Penetration Testing vs Red Teams

Penetration Testing vs Red Teams

• Penetration Testing: a rigorous and methodical testing of a network, application, hardware, etc., involving scoping, intel gathering, vulnerability analysis, exploitation, post-exploitation, and reporting.
• Traditional network testing involves scanning for vulnerabilities, finding and exploiting systems or applications, and creating a matrix of vulnerabilities, patching issues, and actionable results.
• Penetration tests are well-defined, limited to a short assessment period (1-2 weeks), and usually announced to the company's internal security teams.

Current Security Landscape

• Despite having vulnerability management programs, secure software development life cycles, penetration testers, incident response teams, and expensive security tools, companies still get compromised.
• Many recent breaches occurred at large and mature companies, with some compromises lasting over 6 months before detection.
• Almost one-third of all businesses were breached in 2017.

Red Teams

• Red Teams emulate the tactics, techniques, and procedures (TTPs) of adversaries to identify gaps in a company's security program, identify skill gaps in employees, and increase their security posture.
• Red Teams' goals are to provide real-world and hard facts on how a company will respond, detect, and recover from an attack.
• Red Team campaigns are not as methodical as penetration tests, and every test can differ significantly.
• Campaigns may focus on getting personally identifiable information, credit cards, or domain administrative control.

Key Differences between Penetration Tests and Red Teams

• In penetration tests, getting domain admin control is a key goal, whereas in Red Team campaigns, this may not be the primary objective.
• Red Teams may ignore the Domain Controller (DC) in favor of lower-key targets, as DCs are often heavily protected.
• Red Teams rarely run vulnerability scans against the internal network.
• Red Teams work with a limited group of people inside the company to execute a custom malware payload on a server, which tries to connect out in multiple ways and bypass common AV.

Setting Up a Red Team Campaign

• Red Team campaigns start with clear objectives, such as APT detection, getting a flag on a server, getting data from a database, or achieving time-to-detect (TTD) metrics.
• Objectives may involve using specific techniques from the MITRE ATT&CK Matrix.
• The team must decide on the tools to use, such as COTS offensive tools or custom tools.
• Getting caught is a natural part of the assessment, and some campaigns may involve getting caught multiple times to test the client's defenses.

Introduction to The Hacker Playbook 3

• The Hacker Playbook 3 is a practical guide to penetration testing, focusing on red teaming
• The book is written by Peter Kim, with a dedication to his family and a note on copyright

Overview of the Book

• The book covers new vulnerabilities and attacks from the past couple of years
• Topics include:
  • Abusing Active Directory and Kerberos
  • Advanced web attacks
  • Lateral movement attacks
  • Cloud vulnerabilities
  • Faster and smarter password cracking
  • Living off the land
  • Privilege escalation
  • PowerShell attacks
  • Ransomware attacks
  • Red team vs penetration testing
  • Setting up a red team infrastructure
  • Usable red team metrics
  • Writing malware and evading AV

Author's Background and Goals

• The author has 12+ years of experience in penetration testing and red teaming
• He has worked with major financial institutions, utility companies, Fortune 500 entertainment companies, and government organizations
• He has taught offensive network security at colleges and spoken at security conferences
• His goal is to teach and challenge others, and to provide a more realistic approach to penetration testing

Notes and Disclaimer

• Do not attempt to find vulnerable servers or exploits without proper approval
• Do not try to perform attacks in this book without proper approval
• Always follow the law and respect the privacy of others
• There are legal ways to practice hacking, such as bug bounty programs and vulnerable sites/VMs

Introduction to Red Teaming

• Red teaming is about simulating real-world attacks to test a company's security
• The goal is to identify gaps in a company's security program, rather than just finding vulnerabilities
• Red teams use tactics, techniques, and procedures (TTPs) similar to those used by adversaries
• Red teams may ignore the domain controller and focus on other targets, unlike penetration tests
• Red teams do not perform vulnerability scans, as they are loud and may be detected
• Red teams may use social engineering, beaconing, and other tactics to simulate real-world attacks

Penetration Testing vs Red Teaming

• Penetration testing is a more methodical and rigorous testing of a network, application, or system
• Penetration testing is focused on finding vulnerabilities and exploitation, whereas red teaming is focused on simulating real-world attacks
• Penetration testing is typically limited to a short period of time (e.g. 2 weeks), whereas red teaming can last from 2 weeks to 6 months
• The outcome of a penetration test is a list of vulnerabilities, whereas the outcome of a red team engagement is a list of gaps in a company's security program### Red Teams vs Penetration Tests
• Red Teams focus on simulating real-world attacks to test the overall security program, whereas penetration tests focus on identifying vulnerabilities.
• Red Teams have a more flexible scope and can last from 1 week to 6 months, with no announcement to the target company.
• The goal of Red Teams is to provide value to the company by showing how the security program is running, not just counting vulnerabilities.

