Red Team Considerations - kaotickj/NetSentinel GitHub Wiki

๐Ÿ›ก๏ธ Red Team Considerations

NetSentinel was built with stealth and operational realism in mind. This page outlines key OPSEC notes and recommended use cases during red team operations and authorized internal assessments.


๐Ÿ” OPSEC Notes

Red team operations require balancing technical effectiveness with stealth. Below are considerations to preserve operational security (OPSEC) when using NetSentinel in production environments.


1. Avoid Loud Techniques

NetSentinel avoids high-noise discovery methods by default:

| Method              | Status        | Notes                                |
|---------------------|---------------|--------------------------------------|
| ARP-based discovery | ✅ Enabled    | Only works on local subnets (L2)     |
| ICMP/ping sweep     | ❌ Avoided    | May trigger alerts/logs              |
| Port scanning       | ✅ Controlled | Targets essential ports only         |
| DNS enumeration     | ✅ Passive    | Reverse lookups only, no brute-force |

To maintain stealth:

  • Stick with --scan-type stealth
  • Limit port range in ports.py
  • Use --resolve-hostnames sparingly if reverse DNS logging is monitored

2. Minimize Network Footprint

Tips to reduce detection:

  • Run scans slowly (consider adding throttling or sleep logic)
  • Avoid triggering IDS/IPS signatures tied to WinRM/LDAP enumeration
  • Disable modules you don't need for the objective

Use TCP SYN scans sparingly; many EDR/NDR solutions correlate these rapidly.


3. Domain Credential Hygiene

If using --kerberos-scan, ensure you:

  • Use a red team-owned low-privilege account
  • Avoid domain accounts tied to named users
  • Store credentials securely (e.g., vaults, runtime injection)

Avoid logging real passwords: NetSentinel does not log passwords, but wrapping scripts might.


4. Kerberos OPSEC

Running SPN and AS-REP scans via Impacket-based modules is inherently noisy and may trigger the following:

  • Windows Event 4768 / 4769 / 4771 (TGT/Service Ticket requests)
  • Alerting from behavior analytics (e.g., requesting many SPNs)
  • AS-REQs without pre-auth (for roastable accounts) may appear suspicious

Recommendations:

  • Use Kerberos modules only after host identification
  • Chain enumeration logic with goal-based targeting
  • Monitor your own network traffic if operating inside a sandbox
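The three event IDs and the "many SPNs" behaviour listed above are exactly what a blue team keys on, so it helps to see that detection from the other side. The following is an added example, not NetSentinel code: it parses constructed Security-log records (a simplified key=value form, not the real Windows XML, though the field names TargetUserName, ServiceName, TicketEncryptionType, PreAuthType and IpAddress follow the 4768/4769 schema) and flags one account requesting many distinct service tickets in a short window, counts how many of those were RC4 (encryption type 0x17), and lists accounts whose TGT was issued with PreAuthType=0. The window and threshold values are arbitrary assumptions.

```python
"""Added detection example (not NetSentinel code): Kerberoasting / AS-REP
roasting indicators over constructed 4768/4769 records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: one account pulling six SPNs in 25 seconds,
# one account with a TGT issued without pre-authentication, and benign noise.
SAMPLE_EVENTS = """\
2024-05-01T10:00:01 EventID=4768 TargetUserName=svc_backup PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.0.0.55
2024-05-01T10:00:03 EventID=4768 TargetUserName=bob PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.0.0.21
2024-05-01T10:01:00 EventID=4769 TargetUserName=jdoe ServiceName=MSSQLSvc/db01.corp.local:1433 TicketEncryptionType=0x17 IpAddress=10.0.0.55
2024-05-01T10:01:05 EventID=4769 TargetUserName=jdoe ServiceName=HTTP/web01.corp.local TicketEncryptionType=0x17 IpAddress=10.0.0.55
2024-05-01T10:01:10 EventID=4769 TargetUserName=jdoe ServiceName=CIFS/fs01.corp.local TicketEncryptionType=0x17 IpAddress=10.0.0.55
2024-05-01T10:01:15 EventID=4769 TargetUserName=jdoe ServiceName=ldap/dc01.corp.local TicketEncryptionType=0x12 IpAddress=10.0.0.55
2024-05-01T10:01:20 EventID=4769 TargetUserName=jdoe ServiceName=MSSQLSvc/db02.corp.local:1433 TicketEncryptionType=0x17 IpAddress=10.0.0.55
2024-05-01T10:01:25 EventID=4769 TargetUserName=jdoe ServiceName=HOST/app01.corp.local TicketEncryptionType=0x17 IpAddress=10.0.0.55
2024-05-01T10:30:00 EventID=4769 TargetUserName=alice ServiceName=CIFS/fs01.corp.local TicketEncryptionType=0x12 IpAddress=10.0.0.77
2024-05-01T10:31:00 EventID=4769 TargetUserName=alice ServiceName=ldap/dc01.corp.local TicketEncryptionType=0x12 IpAddress=10.0.0.77
"""

RC4_HMAC = "0x17"  # Ticket Encryption Type value for RC4-HMAC in 4768/4769


def parse_events(text):
    """Turn the constructed '<timestamp> key=value ...' lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *pairs = line.split()
        ev = {"timestamp": datetime.fromisoformat(stamp)}
        for pair in pairs:
            key, _, value = pair.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def find_kerberoast_bursts(events, window=timedelta(minutes=5), threshold=5):
    """Accounts that requested >= threshold distinct SPNs (4769) inside a sliding window.
    Returns {account: {distinct_spns, rc4_requests, source_ips, first_seen}}."""
    by_user = defaultdict(list)
    for ev in events:
        if ev.get("EventID") == "4769":
            by_user[ev["TargetUserName"]].append(
                (ev["timestamp"], ev["ServiceName"], ev.get("TicketEncryptionType", ""), ev.get("IpAddress", ""))
            )
    findings = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (start, _, _, _) in enumerate(reqs):
            in_window = [r for r in reqs[i:] if r[0] - start <= window]
            spns = {r[1] for r in in_window}
            if len(spns) >= threshold:
                findings[user] = {
                    "distinct_spns": len(spns),
                    "rc4_requests": sum(1 for r in in_window if r[2] == RC4_HMAC),
                    "source_ips": sorted({r[3] for r in in_window}),
                    "first_seen": start.isoformat(),
                }
                break  # one finding per account is enough for triage
    return findings


def find_asrep_roastable(events):
    """Accounts whose TGT (4768) was issued with PreAuthType=0, i.e. no pre-authentication."""
    return sorted({ev["TargetUserName"] for ev in events
                   if ev.get("EventID") == "4768" and ev.get("PreAuthType") == "0"})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("SPN bursts:", find_kerberoast_bursts(evs))
    print("No pre-auth TGTs:", find_asrep_roastable(evs))
```

Run against a real export you would feed the parser with the XML or JSON your SIEM produces instead of the constructed lines; the two detection functions do not depend on the input format beyond the field names.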

5. Logging Controls

  • Output is printed only to console; no files are written unless --export-json is used
  • All modules use a common logger, with color-coded output for visibility
  • Add your own logging backend (e.g., log to file) only in controlled environments
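The credential-hygiene note (section 3: NetSentinel does not log passwords, but wrapping scripts might) and the logging-controls note above both come down to how a wrapper script is set up. The block below is an added example, not NetSentinel code: a logger for a wrapper that redacts credential values before any handler sees them, adds a file handler only on explicit request, and reads the scan password from an environment variable populated at runtime rather than from argv or a config file. The regex shapes, the environment variable name and the flag names in the sample messages are assumptions for illustration, not NetSentinel's CLI.

```python
"""Added example (not NetSentinel code): a credential-safe logging setup for a
wrapper script around NetSentinel."""
import io
import logging
import os
import re

# Two leak shapes a wrapper commonly produces (constructed patterns, extend as needed):
#   key=value / key: value forms, e.g. "password=Hunter2" or "token: abc"
#   CLI-style flags with a separate value, e.g. "-p Hunter2" or "--password Hunter2"
KV_PATTERN = re.compile(r"(?i)\b(password|passwd|pwd|secret|token)(\s*[=:]\s*)(\S+)")
FLAG_PATTERN = re.compile(r"(?i)(--?(?:password|pass|p)\s+)(\S+)")


def redact(text):
    """Replace credential values with a marker; the key or flag stays visible for debugging."""
    text = KV_PATTERN.sub(r"\1\2[REDACTED]", text)
    text = FLAG_PATTERN.sub(r"\1[REDACTED]", text)
    return text


class RedactingFilter(logging.Filter):
    """Attached to the logger, so it runs before every handler (console and file alike)."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()  # arguments are already interpolated into msg above
        return True


def build_logger(stream=None, logfile=None):
    """Console output by default; a file handler only when explicitly requested."""
    logger = logging.getLogger("netsentinel-wrapper")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.handlers.clear()
    logger.filters.clear()
    logger.addFilter(RedactingFilter())
    handlers = [logging.StreamHandler(stream)]  # stream=None means stderr
    if logfile:
        handlers.append(logging.FileHandler(logfile))
    fmt = logging.Formatter("%(asctime)s %(levelname)s %(message)s")
    for handler in handlers:
        handler.setFormatter(fmt)
        logger.addHandler(handler)
    return logger


def load_scan_credential(env_var="NETSENTINEL_PASSWORD"):
    """Runtime injection: the password comes from the environment (set by a vault
    client or CI secret), never from argv or a config file, so it stays out of
    shell history and process listings. The variable name is an assumption."""
    value = os.environ.get(env_var)
    if not value:
        raise RuntimeError(f"{env_var} is not set; inject the credential at runtime instead of hardcoding it")
    return value


def demo_wrapper_log(messages):
    """Feed constructed wrapper messages through the redacting logger and return what was written."""
    buf = io.StringIO()
    log = build_logger(stream=buf)
    for msg in messages:
        log.info(msg)
    return buf.getvalue()


if __name__ == "__main__":
    print(demo_wrapper_log([
        "binding to DC with password=Hunter2 as svc_scan",
        "running: python3 main.py --target 10.0.0.0/24 --kerberos-scan -p Hunter2",
        "scan complete",
    ]))
```

The filter sits on the logger rather than on individual handlers so that a file backend added later under "Logging Controls" inherits the same redaction without extra configuration.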

🧪 Engagement Use Cases

NetSentinel supports a range of red team and internal pentest scenarios. Here are a few examples of how it can be applied.


๐Ÿน 1. Initial Access โ€“ Network Situational Awareness

Use Case: After initial compromise (e.g., phishing, credential stuffing), gain situational awareness of the local subnet.

Steps:

python3 main.py --target 10.0.0.0/24 --scan-type stealth

Benefits:

  • Identifies local machines with minimal noise
  • Detects services like SMB or RPC for lateral movement

🧭 2. Host Discovery with Hostname Resolution

Use Case: Discover hosts and resolve naming structure to prioritize targets (e.g., DC01, FS-PRINT, JSmith-WIN).

Steps:

python3 main.py --target 10.0.0.0/24 --resolve-hostnames

Use Tip:

  • Combine with passive DNS logs or ARP tables if available

🗂 3. Lateral Movement Prep via SMB Enumeration

Use Case: Identify unsecured or misconfigured SMB shares accessible anonymously or with low privileges.

Steps:

python3 main.py --target 10.0.0.0/24 --smb-enum

Targets:

  • Open C$ shares
  • Public or misconfigured repositories
  • Non-standard file shares that leak credentials or scripts

๐Ÿ•ต๏ธโ€โ™‚๏ธ 4. Kerberos-Based Privilege Escalation Recon

Use Case: Hunt for service accounts and users vulnerable to Kerberoasting or AS-REP roasting.

Steps:

python3 main.py --target 10.0.0.0/24 --kerberos-scan

Requirements:

  • Valid low-privileged domain credentials
  • Visibility of the domain controller via --dc-ip

Use Tip:

  • Combine with tools like GetUserSPNs.py or Rubeus for offline ticket cracking

📦 5. Offline Reporting or Handoff to Analysts

Use Case: Save scan results for reporting or handoff to another operator.

Steps:

python3 main.py --target 10.0.0.0/24 --smb-enum --export-json netsentinel-output.json

Benefits:

  • Enables deconfliction or chain-of-custody analysis
  • Reporters can inspect JSON for host/service summaries

🚫 What Not to Use It For

NetSentinel is not designed for:

  • Internet-facing scanning
  • Exploitation (no payloads are included)
  • Brute-force attacks or password spraying
  • Full LDAP/AD tree dumps

It is intended strictly for internal recon in authorized environments under a well-defined Rules of Engagement (RoE).


✅ Summary

| Goal                  | Recommended Flags         |
|-----------------------|---------------------------|
| Local subnet recon    | --scan-type stealth       |
| SMB share enumeration | --smb-enum                |
| SPN/AS-REP discovery  | --kerberos-scan           |
| Export results        | --export-json output.json |
| Add hostnames         | --resolve-hostnames       |

Use NetSentinel responsibly, and always get written authorization before scanning any network.