Red Team learning‐part 1 - ties2/Red-Team GitHub Wiki

Session 1

Module 1: Introduction

1.1: definition

Organization includes:

• digital data • people • operation

people and operation are out of scope of vulnerabilities assessment or Penetration testing, so red tram does this task and make it full this gap

the task of red team is similarity of attacks in extended scope that include people and operations

Red team should simulate TTP (tactics, technique, procedures)

tactics like recon, persist, …

technique is use to accessing the tactics

the best groups for red team are APT

the APT group create new tactics and technique during their attacking and it’s not easy

the red teamer should know:

• Computer architecture (read book about this) • network • programming (c++, python) • Thinking outside the box

the aim of red team is review of operation of monitoring and security devices and check if there are no misconfiguration of EDR, XDR, SIEM,

• Adversary emulation

normal red team is different from adversary emulation and difference is related to their scope, you just attack on special products of organization.

after about two years becoming red team, we can do adversary emulation and we should first know all current technique

the person who does adversary emulation has to expert on API call

Event Tracing for Windows (ETW) (it doesn’t active default and when active this we have log of API call and it very useful for adversary emulation) (most EDR use this features)

https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/event-tracing-for-windows--etw-

https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/etw-event-tracing-for-windows-101

Event Tracing for Windows (ETW) is a powerful tracing infrastructure built into the Windows operating system. It enables developers and system administrators to capture detailed diagnostic and performance information from various sources, including the kernel, drivers, and applications.

ETW works by instrumenting software components with providers that emit events, which are then captured by trace sessions. You can create and manage trace sessions using the Event Viewer tool, the logman command-line utility, or the Windows Performance Recorder. To use ETW, you need to have administrative privileges on the windows computer. Once you have access, you can use ETW to:

• Monitor system and application performance • Diagnose issues related to software and hardware components • Debug software applications and drivers • Analyze and optimize system performance

Some examples of ETW providers that you can use to capture diagnostic and performance information include: • Microsoft-Windows-Kernel-Process • Microsoft-Windows-NetworkProfile • Microsoft-Windows-PowerShell • Microsoft-Windows-WinINet • Microsoft-Windows-WMI-Activity

To get started with ETW, you can use the Event Viewer tool to create a custom view that filters events based on specific criteria. You can also use the logman command-line utility to start and stop trace sessions, and to configure providers and filters. Keep in mind that ETW generates a large amount of data, so it's important to use it judiciously and to analyze the results carefully to avoid overwhelming your system.

we can use this feature to detect API CALL of an exe file

when you enable this tool, you can have logs of API call of windows EDR check output of this tool

Note: it can have a heavy log

How active ETW:

Using PowerShell:

  1. Open PowerShell: • Right-click on the Start button and select "Windows PowerShell (Admin)" to open PowerShell with administrative privileges.

  2. Enable ETW Provider: • Run the following command to enable the ETW provider. Replace ProviderName with the name of the specific provider you want to enable. powershellCopy code Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Event-Trace-Provider -NoRestart • For example, to enable the general ETW provider, you can use: powershellCopy code Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Event-Trace-Provider -NoRestart

  3. Start ETW Session: • Run the following command to start an ETW session: powershellCopy code logman start MySessionName -p {Provider-GUID} 0x10 0x8000000000000001 -ets • Replace MySessionName with your desired session name, and {Provider-GUID} with the GUID of the provider you want to trace. You can find provider GUIDs in the Windows Performance Toolkit or documentation related to the provider you're interested in.

Using Command Prompt:

  1. Open Command Prompt: • Right-click on the Start button and select "Command Prompt (Admin)" to open Command Prompt with administrative privileges.
  2. Enable ETW Provider: • Run the following command to enable the ETW provider. Replace ProviderName with the name of the specific provider you want to enable. cmdCopy code DISM /Online /Enable-Feature /FeatureName:Microsoft-Windows-Event-Trace-Provider /NoRestart • For example, to enable the general ETW provider, you can use: cmdCopy code DISM /Online /Enable-Feature /FeatureName:Microsoft-Windows-Event-Trace-Provider /NoRestart
  3. Start ETW Session: • Run the following command to start an ETW session: cmdCopy code logman start MySessionName -p {Provider-GUID} 0x10 0x8000000000000001 -ets • Replace MySessionName with your desired session name, and {Provider-GUID} with the GUID of the provider you want to trace.

