WEBVTT 1 00:00:00.120 --> 00:00:03.240 Welcome to the deep dive. We're diving into the world 2 00:00:03.319 --> 00:00:05.839 of red teaming today and our guide is going to 3 00:00:05.879 --> 00:00:09.599 be hands on red team tactics by Himanshu Sharma and 4 00:00:09.640 --> 00:00:11.839 heartbreat Singh and these authors. 5 00:00:11.880 --> 00:00:15.880 You know, they're not just they're not just theorists. Himanshu 6 00:00:15.960 --> 00:00:22.679 has found vulnerabilities in major companies Apple, Google, Microsoft, Wow, 7 00:00:22.879 --> 00:00:26.920 even help celebrities get their accounts back after they were hacked. 8 00:00:27.519 --> 00:00:29.920 That's the kind of experience I want on my side. 9 00:00:30.679 --> 00:00:35.439 And Hartrey brings years of ethical hacking red teaming expertise, 10 00:00:35.920 --> 00:00:41.000 working with huge banks, racking up top certifications. So you know, 11 00:00:41.200 --> 00:00:43.840 the preface of this book really got me thinking, Okay, 12 00:00:44.000 --> 00:00:47.399 what if you could simulate a real world attack to 13 00:00:47.520 --> 00:00:50.880 test your company's defenses. Yeah, that's what red teaming is 14 00:00:50.880 --> 00:00:51.320 all about. 15 00:00:51.560 --> 00:00:54.719 No, it is about pushing the boundaries, finding those weaknesses 16 00:00:55.000 --> 00:00:57.840 before the bad guys do. Right. It goes beyond your 17 00:00:57.880 --> 00:01:02.520 typical security checks, uncovering vulnerabilities that you know might slip 18 00:01:02.520 --> 00:01:03.159 through the cracks. 19 00:01:03.240 --> 00:01:06.640 So it's more than just like a basic penetration test. Absolutely, 20 00:01:06.719 --> 00:01:10.159 it's like really stepping into the shoes of a real attacker, 21 00:01:10.760 --> 00:01:12.120 trying to think like they do. 22 00:01:12.280 --> 00:01:16.000 Yeah, it's about understanding their mindset, the tactics they use 23 00:01:16.040 --> 00:01:16.879 in the real world. 24 00:01:17.280 --> 00:01:20.799 You know, I used to think that penetration testing and 25 00:01:20.920 --> 00:01:25.000 red teaming were the same thing, but reading this book, 26 00:01:25.079 --> 00:01:26.959 I realized there are some key differences. 27 00:01:27.079 --> 00:01:30.959 You're right. Penetration testing or pen testing, it usually follows 28 00:01:31.000 --> 00:01:35.640 a more structured process, often guided by industry standards, things like, okay, 29 00:01:35.680 --> 00:01:42.159 the Penetration Testing Execution Standard PTE, PTEs, GUYSWAPS, STMM, and ISF. 30 00:01:42.599 --> 00:01:44.239 Okay, so those are like those those are kind of. 31 00:01:44.159 --> 00:01:46.920 Like the frameworks, right, framework the guidelines for how these 32 00:01:46.959 --> 00:01:48.319 tests should be conducted. 33 00:01:48.400 --> 00:01:50.560 All right, So let's break down PTEs a little bit. 34 00:01:50.920 --> 00:01:52.200 What are the steps involved there? 35 00:01:52.480 --> 00:01:59.319 So PTEs starts with pre engagement interactions, defining the scope, right, okay, 36 00:01:59.359 --> 00:02:01.840 making sure everybod he's on the same page. Then there's 37 00:02:01.840 --> 00:02:07.920 intelligence gathering, rep modeling, vulnerability analysis, and of course the 38 00:02:07.959 --> 00:02:11.960 actual exploitation phase right right where you try to break in, 39 00:02:12.360 --> 00:02:14.520 you know, see if you can get through the defenses, 40 00:02:14.599 --> 00:02:18.439 put it to the test. And finally there's post exploitation 41 00:02:18.840 --> 00:02:23.000 and reporting. Okay, so documenting what you found, what you 42 00:02:23.039 --> 00:02:24.280 were able to do, right. 43 00:02:24.159 --> 00:02:26.520 So it's very thorough, Yeah, It's kind of like a 44 00:02:26.680 --> 00:02:27.879 scheduled checkup, you know. 45 00:02:28.000 --> 00:02:30.639 Yeah, you know what to expect when you're going in 46 00:02:30.680 --> 00:02:36.400 for appentist red teaming. It's all about surprise. Oh okay, 47 00:02:36.520 --> 00:02:39.800 imagine the organization doesn't even know what's happening, right. That 48 00:02:39.919 --> 00:02:44.520 element of surprise really helps you see how they would 49 00:02:44.560 --> 00:02:46.919 react to a real world attack. 