What we’ll be learning
Let’s go, red team! Let’s go! Clap clap clap clap clap… No, when discussing red teams in cybersecurity, the image should not be a team of players sporting red jerseys running up and down a field with a ball. Though, you may see some cheering!
In cybersecurity, red teams are essential in challenging the security posture of an organization. Defenses are tested against traditional and the latest exploitation tactics to assess how well they hold up. It’s good practice to be familiar with the red team’s role in cybersecurity assessments, as well as to learn about the tools and techniques they may employ.
In this article, you will learn the following:
- The purpose of a red team.
- The 7-step hacking process.
- Common red team tools and techniques.
Note: The tools and topics discussed in this article are solely for educational purposes in preparation for a cybersecurity role. Though the article does not go into detail about cyberattack methods with the mentioned tools, it should be addressed that these tools may be used for malicious and illegal purposes. This article does not condone the use of any of these tools except for legal purposes with the consent of the owner of the systems and networks these tools are utilized on.
What is a red team?
In the world of cybersecurity, it is common practice to challenge the security posture of an organization’s networks. A team of authorized cybersecurity professionals skilled in penetration testing and other offensive tactics is hired to test the security implemented by the organization by emulating adversarial attacks. This team engages in offensive operations while another team, typically internal to the organization, defends the organization from the emulated attacks. The team on defense is referred to as a blue team, while the team on offense is labeled the red team.
Red teams engage the organization’s defenses by performing common intrusion and ethical hacking tactics. They will follow a process known as “the hacking process”:
- Footprinting: Passive information gathering of targets before active attack activities. Also known as the “Reconnaissance” phase.
- Scanning: Initial active/passive scanning techniques to gather technical information on target systems.
- Enumeration: The consolidation and gathering of more detailed information on target systems and networks. At this step, the attackers may build network or logical maps of the target systems.
- System hacking: The planning and execution of attacks are conducted based on the information gathered in the previous steps.
- Escalation of privilege: Once penetration is successful, the attackers will work to gain escalated privilege in the systems/networks of the organization. The attackers may pivot to other systems and repeat preceding steps as needed to further compromise systems on the network.
- Planting backdoors: Leaving an entry point to a compromised system for easy access in further attack activities.
- Covering tracks: The act of removing/destroying signs of intrusion and activities performed on a system.
For each of these steps in the process, red teams may use different tools and techniques to compromise an organization’s networks and/or computer systems.
Enterprise vs. personal security tactics
The tools and techniques of red teams may be used to assess the security of large complex organizations or to test the security of your personal laptop and smartphone. It’s much easier to compromise a personal computer asset versus compromising a large network. Therefore, it’s important to learn how adversaries compromise single assets before fully understanding how they may compromise an entire network.
The enterprise defense mindset and the personal defense mindset aren’t very different. Many of the same types of tools used to secure or attack large networks will be used on a single personal device. Unlike defense tools, the versions used to attack personal devices are mostly the same versions used to attack enterprise devices. In fact, offensive software is becoming easier and easier to use, but traditionally offensive tactics have required advanced skills to compromise systems without detection. Red team professionals have the skills necessary to attack single and enterprise devices without detection.
Common red team tools & software
Footprinting is mostly passive. This means that attackers gather the information without direct interaction with the target organization or any of its technology. Just like public real-estate records and other public information, some information about an organization’s IT and security posture may be gathered through publicly available sources. In the footprinting phase, a few tools used to gather target information are:
Google and other search engines
Have you ever googled yourself? Search engine crawlers are very good at indexing any web-accessible sites. This may include public-facing resources of an organization such as login portals or unsecured intranet pages. Other types of information that may reveal target details are things like: job postings, discussion groups, social media posts, or company news releases which are all easily found through a search engine.
DNS queries and zone transfers
Domain Name System (DNS) servers perform zone transfers to keep records up-to-date. The information in a zone transfer contains a plethora of domain-specific information. This information may be host records (hostnames), service type information, other name server information, etc.
Web domains must be registered when purchased. The registration contains information such as registrar contact, name servers, and ownership details. Attackers can use this information to conduct social engineering.
A more active type of information gathering, social engineering is the act of exploiting humans for information or access to a target system.
Example of scanning tools
Scanning may be done to identify available entry ports or services, or it may reveal vulnerabilities present on a system or application. Scanning may be done passively or actively. Passive scanning is preferred when scanning activities need to go undetected.
- Nmap: The most utilized scanning tool. Nmap offers passive and active network scanning capabilities that reveal network information such as: open/closed ports, IP and MAC addresses, OS details, signs of network filtering, and more.
- Angry IP Scanner: Another tool used to scan for IP and port information.
- Sboxr: An open-source web vulnerability tool that effectively identifies any gaps in the security of websites and web apps.
- Kismet: A wireless scanner. Scans and sniffs wireless traffic.
- Tenable Nessus: Vulnerability scanner that may passively or actively scan systems for open vulnerabilities. Used to identify gaps in security.
Example of enumeration tools
- Maltego: A digital forensics tool that offers many enumeration features. May be used for DNS and network enumeration.
- Superscan: A GUI-based tool used to enumerate Windows machines. Targets NetBIOS protocol and other proprietary protocols.
Example of system hacking tools
Once the target network’s available services, ports, network addresses, OS detail, and vulnerabilities are identified, an attacker will move to the hacking phase of the process. The system hacking phase may leverage the same tools and techniques later used for privilege escalation, such as the following:
- Hashcat: A robust password cracking tool. Offers other hash cracking features such as identifying the data captured in a captured hash value.
- IKECrack: Another cracking tool that is very efficient in cryptography tasks during hacking a system. Open-source and highly used.
- Aircrack-ng: A suite of tools used to assess (and attack) wireless network security.
- Aireplay-ng: Part of the Aircrack-ng suite used for manually injecting and replaying wireless frames.
- Airmon-ng: Another Aircrack-ng tool used for disabling and enabling wireless interface monitoring capabilities.
- hping3: A packet crafting tool that allows an attacker to make packets targeting port services.
- Metasploit: An all-in-one penetration testing framework that assesses and aids in the exploitation of vulnerabilities of a system.
- Cain and Abel: One of the most utilized password-cracking exploitation tools for penetration testers and hackers.
Backdoors are entry points left behind by attackers for re-access to compromised systems. Backdoors must remain hidden from detection; therefore, different techniques and tools such as the following are used to assist in maintaining and hiding backdoors:
- Netcat: A networking utility that allows the setup of network listening ports on compromised systems. Netcat is one of the oldest tools used in red team techniques.
- Rootkits: Rootkits are a general class of tool that gives attackers persistent access to a system if properly hidden. There are many rootkits in circulation, so a single rootkit is not selected here.
- Steganography Tools: Tools like Snow and Steghide give attackers the ability to hide files within files.
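From the defender's side, a listener of the kind Netcat sets up shows up as a listening socket that is not part of the host's approved baseline. The following is an added example, not part of the original article: it parses `ss -H -tlnp` output and reports listeners that deviate from a baseline. The sample output and the baseline are constructed for illustration, and a listener hidden by a rootkit would not appear in `ss` output at all.

```python
import re

# Constructed `ss -H -tlnp` output (sample data, not from a real host).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1040,fd=6))
LISTEN 0 1 0.0.0.0:4444 0.0.0.0:* users:(("nc",pid=7731,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))
LISTEN 0 244 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=990,fd=5))
LISTEN 0 1 0.0.0.0:8080 0.0.0.0:* users:(("nc",pid=7802,fd=3))
"""

# Hypothetical approved baseline for this host: port -> allowed process names.
BASELINE = {22: {"sshd"}, 443: {"nginx"}, 5432: {"postgres"}, 8080: {"java"}}

PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')

def parse_listeners(ss_output):
    """Parse LISTEN rows into dicts; process is None when ss could not see it."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue  # service names instead of numbers: rerun ss with -n
        proc = PROC_RE.search(line)
        listeners.append({"addr": addr, "port": int(port),
                          "process": proc.group(1) if proc else None,
                          "pid": int(proc.group(2)) if proc else None})
    return listeners

def unexpected_listeners(ss_output, baseline):
    """Return listeners whose port or owning process is not in the baseline."""
    findings = []
    for lsn in parse_listeners(ss_output):
        allowed = baseline.get(lsn["port"])
        if allowed is None:
            reason = "port not in baseline"
        elif lsn["process"] not in allowed:
            reason = "unexpected process on approved port"
        else:
            continue
        findings.append({**lsn, "reason": reason})
    return findings
```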
The most common red team tools & software
This topic deserves its own section to emphasize the importance of understanding the following concept.
The MOST common tools and software used by offensive actors in a network and the systems hosted within are the default out-of-the-box tools and software that come installed on those networks and computer systems.
That’s right! The tools built into the operating systems of network devices and servers/clients are the most leveraged by entities intruding from one system to the next. For example, once the appropriate system permissions are gained in a given system, tools like PowerShell for Windows offer the intruder almost all necessary capabilities to extract the payload of the current system or pivot to the next system in the network. In fact, red teams capture many of the scripts and commands used with default system tools in a document titled “The Red Team Field Manual” (RTFM).
These realities should prove the necessity of securing the systems of an organization thoroughly. It should also reemphasize the importance of understanding the systems defended, familiarizing oneself with the many tools installed within the systems, and their capabilities. As a Cybersecurity Analyst, you should know the default tools of an OS, as well as those tools specifically designed for exploitation and hacking.
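Because built-in tools such as PowerShell are legitimate software, defenders usually look at how they are launched rather than whether they are present. The following is an added example, not part of the original article: it triages process-creation records for PowerShell command lines that use `-EncodedCommand` or stack several launch options that commonly appear together in misuse. The event records and their field names are constructed assumptions, and the rules are heuristics, not a complete detection.

```python
import base64

# (label, full parameter name, shortest prefix matched, aliases, required value)
RULES = [
    ("encoded_command", "encodedcommand", 1, ("ec",), None),
    ("hidden_window", "windowstyle", 1, (), "hidden"),
    ("policy_bypass", "executionpolicy", 2, ("ep",), "bypass"),
    ("no_profile", "noprofile", 3, (), None),
]

# Constructed process-creation records; field names are assumptions.
SAMPLE_EVENTS = [
    {"host": "ws-014", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1"},
    {"host": "ws-022", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
                + base64.b64encode("Get-Process".encode("utf-16-le")).decode()},
    {"host": "ws-031", "image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "cmdline": "pwsh -ep bypass -nop -c Get-ChildItem"},
]

def is_param(token, full, min_len, aliases):
    name = token[1:].lower() if token.startswith("-") else ""
    return name in aliases or (len(name) >= min_len and full.startswith(name))

def analyze(cmdline):
    """Return (indicator labels, decoded -EncodedCommand text or None)."""
    tokens, hits, decoded = cmdline.split(), [], None
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        for label, full, min_len, aliases, value in RULES:
            if is_param(tok, full, min_len, aliases) and value in (None, nxt.lower()):
                hits.append(label)
                if label == "encoded_command":
                    try:  # -EncodedCommand carries base64 of UTF-16LE text
                        decoded = base64.b64decode(nxt, validate=True).decode("utf-16-le")
                    except ValueError:
                        decoded = None  # not valid base64 or UTF-16LE
                break
    return hits, decoded

def triage(events, threshold=2):
    """Flag PowerShell launches that are encoded or stack several indicators."""
    flagged = []
    for ev in events:
        if ev["image"].lower().endswith(("powershell.exe", "pwsh.exe")):
            hits, decoded = analyze(ev["cmdline"])
            if "encoded_command" in hits or len(hits) >= threshold:
                flagged.append({"host": ev["host"], "indicators": hits, "decoded": decoded})
    return flagged
```

Decoding the `-EncodedCommand` argument gives the analyst the script text to review instead of an opaque blob; a single indicator such as `-NoProfile` on its own is left unflagged because it is common in legitimate administration scripts.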
Red teams hack. They are highly skilled in exploitation but apply their skills for ethical purposes. Though malicious intrusion may leverage unknown or rare hack tools and techniques (e.g., zero-days), many of the current intrusion incidents observed in cyberspace still leverage the same red team tools and techniques. Therefore, the red team is an important part of certifying the security of an organization’s computing infrastructure and networks.
Cybersecurity Analysts must be familiar with the red team/blue team practice and should be well studied in the tactics of both teams. Understanding the tools and techniques that a red team may apply in assessments fortifies the analyst’s defensive function. This is especially important for the identification and analysis of possible cyberattacks and intrusions that may affect the organization after red team assessments.