Welcome back to the Deep Dive. Ready to dive into some ethical hacking today?
Always ready.
We're going to be looking specifically at red teaming. We've got a great guide for this one, The Hacker Playbook 3 by Peter Kim.
Oh yeah, great book. It's kind of flipping the script, right, learning to think like the bad guys.
Exactly.
So how would you explain red teaming for someone who might not be, you know, super familiar with it?
It's kind of like, well, it's more than just, you know, checking for vulnerabilities. It's more about, like, simulating a real attack.
So, like, more than just a vulnerability scan.
Right. It's like, okay, traditional pen testing, that's like checking the locks on your doors, but red teaming, that's like hiring someone to actually try and break into your house.
Ethically, of course.
Well, of course, ethically. Yeah, that's a great analogy. So, like, how would that kind of approach actually benefit an organization?
I think it just gives them a much better understanding of, you know, where their weaknesses are, like how an attacker would actually exploit those vulnerabilities.
So it helps them prioritize, right?
Totally. Instead of just being like, oh, we have this vulnerability, it's like, okay, but how could someone actually exploit that?
That makes sense. So what kind of tools would a red teamer actually use in one of these simulated attacks?
Oh, there's a ton of specialized tools this book talks about, like Metasploit, for example.
Yeah, Metasploit.
That's a framework for, like, developing and testing exploits. And then you've got things like Cobalt Strike, which is like what they'd use after they've already gotten in, to really move around.
So Metasploit's kind of like the battering ram, and then Cobalt Strike is what they use once they're inside.
Yeah, kind of like that. There's also Responder. It's a cool one. It takes advantage of how Windows networks talk to each other to, like, capture sensitive information.
So, like, usernames and passwords.
Yeah, exactly. Basically they're eavesdropping on the network.
So just by being on a network, someone could, like, potentially snag my login credentials?
Potentially. Yeah, there are ways to mitigate that risk, though.
Okay, that's good to know. I'm already feeling a little vulnerable here. And we can't forget about passwords, right? Those are still a huge target.
Totally. This book goes into, like, all the different ways attackers can crack passwords: brute force attacks, dictionary attacks. It's pretty crazy.
So a strong, unique password is still, like, the best offense.
It's one of the most important, for sure. Like having a really good lock on your front door.
Makes sense. So let's say our red teamer, they've got their tools ready to go. What's the first step in one of these attacks?
Reconnaissance. You've got to start with recon.
Recon?
Yeah, reconnaissance: gathering information about their target, like, as much as possible.
So they're basically spying on their target, but in a good way.
Right. It's like a detective gathering evidence before they go make an arrest.
That makes sense. So what kind of techniques do they use for that?
Well, the book talks about things like Nmap. It's a tool that can scan networks, see what ports and services are open.
Okay, Nmap. What else?
Oh, there's EyeWitness. That one takes screenshots of websites to get info about, you know, how they're structured.
So Nmap is like knocking on the doors, seeing who answers, and then EyeWitness is like peeking through the windows.
Exactly.
Pretty sneaky. What about cloud environments? Like, how do they factor into all of this?
Cloud scanning is a big deal these days. There are tools that can find misconfigurations or like exposed data in the cloud.
Makes sense since everything's moving to the cloud these days.
Yeah, for sure. And then there's, you know, subdomain discovery, trying to find all those hidden parts of a website that might be vulnerable.
So they're leaving no stone unturned. They're looking for weaknesses everywhere.
Yep. That's the whole point of red teaming: simulating a real attack, which means finding any weakness they can.
So I'm curious, is it all, like, technical vulnerabilities they're looking for, or do they also use, you know, social engineering?
Oh, social engineering is huge. The book even gives an example of how they might use, like, a phishing email.
Right, the classic: try to trick you into clicking on a bad link.
Yep, exactly, preying on people's, you know, natural tendency to trust, to be helpful.
So even if someone's, like, pretty savvy with technology, they can still fall victim to these social engineering attacks.
Totally, it's all about psychology. So it's not just about having, you know, good tech defenses. It's also about educating people.
Making sure everyone's aware of the risks.
Exactly, because the human element, that's often the weakest link.
Makes sense. So let's say, hypothetically, someone does fall victim to one of these phishing attacks. What happens next?
