    1. Technical requirements
    2. Pivoting via SSH
    3. Meterpreter port forwarding
    4. Pivoting via Armitage
    5. Multi-level pivoting
    6. Summary
    7. Further reading
  12. Age of Empire - The Beginning
    1. Technical requirements
    2. Introduction to Empire
    3. Empire setup and installation
    4. Empire fundamentals
      1. Phase 1 – Listener Initiation
      2. Phase 2 – Stager Creation
      3. Phase 3 – Stager Execution
      4. Phase 4 – Acquiring Agent
      5. Phase 5 – Post Module Operations
    5. Empire post exploitation for Windows
    6. Empire post exploitation for Linux
    7. Empire post exploitation for OSX
    8. Popping up a Meterpreter session using Empire
    9. Slack notification for Empire agents
    10. Summary
    11. Questions
    12. Further reading
  13. Age of Empire - Owning Domain Controllers
    1. Getting into a Domain Controller using Empire
    2. Automating Active Directory exploitation using the DeathStar
    3. Empire GUI
    4. Summary
    5. Questions
    6. Further reading
  14. Cobalt Strike - Red Team Operations
    1. Technical requirements
    2. Cobalt Strike listeners
      1. Foreign-based listeners
    3. Cobalt Strike payloads
    4. Beacons
      1. The beacon menu
      2. Explore menu
      3. Beacon console
    5. Pivoting through Cobalt Strike
    6. Aggressor Scripts
    7. Summary
    8. Questions
    9. Further reading
  15. C2 - Master of Puppets
    1. Technical requirements
    2. Introduction to C2
    3. Cloud-based file sharing using C2
      1. Using Dropbox as the C2
      2. Using OneDrive as the C2
    4. C2 covert channels
      1. TCP
      2. UDP
      3. HTTP(S)
      4. DNS
      5. ICMP
    5. Summary
    6. Questions
    7. Further reading
  16. Obfuscating C2s - Introducing Redirectors
    1. Technical requirements
    2. Introduction to redirectors
    3. Obfuscating C2 securely
    4. Short-term and long-term redirectors
    5. Redirection methods
      1. Dumb pipe redirection
      2. Filtration/smart redirection
    6. Domain fronting
    7. Summary
    8. Questions
    9. Further reading
  17. Achieving Persistence
    1. Technical requirements
    2. Persistence via Armitage
    3. Persistence via Empire
    4. Persistence via Cobalt Strike
    5. Summary
    6. Further reading
  18. Data Exfiltration
    1. Technical requirements
    2. Exfiltration basics
      1. Exfiltration via Netcat
      2. Exfiltration via OpenSSL
      3. Exfiltration with PowerShell
    3. CloakifyFactory
      1. Running CloakifyFactory on Windows
    4. Data exfiltration via DNS
    5. Data exfiltration via Empire
    6. Summary
    7. Questions
    8. Further reading
  19. Assessment
    1. Chapter 1: Red-Teaming and Pentesting
    2. Chapter 2: Pentesting 2018
    3. Chapter 3: Foreplay – Metasploit Basics
    4. Chapter 4: Getting Started with Cobalt Strike
    5. Chapter 5: ./ReverseShell
    6. Chapter 7: Age of Empire – The Beginning
    7. Chapter 8: Age of Empire – Owning Domain Controllers
    8. Chapter 9: Cobalt Strike – Red Team Operations
    9. Chapter 10: C2 – Master of Puppets
    10. Chapter 11: Obfuscating C2s – Introducing Redirectors
    11. Chapter 13: Data Exfiltration
  20. Other Books You May Enjoy
    1. Leave a review - let other readers know what you think