Note: to see GUID:

Event Viewer: • You can use the Event Viewer to view and analyze events. In the Event Viewer, select an event, right-click, and choose "Properties." The "Details" tab may include information about the provider, including the GUID.

Example:

let's walk through a simple example of enabling ETW for general provider logging in PowerShell on Windows 11:

  1. Open PowerShell as Administrator: • Right-click on the Start button and select "Windows PowerShell (Admin)".
  2. Enable ETW Provider: • Run the following command to enable the general ETW provider: powershellCopy code Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Event-Trace-Provider -NoRestart
  3. Start ETW Session: • Run the following command to start an ETW session named "MyETWSession" for the general provider: powershellCopy code logman start MyETWSession -p {E138C4E7-61F7-4CEF-9EF1-E03668100A18} 0x10 0x8000000000000001 -ets • The GUID {E138C4E7-61F7-4CEF-9EF1-E03668100A18} is the GUID for the general provider.
  4. Generate Some Events: • After starting the ETW session, perform some activities on your system to generate events.
  5. Stop ETW Session: • Run the following command to stop the ETW session: powershellCopy code logman stop MyETWSession -ets
  6. View Results: • You can use tools like tracerpt to convert the ETW log file into a readable format: powershellCopy code tracerpt MyETWSession.etl

Note: to get name of provider

Powershell -> Get-windowsOptionalFeatures -Online

Note: for disable

Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Event-Trace-Provider -NoRestart

• frequency of red team is intelligence-led (new exploit, tool, TTP)

• frequency of Adversary emulation is 2 times every year

Red team:

• software operation • hardware operation

Doing red team operation:

first, we start with software operation

software operation: • Bas (use auto tools such as cobalt strike) • make tools ourselves (need knowledge about TTP, python, WAC, C++)

Note: if we use malleable and change agent in cobalt and make custom profile it bypasses antivirus and also encrypt with python (it is fast method) and decrypt by C++

Example-1: • virtualAlloc • RtlMovememory • createthread • waitForSinfleobject

  1. VirtualAlloc: • Purpose: VirtualAlloc is a Windows API function used to reserve, commit, or decommit a region of memory. • Usage: It's often used for dynamic memory allocation, allowing a program to request a specific amount of virtual address space. Example:

LPVOID pBuffer = VirtualAlloc(NULL, dwSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

  1. RtlMoveMemory: • Purpose: RtlMoveMemory is a memory copying function in the Windows API. It's similar to memcpy in the C standard library. • Usage: Used to copy a block of memory from one location to another. Example: RtlMoveMemory(pDestination, pSource, dwSize);

  2. CreateThread: • Purpose: CreateThread is a Windows API function used to create a new thread for concurrent execution in a process. • Usage: It's used for parallelism or concurrency in a program. Example: HANDLE hThread = CreateThread(NULL, 0, ThreadFunction, lpParameter, 0, NULL);

  3. WaitForSingleObject: • Purpose: WaitForSingleObject is a Windows API function used to wait until the specified object is in the signaled state. • Usage: Often used in conjunction with threads for synchronization. Example: WaitForSingleObject(hThread, INFINITE);

Example-2: • HeapAlloc • HeapCreate • createThread • WaitForSinfloeobject

  1. HeapAlloc: • Purpose: HeapAlloc is a Windows API function used to allocate a block of memory from a specified heap. • Usage: It allows dynamic memory allocation from a heap, and it's often used when the programmer needs to manage memory explicitly. Example:

LPVOID pBuffer = HeapAlloc(hHeap, dwFlags, dwBytes);

  1. HeapCreate: • Purpose: HeapCreate is a Windows API function used to create a private heap object. • Usage: It's used when a program wants to create its own heap for managing memory. Example:

HANDLE hHeap = HeapCreate(dwOptions, dwInitialSize, dwMaximumSize);

  1. CreateThread: • Purpose: CreateThread is a Windows API function used to create a new thread for concurrent execution in a process. • Usage: Similar to the description in the previous response, it's used for parallelism or concurrency in a program. Example:

HANDLE hThread = CreateThread(NULL, 0, ThreadFunction, lpParameter, 0, NULL);

