Red Team Archives - Page 7 of 7 - Cobalt Strike Research and Development
fortra logo

WRCCDC – A Red Team Member’s Perspective

Western Regional CCDC was pretty epic. Given the level of interest in red activity, I’d like to share what I can. So much happened, I couldn’t keep up with all of it. That said, here’s my attempt to document some of the red team fun from my perspective at Western Regional CCDC.

* . . . . o o o o o
*               _____      o       _______
*      ____====  ]OO|_n_n__][.     |lamer|
*     [________]_|__|________)<    |ville|
*      oo    oo  'oo OOOO-| oo\\_   ~~~|~~~
*  +--+--+--+--+--+--+--+--+--+--+--+--+--+

The scenario was interesting. Students were put in charge of a Computer Crime Defense Center. Part of their job involved protecting a repository of computer viruses.

Blue teams were given a 2-hour head start to secure their systems and change passwords. I was a little worried about this, but this worry was unfounded. The WRCCDC Black Team is far more evil than any red team I have ever seen. Students had to cope with a very strange network which included things like kill yelling at them for not saying the magic word, gratuitous appearances of ASCIIQuarium, and systems named in very confusing ways. Imagine my surprise when a UNIX box I quickly backdoored called home as winxp. Yeah…

Everyone loves pwnies

The Low Hanging Fruit

Once the waiting period was over, we sat down at our systems and prepared to “facilitate” a learning experience. The first hint that we started was Vyrus’s music blasting through the convention center.

It took us a few minutes to get going. Apparently ICMP was not passing through from our space to the teams. So we had to resort to finding systems by looking for open services. I started with a quick sweep for port 22 and 445 with the Metasploit Framework’s ssh_version and smb_version modules. I focused on one team space at a time, to allow myself to learn the layout of the competition environment without waiting forever.

It didn’t take long to discover a few Windows 2003 systems. Even after a 2-hour delay, these were pretty easy to sweep with ms08_067_netapi. Stopping access to port 445 with a host-based firewall would have easily defeated this.

Once I had access to a few Windows systems, Windows Credential Editor helped me get ahold of the default password: Opensolaris1. A few of us discovered and pasted this credential to IRC at about the same time.

Output of a Cortana script that runs Windows Credential Editor.
Output of a Cortana script that runs Windows Credential Editor.

I had a Cortana script ready to persist like crazy on the Windows systems. I’m not giving away my full kit for this year, yet… but it’s spiritually similar to last year’s kit. I also made a special effort to drop files to disk that anti-virus does not catch at this time.

I was able to verify that persistence worked by viewing the Beacons on the three Cobalt Strike team servers I had up. Cobalt Strike’s Beacon is an asynchronous post-exploitation agent. It doesn’t maintain a persistent connection to me, rather it periodically calls home to request the tasks that it should run.

Once I had default credentials, my next step was to attempt to login to all UNIX systems over SSH and to sweep all other Windows systems (with port 445 open) with psexec.

Maus owned a healthy number of UNIX machines too. *pHEAR*
Maus owned a healthy number of UNIX machines too. *pHEAR*

Even 2-hours in, the default credentials bore a lot of fruit. They allowed us to lay down some persistence on the UNIX systems and to capture a Windows 2012 server system from one team.

Taking Points

The red team is able to affect blue team scores in three ways. Gaining access to a host takes away points. Stealing certain data flags takes away points. We’re also able to disrupt services or deface websites, which takes away points because the teams will fail service checks.

Managing Persistence

I spent most of my time during the competition managing Beacons across multiple servers. I would task Beacons to spawn sessions to one of the team servers my red team compatriots were connected to. The idea is this, if a blue team member sees notepad.exe connecting to an IP address, they may squash that connection and block that IP address, but so long as they don’t discover the Beacons, they can’t keep us out.

netstat -nab is a tool to help you discover rogue notepad.exe instances connecting to the internet
netstat -nab is a tool to help you discover rogue notepad.exe instances connecting to the internet

Sometimes, we’d get access to a Windows system that we did not have before. This may be because the team’s system or network was down during  our earlier exploiting frenzy. When this happened, I’d help whoever gained access to the system pass it to me, so I could install persistence on it. This system would now be available for anyone connected to the team server to abuse or pivot through.

Sometimes, I’d fight to protect our persistence:

Later in the event, the two lead teams had creative egress filtering and routing in place. I spent my time trying to understand, through trial and error, what they would and wouldn’t allow. Eventually, I ended up having to task Beacon to send reverse https sessions to a team server located in Amazon’s EC2. This gave the folks interested in dealing with these teams the opportunity to do so.