50 00:02:47.120 --> 00:02:50.360 That makes sense. Yeah, this book, it dives into a 51 00:02:50.400 --> 00:02:53.840 whole bunch of tools that red teams use. Yeah, some 52 00:02:54.000 --> 00:02:57.240 are familiar, like metasploit and map, but the pin Testing 53 00:02:57.280 --> 00:03:00.639 twenty eighteen chapter introduce me to some nuance. 54 00:03:00.879 --> 00:03:06.719 Yeah, like the MSF payload creator okay, MSFPC MSFPC, which 55 00:03:06.759 --> 00:03:11.439 makes generating payloads, especially for those tricky reverse shell connections, 56 00:03:11.960 --> 00:03:12.759 so much easier. 57 00:03:12.800 --> 00:03:14.680 We'll have to get into those verse shells a little 58 00:03:14.680 --> 00:03:17.080 bit later, definitely. But you also mentioned another tool that 59 00:03:17.120 --> 00:03:20.919 caught my eye. What's interesting about Kowitic? 60 00:03:21.120 --> 00:03:24.759 So what's interesting about koatic is okay, it uses Windows 61 00:03:24.800 --> 00:03:29.240 script hosts to execute its payloads. A lot of anti 62 00:03:29.560 --> 00:03:33.639 virus programs these days, Yes, they're focused on PowerShell activity, 63 00:03:34.319 --> 00:03:37.479 and so this can help Koitic fly under the radar 64 00:03:37.520 --> 00:03:38.319 a little bit, just like. 65 00:03:38.319 --> 00:03:40.439 A ninja sneaking path to the defenses. 66 00:03:40.680 --> 00:03:41.520 Yeah, exactly. 67 00:03:41.639 --> 00:03:44.719 It seems like staying hidden is crucial for red teams. 68 00:03:45.000 --> 00:03:49.319 Absolutely. Yeah, red teams need to operate undetected if they 69 00:03:49.400 --> 00:03:53.120 really want to accurately assess an organization's security. 70 00:03:53.319 --> 00:03:57.039 Makes sense, right, speaking of essential tools. Yeah, no, red 71 00:03:57.080 --> 00:04:01.120 teaming conversation is complete right without talking about the metasploit framework. 72 00:04:02.000 --> 00:04:04.199 I've messed around with it a little bit myself, Okay, 73 00:04:04.479 --> 00:04:06.120 but maybe we could do a quick refresher. 74 00:04:06.199 --> 00:04:09.479 Sure, the book assumes some familiarity, so we don't need 75 00:04:09.520 --> 00:04:13.879 to go too deep. But think of metasploit like a toolbox, okay, 76 00:04:14.039 --> 00:04:18.959 filled with modules, little programs designed for specific tasks. There 77 00:04:19.040 --> 00:04:22.720 are auxiliaries, which are helper tools for things like scanning 78 00:04:22.839 --> 00:04:27.199 exploits to target vulnerabilities, and payloads, which are the actions 79 00:04:27.279 --> 00:04:30.120 taken after a successful. 80 00:04:29.519 --> 00:04:31.879 Exploit, like opening a back door, right. 81 00:04:31.839 --> 00:04:35.720 Opening a back door, stealing data, stealing beta, things like that, 82 00:04:35.800 --> 00:04:39.360 And then you have encoders to make those payloads harder 83 00:04:39.439 --> 00:04:40.480 to detect. 84 00:04:40.160 --> 00:04:42.839 Right, Yeah. I remember using armitage, yeah, which is that 85 00:04:42.959 --> 00:04:46.319 graphical interface for metasploity, just to make things a little 86 00:04:46.319 --> 00:04:47.319 bit easier to manage. 87 00:04:47.560 --> 00:04:49.720 Armitage is great for streamlining attacks. 88 00:04:49.959 --> 00:04:53.360 Yeah, you can even automate tasks with Quortana scripting. 89 00:04:53.519 --> 00:04:57.600 Oh wow. Yeah, speaking of powerful tools, there's another one 90 00:04:57.600 --> 00:04:59.040 that came up a lot in this book. 91 00:04:59.560 --> 00:05:01.560 Cooboal Strike Cobalt strikes. 92 00:05:01.560 --> 00:05:02.720 It sounds like a favorite. 93 00:05:02.879 --> 00:05:06.720 It is, It's a favorite among Red teamers. Cobalt Strike 94 00:05:06.839 --> 00:05:12.279 is really about simulating those advanced persistent threats that you 95 00:05:12.360 --> 00:05:16.720 hear about so much. It's built for those later stages 96 00:05:16.759 --> 00:05:19.240 of an engagement, and it uses what's called a team 97 00:05:19.360 --> 00:05:23.600 server as a central hub for controlling those compromise systems. 