  1. WaitForSingleObject: • Purpose: WaitForSingleObject is a Windows API function used to wait until the specified object is in the signaled state. • Usage: Often used in conjunction with threads for synchronization. Example:

WaitForSingleObject(hThread, INFINITE);

we use tools that do automation operation such as cobalt strike we call this technique BAS

note: we can write API windows with python and it has library for this but when wants convert it, the file has big size it just makes it high speed in some situation

• WAC (windows API call)

there are a lot of windows API and we should learn them and also their alternative

example: process injection use alternative and when use it EDR detect it. EDR check some important windows API and know the pattern

we can put our payload on heap instead of stack and EDR doesn’t check heap

Stack: Automatic Memory Management: • The stack is used for the automatic management of local variables and function calls in a program. • Memory on the stack is automatically allocated and deallocated as functions are called and return. Heap: Manual Memory Management: • The heap is used for dynamic memory allocation, where memory is manually allocated and deallocated by the programmer. • The programmer has more control over the memory on the heap.

with this gathering this information we can do software operation

3.1 Hardware operation

in hardware filed red teamer should have one of the mini hardware such as Raspberry

https://www.raspberrypi.com/products/

we should all kind of IOT in organization

minicomputer:

• raspberry pi zero • RockPro64 • HummingBoard Pro • Cobex-12ex • NanoPi Neo2 • Pycom fipy

RF: • SDR • RTL-SDR v3 • GPS bandpass filter • nRF52840 USB Dongle

HID: • rubberducky • rduino • USBNinja • xploit Nano

Network: • NAC Bypass • pwnplug r4

Note: we can use raspberry pi for nak bypass

Book: The Hacker’s Hardware Toolkit

Note: nrf52840 dongle uses for detect IOT device and in radio frequency we need these tools

Note: zigbee is an IEEE 802.15.4-based specification for a suite of high-level communication protocols used to create personal area networks with small, low-power digital radios

in hid attack field we should use EXPLoit nano device

site: EXPLIOT

Note: this device use com instead of USB during connection and this device has another device beside that call DIVA and it use for testing like DWVA in pentesting some attack to device like parking door is simulate in this device

Note: HID (human interface device)

note: use pwn plug r3 device or r4 for network test

site: PacketFence

when use these device and modem LTE the data exit from another network and it can’t detect on SIEM

PWNIE express make hack hardware

when organization use port security it becomes hard to do hardware operation (hack)

1.2 Methodology and framework

there are some famous methodologies for red team like

• MITRE ATT&CK • Cyber kill chain • CBEST • TIBER-EU

note: one of good EDRs is carbo because it has more predefine rule Kasper EDR has 10 rules but this is having 30 rules

Note: EDR like carbon and wazuh

1.2 BAS (bridge attack simulation)

tools and framework for doing red team

such as:

• cobalt strike (with license) • caldera (open source) • infectionmonkey • Foreseeti • cymulate • attackiq • efendify

1.3 MITRE ATT&CK

https://www.google.com/search?client=safari&rls=en&q=mitre+att%26ck&ie=UTF-8&oe=UTF-8

• Reconnaissance • Resource Development • Initial Acess • Execution • Persistence • Privilege Escalation • Defense Evasion • Credential Access • Discovery • Lateral Movement • Collection • Command and Control • Exfiltration • Impact

CVE.mittre.org (technique) CWE.mittre.org (main category of attack-tactics) https://cwe.mitre.org/)

note: one of important attacks is UAF (use after free) it means a program has a lot of reference and when the program become close its reference stayed open and we use this feature most of the Linux distribution are vulnerable to this attack.

note: processhearpaderping connect mimikatz process to chrome so it gives Microsoft sign

MITRE has 14 tactics and every tactic has technique and technique has sub technique

site that we should sign up:

• Shodan (https://www.shodan.io/) • exploit.in (https://exploit.in) • zerodaylab (https://www.zdlgroup.com) • dark matter

MITRE defines a subdomain call Defend (d3fend.mitre.org)

note: klist (check it)

• Microsoft Exploit protection

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-exploit-protection?view=o365-worldwide

Module 2: BAS

two new projects: • BishopFox/sliver (GitHub)

2.1 Cobalt strike

Async Real time use http and dns for network communication

note: cobalt follow structure of C2 and the concept of C2 is agent install on system which the antivirus is disable on in the first tests

Note: main agent of cobalt is beacon

there are two types of agents: (small code that upload our payload) • stager (it can bypass antivirus and its aim is upload the main payload) • stageless (agent has all thing or almost it needs and it transfer to memory and it has high risk to detect

note: we can write our stager by about minimum 10 windows API call and when we have bypass problem, we can use alternative such as virtualalloc

note: techniques that have words like loader, dropper, reflective they use stager

Stager windows api call 10 alternatives Stageless windows api call 50

Note: cobalt recan can cover stager and stageless.