Special Attention

Friday, before dinner, I opted to give each team special attention. My goal was to loop through each team, one at a time, understand their networks, understand what changed, and find the low hanging fruit I could grab and persist on again. I didn’t want to miss easy access opportunities from being too busy.

I started with team 13 and tasked any beacons I had calling home to give me a session. Once I had my sessions, I ran Windows Credential Editor again to get any plaintext passwords. I also dumped password hashes and gave them a quick pass through John the Ripper.

I then setup a pivot through a Windows system, discovered live hosts with an ARP scan, and used several Metasploit Framework modules to discover the open services.

If I didn’t have access to a Windows host for a team, I would try to work from a Linux system. Conveniently, the competition black team had a Raspberry Pi device installed on each team’s network. It was taped under a table and connected directly to their switch. These devices had default credentials and NMap. In several cases, I was able to use the Raspberry Pi to run NMap against a team and import the results into Cobalt Strike.

In the few cases that we didn’t have access to any systems (one team adopted a strategy of staying down the entire event!), I would run NMap from a non-team server system and import the results into Cobalt Strike.

Once I understood which services the team had open, I would then attempt all known credentials against their Windows and UNIX hosts. If a Windows 2003 system was not hooked, I would use the trusty ms08_067_netapi exploit again. I should state–ms08_067_netapi is the only memory corruption exploit I used during this event.

Ok, I'm not going to be re-exploiting this box anytime soon. Oh well :)
Ok, I’m not going to be re-exploiting this box anytime soon. Oh well 🙂

During this step of the game, I got lucky as several blue teams opted to use the same password on different systems. This reused password allowed me to get access to and persist on their Windows 2012 systems.

Checking a few choice file locations yielded access to other assets as well:


The Western Regional CCDC  Red Team had some crazy scary talent. Alex Levinson spent a lot of time administering forums for the blue teams. Alex, Vyrus, and Maus also built a system to track our accesses, credentials, and report our activity to the competition judges. This was a big help and we were able to pilot some ways to have the Metasploit Framework feed data to this system, automagically.

Kos took over the X desktop for two teams and gave them full screen VNC access to each other.

I also heard of minecraft servers getting setup on blue team systems. An important way to provide red team with a break.

I spent some time poisoning hosts entries on student systems to prevent them from getting to their inject scoring engine site, google, and others.

A lot of pretty funny pranks came from the red team. I wish I was able to keep up with all of it and detail it to you here. Despite this shortcoming, I hope this perspective helped shed some light on the red team activity that took place over the weekend.

One last note to close with, like any effective team, we specialize. Our red team had an infrastructure specialist, folks going after web applications, some going after access via other means, and still others handling post-exploitation on Windows and UNIX. There really was a lot happening.

Tactics to Hack an Enterprise Network

In June 2012, I released Cobalt Strike, a commercial penetration testing package that picks up where Armitage leaves off. Cobalt Strike is a direct expression of what I think a penetration test looks like. If you’re interested in this vision, this post will walk you through it.

The term penetration test is overloaded and may mean something different with each person that you ask to define it. To some people, a penetration test is a vulnerability verification exercise. To others, it’s an expert using the tactics and techniques of a skilled adversary to assess a mature security program’s ability to cope with a targeted attack.

I used to work as a contractor, providing red team services to a DoD customer. I saw gaps between the abilities of my tools and what I had to do. There isn’t much help for those of us who have to execute a full-scope external engagement. I wrote Cobalt Strike to fill the gaps I saw. Cobalt Strike is a tool execute a targeted attack. Let’s go through what a targeted attack looks like.


We’ll start where the active part of a penetration test begins, reconnaissance. Cobalt Strike’s system profiler is a web application to probe and report the client-side attack surface of anyone who visits it. The system profiler reports the applications a user is running along with version information. This report isn’t comprehensive. The system profiler can’t discover all applications, but it does discover the common ones that attackers target. I liken this to the client-side version of a port scan with a banner grab.

Once you have a system profile, you can plan an attack. If your client doesn’t allow client-side attacks, that’s fine. A system profile alone is enough to generate a client-side vulnerability report. If you’re allowed to go further, the tools are there.


Cobalt Strike recommends client-side exploits based on a system profile. You may choose to use one of these exploits in  your targeted attack. You have one problem though. The client-side exploits in the Metasploit Framework are caught by most anti-virus products. I don’t blame the Metasploit Framework for this. The project does not promise anti-virus evasion. This is a problem that’s up to the user to solve.

