The Hacker Playbook 3 Red Team Edition

Overview of the Hacker Playbook

• The book is a practical guide to penetration testing and red teaming, focusing on the latest vulnerabilities and attacks.
• The book is divided into nine chapters, covering topics such as web application exploitation, network compromise, social engineering, and evading detection.

About the Author

• The author, Peter Kim, has over 12 years of experience in penetration testing and red teaming.
• He has worked with major financial institutions, utility companies, and government organizations.
• He is also a teacher and has spoken at multiple security conferences.

Preface

• The book aims to provide a comprehensive guide to penetration testing and red teaming, covering both theoretical and practical aspects.
• The book is intended for anyone in the security field, from beginners to advanced hackers.
• The author emphasizes the importance of having a strong public GitHub repository and technical blog to demonstrate skills and knowledge.

Notes and Disclaimer

• The author emphasizes the importance of only testing systems with proper approval and not attempting to exploit vulnerabilities without permission.
• He provides examples of bug bounty programs and vulnerable sites/VMs that can be used for learning and growth.

Introduction

• The book is a simulation of a Red Team assessment, where the reader is tasked with breaking into a fictional company's systems.
• The goal is to find external and internal vulnerabilities, use the latest exploits, and see if the company's defensive teams can detect or stop the breach.
• The book covers the differences between penetration testing and red teaming, with a focus on simulating real-world attacks and identifying gaps in security programs.

Penetration Testing Teams vs Red Teams

• Penetration testing is a more rigorous and methodical testing of a network, application, or hardware, with a focus on identifying vulnerabilities and creating a report.
• Red Teams, on the other hand, aim to emulate the tactics, techniques, and procedures of adversaries, with a focus on identifying gaps in security programs and increasing security posture.
• The author highlights the differences between penetration testing and red teaming, including the scope, timeline, and outcome of the two types of teams.### Penetration Tests vs. Red Teams
• Penetration tests focus on identifying vulnerabilities and weaknesses in a system or network
• Red Teams, on the other hand, focus on simulating real-world attacks to test the overall security program of an organization
• Red Teams aim to prove how the security program is running, not just identifying vulnerabilities

Red Team Objectives

• Identify vulnerabilities in security, not just IT
• Simulate real-world events
• Live in a world of constant Red Team infections
• Focus on Time To Detect (TTD) and Time To Mitigate (TTM) metrics
• Test the security program's ability to detect and respond to attacks

Red Team Campaigns

• Start with a few objectives, such as what are the end goals, what techniques to use, and what tools to employ
• Use tools like MITRE ATT&CK Matrix to identify TTPs (Tactics, Techniques, and Procedures) of attackers
• Set up external servers using services like Digital Ocean or Amazon Web Services (AWS) Lightsail
• Use tools like The PenTesters Framework (PTF) to set up exploitation, intel gathering, post-exploitation, PowerShell, and vulnerability analysis tools

Red Team Tools

• Metasploit Framework: a gold standard tool for compromising internal systems and generating Meterpreter payloads
• Cobalt Strike: a tool for post-exploitation, lateral movement, and exfiltration
• Obfuscation tools like Unicorn to generate obfuscated PowerShell Meterpreter payloads
• Signed SSL/TLS certificates to evade network IDS tools

Red Team Infrastructure

• Set up redirectors to mask traffic origins
• Use Domain Fronting to make traffic look like it's coming from high-reputation domains
• Use tools like socat to configure redirectors and CDN to mask traffic
• Cobalt Strike supports SMB Beacons for C2 communication between hosts
• Malleable C2 Profiles allow Red Teams to manipulate how Beacons communicate, making it look like normal traffic### HTTP Requests and Malleable Profiles
• HTTP requests are used with URI paths, host headers set to Amazon, and custom Server headers sent back from the C2 server
• Malleable Profiles are used to avoid security device signatures
• To avoid detection, modify static strings, change UserAgent information, configure SSL with real certificates, use jitter, and change beacon times

Cobalt Strike Aggressor Scripts

• Aggressor Script is a scripting language for Red Team operations and adversary simulations
• Purpose: create long-running bots that simulate virtual Red Team members, and extend and modify the Cobalt Strike client
• Examples of aggressor scripts: HarleyQu1nn's list of different scripts

PowerShell Empire

• A post-exploitation framework with a pure-PowerShell 2.0 Windows agent, and a pure Python 2.6/2.7 Linux/OS X agent
• Features: cryptologically-secure communications, flexible architecture, and adaptable communications to evade network detection
• Key features:
  • Run PowerShell agents without needing powershell.exe
  • Rapidly deployable post-exploitation modules
  • C2 connectivity for Linux and OS X
  • Actively maintained and updated

Setting up Empire

• Configure Empire securely:
  • Set CertPath to a real trusted SSL certificate
  • Change DefaultProfile endpoints
  • Change the User Agent used to communicate
• Autorun scripts for efficiency and effectiveness

dnscat2

• A tool that creates an encrypted Command and Control (C2) channel over the DNS protocol
• Used to hide traffic and evade network sensors
• Features:
  • Does not require root privileges
  • Allows both shell access and exfiltration
  • Can be used in restrictive environments
  • Supports tunneling
• Steps to set up dnscat2:
  1. Set up an authoritative DNS server
  2. Configure dnscat2 server
  3. Compile the client code
  4. Execute the payload
  5. Start dnscat2 on the attacker server

Other Tools

• p0wnedShell: an offensive PowerShell host application that does not rely on powershell.exe
• Pupy Shell: an open-source, cross-platform remote administration and post-exploitation tool
• PoshC2: a proxy aware C2 framework written in PowerShell
• Merlin: a tool that takes advantage of HTTP/2 protocol for C2 communications
• Nishang: a framework and collection of scripts and payloads for offensive security and penetration testing