Well, the attacker would want to, you know, gain a foothold in the network and then start moving laterally.
Moving laterally?
Yeah, like spreading to other systems. They might use a tool like, you know, Responder, which we talked about earlier, to grab credentials and get access to other accounts.
So it's like a domino effect.
Kind of. Yeah, one compromised system leads to another, and so on, until they reach their final objective.
Which could be anything, I guess: stealing sensitive data, disrupting operations.
It depends on the attacker's goals, but yeah, it could be pretty scary stuff. And they might even try to escalate their privileges.
Yeah.
You know, get admin access.
So they can have even more control. Wow, it's a whole, like, a chess match, isn't it? Trying to stay one step ahead?
It really is. It's a fascinating field.
Well, we're definitely just scratching the surface here. We haven't even gotten into, like, NTLM hashes or, you know, all those other technical details.
We'll save those for next time.
Sounds good. Stay tuned for part two of our deep dive into red teaming. We'll be getting into even more of the nitty-gritty details.
Can't wait.
Back for more red teaming fun.
Oh yeah, I'm hooked.
Good. Good, because we left off with our attacker getting a foothold.
Remember?
Yeah, like sneaking through a window or something.
Right. Now they need to deploy some malware.
And The Hacker Playbook, it mentioned something about custom droppers.
Oh yeah, droppers. They're sneaky little things.
I'm guessing it's more than just dropping a file somewhere.
Way more. It's like, think of it like a Trojan horse.
Ah, hiding the bad stuff inside something that looks harmless.
Exactly. The Hacker Playbook actually walks through, like, building one from scratch.
Wow, that's pretty hardcore. What's the, what kind of malware are they hiding in there?
Well, the example in the book, it's a payload that can either, like, execute shellcode or load a DLL.
Shellcode, DLLs. I know I've heard those terms before.
Right. So shellcode, that's basically a small program, but it can do some serious damage.
Okay.
And a DLL, DLL stands for Dynamic Link Library. It's like a collection of code that other programs can use.
So the attacker could, like, hijack a legitimate program using that DLL?
Yep, or add malicious functionality to a program that's already there.
Sneaky. I bet this stuff can get past antivirus pretty easily.
Oh yeah. Antivirus evasion is a whole other game, and this book, it dives deep into that too.
Oh man, sounds complicated.
It can be, but think of it like a, like a cat and mouse game. You know, attackers are always coming up with new tricks, and the antivirus guys are trying to stay one step ahead.
So what are some of those tricks? How do they actually get around antivirus?
Well, one common technique is obfuscation, like scrambling the code so the antivirus can't really understand what it's looking at.
So it's like writing a secret message that only the attacker can read.
Pretty much. The book also talks about code packing, which is like compressing and encrypting the code.
Making it even harder to analyze.
Yep. And then there's just straight-up encryption too.
So even if the antivirus does detect it, it can't really do anything unless it can decrypt it.
Exactly. It's a constant arms race.
What if a company has, like, a really strict application whitelisting policy? Can attackers get around that?
Oh, yeah, they can. The Hacker Playbook actually shows how to do it, like using built-in Windows programs to execute malicious code.
Whoa, so they're taking a legitimate tool and twisting it to do something bad.
Exactly. There's this one example with MSBuild.exe. It's supposed to be for building software, but they can use it to run malicious code disguised as a project file.
That's crazy. Are there other examples like that?
Oh yeah, there are a bunch, like regsvr32.exe, rundll32.exe. These are all programs that are already on Windows systems, so they often fly under the radar.
So it's all about finding those loopholes, huh?
Yep. And once an attacker is in, they'll want to make sure they can stay in even if their initial access gets shut down.
Ah, so backdoors.
Exactly. Backdoors, ways to sneak back in if the front door is locked.
And The Hacker Playbook, I'm guessing it has some tips on those too.
Oh, yeah, tons of them: modifying system files, installing rootkits.
Rootkits, those are like the ultimate backdoor, right?
They're pretty nasty. Basically, they're designed to, like, completely hide themselves on the system.
So the antivirus wouldn't even see them.
Right. It's like they blend in perfectly.
This is starting to feel like a spy movie a little bit.
The book also talks about hijacking legitimate processes. So the malicious code is running, but it's hidden inside something that looks totally normal.