98 00:05:23.720 --> 00:05:26.920 So like a command center for the Red Team. Sounds 99 00:05:26.959 --> 00:05:31.040 like Cobalt Strike is designed to really mimic what those 100 00:05:31.120 --> 00:05:32.959 really sophisticated attackers do. 101 00:05:33.199 --> 00:05:36.959 Yeah, the real deal, those nation state actors, APT groups, 102 00:05:36.959 --> 00:05:41.079 that kind of thing. So to really understand how it's used, 103 00:05:41.600 --> 00:05:43.800 we need to talk about what's called the Cyber Kill 104 00:05:43.879 --> 00:05:49.759 Chain the CKC. It's a framework that breaks down and 105 00:05:49.879 --> 00:05:53.439 attack into stages. Okay, I'm intrigued. What are the stages? 106 00:05:54.399 --> 00:05:57.519 Think of it like planning a heist, right, Okay, First 107 00:05:57.639 --> 00:06:02.600 you need to gather information about your target, right, that's reconnaissance. Okay, 108 00:06:02.720 --> 00:06:07.319 Then you prepare your tools your weapons. That's weaponization makes sense. 109 00:06:07.480 --> 00:06:10.879 Next comes figuring out how to deliver your attack. Right. 110 00:06:11.000 --> 00:06:14.680 Then the exploitation phase. You actually break in right, right, 111 00:06:15.160 --> 00:06:16.600 you know you're through the door. 112 00:06:16.439 --> 00:06:19.399 Now, okay, So it's not just about getting in, it's. 113 00:06:19.240 --> 00:06:21.839 About it's about what you do once you're in. 114 00:06:22.000 --> 00:06:22.360 Okay. 115 00:06:22.560 --> 00:06:26.600 Right, So after you've exploited a vulnerability, you need to 116 00:06:26.639 --> 00:06:30.959 install your tools and establish a way to maintain control. 117 00:06:31.160 --> 00:06:31.279 Right. 118 00:06:31.480 --> 00:06:35.680 That's installation and command and control. And finally you carry 119 00:06:35.680 --> 00:06:40.279 out your objective, right, whether it's stealing data, disrupting operations, 120 00:06:40.279 --> 00:06:41.120 whatever it might be. 121 00:06:41.439 --> 00:06:43.759 So it's a whole operation, like a multi phase. 122 00:06:43.759 --> 00:06:46.480 It is a campaign, it's not just a smash and grab, 123 00:06:46.639 --> 00:06:49.800 you know, gotcha, And Cobalt Strike gives you the tools 124 00:06:50.439 --> 00:06:52.160 to carry out each of these phases. 125 00:06:52.279 --> 00:06:55.120 So it's like a comprehensive toolkit. Yeah. 126 00:06:55.199 --> 00:06:58.800 It helps them simulate that full life cycle of a 127 00:06:58.839 --> 00:07:03.279 really sophisticated attack from the very beginning to achieving those objectives. 128 00:07:03.800 --> 00:07:07.560 Now, one technique that keeps popping up is the reverse shell, 129 00:07:08.839 --> 00:07:10.879 and it sounds like a really clever way to get 130 00:07:10.920 --> 00:07:15.959 around it is those pesky firewalls, yes, that block incoming connections. 131 00:07:16.040 --> 00:07:20.879 So a reverse shell allows the attacker to gain control 132 00:07:20.959 --> 00:07:25.720 of a system by having the target system initiate a 133 00:07:25.800 --> 00:07:28.560 connection back to the attacker's machine. 134 00:07:28.680 --> 00:07:31.279 So instead of the attacker trying to force their way in, 135 00:07:31.800 --> 00:07:35.240 they're tricking the target into reaching out to them exactly. 136 00:07:35.319 --> 00:07:37.680 It's kind of like a judo move. You're using their 137 00:07:37.680 --> 00:07:38.959 own momentum against them. 138 00:07:39.120 --> 00:07:40.560 Makes sense, and this. 139 00:07:40.360 --> 00:07:43.920 Can be really helpful, especially when you have those firewalls 140 00:07:44.279 --> 00:07:49.519 that are blocking incoming connections but they allow outgoing traffic. 141 00:07:50.000 --> 00:07:53.519 It's a common configuration and reverse shells take advantage of that. 142 00:07:53.759 --> 00:07:56.319 It sounds pretty sneaky. It is, it is, but I 143 00:07:56.319 --> 00:07:58.759 imagine there are different ways to establish. 144 00:07:58.360 --> 00:08:03.160 There areless way is to use a tool like netcat. Okay, 145 00:08:03.199 --> 00:08:06.279 but that creates an unencrypted connection, right, which can be 146 00:08:06.319 --> 00:08:09.839 easily detected if somebody's looking for it. Makes sense, so 147 00:08:10.000 --> 00:08:15.480 for stealth red teamers use encryption with tools like OpenSSL 148 00:08:15.639 --> 00:08:19.319 and cat, socat, crypt cat, all sorts of tools out there. 