The Hacker Playbook 3 Red Team Edition
44 Questions

Questions and Answers

What is the main mission of Red Teams?

  • Emulate tactics used by adversaries (correct)
  • Test software applications for bugs
  • Conduct routine security audits
  • Identify vulnerabilities in IT infrastructure

Red Team tests have a more flexible scope compared to Penetration Tests.

  True

The primary outcome of Red Team findings should be geared towards gaps in blue team ________.

  processes

What do Time To Detect (TTD) and Time To Mitigate (TTM) represent in Red Team assessments?

  Measuring incident detection and mitigation times

What is the cost of a new Cobalt Strike license for one user for a one-year license?

  $3,500

To take redirectors up a notch, what technique is utilized that makes use of other people's domains and infrastructures as redirectors for a controller?

  Domain Fronting

What are examples of popular Content Delivery Networks (CDNs) mentioned in the text for masking traffic origins? (Select all that apply)

  Amazon's CloudFront

Cobalt Strike is the only tool that supports Domain Fronting.

  False

What is the purpose of Red Team campaigns?

  To replicate real-world attacks and test detection capabilities

What is the MITRE ATT&CK matrix?

  A collection of different TTPs commonly used in various attacks.

Which tool is known for post-exploitation, lateral movement, and exfiltration in Red Teaming?

  Cobalt Strike

Obfuscation using ________ can be used for Meterpreter payloads in social engineering attacks.

  PowerShell

Red Team campaigns focus on detecting/mitigating threats rather than identifying vulnerabilities.

  True

What tool can be used in restrictive environments to bypass outbound traffic restrictions and leverage DNS resolutions for Command and Control of malware?

  dnscat2

Why is dnscat2 particularly useful in secure environments with restricted outbound UDP or TCP traffic?

  It allows for shell access and exfiltration.

To set up an authoritative DNS server using GoDaddy, you need to add the nameservers ___________ and ___________ which point to your VPS server.

  ns1 (and put the IP of your VPS server); ns2 (and put the IP of your VPS server)

dnscat2 listens on UDP port 53 and performs all the heavy lifting for setting up an authoritative DNS server.

  False

What is the flag that needs to be configured in dnscat2 to ensure encrypted communication within DNS requests?

  The --secret flag

What type of scripts do we usually set up for clients to monitor their network?

  Monitoring scripts

Which tool uses Masscan to scan large networks quickly and phantomjs to take screen captures of websites?

  HTTPScreenshot

The tool EyeWitness screenshots web pages, RDP servers, and VNC servers using the XML output from _.

  nmap

Shodan can provide information about open web cams and vulnerability details like Heartbleed.

  True

What is one of the major features of Censys that helps Red Teamers find information on cloud servers?

  SSL certificates

Which tool is commonly used for web application exploitation in the Red Team Edition playbook?

  Metasploit Framework

Abusing Active Directory and Abusing Kerberos are new topics discussed in the third iteration of The Hacker Playbook series.

  True

What is the author's primary goal for the readers through this book?

  To get into the mindset of an attacker and understand the how of the attacks; to take the tools and techniques learned and expand upon them

What is recommended to avoid when attempting the attacks described in the book? Do not go looking for vulnerable servers and exploits on systems you don't own without the proper __________.

  approval

What AWS command can be used to check if a file in an S3 bucket is only writable by a user named 'secure'?

  aws s3api get-object-acl

Subdomain takeovers occur when a company forgets to configure a third-party service or deregister from the server.

  True

What tool can be used to check for vulnerable subdomains and potentially take them over?

  tko-subs

To find all email accounts for cnn.com, one can use the tool __________.

  SimplyEmail

Match the following bug bounty programs with their respective websites:

  HackerOne = https://www.hackerone.com
  BugCrowd = https://bugcrowd.com/programs
  SynAck = https://www.synack.com/red-team/

Where can the Custom THP VM be downloaded for setting up the demo for the Web Environment?

  http://thehackerplaybook.com/get.php?type=csk-web

What should be added to the hosts file in the Kali VM to point to the vulnerable application by hostname?

  [IP Address of Vuln App] chat

The Red Team Web Application Attacks focus on skipping many of the basic attacks to move into attacks commonly used in the __________.

  real world

Knowing the OWASP Top 10 is insignificant for a penetration testing job.

  False

What programming language was the Chat Support System application written in?

  Node.js

What tools are included in the passive domain recon using Discover scripts?

  ARIN, dnsrecon, goofile, goog-mail, goohost, theHarvester, Metasploit, URLCrazy, Whois, recon-ng

What is the purpose of Knockpy?

  To enumerate subdomains on a target domain through a wordlist

What is the purpose of Sublist3r?

  To utilize search engines for subdomain enumeration

What is the goal of the SubBrute tool?

  To create the fastest and most accurate subdomain enumeration tool

What is Truffle Hog used for?

  Finding secrets, passwords, and keys

GitHub tracks every time code is modified or deleted.

  True

To run Sublist3r, you need to navigate to /opt/Sublist3r and execute 'python sublist3r.py -d _____ -o _____'.

  cyberspacekittens.com

    Study Notes

    Overview of the Hacker Playbook

    • The book is a practical guide to penetration testing and red teaming, focusing on the latest vulnerabilities and attacks.
    • The book is divided into nine chapters, covering topics such as web application exploitation, network compromise, social engineering, and evading detection.

    About the Author

    • The author, Peter Kim, has over 12 years of experience in penetration testing and red teaming.
    • He has worked with major financial institutions, utility companies, and government organizations.
    • He is also a teacher and has spoken at multiple security conferences.

