Well here it is, I am finally going for a Red Team job (Jr). Am I nervous? Yes… totally. I was wondering how I will explain myself if I manage to ace this interview. I mean, I have been studying the MITRE ATT&CK Framework as if it were the bible, and created a GitBook page to demonstrate attacks and make them easy to understand for newcomers. But let me explain a little on Red Teaming. Yeah, it's awesome, sure you get to feel like a bad guy hacking into a network, trying to social-engineer your way in, and pff, of course there is physical testing: I have been learning how to lock pick in my spare time, and got the hang of it; whenever the bathroom gets locked I just lock pick it. I don't even care if I forget to lock it or not, I try to pick it later. Now ask me how that works out when you REALLY need to go!! But OK, back to where I was at. Red Teaming in my own words.
Red Team Engagements are simulations of an APT (Advanced Persistent Threat): they emulate the TTPs (Tactics, Techniques and Procedures) of an adversary. These engagements are similar to Penetration Tests but differ in ways that make them distinct. One example: in a Penetration Test they are trying to find as many vulnerabilities as possible in a set amount of time, find a POC (Proof-Of-Concept) exploit and measure the risk; these are usually set in a short amount of time, which could be days to a couple of weeks. But here is where Red Team is different: they do NOT need to find as many exploits as possible. The difference is that they are testing the Incident Responders [Blue Team] and their response time, "TTD and TTM" (Time To Detect and Time To Mitigate). TTD is the time between the initial occurrence of the incident and when an analyst detects and starts working on the incident. TTM is recorded when the mitigation is in place, that is, when the firewall block, DNS sinkhole, or network isolation is implemented. Yes, they can find vulnerabilities, but they are only used if it helps to achieve their goal: no need to exploit an XSS in an Active Directory Domain if it doesn't help with, let's say, Persistence or Privilege Escalation.
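To make the TTD/TTM idea concrete, here is an added example (my own illustration, not code from the post or from the GitBook page) that takes a constructed exercise timeline, one line per event, and works out both metrics per red team scenario. It assumes TTM is measured from the initial occurrence rather than from detection (some teams count from detection), and that a scenario with no detection line was simply never caught, which is the finding the blue team most needs to hear.

```python
from datetime import datetime

# Constructed exercise timeline (not from the post): one line per event,
# "timestamp scenario-id event-type free text". Scenario RT-02 is never
# detected, which is exactly the kind of gap a red team engagement is
# meant to surface for the blue team.
TIMELINE = """\
2024-03-04T09:00:00 RT-01 occurrence  phishing payload executed on workstation
2024-03-04T09:47:00 RT-01 detection   EDR alert triaged, analyst opens ticket
2024-03-04T11:15:00 RT-01 mitigation  host isolated from the network
2024-03-04T13:30:00 RT-02 occurrence  credential dump on file server
2024-03-04T14:00:00 RT-03 occurrence  beacon to red team test domain
2024-03-04T14:05:00 RT-03 detection   proxy alert on newly registered domain
2024-03-04T14:20:00 RT-03 mitigation  DNS sinkhole applied to the domain
"""


def parse_timeline(text):
    """Group events by scenario id: {scenario: {event_type: datetime}}."""
    events = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, scenario, kind, _desc = line.split(None, 3)
        events.setdefault(scenario, {})[kind] = datetime.fromisoformat(ts)
    return events


def minutes_between(start, end):
    return (end - start).total_seconds() / 60


def response_metrics(text):
    """Return {scenario: {"ttd_min": float|None, "ttm_min": float|None}}.

    TTD: occurrence -> analyst detection.
    TTM: occurrence -> containment action (assumption: measured from
    occurrence, not from detection).
    None means the blue team never reached that stage for the scenario.
    """
    results = {}
    for scenario, ev in parse_timeline(text).items():
        if "occurrence" not in ev:
            continue  # malformed scenario: nothing to measure from
        occurred = ev["occurrence"]
        detected = ev.get("detection")
        mitigated = ev.get("mitigation")
        results[scenario] = {
            "ttd_min": minutes_between(occurred, detected) if detected else None,
            "ttm_min": minutes_between(occurred, mitigated) if mitigated else None,
        }
    return results


def undetected(metrics):
    """Scenarios the blue team never detected: the headline finding of the exercise."""
    return sorted(s for s, m in metrics.items() if m["ttd_min"] is None)


if __name__ == "__main__":
    m = response_metrics(TIMELINE)
    for scenario, vals in sorted(m.items()):
        print(scenario, vals)
    print("never detected:", undetected(m))
```

The per-scenario table, plus the list of scenarios with no TTD at all, is what ends up in the report: a long TTM on one scenario is a tuning problem, while an undetected scenario is a visibility gap.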
And of course they differ in other ways, such as their Methodology.
Let's check the Methodology here [not personal experience, just following the pen test standards]:
Pre-Engagement. A very important step: this is where you interact with the client, with some simple questions and setup on how to work on the assessment. Grab some emergency contacts: who do we call when a system goes down? (Ghostbusters.) What is the scope, the range of IPs and domains? The Get Out of Jail Free card: the important document where you have written permission to hack the system, very important. The duration of the engagement: a couple of days or weeks? When is it good for testing: during work hours, to test the IT response, or after hours, to not interrupt production or cause downtime? This is a general idea of what goes on in a Pre-Engagement.
Intelligence Gathering. The first step going into hacking the system: Recon and Enumeration, which can be split into 2 parts, Passive and Active. As the name implies, Passive is where we don't touch the infrastructure, yet. We can use Google, Yahoo, Bing, Shodan, LinkedIn, WHOIS: public resources that do not even give the place a hint that they are being watched. Checking some metadata on files (usually PDFs that are publicly available), crawling the website to start exploring, and viewing the source code are common techniques in passive recon. Then there is Active: this is where we start pinging the infrastructure, checking if there are any open ports (nmap, masscan), looking for hidden directories (gobuster, dirscan, dirsearch, wfuzz). This is where we start interacting and getting responses from the target site/server: DNS discovery, zone transfers. We create more noise but get more value in information.
Vulnerability Gathering is the process of discovering flaws in the system and applications which can be used by an attacker. These flaws can range anywhere from host and service misconfiguration to insecure application design. Usually, if this step is done quickly, vulnerability scanners are used: they simply scan, examine the responses and determine if a vulnerability exists based on that response. There is also port-based scanning, which is usually a first step; this will determine if a port is open or closed, and based on that response they can determine what type of services are running. Some are just pre-determined from the port: let's say port 80 is open, so one can assume that HTTP is running, but here is where banner grabbing can help determine what is really going on, since it communicates with the port and examines the response. This is usually categorized as Active Scanning; there is also Passive, which I'm not fully knowledgeable on, but some examples are metadata and traffic monitoring.
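The point in the last two paragraphs that the port number is only an assumption and the response is what actually identifies the service is easy to show in code. The following is an added example, my own and not from the post or the GitBook page, that runs two throwaway local stand-in services on 127.0.0.1 (constructed, not real software): one that speaks first on connect, like SSH, FTP or SMTP do, and one that stays silent until the client speaks, like HTTP. `grab_banner` reads what the service volunteers and, if nothing arrives, sends a harmless `HEAD / HTTP/1.0` probe (an assumption of the example: a real tool would try several probes). The signature table and the `guess_from_port` table are likewise placeholders. Because both stand-ins sit on ephemeral ports, the port-based guess says nothing at all, while the banner identifies each one. The same logic is what you run against your own asset inventory to confirm that what is listening is what you think is listening.

```python
import socket
import socketserver
import threading


# Constructed local stand-ins for two kinds of services (not real software):
# one that speaks first (SSH/FTP/SMTP style) and one that waits for the
# client (HTTP style). Both listen on 127.0.0.1 on an ephemeral port.
class SpeaksFirstHandler(socketserver.BaseRequestHandler):
    banner = b"SSH-2.0-ConstructedSSH_0.1\r\n"  # placeholder banner, not a real product

    def handle(self):
        self.request.sendall(self.banner)


class WaitsForClientHandler(socketserver.BaseRequestHandler):
    def handle(self):
        request = self.request.recv(1024)
        if request.startswith((b"GET", b"HEAD")):
            self.request.sendall(b"HTTP/1.0 200 OK\r\nServer: ConstructedHTTPd/0.1\r\n\r\n")


def start_local_service(handler_cls):
    """Start a throwaway TCP service on an ephemeral port; returns (server, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler_cls)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def grab_banner(host, port, timeout=1.0, probe=b"HEAD / HTTP/1.0\r\n\r\n"):
    """Read whatever the service sends on connect; if it stays silent, send a
    harmless HTTP HEAD probe and read the reply. Returns text (may be empty)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            data = s.recv(1024)
        except socket.timeout:
            data = b""
        if not data:
            s.sendall(probe)
            try:
                data = s.recv(1024)
            except socket.timeout:
                data = b""
    return data.decode("latin-1", errors="replace").strip()


# Minimal response signatures (assumed for the example): the response,
# not the port number, decides what we call the service.
SIGNATURES = (
    ("SSH-", "ssh"),
    ("HTTP/", "http"),
    ("220 ", "smtp-or-ftp"),  # both greet with a 220 line; needs a closer look
)


def identify_service(banner):
    for prefix, name in SIGNATURES:
        if banner.startswith(prefix):
            return name
    return "unknown"


def guess_from_port(port):
    """The assumption-only approach the post warns about."""
    return {22: "ssh", 25: "smtp", 80: "http", 443: "https"}.get(port, "unknown")


def demo():
    """Run both stand-ins; return {label: (port, guess_by_port, id_by_banner)}."""
    results = {}
    for label, handler in (("speaks-first", SpeaksFirstHandler),
                           ("waits", WaitsForClientHandler)):
        server, port = start_local_service(handler)
        try:
            banner = grab_banner("127.0.0.1", port)
            results[label] = (port, guess_from_port(port), identify_service(banner))
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for label, (port, by_port, by_banner) in demo().items():
        print(f"{label}: port {port} guess-by-port={by_port} by-banner={by_banner}")
```

Run it and the "waits" case takes about a second longer, because the client has to wait out its read timeout before deciding the service expects it to speak first; that pause is also why scanners keep a list of probes per service family instead of relying on one.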
Exploitation. Aah, the fun part, here it comes: when we actually do the hack. This is usually done solely to establish access to a system or to prove that the vulnerability exists; with this we demonstrate with a POC that, when reported, a capable IT team is able to replicate the demonstrated issue. This area can be detailed more precisely, since the basics of this section are just to show and prove that the system is vulnerable. Usually here it is heavily helpful to use public exploits, since it is highly unlikely, BUT still possible, that a Zero Day is used. These 0day techniques are often a last resort and represent focused attacks, but that subject is usually about reporting undiscovered vulnerabilities, which usually has no use in penetration tests, as you are testing for currently known exploits: there is no way to demonstrate or identify such a vulnerability during an engagement unless proper and long research is done.
Post-Exploitation. According to the Pentest Standards, this is usually done to determine the value of the compromised machine and to maintain control of the machine. Now this is a little bit tricky, as unless previously agreed upon, some services and applications need to be modified to achieve a certain goal such as persistence or privilege escalation, because these situations can cause data loss, denial of service and others. This is only necessary if there is a need to achieve a certain goal, like accessing a drive or gaining Domain Admin, but sometimes just gaining access into a system is surely enough here, as you probably would not need high privileges to exfiltrate data or to read important files; all that is needed is just the right user.
Reporting. The reason you are getting paid. This one has to be very detailed and comprehensible, in ways that the IT team can understand what is going on and, when needed, can replicate the attack. I don't have much experience with this, so here ya go.
So here I am, currently pursuing an amazing job, but highly skilled people are the ones that deserve to be here, and I'm trying my best to have even a speck of the knowledge they have. Hopefully I can help others to at least have a chance to understand what all this means, and see for themselves how it works from my GitBook page, where others don't just read, but can also see and test for themselves how these techniques work in the most basic ways.