Red Team Life Cycle
That is why you fail.
Why?
There are tons of internal pentest guides out there, and they are probably a lot better than what you are about to see. But I find they are either over-comprehensive or just too high level. Internal pentesting is messy. The purpose of this post is to organise and integrate methodology, techniques and tools so that whenever you are stuck, there is always another path you can take to live up to the "Try Harder" motto.
Warning: I try my best to regularly update and improve the content of this blog. But there is no guarantee that I can always be up to date with the latest techniques. At the end of the day, I do have a life. :)
1. Initial Network Access
Goals:
- Obtain an internal IP
- Identified internal network structure
Plug straight to ethernet port
This is obviously the first thing you would do at a client. 50% of the time you will get an IP and you can just get started straight away. However, more and more organisations are implementing some form of network access control (NAC) to reduce the attack surface, so this only works where no such control is in place.
Bypassing NAC
1. Plug at the back of IP Phone
It is fairly common for organisations to use an IP phone as a layer 3 switch on each desk for their SOEs.
2. Spoofing MAC addresses
Even if the organisation implemented NAC, sometimes they have to whitelist
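From the blue side, the two bypasses above leave traces a switch or DHCP log can reveal: a cloned MAC showing up on a second port while the real phone is still connected, and an "exempt" OUI that announces a hostname no phone or printer would. The following detection helper is an added example, not code from the original post; the log line format, the OUI table and every MAC, port and hostname in it are constructed for illustration and are not any vendor's real syntax or prefixes.

```python
"""Flag NAC-bypass indicators in constructed switch/DHCP log lines.

Added example, not part of the original post.  The log format, the OUI
exemption table and all sample values are invented for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (not any vendor's real syntax):
#   <ISO timestamp> port=<iface> mac=<aa:bb:cc:dd:ee:ff> host=<dhcp hostname>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) port=(?P<port>\S+) mac=(?P<mac>[0-9a-f:]{17}) host=(?P<host>\S+)$"
)

# Constructed exemption list: OUI prefixes the NAC lets through without
# authentication, paired with the DHCP hostname pattern that device class
# normally announces.  Both prefixes are made up.
EXEMPT_OUIS = {
    "00:1b:2c": re.compile(r"^SEP[0-9A-F]{12}$"),   # "IP phone" vendor (made up)
    "00:aa:bb": re.compile(r"^PRN-"),               # "printer" vendor (made up)
}

# Constructed sample: a phone on Gi1/0/5 with a laptop behind it (normal),
# a phone on Gi1/0/9 whose MAC later announces a non-phone hostname, and
# the Gi1/0/5 phone's MAC reappearing on Gi1/0/17 minutes later.
SAMPLE_LOG = """\
2024-03-01T09:00:01 port=Gi1/0/5 mac=00:1b:2c:11:22:33 host=SEP001B2C112233
2024-03-01T09:00:02 port=Gi1/0/5 mac=3c:52:82:aa:bb:cc host=LAPTOP-FIN01
2024-03-01T09:05:10 port=Gi1/0/9 mac=00:1b:2c:44:55:66 host=SEP001B2C445566
2024-03-01T09:07:30 port=Gi1/0/9 mac=00:1b:2c:44:55:66 host=ubuntu
2024-03-01T09:08:00 port=Gi1/0/17 mac=00:1b:2c:11:22:33 host=SEP001B2C112233
"""


def parse_line(line):
    """Parse one constructed log line into a record dict, or None if the
    line does not match the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["oui"] = rec["mac"][:8]          # first three octets
    return rec


def find_indicators(log_text, window=timedelta(minutes=10)):
    """Return findings over the log text.  Two indicators are checked:

    * oui_hostname_mismatch: the OUI is on the exemption list, but the DHCP
      hostname is not what that device class announces.
    * mac_on_multiple_ports: the same MAC is seen on two different ports
      within `window`, which is what a cloned MAC looks like while the
      genuine device is still plugged in.
    """
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    findings = []

    for rec in records:
        pattern = EXEMPT_OUIS.get(rec["oui"])
        if pattern and not pattern.match(rec["host"]):
            findings.append({
                "indicator": "oui_hostname_mismatch",
                "mac": rec["mac"], "port": rec["port"], "host": rec["host"],
            })

    by_mac = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["ts"]):
        by_mac[rec["mac"]].append(rec)
    for mac, recs in by_mac.items():
        for prev, cur in zip(recs, recs[1:]):
            if prev["port"] != cur["port"] and cur["ts"] - prev["ts"] <= window:
                findings.append({
                    "indicator": "mac_on_multiple_ports",
                    "mac": mac, "ports": sorted({prev["port"], cur["port"]}),
                })
    return findings


if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_LOG):
        print(finding)
```

Neither indicator is proof on its own: a phone legitimately moving desks also trips the multi-port check, so the `window` is there to catch the overlap case rather than the relocation case, and the hostname check only works if the NAC exemption is keyed on OUI in the first place. Pairing the exemption with 802.1X or a per-device certificate removes the reason to rely on either heuristic.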
2. Initial Reconnaissance
Goals:
- Identify Domain Controllers
- Extract domain info
- Extract all domain users
- Identify all internal hosts
- Identify all authentication portals
Sharphound (Previously known as Bloodhound)
DumpSec
Goodi
3. Establish Foothold
Goals:
Compromise Domain Credentials
4. Lateral Movement
Goals:
Horizontal Password Spraying Domain Credentials
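Horizontal spraying is the one lateral-movement technique that is almost entirely visible in domain controller logs, so it is worth knowing what the detection looks like. The helper below is an added example, not code from the original post: it replays constructed failed-logon records (timestamp, account, source address; the fields a SIEM would pull from a failed-logon event) and flags a source that fails against many distinct accounts inside a sliding window, while leaving a single user's typos and a one-account brute force alone. All addresses, account names and timestamps are made up.

```python
"""Detect horizontal password spraying in failed-logon records.

Added example, not part of the original post.  The record shape and every
value in SAMPLE_EVENTS are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-logon records: (ISO timestamp, account, source address).
SAMPLE_EVENTS = [
    # One source, six different accounts in under three minutes: a spray.
    ("2024-03-01T10:00:00", "alice", "10.0.0.50"),
    ("2024-03-01T10:00:30", "bob", "10.0.0.50"),
    ("2024-03-01T10:01:00", "carol", "10.0.0.50"),
    ("2024-03-01T10:01:30", "dave", "10.0.0.50"),
    ("2024-03-01T10:02:00", "erin", "10.0.0.50"),
    ("2024-03-01T10:02:30", "frank", "10.0.0.50"),
    # A user mistyping their own password twice: benign.
    ("2024-03-01T10:05:00", "bob", "10.0.0.20"),
    ("2024-03-01T10:05:20", "bob", "10.0.0.20"),
    # Repeated failures on one service account: brute force, not a spray.
    ("2024-03-01T10:10:00", "svc-backup", "10.0.0.77"),
    ("2024-03-01T10:10:05", "svc-backup", "10.0.0.77"),
    ("2024-03-01T10:10:10", "svc-backup", "10.0.0.77"),
    ("2024-03-01T10:10:15", "svc-backup", "10.0.0.77"),
    # A slow spray: five accounts, one attempt every three minutes.
    ("2024-03-01T10:20:00", "gina", "10.0.0.99"),
    ("2024-03-01T10:23:00", "hank", "10.0.0.99"),
    ("2024-03-01T10:26:00", "ivan", "10.0.0.99"),
    ("2024-03-01T10:29:00", "judy", "10.0.0.99"),
    ("2024-03-01T10:32:00", "karl", "10.0.0.99"),
]


def parse_events(raw):
    """Normalise raw tuples: parse timestamps, lower-case account names."""
    return [(datetime.fromisoformat(ts), user.lower(), src) for ts, user, src in raw]


def detect_spray(raw_events, window_minutes=10, min_accounts=5):
    """Return one finding per source address that fails logons against at
    least `min_accounts` distinct accounts within any `window_minutes`
    span.  Distinct-account count is the discriminator: a brute force hits
    one account many times and is deliberately not reported here."""
    window = timedelta(minutes=window_minutes)
    by_src = defaultdict(list)
    for ts, user, src in sorted(parse_events(raw_events)):
        by_src[src].append((ts, user))

    findings = []
    for src, evs in by_src.items():
        for i, (start, _) in enumerate(evs):
            seen = set()
            for ts, user in evs[i:]:
                if ts - start > window:
                    break
                seen.add(user)
            if len(seen) >= min_accounts:
                findings.append({
                    "source": src,
                    "accounts": sorted(seen),
                    "window_start": start.isoformat(),
                })
                break   # one finding per source is enough for an alert
    return findings


if __name__ == "__main__":
    for finding in detect_spray(SAMPLE_EVENTS):
        print(finding)
```

With the defaults only `10.0.0.50` is reported; the slow spray from `10.0.0.99` stays under the threshold until the window is widened to 15 minutes, which is exactly the trade-off a detection engineer tunes: a wider window catches slower sprays but starts to sweep in help-desk traffic and shared jump hosts, so in practice the source address is usually paired with workstation name or logon type before alerting.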
5. Escalate Privileges
Goals:
6. Privileged Reconnaissance
Goals:
7. Escalate to Domain Administrator
Goals:
8. Data Exfiltration
Goals:
9. Maintain Access (Optional)
Goals:
Have questions or suggestions? Feel free to email me or ask me on Instagram.
Thanks for reading!