This is crazy stuff. How do they even come up with this?
Well, they have to be creative, right? And they're always looking for new ways to, you know, to stay hidden. Like, the book even mentions backdoors that communicate over DNS traffic.
DNS traffic? Isn't that, like, just for looking up websites?
Yeah, but it's also a way to, like, send commands and receive data, and security tools don't always pay close attention to it.
Wow. So they're using, like, the Internet's plumbing system to sneak data out.
Something like that.
This is making my head spin. And you know what else I noticed in The Hacker Playbook? They seem to really love PowerShell.
Oh yeah, PowerShell is like a favorite tool for both sysadmins and attackers.
How come?
Well, it's built into Windows, so it's already there on most systems.
Yeah.
And it's really powerful. You can do a lot with it.
It sounds dangerous.
It can be. Attackers can use it for everything from, like, automating tasks to downloading and running malicious code.
And I bet it's good at evading those security tools, huh?
Oh yeah. The book has a whole section on PowerShell attack and evasion techniques. Like, well, there's obfuscation, just like we talked about with regular code, but there's also encoding, which uses, like, different character sets, and encryption.
Making it even harder to understand.
Yep. And they're always coming up with new ways to do it, you know.
So even if someone knows to look out for PowerShell, it might not be that easy to spot.
Exactly. Yeah. And the book even talks about how to run PowerShell code without actually using, like, the PowerShell program.
Wait, what? How is that even possible?
There are a few tricks. They can embed the code in other files, like Office documents or PDFs.
So when you open the document, it just, like, runs in the background.
Yep. And there are ways to use other programs, like WMI, to execute the code indirectly.
So they're basically hiding it in plain sight.
You got it.
Okay, I'm starting to see how this PowerShell thing can be so dangerous. But let's go back to that two-minute drill scenario for a second. Remember, they got in with the phishing attack.
Oh yeah, I'm curious what happens next.
Me too. So they're in the network. Now what?
Well, the next step involves a tool called BloodHound.
BloodHound sounds intense.
It is. It's designed to map out Active Directory.
Active Directory, that's how Windows networks manage users and computers, right?
Yep. And BloodHound basically shows the attacker, like, all the relationships and permissions. It's like a roadmap of the network.
Whoa. So they can see exactly how everything's connected?
Pretty much. Yeah, and that helps them figure out the best way to move around to get to their target.
That's kind of scary, actually.
It can be. So in the book, the attacker, they compromise a system belonging to an employee named Buzz Aldrin.
Buzz Aldrin, like the astronaut?
Yep. I guess the author has a sense of humor.
So what happens with Buzz?
Well, they find out that Buzz's system has access to some sensitive data on another system called CSK lab, but they don't have admin rights on that system.
Yet another roadblock.
Yep. They use this PowerShell script called PowerUp to find misconfigurations on the system.
So they're looking for those little loopholes again.
Yep, always looking for loopholes. And in this case, they find a vulnerability that lets them, like, basically write their own code to a specific location, and then a system service will execute it.
So they get full control over the system?
Pretty much. They call it system-level access.
Wow, impressive. But what about, like, staying in control? What if they lose their initial access?
Redundancy is key. In the book, they establish a second connection using Cobalt Strike.
Always got to have a backup plan.
Always. Cobalt Strike can tunnel traffic through these things called named pipes, which are like hidden communication channels within the network.
So even if one connection goes down, they still have another way in.
Exactly.
This attacker is pretty persistent. I was reading ahead a bit, and they actually find the EternalBlue vulnerability. The one that WannaCry used.
Oh yeah, EternalBlue. That was a big one, a really bad vulnerability in Windows.
I remember hearing about WannaCry. It was all over the news. Caused a ton of damage.
Yep, ransomware spreading like wildfire. And in The Hacker Playbook, the attacker uses EternalBlue to get into a semi-isolated network.
So even though it was years ago, that vulnerability is still out there.
Yep. Sometimes systems don't get patched, and attackers can take advantage of that.
Crazy. So back to our two-minute drill. They've got EternalBlue. Now they're in deeper, getting closer to those rocket secrets. What happens next?
They find a connection to a database server. It's got even more sensitive data, but of course it's encrypted.
