Dear PenTest Readers,
This month we are proud to present an issue in which 9 out of 10 articles relate to the main topic. Red Team and Blue Team operations are definitely areas that deserve thorough depiction. Our contributors have done a magnificent job, presenting the Red Team/Blue Team world from various angles, based on their impressive professional experience. The articles are mostly practical tutorials and case studies using the most efficient tools, and we are convinced that they will help you to broaden your pentesting perspective and skills. You can also find a solid theoretical background for a better fundamental understanding of offensive and defensive procedures, and of the way of thinking that should be applied during such operations.
Without an unnecessarily long introduction, let's let the content speak for itself. With a nod to the cover of this issue, choose the colour of your own pill and dive into reading!
Enjoy the content!
PenTest Magazine’s Editorial Team.
Table of Contents
Red Teaming Operations and Threat Emulation
by Boumediene Kaddour
In a real Red Team engagement, making communications occur directly between the target and the C2 server is a silly decision for an advanced operator. Attackers and Red Teamers use C2 redirectors to hide the real C2 server for the purpose of protecting the C2 server's IP address from identification. The best way to build a C2 infrastructure is to wisely choose legitimate domain names with valid SSL certificates (Let's Encrypt), IP addresses, and well-known protocols like HTTP(S). There are various techniques and tools that can be used to implement a C2 redirector, including iptables, socat and the built-in Microsoft tool netsh.
Red Team C2 and Blue Team Detection
by Jesse F. Moore
Blue Teams can simulate Red Team tactics by leveraging Red Canary's Atomic Red Team on GitHub. They have provided many Red Team techniques to test detection mechanisms. Blue Teams can detect which Red Team techniques are used by standing up a Kansa environment. Kansa is a free tool from GitHub. The Kansa framework helps defenders detect activities with the use of WinRM and PowerShell on Windows operating systems. If you can script it with PowerShell, then Kansa is able to push that script out to a fleet of Windows machines and return the output for further analysis of activities for adversarial techniques.
50 Shades Of Red
by Bruce Williams
Red Teamers are hard to find. They come in many shades of Red. It is hard to spot critical thinkers and the handbooks are great. I love some techniques that are not in the Red Team handbooks but allow me to see how people think. This might be a good time to mention Ship of Theseus. Where does a Blue Team become a Red Team?
Red Team Exercise As A Real Targeted Attack Simulation
by Eduardo Arriols Nuñez
Another outstanding aspect for a Red Team is to have an infrastructure that provides anonymity to the actions developed, both to avoid the identification of the Red Team as the origin of the tests and to prevent the Blue Team from being aware of the exercise. In addition, this may be relevant in cases where an asset has been compromised that is not ultimately within scope. It must be taken into account that these types of exercises are developed in full black box mode, where the Red Team only knows the name of the organization, allowed vectors and test dates, which makes it possible to identify assets that are finally outside the scope. In these cases, having an anonymity platform allows you to cover your back and avoid problems.
Red Team Scenario: Delivering a Trigger-able Outlook Malware via Macros
by Alexandros Pappas
By executing this malware, the Red Teamer can bypass this security prompt and in fact make the security prompt disappear from the end user's screen. The Red Teamer can achieve this by simultaneously loading the series of keystrokes that grant the attacker access to the victim's mailbox. In fact, by tuning the sleep values, the Outlook security prompt will never appear on the user's screen at all.
Anatomy of a Red Team
by Mithun Smith Dias
The infamous SQL Slammer worm used a single vulnerability in Microsoft SQL Server to infect thousands of computers connected to the Internet. So, any application consuming a SQL DB could be tested for this vulnerability. The Red Team would need to have experts in each of the security areas. For instance, the skills needed to exploit social engineering vulnerabilities differ from those needed to test network security or perform security audits. Therefore, the team needs to have a mix of individuals who are skilled in each of these areas.
Blue Team Training with BT3 Framework
by Bruno Rodrigues
This lost “war” is also an issue for Blue Team/Red Team – it’s easy to understand that Red Team training is widely available. They can simply hack away using the multiple free online resources available (not getting into details about this, as I could write an entire article on it). But how do Blue Teams train? How can they test different defenses? How would they know if the defenses in place are efficient or not?
Red Team versus Blue Team: How to Attack and How to Defend
by Dinesh Sharma
Now the team wants to check whether an active attack can breach their security or not. The bank team hired some active hackers who can perform penetration testing as well as offensive hacking for a good cause. These hired hackers tried all possible ways to hack into the internal and external network by attacking the Web Server, DNS Server, Mail Server, Cloud Infrastructure, etc. This eventually gets them remote access to the servers or lets them leak data to generate the proof of concept.
Playing with RFID TAGs
by Siddhartha Tripathy
As most of you may know, MiFare Classic 1k cards can be cloned easily, and there are various tutorials available online for this as well. However, a short tutorial is also given here to clone a MiFare Classic 1k tag. The Proxmark3 Kit contains a MiFare S50 tag and a Magic UID tag whose UID can be changed. In this tutorial, we will clone the MiFare S50 tag onto the Magic UID tag.
How To Write a Penetration Testing Report – For Beginners
by Dr. Narendiran Chandrasekaran
Writing a penetration testing report is an art. Although there is a lot of penetration testing material available on the Web, there is still a lack of report-writing material, methodology, and approach, which leads to a gap, particularly for beginners who are writing a penetration testing report. It is always essential to make sure that the report delivers the right message to the right people. In particular, this article describes a step-by-step approach to writing a penetration testing report for beginners.