149 00:08:19.399 --> 00:08:22.680 Can I see that metasploid also has dedicated tayloads. It 150 00:08:22.720 --> 00:08:26.319 does yeah for this, like reverse CRAP and reverse CPRC four, 151 00:08:27.079 --> 00:08:29.160 I bet that RC four adds it does. 152 00:08:29.319 --> 00:08:32.960 RC four is an encryption algorithm. It adds an extra 153 00:08:33.080 --> 00:08:36.320 layer of encryption to make it even harder to detect. 154 00:08:36.639 --> 00:08:38.679 So it's all about blending in. It is with that 155 00:08:38.759 --> 00:08:39.759 normal network. 156 00:08:39.480 --> 00:08:42.200 Traffic hiding in plane sight, right, that's the name of 157 00:08:42.200 --> 00:08:42.559 the game. 158 00:08:42.960 --> 00:08:48.240 And once a red team has that initial foothold, they 159 00:08:48.279 --> 00:08:52.679 often need to move deeper into the network. And that's 160 00:08:52.679 --> 00:08:54.080 where pivoting comes in. 161 00:08:54.159 --> 00:08:55.120 Pivoting exactly. 162 00:08:55.200 --> 00:08:58.600 Imagine pivoting is like it is using one compromise system 163 00:08:58.799 --> 00:09:01.360 to hop to another like a stepping stone. Like a 164 00:09:01.360 --> 00:09:03.159 stepping stone exactly, you. 165 00:09:03.159 --> 00:09:06.519 Get a foothold on one machine and then you use 166 00:09:06.600 --> 00:09:09.919 that to reach another one makes sense deeper into the network. 167 00:09:10.039 --> 00:09:13.559 So the book covers a few it does pivoting techniques. 168 00:09:13.639 --> 00:09:18.399 One is SSH tunneling, where you use SSH to access 169 00:09:18.559 --> 00:09:22.279 hidden services on a compromise machine, you know, something like 170 00:09:22.360 --> 00:09:26.639 V and C. You can tunnel that traffic over SSH. 171 00:09:27.159 --> 00:09:31.799 And then there's interpreter port forwarding, which creates tunnels through 172 00:09:31.960 --> 00:09:34.919 an interpreter session to reach other machines. 173 00:09:35.039 --> 00:09:37.879 And then there's the level pivoting, multi level pivoting, which 174 00:09:37.879 --> 00:09:40.519 is where it gets really fun. Yeah, that's where you 175 00:09:40.600 --> 00:09:45.080 chain those pivots together, okay, to access multiple subnets. You're 176 00:09:45.159 --> 00:09:48.519 expanding that attack surface. You're really going you going deep. 177 00:09:48.919 --> 00:09:52.759 It's like exploring a maze. You know. Wow, it's amazing 178 00:09:52.799 --> 00:09:56.679 how Red teams can they can navigate these complex networks. 179 00:09:56.720 --> 00:09:59.840 They do. It's a skill. Yeah, it takes practice for sure, But. 180 00:09:59.840 --> 00:10:05.879 I imagine managing all those compromise systems maintaining that access. 181 00:10:06.960 --> 00:10:08.720 It can be pretty tricky. 182 00:10:08.519 --> 00:10:12.399 It is. That's where that's where post exploitation frameworks come in. 183 00:10:12.480 --> 00:10:17.159 Post exploitations frameworks, they're essential for maintaining that control and persistence. 184 00:10:17.720 --> 00:10:21.799 Okay, So one that stands out in this book is Empire. 185 00:10:21.879 --> 00:10:23.000 Empire Empire. 186 00:10:23.720 --> 00:10:29.600 So Empire gives Red teams a centralized platform to manage 187 00:10:29.639 --> 00:10:34.399 all those compromise systems, execute commands and pivot deeper into 188 00:10:34.399 --> 00:10:37.039 the network. It's like a remote control for all those 189 00:10:37.080 --> 00:10:38.120 compromised devices. 190 00:10:38.200 --> 00:10:40.879 It's like the puppet master. It is pulling the strings 191 00:10:40.879 --> 00:10:41.559 behind the scenes. 192 00:10:41.759 --> 00:10:43.759 Yeah, you got it. I'm curious how it works. 193 00:10:44.240 --> 00:10:47.720 So the core concept and Empire is setting up what's 194 00:10:47.759 --> 00:10:51.919 called a listener, similar to a handler in metasploitt. The 195 00:10:52.000 --> 00:10:56.240 listener is just waiting for connections from those compromise systems, 196 00:10:56.720 --> 00:10:59.960 which are called agents in Empire agents. So those compromises 197 00:11:00.759 --> 00:11:03.840 they connect back to the Empire server, to the Empire server. 