    Preface

    • The book aims to provide a comprehensive guide to penetration testing and red teaming, covering both theoretical and practical aspects.
    • The book is intended for anyone in the security field, from beginners to advanced hackers.
    • The author emphasizes the importance of having a strong public GitHub repository and technical blog to demonstrate skills and knowledge.

    Notes and Disclaimer

    • The author emphasizes the importance of only testing systems with proper approval and not attempting to exploit vulnerabilities without permission.
    • He provides examples of bug bounty programs and vulnerable sites/VMs that can be used for learning and growth.

    Introduction

    • The book is a simulation of a Red Team assessment, where the reader is tasked with breaking into a fictional company's systems.
    • The goal is to find external and internal vulnerabilities, use the latest exploits, and see if the company's defensive teams can detect or stop the breach.
    • The book covers the differences between penetration testing and red teaming, with a focus on simulating real-world attacks and identifying gaps in security programs.

    Penetration Testing Teams vs Red Teams

    • Penetration testing is a more rigorous and methodical testing of a network, application, or hardware, with a focus on identifying vulnerabilities and creating a report.
    • Red Teams, on the other hand, aim to emulate the tactics, techniques, and procedures of adversaries, with a focus on identifying gaps in security programs and increasing security posture.
    • The author highlights the differences between penetration testing and red teaming, including the scope, timeline, and outcome of the two types of teams.

    Penetration Tests vs. Red Teams

    • Penetration tests focus on identifying vulnerabilities and weaknesses in a system or network
    • Red Teams, on the other hand, focus on simulating real-world attacks to test the overall security program of an organization
    • Red Teams aim to prove how the security program is running, not just identifying vulnerabilities

    Red Team Objectives

    • Identify vulnerabilities in security, not just IT
    • Simulate real-world events
    • Live in a world of constant Red Team infections
    • Focus on Time To Detect (TTD) and Time To Mitigate (TTM) metrics
    • Test the security program's ability to detect and respond to attacks

    Red Team Campaigns

    • Start with a few objectives, such as what are the end goals, what techniques to use, and what tools to employ
    • Use tools like MITRE ATT&CK Matrix to identify TTPs (Tactics, Techniques, and Procedures) of attackers
    • Set up external servers using services like Digital Ocean or Amazon Web Services (AWS) Lightsail
    • Use tools like The PenTesters Framework (PTF) to set up exploitation, intel gathering, post-exploitation, PowerShell, and vulnerability analysis tools

    Red Team Tools

    • Metasploit Framework: a gold standard tool for compromising internal systems and generating Meterpreter payloads
    • Cobalt Strike: a tool for post-exploitation, lateral movement, and exfiltration
    • Obfuscation tools like Unicorn to generate obfuscated PowerShell Meterpreter payloads
    • Signed SSL/TLS certificates to evade network IDS tools

    Red Team Infrastructure

    • Set up redirectors to mask traffic origins
    • Use Domain Fronting to make traffic look like it's coming from high-reputation domains
    • Use tools like socat to configure redirectors and CDN to mask traffic
    • Cobalt Strike supports SMB Beacons for C2 communication between hosts
    • Malleable C2 Profiles allow Red Teams to manipulate how Beacons communicate, making it look like normal traffic

    HTTP Requests and Malleable Profiles

    • HTTP requests are used with URI paths, host headers set to Amazon, and custom Server headers sent back from the C2 server
    • Malleable Profiles are used to avoid security device signatures
    • To avoid detection, modify static strings, change User-Agent information, configure SSL with real certificates, use jitter, and change beacon times

    Cobalt Strike Aggressor Scripts

    • Aggressor Script is a scripting language for Red Team operations and adversary simulations
    • Purpose: create long-running bots that simulate virtual Red Team members, and extend and modify the Cobalt Strike client
    • Examples of aggressor scripts: HarleyQu1nn's list of different scripts

    PowerShell Empire

    • A post-exploitation framework with a pure-PowerShell 2.0 Windows agent, and a pure Python 2.6/2.7 Linux/OS X agent
    • Features: cryptologically-secure communications, flexible architecture, and adaptable communications to evade network detection
    • Key features:
      • Run PowerShell agents without needing powershell.exe
      • Rapidly deployable post-exploitation modules
      • C2 connectivity for Linux and OS X
      • Actively maintained and updated

    Setting up Empire

    • Configure Empire securely:
      • Set CertPath to a real trusted SSL certificate
      • Change DefaultProfile endpoints
      • Change the User Agent used to communicate
    • Autorun scripts for efficiency and effectiveness

    dnscat2

    • A tool that creates an encrypted Command and Control (C2) channel over the DNS protocol
    • Used to hide traffic and evade network sensors
    • Features:
      • Does not require root privileges
      • Allows both shell access and exfiltration
      • Can be used in restrictive environments
      • Supports tunneling
    • Steps to set up dnscat2:
      1. Set up an authoritative DNS server
      2. Configure dnscat2 server
      3. Compile the client code
      4. Execute the payload
      5. Start dnscat2 on the attacker server

    Other Tools

    • p0wnedShell: an offensive PowerShell host application that does not rely on powershell.exe
    • Pupy Shell: an open-source, cross-platform remote administration and post-exploitation tool
    • PoshC2: a proxy aware C2 framework written in PowerShell
    • Merlin: a tool that takes advantage of HTTP/2 protocol for C2 communications
    • Nishang: a framework and collection of scripts and payloads for offensive security and penetration testing


    Description

    A practical guide to penetration testing, covering red team strategies and techniques. Written by Peter Kim, this book provides in-depth knowledge of penetration testing.
