Key Takeaways
1. Red Teaming: Simulating Real-World Attacks
The Red Team’s mission is to emulate the tactics, techniques, and procedures (TTPs) used by adversaries.
Beyond Penetration Testing. Red teaming goes beyond traditional penetration testing by mimicking the actions of real-world attackers. This involves understanding their motives, tools, and methods to assess an organization's security posture comprehensively. Unlike penetration tests, which often have a defined scope and timeline, red team exercises can last for weeks or months, allowing for a more realistic simulation of a persistent threat.
Focus on Detection and Response. The primary goal of a red team is not just to find vulnerabilities but to evaluate how well an organization can detect, respond to, and recover from a sophisticated attack. This includes testing the effectiveness of security tools, policies, and the skills of the security team. Red teams provide valuable insights into gaps in the security program, helping organizations improve their overall resilience.
Metrics for Success. Red team engagements are measured by metrics like Time To Detect (TTD) and Time To Mitigate (TTM). TTD measures the time it takes for the security team to identify an incident, while TTM measures the time it takes to contain and resolve it. These metrics provide a clear picture of an organization's ability to handle real-world threats and highlight areas for improvement.
2. Reconnaissance: The Foundation of Red Team Operations
For Red Team campaigns, it is often about opportunity of attack.
Gathering Intelligence. Reconnaissance is the initial phase of any red team operation, involving the collection of information about the target organization. This includes identifying IP ranges, subdomains, employee email addresses, and any publicly available information that could be used to gain an initial foothold. Tools like Nmap, Shodan, and Censys are used to scan for open ports, services, and vulnerabilities.
Monitoring for Changes. Red teams continuously monitor the target environment for changes that could create new attack opportunities. This includes setting up scripts to track changes in open ports, web applications, and cloud configurations. Regular Nmap diffing and web screenshots help identify new services or vulnerabilities that may have been introduced.
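An added Python example of the Nmap diffing mentioned above (not code from the book or from this page): it parses two scans saved in Nmap's grepable (-oG) output format and reports the hosts and open ports that appeared or disappeared between them, which is the same check a defender runs to catch exposure drift in their own ranges. The two scan outputs are constructed samples.

```python
import re

# Constructed sample of Nmap grepable (-oG) output from an earlier scan.
SCAN_BEFORE = """\
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 10.0.0.9 ()\tPorts: 25/open/tcp//smtp///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (998)
"""
# Constructed sample from a later scan of the same range.
SCAN_AFTER = """\
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: closed (997)
Host: 10.0.0.9 ()\tPorts: 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (999)
Host: 10.0.0.12 ()\tPorts: 9200/open/tcp//elasticsearch///\tIgnored State: closed (999)
"""
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)\s+Ports:\s+([^\t]*)")


def parse_grepable(text):
    """Map each host to the set of (port, protocol) pairs Nmap reported as open."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and hosts without a Ports field
        open_ports = set()
        for entry in m.group(3).split(", "):
            fields = entry.split("/")  # port/state/proto/owner/service/rpc/version/
            if len(fields) >= 3 and fields[1] == "open":
                open_ports.add((int(fields[0]), fields[2]))
        hosts[m.group(1)] = open_ports
    return hosts


def diff_scans(before, after):
    """Report new hosts, newly open ports, ports that closed, and hosts that vanished."""
    report = {"new_hosts": [], "new_open": [], "closed": [], "gone_hosts": []}
    for ip, ports in after.items():
        previous = before.get(ip)
        if previous is None:
            report["new_hosts"].append(ip)
            previous = set()
        report["new_open"] += [(ip, p, proto) for p, proto in sorted(ports - previous)]
        report["closed"] += [(ip, p, proto) for p, proto in sorted(previous - ports)]
    report["gone_hosts"] = sorted(before.keys() - after.keys())
    return report


if __name__ == "__main__":
    for key, items in diff_scans(parse_grepable(SCAN_BEFORE), parse_grepable(SCAN_AFTER)).items():
        print(key, items)
```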
Cloud Reconnaissance. With the increasing adoption of cloud services, red teams must also focus on identifying cloud assets and misconfigurations. This involves scanning for publicly accessible S3 buckets, Azure storage accounts, and other cloud resources that could be exploited. Tools like sslScrape can be used to extract hostnames from SSL certificates, providing valuable information about the target's infrastructure.
3. Web Application Exploitation: A Prime Target
If we look at any of the recent breaches, we see that many of these happened to very large and mature companies.
Shifting Focus. Web applications are a common entry point for attackers, making them a prime target for red teams. This involves identifying vulnerabilities such as Cross-Site Scripting (XSS), NoSQL injections, and template injection attacks. Red teams must stay up-to-date on the latest web application vulnerabilities and techniques to effectively simulate real-world attacks.
Exploiting Vulnerabilities. XSS vulnerabilities can be used to steal cookies, redirect users, or even compromise the entire system. NoSQL injections allow attackers to bypass authentication and gain access to sensitive data. Template injection attacks can lead to remote code execution, allowing attackers to take complete control of the server.
NodeJS Exploitation. With the increasing popularity of NodeJS, red teams must also focus on identifying and exploiting vulnerabilities in NodeJS applications. This includes understanding the security implications of using JavaScript as backend code and identifying common misconfigurations in NodeJS frameworks like Express and Pug. Techniques like JSF*ck can be used to bypass filters and execute malicious JavaScript code.
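An added Python example, not from the book, of the NoSQL authentication bypass named above placed beside the input check that stops it. The user store and filter evaluator are a constructed stand-in for a MongoDB lookup; the flaw is that request values are dropped straight into the query filter, so a JSON object is interpreted as a query operator instead of a literal password. The pattern is the same whether the backend is Python or NodeJS.

```python
import json

# Constructed stand-in for a users collection (plaintext only to keep the toy short).
USERS = [{"username": "admin", "password": "correct horse battery staple", "role": "admin"}]


def matches(doc, flt):
    """Toy evaluator for the one MongoDB filter operator this example needs ($gt)."""
    for field, cond in flt.items():
        val = doc.get(field)
        if isinstance(cond, dict):  # an object in the filter is read as operators, not a value
            for op, arg in cond.items():
                if op == "$gt":
                    if val is None or not val > arg:
                        return False
                else:
                    return False  # unsupported operator never matches in this toy
        elif val != cond:
            return False
    return True


def find_one(flt):
    return next((d for d in USERS if matches(d, flt)), None)


def login_vulnerable(body_json):
    # Request values go straight into the filter, so a password of {"$gt": ""}
    # becomes an operator that matches any non-empty stored password.
    body = json.loads(body_json)
    return find_one({"username": body.get("username"), "password": body.get("password")})


def login_hardened(body_json):
    # Accept only string credentials; an object, list or number is rejected
    # before it can reach the query layer.
    body = json.loads(body_json)
    username, password = body.get("username"), body.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        return None
    return find_one({"username": username, "password": password})


if __name__ == "__main__":
    crafted = '{"username": "admin", "password": {"$gt": ""}}'
    print("vulnerable:", login_vulnerable(crafted))  # returns the admin record
    print("hardened:", login_hardened(crafted))      # None
```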
4. Network Compromise: Moving Inward
For network pentests, we love getting to Domain Admin (DA) to gain access to the Domain Controller (DC) and calling it a day.
From Foothold to Lateral Movement. Once a red team has gained an initial foothold, the next step is to move laterally through the network to reach the target objective. This involves identifying and exploiting vulnerabilities in internal systems, escalating privileges, and stealing credentials. Tools like Responder and CrackMapExec are used to capture credentials and identify vulnerable systems.
Living off the Land. Red teams often use built-in Windows tools and features to avoid detection. This includes using PowerShell to query Active Directory, enumerate users and groups, and execute commands on remote systems. Techniques like Pass-the-Hash and Kerberoasting are used to gain access to privileged accounts without cracking passwords.
BloodHound for Attack Path Analysis. BloodHound is a powerful tool for visualizing and analyzing attack paths in Active Directory environments. It uses graph theory to identify hidden relationships and unintended privileges, allowing red teams to quickly identify the most efficient way to reach their target objective. By importing ACL data into BloodHound, red teams can identify users who have the ability to reset passwords or modify ACE permissions, creating opportunities for privilege escalation and lateral movement.
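An added Python example, not BloodHound's code or the book's, of the graph analysis described above: a constructed set of BloodHound-style edges is searched breadth-first for the shortest path from every principal to Domain Admins, and the edges shared by the most paths are ranked, which is the list a defender works from when deciding which group membership, session or ACL right to remove first. Principal names and relationship types are constructed sample data.

```python
from collections import deque

# Constructed BloodHound-style edges: (source, relationship, target). Names are sample data.
EDGES = [
    ("ALICE@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "ForceChangePassword", "SVC_BACKUP@CORP.LOCAL"),
    ("SVC_BACKUP@CORP.LOCAL", "AdminTo", "FS01.CORP.LOCAL"),
    ("FS01.CORP.LOCAL", "HasSession", "BOB@CORP.LOCAL"),
    ("BOB@CORP.LOCAL", "MemberOf", "DOMAIN ADMINS@CORP.LOCAL"),
    ("CAROL@CORP.LOCAL", "MemberOf", "SALES@CORP.LOCAL"),
]
TARGET = "DOMAIN ADMINS@CORP.LOCAL"


def build_graph(edges):
    """Adjacency list: node -> [(relationship, neighbour)]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph


def shortest_path(graph, start, target):
    """Breadth-first search; returns the hops as (node, relationship, next) or None."""
    queue, seen = deque([(start, [])]), {start}
    while queue:
        node, path = queue.popleft()
        if node == target:
            return path
        for rel, nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(node, rel, nxt)]))
    return None


def principals_with_path(graph, target):
    """Every principal that can reach the target, with its shortest path."""
    paths = {n: shortest_path(graph, n, target) for n in graph if n != target}
    return {n: p for n, p in paths.items() if p is not None}


def choke_edges(paths):
    """Edges shared by the most paths: removing one of these cuts the most routes."""
    counts = {}
    for path in paths.values():
        for hop in path:
            counts[hop] = counts.get(hop, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
```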
5. Social Engineering: Exploiting the Human Element
Many of the social engineering exercises require you to overcome your nervousness and go outside your comfort zone.
Targeting Human Weaknesses. Social engineering is a powerful technique that exploits human psychology to gain access to systems or information. This involves crafting believable phishing emails, creating fake websites, and impersonating trusted individuals. Red teams must understand the principles of social engineering to effectively manipulate employees into divulging sensitive information or performing actions that compromise security.
Doppelganger Domains and Credential Harvesting. Doppelganger domains, which are similar to legitimate domain names, are used to trick users into entering their credentials on fake login pages. These pages are designed to look identical to the real ones, making it difficult for users to distinguish them. Tools like ReelPhish can be used to bypass two-factor authentication, allowing attackers to gain access to accounts even with enhanced security measures.
Exploiting Trust. Red teams often leverage existing relationships and trust to increase the effectiveness of their social engineering attacks. This involves impersonating colleagues, vendors, or even family members to gain the victim's confidence. By crafting highly targeted and personalized attacks, red teams can significantly increase their chances of success.
6. Physical Attacks: Bypassing Physical Security
"Pretending to not be afraid is as good as actually not being afraid."
Beyond the Digital Realm. Physical security is an often-overlooked aspect of an organization's overall security posture. Red teams conduct physical assessments to identify vulnerabilities in access controls, surveillance systems, and security personnel. This involves attempting to bypass gates, doors, and other physical barriers to gain unauthorized access to the facility.
Tools of the Trade. Red teams use a variety of tools to bypass physical security measures, including lock picks, gate bypass devices, and card reader cloners. These tools allow them to gain access to restricted areas and potentially compromise sensitive data or systems. The LAN Turtle and Packet Squirrel are used to establish covert network connections, allowing attackers to remotely access and control systems within the facility.
Testing Response Times. A key objective of physical assessments is to evaluate the response times of security personnel. This involves triggering alarms, observing security patrols, and documenting any weaknesses in the organization's physical security procedures. By identifying these weaknesses, red teams can help organizations improve their physical security posture and prevent unauthorized access.
7. Evading Detection: Staying Under the Radar
As a Red Team, we don’t really care as much about the origins of an attack. Instead, we want to learn from the TTPs.
Obfuscation and Encryption. Evading detection is a critical aspect of red team operations. This involves using techniques to obfuscate code, encrypt communications, and bypass security controls. Red teams must understand how antivirus software, intrusion detection systems, and other security tools work to effectively evade detection.
Custom Payloads and Droppers. Red teams often develop custom payloads and droppers to avoid detection by signature-based security tools. These custom tools are designed to be small, stealthy, and difficult to reverse engineer. Techniques like code caves and reflective DLL injection are used to hide malicious code within legitimate processes.
PowerShell Obfuscation. PowerShell is a powerful tool for red teams, but its widespread use has made it a target for security tools. Red teams use a variety of techniques to obfuscate PowerShell code, including string encryption, variable renaming, and code splitting. Tools like Invoke-Obfuscation and HideMyPS are used to automate the process of obfuscating PowerShell scripts.
8. Automation and Password Cracking: Speed and Efficiency
With Red Teams, we need to show value back to the company.
Automating Tasks. Red teams automate repetitive tasks to improve efficiency and reduce the risk of detection. This includes using scripts to scan for open ports, enumerate users and groups, and execute commands on remote systems. Automation allows red teams to quickly gather information and identify potential attack vectors.
Password Spraying. Password spraying involves attempting to log in to multiple accounts with a small set of common passwords. This technique is used to avoid account lockouts and increase the chances of gaining access to at least one account. Tools like Spray and Ruler are used to automate the process of password spraying.
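The detection side of password spraying, as an added Python example that is not from the book or the tools named above: it reads constructed authentication log lines and flags a source that fails against many distinct accounts with only one or two attempts each, the pattern that separates a spray from a brute force against a single account. It assumes the simple line format shown in the sample and only catches a spray from one source; a spray rotated across many IPs additionally needs correlation on the account side.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log: "<timestamp> <result> user=<name> src=<ip>".
LOG_LINES = """\
2024-03-01T09:00:01 FAIL user=alice src=203.0.113.7
2024-03-01T09:00:03 FAIL user=bob src=203.0.113.7
2024-03-01T09:00:05 FAIL user=carol src=203.0.113.7
2024-03-01T09:00:07 FAIL user=dave src=203.0.113.7
2024-03-01T09:00:09 FAIL user=erin src=203.0.113.7
2024-03-01T09:00:11 SUCCESS user=frank src=203.0.113.7
2024-03-01T09:01:00 FAIL user=alice src=198.51.100.4
2024-03-01T09:01:10 FAIL user=alice src=198.51.100.4
2024-03-01T09:01:20 FAIL user=alice src=198.51.100.4
2024-03-01T10:30:00 FAIL user=gina src=192.0.2.9
"""


def parse_log(text):
    """Return (timestamp, result, user, source) tuples from the sample format."""
    events = []
    for line in text.splitlines():
        ts, result, user, src = line.split()
        events.append((datetime.fromisoformat(ts), result, user.split("=", 1)[1], src.split("=", 1)[1]))
    return events


def detect_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Flag a source whose failures inside one window hit many accounts with few tries each.
    Repeated failures on one account (198.51.100.4 above) is a brute force, left to lockout rules."""
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        by_src[src].append((ts, result, user))
    alerts = []
    for src, evs in by_src.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward
            fails = defaultdict(int)
            for _, result, user in evs[start:end + 1]:
                if result == "FAIL":
                    fails[user] += 1
            if len(fails) >= min_users and max(fails.values()) <= max_per_user:
                logged_in = sorted({u for _, r, u in evs if r == "SUCCESS"})  # spray that landed
                alerts.append({"src": src, "accounts": len(fails), "successes": logged_in,
                               "first": evs[start][0], "last": evs[end][0]})
                break  # one alert per source
    return alerts
```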
Password Cracking. Password cracking is a crucial skill for red teams, allowing them to gain access to systems and information protected by weak or default passwords. Red teams use powerful GPU-based cracking rigs and specialized password lists to crack hashes quickly and efficiently. Tools like Hashcat are used to perform password cracking attacks.
9. Exploiting Cloud Vulnerabilities
As more and more companies switch over to using different cloud infrastructures, a lot of new and old attacks come to light.
Cloud Misconfigurations. Cloud environments often present unique security challenges due to misconfigurations and a lack of understanding of cloud security best practices. Red teams focus on identifying and exploiting these misconfigurations to gain unauthorized access to cloud resources. This includes scanning for publicly accessible S3 buckets, Azure storage accounts, and other cloud services.
S3 Bucket Enumeration. Amazon S3 buckets are a common target for attackers due to their often-misconfigured permissions. Red teams use tools like Slurp and Bucket Finder to enumerate S3 buckets and identify those that are publicly accessible. Once a vulnerable bucket is found, attackers can download sensitive data, upload malicious files, or even modify access controls to gain complete control of the bucket.
Subdomain Takeovers. Subdomain takeovers occur when a company points a subdomain to a third-party service but fails to properly configure or remove the service. This allows attackers to claim the subdomain and use it for malicious purposes, such as hosting phishing sites or distributing malware. Tools like tko-subs are used to identify vulnerable subdomains.
10. Post-Exploitation: Living off the Land
Challenge the system… Provide real data to prove security gaps.
Blending In. Once inside a network, red teams aim to blend in with legitimate traffic and avoid detection. This involves using built-in Windows tools and features, such as PowerShell and WMI, to perform reconnaissance, move laterally, and maintain persistence. By "living off the land," red teams can reduce their reliance on custom tools and avoid triggering security alerts.
Credential Harvesting. Red teams use a variety of techniques to harvest credentials from compromised systems, including dumping memory, extracting passwords from the Windows Credential Store, and stealing browser cookies. These credentials can then be used to gain access to additional systems and resources. Tools like Mimikatz and SessionGopher are used to automate the process of credential harvesting.
Maintaining Persistence. Red teams establish persistence to ensure they can maintain access to compromised systems even after they are rebooted or patched. This involves creating scheduled tasks, modifying registry keys, and installing backdoors. By establishing multiple persistence mechanisms, red teams can increase their chances of maintaining access to the target environment.
Review Summary
The Hacker Playbook 3 receives mixed reviews, with an overall rating of 4.39/5. Readers appreciate the new material, including chapters on phishing, AV bypass, and OSINT. Some find it valuable for both new and experienced pentesters. However, criticisms include poor formatting, grammatical errors, and disorganization. Some readers felt it was rushed compared to previous editions. The book is praised for its references and coverage of advanced topics but is recommended to be read alongside the second edition for a comprehensive understanding.