Red team fundamentals
The offensive team, also known as the red team, is the team that attacks the company, within a pre-defined scope, to help it harden its systems and processes.
- Look for vulnerabilities (bugs, loopholes, weak processes)
- Try to exploit them
- Suggest patches/measures to mitigate each vulnerability
It requires someone knowledgeable about:
- Web: HTML/CSS/JS/Node/PHP
- Databases: SQL/NoSQL/PL/SQL
- Networking: Bash/PowerShell/Network
- Cloud: Docker/...
- ...
There are 3 kinds of penetration tests; depending on the knowledge you have of the target, you will test different things:
- Black box: no knowledge about the target
- Grey box: partial knowledge about the target
- White box: complete knowledge about the target
Some jobs in the red team are:
- Red Teamer: plays the hacker and provides feedback from an adversary's perspective. They test the company's response.
- Penetration tester: tries to find vulnerabilities in a system, a network, or an application. Performs security assessments and audits. Recommends actions to prevent attacks.
- Security Engineer: implements and maintains security controls, handles threat protection... to help prevent cyberattacks and protect data.
When working with a client, the penetration tester and the system owner together define the Rules of Engagement (ROE):
- The scope of the test (servers, hosts, etc.)
- The rules of the test (techniques allowed, no downtime, etc.)
- Concrete objectives (system misconfiguration, etc.)
- ...
Everything outside the scope is illegal. See the SANS ROE template.
Note that it's common to record your screen/terminal during the penetration test, either for review or as evidence of every action taken.
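As an added example (not from the original notes), here is a small Python guard that ties the two points above together: it refuses any target outside the agreed ROE scope and keeps a timestamped, hash-chained log of every attempted action, so the tester can later prove what was (and was not) done. The scope entries and action names are constructed placeholders.

```python
"""Rules-of-Engagement guard (constructed example): refuse targets outside
the agreed scope and keep a timestamped, hash-chained log of every action."""
import hashlib
import ipaddress
from datetime import datetime, timezone

# Constructed scope, as a client might list it in the ROE document.
ROE_SCOPE = ["10.10.0.0/16", "192.168.56.101", "2001:db8:10::/48"]

def parse_scope(entries):
    """Turn ROE entries (CIDR ranges or single hosts) into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def in_scope(target, scope):
    """True only if the target address lies inside one of the ROE ranges."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return False  # hostnames are not resolved here: resolve, then re-check the IP
    return any(addr in net for net in scope)

class EngagementLog:
    """Append-only action log: each entry commits to the previous entry's hash,
    so an altered or inserted line shows up when the log is reviewed later."""
    def __init__(self):
        self.entries = []
        self.prev_hash = "0" * 64

    def record(self, target, action, allowed):
        ts = datetime.now(timezone.utc).isoformat(timespec="seconds")
        line = f"{ts} {target} {action} {'ALLOWED' if allowed else 'BLOCKED'}"
        digest = hashlib.sha256((self.prev_hash + line).encode()).hexdigest()
        self.entries.append((line, digest))
        self.prev_hash = digest
        return digest

    def verify(self):
        """Recompute the chain; False if any entry was altered after the fact."""
        prev = "0" * 64
        for line, digest in self.entries:
            if hashlib.sha256((prev + line).encode()).hexdigest() != digest:
                return False
            prev = digest
        return True

def guarded_action(target, action, scope, log):
    """Gate a test action on the ROE scope and log the decision either way."""
    allowed = in_scope(target, scope)
    log.record(target, action, allowed)
    return allowed
```

Blocked attempts are logged too, since a recorded refusal is as useful as evidence as a recorded action.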
Methodology
The Cyber Kill Chain model identifies 7 steps in the hacking process:
- Reconnaissance: investigate the target (passive and active recon)
- Weaponization: create/prepare an exploit
- Delivery: deliver your exploit
- Exploitation: trigger the exploit
- Installation: install malware
- Command & Control: get a remote shell on the victim
- Actions on objective: accomplish the goal
The Unified Kill Chain is a more developed/detailed version.
For a penetration tester, the process looks more like this:
- Investigation (passive): information gathering
- Discovery (active): enumerate/scan the target to find running applications and services
- Exploitation: find a way to get in, get a foothold
- Privilege Escalation: try to get root/administrator (horizontal/vertical escalation)
- Post-exploitation: accomplish the goal, hide your traces...
Operating system
We usually use a Linux distro, mostly on a VM, to practice.
Kali Linux
You can download the Kali ISO here. On VirtualBox, you have to select Linux 2.6/3.x/4.x/5.x (64-bit) and tune the settings.
- Username: kali / Password: kali
- Don't forget to run `sudo apt update && sudo apt upgrade`
- Run `wordlists` and press Y to extract the rockyou.txt wordlist. Location: `/usr/share/wordlists/rockyou.txt`.
- Windows binaries and tools: `/usr/share/windows-resources/`
Swap to another keyboard layout
- First, log in
- Click on the Kali icon (top left)
- Search "Keyboard"
- Select the Keyboard utility
- Go to the Layout tab
- Add a keyboard layout (ex: fr-FR/AZERTY)
- Remove the unused QWERTY layout
The change is applied immediately, but on the login screen the keyboard layout will still be QWERTY.
To change the login keyboard, edit the LightDM configuration and restart it:
```
$ sudo nano /etc/lightdm/lightdm.conf
# add the setxkbmap line for your layout under the [Seat:*] section
[Seat:*]
greeter-setup-script=/usr/bin/setxkbmap fr
$ sudo systemctl restart lightdm
```
Tips and tricks
- Use the right arrow key to accept the suggested command
- In the top-right corner, you can find your IP address (tun0)
- Heavily use `locate <name>` (don't forget `sudo updatedb`) to search for installed scripts/wordlists/...
BackBox Linux
BackBox is a penetration testing distro.
Parrot Linux
Parrot is a popular alternative to Kali Linux.
- There is a wide range of tools pre-installed
- `sudo 7z x /usr/share/wordlists/rockyou.txt.gz` extracts the rockyou.txt wordlist (into the current directory; run it from `/usr/share/wordlists` or pass `-o/usr/share/wordlists`). Location: `/usr/share/wordlists/rockyou.txt`.
- The `.config` folder holds the UI configuration... You can copy it to another user; you need to log back in to see the changes.
- `sudo apt-get -y install ftp`
- To download Debian 10 packages, run `sudo nano /etc/apt/sources.list` and add `deb http://deb.debian.org/debian buster main`.
BlackArch
BlackArch is mostly used by Arch Linux users, as an alternative to Parrot and Kali Linux.
CTF virtual machines
You may install a system/application on a Virtual Machine, to locally attempt to break into it or test some commands/tools.
Metasploitable Vulnerable VM
Metasploitable is an intentionally misconfigured/vulnerable VM. There is no graphical interface. You can switch to AZERTY with `sudo loadkeys fr`.
- Download Metasploitable 2
- Download Metasploitable 3
- Username: `msfadmin` / Password: `msfadmin`
DarkStar7471
DarkStar is a THM staff member who made many rooms on THM. You can download the VM they used in their rooms here.
Active Directory
The Game of Active Directory (GOAD) (4.0k ★) is an Active Directory lab. It was designed by the French company Orange.
Web applications
- See OWASP Juice Shop (9.3k ★) | THM juiceshop | multi-juicer
- See OWASP Mutillidae (1.2k ★) | THM mutillidae
- Damn Vulnerable Web Application (DVWA) (9.1k ★) / THM DVWA
- WebGoat (6.4k ★)
- pygoat (0.2k ★, Django)
- bWAPP (0.1k ★, 2014) and bWAPP solutions (0.2k ★)
Random CTFs
- Root the Box (0.9k ★)
- fbctf (6.5k ★)
Transfer files
Moved to a separate page: Files Transfer.
Wordlists
Moved to a separate page: wordlists.
To-do
Stuff that I found, but never read/used yet.
- Varonis Cyber Kill Chain
- cyberkillchainzmt
- unifiedkillchain
- pwndoc (pentest report)
- writehat (pentest report)
- Log date/time of pentest, so in the case of attack, you can prove it wasn't you (ex: `Start-Transcript`).
- encrypt VBox VM
- Penetration Testing Execution Standard (PTES)
- Open Source Security Testing Methodology Manual OSSTMM
- MSTG
- Firmware Security Testing Methodology, lab401
- DREAD
- Exegol
Additional Notes
- Notes (OneNote, Evernote, Notion, Cherrytree)
- Joplin
- keepnote
- List exploited systems (IP, method), compromised users (name, method, type=local?), artifacts created, changes made (system or not), etc.
- AdminExile