If you want to deliver a client-side memory corruption exploit, that’s fine. Set up a virtual machine and install the anti-virus product your target uses. Change obvious strings in the Metasploit module until it passes the anti-virus product you’re interested in. Cobalt Strike will happily use your modified Metasploit Framework modules.

Java Drive-by Exploits

Lately, the client-side whipping boy is Java. Several Java attacks disable the Java security sandbox and allow an attacker to silently execute code without alerting the user. These attacks are extremely reliable and do not rely on memory corruption. If the user’s Java is patched, you may deliver a signed Java applet to a user and hope they give your applet permission to run without restrictions. This is a staple social engineering attack.

This week’s Java 1.7u11 release makes some attempts to mitigate Java attacks in a generic way. We’ll see how much the new security settings affect penetration testers. You may find a target is running an outdated Java, giving you a free pass into their system. You may find your target is up to date and this may influence your attack strategy.

If you do choose to use a Java attack, know that there is a downside. The Metasploit Framework’s Java exploits are tightly coupled to a few payload options with no randomization at all. Popular anti-virus products detect the Java exploits and payloads. There is no option to use an anti-virus safe Jar file with a Java exploit module.

If you want to use a Java attack in a penetration test, you must reimplement it and host it yourself. I did this for you. Cobalt Strike includes an implementation of the signed Java applet attack. I also include a Smart Applet attack that detects the current version of Java and disables the security sandbox with an exploit before it executes your payload. If you want something intelligent, start the Web Drive-by Exploit server and tell it to use Java attacks only. With this feature, Cobalt Strike will detect the version of Java a visitor has and deploy the Smart Applet attack if it makes sense or fall back to the Signed Applet.

Of course, there’s another problem: anti-virus. It’s only a matter of time before every anti-virus product on the planet screams at the sight of my Java attack kit. For my customers, I provide a small SDK with the source code to Cobalt Strike’s Applet Kit. The build files are there. Modify the code as you see fit and rebuild it. Load an included Cortana script to make Cobalt Strike use your changes. This collection of source code, ready to tweak for AV evasion, is the Cobalt Strike arsenal.

Hacking with Features

Exploits aside, there’s another class of attacks well supported by Cobalt Strike: features. I expose several gems in the Metasploit Framework to add a Macro to Word and Excel files, generate a Java JAR file, or trojanize a Windows executable. If there’s no exploitation opportunity, use Cobalt Strike to add an agent to a regular file.

At this point, you have a package that will execute code on workstation. Great! Now, let’s make this package into something that won’t raise suspicion. You can register a domain and setup a fake website that plays to your pretext. If you’re in a hurry, use Cobalt Strike’s website clone tool to clone a site and embed your attack into it.

Spear Phishing

Now, you need to get the attack to the user. Spear phishing is a common way. Let’s talk about that. Most penetration testers have a dust-covered Perl script that will connect to a mail server and deliver a message. This piece is trivial to do. The hard part is crafting a message that matches your pretext. No matter how hard any tool developer tries, our hacking tools can’t and should not try to replace a modern email client to compose a message. If this sounds out of left field, stay with me for a minute.

A successful spear phishing attack requires a good pretext. Period. The pretext is the ruse you create to convince a user to open your attack package and give you access to that system. In your pretext, someone is sending the message. This person works for an organization. They have a signature block, they use certain fonts in their message, they may have that stupid legal notice at the bottom. Whatever it is, you should base your phish on a real message. If you have a message from that person, save it and edit it in a text editor to say what you want. If the phish’s sender isn’t real, compose a message in an email client and send it to yourself. In both cases, you have a message composed in an email program that looks right and says what it needs to support your pretext.

Now, you need to repurpose this message and get it to the user. This is where Cobalt Strike helps. Its spear phishing tool imports saved email messages. Import the message and Cobalt Strike will strip most of the headers from it. Cobalt Strike will also replace all links in the message with a link to your attack package. If you want to attach a file, that’s OK too.

Cobalt Strike’s spear phishing tool communicates directly with your target’s external mail server to deliver the message. If you have a mail server that will deliver messages, give Cobalt Strike the details to authenticate to it and Cobalt Strike will use this option instead.

Command and Control

Now, you have a package that will give you code execution, pass host anti-virus, and a way to deliver it. What else is there? Command and control.