• the communication platform of cobalt is https, smb, dns for attacking and also, it can be tcp and do raw socket

note: SOC should monitor index netflow with destports 80 and method everything except POST and GET

• Malleable C2

we can change IOC with this feature and make customs profile and use this method for check security devices. We should use different profile to simulate different APT attack these changes can be on different levels like:

• HTTP Parameter • Process path • SSL Certificate • User-agent

this feature is default by we should and also if we use cobalt in default mode it makes a lot of IOC in network

• Aggressor Script

Aggressor script is a scripting language for red team operations and adversary simulations inspired by scripting IRC clients and bots and allow modify and extend Cobalt payload features

note: IOC means that how a C2 connect to their agents

note: meterpreter is a simple C2

• Team server

Is the controller for the Beacon payload and the host for Cobalt Strike’s social engineering features. The team server also stored data collected by Cobalt Strike and it manages logging

#cd cobalt #ls server client
#cd server #chmod +x Team*

Run Team Server

. /teamserver 192.168.1.149 123456

connect to team Server

then: #cd client #chmod +x cobaltstrike-client.cmd #./cobaltstrike-clinet .cmd

ip:192.168.1.49 port:50050

• Step1: Bas we use cobalt and then we should define listener (we define listener to connect to it with our payload)

menu->cobalt strike ->listeners->

you should make Beacon HTTPS, SMB, DNS and TCP in last step

note: we can use another C2 like Metasploit it means meta become agent and listener show in cobalt.

for Host Rotation we can use round-robin and it means we can give different ip to our server or take it on Cloudflare so if a C2 become down we have another C2

• Step 2:

we should make beacon (payload) note: first and simple payload is windows stager payload that provide initial access for us

menu->Payloads

• HTML Application • MS Office Macro • Stager Payload Generator • stageless Payload Generator • windows stager payload • windows stageless payload • windows stageless generate all payloads

so, we make an agent and in cobalt show like online client

note: default rule of EDR detect ALL token but we can use token ourselves

we can steal token for every process that we want and use it for our process

• security token basics:

In Windows, a security token is a data structure associated with a process that contains information about the security context of the process. The security token represents the identity and privileges of the user account associated with the process. Understanding the concept of a process token is crucial for security and access control in the Windows operating system. Here's a more detailed explanation: Security Token Basics:

  1. User Account Identity: • A security token contains information about the user account associated with the process. This includes the user's security identifier (SID), username, domain, and authentication information.
  2. Privileges: • Privileges define the specific actions that a process can perform. Examples of privileges include the ability to shut down the system, increase the process priority, or act as part of the operating system.
  3. Groups and Group Memberships: • Security tokens include information about the security groups to which the user belongs. Group memberships influence the user's effective permissions.
  4. Token Type: • There are different types of tokens, including primary tokens and impersonation tokens. Primary tokens represent the security context of a process, while impersonation tokens are used when a process acts on behalf of another user. Creating and Modifying Tokens:
  5. Logon Process: • When a user logs in, a logon process creates a security token for the user. This token encapsulates the user's identity and privileges.
  6. Token Duplication and Impersonation: • Processes can duplicate an existing token, allowing them to run with the same security context. Impersonation involves temporarily adopting the security context of another user or process.
  7. Adjusting Privileges: • Processes can adjust their privileges by modifying their security token. This is often done during elevation of privileges or when specific actions require additional permissions. Access Control:
  8. Access Checks: • Security tokens are crucial for access control checks. When a process attempts to access a resource, the system checks the permissions granted to the user in the process's security token.
  9. Token-Based Access Control Lists (ACLs): • Resources, such as files or registry keys, may have ACLs that specify which users or groups have permission to access them. The security token is used to determine if a process has the necessary permissions. Token Manipulation API Functions: Windows provides a set of API functions for working with security tokens. Some of the key functions include: • OpenProcessToken: Retrieves the access token for a specified process. • DuplicateToken: Creates a new token that duplicates an existing token. • AdjustTokenPrivileges: Adjusts the privileges of an access token. Security Implications: Understanding and managing security tokens is crucial for security-related operations, such as privilege escalation, user impersonation, and access control. Security tokens play a central role in maintaining the integrity and security of the Windows operating system.

