Hands-On Red Team Tactics
Himanshu Sharma, Harpreet Singh
Updated: 2021-08-13 15:37:38
Latest chapter: Leave a review - let other readers know what you think
Cover
Title Page
Copyright and Credits
Hands-On Red Team Tactics
Packt Upsell
Why subscribe?
Packt.com
Contributors
About the authors
About the reviewers
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Get in touch
Reviews
Disclaimer
Red-Teaming and Pentesting
Pentesting 101
OWASP
Open Source Security Testing Methodology Manual (OSSTMM)
Information Systems Security Assessment Framework (ISSAF)
Penetration Testing Execution Standard (PTES)
Pre-engagement interactions
Intelligence gathering
Threat modeling
Vulnerability analysis
Exploitation
Post-exploitation
Reporting
A different approach
Methodology
How is it different?
Summary
Questions
Further reading
Pentesting 2018
Technical requirements
MSFvenom Payload Creator
Resource file
Koadic
Installation
Why use MSHTA as the dropper payload?
Terminology
Stager establishment
Payload execution
Running Implants
Pivoting
Summary
Questions
Further reading
Foreplay - Metasploit Basics
Technical requirements
Installing Metasploit
Running Metasploit
Auxiliaries
Exploits
Payloads
Encoders
Meterpreter
Armitage and team server
Metasploit with slack
Armitage and Cortana scripts
Summary
Questions
Further reading
Getting Started with Cobalt Strike
Technical requirements
Planning a red-team exercise
Cyber kill chain (CKC)
Reconnaissance
Weaponization
Delivery
Exploitation
Installation
Command and Control Server
Actions
Objective and goal
Rules of Engagement (RoE)
Scenario/strategy
Deliverables
Introduction to Cobalt Strike
What is a team server?
Cobalt Strike setup
Cobalt Strike interface
Toolbar
Connecting to another team server
Disconnecting from the team server
Configure listeners
Session graphs
Session table
Targets list
Credentials
Downloaded files
Keystrokes
Screenshots
Payload generation – stageless Windows executable
Payload generation – Java signed applet
Payload generation – MS Office macros
Scripted web delivery
File hosting
Managing the web server
Server switchbar
Customizing the team server
Summary
Questions
Further reading
./ReverseShell
Technical requirement
Introduction to reverse connections
Unencrypted reverse connections using netcat
Encrypted reverse connections using OpenSSL
Introduction to reverse shell connections
Unencrypted reverse shell using netcat
Encrypted reverse shell for *nix with OpenSSL packages installed
Encrypted reverse shell using ncat
Encrypted reverse shell using socat
Encrypted reverse shell using cryptcat
Reverse shell using powercat
reverse_tcp
reverse_tcp_rc4
reverse_https
reverse_https with a custom SSL certificate
Meterpreter over ngrok
Reverse shell cheat sheet
Bash reverse shell
Zsh reverse shell
TCLsh/wish reverse shell
Ksh reverse shell
Netcat reverse shell
Telnet reverse shell
(G)awk reverse shell
R reverse shell
Python reverse shell
Perl reverse shell
Ruby reverse shell
Php reverse shell
Lua reverse shell
Nodejs reverse shell
Powershell reverse shell
Socat reverse shell over TCP
Socat reverse shell over UDP
Socat reverse shell over SSL (cert.pem is the custom certificate)
Summary
Questions
Further reading
Pivoting
Technical requirements
Pivoting via SSH
Meterpreter port forwarding
Pivoting via Armitage
Multi-level pivoting
Summary
Further reading
Age of Empire - The Beginning
Technical requirements
Introduction to Empire
Empire setup and installation
Empire fundamentals
Phase 1 – Listener Initiation
Phase 2 – Stager Creation
Phase 3 – Stager Execution
Phase 4 – Acquiring Agent
Phase 5 – Post Module Operations
Empire post exploitation for Windows
Empire post exploitation for Linux
Empire post exploitation for OSX
Popping up a Meterpreter session using Empire
Slack notification for Empire agents
Summary
Questions
Further reading
Age of Empire - Owning Domain Controllers
Getting into a Domain Controller using Empire
Automating Active Directory exploitation using the DeathStar
Empire GUI
Summary
Questions
Further reading
Cobalt Strike - Red Team Operations
Technical requirements
Cobalt Strike listeners
Foreign-based listeners
Cobalt Strike payloads
Beacons
The beacon menu
Explore menu
Beacon console
Pivoting through Cobalt Strike
Aggressor Scripts
Summary
Questions
Further reading
C2 - Master of Puppets
Technical requirements
Introduction to C2
Cloud-based file sharing using C2
Using Dropbox as the C2
Using OneDrive as the C2
C2 covert channels
TCP
UDP
HTTP(S)
DNS
ICMP
Summary
Questions
Further reading
Obfuscating C2s - Introducing Redirectors
Technical requirements
Introduction to redirectors
Obfuscating C2 securely
Short-term and long-term redirectors
Redirection methods
Dumb pipe redirection
Filtration/smart redirection
Domain fronting
Summary
Questions
Further reading
Achieving Persistence
Technical requirements
Persistence via Armitage
Persistence via Empire
Persistence via Cobalt Strike
Summary
Further reading
Data Exfiltration
Technical requirements
Exfiltration basics
Exfiltration via Netcat
Exfiltration via OpenSSL
Exfiltration with PowerShell
CloakifyFactory
Running CloakifyFactory on Windows
Data exfiltration via DNS
Data exfiltration via Empire
Summary
Questions
Further reading
Assessment
Chapter 1: Red-Teaming and Pentesting
Chapter 2: Pentesting 2018
Chapter 3: Foreplay – Metasploit Basics
Chapter 4: Getting Started with Cobalt Strike
Chapter 5: ./ReverseShell
Chapter 7: Age of Empire – The Beginning
Chapter 8: Age of Empire – Owning Domain Controllers
Chapter 9: Cobalt Strike – Red Team Operations
Chapter 10: C2 – Master of Puppets
Chapter 11: Obfuscating C2s – Introducing Redirectors
Chapter 13: Data Exfiltration
Other Books You May Enjoy
Leave a review - let other readers know what you think