Book Review : Hands-on Red Team Tactics

Hands-on red team tactics

Book Details:

The red teaming concept has existed since the 6th century BCE, when the ancient military genius Sun Tzu stated that “…one who knows the enemy and knows himself will not be endangered in a hundred engagements.” Today, red teaming concepts continue to evolve to fit the needs of the organization. Although the current style of red teaming in the military and in business organizations around the world may differ slightly, they are increasingly finding success implementing plans formed by the structured and iterative processes introduced by adequately educated and trained red teamers.

A red teamer possesses the intellectual courage to challenge assumptions, mitigate cultural and cognitive biases, and counter groupthink. The execution of the modern-day red teaming process originated in the U.S. military in the 1960s, at the height of the Cold War with the Soviet Union. The term “red team” emerged from game-theory approaches applied to war-gaming and scenario simulations designed to evaluate strategic decisions. Red teamers possess the ability to think holistically about issues or problems and analyze them from the perspectives of one’s own organization, clients, competitors, and business executives.

In the current world of bug bounty hunters and traditional penetration testers, I am happy that the authors have tried to change and challenge traditional approaches and redefine methodologies. Most importantly, instead of writing about conventional techniques, they have put together new content and procedures that empower the reader with knowledge.


Summary

There are a total of 13 chapters in the book, which are as follows:

  1. Red-Teaming and Pentesting
  2. Pentesting 2018
  3. Foreplay-Metasploit Basics
  4. Getting Started with Cobalt Strike
  5. ./ReverseShell
  6. Pivoting
  7. Age of Empire – The Beginning
  8. Age of Empire – Owning Domain Controllers
  9. Cobalt Strike – Red Team Operations
  10. C2 – Master of Puppets
  11. Obfuscating C2s – Introducing Redirectors
  12. Achieving Persistence
  13. Data Exfiltration

To keep things clear and to the point for the reader, I will go through each chapter and give a streamlined summary of the elements covered in the book.

Chapter 1: Red-Teaming & Pentesting

The book starts with a short, crisp and precise introduction to penetration testing. The section talks about OWASP, OSSTMM, ISSAF and PTES, then goes into the details of PTES, and then explains the difference between a traditional penetration test and a red team exercise: how red team methodologies differ and what is distinctive about the red team approach.

Chapter 2: Pentesting 2018

Unlike what the title suggests, this chapter primarily focuses on the use of two tools: MSFvenom Payload Creator (MSFPC) and Koadic. I liked that the author has gone into the details of both tools, from where to download them to examples of how to use them, in a very descriptive flow.

Chapter 3: Foreplay – Metasploit Basics

This chapter starts with an introduction to Metasploit, then goes into the details of the commands and features it offers. The chapter then moves on to setting up Armitage and a team server and how to connect it with Slack, and ends with a note on how to use Cortana scripts with Armitage.

Chapter 4: Getting Started with Cobalt Strike

As the chapter’s name suggests, this chapter talks about Cobalt Strike, starting from what is required to set it up, to an explanation and use of the different buttons present on its user interface, and how to generate payloads and connect to team servers. The first part of the chapter contains a nice note on how to plan a red team activity. However, I believe that note would have been delivered better in chapter 2. The chapter ends with a note on how to secure your team server.

Chapter 5: ./ReverseShell

This chapter is very focused on multiple techniques for reverse shell connections. It goes deep into the details of using tools like netcat, ncat, socat, cryptcat and powercat, then has examples of getting reverse shell connections using payloads such as reverse_tcp, reverse_tcp_rc4 and reverse_https. The chapter talks about using ngrok to get a connection from a system behind NAT, and ends with a reverse shell cheat sheet.

Chapter 6: Pivoting

This chapter talks about different pivoting techniques. It starts with port forwarding and pivoting via SSH, then Meterpreter port forwarding and pivoting via Armitage, and ends with a short note on multi-level pivoting.

Chapter 7: Age of Empire – The Beginning

This chapter covers a very famous and powerful post-exploitation framework: Empire. The chapter starts with an excellent tutorial on how to set up Empire and then explains some of its primary uses, along with examples of post-exploitation basics on Windows, Linux and OS X. The chapter then has a nice note on popping a Meterpreter session and setting up Slack alerts with Empire.

Chapter 8: Age of Empire – Owning Domain Controllers

This chapter is a continuation of the previous chapter on Empire. While the last chapter primarily focused on Empire basics and getting access to systems, this chapter focuses on gaining access to the Domain Controller. Apart from this, the chapter also has information on automating AD exploitation and on the Empire GUI web interface.

Chapter 9: Cobalt Strike – Red Team Operations

This chapter is a continuation of chapter 4 on Cobalt Strike. It goes into more detail about Cobalt Strike and explains its different features, such as listeners (their types and usage), beacons and their functions with examples, a walkthrough of the beacon menu and beacon console, and finally pivoting using Cobalt Strike. The chapter ends with a note on Aggressor scripts.

Chapter 10: C2 – Master of Puppets

This chapter provides information on C2 servers and how they help in red team operations. After a brief introduction to C2, the chapter covers a detailed tutorial on using cloud services such as Dropbox and OneDrive as C2 servers, and then how to set up covert C2 channels.

