Red Team Training by Mr.Un1k0d3r
Notes from the training given by Mr.Un1k0d3r (Charles F. Hamilton)
I had the chance to follow this training as part of the NorthSec 2021 edition.
Initial foothold
Recon & OSINT
The objective here is to collect as much information as we can about our target. We might want an exhaustive enumeration of all services and assets that our target has exposed on the Internet, as well as information about the employees of the company. We want to pay closer attention to services and portals from which we could gain an internal network entrance.
DNS Enumeration
Recursive DNS enumeration.
It is recommended not to perform DNS Enumeration from a server we own to avoid IP leakage.
Certificate Enumeration
Inspect the certificates to identify DNS entries and other information related to the company.
Search the Subject Alternative Names to find extra domains owned by the company.
Search Engine
Perform Google Dorking with the three main search operators: inurl:, intext: and site:.
TruffleHog can be used to find accidentally leaked secrets on GitHub.
Use Shodan and/or Censys to find assets owned by the target.
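The TruffleHog mention above is about finding secrets that were pushed to GitHub by accident. As an added example (not code from the training or from Mr.Un1k0d3r), here is a minimal scanner in the same spirit that a team can run over its own commits before they are pushed: it combines a few known credential shapes (the AWS access key id prefix and quoted password assignments) with the Shannon-entropy heuristic TruffleHog popularised for hex and base64 runs. The sample lines, the regular expressions and the entropy thresholds are constructed assumptions for the example; the AWS key used is the documented placeholder value.

```python
"""Minimal leaked-secret scanner in the spirit of TruffleHog (added example)."""
import math
import re

# Constructed sample lines standing in for a diff under review; the AWS key is
# the documented placeholder key and the other values are made up.
SAMPLE_LINES = [
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'db_password = "hunter2"',
    'token = "c3a9f1e2b7d84c5e9f0a1b2c3d4e5f6a7b8c9d0e"',
    "print('hello world')",
]

# Known-shape credentials that a regular expression can recognise directly
# (assumed patterns for the example, not an exhaustive rule set).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(
        r"(?i)(password|passwd|pwd|secret)\s*[=:]\s*['\"][^'\"]{4,}['\"]"
    ),
}

HEX_CHARS = set("0123456789abcdefABCDEF")
BASE64_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")
# Assumed thresholds (TruffleHog's classic ones): hex runs are flagged above 3.0
# bits per character, base64 runs above 4.5, for runs of at least 20 characters.
MIN_RUN = 20
HEX_THRESHOLD = 3.0
BASE64_THRESHOLD = 4.5


def shannon_entropy(data):
    """Bits of entropy per character of a string."""
    if not data:
        return 0.0
    entropy = 0.0
    for symbol in set(data):
        p = data.count(symbol) / len(data)
        entropy -= p * math.log2(p)
    return entropy


def charset_runs(line, charset, min_len=MIN_RUN):
    """Maximal substrings of line drawn only from charset, at least min_len long."""
    runs, current = [], ""
    for ch in line + "\n":          # the sentinel flushes the final run
        if ch in charset:
            current += ch
            continue
        if len(current) >= min_len:
            runs.append(current)
        current = ""
    return runs


def scan_line(line):
    """Return (kind, value) findings for one line of text."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(line):
            findings.append((kind, match.group(0)))
    hex_runs = [r for r in charset_runs(line, HEX_CHARS) if shannon_entropy(r) > HEX_THRESHOLD]
    findings += [("high_entropy_hex", r) for r in hex_runs]
    for run in charset_runs(line, BASE64_CHARS):
        # A hex string is also a valid base64 run; do not report it twice.
        if run not in hex_runs and shannon_entropy(run) > BASE64_THRESHOLD:
            findings.append(("high_entropy_base64", run))
    return findings


def scan_lines(lines):
    """Scan an iterable of lines; line numbers in the report are 1-based."""
    report = []
    for number, line in enumerate(lines, start=1):
        for kind, value in scan_line(line):
            report.append({"line": number, "kind": kind, "value": value})
    return report


if __name__ == "__main__":
    for finding in scan_lines(SAMPLE_LINES):
        print(f"line {finding['line']}: {finding['kind']} -> {finding['value']}")
```

On the sample input the AWS key is caught by its prefix pattern, the password by the assignment pattern, and the 40-character hex token only by entropy; the plain `print` line produces nothing. The entropy heuristic is noisy on real repositories (hashes in lock files, UUIDs), which is why tools like TruffleHog pair it with verification of the candidate against the issuing service.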
Services portals
Service portals can be leveraged to penetrate an internal network (Citrix, OWA, VPN, F5, Fortinet, Cisco, etc.). We can look for exploits to compromise these services or use collected credentials.
We can try to password spray those portals and determine whether they are backed by Active Directory under the hood.
Port scanning using nmap
Scan only a list of common ports.
Use a proxy when scanning to hide your IP address.
The -sT option is recommended so that our traffic looks legitimate: our scan traffic blends in with the normal scanning traffic that floods the Internet every day, so we might stay stealthy.
Web application snapshot fly over
Use the nmap output with tools such as aquatone, eyewitness, gowitness, etc. to get a better overview of your web attack surface.
Exchange Web Services endpoints
Check for EWS (Exchange Web Services) endpoints. Patterns look like: https://your.target/EWS/Exchange.asmx
Harvesting credentials and users
Check for Github information leakage and use advanced search terms such as org:
Do not forget to check for commits as it might reveal some interesting information!
Also check leaked databases.
Inspecting Job Offers
Check for tech job offers by the company, as they may reveal some of the technologies in use by the organization.
Phishing
Pretext (new policy) vs Context (ex: Covid).
Email spoofing - SPF, DMARC and DKIM
Test this script from Mr. Un1k0d3r to spoof SPF policy. We might be able to send an email using the company domain if DNS policies are not properly enforced.
Check if the SPF simply allows emails from a popular mail sender such as Sendgrid. This makes the SPF, DKIM and DMARC policies useless, since all emails sent from Sendgrid are allowed.
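To turn the SPF and DMARC observations above into a check a defender can run against their own records, here is an added example (not code from the training, not Mr.Un1k0d3r's script) that parses one SPF and one DMARC TXT record offline and reports the weak settings discussed: a '+all' or '?all' mechanism, an include of a shared bulk-sending service such as Sendgrid, and a DMARC policy of none or quarantine. The sample records, the THIRD_PARTY_SENDERS list and the domain name are constructed assumptions; a real check would fetch the records over DNS and follow include and redirect chains.

```python
"""Offline SPF/DMARC posture check (added example; does no DNS lookups)."""

# Constructed sample TXT records for an assumed domain; not real records.
SAMPLE_RECORDS = {
    "example.com": "v=spf1 include:sendgrid.net ip4:203.0.113.0/24 ~all",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}

# Assumed list of shared bulk-sending services: an include of one of these lets
# any customer of that service pass SPF for the domain unless the service
# restricts which envelope senders each customer may use.
THIRD_PARTY_SENDERS = {"sendgrid.net", "mailgun.org"}


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, value) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # the implicit qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if "=" in term:                      # modifier, e.g. redirect=_spf.example.net
            mechanism, _, value = term.partition("=")
        else:                                # mechanism, e.g. ip4:203.0.113.0/24
            mechanism, _, value = term.partition(":")
        parsed.append((qualifier, mechanism.lower(), value))
    return parsed


def spf_findings(record, third_party=THIRD_PARTY_SENDERS):
    """Return human-readable weaknesses found in an SPF record."""
    findings = []
    terms = parse_spf(record)
    for qualifier, mechanism, value in terms:
        if mechanism == "all":
            if qualifier == "+":
                findings.append("'+all' lets any host pass SPF")
            elif qualifier == "?":
                findings.append("'?all' is neutral: unlisted hosts neither pass nor fail")
        elif mechanism == "include" and value.lower() in third_party:
            findings.append(f"include:{value} authorizes a shared sending service")
    if not any(m in ("all", "redirect") for _, m, _ in terms):
        findings.append("no 'all' mechanism: unlisted hosts get a neutral result")
    return findings


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict with lower-case tag names."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record):
    """Return human-readable weaknesses found in a DMARC record."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["no valid DMARC record: receivers have no policy to enforce"]
    findings = []
    policy = tags.get("p", "none")          # p is mandatory; treat a missing one as none
    if policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam instead of being rejected")
    pct = int(tags.get("pct", "100"))
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: the policy applies to only {pct}% of messages")
    if "rua" not in tags:
        findings.append("no rua tag: aggregate reports about spoofing attempts are not collected")
    return findings


def assess(domain, records=SAMPLE_RECORDS):
    """Combine the SPF and DMARC findings for one domain."""
    return {
        "spf": spf_findings(records[domain]),
        "dmarc": dmarc_findings(records.get("_dmarc." + domain, "")),
    }


if __name__ == "__main__":
    for kind, items in assess("example.com").items():
        print(kind.upper(), items or ["no findings"])
```

The sample domain comes back with two findings: the Sendgrid include and a DMARC policy of none, which together match the scenario the notes describe. A soft fail ('~all') is deliberately not reported, because once DMARC enforces a reject policy a softfail result already fails DMARC's SPF check.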
Leverage Office 365 to send phishing email
When registering a domain on GoDaddy, ask for the option to spawn an Office 365 mailbox. Emails sent from Office 365 are more likely to be trusted by the company. If we cannot leverage Office 365, try another trusted email service.
Warm up the domain by sending daily emails to inboxes you own a few days before the engagement. Sending emails to inboxes that will not be reported, days before the engagement, can help avoid being flagged as a malicious sender by the client.
Obfuscate the payload
We can obfuscate our payload endpoints by using the mod_rewrite (redirect) module in Apache. We can also obfuscate the link by concatenating the URL, or by writing a JS script that loads the web page or the payload only when the user clicks the link.
Domain name
Use the company name as a subdomain instead of typosquatting. For example, we might want to create a fake Human Resources service and add the company name as a subdomain. People are used to seeing their company name as a subdomain of different services.
Example: https://gosecure.humanresources.com
It is possible to buy an already categorized domain name that expired or that has already gained a good reputation.
The main trick for domain reputation is to let your domains age, which can take quite a long time. If our domain is too new, it might be categorized as a newly created domain and proxies will block access.
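The subdomain trick above works because readers anchor on the company name and not on the registrable domain. As an added example (not part of the training notes), here is the check a mail gateway or link-triage script can apply from the defender's side: extract the registrable domain of a link's host, compare it against the domains the organisation actually owns, and flag any link where the company name appears under a domain that is not on that list, so that https://gosecure.humanresources.com is reported as external rather than trusted. The ORG_NAME, ORG_DOMAINS and MULTI_LABEL_SUFFIXES values are assumptions for the example; a production tool would use the full public suffix list.

```python
"""Flag links that carry the company name under a domain the company does not
own (added example, written from the defender's side)."""
from urllib.parse import urlsplit

# Assumed for the example: the name users know the company by, and the
# domains it actually owns.
ORG_NAME = "gosecure"
ORG_DOMAINS = {"gosecure.net"}

# Assumed: a few multi-label public suffixes so that registrable_domain() handles
# hosts like mail.example.co.uk; a real tool would load the public suffix list.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}

# Constructed sample links, including the one from the notes.
SAMPLE_LINKS = [
    "https://gosecure.humanresources.com/login",
    "https://hr.gosecure.net/",
    "https://mail.example.co.uk/",
    "https://gosecure-benefits.example.org/",
]


def registrable_domain(host):
    """The part of a hostname a registrar actually sells, e.g. 'humanresources.com'."""
    labels = host.lower().rstrip(".").split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_len + 1):])


def classify_link(url, org_name=ORG_NAME, org_domains=ORG_DOMAINS):
    """'owned' for the company's own domains, 'external_with_org_name' when the
    company name appears in a host the company does not own, else 'external'."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return "invalid"
    if registrable_domain(host) in {d.lower() for d in org_domains}:
        return "owned"
    if org_name.lower() in host:
        # The brand is in the host but the registrable domain is someone else's:
        # exactly the "company name as a subdomain" pattern.
        return "external_with_org_name"
    return "external"


def triage(links):
    """Map each link to its classification so flagged ones can be reviewed."""
    return {url: classify_link(url) for url in links}


if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_LINKS).items():
        print(f"{verdict:24} {url}")
```

The same registrable-domain comparison is what makes an allowlist of owned domains robust: the brand name alone is never treated as evidence of ownership, only the domain the registrar sold.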