If you get code execution on a user’s system, you need a way for their system to communicate with you. This is necessary if you’re going to take data from the system or use it as a hop point for other attacks

One option is Meterpreter. Its reverse HTTP[S] payloads will communicate through a transparent proxy. Its reverse TCP payload will connect to you on an any port you choose. Cobalt Strike supports these options.

An alternative is Cobalt Strike’s Beacon payload. Beacon works like some of the advanced malware in the wild. Once it’s staged, it limits its communication to you. Beacon will make a DNS request using the resolver built into Windows. It will ask if a host exists on one of several domains you control. If the host exists, Beacon uses this as a signal to phone home and request a task. If the domain doesn’t exist, Beacon goes to sleep. To manage this, Cobalt Strike ships with its own DNS server. You simply point the NS records to your attacker system and Cobalt Strike takes care of the rest.

Beacon is the tool to maintain a foothold in a network. Beacon has a few post exploitation capabilities too. It will log keystrokes, execute commands, and inject shellcode into memory. With Beacon in place, you may give yourself a Meterpreter session when you’re ready to use it.

As a placeholder, Beacon has several advantages over Meterpreter. It’s not chatty. It communicates with you on a set interval. The DNS variation of Beacon, will not communicate with you unless there is a task. Further, you may deploy Beacon with multiple domains embedded inside of it. If one of your domains is blocked, Beacon will still reach you through the others. This makes your placeholder more resilient. These capabilities make Beacon desirable for your first access. You don’t want to go to the trouble to get an access and then lose it because Meterpreter crashed or your attacker IP was blocked.

Post Exploitation

For post-exploitation, Cobalt Strike offers the same tools as Armitage to control Meterpreter. You can setup proxy pivots, launch privilege escalation exploits, download and upload files, take screenshots, and interact with a command shell. As an added bonus, you can automate your post-exploitation activity using Cortana scripts. Cortana is the scripting technology paid for by DARPA’s Cyber Fast Track program. It’s open source. You can use Cortana scripts with Armitage or Co

balt Strike.

During a targeted attack, another problem arises that Cobalt Strike is well suited for. It’s likely you have one or two accesses into a network and multiple teammates. I built Cobalt Strike’s tools into Armitage because I saw a natural complement here. Armitage is a solid foundation for red team collaboration. You may communicate activity in a chatroom, share sessions, and have access to the same data as your teammates. Now, those one or two sessions aren’t a problem. Your team, each member with a different job to do, can set to work on the target’s network by sharing those accesses. If a penetration tester encounters a system they don’t have the knowledge to deal with, a specialist can connect to the teamserver and set to work from the position in the network you worked hard to get.

Lateral Movement

It’s unlikely that the system you land on is your destination. Once you have a foothold in a network, you will need to attack other hosts. With Armitage and Cobalt Strike, you can set up a pivot through Meterpreter, discover and scan hosts, and launch remote exploits. While this is nice, the juicy stuff is abusing trust relationships.

Lateral movement in a network involves abusing your position of trust to compromise otherwise patched hosts. In an active directory network, you simply authenticate to a host, copy an executable to it, and schedule this executable to run. To authenticate to a Windows host, there are three artifacts that will help you: tokens, password hashes, and plaintext passwords.

Token Stealing

In Windows, every thread has an access token associated with it. This token acts as a cookie to identify the user, their groups, and the privileges the token holds. If an attacker controlled thread has a token for say, a domain administrator, then the attacker may do anything that the domain administrator user can do. These actions aren’t restricted to local actions either. You can execute commands to interrogate a host, list files, and move files between hosts. Why, you can even schedule tasks if you’re an administrator.

Meterpreter has a lot of functionality for listing and stealing tokens. Both Armitage and Cobalt Strike have dialogs to manage this functionality. You can steal a token directly from a process–this gives your meterpreter session the rights of that user or you can list all tokens available on the system and impersonate one of them.

To move laterally with a token, Cobalt Strike provides a dialog for the Metasploit Framework’s psexec with current user token module. This dialog lists all meterpreter sessions you have and which token is associated with each. Simply select one and the Metasploit Framework will create a share through the meterpreter session you select and ask the target hosts to schedule a job to execute a program hosted in that share.


The phrase execute a program should raise a red flag and signal alarm bells in your head. This is an opportunity for our very dear friend anti-virus to stop us. If you rely on the executable generated by the Metasploit Framework, you’re caught.

Cobalt Strike’s psexec dialogs allow you to specify any executable that you’d like. This saves you from the executable generated by the Metasploit Framework, but it forces you to step away from the flow of the penetration test and work on crafting an executable that anti-virus doesn’t catch.

