Red team core tools: an introduction

During a red team engagement we rely on a handful of core tools. This post introduces the common ones.

 

Metasploit Framework:

  Although the Metasploit Framework was originally developed in 2003, it is still an excellent tool. That is because its original developer, HD Moore, and a very active community continue to support it. This community-driven framework seems to be updated almost daily with exploits for the latest public vulnerabilities, plus post-exploitation modules, auxiliary modules and so on.

  In a red team project we might use Metasploit's MS17-010 (EternalBlue) exploit against a vulnerable internal system to get our first shell on the network, or use Metasploit to generate a Meterpreter payload for a social engineering attack.

  Specific usage will be covered in detail later.

 

Cobalt Strike:

  Cobalt Strike is by far my favourite red team / adversary simulation tool. What is Cobalt Strike? It is a tool for persistent post-exploitation, lateral movement, hiding traffic and data theft. Cobalt Strike has no exploits of its own, and it does not compromise systems with the latest 0-day vulnerabilities. Once you have run its malicious code on a server, or used it as part of a phishing campaign, you will appreciate how extensive and powerful its functions are. When the Cobalt Strike payload executes on a machine, it creates a Beacon (a remote-control implant) that connects back to the C2 server (the team server).

  A new Cobalt Strike licence costs $3,500 per user per year, so it is not a cheap tool. The software does have a limited free trial. (A later tutorial will provide a cracked version.)

 

Cobalt Strike the Aggressor script

  The Cobalt Strike project has many contributors. Aggressor Script is the scripting language for red team operations and adversary simulation built into Cobalt Strike, inspired by scriptable IRC clients and bots. Its purpose is twofold:

  1. You can create long-running bots that simulate virtual red team members, hacking alongside you.

  2. You can also use it to extend and modify Cobalt Strike's built-in functions and the client's presentation to suit your needs. Official page: https://www.cobaltstrike.com/aggressor-script/index.html

  Example: HarleyQu1nn's project collects a variety of Aggressor scripts you can use in later exploitation: http://bit.ly/2qxIwPE

 

PowerShell Empire

  Empire is a post-exploitation framework that contains a pure-PowerShell 2.0 Windows agent and a pure-Python 2.6/2.7 Linux / OS X agent. It is the merger of the earlier PowerShell Empire and Python EmPyre projects. The framework offers cryptographically secure communications and a flexible architecture. On the PowerShell side, Empire can run PowerShell agents without needing powershell.exe. It has many post-exploitation modules that can be deployed quickly, from keyloggers to Mimikatz, and its network communications can be adapted to evade detection. All of this is wrapped in a framework focused on usability.

  For red team operators, PowerShell is one of our best friends. Once the initial payload has run, all subsequent attacks stay in memory. The best thing about Empire is that its developers actively maintain and update it, so you can use the latest post-exploitation modules in your attacks. It also has C2 connectors for OS X and Linux, so you can still create a Mac-based Office macro which, when executed, gives us a new agent in Empire.

 

dnscat2

  Outbound traffic at the network edge is usually tightly restricted, but DNS requests (UDP port 53) usually are not. dnscat2 uses the DNS protocol to create an encrypted tunnel to a C2 server, so the tunnel works on almost any network.

  dnscat2 consists of two parts, a client and a server. A DNS-based C2 channel provides a good way to hide your traffic, evade network sensors and bypass network restrictions. In many restrictive or production environments we run into networks that either do not allow outbound traffic at all, or strictly limit or monitor it. To get around these protections we can use a tool like dnscat2. The reason we care about dnscat2 is that it provides shell access and data transfer without requiring root privileges. In many secure environments, direct outbound TCP or UDP is restricted. Why not take advantage of the services the infrastructure already has built in? Many protected networks include a DNS server that resolves internal hosts while still allowing external names to be resolved. By setting up a malicious domain whose authoritative name server we control, we can use those DNS resolutions for command and control of our malware: the internal resolver forwards every query for a name under our zone to the authoritative server we run, and the answers carry commands back to the client.
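To make the mechanism concrete, here is an added example (my own code, not dnscat2's) of the two halves of such a channel: the client packs bytes into query names for an attacker-controlled zone within the RFC 1035 length limits, and the authoritative server reassembles them even when queries arrive out of order. The zone "tun.example", the 4-byte session/sequence header and the hex encoding are assumptions for illustration; dnscat2's real framing and encryption differ. The last function is the defender's side: two signals a resolver log shows without decrypting anything (long, high-entropy names and many distinct names under one domain), which is exactly why a tunnel like this is not invisible on a monitored network.

```python
"""Added example, not dnscat2's own code: the mechanism behind a DNS C2 tunnel
(data hidden in queries for a zone the attacker is authoritative for) and one
heuristic a defender can run over resolver logs.

Hypothetical assumptions: the attacker controls the zone "tun.example"; each
query carries a 4-byte header (session id, sequence number) plus payload,
hex-encoded into labels. dnscat2's real framing and encryption differ.
"""
import math
import struct
from collections import Counter

ZONE = "tun.example"          # assumed attacker-controlled authoritative zone
MAX_LABEL = 63                # RFC 1035 limit on one label
MAX_NAME = 253                # RFC 1035 limit on a whole name (presentation form)
BYTES_PER_LABEL = 31          # 31 bytes -> 62 hex chars, under the 63 limit
HEADER = struct.Struct(">HH")  # session id, sequence number


def encode_chunks(data: bytes, session_id: int, zone: str = ZONE) -> list:
    """Client side: split data into query names that respect the RFC limits."""
    suffix = "." + zone
    labels_per_query = (MAX_NAME - len(suffix) + 1) // (MAX_LABEL + 1)
    payload_per_query = labels_per_query * BYTES_PER_LABEL - HEADER.size
    names = []
    for seq, off in enumerate(range(0, len(data), payload_per_query)):
        raw = HEADER.pack(session_id, seq) + data[off:off + payload_per_query]
        hexed = raw.hex()
        step = 2 * BYTES_PER_LABEL
        labels = [hexed[i:i + step] for i in range(0, len(hexed), step)]
        name = ".".join(labels) + suffix
        assert len(name) <= MAX_NAME and all(len(l) <= MAX_LABEL for l in labels)
        names.append(name)
    return names


def decode_queries(names, zone: str = ZONE) -> dict:
    """Server side: rebuild each session's bytes, tolerating out-of-order arrival."""
    suffix = "." + zone
    sessions = {}
    for name in names:
        if not name.endswith(suffix):
            continue                          # ordinary resolution, not ours
        try:
            raw = bytes.fromhex(name[:-len(suffix)].replace(".", ""))
        except ValueError:
            continue                          # malformed label, skip it
        if len(raw) < HEADER.size:
            continue
        sid, seq = HEADER.unpack_from(raw)
        sessions.setdefault(sid, {})[seq] = raw[HEADER.size:]
    return {sid: b"".join(parts[s] for s in sorted(parts))
            for sid, parts in sessions.items()}


def shannon_entropy(s: str) -> float:
    """Bits per character; hex of random-looking data sits near 4.0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def flag_suspicious(names, max_len=100, min_entropy=3.0, min_per_domain=5):
    """Defender side: two signals visible in resolver logs without decryption.
    Thresholds are illustrative. The registered domain is taken as the last two
    labels, ignoring the public-suffix list (co.uk etc.) a real detector needs."""
    per_domain = Counter()
    long_random = []
    for name in names:
        parts = name.rstrip(".").split(".")
        per_domain[".".join(parts[-2:])] += 1
        body = "".join(parts[:-2])
        if len(name) > max_len and shannon_entropy(body) >= min_entropy:
            long_random.append(name)
    noisy_domains = sorted(d for d, n in per_domain.items() if n >= min_per_domain)
    return long_random, noisy_domains


# Constructed sample: 512 bytes to exfiltrate, plus benign lookups for contrast.
SAMPLE = bytes(range(256)) * 2
BENIGN = ["www.microsoft.com", "login.live.com", "update.microsoft.com"]

if __name__ == "__main__":
    tunnel = encode_chunks(SAMPLE, session_id=0x0BAD)
    print(len(tunnel), "queries, first:", tunnel[0][:70] + "...")
    assert decode_queries(tunnel)[0x0BAD] == SAMPLE
    flagged, noisy = flag_suspicious(tunnel + BENIGN)
    print("flagged", len(flagged), "names; noisy domains:", noisy)
```

The 512-byte sample needs six queries of up to 200 characters each, every one of which trips both the length/entropy check and the per-domain volume check, while the benign lookups trip neither. That is the trade-off a red teamer should know before choosing this channel: the traffic passes firewalls that block direct TCP/UDP, but a SOC watching query length, label entropy or per-domain query counts can spot it.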

 

Nishang

  Nishang is a framework and collection of PowerShell scripts and payloads for offensive security, penetration testing and red teaming. Nishang is useful in every phase of a penetration test. Although Nishang is essentially a set of remarkable PowerShell scripts, it also includes some lightweight C2 scripts.

 

Summary:

  A red team engagement may use many more tools than these; I have listed only the common ones. Please add your own :)

Source: www.cnblogs.com/ssw6/p/12104006.html