Red team fundamentals


The offensive team, also known as the red team 📕, is the team that attacks the company, within a pre-defined scope, to help it harden its systems and processes.

  • 🔎 Look for vulnerabilities (bugs, loopholes, processes)
  • 💥 Try to exploit them
  • 💰 Suggest patches/measures to mitigate each vulnerability

It requires someone to be knowledgeable about:

  • 🌍 Web: HTML/CSS/JS/Node/PHP
  • 🗃️ Databases: SQL/NoSQL/PLSQL
  • 📶 Networking: Bash/PowerShell/Network
  • ☁️ Cloud: docker/...
  • ...

There are 3 kinds of penetration tests; the amount of knowledge you are given about the target determines what you will test:

  • ⬛ Black box: No knowledge about the target
  • 🌫️ Grey box: A partial knowledge about the target
  • ⬜ White box: A complete knowledge about the target

Some jobs in the red team are:

  • Red Teamer: plays the attacker and provides feedback from an adversary's perspective. They test the company's response.
  • Penetration tester: tries to find vulnerabilities in a system, a network, or an application. Performs security assessments and audits. Recommends actions to prevent attacks.
  • Security Engineer: implements and maintains security controls, handles threat protection, etc., to help prevent cyberattacks and protect data.

When working with a client, the penetration tester and the system owner together define the Rules of Engagement (ROE):

  • 🎯 The scope of the test (servers, hosts, etc.)
  • 🤠 The rules of the test (techniques allowed, no downtime, etc.)
  • 💵 Concrete objectives (system misconfiguration, etc.)
  • ...

Everything outside the scope is illegal. See the SANS ROE template.

➡️ Note that it's common to record your screen/terminal during the penetration test, either for review, or as evidence of any actions taken.


Methodology

The Cyber Kill Chain model identifies 7 steps in the hacking process:

  1. 🔎 Reconnaissance: investigate the target (passive and active recon)
  2. 🔫 Weaponization: create/prepare an exploit
  3. 📩 Delivery: deliver your exploit
  4. 🎁 Exploitation: trigger the exploit
  5. 💥 Installation: install malware
  6. 🧑‍💻 Command&Control: get a remote shell on the victim
  7. 🍾 Actions on objective: accomplish the goal

The Unified Kill Chain is a more developed/detailed version.

For a penetration tester, the workflow looks more like this:

  • 🔎 Investigation (passive): information gathering
  • 🔎 Discovery (active): enumerate/scan the target to find running applications and services
  • 💥 Exploitation: find a way to get in, get a foothold
  • 👑 Privilege Escalation: try to get root/administrator (horizontal/vertical escalation)
  • 🧼 Post-exploitation: accomplish the goal, hide your traces...

Operating system 🦘

We usually use a Linux distro, mostly on a VM, to practice.

Kali Linux

You can download the Kali ISO here. On VirtualBox, you have to select Linux 2.6/3.x/4.x/5.x (64-bit) and tune the settings.

  • Username: kali / Password: kali
  • Don't forget to use sudo apt update / sudo apt upgrade
  • Run wordlists and press Y to extract the rockyou.txt wordlist. Location: /usr/share/wordlists/rockyou.txt.
  • Windows binaries and tools: /usr/share/windows-resources/

Swap to another keyboard layout 🔥
  • First, log in
  • Click on Kali icon (top left)
  • Search "Keyboard"
  • Select the Keyboard Utility
  • Go to the layout tab
  • Add a keyboard layout (ex: fr-FR/AZERTY)
  • Remove the unused QWERTY layout

The change is applied immediately... But on the login screen, the keyboard layout will still be QWERTY ⚠️

To change the login keyboard, you can use:

$ sudo nano /etc/lightdm/lightdm.conf
# add the correct setxkbmap line
[Seat:*]
greeter-setup-script=/usr/bin/setxkbmap fr
$ sudo systemctl restart lightdm
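
An added example (my own, not from the page): a small Python script that applies the same lightdm.conf change idempotently, so re-running it never duplicates the greeter-setup-script key and a commented-out copy (as shipped in the default file) is replaced rather than left beside the new line. It assumes the INI-style [Seat:*] section and /usr/bin/setxkbmap path shown above; the script name and the argument order are my own.

```python
"""Idempotently set the LightDM greeter keyboard layout.

Added example, not from the page. Assumptions (mine): the config uses
INI-style sections, the relevant section is [Seat:*] as on Kali, and
setxkbmap lives in /usr/bin. Usage (hypothetical file name):
    sudo python3 set_greeter_layout.py /etc/lightdm/lightdm.conf fr
"""
import re
import sys

KEY = "greeter-setup-script"


def set_greeter_layout(conf_text: str, layout: str) -> str:
    """Return conf_text with `greeter-setup-script=/usr/bin/setxkbmap <layout>` in [Seat:*].

    Handles three cases: the key already exists (possibly commented out),
    the section exists without the key, and the section is missing entirely.
    """
    # Only accept a plain xkb layout name: the value ends up in a command line.
    if not re.fullmatch(r"[a-z]{2,3}", layout):
        raise ValueError(f"refusing suspicious layout name: {layout!r}")
    wanted = f"{KEY}=/usr/bin/setxkbmap {layout}"
    key_re = re.compile(rf"#?\s*{re.escape(KEY)}\s*=")

    out, in_seat, seat_seen, done = [], False, False, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # Leaving [Seat:*] without having written the key: add it now.
            if in_seat and not done:
                out.append(wanted)
                done = True
            in_seat = line == "[Seat:*]"
            seat_seen = seat_seen or in_seat
            out.append(raw)
            continue
        if in_seat and key_re.match(line):
            # Replace the first (possibly commented) copy, drop any others.
            if not done:
                out.append(wanted)
                done = True
            continue
        out.append(raw)

    if not done:
        if not seat_seen:
            out.append("[Seat:*]")
        out.append(wanted)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    path, layout = sys.argv[1], sys.argv[2]
    with open(path) as f:
        original = f.read()
    with open(path, "w") as f:
        f.write(set_greeter_layout(original, layout))
```

The layout name is validated before it is written because the value becomes part of a command executed by the greeter as root; rejecting anything but a short alphabetic code keeps a typo or a pasted value from turning into an unintended command.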

Tips and tricks 🪄
  • Use the right arrow key to use the suggested command

  • In the top-right corner, you can find your IP address (tun0)

  • Heavily use locate <name> (don't forget sudo updatedb) to search for installed scripts/wordlists/...


BackBox Linux 🥔

BackBox is a penetration testing distro.

Parrot Linux 🦜

Parrot is a popular alternative to Kali Linux.

  • There are a wide range of tools pre-installed
  • sudo 7z x /usr/share/wordlists/rockyou.txt.gz to extract rockyou.txt wordlist. Location: /usr/share/wordlists/rockyou.txt.
  • The ~/.config directory holds the UI configuration. You can copy it to another user; they need to log back in to see the changes.
  • sudo apt-get -y install ftp
  • To download Debian 10 packages, sudo nano /etc/apt/sources.list and add deb http://deb.debian.org/debian buster main.

BlackArch 😶‍🌫️

BlackArch is mostly used by ArchLinux users, as an alternative to Parrot and Kali Linux.


CTF virtual machines 🔫

You may install a system/application on a Virtual Machine, to locally attempt to break into it or test some commands/tools.

Metasploit Vulnerable VM 💣

The Metasploit vulnerable VM is an intentionally misconfigured/vulnerable VM. There is no graphical interface. You can switch to AZERTY with sudo loadkeys fr.


DarkStar7471 🌠

DarkStar is a THM staff member who made many rooms on THM. You can download the VM they used in their rooms here.

Active Directory 🛟

The Game of Active Directory (GOAD) (4.0k ⭐) is an Active Directory lab. It was designed by the French company "Orange".


Web applications 🌍


Random CTFs


Transfer files 🛅

Moved to a separate page: Files Transfer.


Wordlists ⛪

Moved to a separate page: wordlists.


👻 To-do 👻

Stuff that I found, but never read/used yet.

Additional Notes

  • Notes (OneNote, Evernote, Notion, Cherrytree)
  • List exploited systems (IP, method), compromised users (name, method, type=local?), artifacts created, (system or not) changes, etc.
  • AdminExile
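
An added example (my own, not from the page) tying the Rules of Engagement section to the note above on listing exploited systems, compromised users, artifacts and changes: an engagement log that refuses to record any target outside the agreed scope, and that produces the end-of-test cleanup checklist from the artifacts and changes recorded. The scope networks, host names and log entries are constructed sample data.

```python
"""Engagement record keeping with a Rules of Engagement scope check.

Added example, not from the page. All scope entries, hosts and log
details below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import ipaddress


@dataclass
class Scope:
    networks: list                                  # CIDRs agreed in the ROE
    hosts: set                                      # hostnames agreed in the ROE
    excluded: list = field(default_factory=list)    # CIDRs explicitly out of bounds

    def contains(self, target: str) -> bool:
        """True only if target is an agreed host/network and not in an exclusion."""
        try:
            ip = ipaddress.ip_address(target)
        except ValueError:
            return target.lower() in self.hosts      # not an IP: match by hostname
        if any(ip in ipaddress.ip_network(n, strict=False) for n in self.excluded):
            return False
        return any(ip in ipaddress.ip_network(n, strict=False) for n in self.networks)


@dataclass
class Entry:
    kind: str      # "system", "user", "artifact" or "change"
    target: str    # IP or hostname
    detail: str    # method / account / file path / what was changed
    when: str      # ISO-8601 UTC timestamp


class EngagementLog:
    def __init__(self, scope: Scope):
        self.scope = scope
        self.entries = []

    def record(self, kind: str, target: str, detail: str, when: str = None) -> Entry:
        """Append an entry; out-of-scope targets are rejected rather than logged."""
        if not self.scope.contains(target):
            raise PermissionError(f"{target} is outside the agreed scope; not recording")
        if kind not in ("system", "user", "artifact", "change"):
            raise ValueError(f"unknown entry kind: {kind!r}")
        when = when or datetime.now(timezone.utc).isoformat(timespec="seconds")
        entry = Entry(kind, target, detail, when)
        self.entries.append(entry)
        return entry

    def cleanup_checklist(self) -> list:
        """Everything that must be removed or reverted before the test is closed."""
        return [f"{e.target}: {e.kind} -> {e.detail}"
                for e in self.entries if e.kind in ("artifact", "change")]

    def summary(self) -> dict:
        """Count of entries per kind, for the report."""
        counts = {}
        for e in self.entries:
            counts[e.kind] = counts.get(e.kind, 0) + 1
        return counts


def demo() -> EngagementLog:
    """Constructed walk-through: one foothold, one uploaded file, one config change."""
    scope = Scope(networks=["10.10.0.0/16"], hosts={"app.lab.local"},
                  excluded=["10.10.99.0/24"])
    log = EngagementLog(scope)
    t = "2024-01-01T00:00:00+00:00"
    log.record("system", "10.10.5.7", "default credentials on admin panel", t)
    log.record("user", "10.10.5.7", "webadmin (local, reused password)", t)
    log.record("artifact", "10.10.5.7", "/tmp/enum.sh (uploaded script)", t)
    log.record("change", "app.lab.local", "test account pt-svc created", t)
    return log


if __name__ == "__main__":
    log = demo()
    print(log.summary())
    print("\n".join(log.cleanup_checklist()))
```

Checking scope before writing the entry, rather than after the fact, keeps the log itself honest: a target that should never have been touched cannot quietly appear in the report, and the exclusion list wins over the allow list, which matches how ROE carve-outs (production databases, third-party hosts) are usually written.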