note: caldera and phoenix are for mac and cobalt use for windows

note: we can make change to token if credential guard is not active on windows

note: how we check we access to special process?

we use cmd->tasklist /V

note: if we want to connect to process which we don’t have access to it, we should do privilege escalation

note: we see in log that it performs sleep technique between every window API call when it run so the security protection can’t find this

note: in EDR it checks if open process runs and then the virualt alloc next writeprocesstomemory and creatto… become run so block this

when agent disappear in cobalt framework, we first doing net view to detect range ip

pivoting and lateral movement

note: what is a difference between pivoting and lateral movement?

note: pivoting means you open port on system that you get access from it with different (port forward) technique like socks proxy but lateral movement means you move to another system with exist open ports on system

note: different web proxy and socks proxy is port, with web proxy you have just http protocol but with socks we have all protocols

for example, connect with socks by port 5019 to windows:

To connect to a Windows machine using a SOCKS proxy on port 5019, you'll need to follow a few steps. Here, I'll outline the general process using a tool called ssh for creating a SOCKS proxy and connecting to it. Please note that you'll need an SSH server running on the Windows machine.

  1. Install an SSH Server on Windows: • You can use an SSH server implementation for Windows, such as OpenSSH. You may need to install the OpenSSH Server feature on your Windows machine. • To install OpenSSH Server on Windows, you can use PowerShell: powershellCopy code Install-WindowsFeature -Name OpenSSH.Server • Start the SSH server: powershellCopy code Start-Service sshd You may want to set the service to start automatically: powershellCopy code Set-Service -Name sshd -StartupType 'Automatic'
  2. Configure SSH Server: • Optionally, you can modify the SSH server configuration (sshd_config) to customize settings. The configuration file is usually located in C:\ProgramData\ssh on Windows.
  3. Create a SOCKS Proxy: • Use ssh to create a SOCKS proxy on your Windows machine. Run the following command in a terminal or command prompt: bashCopy code ssh -N -D 5019 username@windows_machine_ip Replace username with your Windows username, and windows_machine_ip with the actual IP address of your Windows machine. This command establishes an SSH connection with the -D option, which creates a SOCKS proxy on the specified port (5019 in this case). The -N option tells ssh not to execute any commands.
  4. Configure Applications to Use the SOCKS Proxy: • In the applications you want to use with the SOCKS proxy, configure the proxy settings to use localhost or 127.0.0.1 as the SOCKS proxy server and 5019 as the port. • The exact steps to configure proxy settings depend on the specific application you're using. For web browsers, you can usually find proxy settings in the network or connection settings. Details:

Pivoting, in the context of computer security, refers to the technique of using one compromised system to attack another system within the same network. When combined with a SOCKS proxy, pivoting allows you to route traffic through an intermediary system to reach other systems in the network. Here's a step-by-step guide on how to set up pivoting and forward ports using a SOCKS proxy: Prerequisites:

  1. Two Machines: • A compromised machine (Machine A) with SSH access. • A target machine within the same network (Machine B) that you want to connect to.
  2. SSH Server: • Ensure that an SSH server is running on Machine A. Steps:
  3. Establish SOCKS Proxy: • On Machine A, create a SOCKS proxy using SSH: bashCopy code ssh -N -D 1080 username@machine_a_ip Replace username with your username on Machine A, and machine_a_ip with the IP address of Machine A.
  4. Port Forwarding: • On Machine A, forward a port from Machine B through the SOCKS proxy: bashCopy code ssh -L 8080:machine_b_ip:80 username@machine_a_ip Replace machine_b_ip with the IP address of Machine B.
  5. Connect to Forwarded Port: • On your local machine, use a web browser or any tool that supports SOCKS proxies to connect to the forwarded port (e.g., 8080). For example, if you're using a web browser, configure the proxy settings to use SOCKS5 with localhost or 127.0.0.1 and port 1080. Then, access http://localhost:8080 in your browser. Explanation: • Step 1: Creates a SOCKS proxy on Machine A that listens on port 1080. • Step 2: Forwards traffic from port 8080 on your local machine to port 80 on Machine B through the SOCKS proxy. • Step 3: Connect to the forwarded port (e.g., http://localhost:8080) to access the service on Machine B as if it were running locally. This setup allows you to access services on Machine B through the SOCKS proxy on Machine A. Keep in mind that this approach assumes you have SSH access to Machine A and proper permissions to pivot and forward ports.