Chapter 11: Obfuscating C2s – Introducing Redirectors

This chapter is a continuation of the previous chapter and focuses on obfuscating and hiding the C2 server from the network and the blue team. It introduces the concept of redirectors and obfuscating C2 securely, the types of redirectors (short-term and long-term), and different methods such as dumb pipe redirection, filtration/smart redirection and domain fronting.

Chapter 12: Achieving Persistence

This chapter briefly covers achieving persistence once a target has been infiltrated, and the role of persistence in a typical red team exercise. The chapter covers different types of persistence and how to achieve them via Armitage, via Empire on Windows, OS X and Linux, and via Cobalt Strike with Aggressor scripts.

Chapter 13: Data Exfiltration

This last chapter of the book contains brief information on data exfiltration and why it is needed in an exercise, then moves on to explain techniques using tools like ncat, OpenSSL, PowerShell, DNS, Dropbox and Empire. The chapter also has a tutorial on the CloakifyFactory tool, which primarily helps in bypassing DLP solutions.

Final Notes: Above I have tried to give a short idea of all the chapters of the book. The step-by-step approach makes it very comfortable for readers to go along with the book and reproduce the same steps on their own system, provided all the steps are followed exactly as the authors describe them.

Tips

  • The book is amazingly priced and has concise content.
  • The book’s primary focus is newcomers who want to learn about Red Team Operations, and it is equally beneficial to pen-testers as it contains various new methods of infiltration.
  • The book is self-paced and dedicated across different streams of exploitation – app, network, systems.
  • The book can be used as a reference guide for red teamers and a study guide for newcomers.
  • In some places I have observed a gap in the flow; however, given the technicality of the content, that is understandable.

Rating

  • For Content, I would rate it 8/10
  • For Grammar, I would rate it 7.5/10
  • For Technicality, I would rate it 8.5/10
  • For Delivery of the subject, I would rate it 7.8/10

Overall Rating: 8/10 as per the subject, material delivered, proof-reading, self-pacing and technicality of the subject covered. The evaluation depends on personal perspective and the reader’s choice in the matter.

Recommendation

This final section is, I think, personal opinion, but technically driven. The authors have taken their dedication and passion to the next level in drafting the book, and it can be seen in the effort they have put into developing the material itself.

I recommend this book to each and every InfoSec enthusiast and professional; after reading this book you will have a clear understanding of Red Team Operations and how they differ from your typical VAPT (for God’s sake, just end the fight: VAPT != Red Team Assessment).

I thank you for reading the review of “Hands-on Red Team Tactics”. It has been interesting to deliver a review of someone else’s work. The security community wouldn’t be where it is now if it wasn’t for people like Himanshu Sharma & Harpreet Singh, who have been contributing their time and investing their focus in different areas of digital security research. I hope this post has delivered an unbiased review, and I will put my efforts into making things higher quality.

Disclaimer: The authors of the book are my old friends and one of the authors is my coworker; however, I have tried my best to be as unbiased as I can be.

Book Review : Mastering Metasploit Edition 1 & 2

Mastering Metasploit

Book Details:

  • Author: Nipun Jaswal
  • ISBN: 9781782162223 (Edition 1), 9781786463166 (Edition 2)
  • Publisher: PacktPub

In the crowded world of books on Metasploit, I find this book unique: most of them focus on “How to use Metasploit”, but this book gives you an understanding of, and encouragement towards, porting your own exploits to Metasploit. I bought the hardcopy of edition 1 just after launch and got it signed by Nipun Jaswal. For the 2nd edition, I bought the e-book from PacktPub using the Packt credits given to me as an honorarium for reviewing other books for them, and I am waiting for my signed copy of edition 2 (Nipun, are you reading this?). In the current world of bug bounty hunters, methodological penetration testing is somewhere getting lost, and after reading both editions I was happy that the author has also tried to take each and every perspective into account while writing the chapters. A lot of effort has been put into making this a fantastic guide for both the amateur and the seasoned Metasploit user, who will benefit from the vast number of striking images and test cases. Now I would like to stop here and provide an at-a-glance overview of “Mastering Metasploit”.

Summary

Both editions of the book contain ten chapters, which are as follows:

Version 1

1: Approaching a Penetration Test Using Metasploit
2: Reinventing Metasploit
3: The Exploit Formulation Process
4: Porting Exploits
5: Offstage Access to Testing Services
6: Virtual Test Grounds and Staging
7: Sophisticated Client-side Attacks
8: The Social Engineering Toolkit
9: Speeding Up Penetration Testing
10: Visualizing with Armitage

Version 2

1: Approaching a Penetration Test Using Metasploit
2: Reinventing Metasploit
3: The Exploit Formulation Process
4: Porting Exploits
5: Testing Services with Metasploit
6: Virtual Test Grounds and Staging
7: Client-side Exploitation
8: Metasploit Extended
9: Speeding up Penetration Testing
10: Visualizing with Armitage

While both editions have ten chapters, edition one is more introductory on some topics and edition two covers the topics in more depth. To keep things clear and to the point for the reader, I will go through each chapter and give a streamlined summary of the elements covered in the book.