Another option is to load a Cortana script that intercepts any psexec actions, extracts your payload parameters, and generates an AV-safe executable for you. I wrote a generic HOWTO on anti-virus evasion with Cortana awhile ago. For Cobalt Strike customers, I went a step further. I wrote a simple AV by-pass executable and made it and its source code available in the Cobalt Strike arsenal.


Cobalt Strike and Armitage expose Meterpreter’s ability to extract password hashes if you’re SYSTEM on a host. You may use the password hash to login to a host, copy an executable, and schedule it to run. This is the pass-the-hash attack. It works because the password hash is not salted and it’s all you need to authenticate to a host with. This doesn’t work with all users though. You need a password hash for a local administrator or domain administrator user.

Fun with Passwords

If you manage to get plaintext credentials, you can use them with Cobalt Strike’s psexec dialog, the same as you would use password hashes. One way to get plaintext password is to log keystrokes. I built the keystroke logger into Beacon for this purpose. Beacon’s keystroke logger tracks the active window with the current keystrokes.

Separate from Cobalt Strike, there are two innovative programs you should know about: mimikatz and Windows Credential Editor. These programs will grab cached Windows user credentials from memory for you. I’d include either of these programs in Cobalt Strike if I could work out a licensing deal with either author. In the meantime, you can use Cortana to integrate either of these tools into Cobalt Strike. I wrote a script for Windows Credential Editor already. The freedom to integrate external tools with Cortana is one of Cobalt Strike’s strengths.

Plaintext credentials are the best thing that can happen to you. You may use them to login to internal web applications, servers, maybe access a VPN for employees, or use RDP. The sooner you can dump hacking tools and switch to normal administration tools–the better.

VPN Pivoting

Once you’re inside a network, there’s a lot more you can do. You can sniff traffic and attempt to capture information that way. You can host a rogue smb server and use it to capture or relay the credentials of any system that touches your server. There’s a lot of opportunity that opens up.

Unfortunately, these opportunities require being inside the network. Layer 2 access, as if your system is plugged into that network.

Cobalt Strike can help you here. Its Covert VPN feature bridges you into your target’s network using a compromised Windows workstation as a hop point. How does it work? Think of it as a two-way packet sniffer. Covert VPN sets up a network interface on your attacker system. Anything that passes through this interface is dumped as-is on your target’s network. On the compromised host, acting as a relay, any frames it sees are made available to the network interface created by Covert VPN.

The covert part of Covert VPN is the ability to choose how it relays traffic back and forth. You can relay frames using a UDP transport. This is fast and works like a traditional VPN. You can relay frames using a reverse TCP connection. Or, you can relay frames as HTTP GET and POST requests. This last option is useful if the only way out of a network is through a proxy server. None of these options is very quiet though, a VPN is always chatty.

With Covert VPN, you have the option to bring other tools into your engagement. You’re now in the target’s network and can do what you need to do.


This is where Cobalt Strike will take you to. We started at the beginning of an attack, the reconnaissance phase. I showed you how a system profiler will help you gather the information necessary to execute an attack. We talked about attack options and anti-virus evasion. We then brought spear phishing into the picture. Once you gained a foothold, I discussed how to abuse it to spy on the user and to abuse your position in the network to attack other hosts. From the perspective of Cobalt Strike, this is how you hack into a typical enterprise network.

How to Milk a Computer Science Education for Offensive Security Skills

Recently, a poster on reddit asked how to get into offensive security as a student studying Computer Science. Before the post was removed, the poster expressed an interest in penetration testing or reverse engineering.

I studied Computer Science at different schools (BSc/MSc/Whateverz). This is timely as a new semester is about to begin and students still have an opportunity to change their schedules if needed. 

Offensive security is multi-disciplinary and people come into it with different backgrounds. Any background you master will equip you to become a useful contributor. Studying Computer Science (or even having a degree in the first place) is not the only path into this niche of security.

If you want to milk your Computer Science education for offensive security skills, here are my tips.

In general

You should learn to program in a systems language, a managed language, and a scripting language. Learn at least one computer architecture really well too.

Programming Languages

Many schools will give you the opportunity to learn Java or C#. This will check the managed language box. I’ve used Java to develop graphical user interfaces and to write middleware for distributed systems. You may find Java and C# aren’t interesting, that’s fine.

For the systems language side, take a course that will teach you C. I prefer C over C++. Working in C will force you to cast blobs of memory into different structures and to use function pointers. C will help you develop a mental model of how data and code are organized in memory.