when net view task become finish, we can do port scan

we can do port scan on port 445, Arp scan we should in SOC if it detects this or not

after port scan we check result with menu->view->Targets

the compromised system which we install agent on it, show with red color

then we test lateral movement with different way: jump: • psexec • psexec64 • psexec_psh • ssh • ssh-key • winrm • winrm64

PsExec and PsExec64 are tools from Sysinternals (now part of Microsoft) that allow for remote command execution on Windows systems. They enable administrators to run processes on remote systems, providing a powerful and flexible way to manage Windows machines. PsExec_psh is an adaptation of PsExec that integrates with PowerShell. SSH is a standard protocol for secure remote access to Unix-like systems, and ssh-key refers to a public-private key pair used for authentication in SSH. On the Windows side, WinRM and WinRM64 (Windows Remote Management) facilitate management tasks, allowing remote execution of PowerShell commands and scripts. These tools are essential for system administrators and security professionals, enabling efficient and secure remote management of both Windows and Unix-like systems. Proper security measures, such as encryption and authentication, should be implemented when using these tools in production environments.

we start with psexec:

because we don’t have user and password, we chose use current process

finally, we take complete report

• stageless payload generator

note: system call has two method, direct and indirect

we have two parts in windows, user land and kernel land

the border between userland and kernel land is ntdll.dll and win32k.sys

when you write an application you use user32.dll or kernel32.dll, you use their functions

and under kerne32.dll, there is openprocess function this method is indirect

because these dll functions can’t connect direct to kernel and first connect to ntdll.dll

and EDR detect and deny it

but when you call function of ntdll.dll like nt create process this method is direct and it’s hard to detect by security device

• Malleable C2 (customs profile)

we can customs cobalt profile and change a lot of things like useragent, sleep, default behavior...

note: we can find customs cobalt profile on GitHub

https://github.com/threatexpress/random_c2_profile

we can add different profile to cobalt and we see for example different types of user agent like jitter

sample of APT 29 profile:

https://github.com/xx0hcd/Malleable-C2-Profiles/commit/2061553d12ea3f1954477e216843ebbe83be43f9

Random C2 Profile Generator

https://github.com/threatexpress/random_c2_profile

Createromotethread: put shell code to memory of another and process and do threat to run the shell

https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createremotethread

or use native in search:

• Createremotethread native api • Createremotethread undocumented api

https://cocomelonc.github.io/tutorial/2021/12/06/malware-injection-9.html

• CTI cyber threat intelligence tools and CTI is a separate team from SOC one of CTI’s task about review of signature and we change signature to prevent to detecting

in CTI use tools such as MISP MISP can feed with different resource such as fire eye, OSSIN, crowd… IOC is on MISP by default and we should integrate it with SIEM

• Hipe is an IMS tools

2.2 Caldera

another tools in Bas field

MITRE caldera is a cybersecurity platform designed automate adversary emulate, assist manual red-teams, and automate incident response, it is built on the MITRE ATT&CK framework and is an active research project at MITRE

https://github.com/mitre/caldera

installing Caldera

Git clone https://github.com/mitre/caldera

pip3 install -r requirements.txt

Running Cladera

#python3 server.py –insecure

there are three types of agents in caldera:

• Sandcat (54ndc47): A Golang agent which communicates through HTTP, Git, or P2P over SMB contacts • Manx: A Golang agent which communicates via the TCP contact and functions as a reverse-shell • Ragdoll: A python agent which communicates via the HTML contact

Note: in SO we should check google cloud or site simulate trust but not hacker can use cloud domain and in soc we should monitor traffic of git

Abilities: An ability is a specific ATT&CK tactics/technique implementation which can be executed on running agents. Abilities will include the command(s) to run