198 00:11:04.039 --> 00:11:04.960 But how does that happen? 199 00:11:05.320 --> 00:11:09.639 Through a process called staging. Okay, so Empire generates a 200 00:11:09.639 --> 00:11:13.480 little piece of code called a stager that gets executed 201 00:11:13.480 --> 00:11:18.360 on the target system, and that stager reaches out and 202 00:11:18.399 --> 00:11:22.360 pulls down a larger agent which establishes that connection. 203 00:11:22.519 --> 00:11:24.399 So it's like a covert channel. 204 00:11:24.480 --> 00:11:26.799 It is a covert channel for communication. 205 00:11:27.000 --> 00:11:28.679 And once that connection is made. 206 00:11:28.679 --> 00:11:32.879 Then the fun begins. The Red team can really start digging. 207 00:11:32.600 --> 00:11:33.919 In, can really dig in. 208 00:11:34.000 --> 00:11:39.000 Yeah. Empire has this huge library it does of post exploitation. 209 00:11:38.519 --> 00:11:41.480 Modules, some massive library. 210 00:11:41.159 --> 00:11:46.279 Categorized by function. So there are modules for executing code, 211 00:11:46.840 --> 00:11:53.679 collecting data, stealing credentials, xfiltrating information, basically anything you can 212 00:11:53.720 --> 00:11:57.159 think of. Ye, pretty much anything that a sophisticated attacker would. 213 00:11:56.919 --> 00:11:59.200 Do, that a sophisticated attacker would want to do. 214 00:11:59.519 --> 00:12:01.720 It is a toolbox. 215 00:12:01.240 --> 00:12:04.960 For all those post exploitation activity post exploitation activities. 216 00:12:04.960 --> 00:12:06.600 It's like you've gotten in, now what are you going 217 00:12:06.679 --> 00:12:09.320 to do? Empire gives you the tools to do it. 218 00:12:09.399 --> 00:12:13.919 And I see that it can target oh yeah, Windows, Linux, 219 00:12:15.080 --> 00:12:16.799 even macOS. 220 00:12:16.399 --> 00:12:19.440 It's incredibly versatile. Wow, you can use it in so 221 00:12:19.519 --> 00:12:20.799 many different situations. 222 00:12:20.840 --> 00:12:25.480 So it's really valuable for red teams that are operating 223 00:12:25.519 --> 00:12:29.919 in all these different environments. No, imagine a red team 224 00:12:30.000 --> 00:12:35.159 gets into an enterprise network. What would be their ultimate goal? 225 00:12:35.440 --> 00:12:37.159 What do you think if they really want to cause 226 00:12:37.159 --> 00:12:40.120 some chaos, wouldn't they go for the domain controller? 227 00:12:40.639 --> 00:12:43.879 You're thinking like a red team or already? The domain 228 00:12:43.879 --> 00:12:46.399 controller is the heart of the network. It's the keys 229 00:12:46.399 --> 00:12:50.039 to the kingdom. If you can compromise the domain controller, 230 00:12:50.399 --> 00:12:53.919 you basically control the whole domain. And the book actually 231 00:12:53.960 --> 00:12:58.120 details how Empire can be used to target domain controllers, right, 232 00:12:58.240 --> 00:13:03.480 I'm all yours. First, they need to gain higher privileges 233 00:13:03.639 --> 00:13:08.120 on a compromised machine, so Empire has modules for that, 234 00:13:08.559 --> 00:13:13.399 things like bypasswas vnlwright. Then they need to steal credentials. 235 00:13:13.919 --> 00:13:18.600 Oftentimes they'll use a tool called mimicats to extract passwords 236 00:13:18.639 --> 00:13:22.919 from memory, and that might include domain user credentials. 237 00:13:23.120 --> 00:13:25.960 So they escalate privileges. Yeah, grab those credentials. 238 00:13:26.320 --> 00:13:30.480 Then what then they use those stolen credentials to laterally 239 00:13:30.559 --> 00:13:34.480 move to the domain controller itself. Once they're on the domain. 240 00:13:34.159 --> 00:13:36.320 Controller, yeah, they're on the driver's seat, and I. 241 00:13:36.279 --> 00:13:40.440 Read about this script called death Star. Death Star, Yeah, 242 00:13:40.639 --> 00:13:43.279 that can actually automate. It can the whole process. 243 00:13:43.440 --> 00:13:44.600 It can automate a lot of that. 244 00:13:44.639 --> 00:13:50.840 Yet exploiting active directory to gain domain admin access. 