In this post, I would like to talk about red team techniques and tactics to achieve their goals, to organize ourselves we will use the Cyber Kill Chain. If you are not familiar with it here you can read more about it!
Reconing: To attack something first we need a target right? Reconing has many types but for simpleness, we will reduce this to active and passive reconing.In very simple terms, passive reconing is when we are NOT interacting directly with the company for example we gather information passively via WHOIS lookups, using search engines like google or searching for employee names and email addresses.
On the other hand, active reconing is when we are interacting with the target company by scanning their public IP, enumerating the subdomains of their website or simply talking to one of their employees to extract some data from them about the company.
Planning, reconing and enumeration is the most important part of an attack or a pentest and usually takes the most time of an engagement. Techniques used in this phase can be OSINT, HUMINT (extracting data from humans via social engineering), physical recon or using social media (on Linkedin sometimes you can find the full employee list and hierarchy of the company).
Firstly you collect as much data as possible and then analyze it, so the data will become information then you analyze the information which will be intel. In a war, intel can be the location and number of the enemy or patrolling routes. In cyber intel can be the OS of a server, the version number of the service running on it or the version number of the application providing that service.
In this phase we can use tools for passive scanning like the OSINT framework, WHOIS lookups, Public IP and DNS information, social media (Linkedin, Facebook, Instagram), and haveibeenpwned to look for exposed credentials. I would put searching for public exploits here, too.
For active scanning, we have everyone’s favourite: NMAP. But there are more techniques and programs out there like: fuzzing, social engineering, subdomain and directory enumeration for the company website, we can email an employee who is willing to expose data from the data or just simply ping one of their servers to see if it’s up and running.
Weaponize: After this, we arm ourselves with a public exploit and modificate it or develop one if we have sufficient time and funds. Our payload can be stateless or staged. Stateless means that a single payload containing the exploit and full shell code for the selected task while staged payloads send the stager first which connects back to the attacker and downloads the rest of it. The first option is more stable because we have the whole exploit in one file and the second one helps us with evading detection.
Also, for more evasion techniques we can use encryption or packing.Explaning these techniques are out of the scope of this post but i highly recommend you to do your own research.
Delivery: Okay, we have our targets and our scripts, now it’s time to deliver our exploit.But how? Well, we can use a Watering Hole attack which is compromising a website which is frequently visited by the company employees and tricking them to download it. We can go inside the company using social engineering techniques and just installs it. We can do an email phishing campaign where we send our payload attached to the emails, drop an USB containing it in the parking of the company and many many more.
Exploitation, Installation, C2 and Actions on objectives: So our payload was delivered and now we are waiting. When the user visits an infected website, executes our malware or plugs a USB with malicious code in his computer we jump into this phase. In practice, we just waiting for the exploit the connect back to ourselves for further exploitation. After the malware connects back to us we can use lateral movement, privilege escalation, and install ransom or disruptive malware. Moreover, we can start to exfiltrate data via SSH, HTTPS, RDP, BITS, and DNS. As you can see we have tons of options to damage a company.
This was all for today, if you can get only one thing out of this post then I ask you that will be the importance of reckoning. Without a proper reconossiance attacking is like hitting a needle with a ball from 20 m, with proper recon it would be the same just you will have to hit a house not a needle. 🙂