Adversaries: Adversary profiles are groups of abilities, representing the tactics, techniques, and procedure (TTPs) available to a threat actor. Adversary profiles are used when an operation to determine which abilities be executed

Operation: Operations run abilities on agent groups. Adversary profiles are used to determine which abilities will be run and agent groups are used to determine which agents the abilities will be run on

note: communication platform by Sandcat is on http, git or SMB over p2p

note: Sandcat agent ->you can check git traffic in your network and detect malicious traffic

• make new agent: note:check training caldera example: use sandcat

• make adversary we make some ability and group in adversary

• Operation Run adversaries

note: you can define your C2 on google cloud (aws Microsoft, amazon, Cloudflare…)

so, when we see domain with …. google.com it can be malicious and hacker buy x.google.com

we should check the structure of the connection:

• src • dest • packet size • content packet • ioc in connection

note: search about tcp connection note: we use sancat for first red team operation note: we can use name of common agent like splunkd for splunk

note: we can’t use abilities because of Adversaries, we should use adversaries for integrate different abilities for test a MITRE tactics

for example: you want do privilege escalation, in this field there is subtitle which call access token manipulation. for test this we make a adversary

review:

• BAS

• cobalt strike Beacons Malleable • Caldera agent abilities adversary operation CALDERA benefits Create ability Adversary -> New profile -> cleanup ->executera Creating a user called blue

• MITRE navigator It can be used to visualize defensive coverage, red/blue team planning, the frequency of detected techniques, and more. note:we can log in in caldera with blu user and checl log of attacks https://mitre-attack.github.io/attack-navigator/

Module 3: Initial Access 3.1 hardware initial access Initial Access with Hardware note: hackpie First scenario: direct access to the network node we use raspberry device with modem LTE

note: with some tools like solar or manage engines we can scan our network and maybe we find a raspberry device with his mac address but it can change mac already

in above scenario the script run on raspberry and make a tunnel to VPS, then we run ssh from VPS to raspberry and now we can see the target network note: we should omit additional node on network second scenario: insert hardware tools on network on inline mood

third scenario .. Jr1-6

3.2 Exploit public facing

Jr1-7

for search exploit for public exploit, we use these sites:

https://sploitus.com/

https://vulners.com/

first, we search in above sites for exploit of technologies we considered

If we want to find minio that vulnerable we use shodan

note: use Shodan site by command line and don’t login

• CVE-2022-1388

https://github.com/qusaialhaddad/F5-BigIP-CVE-2022-1388

how use shodan:

• http title • icon product(hash) • vuln

we want to give shell from f5

shodden:

http.title:"BIG-ip&reg" port:"443"

we check some site such as sploitus to find exploit and then check github and finally we can use Metasploit to exploit or other way to run exploit

maybe we have a lot of problems such as find a propriate exploit and maybe we should change it or maybe the server is not accessible from outside

note: we can check accessible of site from outside by some sites

http://pingb.in/

this site send request to server check if server has connection to outside or not

jr1-9

note: method of give shell access on cisco (initial access on cisco)

telnet -l

A bind shell is a type of shell in computer security that opens a network socket and "binds" itself to it, waiting for an incoming connection from a remote client. When a connection is established, the bind shell allows the remote client to interact with the system's command shell or execute commands on the target system. In other words, it provides a network-based command-line interface to the system. Bind shells are often used by attackers as a means of gaining unauthorized access to a system. Once a bind shell is established on a victim's machine, the attacker can remotely control and manipulate the system by sending commands over the network.

various types of shells are used, each serving different purposes. Here are some common types:

  1. Command Shells: • Bourne Shell (sh): The original Unix shell. • Bash (Bourne Again Shell): An enhanced version of the Bourne Shell and one of the most widely used.
  2. Scripting Shells: • Python Shell (IDLE): An interactive shell for the Python programming language. • PowerShell: A task automation framework from Microsoft, used primarily for system administration.
  3. Remote Shells: • SSH (Secure Shell): A protocol for secure remote login and command execution. • Telnet: An older protocol for remote terminal access, now largely replaced by SSH due to security concerns.
  4. Web Shells: • PHP Shell: A web-based interface allowing command execution on a server. • ASP Shell: Similar to PHP shell but written in Active Server Pages.
  5. Reverse Shells: • Reverse Shell: Connects back to the attacker's machine, often used in penetration testing for remote access.
  6. Bind Shells: • Bind Shell: Listens on a specific network port and waits for incoming connections, allowing remote control.
  7. Restricted Shells: • rbash (Restricted Bash): A restricted shell for limiting user access in a Unix-like operating system.
  8. Container Shells: • Docker Shell (docker exec): Allows running commands inside a Docker container. • Kubernetes Shell (kubectl exec): Permits executing commands in a Kubernetes pod.
  9. Exploitation Shells: • Meterpreter: A post-exploitation shell used in the Metasploit framework. • Empire: A post-exploitation framework with a focus on PowerShell.