245 00:13:50.919 --> 00:13:54.399 It could do it in seconds. It's a really powerful tool. 246 00:13:54.720 --> 00:13:57.000 It just shows you the power of automation. 247 00:13:57.240 --> 00:13:58.960 So death Star is like the Red Teams. 248 00:13:59.200 --> 00:14:01.840 He's kind of like they're step secret weapon. Yeah, okay, 249 00:14:01.960 --> 00:14:03.120 it's a very effective tool. 250 00:14:03.279 --> 00:14:06.039 We've talked a lot about Empire, but let's circle back 251 00:14:06.519 --> 00:14:12.279 to Cobalt Strike. The book really emphasizes its usefulness in 252 00:14:12.320 --> 00:14:13.519 those later stages. 253 00:14:13.639 --> 00:14:17.720 It's a post exploitation powerhouse. Oh okay, it's designed for 254 00:14:17.879 --> 00:14:21.159 those later stages of a Red Team engagement. So what 255 00:14:21.240 --> 00:14:25.159 makes it so, what's fascinating about Cobalt Strike is that 256 00:14:25.200 --> 00:14:29.080 it goes beyond just the initial exploitation. It gives you 257 00:14:29.120 --> 00:14:31.840 a whole suite of tools. 258 00:14:31.759 --> 00:14:34.320 For post exploitation activities. 259 00:14:34.600 --> 00:14:36.639 So it's really a comprehensive platform. It is. 260 00:14:36.679 --> 00:14:38.000 It's a platform for Red teaming. 261 00:14:38.120 --> 00:14:40.120 Tell me more about those advanced capabilities. 262 00:14:40.600 --> 00:14:44.639 So one of the things that excels at is payload generation. 263 00:14:45.200 --> 00:14:49.519 It supports all sorts of attack vectors. You know, packages, 264 00:14:49.759 --> 00:14:52.480 web drive buys, spear phishing. 265 00:14:52.759 --> 00:14:53.000 Wow. 266 00:14:53.279 --> 00:14:56.360 And once they're in, Cobalt Strike gives you all sorts 267 00:14:56.399 --> 00:15:02.159 of post exploitation tools, you know, screen shot capture, keystroke logging, 268 00:15:02.360 --> 00:15:05.000 process injection, file browsing, you name. 269 00:15:05.039 --> 00:15:07.159 It sounds like a spy's dream toolkit. 270 00:15:07.559 --> 00:15:08.799 It's pretty powerful stuff. 271 00:15:08.919 --> 00:15:12.399 And we can't forget about pivoting. We can't forget pivoting. 272 00:15:12.039 --> 00:15:13.240 Some kind of pivoting methods. 273 00:15:13.440 --> 00:15:16.519 So Cobalt Strike gives you several different options. You can 274 00:15:16.559 --> 00:15:21.279 set up a soocks server, you can create listeners that 275 00:15:21.480 --> 00:15:26.879 tunnel traffic through compromise systems. You can even deploy VPNs 276 00:15:27.159 --> 00:15:28.960 wow for covert communication. 277 00:15:29.240 --> 00:15:30.759 It sounds like they thought of everything. 278 00:15:31.200 --> 00:15:34.720 Yeah, they really did. I read about this aggressor script. 279 00:15:34.799 --> 00:15:38.879 Aggressor script which lets you automate tasks and customize attacks. 280 00:15:39.000 --> 00:15:40.879 It's a scripting language. 281 00:15:40.399 --> 00:15:41.799 Within Cobalt Strike. 282 00:15:41.600 --> 00:15:43.080 Built right into cobalt strikes. 283 00:15:43.120 --> 00:15:44.679 Okay, so what can you tell me about that? 284 00:15:44.759 --> 00:15:46.679 So aggressorscript is really powerful. 285 00:15:46.879 --> 00:15:47.120 Okay. 286 00:15:47.320 --> 00:15:54.080 You can define custom behaviors, automate complex sequences of actions. So, 287 00:15:54.120 --> 00:15:57.840 for example, you could use it to automatically gather information 288 00:15:57.919 --> 00:16:01.840 about a target network or launch a series of attacks 289 00:16:02.360 --> 00:16:06.279 against specific systems, can get really creative with it. 290 00:16:06.519 --> 00:16:10.120 Yeah, it's powerful stuff. It is regardless of what tools 291 00:16:10.120 --> 00:16:13.360 are being used, command and control or C two. 292 00:16:13.840 --> 00:16:15.159 C two, it's the heart of it. 293 00:16:15.200 --> 00:16:18.360 All is crucial for any Red Team operation. 294 00:16:18.879 --> 00:16:21.639 Could you read more? C two servers are those central 295 00:16:21.720 --> 00:16:26.240 hubs for communicating with all those compromise systems. They allow 296 00:16:26.279 --> 00:16:33.000 the Red Team to issue commands, receive data, maintain that 297 00:16:33.240 --> 00:16:35.360 persistent access. 