
Pentest Red Team Infrastructure

dEEpEst

☣☣ In The Depths ☣☣
Staff member
Administrator
Super Moderator
Hacker
Specter
Crawler
Shadow
Joined
Mar 29, 2018
Messages
13,861
Solutions
4
Reputation
27
Reaction score
45,546
Points
1,813
Credits
55,350
‎7 Years of Service‎
 
56%

RED TEAM INFRASTRUCTURE

Red Team infrastructure is the set of steps taken to set up your environment for a successful Red Team engagement.

I referenced this GitHub project heavily, as well as a Red Team course and MITRE ATT&CK.

Many of these techniques are beginner-level, nothing advanced or too complicated. If you would like more details on a technique, or want to research more of them, please refer to my Red Team notes to check out other methods as well; if that does not answer your questions, Google is the best teacher out there.
 

Domain Name and Categorization

Domains are classified using a combination of machine learning (ML) and human inspection. Newly registered domains start out uncategorized, because the classifiers do not yet know how to categorize them, and such fresh, uncategorized domains are commonly associated with malicious activity. An established domain such as a shopping site, on the other hand, can be categorized correctly as a shop, e-commerce or business site. Aging a domain is therefore helpful, since a known malicious site is typically "fresh" or recently purchased.

This is a preference that comes from my personal experience; you do not need to follow it, but I've only worked with these tools. You can choose any provider you want.

NameCheap:

At Namecheap, we need to change the NS servers to point to the AWS name servers, and remember to categorize and age the domain name.

In AWS we will need to use Route 53 and create records for the Namecheap domain, so that the domain name is shown instead of the IP.

AWS: Holds a fake Instagram webpage on a free-tier instance; no more power is needed, since it can hold enough for payloads or webpages.

Certificates:

An SSL certificate is important for the website, as it adds legitimacy to the domain. One option for this is Let's Encrypt, but there are others as well; do not limit yourself to only one option.
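The same two properties the section above describes, domain age and categorization, are what a mail or web filter keys on from the other side. The following is an added example, not code from the original post or from any of the tools it names: it flags domains that are newly registered or uncategorized. The WHOIS records, the category feed, the `.test` domain names and the 90-day threshold are constructed assumptions; in a real deployment the data would come from a WHOIS/RDAP lookup and a URL-categorization service.

```python
"""Flag domains that are newly registered or uncategorized (added example)."""
import re
from datetime import date, datetime

# Constructed WHOIS-style records (not real lookups).
SAMPLE_WHOIS = {
    "example-shop.test": (
        "Domain Name: example-shop.test\n"
        "Creation Date: 2016-04-02T10:11:12Z\n"
        "Registrar: Example Registrar\n"
    ),
    "login-verify-acct.test": (
        "Domain Name: login-verify-acct.test\n"
        "Creation Date: 2024-05-29T08:00:00Z\n"
        "Registrar: Example Registrar\n"
    ),
}

# Constructed category feed; a missing entry means "uncategorized".
SAMPLE_CATEGORIES = {"example-shop.test": "shopping"}

# Assumed policy threshold: domains younger than this are treated as fresh.
MIN_AGE_DAYS = 90

# Fixed reference date so the run is reproducible.
REFERENCE_DATE = date(2024, 6, 10)


def parse_creation_date(whois_text):
    """Pull the Creation Date out of WHOIS text; None if the field is absent."""
    m = re.search(r"^Creation Date:\s*(\d{4}-\d{2}-\d{2})", whois_text, re.MULTILINE)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%d").date()


def domain_age_days(domain, today, whois=SAMPLE_WHOIS):
    """Age in days, or None when no creation date is known."""
    created = parse_creation_date(whois.get(domain, ""))
    return None if created is None else (today - created).days


def assess_domain(domain, today, whois=SAMPLE_WHOIS, categories=SAMPLE_CATEGORIES):
    """Return (verdict, reasons); verdict is 'allow', 'review' or 'block'.

    Fresh AND uncategorized is the combination the section describes as
    typical of attacker infrastructure, so that alone is enough to block;
    either property on its own only sends the domain to review."""
    reasons = []
    age = domain_age_days(domain, today, whois)
    category = categories.get(domain)
    fresh = age is not None and age < MIN_AGE_DAYS
    if age is None:
        reasons.append("no creation date available")
    elif fresh:
        reasons.append(f"registered {age} days ago (< {MIN_AGE_DAYS})")
    if category is None:
        reasons.append("uncategorized")
    if not reasons:
        return "allow", reasons
    if fresh and category is None:
        return "block", reasons
    return "review", reasons


if __name__ == "__main__":
    for d in ("example-shop.test", "login-verify-acct.test", "unknown.test"):
        print(d, assess_domain(d, REFERENCE_DATE))
```

A domain with no WHOIS record at all lands in "review" rather than "block": absence of data is not evidence of abuse, and a hard block on lookup failures would turn every WHOIS outage into a mail outage.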
 

Reconnaissance

Reconnaissance is the first step toward gaining access to the target. If the target is an individual, the more information we gather about the user, the better our phishing delivery can be. If the target is a corporation, the more information we gather in our recon, the less we may need the phishing method for initial access; perhaps there is a public exploit that helps us gain access. We can also take the approach of gathering employee information and work as if it were an individual user.

There are two methods for gathering information: passive and active.

Passive:

This is a good approach for gathering information, as we will NOT touch the target in any way, such as scanning ports or making an unusual request to the user or business to gather information.

Active:

This method is NOISY. Approaching the target directly is a great way to gather even more personal, specific or detailed information that is usually not found with the passive method, but it is also a great way to get caught.
 

Passive

OSINT:

Open-source intelligence (OSINT) is the collection and analysis of data gathered from open sources (publicly available sources) to produce actionable intelligence.

In this section on OSINT we will use various methods to gather intelligence from open sources (Google, Bing, Yandex). A few tools can help us reach these goals, covering email gathering, phone numbers, names, addresses and possibly locations.

The information collected with this method is only as good as the operator, since this phase can produce a plethora of information, and results need to be confirmed as real positives.

Some great frameworks that can be used in this approach are datasploit, SpiderFoot and Recon-ng.

Example:

image

I used a combination of dorks that can help me gather information; in this example it's Google.com, and I am looking for a specific file type, PDF, and the PDF files need to contain the word "passwords".

image

We can tell that this PDF contains the word "passwords". Nothing is being leaked, but it gives us exactly what we were looking for, and this can help to locate other files that are known for containing these passwords.

This method is considered passive.
 

Active

The active approach moves on to touching the target environment and gathering information in a way that can get us caught.

This approach is usually taken with tools; some popular ones are Nmap, SpoofCheck, AQUATONE and dnsrecon.

Example:

Tool: Nmap

image

In this scenario, we managed to grab the IP of one of the corporate servers exposed to the internet (yes, this happens) and we start port scanning with Nmap. This will leave logs on the server showing that someone was trying to enumerate the machine. This happens constantly all over the internet, so locating these specific enumeration attempts in the logs usually requires some research on the defender's side.

A variety of tools can achieve this, but some are more task-specific: if we are trying to do SMB enumeration, for example, then enum4linux, smbmap, etc. can be great tools for this.

This method is considered active.
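The scan above is exactly the activity that ends up in the server's logs, so here is the defender's side of it as an added example (not code from the original post or from Nmap). It reads firewall-style log lines in a constructed `timestamp ACTION src= dst= dport= proto=` format, an assumption since real devices log differently, and flags a source that touches many distinct destination ports on one host inside a short window. The sample log, the IP addresses and the 10-ports-in-60-seconds threshold are all constructed.

```python
"""Sliding-window port-scan detection over firewall log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Assumed policy: 10 or more distinct ports on one destination within 60 s.
PORT_THRESHOLD = 10
WINDOW = timedelta(seconds=60)


def build_sample_log():
    """Constructed log: one host sweeping 12 ports in 12 s, plus normal traffic."""
    lines = []
    scanned_ports = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]
    for i, port in enumerate(scanned_ports):
        lines.append(f"2024-06-10T12:00:{i:02d} DENY src=203.0.113.5 "
                     f"dst=198.51.100.10 dport={port} proto=tcp")
    lines.append("2024-06-10T12:00:03 ALLOW src=198.51.100.77 dst=198.51.100.10 dport=443 proto=tcp")
    lines.append("2024-06-10T12:05:00 ALLOW src=198.51.100.77 dst=198.51.100.10 dport=443 proto=tcp")
    lines.append("2024-06-10T12:05:01 ALLOW src=198.51.100.77 dst=198.51.100.10 dport=80 proto=tcp")
    return "\n".join(lines)


def parse_line(line):
    """Parse one log line into a dict, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["dport"] = int(ev["dport"])
    return ev


def detect_port_scans(log_text, threshold=PORT_THRESHOLD, window=WINDOW):
    """Return one alert per (src, dst) pair that crosses the threshold.

    A deque per pair holds only the events inside the sliding window, so the
    distinct-port count is recomputed over recent traffic rather than the
    whole log; each pair alerts once, when it first crosses the threshold."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for ev in events:
        key = (ev["src"], ev["dst"])
        q = recent[key]
        q.append((ev["ts"], ev["dport"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        distinct = {port for _, port in q}
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "src": ev["src"], "dst": ev["dst"],
                "first_seen": q[0][0].isoformat(),
                "last_seen": ev["ts"].isoformat(),
                "distinct_ports": len(distinct),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(build_sample_log()):
        print(alert)
```

Counting distinct ports per (source, destination) pair rather than raw connection counts is what keeps a busy legitimate client, which repeats the same one or two ports, below the threshold while a sweep crosses it quickly.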
 

Weaponization

Weaponization, or payload development: it's time to build the payload that will give us a foothold on the target's network. We can use the information we have gathered about the target to help us build a payload that will work, evade defenses and give us access.

I will be speaking of the modern methods and common attachment payloads in my examples; if you would like to read about more methods, look for my Red Team Notes 2.0.

Red Team Notes 2.0

Well, in this new book I will start to learn some Red Team topics, and I will work on learning as much as possible. I will try to keep this updated with newer things that I may find; I think this will help around in my future projects. I am following the MITRE ATT&CK Framework and just adapting it to something for me to understand. I will make this public for anyone that wants to learn in this awesome field. If anything is wrong I will try my best to fix it.

This is currently my way of just learning things, and you know, practice makes perfect, right? And what better way than screenshots and videos to explain it to myself, and others. I'm especially trying to "dumb it down" for myself since sometimes, just starting in a new field can be very exhausting by just trying to "guess" what to learn and what to be searching for. This will probably help in shortening the learning process.

I will try and keep this as accurate as possible, with some examples of how the technique works. Nothing advanced, this is just the basics, and hopefully in the future it will help some to understand what "key words" or areas to search for when trying to find more sophisticated articles.

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

Code:
https://www.buymeacoffee.com/dmcxblue

My Social Sites
Code:
Twitter: dmcxblue
GitHub: dmcxblue
Discord: dmcxblue
NetSecFocus: dmcxblue
Website: https://dmcxblue.net
 

Macros

To start, let's use the information we have gathered about our current target. So, what do we have:

OS: Windows 10 Enterprise 19043 (Windows 10 Enterprise 6.3)

Computer name: DESKTOP-ECHO

Domain name: DOMINIONCYBER.local

Also, we know that we can deliver different types of payloads to the target: from the information we have gathered in our passive recon it seems that they work with PDF and DOCX files, the SMB port is open, and some known SMB exploits exist that can help us gain access.

The Word metadata tells us they work with a pretty old version of Office, so we can probably attach an exploit to a document and gain access.

image

The approach we will take in weaponizing this payload is a macro-enabled DOCM document.

I will use a personal favorite tool for creating macro-enabled payloads, called MacroPack; it will wrap our VBA payload, which in this case is built with CS.

image

While creating this payload I used common options and an obfuscation parameter built into MacroPack. This method of weaponization is one of many; I just decided to go with this approach, but will leave examples of plenty of others. And with this, we have weaponized a working macro-enabled document payload.

image
 

HTA

We will use a couple of tools for weaponizing an HTA payload.

HTA payloads are another attachment method, but they also work better with spearphishing via links, since we won't be attaching a non-standard file to an email; such a file would stick out, as it is usually never seen by a regular everyday user (not focused on security, of course). So I will be showing this via the link method.

I created a very standard HTA generator that points to a PowerShell command to execute a PS1 script served from a web server, but I will change this to execute only calc. Various examples and methods are all over the internet; a simple Google search will point you in the right direction.

I used the HTA generator tool to create the HTA file, which will open the calculator.

image

We will use any phishing method to have the user open or save the HTA file. IE is a great way to have the user open these files, as it gives the option to open directly instead of saving like other browsers, but this will need thorough testing, as some EDRs block a file that executes directly when downloaded (suspicious, right?). So we will continue by saving the file here.

We deliver our payload with any method at our disposal; in this example a benign Word document containing the malicious link.

image

The user follows the instructions.

image

The user proceeds to open the file, and we achieve execution.

image

This method is also another way to weaponize; obfuscation and encryption exist for this procedure, and some tools are very popular for creating these payloads. Sometimes attaching a file is completely unnecessary when sending our links; we just use this to avoid some AV scanning by the email providers. But please feel free to explore and try different techniques.
 

ZIP

Zip files are a popular method to deliver payloads as they are a common extension, but I think they are not normal in a work environment (please do correct me if anything). A good reason why this file format is a great delivery method is that we can have it password protected and prevent an AV from scanning our malware compressed in the zip file, since the AV won't have the access necessary to scan the file inside. It's a good delivery method, but we still need to be aware that the file will be scanned again once uncompressed and executed by the user; this is just a method to avoid some initial detection.

In this demonstration I will use a simple binary built with msfvenom; as this tool is well known in security and to AV, it is a great demonstration of how password-protected zip files can bypass email security and even AV for delivery.

We will create the payload, then deliver it to prove detection:

image

Now we deliver it to our target and:

image

Immediate detection. It will also get detected if compressed without a password; the password is the way to encrypt the archive and keep the AV from accessing our payload, so we will move on to compressing the payload into a password-protected ZIP file to avoid immediate detection. You can use any favorite ZIP compression tool.

PASS: Evasion

image

We deliver this new payload and see we don't immediately get flagged; we have options now:

image

I will save this so it touches the disk, and even prove further that detection is still evaded.

image

image

We have successfully delivered our payload to the target machine. Usually, only pretexts can have us move further and have the user interact with the file and open it.
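Both attachment types described above, the macro-enabled DOCM from the Macros section and the password-protected ZIP from this one, share the same container: an OOXML document is itself a ZIP archive. The following is an added example, not code from the original post or from MacroPack or msfvenom, of the triage a mail gateway can do on that container without extracting or running anything. The sample archives are constructed in memory and are not real Office files or real payloads; the extension policy list is an assumption.

```python
"""Container-level triage of mail attachments (added example)."""
import io
import zipfile

# Assumed policy list of extensions that should never arrive inside an archive.
EXECUTABLE_EXTS = {"exe", "dll", "scr", "hta", "js", "vbs", "iso", "lnk"}


def build_sample_docm():
    """Constructed OOXML-like archive that carries a VBA project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<Types><Override PartName="/word/vbaProject.bin" '
                   'ContentType="application/vnd.ms-office.vbaProject"/></Types>')
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_sample_docx():
    """Constructed OOXML-like archive with no macro part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def build_sample_encrypted_zip():
    """Constructed password-protected ZIP.

    zipfile cannot write encrypted archives, so write a plain one and set
    bit 0 ("encrypted") of the general-purpose flag in both the local file
    header (offset 6) and the central directory entry (offset 8). That flag
    is what a scanner sees on a real password-protected archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("invoice.exe", b"MZ" + b"\x00" * 32)
    data = bytearray(buf.getvalue())
    for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = data.find(signature)
        while pos != -1:
            data[pos + flag_offset] |= 0x01
            pos = data.find(signature, pos + 1)
    return bytes(data)


def triage_attachment(data):
    """Return the list of findings for one attachment body.

    Entry names live in the central directory in cleartext even when the
    contents are encrypted, so an executable inside a password-protected
    archive is still visible without the password."""
    findings = []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        infos = z.infolist()
        names = [info.filename.lower() for info in infos]
        if any(n.endswith("vbaproject.bin") for n in names):
            findings.append("macro-enabled-document")
        if any(info.flag_bits & 0x01 for info in infos):
            findings.append("encrypted-entries")
        if any(n.rsplit(".", 1)[-1] in EXECUTABLE_EXTS for n in names if "." in n):
            findings.append("executable-inside-archive")
    return findings


if __name__ == "__main__":
    for label, body in (("docm", build_sample_docm()),
                        ("docx", build_sample_docx()),
                        ("zip", build_sample_encrypted_zip())):
        print(label, triage_attachment(body))
```

The point the ZIP section makes, that a password keeps the scanner away from the bytes, is true of the contents only: the archive's directory still names an `.exe`, and an archive the gateway cannot open is itself a finding worth quarantining or routing to a sandbox rather than passing through.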
 

ISO

An ISO file is an exact copy of an entire optical disk, such as a CD, DVD or Blu-Ray, archived in a single file. This file, which is also sometimes referred to as an ISO image, is a smaller-sized duplicate of large sets of data.

The reason I speak of ISO files is because of a security feature called Mark-of-the-Web (MOTW), a security feature originally introduced by Internet Explorer to force saved webpages to run in the security zone of the location the page was saved from.

image

Since an ISO file is just a way of bundling files, I will show the example of grabbing a regular EXE payload and packing it into an ISO file, which demonstrates the mark-of-the-web avoidance: Microsoft doesn't check whether the file inside came from the internet, so we can avoid the SmartScreen protection that usually appears when a file is from the internet.

I will show a small demonstration of why MOTW is an important factor when delivering payloads:

SmartScreen, put simply, is the feature that protects Windows from files that are downloaded from the internet; when the payload is executed you will receive a warning from SmartScreen.

image

I will follow with the execution of the payload.

image

This makes sense with the MOTW feature; now let's remove it:

image

Immediate execution, no checks of any sort.

We will demonstrate this now by packing the payload into an ISO file image and executing it for a reverse shell. For demo purposes we can use an amazing tool called PackMyPayload, or we can take a blast to the past and use a tool called Nero.

PackMyPayload:

I will fill in the requirements for the tool to give us our ISO image; multiple formats are supported, but I will demonstrate ISO in this example.

image

We pack our payload.

image

Then send this to our user.

image

Now we verify the MOTW on the ISO file.

image

But we see that the payload inside the ISO does not have the MOTW.

image

And if we try and run this, we get immediate execution.

image
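The mark the screenshots above are checking for is a small text stream named `Zone.Identifier` attached to the downloaded file. The following is an added example, not code from the original post or from PackMyPayload, of parsing that stream and applying a policy that closes the gap the section shows: the ISO carries the mark, the EXE lifted out of it does not, so the file's effective zone is taken as the more restrictive of its own zone and its container's. The stream texts, host names and the decision to warn from zone 3 upward are constructed assumptions; on Windows a real stream is read by opening `<file>:Zone.Identifier`.

```python
"""Zone.Identifier (Mark-of-the-Web) parsing and container inheritance (added example)."""

# Zone ids as used by the Windows URL security zones.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Constructed stream content for a downloaded ISO (hosts are placeholders).
ISO_ADS = ("[ZoneTransfer]\r\n"
           "ZoneId=3\r\n"
           "ReferrerUrl=https://mail.example.test/\r\n"
           "HostUrl=https://files.example.test/update.iso\r\n")

# The EXE extracted from the ISO has no stream at all, as the post shows.
PAYLOAD_ADS = None


def parse_zone_identifier(ads_text):
    """Parse Zone.Identifier text into a dict; None when there is no usable mark."""
    if ads_text is None:
        return None
    info = {}
    section = None
    for raw in ads_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "ZoneTransfer" and "=" in line:
            key, value = line.split("=", 1)
            info[key.strip()] = value.strip()
    if not info.get("ZoneId", "").isdigit():
        return None
    info["ZoneId"] = int(info["ZoneId"])
    return info


def effective_zone(file_ads, container_ads=None):
    """Most restrictive (highest) zone of the file and the container it came from.

    Inheriting the container's zone is the design choice that removes the
    ISO gap: an unmarked file lifted out of an Internet-zone image is
    treated as Internet-zone itself."""
    zones = []
    for ads in (file_ads, container_ads):
        parsed = parse_zone_identifier(ads)
        if parsed is not None:
            zones.append(parsed["ZoneId"])
    return max(zones) if zones else None


def should_prompt(file_ads, container_ads=None):
    """SmartScreen-style decision: warn for Internet and Restricted zones."""
    zone = effective_zone(file_ads, container_ads)
    return zone is not None and zone >= 3


if __name__ == "__main__":
    print("ISO alone:", ZONE_NAMES[effective_zone(ISO_ADS)])
    print("EXE judged alone:", should_prompt(PAYLOAD_ADS))
    print("EXE with container zone:", should_prompt(PAYLOAD_ADS, ISO_ADS))
```

Judged on its own stream the extracted EXE produces no prompt, which is the behaviour the screenshots show; judged together with the image it was mounted from, it does. The `ReferrerUrl` and `HostUrl` fields are also worth logging, since they record where the container was downloaded from.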
 

Delivery

The method for delivering our phishing payloads is an important step in our Red Team infrastructure, as it is a deciding factor in whether our payload will even be delivered to our user. A framework that can deliver our payloads successfully is a great tool, especially when combined with all the pre-steps taken in the Domain section; the majority of these frameworks are well known and open source.
 

Gophish

Gophish is an open-source phishing toolkit designed for businesses and penetration testers. It provides the ability to quickly and easily set up and execute phishing engagements and security awareness training.

A little documentation and info on the tool is available on its project page.

Once downloaded, we can proceed to unzip the file and execute the binary named gophish in the directory in which it was downloaded.

We will receive the proper information for the first-time login.

image

I will not demonstrate the complete setup of the framework, as there are multiple sources and you can get more information on the documentation page; I will demonstrate a phishing technique and show some features of the tool.

When our framework is fully set up we can create a new campaign and send our phishing emails to our targeted users.

image

We send the emails to our target users.

image

The user checks their inbox.

image

This is an example utilizing the Gophish framework. Of course, a more sophisticated approach can be made by adding encryption and header information that looks a little more presentable and less like spam, but this was a high-level approach.
 

EvilGinx

Evilginx2 is a man-in-the-middle attack framework used for phishing login credentials along with session cookies, which in turn allows bypassing two-factor authentication protection.

I won't go into a detailed explanation of setting this up, as there are plenty of sources, even on its GitHub page, and I may be using a different VPS provider whose steps won't match these, but the basic configuration is:

We choose our phishlet; I chose LinkedIn.

image

Configure the domain and IP and enable the phishlet.

image

Once set, evilginx2 will create an SSL certificate using Let's Encrypt; if this is unsuccessful you can do it manually. From here, we can create the lures and grab the URLs needed to send to the target.

image

When the user logs in we capture cleartext credentials and the cookie needed to bypass MFA.

image

If MFA is enabled and the user logged in successfully, we will receive the cookie as well; since this demo does not contain a legitimate user, the cookie is not demonstrated, but the cleartext attempt is logged.
 

PwnDrop

I wanted to demonstrate this amazing tool for setting up payload delivery with a spoofing method that allows more legitimate-looking links for payload deliveries. As the tool description says, it's a self-deployable file hosting service for sending out red teaming payloads or securely sharing private files over HTTP and WebDAV.

I won't write the setup here, since it's well written and demonstrated on the GitHub page already.

Here is a sample of the tool functioning; we create a simple payload with msfvenom.

image

Now run the tool; on its first execution it will create a .ini file with the configuration for accessing the pwndrop admin panel, the location where the files will be stored and the admin data.

image

If anyone requests incorrect information, such as a wrong path, they will be redirected to another page of our choosing, or simply get a 404 error.

When uploading our payload we need two things: the payload itself and a facade file, which we can use as a means of spoofing our original file when sending our link.

image

In that manner, when the target receives the link it is a spoofed link, and they will be redirected to the original file, which would be our payload.

A small demonstration:

image
 

Situational Awareness

In this phase of the Red Team engagement life cycle the operator gathers as much information as possible about the compromised environment and the domain network. There is no predefined list of commands to execute, but the information gathered is essential for deciding the next actions to take towards persistence, lateral movement or privilege escalation.
 

Covenant and C#

A demonstration of this uses a few tools made in C# that are great for gathering multiple pieces of information in a single step. These are some of the common things to look for before proceeding to our next steps: Seatbelt packs the most common methods and the information considered important and valuable. Seatbelt has three groups that are valuable in the information gathering phase, which should be run at different permission levels, as some users can see more than others.

Covenant has a great built-in command for this already in its Tasks functions.

I will be demonstrating a few tools that are built into Covenant, and other methods related to the usage of C# tools via a C2; these can also be placed on the disk of the workstation and run normally as a binary from the console (CMD and PowerShell).

Covenant

Seatbelt -group=system

image

Covenant accepts C# binaries and executes them in memory, much like Cobalt Strike's famous execute-assembly method. This is a great way to avoid our tool dropping onto the disk and leaving a footprint. This task is called Assembly in Covenant; we simply run it, select our binary and add any parameters.

Choose the binary

image

The first box gives the assembly a name and the second the parameters; when this is added we can execute.

image

Execution

image

This method is perfect since the Seatbelt version bundled with Covenant differs from our own binary; unfortunately, Covenant hasn't received an update for a while, so the built-in tools are a little outdated, but with this method we can call our own, up-to-date C# tools.

Domain Enumeration

One of the things to keep in mind is that most C2s currently have their own methods for enumerating the domain network of an environment; for example, Covenant has built-in commands that act like PowerView and can take parameters as well, depending on the tool and the parameters it accepts.

Get-DomainComputers

image

Get-DomainUsers

image

Specific User (parameter demonstration)

image

Get-Processes

image

GetLocalGroup Information

image

LoggedOnUsers

image

To finish this off, I just wanted to demonstrate the usage of Covenant and how C# binaries are great for automating a few information gathering techniques. This does not remove the need to verify things manually; it's just a great way to gather plenty of the information needed for our next actions.
 

Empire and PowerShell

Empire 4.0 is a post-exploitation framework that includes pure-PowerShell Windows agents, Python 3.x Linux/OS X agents, and C# agents. It is the merger of the previous PowerShell Empire and Python EmPyre projects. Empire premiered at BSidesLV in 2015.

BC Security presented updates to further evade the Microsoft Antimalware Scan Interface (AMSI) at DEF CON 27. Empire was originally built by other developers, but since the project was no longer active ("it has served its purpose") and was no longer maintained, BC Security forked the project and continued its development.

I will demonstrate some situational awareness techniques with Empire. Empire has the full functionality of PowerView to enumerate a domain and workstation, as well as other tools for lateral movement, privilege escalation and persistence techniques.

I will not demonstrate the setup, as there are already awesome tutorials and the GitHub repository itself for this, but Empire will essentially need a listener, a stager, and the agent calling back to the C2.

The agent will start enumerating the host and domain.

Host Recon is a good start for enumeration.

image

Seatbelt is integrated with Empire in PowerShell; a few settings are needed to get started with the proper group or individual command.

image

Domain User Enumeration

image

Privilege Escalation Enumeration

image

And a plethora more modules that Empire can execute, around 399 at the time of writing.
 

Credential Dumping

This section demonstrates techniques for accessing credentials on the workstation OS. I had a few problems deciding where to place this section, as some of these techniques are only available after achieving Administrator privileges, but I will demonstrate a few user-level access techniques here and then a few Administrator-level techniques.
 

Mimikatz

A tool built by @gentilkiwi to learn C and Windows security. As you are probably aware, plaintext credentials, PINs and Kerberos tickets can be extracted from memory with it. A few examples will be given with the tool.

A requirement is to elevate permissions to Administrator or SYSTEM.

image

Windows has implemented more security into its OS, so plaintext credentials are now a little more difficult to obtain, but we can still grab the LM hash from the OS and crack it offline, or utilize the pass-the-hash (PTH) technique within mimikatz or other tools.

Attackers can take advantage of Administrator permissions and re-enable this feature (WDigest caching of logon credentials), to allow grabbing cleartext credentials:

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1

This allows the gathering of cleartext credentials, as demonstrated below, after a user authenticates again.

image
 

Lsass Dumping

Now that we are aware of dumping credentials from memory by running tools on the host OS, note that we have offline methods as well, where the operator dumps the lsass process and attacks the dump file offline. One tool that allows us to do this is Task Manager itself: it will create a dump file of the process for inspection, and we can grab this file and attack it offline.

Requires Administrator permissions

Task Manager

image

The file is dumped successfully in the mentioned folder location.

image

We can grab this file and move it offline for dumping credentials.

image

Requires SYSTEM permissions

MiniDumpW

A LOLBAS is available for dumping the lsass process; the required permission is SYSTEM. We can use the following command to dump the process to a file:

rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump PID C:\Users\HelpDesk\Desktop\lsass.dmp full

The PID is that of the lsass process.

image

We can do the same with mimikatz and attack the file offline.

Requires Administrator permissions

ProcDump

ProcDump is from the Sysinternals family; its purpose is monitoring an application for CPU spikes and generating crash dumps. The tool is simple.

image
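Each of the credential techniques in this section, and the HTA execution shown earlier, leaves a distinctive trace in endpoint telemetry: the `reg add ... WDigest ... UseLogonCredential ... /d 1` change, the `rundll32.exe comsvcs.dll, MiniDump` command, ProcDump pointed at lsass, and `mshta.exe` spawning a command interpreter. The following is an added example, not code from the original post or from any of the tools it names, of detection rules over that telemetry. The events are constructed dicts using Sysmon-style field names (EventID 1 for process creation, EventID 13 for a registry value being set); the PID 624, the file paths and the process images are placeholders.

```python
"""Detection rules for the endpoint artefacts of WDigest enabling, lsass dumping
and HTA-launched shells, run over constructed Sysmon-style events (added example)."""
import re


def detect(event):
    """Return the rule names one event matches (empty list for benign events)."""
    hits = []
    if event.get("EventID") == 1:
        image = event.get("Image", "").lower()
        cmd = event.get("CommandLine", "").lower()
        parent = event.get("ParentImage", "").lower()
        # LOLBAS lsass dump via comsvcs.dll MiniDump
        if image.endswith("\\rundll32.exe") and "comsvcs.dll" in cmd and "minidump" in cmd:
            hits.append("lsass-dump-comsvcs-minidump")
        # Sysinternals ProcDump pointed at lsass
        if re.search(r"\\procdump(64)?\.exe$", image) and "lsass" in cmd:
            hits.append("lsass-dump-procdump")
        # reg.exe re-enabling WDigest credential caching
        if (image.endswith("\\reg.exe") and "wdigest" in cmd
                and "uselogoncredential" in cmd and re.search(r"/d\s+0*1\b", cmd)):
            hits.append("wdigest-enable-commandline")
        # HTA host launching a command interpreter
        if parent.endswith("\\mshta.exe") and image.endswith(
                ("\\powershell.exe", "\\pwsh.exe", "\\cmd.exe")):
            hits.append("mshta-spawns-shell")
    elif event.get("EventID") == 13:
        target = event.get("TargetObject", "").lower()
        details = event.get("Details", "").lower()
        # Registry telemetry catches the same change however it was made
        if (target.endswith("\\securityproviders\\wdigest\\uselogoncredential")
                and "0x00000001" in details):
            hits.append("wdigest-enable-registry")
    return hits


def scan(events):
    """Run every rule over a list of events; returns (index, rule) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in detect(ev)]


# Constructed sample events (field names follow Sysmon; values are placeholders).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 624 "
                    r"C:\Users\HelpDesk\Desktop\lsass.dmp full",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest "
                    r"/v UseLogonCredential /t REG_DWORD /d 1",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 13,
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c calc.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe"},
    {"EventID": 1, "Image": r"C:\Tools\procdump64.exe",
     "CommandLine": r"procdump64.exe lsass.exe C:\Users\HelpDesk\Desktop\lsass.dmp",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Benign: rundll32 launching a control panel applet, and a user shell from Explorer
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


if __name__ == "__main__":
    for index, rule in scan(SAMPLE_EVENTS):
        print(index, rule)
```

The WDigest change is covered twice on purpose: the command-line rule only fires when `reg.exe` is used, while the EventID 13 rule sees the value being written regardless of which tool wrote it. Task Manager's own lsass dump has no command line to match, which is why a registry or file-creation source is needed alongside process telemetry.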
 