The Hacker Playbook 3 Red Team Edition
44 Questions
4 Views

Choose a study mode

Play Quiz
Study Flashcards
Spaced Repetition
Chat to lesson

Podcast

Play an AI-generated podcast conversation about this lesson

Questions and Answers

What is the main mission of Red Teams?

  • Emulate tactics used by adversaries (correct)
  • Test software applications for bugs
  • Conduct routine security audits
  • Identify vulnerabilities in IT infrastructure
  • Red Team tests have a more flexible scope compared to Penetration Tests.

    True

    The primary outcome of Red Team findings should be geared towards gaps in blue team ________.

    processes

    What do Time To Detect (TTD) and Time To Mitigate (TTM) represent in Red Team assessments?

    <p>measuring incident detection and mitigation times</p> Signup and view all the answers

    What is the cost of a new Cobalt Strike license for one user for a one-year license?

    <p>$3,500</p> Signup and view all the answers

    To take redirectors up a notch, what technique is utilized that makes use of other people’s domains and infrastructures as redirectors for a controller?

    <p>Domain Fronting</p> Signup and view all the answers

    What are examples of popular Content Delivery Networks (CDNs) mentioned in the text for masking traffic origins? (Select all that apply)

    <p>Amazon’s CloudFront</p> Signup and view all the answers

    Cobalt Strike is the only tool that supports Domain Fronting.

    <p>False</p> Signup and view all the answers

    What is the purpose of Red Team campaigns?

    <p>To replicate real world attacks and test detection capabilities</p> Signup and view all the answers

    What is the MITRE ATT&CK matrix?

    <p>A collection of different TTPs commonly used in various attacks.</p> Signup and view all the answers

    Which tool is known for post exploitation, lateral movement, and exfiltration in Red Teaming?

    <p>Cobalt Strike</p> Signup and view all the answers

    Obfuscation using ________ can be used for Meterpreter payloads in social engineering attacks.

    <p>PowerShell</p> Signup and view all the answers

    Red Team campaigns focus on detecting/mitigating threats rather than identifying vulnerabilities.

    <p>True</p> Signup and view all the answers

    What tool can be used in restrictive environments to bypass outbound traffic restrictions and leverage DNS resolutions for Command and Control of malware?

    <p>dnscat2</p> Signup and view all the answers

    Why is dnscat2 particularly useful in secure environments with restricted outbound UDP or TCP traffic?

    <p>It allows for shell access and exfiltration.</p> Signup and view all the answers

    To set up an authoritative DNS server using GoDaddy, you need to add the nameservers ___________ and ___________ which point to your VPS server.

    <p>ns1 (and put the IP of your VPS server); ns2 (and put the IP of your VPS server)</p> Signup and view all the answers

    Dnscat2 listens on UDP port 53 and performs all the heavy lifting for setting up an authoritative DNS server.

    <p>False</p> Signup and view all the answers

    What is the flag that needs to be configured in dnscat2 to ensure encrypted communication within DNS requests?

    <p>--secret flag</p> Signup and view all the answers

    What type of scripts do we usually set up for clients to monitor their network?

    <p>monitoring scripts</p> Signup and view all the answers

    Which tool uses Masscan to scan large networks quickly and phantomjs to take screencaptures of websites?

    <p>HTTPScreenshot</p> Signup and view all the answers

    The tool Eyewitness screenshots webpages, RDP servers, and VNC Servers using the XML output from _.

    <p>nmap</p> Signup and view all the answers

    Shodan can provide information about open web cams and vulnerability details like Heartbleed.

    <p>True</p> Signup and view all the answers

    What is one of the major features of Censys that helps Red Teamers find information on cloud servers?

    <p>SSL certificates</p> Signup and view all the answers

    Which tool is commonly used for web application exploitation in the Red Team Edition playbook?

    <p>Metasploit Framework</p> Signup and view all the answers

    Abusing Active Directory and Abusing Kerberos are new topics discussed in the third iteration of The Hacker Playbook series.

    <p>True</p> Signup and view all the answers

    What is the author's primary goal for the readers through this book?

    <p>To get into the mindset of an attacker and understand the how of the attacks; to take the tools and techniques learned and expand upon them</p> Signup and view all the answers

    What is recommended to avoid when attempting the attacks described in the book? Do not go looking for vulnerable servers and exploits on systems you don't own without the proper __________.

    <p>approval</p> Signup and view all the answers

    What AWS command can be used to check if a file in an S3 bucket is only writable by a user named 'secure'?