298 00:16:35.559 --> 00:16:37.320 Right, and this is where things is where it gets 299 00:16:37.480 --> 00:16:41.720 get really interesting because the book dives into some really 300 00:16:41.879 --> 00:16:46.559 ingenious techniques for setting up and disguising those C two servers. 301 00:16:46.639 --> 00:16:49.679 You have to be creative. You can't just use the 302 00:16:49.759 --> 00:16:50.799 same old techniques. 303 00:16:50.840 --> 00:16:54.000 So one that stood out to me was using cloud 304 00:16:54.039 --> 00:17:00.240 based file sharing services like Dropbox. And one drives two. 305 00:17:00.080 --> 00:17:02.879 Channels, so you're using drop Box red teaming. 306 00:17:03.000 --> 00:17:05.480 It's all about blending in with legitimate traffic. 307 00:17:05.559 --> 00:17:06.599 Okay, how does that work? 308 00:17:06.880 --> 00:17:10.319 You can set up a listener in Empire that communicates 309 00:17:10.319 --> 00:17:13.920 through Dropbox, so all that C two traffic just looks 310 00:17:13.920 --> 00:17:15.839 like normal file uploads and downloads. 311 00:17:15.960 --> 00:17:17.839 So you're hiding in plane site, you. 312 00:17:17.759 --> 00:17:21.319 Are, You're hiding in plane sighte wow. And one drive 313 00:17:21.400 --> 00:17:24.000 can be used in a similar way. But the book 314 00:17:24.039 --> 00:17:29.960 also talks about C two covert channels, which take things 315 00:17:29.960 --> 00:17:32.839 to a whole new level. What are covert channels? 316 00:17:33.000 --> 00:17:36.559 So, covert channels are all about hiding the very existence 317 00:17:36.559 --> 00:17:41.119 of communication. So it's not just encrypting the data. You're 318 00:17:41.200 --> 00:17:47.920 using existing protocols like DNA, S, HTTP, ICMP, WebDAV to 319 00:17:48.000 --> 00:17:51.359 create hidden tunnels for your C two traffic. 320 00:17:51.559 --> 00:17:54.359 It's like whispering secrets. It is in a crowded room, 321 00:17:55.119 --> 00:17:57.200 but digitally nobody even knows. 322 00:17:57.400 --> 00:17:59.799 Nobody even knows the conversation is happening. 323 00:18:00.039 --> 00:18:02.279 Conversations happening. That's a great analogy. 324 00:18:02.400 --> 00:18:03.039 I like that one. 325 00:18:03.079 --> 00:18:06.119 But even with these techniques, yeah, C two servers can 326 00:18:06.160 --> 00:18:09.119 still be detected, we can and blocked. Right. That's where 327 00:18:09.119 --> 00:18:13.119 redirectors come. Indirectors, redirectors. Okay, I'm sensing another layer. 328 00:18:12.920 --> 00:18:16.880 Another layer of obfuscation here, exactly. So a redirector acts 329 00:18:16.920 --> 00:18:21.680 as a proxy, Okay, it forwards traffic to the actual 330 00:18:21.759 --> 00:18:26.279 C two server, right, but it masks its true IP address. 331 00:18:26.559 --> 00:18:30.599 So if the blue team exactly detects the redirector, they're 332 00:18:30.599 --> 00:18:31.359 not actually. 333 00:18:31.160 --> 00:18:33.440 Getting getting to the real C two server, to the 334 00:18:33.440 --> 00:18:36.039 C two server. Right, it's like a decoy, Okay, it 335 00:18:36.119 --> 00:18:38.200 draws attention away from the real target. 336 00:18:38.359 --> 00:18:42.240 So the book discusses different types of redirection it does. 337 00:18:42.359 --> 00:18:46.599 Yeah, from simple forwarding using a tool like socat to 338 00:18:46.720 --> 00:18:52.279 more sophisticated methods that mimic legitimate traffic. You can even 339 00:18:52.400 --> 00:18:56.119 use web services like Apache wow, to make it look 340 00:18:56.200 --> 00:18:58.400 like you're just communicating with a web server. And then 341 00:18:58.440 --> 00:19:01.799 there's this technique, and then there's domain funding domain fronting, 342 00:19:01.839 --> 00:19:03.839 which sounds really advanced. 343 00:19:03.880 --> 00:19:06.519 It's pretty advanced, okay, So what is that Domain fronting 344 00:19:07.240 --> 00:19:12.440 leverages legitimate services like Google app Engine or cloud flare 345 00:19:13.240 --> 00:19:18.160 to mask that C two traffic as communication with trusted domains. 346 00:19:18.279 --> 00:19:21.319 So it's like hiding it is a secret message and 347 00:19:21.359 --> 00:19:22.680 an official envelope exactly. 