My team at work started an internal book club as a means of both team building and ongoing education. The latest book covered was The Hacker Playbook 3: Practical Guide to Penetration Testing (Red Team Edition). This struck a chord since this was also a book on the BrakeSec Bookclub.
You can grab your copy here. I opted for the physical copy, but also grabbed the kindle version for $2.99 through the Amazon Matchbook program (new to me – I love this idea).
One thing to note about this book – Red Teaming is NOT Penetration Testing. The two activities do have a fair amount of overlap, but they differ in the nature of their execution and in their stated end goals. The book spells this out before jumping into the material:
1 – Pregame – The Setup
The opening chapter was absolutely stocked with a ton of reference links for various options when building out a red team infrastructure. Peter Kim seemed to have reference links for every other paragraph in here – everything from Virtual Private Cloud (VPC) providers to all sorts of Command and Control (C2) tools for managing your shells during a red team engagement. My physical copy of the book is already looking like one of my SANS books with all sorts of highlights and sticky notes as I build out my own reference index. This chapter alone makes the e-book version worthwhile as a second purchase. You’ll save lots of time being able to click links instead of typing out URLs and bit.ly links (guessing whether that is an “I” or an “l”).
A companion virtual machine is available for download with the book (linked below), but I do see value in installing and configuring the tools as part of the lab exercises. You should fully understand any tool you will be using before using it in production with client data.
2 – Before the Snap – Red Team Recon
Chapter Two gets us right into the hands-on work and tool recommendations. One of the first tools discussed is EyeWitness, something I use on almost every engagement. This tool is great for speeding up your review of detected web servers. You can feed in Nmap results (-oX) or Nessus scan results (.nessus). The report generated gives you a screenshot of each web server identified, and takes an initial stab at organizing by “type”.
Discover was another great tool discussed in Chapter Two. This was great to see, as I had forgotten how useful this set of scripts was. I am glad to have it back in my recon rotation.
Bucket Finder was an interesting read. I do not have much experience testing against major AWS implementations, but we know from the recurring news stories that misconfigured cloud services are an ongoing concern.
Lastly, no discussion around recon is complete without mentioning the OSINT Framework. This site collects a massive amount of recon tools and organizes them by type. This is worth having as a “must check” for any engagement.
3 – The Throw – Web Application Exploitation
Web applications are not my strong suit, so this chapter’s labs were very beneficial for me. In talking with teammates who are stronger with web app testing, this chapter did a decent job of covering “the basics”. My favorite take-away was the Polyglot XSS payloads. Evading these XSS attempts seems to be a steep uphill battle.
If nothing else, this chapter brought back some guilt for giving up on working my way through The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws. I did not have a solid understanding of the concepts a few years ago, and the book has sat unloved on my bookshelf ever since. Perhaps it is time that gets moved into the “To-Read” pile.
4 – The Drive – Compromising the Network
This chapter was the most applicable to my engagements. I was happy to see several tools I already use, but learned a lot about living off the land. This was especially evident in some of the Empire features I have not used before. In addition to a lot of slick Empire modules, there are a bunch of built-in utilities in Active Directory that can provide a TON of information. One such instance was using “Dump LAPS passwords with ldapsearch”. Active Directory seems to be a bottomless rabbit hole of “features” that come back to work in the attacker’s favor. Service Principal Names was one such feature – plenty useful for administration, but also massively useful for an attacker. Tay captures the emotion perfectly in this rant:
I am also realizing that I need to do a deep dive into learning PowerShell beyond being a script kiddie. I know enough to use some of the simple .ps1 scripts, but tools like PowerSploit bring a ton of oomph to your toolbox.
Another great reference was the GitHub repo for the Red Team Field Manual. While I like having the book as a quick reference for certain things I know and just need help with which flags I want, having a searchable database helps find things I either don’t know or have forgotten.
There are a ton more tools and techniques I did not include in the write-up – this chapter is one I will be revisiting for sure.
5 – The Screen – Social Engineering
This chapter mainly focused on getting malicious files to an end user, such as macros and embedded files. In my experience this is a less commonly successful attack vector unless you spend the time to carefully create a tailored attack. The VBad tool discussed seemed the best tool for this.
The approach that seems the most practical for the client environments I see most often was Abusing Microsoft Word Features for Phishing: “subDoc”.
6 – The Onside Kick – Physical Attacks
Physical attacks are the really exciting techniques to read about. These are the engagements all the kids want to hear about – you get paid to physically break into an organization. This chapter addresses several useful physical attack methods, outside of the typical social engineering tactics used to bypass human security.
One of the tried-and-true techniques is simply using the canned air keyboard cleaners to bypass a locked door. Almost every company that uses proximity card locks to enter an area uses a motion sensor on the interior to unlock for exit. This may be for convenience, or by fire code in certain areas. Either way, seeing how easy these are to exploit for entry should have you reconsider:
There is also some great coverage on attacking workstations once you have gained access to the environment. The Hak5 tools provide several options for exfiltrating sensitive data and credentials.
Lastly, this chapter includes coverage of “dropboxes” – machines you can connect to the network, leave behind, and have a VPN connection back to a server you control. This gives you a persistent connection into the network.
7 – The Quarterback Sneak – Evading AV and Network Detection
Many of the chapters in this book can be (and have been) broken out into full books focused on the singular topic. Evading AV and Network Detection is the chapter that calls for this detail the most.
Over the last few years, the Blue Teams have gotten better at detecting common Red Team TTPs – pushing the attackers to mask their tools and post-exploit activity. This chapter covers many tools you can use to mask your payloads, as well as the concepts behind obfuscation and compiling your own code.
In general, red team engagements require significantly more skill, as these obfuscation techniques need to be considered. A standard penetration test is less concerned with being detected, and instead focuses on finding as many ways into the network as possible. Being able to mask your attack and act in a covert manner provides a more thorough test of detection capabilities – both of the tools deployed and the analysts charged with monitoring the environment.
8 – Special Teams – Cracking, Exploits, and Tricks
Who doesn’t love password cracking? That is one of the areas in penetration testing / red teaming that I find incredibly interesting – not only the methods for securing passphrases, but also looking at the cleartext results and learning more about the target employees.
There is also some coverage around PS logging – which is important since many of the popular tools in use today are written in PS. While this is important, I have seen many organizations flat-out block PS from running, which makes many of these tools fall flat (initially).
9 – Two-Minute Drill – From Zero to Hero
Two-Minute Drill is a great way to describe the feeling of time ticking down in an engagement, and you not having that final flag, whatever it may be. This chapter presents a fun high-level overview of an engagement from start to finish, with a condensed timeline. Plus – what good is owning a network if you can’t Rick Roll someone?
10 – Post Game Analysis – Reporting
This is where the money is made. There is a saying that floats around a lot “I hack for free, but you pay me for the report”. The author notes the other THP books include more generic penetration test report templates, which are worth checking out. The biggest point to stress here is highlighting the client “wins”. A red team engagement is testing the Blue Team – if they catch you – call it out!
I have included a link below to a GitHub repository with some pretty good report templates to take a look at, as well as a talk from WWHF 2018 that did an awesome job breaking down good and bad reporting examples.