    <p>aws s3api get-object-acl</p> Signup and view all the answers

    Subdomain takeovers occur when a company forgets to configure a third-party service or deregister from the server.

    <p>True</p> Signup and view all the answers

    What tool can be used to check for vulnerable subdomains and potentially take them over?

    <p>tkosubs</p> Signup and view all the answers

    To find all email accounts for cnn.com, one can use the tool __________.

    <p>SimplyEmail</p> Signup and view all the answers

    Match the following bug bounty programs with their respective websites:

    <p>HackerOne = <a href="https://www.hackerone.com">https://www.hackerone.com</a> BugCrowd = <a href="https://bugcrowd.com/programs">https://bugcrowd.com/programs</a> SynAck = <a href="https://www.synack.com/red-team/">https://www.synack.com/red-team/</a></p> Signup and view all the answers

    Where can the Custom THP VM be downloaded for setting up the demo for the Web Environment?

    <p><a href="http://thehackerplaybook.com/get.php?type=csk-web">http://thehackerplaybook.com/get.php?type=csk-web</a></p> Signup and view all the answers

    What should be added to the host file in the Kali VM to point to the vulnerable application by hostname?

    <p>[IP Address of Vuln App] chat</p> Signup and view all the answers

    The Red Team Web Application Attacks focus on skipping many of the basic attacks to move into attacks commonly used in the __________.

    <p>real world</p> Signup and view all the answers

    Knowing the OWASP Top 10 is insignificant for a penetration testing job.

    <p>False</p> Signup and view all the answers

    What programming language was the Chat Support System application written in?

    <p>Node.js</p> Signup and view all the answers

    What tools are included in the passive domain recon using Discover scripts?

    <p>ARIN, dnsrecon, goofile, goog-mail, goohost, theHarvester, Metasploit, URLCrazy, Whois, recon-ng</p> Signup and view all the answers

    What is the purpose of Knockpy?

    <p>To enumerate subdomains on a target domain through a wordlist</p> Signup and view all the answers

    What is the purpose of Sublist3r?

    <p>To utilize search engines for subdomain enumeration</p> Signup and view all the answers

    What is the goal of SubBrute tool?

    <p>To create the fastest and most accurate subdomain enumeration tool</p> Signup and view all the answers

    What is Truffle Hog used for?

    <p>Finding secrets, passwords, and keys</p> Signup and view all the answers

    GitHub tracks every time code is modified or deleted.

    <p>True</p> Signup and view all the answers

    To run Sublister, you need to navigate to optSublist3r and execute 'python sublist3r.py -d _____ -o _____'.

    <p>cyberspacekittens.com</p> Signup and view all the answers

    Study Notes

    Overview of the Hacker Playbook

    • The book is a practical guide to penetration testing and red teaming, focusing on the latest vulnerabilities and attacks.
    • The book is divided into nine chapters, covering topics such as web application exploitation, network compromise, social engineering, and evading detection.

    About the Author

    • The author, Peter Kim, has over 12 years of experience in penetration testing and red teaming.
    • He has worked with major financial institutions, utility companies, and government organizations.
    • He is also a teacher and has spoken at multiple security conferences.

    Preface

    • The book aims to provide a comprehensive guide to penetration testing and red teaming, covering both theoretical and practical aspects.
    • The book is intended for anyone in the security field, from beginners to advanced hackers.
    • The author emphasizes the importance of having a strong public GitHub repository and technical blog to demonstrate skills and knowledge.

    Notes and Disclaimer

    • The author emphasizes the importance of only testing systems with proper approval and not attempting to exploit vulnerabilities without permission.
    • He provides examples of bug bounty programs and vulnerable sites/VMs that can be used for learning and growth.

    Introduction

    • The book is a simulation of a Red Team assessment, where the reader is tasked with breaking into a fictional company's systems.
    • The goal is to find external and internal vulnerabilities, use the latest exploits, and see if the company's defensive teams can detect or stop the breach.
    • The book covers the differences between penetration testing and red teaming, with a focus on simulating real-world attacks and identifying gaps in security programs.