Time To Detect (TTD) and Time To Mitigate (TTM)

• TTD is the time between the initial occurrence of an incident to when an analyst detects and starts working on the incident.
• TTM is the time recorded when the firewall block, DNS sinkhole, or network isolation is implemented.
• These metrics are valuable for Red Teams to measure the effectiveness of a company's security program.

Assumed Breach Exercises

• Companies should assume they have already been breached and focus on detection and mitigation.
• Assumed breach exercises involve working with a limited group of people to get a custom malware payload to execute on a server, and then testing the client's ability to identify and mitigate against secondary and tertiary steps.

Setting Up a Red Team Campaign

• Objectives include what the end goal is, such as APT detection, flag on a server, or data from a database.
• Techniques used include those from the MITRE ATT&CK Matrix, which provides a detailed breakdown of different TTPs commonly used in attacks.
• Tools used can be COTS offensive tools like Metasploit, Cobalt Strike, or custom tools.

Setting Up External Servers

• Services such as Digital Ocean Droplets and Amazon Web Services (AWS) Lightsail servers can be used to configure VPS servers.
• Ubuntu servers can be set up with Metasploit and Empire services.
• IPTables rules should be set up to limit where SSH authentications can initiate from, and where Empire/Meterpreter/Cobalt Strike payloads can come from.

Tools of the Trade

• Metasploit Framework is a gold standard tool for Red Teams, with a community-driven framework that is updated daily.
• Cobalt Strike is a tool for post exploitation, lateral movement, staying hidden in the network, and exfiltration.
• Obfuscating Meterpreter payloads can be used to evade detection, using tools like Unicorn to generate more obfuscated PowerShell Meterpreter payloads.

Red Team Infrastructure

• Redirectors can be used to make it difficult to identify the C2 domain associated with the attack.
• Domain Fronting can be used to make use of other people's domains and infrastructures as redirectors for the controller.
• Cobalt Strike supports SMB Beacons between hosts for C2 communication, allowing for more secure communication.### HTTP Requests and Custom Profiles
• HTTP requests with URI paths are used in campaigns
• Host headers are set to Amazon and custom Server headers are sent back from the C2 server
• Static strings are modified, UserAgent information is changed, and SSL is configured with real certificates to evade signatures

Cobalt Strike Aggressor Scripts

• Aggressor Script is a scripting language for Red Team operations and adversary simulations
• It allows creation of long-running bots that simulate virtual Red Team members and extension of the Cobalt Strike client
• Examples of Aggressor Scripts can be found on the Cobalt Strike website and on GitHub

PowerShell Empire

• PowerShell Empire is a post-exploitation framework with a pure-PowerShell Windows agent and a pure Python 2.6/2.7 Linux/OS X agent
• It offers cryptologically-secure communications and a flexible architecture
• Features include:
  • Ability to run PowerShell agents without needing powershell.exe
  • Rapidly deployable post-exploitation modules
  • Adaptable communications to evade network detection
• Empire is actively maintained and updated with new post-exploitation modules

Configuring Empire

• Set up Empire with a real trusted SSL certificate
• Change the DefaultProfile endpoints and User Agent
• Configure the listener and settings
• Create a payload (e.g., a bat file or Office Macro)

dnscat2

• dnscat2 is a tool that creates an encrypted Command and Control (C2) channel over the DNS protocol
• It allows for exfiltration and evades network sensors
• Configure an authoritative DNS server for a malicious domain
• Set up a dnscat2 server and client
• Use a secret flag to encrypt communication within DNS requests

Other C2 Tools

• Pupy Shell: an opensource, cross-platform remote administration and post-exploitation tool
• PoshC2: a proxy aware C2 framework written in PowerShell
• Merlin: a tool that uses HTTP/2 protocol for C2 communications
• Nishang: a framework and collection of scripts and payloads for offensive security and penetration testing

Conclusion

• Be prepared for different scenarios with various tools and servers configured
• Use different tools and techniques to get around obstacles and evade detection
• Red Team campaigns involve opportunity of attack and constant monitoring of the environment for vulnerabilities