Chapter 1: Approaching a Penetration Test using Metasploit

This chapter in both editions contains an introduction to Metasploit and the procedure to set up a testing lab environment. In edition 2 the author has gone more in-depth on the tools, also covered the benefits of Metasploit, and discussed a methodology for pentesting an unknown network and how to exploit publicly known vulnerabilities such as the VSFTPD 2.3.4 backdoor and HFS 2.3 RCE.

Chapter 2: Reinventing Metasploit

This chapter in both editions contains information about Ruby, the heart of Metasploit, and gives an idea of how you can write your own custom modules for Metasploit. The chapter also has information about writing Meterpreter scripts, then moves on to the concept of working with RailGun, which allows you to make calls to Windows APIs without compiling your own DLL.

Chapter 3: The Exploit Formulation Process

This chapter starts with the concept of assembly language and states the importance of the EIP & ESP registers and of NOP & JMP instructions while writing an exploit. The section also contains brief details about stack- and SEH-based buffer overflow attacks, how to bypass DEP in Metasploit modules, and what the protection mechanisms against them are.

Chapter 4: Porting Exploits

This is one of the core chapters in the book. In this chapter, readers get ample information on how one can port exploits written in different programming languages like Python and Perl, as well as web-based exploits, into Metasploit modules.

Chapter 5: Testing Service with Metasploit

It starts with an introduction to SCADA and how to exploit and secure such systems; after this, the chapter moves towards database exploitation, right from basics like fingerprinting. The chapter also has details about how one could test VoIP services by scanning the network for VoIP clients and spoofing VoIP calls as well.

Chapter 6: Virtual Test Grounds and Staging

In this section, the author covers a vast number of subjects, like how to efficiently perform black box, white box and grey box testing on the target in scope, how to format reports, and how to use leading industry tools directly from the Metasploit console, using it as a single point of testing for a complete penetration test.

Chapter 7: Client-side attacks

In this section, a variety of techniques that can help us attack client-side systems is explained: browser-based exploitation and its variants, exploiting Windows-based systems using Arduino, creating file-format-based exploits, using Metasploit with DNS-spoofing attack vectors, and exploiting Linux-based clients and Android devices.

Chapter 8: The Social Engineering Toolkit / Metasploit Extended

This is the chapter that differs between the two editions. In edition 1 it is about the Social Engineering Toolkit and explains it in brief, while in edition 2 it is about Metasploit for post-exploitation scenarios and using its extended features.

Chapter 9: Speeding up Penetration Testing

Throughout this chapter, the author focuses on faster penetration testing with automated approaches. He explains various techniques to improve the testing of databases, and speeding up exploitation with db_autopwn and the pushm, popm, loadpath, reload and edit commands. He also explains creating resource scripts, making use of AutoRunScript, setting global variables, automating payload generation, and setting up exploit handlers using SET.

Chapter 10: Visualizing with Armitage

In this chapter, the author takes a good look at Armitage and its various features. He kicks off by looking at the interface and building up workspaces. He also explains how to exploit a host with Armitage using remote as well as client-side exploitation and post-exploitation. Furthermore, he jumps into Cortana, using it to control Metasploit, and creates post-exploitation scripts, custom menus, and interfaces as well.

Final Notes: Above I have tried to give a short idea of all the chapters in both editions of the book. The step-by-step approach makes it very comfortable for readers to go along with the book and reproduce the same steps on their own system, provided all the steps are followed exactly as the author describes them.

Tips

  • The book is amazingly priced and has concise content.
  • The book has been of great benefit to previous buyers.
  • The book’s primary focus is pen-testers, and it is equally beneficial to bug-hunters.
  • The book is self-paced and dedicated across different streams of exploitation – app, network, system.
  • The book has a huge exploit-writing section for the readers discussed above.
  • The book can be used as a reference guide for newcomers to penetration testing.

Rating

  • For Content, I would rate it 9/10
  • For Grammar, I would rate it 8/10
  • For Technicality, I would rate it 9/10
  • For Delivery of the subject, I would rate it 8/10

Overall Rating: 8.5/10 as per the subject, material delivered, proof-reading, self-pacing and technicality of the subject covered. The evaluation depends on personal perspective and the reader’s choice in the matter.

Recommendation

This final section covers the preliminary core concepts you would require to get a hands-on experience with this book, along with advice that I think is personal opinion, but technically driven. The author has taken his dedication and passion to the next level in drafting the book, and it can be seen in the effort he has put into developing the material itself.

I recommend this book to each and every InfoSec enthusiast and professional; after reading this book you will have a clear understanding of Metasploit, and your penetration testing skills will be improved.

I thank you for reading the review of “Mastering Metasploit”. It has been interesting to deliver a review of the work of someone who has put in his efforts right across the desk and delivered them in style. The security community wouldn’t be where it is now if it wasn’t for people like Nipun Jaswal, who have been contributing their time and investing their focus in different areas of digital security research. I hope this post has delivered an unbiased review, and I will put my efforts into making things higher quality.