For some people Red Teaming seems to be something like the holy grail, and many people want to do it. In my opinion a Red Teamer should have experience in penetration testing before starting. Some experience in DFIR might also be useful, or at least you should have some understanding of this topic.
For me (I have been planning and leading internal Red Team engagements for about two years now), Red Teaming is very different from pentesting, although pentesting experience is important.
“Penetration testers have this problem where they frequently can’t see past the end of their Kali USB. They establish the false equivalence of: “China hacked $X; I can hack $X; therefore, I am an APT and an APT is like me.” An APT is literally the instantiation of a nation state’s will. It is not a toolchain.” https://medium.com/@thegrugq/cyber-ignorethe-penetration-testers-900e76a49500
This sums up my experience. Some pentesters think: OK, let's just use BloodHound, Mimikatz and Empire and start firing; once I am domain admin it is red teaming. Well, maybe, kind of.
But do real attackers think that way? Think more about WHY a malicious actor is trying to hack you, and only then about how. What are attackers looking for? That might define the scope of your engagement. You should read threat intel and incident reports to stay up to date regarding TTPs and scope. When doing Red Teaming you should start thinking more in this direction.
I also tend to go through single scenarios, and not only full blown attack simulations, like:
• Account compromise
• Exfiltration, if possible
• APT traffic simulation for testing and enhancing the capabilities of the blue team
• Phishing
• Watering hole attacks
• Malware simulation
This is also a good starting point for advancing a penetration tester's career, since usually you are not able to start with full blown Red Team engagements.
I can recommend the “The Hacker Playbook” series; a review of the third issue is here. Further, the book “Advanced Penetration Testing” is a good read.
Writing good reports is in my opinion one of the most important tasks for people who work in security, no matter whether in pentesting, forensics or other areas. The report is the final product of your work; it leaves an impression even after some time and it represents your company, your department and yourself. Unfortunately some people underestimate this topic.
Course Syllabus:
* Module 1: Telling a Story
* Module 2: Writing Penetration Testing Reports
* Module 3: Forensic Writing
* Module 4: Most Common Writing Mistakes
The price is pretty fair, $97 at the time of this writing. Even folks who don't like to write reports gave me great feedback, and I can highly recommend it myself. It takes about 6-8 hours to go through, you have access to forums, and at the end you get a certificate of completion. Although I have written lots of reports over the past years, I got some great new ideas for improvement.
So it is not possible to review all of it; this post is just meant to give a rough overview and some examples.
Pentester Academy
As said before, 40+ courses are available in the courses section. The topics include for example (all from a security perspective, some also from a defender's viewpoint): Python, ADS, shellcoding (I did the SLAE in 2015, which also helped me with my OSCE certification), JavaScript, web app pentesting, some forensics topics, WiFi and network pentesting, exploitation and much more.
I have currently started the course Traffic Analysis: Tshark Unleashed, so this is the short example for this post.
Screenshot from the Tshark course.
What comes in really handy is that you can start the labs directly in the AttackDefense labs, so you don't need to set up your own VMs just to follow the courses:
Screenshot from one of the Traffic Analysis: Tshark Unleashed course labs.
What is also great: you can download the videos, so you can watch them later.
As far as I can say, all the videos are more or less suitable for beginners.
AttackDefense Labs
The labs include a huge amount of topics, including: web apps, MSF, privilege escalation, exploiting, Wi-Fi, forensics, reversing, cracking, Python and so on. Some labs include a small task, but others include for example full blown web apps like Juice Shop.
Some examples from the Web Apps labs.
In this case there was a small issue (for me): the labs time out after some time, which might be a bit annoying with a full web app. For the smaller labs I never had problems.
There are also some CTF-style labs available as advanced labs.
Verifiable Badges
With verifiable badges it is possible to verify your knowledge to an external source, as I did here:
Network Scanning Basics – Daniel Sauder : Accredible : Certificates, Badges and Blockchain. https://t.co/4R5R5ruN49
“The holder of this badge has successfully completed the Network Pentesting challenge exercises in Pentester Academy’s AttackDefense labs. These challenge exercises test a practical understanding of how to perform remote network reconnaissance of various infrastructure components.” (https://www.credential.net/b5050be1-05c9-41fa-93a9-ea0b5cd8825f#.Xg8KBMQX5XM.twitter)
As far as I could see, all badges have three small challenges where you have to find flags (like a small CTF); badges are available for lots of topics (19 badges at the time of this writing), and most of them can be done after you have viewed and worked through the courses.
Yes, the machine itself is called writeup. My first step was running nmap:
# nmap 10.10.10.138
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-03 21:54 CEST
Nmap scan report for 10.10.10.138
Host is up (0.021s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 4.74 seconds
# nmap -A -p 22,80 10.10.10.138
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-03 22:06 CEST
Nmap scan report for 10.10.10.138
Host is up (0.022s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 dd:53:10:70:0b:d0:47:0a:e2:7e:4a:b6:42:98:23:c7 (RSA)
| 256 37:2e:14:68:ae:b9:c2:34:2b:6e:d9:92:bc:bf:bd:28 (ECDSA)
|_ 256 93:ea:a8:40:42:c1:a8:33:85:b3:56:00:62:1c:a0:ab (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/writeup/
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Nothing here yet.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.12 (92%), Linux 3.13 (92%), Linux 3.13 or 4.2 (92%), Linux 3.16 (92%), Linux 3.16 - 4.6 (92%), Linux 3.18 (92%), Linux 3.2 - 4.9 (92%), Linux 3.8 - 3.11 (92%), Linux 4.2 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 20.28 ms 10.10.12.1
2 20.47 ms 10.10.10.138
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.40 seconds
The CMS login is protected with a .htaccess file, and the credentials are not valid there. Good that there is a thing called password reuse.
User flag
But ssh worked with the creds:
# ssh jkr@10.10.10.138
jkr@10.10.10.138's password:
Linux writeup 4.9.0-8-amd64 x86_64 GNU/Linux
The programs included with the Devuan GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Jul 4 14:51:59 2019 from 10.10.12.57
jkr@writeup:~$
jkr@writeup:~$ ls
pspy64s user.txt
jkr@writeup:~$ cat user.txt
d4e493fd4068afc9eb1aa6a55319f978
So the user flag was done…
Root flag
For escalating to root I first ran an exploit suggester and tried the suggested exploits, without success.
So I did some research and came across a tool called pspy (the pspy64s binary listed in the home directory above). For transferring the file I used Apache and wget.
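pspy shows processes started by other users, including root's cron jobs, without needing root itself: it snapshots /proc and diffs the snapshots (and additionally triggers scans on filesystem events). The following is an added example and not pspy's code or part of the original walkthrough: a minimal Python polling monitor that does the core of this. It assumes a Linux /proc filesystem when run live; the diff logic is pure and can be exercised with constructed snapshots.

```python
"""Minimal pspy-style process monitor: snapshot /proc, diff, report new processes.

Added example, not pspy's own code. Needs no root: /proc/<pid>/cmdline and the
Uid line of /proc/<pid>/status are world-readable for most processes.
"""
import os
import time


def snapshot_procs(proc_root="/proc"):
    """Return {pid: (real_uid, cmdline)} for every process visible under proc_root."""
    procs = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue  # skip /proc/self, /proc/net, ...
        pid = int(entry)
        try:
            with open(os.path.join(proc_root, entry, "cmdline"), "rb") as f:
                # arguments are NUL-separated; join them for display
                cmdline = f.read().replace(b"\x00", b" ").strip().decode(errors="replace")
            uid = None
            with open(os.path.join(proc_root, entry, "status")) as f:
                for line in f:
                    if line.startswith("Uid:"):
                        uid = int(line.split()[1])  # first field after "Uid:" is the real uid
                        break
        except OSError:
            continue  # process exited between listdir and open, or is hidden by hidepid
        procs[pid] = (uid, cmdline)
    return procs


def new_processes(before, after):
    """Return sorted (pid, uid, cmdline) tuples present in `after` but not in `before`.

    A PID that now belongs to a different uid/command (PID reuse) counts as new.
    """
    return sorted(
        (pid, uid, cmd)
        for pid, (uid, cmd) in after.items()
        if before.get(pid) != (uid, cmd)
    )


def interesting(uid, cmdline, watch_uids=(0,)):
    """Flag processes run by a privileged uid, e.g. a root cron job calling a writable script."""
    return uid in watch_uids and cmdline != ""


def monitor(interval=0.1, duration=60.0):
    """Poll /proc for `duration` seconds and print every new process as it appears."""
    before = snapshot_procs()
    deadline = time.monotonic() + duration
    while time.monotonic() < deadline:
        time.sleep(interval)
        after = snapshot_procs()
        for pid, uid, cmd in new_processes(before, after):
            flag = "!" if interesting(uid, cmd) else " "
            print(f"{flag} pid={pid:<6} uid={uid!s:<5} {cmd}")
        before = after


if __name__ == "__main__":
    monitor()
```

Run it on the target for a minute or two and look for the "!" lines: a root process whose command line references a script or binary in a directory your user can write to is the classic privilege-escalation path this kind of monitoring is meant to find. Pure polling can miss very short-lived processes between two snapshots; pspy reduces that window by also reacting to inotify events, which is why the real tool is preferable over this illustration on an actual engagement.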
While I wrote the articles about how to start a pentesting career I came across more great resources that I did not mention before, so here they are. Most of it is hands-on :).
The Complete Beginner Network Penetration Testing Course for 2019
After the getting started article, here is a walkthrough for the hackthebox machine netmon, to give an impression of how to pwn machines. This was a nice one and I guess one of the easier ones.
Portscan
Nmap 7.70 scan initiated Thu May 23 21:38:11 2019 as: nmap -A -oA netmon 10.10.10.152
Nmap scan report for 10.10.10.152
Host is up (0.043s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-03-19 12:18AM 1024 .rnd
| 02-25-19 10:15PM inetpub
| 07-16-16 09:18AM PerfLogs
| 02-25-19 10:56PM Program Files
| 02-03-19 12:28AM Program Files (x86)
| 02-03-19 08:08AM Users
| 02-25-19 11:49PM Windows
| ftp-syst:
| SYST: Windows_NT
80/tcp open http Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
|_http-server-header: PRTG/18.1.37.13946
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
|_http-trane-info: Problem with XML parsing of /evox/about
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=5/23%OT=21%CT=1%CU=30959%PV=Y%DS=2%DC=T%G=Y%TM=5CE6F6C
OS:0%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=108%CI=I%II=I%TS=A)SEQ(SP=1
OS:07%GCD=1%ISR=108%TS=A)SEQ(SP=107%GCD=1%ISR=108%II=I%TS=A)OPS(O1=M54DNW8S
OS:T11%O2=M54DNW8ST11%O3=M54DNW8NNT11%O4=M54DNW8ST11%O5=M54DNW8ST11%O6=M54D
OS:ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)ECN(R=Y%DF=Y%T=
OS:80%W=2000%O=M54DNW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2
OS:(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%
OS:F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%
OS:T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD
OS:=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL
OS:=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)
Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
TRACEROUTE (using port 1723/tcp)
HOP RTT ADDRESS
1 54.00 ms 10.10.12.1
2 54.08 ms 10.10.10.152
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done at Thu May 23 21:38:40 2019 -- 1 IP address (1 host up) scanned in 29.10 seconds
Connect via FTP
The user hash is easily found:
Now we have a look at the running web server. A PRTG instance is running here. After some searching on the web it was clear that this might be a vulnerable version of PRTG (https://www.codewatch.org/blog/?p=453). No login with the standard credentials (prtgadmin/prtgadmin) was possible…
But we have the FTP server, which gives us some information. Some interesting stuff in the Windows dir:
Here the credentials are encrypted. Some research shows that in older versions this might be a problem (TODO, link). So I spent some time finding valid credentials.
Also in c:\windows:
C:\ProgramData is hidden but can be seen if you access it directly:
Get netmon prtgadmin credentials:
Something interesting in PRTG Configuration.old.bak:
After some trying I found out that the new password was PrTg@admin2019. This is something you sometimes see in real life: you find some credentials but still need to try a few variations. Then I followed mostly this description of the vulnerability: https://www.codewatch.org/blog/?p=453
Add a notification:
Leave defaults and choose “Execute Program” with the following settings:
Success, we can now get the hash from the test.txt file:
Pwnd! What I liked about this machine was that you needed to combine vulnerabilities: first find the credentials, then alter them to the working credentials, and after that you had RCE.
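The credential-guessing step above (an old password recovered from a backup file, the live one being a rotated variant of it) is common enough that it is worth automating. The following is an added example, not part of the original walkthrough: a small generator that turns one recovered password into the variants a user most likely rotated it to, ordered most-likely-first. The sample input PrTg@admin2018 in the test is constructed for illustration; the page does not show what the old password actually was.

```python
"""Credential mutation: derive likely rotated variants from one recovered password.

Added example. Covers the rotation patterns seen most often on engagements:
  - trailing year bumped forward      (Pass2018 -> Pass2019, Pass2020)
  - trailing counter bumped forward   (Pass1    -> Pass2, Pass3)
  - current year appended, with common separators
  - trailing '!' and simple leet substitution
"""
import re
from datetime import date

# conservative leet map; applied to lowercase letters only
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})

YEAR_RE = re.compile(r"^(.*?)(\d{4})(\W*)$")      # stem, 4-digit year, punctuation suffix
COUNTER_RE = re.compile(r"^(.*?)(\d{1,3})(\W*)$")  # stem, short counter, punctuation suffix


def mutate(password, year=None, steps_ahead=2):
    """Return an ordered, de-duplicated list of variants of `password` (never the input itself)."""
    year = year or date.today().year
    variants = []

    def add(v):
        if v and v != password and v not in variants:
            variants.append(v)

    m = YEAR_RE.match(password)
    if m and 1990 <= int(m.group(2)) <= 2099:
        # 1. bump a trailing year: the most likely rotation, so it goes first
        stem, num, suffix = m.groups()
        for step in range(1, steps_ahead + 1):
            add(f"{stem}{int(num) + step}{suffix}")
    else:
        # 2. otherwise bump a trailing counter, keeping zero padding (01 -> 02)
        m = COUNTER_RE.match(password)
        if m:
            stem, num, suffix = m.groups()
            for step in range(1, steps_ahead + 1):
                add(f"{stem}{int(num) + step:0{len(num)}d}{suffix}")

    # 3. append the current year (full and two-digit) with common separators
    for sep in ("", "@", "_", "."):
        add(f"{password}{sep}{year}")
        add(f"{password}{sep}{year % 100:02d}")

    # 4. trailing '!' and leet forms
    add(password + "!")
    add(password.translate(LEET))
    add(password.translate(LEET) + "!")
    return variants


if __name__ == "__main__":
    for candidate in mutate("Example2018", year=2019):
        print(candidate)
```

Feed the list into a single-threaded login loop with a delay between attempts: the list is deliberately short (a few dozen candidates at most) so that it stays well below typical lockout thresholds, which is the point of guessing from a known old password instead of brute-forcing.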
Penetration Testing – “A method for gaining assurance in the security of an IT system by attempting to breach some or all of that system’s security, using the same tools and techniques as an adversary might.” (From wikipedia)
The scope of the article is to help you get your first job as a penetration tester. If you have more great links or recommendations please add them in the comments section. Becoming a good penetration tester requires many more skills than described here. It also means that you never stop learning.
If you don't know the IT and IT security basics yet, please have a look here. When you want to start a career in penetration testing, you should know that most of the penetration tests performed today are web application tests. Therefore this article focuses on this topic. Later I will add new posts with specialization paths for more advanced topics like exploitation, red teaming and so on.
As already mentioned in the article Career Path Security Basics, I strongly suggest that you make a plan for what goal you want to reach. For example, playing CTF all the time might be fun for some people, but if you need the OSCP it might not be helpful to waste too much time on it.
Web App Penetration Testing
PortSwigger: Web Security Academy Content: Teaches the basics of web application security, so far SQL injection, XSS, OS command injection and file path traversal. Comes with small labs. Career: Penetration Tester, but I recommend it also for everyone interested in security Level: Beginner Price: Free
OSCP If you want to start a career in penetration testing you might consider doing the OSCP certification. But keep in mind that the OSCP is extremely time consuming; it is not a must-have, but definitely a door opener. Therefore I recommend doing the OSCP certification. Here is an article about the pros and cons of certifications.
Hands On
Here are some hands-on labs and learning resources. Some of them are online, others have to be installed and run by yourself.
The Web Application Hacker's Handbook Authors: Dafydd Stuttard, Marcus Pinto Content: The standard book about hacking web applications, goes into depth about the most important topics. The authors also created Burp Suite. Career: Penetration Tester Level: Good for beginners, but also useful for experienced penetration testers
Penetration Testing: A Hands-On Introduction to Hacking Author: Georgia Weidman Content: A great introduction into penetration testing. Career: Penetration Tester Level: Beginner
Metasploit: A Penetration Tester’s Guide Authors: David Kennedy, Jim O’Gorman, Devon Kearns, Mati Aharoni Content: Introduction to Metasploit and penetration testing Career: Penetration Tester Level: Beginner, Intermediate
The Hacker Playbook 2 Author: Peter Kim Content: Book for penetration testing, hands on hacking, pivoting, evasion and so on. Career: Penetration Tester Level: All
Network Security Assessment Author: Chris McNab Content: Assessment of various network services. Career: Penetration Tester Level: All
German Book: Hacking mit Metasploit Author: Michael Messner Content: Great introduction to penetration testing and metasploit. Career: Penetration Tester Level: Beginner/Intermediate
The materials and labs exploded over the last months:
• Web cache poisoning
• Information disclosure vulnerabilities
• Insecure deserialization
• Authentication
• SQL injection
• Cross-site scripting
• Cross-site request forgery (CSRF)
• XML external entity (XXE) injection
• Clickjacking (UI redressing)
• Cross-origin resource sharing (CORS)
• Server-side request forgery (SSRF)
• HTTP request smuggling
• OS command injection
• Server-side template injection
• Directory traversal
• Access control vulnerabilities and privilege escalation
• Testing for WebSockets security vulnerabilities
• DOM-based vulnerabilities
The full list of labs is not included here, it is simply too long!
Link: Web Security Academy Content: Teaches the basics of web application security, so far SQL injection, XSS, OS command injection and file path traversal. Comes with small labs. Career: Penetration Tester, but I recommend it also for everyone interested in security Level: Beginner Price: Free
Web Security Academy
The description from the original website: “Welcome to the Web Security Academy. This is a brand new learning resource providing free training on web security vulnerabilities, techniques for finding and exploiting bugs, and defensive measures for avoiding them. The Web Security Academy contains high-quality learning materials, interactive vulnerability labs, and video tutorials. You can learn at your own pace, wherever and whenever suits you. Best of all, everything is free!”
For tracking and doing the labs you need to create an account.
I found the explanations and the labs very suitable for beginners and I think it is a great starting point for web application security.
The team behind it is the same that is behind Burp Suite and the famous Web Application Hacker's Handbook (consider buying it if you want to go deeper into the topic):
The Web Application Hacker's Handbook Authors: Dafydd Stuttard, Marcus Pinto Content: The standard book about hacking web applications, goes into depth about the most important topics. The authors also created Burp Suite. Career: Penetration Tester Level: Good for beginners, but also useful for experienced penetration testers
Most people starting a career in IT security have a huge interest in topics like hacking, programming, system administration, networking and so on. When you apply for a junior position, employers normally expect basic skills and huge motivation. In this article you can find some useful resources for learning the basic skills that are useful for all career paths in IT security. More specific articles for specialized career paths like penetration tester, DFIR expert, malware expert and so on will follow.
If you have any ideas or suggestions for additional useful courses, please feel free to leave a reply in the comment section below or just add them to your personal training list.
I suggest looking for suitable courses or certifications, setting yourself a goal and making a plan for how to reach it.
If you want to read how I started my career in IT security have a look here.
Programming
Depending on your career, you should have knowledge of various programming languages. As a penetration tester, these could be assembly, C, JavaScript, HTML, Python and bash for the beginning. Programming skills are not only useful for penetration testers, but also for other career paths. For example in a blue team, programming skills are very useful for automation.
In this section you can find some examples for learning basic programming, more specialized examples follow in the career path sections.
Professor Messer’s CompTIA N10-007 Network+ Course Content: Great and free video course for preparing for the CompTIA Network+ exam; I recommend adding a book nevertheless. Career: All Level: Beginner Price: Videos are free
All in One CompTIA Network+ Author: Mike Meyers Content: Coverage of the CompTIA Network+ certification exam objectives, goes into the topics in depth. I liked the questions after each chapter. Came with a CD with an exam simulator long ago; now the content is online. Career: All Level: Beginner
You may consider to do the certification for the CV.
The Cuckoo’s Egg Decompiled Course Content: Highly recommended course by Chris Sanders, teaching the basics of attacking and defending networks through the lens of the famous “The Cuckoo’s Egg” book by Clifford Stoll. Career: All Level: Beginner Price: Free
Professor Messer’s CompTIA SY0-501 Security+ Course Content: Same as the Network+ course, for Security+; I also recommend reading a book in addition for preparation. Career: All Level: Beginner Price: Videos are free
Mike Meyers’ CompTIA Security+ Certification Passport Author: Dawn Dunkerley Content: For preparing the CompTIA Security+ Certification this book is recommended. It covers every topic from the exam and also includes review questions as well as a practice exam. Career: All Level: Beginner
You may consider to do the certification for the CV.
Introduction to Cybersecurity Content: Short non-technical introduction course for everyone who is curious about cybersecurity. Explains the basic concepts from a higher level. Career: All Level: Beginner Price: Free, or with certificate