Python and Ruby are the preferred scripting languages in the security community. I lean towards emphasizing Python over Ruby. There are a lot of great libraries and books [1, 2] on doing security stuff with Python.

If you want to tinker with the Metasploit Framework, your best bet is Ruby. Ultimately–pick a project and use that as an excuse to master a language or tool. This is how you will acquire any skill you want (during and after college).

Operating Systems

Take an operating systems course and the advanced OS course if you can. Usually these courses require you to work in a kernel and do a lot of C programming. Knowing how to work in a kernel will make you a better programmer and teach you to manipulate a system at the lowest levels if you need to.

After a good first course in operating systems, you will know how to program user-level programs, understand which services the OS provides you, and ideally you will have modified or extended a kernel in a simple way.

Take a compiler construction course to follow up with an architecture course. By the time you get through architecture and compiler construction, you will know assembly language for a specific architecture and how to use a debugger really well.

One note on the above: some CS departments offer watered down versions of these courses. They may force you to work in Nachos instead of a UNIX kernel. If this is the case, see if your school’s EE department offers an equivalent course that teaches skills tied to real systems.

Theory is Cool Too

Again, this is a very systems centric slant on CS. The theoretical side has a lot of opportunity too. Some universities have courses on formal methods for software engineering, model checking, and the like. There’s some great work happening in this area. Read Ross Anderson’s Security Engineering book to see if anything stands out and try to map it to a course.

To appreciate how broad security research is, read the list of DARPA’s Cyber Fast Track awards or go through the papers published at the USENIX Workshop on Offensive Technologies. You’ll see both the systems side of CS and the theoretical side making appearances in both of these places.

Don’t Expect This…

Active Directory administration, configuring Cisco routers and firewalls, using hacking tools, and other practical system administration skills are not usually covered in a CS curriculum. Be ready for this. If this is what you want, there are some good programs on Systems Administration and you may want to consider a switch.

Also, it’s not common for computer science departments to teach courses in web application development. If you want to learn a web application stack, you’ll need to take courses in another department or learn this on your own.

Independent Study

If you get through the foundational material and find yourself hungry for more, try to arrange an independent study. I like independent study. It’s a chance for you to work on your own and produce something to prove you’ve acquired a skill or mastered a process. If your independent study produces open source or a useful paper, you may find the independent study boosts your career more than an academic transcript ever will.

Let’s say that you’re stuck and do not have a project idea for an independent study. That’s fine. Take a look at courses offered by other universities. See if there’s a way to tailor the course content and projects into a study plan that a professor at your university may supervise.

Since you’re interested in offensive security, here are my two suggestions:

NYU Poly offers an Application Security and Vulnerability Analysis course. All of the lectures, homework, and project materials are available on the website. If you want to learn how to find vulnerabilities and write exploits, you could work through this course at an accelerated pace and spend the rest of the semester on a final project.

Syracuse University publishes the Instruction Laboratories for Security Education (SEED). This collection contains guided labs to explore software, web application, and network protocol vulnerabilities.

SEED also has open-ended implementation labs to add security features to the Minix and Linux kernels. If you ever wanted to write a VPN, develop your own firewall, or try a new security concept–these labs are a great start and any one of them could seed an independent study project. These labs were designed to provide a challenging end of course project. Two of these would make a very interesting semester of independent study.

How to Get Experience

If you have an idea about what you want to do while in college, then use internships, open source projects, and extra curricular activities to build up a portfolio of skills relevant to your dream job. These activities will either make you stand out to get your dream position or help you decide that the dream position isn’t so exciting.

To get involved with open source, pick a project and start doing something with it. If this is too open-ended, take a look at the Google Summer of Code Project List and see if there’s anything here that strikes your fancy.

Another opportunity is the National Science Foundation’s Research Experience for Undergraduates program. This program provides an opportunity to participate on a research project at another university over the summer.

If you’re an Air Force ROTC cadet, you should spend a summer with the Advanced Course in Engineering Cyber Security Bootcamp. This 10 week course will teach you how to write and tackle difficult problems with a computer and network security focus.

If you think you want to do services work, I recommend finding an internship with a security services company. Exposing yourself to multiple opportunities will help you decide the best place for you.