Of course, there's always another hurdle.
And does the book tell us how they crack the encryption?
It actually leaves that part as a challenge for the reader. But based on everything we've learned so far, I bet we can guess.
Oh yeah, there are a few possibilities. They could try to find, like, a backdoor in the database software itself, you know, some kind of vulnerability, or...
Maybe try to steal the encryption key?
Could be. Maybe by compromising another system that has access to the key.
Lots of possibilities. And I guess there's always brute forcing, but that could take forever.
It could. Yeah, it all depends on how strong the encryption is.
Man, this is intense. I feel like I'm right there with the attacker trying to figure out the next move.
That's the whole point of this book, you know, to get you thinking like an attacker so you can understand how they operate and how to defend against them.
It's working. I'm definitely thinking differently about security now.
Good, that's what we want.
Well, we've covered a lot of ground: malware, backdoors, PowerShell, EternalBlue.
My head is spinning, and we're not done yet. We still have to talk about password cracking, how attackers break those digital locks and get access to sensitive information. That's coming up in part three.
Can't wait. This has been a wild ride so far.
All right, back for the final round. Round three. Ready to rumble?
So we've made it to the part I've been kind of dreading: password cracking.
Yeah, this is where it gets real.
I mean, we've already talked about how attackers use those huge password lists and powerful cracking rigs.
Mind-boggling, right?
Totally. I mean, where do those lists even come from? Are we talking about, like, every password ever used?
Pretty much. Think about all the data breaches that happen, all those stolen passwords, they end up online, and attackers collect them.
So it's like they're learning from all our bad password habits.
Exactly. The Hacker Playbook talks about this one list. It's got over 1.4 billion username and password combinations.
1.4 billion? That's insane. But even with a list that big, they still need some serious horsepower to actually crack them, right?
Oh yeah, we're not talking about your average laptop here. These are dedicated cracking rigs with multiple GPUs.
Like the kind of stuff gamers use?
Similar, but way more powerful. They're basically building supercomputers just for this.
Wow. So brute force is obviously a big part of it. But is that all they do?
Nope. They've got other tricks up their sleeves too, like dictionary attacks.
Dictionary attacks?
Yeah, they use a list of, like, common words and phrases that people use in their passwords.
So they're not just randomly guessing letters, they're actually trying real words.
Yep. And then there are rule-based attacks, where they take those dictionary words and modify them, like replacing an A with an @ symbol.
So it's a mix of brute force and strategy.
Exactly.
The more they understand about the target system and how it hashes passwords, the more effective their attacks can be.
Makes sense. So let's bring it back to that two-minute drill scenario. Our attacker is facing down that encrypted database. How do they crack it?
Well, the book doesn't actually spell it out. It leaves it as a challenge.
Ooh, a cliffhanger. But we can speculate.
Okay, let's put on our hacker hats for a minute. What are some possibilities?
One option would be to look for vulnerabilities in the database software itself.
Like a backdoor that lets them bypass the encryption altogether.
Exactly. Or maybe a way to, like, extract the encryption key from somewhere.
Ah, that would be a nice shortcut. But how would they do that?
Could be a lot of ways. Maybe they compromise a system that has access to the key, or use a keylogger to capture it when someone types it in.
Wow, sneaky. It's all about finding the weakest link, huh?
Yep. And of course they can always just try brute forcing the encryption key itself.
With the supercomputers?
The very same. It might take a while, though, depending on how strong the encryption is.
Okay, so even encryption isn't a silver bullet. It's more like buying time.
Yeah, it makes the attacker's job harder, but it doesn't make it impossible.
Well, this has been an eye opening journey, to say the least.
I agree. We've covered a lot of ground, haven't we.
From creating malware to exploiting vulnerabilities to cracking passwords. It's amazing how creative and determined these attackers can be.
That's why it's so important for us to understand their methods so we can defend against them.
Totally. The Hacker Playbook 3 is a great resource for that, even if it's a little scary at times.
Yeah, it definitely makes you think twice about your own security, for sure.
Well, thanks for guiding us through this deep dive. It's been fascinating, if a little unsettling.
My pleasure. Remember, folks, stay vigilant, keep learning, and always choose strong passwords.
Words to live by. We'll see you next time on the Deep Dive.
