Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Ähnlich wie Red Team Methodology - A Naked Look
Ähnlich wie Red Team Methodology - A Naked Look (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Red Team Methodology - A Naked Look
- 2. RED TEAM METHODOLOGY A NAKED LOOK
- 3. ○ Jason Lang ○ Sr Security Consultant at TrustedSec ○ Red team, trolling, shennanigans ○ Twitter: @curi0usJack ○ Hobbies: woodworking, bee keeping About
- 4. Goals ○ To give you an unrestricted look at one red teamer’s (consultant) methodology, including core principals. ○ To foster learning by example (and failure) ○ To drop some handy stuff. :-)
- 5. Red Team Target Maturity Vuln scan External pentest Internal pentest Purple Team(s) Red team / ATT&CK Non-scoped long term / AdSims Patch Management Network Controls / Admin Rights Configured Endpoint /EDRs Centralized Logging Finely tuned Alerting and Response Threat Hunting Thanks @Contra_BlueTeam!
- 6. Red Team Target Maturity Vuln scan External pentest Internal pentest Purple Team(s) Red team / ATT&CK Non-scoped long term / AdSims Patch Management Network Controls / Admin Rights Configured Endpoint /EDRs Centralized Logging Finely tuned Alerting and Response Threat Hunting Thanks @Contra_BlueTeam!
- 7. Red Team Key Difference Ability to slow your roll
- 8. Why this talk? I’m already a pro Because of the 10-20%
- 9. Internal Staying Stealthy SE Tips to keep you getting shellz Reporting Lorem ipsum dolor sit ugh, Microsoft Word Pre-gig Initial steps, OSINT, & Recon External Required Reading Talk Agenda
- 10. My Red Team Core Principals ○ Adversary simulation, not emulation. ○ Goal is specific data, trophy systems, or apps. Not DA (unless DA a trophy, which it shouldn’t be). ○ Emphasize stealth over speed. ○ Active defense should be encouraged, to a point. Goal isn’t to “win” (either red or blue). ○ Scope should be as open as possible, including physical. ○ There should always be a “tip your hand” moment.
- 12. Core Principals: Pre-Gig ○ Steer client towards as open a scope as possible. ○ Clearly define what *can* be done vs what *will* be done. ○ Set an assumed breach target date. ○ Ask for their user password policy, specifically: Lockout Threshold, Lockout Duration, Lockout Observation Window.
- 13. Question When does a red team engagement start? Answer: The minute you get the assignment email.
- 14. LinkedIn - It’s The Best ○ You should must have a recon account by now ○ Set a repeating task to add connections ○ Easy to scrape
- 15. LinkedIn - Build It Fast 1. Build a decent profile. Be thorough. Be sure to add colleges/organization. 2. Click “My Network” 3. Scroll way down to fill the page 4. Run in Browser dev tools $("[data-control-name*='invite']").each(function(index) { $(this).trigger('click'); }) Thanks @mandreko & @Glitch1101!
- 16. Domains ○ Aged for months ahead of time ○ Reusable if possible. ○ clientname-portal.com is not ok. client.health-portal.com is. ○ Careful though, Cert transparency logs…. ○ C2 & Phish domains never overlap! ○ Submit domains with PA, BlueCoat, Checkpoint, McAfee ○ Magic categories: Health, Financial, Goverment
- 17. Domains 1. Determine the sensitive traffic that must not be decrypted: Best practice dictates that you decrypt all traffic except that in sensitive categories, such as Health, Finance, Government, Military and Shopping. https://blog.paloaltonetworks.com/2018/11/best-practices-enabling-ssl-decryption/ Palo Alto SSL Decryption Best Practices
- 18. Passive Recon - How I Do It ○ hardcidr to get external ranges ○ amass with shodan/censys keys (wait for Black Friday) ○ https://crt.sh for cert transparency (crtsh-parse.py) ○ Metadata searching with pymeta ○ Github searching with trufflehog, reposcanner, Google ○ Authenticated LinkedIn scraping for contacts (LinkedInt by @vysecurity) ○ Dorks for everything else Tool names in red. All on Github
- 19. Favorite Dorks ○ DOMAIN.COM (site:amazonaws.com | site:blob.core.windows.net | site:digitaloceanspaces.com) ○ DOMAIN.COM (site:pastebin.com | site:paste2.org | site:paste.bradleygill.com | site:pastie.org | site:dpaste.com) ○ “CLIENT NAME” site:linkedin.com (intitle:”Service Desk” | intitle:“Desktop Support” | intitle:”Security Engineer” | intitle:”Help Desk”)
- 20. Breach Data ○ Treasure trove of info: ○ Email format ○ Password format ○ New user passwords (group by count)? ○ Good place to start: ○ https://thepiratebay.org/torrent/22590240/Leaked_Databases
- 22. Core Principals: External ○ Brute AD from external, and always through a VPN. ○ Do your due diligence, but web app testing usually isn’t the focus (and quite possibly outside your discipline/expertise). ○ Make liberal use of credential stuffing. It works.