    Penetration Testing Teams vs Red Teams

    • Penetration testing is a more rigorous and methodical testing of a network, application, or hardware, with a focus on identifying vulnerabilities and creating a report.
    • Red Teams, on the other hand, aim to emulate the tactics, techniques, and procedures of adversaries, with a focus on identifying gaps in security programs and increasing security posture.
    • The author highlights the differences between penetration testing and red teaming, including the scope, timeline, and outcome of the two types of teams.### Penetration Tests vs. Red Teams
    • Penetration tests focus on identifying vulnerabilities and weaknesses in a system or network
    • Red Teams, on the other hand, focus on simulating real-world attacks to test the overall security program of an organization
    • Red Teams aim to prove how the security program is running, not just identifying vulnerabilities

    Red Team Objectives

    • Identify vulnerabilities in security, not just IT
    • Simulate real-world events
    • Live in a world of constant Red Team infections
    • Focus on Time To Detect (TTD) and Time To Mitigate (TTM) metrics
    • Test the security program's ability to detect and respond to attacks

    Red Team Campaigns

    • Start with a few objectives, such as what are the end goals, what techniques to use, and what tools to employ
    • Use tools like MITRE ATT&CK Matrix to identify TTPs (Tactics, Techniques, and Procedures) of attackers
    • Set up external servers using services like Digital Ocean or Amazon Web Services (AWS) Lightsail
    • Use tools like The PenTesters Framework (PTF) to set up exploitation, intel gathering, post-exploitation, PowerShell, and vulnerability analysis tools

    Red Team Tools

    • Metasploit Framework: a gold standard tool for compromising internal systems and generating Meterpreter payloads
    • Cobalt Strike: a tool for post-exploitation, lateral movement, and exfiltration
    • Obfuscation tools like Unicorn to generate obfuscated PowerShell Meterpreter payloads
    • Signed SSL/TLS certificates to evade network IDS tools

    Red Team Infrastructure

    • Set up redirectors to mask traffic origins
    • Use Domain Fronting to make traffic look like it's coming from high-reputation domains
    • Use tools like socat to configure redirectors and CDN to mask traffic
    • Cobalt Strike supports SMB Beacons for C2 communication between hosts
    • Malleable C2 Profiles allow Red Teams to manipulate how Beacons communicate, making it look like normal traffic### HTTP Requests and Malleable Profiles
    • HTTP requests are used with URI paths, host headers set to Amazon, and custom Server headers sent back from the C2 server
    • Malleable Profiles are used to avoid security device signatures
    • To avoid detection, modify static strings, change UserAgent information, configure SSL with real certificates, use jitter, and change beacon times

    Cobalt Strike Aggressor Scripts

    • Aggressor Script is a scripting language for Red Team operations and adversary simulations
    • Purpose: create long-running bots that simulate virtual Red Team members, and extend and modify the Cobalt Strike client
    • Examples of aggressor scripts: HarleyQu1nn's list of different scripts

    PowerShell Empire

    • A post-exploitation framework with a pure-PowerShell 2.0 Windows agent, and a pure Python 2.6/2.7 Linux/OS X agent
    • Features: cryptologically-secure communications, flexible architecture, and adaptable communications to evade network detection
    • Key features:
      • Run PowerShell agents without needing powershell.exe
      • Rapidly deployable post-exploitation modules
      • C2 connectivity for Linux and OS X
      • Actively maintained and updated

    Setting up Empire

    • Configure Empire securely:
      • Set CertPath to a real trusted SSL certificate
      • Change DefaultProfile endpoints
      • Change the User Agent used to communicate
    • Autorun scripts for efficiency and effectiveness

    dnscat2

    • A tool that creates an encrypted Command and Control (C2) channel over the DNS protocol
    • Used to hide traffic and evade network sensors
    • Features:
      • Does not require root privileges
      • Allows both shell access and exfiltration
      • Can be used in restrictive environments
      • Supports tunneling
    • Steps to set up dnscat2:
      1. Set up an authoritative DNS server
      2. Configure dnscat2 server
      3. Compile the client code
      4. Execute the payload
      5. Start dnscat2 on the attacker server

    Other Tools

    • p0wnedShell: an offensive PowerShell host application that does not rely on powershell.exe
    • Pupy Shell: an open-source, cross-platform remote administration and post-exploitation tool
    • PoshC2: a proxy aware C2 framework written in PowerShell
    • Merlin: a tool that takes advantage of HTTP/2 protocol for C2 communications
    • Nishang: a framework and collection of scripts and payloads for offensive security and penetration testing

    Studying That Suits You

    Use AI to generate personalized quizzes and flashcards to suit your learning preferences.

    Quiz Team

    Related Documents

    3,5,6,7 ITT630.pdf

    Description

    A practical guide to penetration testing, covering red team strategies and techniques. Written by Peter Kim, this book provides in-depth knowledge of penetration testing.

    More Like This

    Penetration Testing and Ethical Hacking Quiz
    20 questions
    Penetration Testing vs Red Teams
    13 questions
    Cybersecurity Penetration Testing Quiz
    52 questions
    Use Quizgecko on...
    Browser
    Browser