348 00:19:22.720 --> 00:19:23.920 Nobody's going to question that. 349 00:19:24.000 --> 00:19:29.799 Right, it looks completely legitimate. Wow, Okay, not a clever technique. Yeah, 350 00:19:29.920 --> 00:19:32.000 rub out my head around that one a little bit more, definitely. 351 00:19:32.039 --> 00:19:34.440 But let's talk about the end game, all right, Data 352 00:19:34.519 --> 00:19:38.160 ex filtration, Data ex filtration, getting the goods out right, 353 00:19:38.200 --> 00:19:39.240 that's the whole point. 354 00:19:39.160 --> 00:19:42.799 Right yea, So how do red teams actually get that 355 00:19:42.920 --> 00:19:43.559 data out? 356 00:19:43.920 --> 00:19:46.920 So there are lots of different methods, each with its 357 00:19:47.000 --> 00:19:50.720 pros and cons. You know, basic tools like netcat and 358 00:19:50.799 --> 00:19:55.680 open SSL they lack stealth. Okay, PowerShell can be used 359 00:19:55.680 --> 00:19:59.480 to exfiltrate data over HTTP. But you got to be 360 00:19:59.480 --> 00:20:02.079 careful with your scripting. Okay, make sure you're not tripping 361 00:20:02.079 --> 00:20:03.240 any alarms. 362 00:20:02.960 --> 00:20:03.680 Right, you know. 363 00:20:03.880 --> 00:20:08.720 The book also mentions steganography, Yes, steganogaway, which is basically 364 00:20:08.880 --> 00:20:14.640 hiding data within seemingly innocent files. Right, It's like hiding 365 00:20:14.720 --> 00:20:16.000 a message in plain sight. 366 00:20:16.480 --> 00:20:18.599 Yeah, so you could hide sensitive information. 367 00:20:18.759 --> 00:20:21.039 You could hide it in a recipe, wow, in a 368 00:20:21.079 --> 00:20:22.880 news article. Anything you can think of. 369 00:20:23.279 --> 00:20:23.880 That's wild. 370 00:20:24.000 --> 00:20:26.960 It's a clever technique, okay. And then there's DNS tunneling 371 00:20:27.200 --> 00:20:32.799 DNS tunneling, which uses DNS requests. DNS tunneling uses DNS 372 00:20:32.880 --> 00:20:36.400 requests to kind of sneak data out of the network. 373 00:20:36.240 --> 00:20:36.519 Okay. 374 00:20:36.720 --> 00:20:39.559 The book mentions a tool called dn. 375 00:20:39.240 --> 00:20:41.240 Steel dn steel for this purpose. 376 00:20:41.400 --> 00:20:45.200 And of course Empire has its own yeah, modules for 377 00:20:45.640 --> 00:20:46.640 data exfiltration. 378 00:20:46.839 --> 00:20:49.160 Absolutely, Empire has modules for all sorts of things. 379 00:20:49.240 --> 00:20:52.519 Right, So Empire's modules offer a lot of flexibility control 380 00:20:52.640 --> 00:20:54.319 over the exfiltration process. 381 00:20:54.400 --> 00:20:54.960 You got it. 382 00:20:55.079 --> 00:20:57.799 But you know, the goal of red teaming isn't just 383 00:20:57.799 --> 00:20:58.559 to steal data. 384 00:20:58.680 --> 00:21:01.960 It's not just about getting in and grabbing stuff. It's 385 00:21:01.960 --> 00:21:07.480 about maintaining that access, demonstrating the potential impact of a 386 00:21:07.519 --> 00:21:10.559 real attack which brings us to which it brings. 387 00:21:10.440 --> 00:21:11.960 Us to persistence. 388 00:21:12.119 --> 00:21:12.680 Persistence. 389 00:21:12.759 --> 00:21:16.759 Yet, that art of staying under the radar and keeping 390 00:21:16.759 --> 00:21:20.920 that access even if the initial entry points are closed. 391 00:21:20.799 --> 00:21:23.839 You get a persistence is all about making. 392 00:21:23.519 --> 00:21:27.319 Sure that the red team can maintain access. Right those 393 00:21:27.359 --> 00:21:29.799 back doors, Yeah, those back door those implants. 394 00:21:29.440 --> 00:21:30.720 Yah, those implants they leave behind. 395 00:21:31.039 --> 00:21:32.440 You've got to have a way to get back in. 396 00:21:33.200 --> 00:21:35.039 I'm eager to learn about the specifics. 397 00:21:35.200 --> 00:21:40.640 Yeah. So one common method is manipulating scheduled tasks. Okay, 398 00:21:40.680 --> 00:21:42.599 you know these are tasks that are set to run 399 00:21:42.680 --> 00:21:47.839 automatically at certain times. Attackers can hijack these to launch 400 00:21:47.880 --> 00:21:52.119 their own malicious payloads. So they're blending in hiding their 401 00:21:52.279 --> 00:21:57.200