- 23. Active Recon - How I Do It ★aquatone for website screen grabs ★dirsearch for HTTP dir-bruting ★nmap for top port tcp/udp sweeps ‣ Proxies may require full TCP connect (-sT) ‣ nmap default UA: Mozilla/5.0 (compatible; Nmap Scripting Engine); http://nmap.org/book/nse.html Tool names in red. Blue Stars == Proxy/VPN
- 24. initialrecon.py Because gimme the dataz… https://git.io/initialrecon https://git.io/crtshparse Code:
- 25. NTLM Bruting ○ Obvious Sources: ○ Office 365 ○ Exchange EWS ○ Skype/Lync ○ Check https://testconnectivity.microsoft.com ○ Less Obvious - ADFS. Troopers 19 ○ /adfs/services/trust/2005/windowstransport ○ /adfs/services/trust/13/windowstransport 🔥 Still hawt 🔥
- 27. Core Principals: SE ○ Phishing: ○ 5 addresses max at a time, all bcc’d, with 15 mins between sends. Send from O365. ○ Links, not attachments. ○ Never a worry from Proofpoint. ○ Lead off with your latest tradecraft and downgrade as you get a feel for the environment. Don’t abuse your TTPs. ○ Eventually pivot to assumed breach (about 50% way through)
- 28. Infr. Automation with Ansible ○ Ansible is an open source platform that automates software provisioning, config mgmt & app deployement ○ It uses YAML files (.yml) to express gruops of commands called tasks. ○ All tasks are executed on a target server using SSH + Python. No agents required! ○ Modules make up the bulk of functionality, allowing a variety of tasks like copying files, service management, etc
- 29. Infr. Automation with Ansible
- 30. Ansible - Tasks
- 33. Ansible - Playbooks Thanks Marcello! https://github.com/byt3bl33d3r/AnsiblePlaybooks
- 34. Macros/Attachments ○ Payloads ○ Safe: Modified cactus torch (js + eval() = ftw) ○ Safer: regkey mods only ○ VBA Stomping / EvilClippy ○ https://vbastomp.com/ ○ Template Injection ○ http://blog.redxorblue.com/2018/07/executing-macros-from-docx-with-remote.html
- 36. Azure Information Protection (AIP) ○ Leverages O365’s RMS to encrypt Office document to *specific recipients* ○ Impossible for defenders/sandboxes to evaluate the attachment without the user’s credentials. muahaha ○ Does not require your target have O365 https://blog.atwork.at/post/2018/02/18/Azure-information-protection-user-experience-with-external-users
- 37. Azure Information Protection (AIP)
- 38. Azure Information Protection (AIP)
- 39. Azure Information Protection (AIP)
- 40. Azure Information Protection (AIP)
- 41. Azure Information Protection (AIP) Full guide here: https://www.trustedsec.com/2019/04/next-gen- phishing-leveraging-azure-information-protection/ DerbyCon 9 Talk: https://youtu.be/EYUp_MNtJIk Thanks @Oddvarmoe & @jarsnah12!
- 43. Core Principals: Internal ○ Prioritize: cookies, bookmarks, file shares, SharePoint. ○ Kerberoast single users only, no less than one hour apart (at minimum). Research before hand. ○ Initial landing callback of 5-30 minutes, depending on engagement time & sophistication of defenses. ○ Test all commands in your lab before firing live. Duplicate defenses if possible.
- 44. Lab Environment ○ Internal lab is *required* ○ MSDN license ○ Splunk dev license ○ Used Dell R710 (ebay, ~$500) ○ Full AD forest ○ Sysmon/Defender -> Splunk ○ Splunk ThreatHunting App by @olafhartong
- 46. Tools/Tactics (*) == heavily modified ○ What I almost never use: ○ CrackMapExec, internal bruting, PowerSploit ○ What I sometimes use: ○ Bloodhound, MSF aux mods, mimikatz*, Cobalt Strike* ○ What I always use: ○ proxychains, SOCKS, impacket*, ldapsearch, kerberos manipulation, /dirkjanm.io/*.*
- 47. wmiexec.py
- 49. wmiexec.py index=windows EventCode=4688 `comment("impacket/wmiexec.py commands")` (Process_Command_Line=*127.0.0.1* AND (Process_Command_Line="*ADMIN$*" OR Process_Command_Line="*C$*")) `comment("impacket/smbexec.py commands")` OR (Process_Command_Line="*execute.bat*" AND Process_Command_Line=“*Temp__output*") `comment("impacket/secretsdump.py")` OR (Creator_Process_Name="*services.exe" AND New_Process_Name="*svchost.exe" AND Process_Command_Line="*RemoteRegistry") `comment("impacket/atexec.py")` OR (Process_Command_Line="cmd*C:WindowsTemp*.tmp 2>&1”) | table _time host Process_Command_Line | sort _time desc
- 50. Lowpriv - Chrome ○ mimikatz dpapi::chrome /in:%localappdata%googlechromeUser DataDefault(Cookies | Login Data)
- 51. Lowpriv - Chrome ○ If you don’t want to fire mimikatz in the target’s memory: ○ Save off the Cookies/Login Data files ○ Acquire the user’s password ○ Follow steps here for decrypting user DPAPI keys to then decrypt Chrome files ○ https://www.harmj0y.net/blog/redteaming/operational-guidance-for- offensive-user-dpapi-abuse/
- 52. Persistence & Movement ○ site:hexacorn.com inurl:blog intitle:beyond HKCU ○ COM/DLL Hijacking ○ Procmon is your best friend ○ Use a COM Proxy so you don’t fubar the target https://adapt-and-attack.com/2019/08/29/proxying-com-for-stable-hijacks/ Thanks @leoloobeek! ○ Blend. In.
- 53. Blending In
- 54. Blending In
- 55. DLL Hijacking
- 56. DLL Hijacking
- 57. COM Hijacking
- 58. COM Hijacking Thanks @enigma0x3 @bohops!
- 61. Core Principals: Communication/Reporting ○ Status Updates: Use “selective caution” when sharing. ○ Full walkthrough/narrative must be included in the report! ○ Findings: Less in number, better in quality. No SSL v2 nonsense unless you actually did something with it. ○ Consultants: Offer multiple follow up calls with defense team. These are *the best*.