-write script for get info from shodan and then check every ip by our special command and make report

Note: shodan has library in script we set out API-KEY in script and command, we can upload payload in sever and make a url and define url of different exploit

Sample: import requests

def search_shodan(query, api_key): url = "https://api.shodan.io/shodan/host/search" params = { "query": query, "key": api_key } response = requests.get(url, params=params) if response.status_code == 200: return response.json()["matches"] else: print(f"Error searching Shodan: {response.text}") return None

def get_vulnerable_ips(vulnerable_data): vulnerable_ips = [] for item in vulnerable_data: vulnerable_ips.append(item["ip_str"]) return vulnerable_ips

def main(): api_key = "YOUR_API_KEY" query = "port:8080 cve:2020-1234"

vulnerable_data = search_shodan(query, api_key)
if vulnerable_data is not None:
    vulnerable_ips = get_vulnerable_ips(vulnerable_data)
    print("Vulnerable IPs:")
    for ip in vulnerable_ips:
        print(ip)

if name == "main": main()

proxyshell exchanage cve-

• nuclei

it is an open-source tool that can be customized and extended using YAML and DSL templates to scan for vulnerabilities in various network protocols and services, including TCP, SSH, DNS, HTTP, SSL, and more. Nuclei's versatility and flexibility allow it to be used in various security assessment workflows, such as testing for exposed API tokens, enumerating usernames, and testing for specific CVEs. In summary, while Nuclei is primarily used for web penetration testing, it can be customized and extended to scan for vulnerabilities in various network protocols and services, making it a valuable tool for various security assessments beyond web pentesting. You can give output from shodan and give nuclei for test

To write a Python program that uses Shodan to get a list of hosts and then sends the output to Nuclei for vulnerability checking, you can follow these steps:

  1. Install the required libraries: You will need to install the shodan and requests libraries in Python. You can install them using pip: pip install shodan requests

  2. Get your Shodan API key: Sign up for a Shodan account and get your API key from the Shodan website.

  3. Write the Python program: Here's an example Python program that uses Shodan to get a list of hosts and then sends the output to Nuclei for vulnerability checking:

import shodan import requests

Set your Shodan API key here

SHODAN_API_KEY = "your_shodan_api_key_here"

Set the search query here

search_query = "org:your_org_name"

Initialize the Shodan API client

api = shodan.Shodan(SHODAN_API_KEY)

Search Shodan for hosts

results = api.search(search_query)

Extract the IP addresses of the hosts

hosts = [result['ip_str'] for result in results['matches']]

Set the URL for the Nuclei API

nuclei_url = "http://localhost:9393/v1/scan"

Set the Nuclei template URL

template_url = "https://github.com/projectdiscovery/nuclei-templates/raw/master/protocols/rcon-command.yaml"

Send the hosts to Nuclei for vulnerability checking

for host in hosts: data = { "url": f"http://{host}", "templates": [template_url] } response = requests.post(nuclei_url, json=data) print(f"Scan results for {host}: {response.text}") Replace your_shodan_api_key_here with your Shodan API key and your_org_name with your organization name. This program searches for hosts in your organization and sends them to Nuclei for vulnerability checking using the rcon-command.yaml template. 4. Run the Python program: Save the Python program to a file (e.g., shodan_to_nuclei.py) and run it using the following command:

python shodan_to_nuclei.py

This will search for hosts in Shodan and send them to Nuclei for vulnerability checking. The results will be printed to the console. Note: This is just an example program. You can modify it to suit your needs and use different Nuclei templates for vulnerability checking. Also, make sure that the Nuclei server is running and accessible at the URL specified in the nuclei_url variable.