The Big Picture

A Computer Science degree generally prepares you for research. It’s not job training for developers, QA people, software engineers, etc. What you will get out of CS is a foundation. You will come to view systems as complex layers glued together by abstractions. Security problems find their way into systems when a developer fails to understand the details in a lower layer. The Computer Science foundation will help you become a person who can seamlessly think in multiple levels of abstraction and manage a lot of details at one time. This ability is necessary if you want to break or secure systems.

Hacking like APT

Lately, I’ve seen several announcements, presentations, and blog posts about “hacking like” Advanced Persistent Threat. This new wave of material focuses on mapping features in the Metasploit Framework to the steps shown in Mandiant’s 2010 M-Trends Report: The Advanced Persistent Threat. While this is an interesting thought exercise, there are a few classic treatments of the adversary emulation topic that deserve your attention.

Here are my favorite presentations.

Information Operations (2008)

This video discusses “techniques to attack secure networks and successfully conduct long term penetrations into them. New Immunity technologies for large scale client-side attacks, application based backdoors will be demonstrated as will a methodology for high-value target attack. Design decisions for specialized trojans, attack techniques, and temporary access tools will be discussed and evaluated.”

MetaPhish (2009)

MetaPhish describes how to attack a network like a real adversary. This presentation covers the information gathering phase (targeting), it lays out the needs for a spear phishing and web drive-by framework, and it discusses covert communication using Tor. You should read the MetaPhish white paper as well.

Modern Network Attack (2011)

In 2011, I spoke at the TSA ISSO meeting about how I view the penetration testing process. This talk is a breakdown of how I saw threat emulation. You’ll see hints of MetaPhish and Tactical Exploitation in here.

I wouldn’t call this my favorite presentation–it’s mine after all. But this is one of the first talks I gave when I was starting to participate in the open source security community. Adversary emulation is a topic near and dear to my heart. So much so, I built a product for it.

Adaptive Penetration Testing (2011)

This talk calls on the community to revisit the reasons we penetration test: We’re trying to simulate an adversary and go after something meaningful to the organization we’re testing. Included in this talk are a lot of stories, an argument for why social engineering should be in scope, and a lot of tactical things.

Tactical Exploitation (2007)

This is a classic talk by HD Moore and Val Smith on how to attack a network by leveraging functionality, not exploits. This talk is very reconnaissance heavy (go figure, so is threat emulation). I highly recommend reading the Tactical Exploitation white paper too.

Common Themes

If you’re interested in providing adversary emulation in your pen tests, it helps to mimic their tactics, their tools, and attack similar goals. How do you do this? Here are the common themes from these sources:

Offense in Depth

I regularly receive emails along the lines of “I tried these actions and nothing worked. What am I doing wrong?”

Hacking tools are not magical keys into any network you desire. They’re tools to aid you through a process, a process that requires coping with many unknowns.

If you’re interested in penetration testing as a profession, you’ll need to learn to think on your feet, get good at guessing what’s in your way, design experiments to test your guess, and come up with creative ways around the defense hurdles before you.

For the sake of discussion, we will focus on the process of getting a foothold. To get a foothold, we will assume the usual steps: craft a convincing message, embed some malware, and send it off to the user. Pretty easy, right?

Let’s walk through this process. The green bubbles represent milestones in an attack. As an attacker, I need to get to each of these milestones and evade defenses that are in place to stop or detect me. If I fail to achieve any of these milestones, my attack is a failure.


Goal: Message Delivered

Let’s begin our attack. At this point, I’ve researched targets. I’ve used Google, I’ve browsed LinkedIn, and I’ve created a list of targets. Go me! I’ve also spent time coming up with a convincing pretext and designed a message that will entice the user to open it. Now, I just need to send the message and get it to the user. Easy!

What can go wrong?

Email has evolved since 1997. It’s still trivial to spoof a message, but a number of mechanisms are deployed to make spoofing messages harder. Sender Policy Framework is one of them. Sender Policy Framework is a standard that uses DNS records to specify which IP addresses are authorized to send email for a domain. Some mail servers do not verify SPF records.

When you’re crafting that clever spear phishing email, you have to pay attention to which address you’re spoofing. If you’re really paranoid, register a typo of a domain, setup the proper SPF and DKIM records, and send phishes through your server.

Beware, this problem will get harder. Standards such as DMARC are pushing consistent deployment and use of the SPF and DKIM standards to make sure messages are from a system authorized to relay messages for that domain.

Let’s say your message doesn’t get squashed as spam. Next, it’s highly likely a gateway anti-virus device will look at your message. If the contents of your message is flagged by this device, game over.

To get a handle on these defenses, I recommend that you craft a message to a non-existent user at your target’s site and send it. The non-delivery notice that comes back may contain clues about which devices touched your message and how they interpreted it. I’ve used this technique to learn about the anti-virus and anti-spam mechanism I had to defeat.

Goal: Code Execution

Ok great, you can get a message to a user. Next, you need a package that will execute code on the user’s system. This package may exploit the user when they view content or it may require the user to allow some action.  If the user doesn’t open your file or follow through on an action you need them to take–all your hard work went for nothing.

If you send an exploit and the user isn’t running vulnerable software, your attack will fail. I wrote a System Profiler to collect system information from anyone who visits a website I setup. If you’re planning to execute a targeted phishing attack, you will want something like this in your arsenal. Visit to learn what’s possible in a system profiling tool.

What can go wrong?

Assuming your attack is plausible and the user follows through, you have another problem: anti-virus. If anti-virus flags you, game over.

Evading anti-virus is part of the penetration tester’s tradecraft. If it’s a client-side exploit, you may need to modify it until it passes checks. If your attack is a dressed up executable, you have a lot of options to obfuscate it. This process is greatly helped by knowing the anti-virus product you’re up against.

Discovering the anti-virus product that’s in use is harder. You may find hints about the preferred product during your information gathering phase. Job postings and resumes are a goldmine. I once had success feeding a list of common anti-virus update servers to a DNS server susceptible to cache snooping.

Goal: Positive Control

You’d think that after a user gets the message, opens your file, and possibly performs some other action–you’re done. This is not true. Even after your code is executing on the target’s system, your attack is still vulnerable.

Many exploits corrupt memory to take control of a process. The amount of code an exploit may execute is usually very small. This constraint drives a design decision that ripples through the Metasploit Framework. Namely, payloads, the code that executes when an attack is successful, are split into two pieces.

The first piece, known as the stager, is small and limited. It connects to you, the attacker, and downloads the second part of the payload, the stage. In the Metasploit Framework, the stage is a reflective DLL. Once the stage is downloaded, the stager passes control to it and the stage executes. Saying “the payload is staged” means this process was successful.


What can go wrong?

You are vulnerable here. Functionally, there aren’t many stagers in the Metasploit Framework. You may stage a payload using a TCP connection or use a stager that takes advantage of WinInet to download the stage from a URL.

If firewall egress rules prevent your stager from connecting to you, then your payload will not stage. You will not get control of the system. You will have wasted all of that effort.

Once a payload is staged, you’re in good shape. The Metasploit Framework encrypts meterpreter traffic. If you’re using Beacon, you have a low and slow agent that’s periodically asking you for tasks.


Wireshark Capture of Meterpreter Staging

Beware though. The stager does not encrypt traffic! This means when your attack lands, a network admin has the opportunity to see an unobfuscated DLL coming over the network. Most Intrusion Detection Systems ship with rules to detect executables traversing the network.

The only stager that encrypts the stage is reverse_https. Keep this in mind when planning your attack.

Know Your Tools

This blog post is not a comprehensive list of defenses that will stop an attack. Rather, it is my hope to get you thinking about the attack process and the hurdles that you must get past. When you know your tools and how they work, you can use this information to plan your attack and actively think about the clues a defender may use to spot you. Likewise, as an attacker, you have to use clues to understand the defender’s game and know the attack surface.

If you’re a network defender who understands the attack tools and how they work, you can take advantage of this working knowledge to detect attack indicators or develop defenses to stop the less malleable pieces of the attacker’s toolkit.

Red Team Post Exploitation Videos

Each year, I play on a volunteer red team at several cyber defense exercise/competition events. Here’s a small collection of videos from this year and last year demonstrating the fun we have as a red team. One of the things that differentiates these events from a penetration test–we can do whatever we want (within reason).

Enjoy a little red team fun.

ISTS 2012: Team 12 TV

These videos are from the RIT Information Security Talent Search event. Here, we have access to a student’s system. We’re projecting his desktop onto the projector. At the same time, we’re logging his keystrokes and using proxychains to connect to his mail server via a pivot into his local system. We use his mail server to send friendly messages to him, some of which contain his password.

In case the screen is hard to read in the cell phone video, here’s the screen recording of these events:

PRCCDC 2012: A little VNC + key logging fun

This video is from the Pacific Rim CCDC regional event. It’s just a little harmless fun with VNC and a keystroke logger.

NECCDC 2011: Red Team Update

This video is the 2011 Red Team Update from NECCDC. This is a compilation of screenshots and other great moments from the 2011 event.