So, after a really great run at BlackHat Las Vegas (basically packing the second round of the training full), and an oversold class at DerbyCon, we are getting ready to hop over to Seattle with BlackHat's West Coast Training.
We plan to bring back the full class, with some added juice such as the good old red team bag (expect some extras!), as well as more hands-on practice of some of the techniques we were talking about in class (beyond intel gathering - some attack practice, and of course - social engineering night ;-) ).
Feel free to reach out to Chris and myself if you have any questions - we are both really looking forward to some fun in Seattle!
This is just the start of our master OSINT list, but I wanted to put out the ones we talked about in class as a reference for further practice. Many links and edits will be made to this page in the future, so watch closely! And as always: GET THE MONEY!
http://www.jigsaw.com/ <- find employees info
http://www.linkedin.com/ <- find employee info
http://entitycube.research.microsoft.com/ <- business and personal relationship maps
http://www.hoovers.com/ <- finance, market and executive info
http://www.intelius.com/ <- find business relationships and personal info
http://littlesis.org/ <- find business relationships
http://muckety.com/ <- find business relationships
http://pentest-standard.org/index.php/PTES_Technical_Guidelines <- primer on intel gathering, with step-by-step guidance
http://www.microsoft.com/web/solutions/bing-twitter.aspx <- see who is tweeting in a specific area
http://www.spokeo.com/ <- find target personal info
http://www.advancedbackgroundchecks.com/ <- good for finding addresses and locating people
http://namechk.com/ <- find a target's aliases on many social networks
http://knowem.com/ <- find a target's aliases on many social networks; checks 500+ sites for a username
https://appexchange.salesforce.com/category/intelligence <- personnel intel/OSINT
http://pastebin.com/ <- look for intel leaks, hacks, password drops
http://www.emailsherlock.com/ <- find syntax for any corp email address
https://github.com/ <- look for their sourcecode/passwords/etc
http://www.robtex.com/ <- find network/netblock info
http://www.shodanhq.com/ <- search port scan results and service banners for the target
https://github.com/wick2o/gitDigger <- search the GitHub archive for passwords and sensitive info
http://tineye.com <- image based search
http://www.jailbase.com/ <- search mugshots with facial recognition
http://www.bing.com/ <- remember... bing powers facebook's graph search AND has facial recognition
http://wigle.net/ <- global wifi network search
http://webmii.com/ <- Personal info/pix
http://www.zabasearch.com/ <- personal info like spokeo and others, make a fake facebook acct and get premium for free!
https://pipl.com/ <- another spokeo/zabba type site
http://pentest-tools.com/?p=home <- remote port scan and company profiling
https://bitbucket.org/LaNMaSteR53/recon-ng/wiki/Home RECON-NG <- OSINT framework
https://www.elevenpaths.com/labstools/foca/index.html FOCA <- metadata, documents, network discovery
http://www.offensivecountermeasures.com/forum/topics/pushpin-1 PUSHPIN <- social network monitoring
http://www.paterva.com/web6/ MALTEGO/CASEFILE <- OSINT framework/information mapping tool
http://www.touchgraph.com/navigator Touchgraph NAVIGATOR <- relationship mapping
http://nodexl.codeplex.com/ <- NODE XL relationship mapping
https://github.com/SMRFoundation/ThreadMill <- ThreadMill is a software framework for processing and visualizing message-board post data.
http://www.netglub.org/ <- free Maltego-like framework
http://ilektrojohn.github.com/creepy/ CREE.py <- geolocation tool for Twitter/Facebook and others
http://www.rtl-sdr.com/big-list-rtl-sdr-supported-software/ <- list of software-defined radio programs
http://www.onstrat.com/osint/ <- IMO, the best collection of OSINT links on the internet!
http://www.phibetaiota.net/ <- tons of intel-based resources, reviews and blogs
http://www.phibetaiota.net/wp-content/uploads/2013/07/2013-07-11-OSINT-2ool-Kit-On-The-Go-Bag-O-Tradecraft.pdf <- 2013 OSINT guide. AWESOME! Best PDF on OSINT I have ever read.
Well, not really just "Attack!". That's where many of the differences between a proper red team and a glorified pentest show up.
Previous posts talked about the value of intelligence gathering, and of a consistent and exhaustive methodology for red teaming. This stays true for the actual attack phase. One cannot simply "red team" a target by launching some random attack vector at it just to feel special. After all the intelligence gathering, two critical phases remain before any attack: threat modeling and vulnerability research.
This post won't go through these in detail, but it is important to mention them, as without threat modeling there isn't really a point to red teaming. Otherwise, how would you know _which_ adversary to simulate? Based on what set of capabilities and what access to the assets in question? And which assets to target? These all go into the threat modeling phase.
Furthermore, why launch an attack before conducting proper vulnerability research? And again, this isn't limited to the software components one can identify by probing the target's web servers and network infrastructure and searching for exploits matching the versions that show up. Proper vulnerability research takes into account all the elements the target organization operates with: physical presence, operational procedures, third parties and suppliers, customers, personnel, and more. Finding vulnerabilities in these, and especially in elements that traditionally fall "between the cracks" of organizational hierarchies, is a golden opportunity for later exploitation.
Which brings us to the "Attack!" part. Much unlike a pentest, launching an attack during a red team is a highly orchestrated act. The premise is that you only have one chance (again, contrary to the common perception that attackers need to succeed only once while defenders need to always get it right). Often a failed attack alerts the defenders and changes the analyzed vulnerabilities and attack surface to the point where additional planning is needed before the next attack can be launched. This means that you do not just jump on the first exploitable vulnerability found on some obscure server; you think really hard: now what? Once you got that exploit in and managed to escalate your privileges, how far did this get you in compromising the assets you were targeting in the first place? Could it be that other "less sexy" exploits would bring you to a more advantageous position on your way to the gold? How would a given attack vector be perceived by the defenders? Would it be possible to use the hubbub caused by such an attack being detected to attack another part of the target and gain more leverage?
As you can see from this short discussion of "Attack!", there is much more to it at the strategic level, and in terms of accomplishing what you were brought in to do. So yes, the "Attack!" phase IS a lot of fun. It IS exciting to play that game of chess with the organization and map out your moves three or four plays in advance. It IS far more valuable to the organization to experience how an actual adversary would go about targeting it. BUT it DOES require a lot of preliminary work at the earlier stages; it requires planning, analysis, and an understanding of what really matters to the organization and how its adversaries would target it. But I guess that this is what we are all here for :-)
Last but not least, remember that bag of toys we are bringing to Vegas to hand out to all of our participants? Yeah, well, the "Attack!" portion has a lot to do with it... We'll learn how to use all the tools we threw in there (I know! these weren't just random items we picked up...), and more importantly, figure out new ways to leverage them in order to get you into a better position on your next red team task.
Vegas is approaching quickly, and the classes are filling up! Make sure to secure your place in them early (more importantly so we can make sure we have enough bags for everyone)... See you all there!
In the previous post we talked a bit about what red team engagements are, and generally what we'll cover during the training. In this post I'd like to talk a bit about one of the critical parts of a red team test, which separates it from a standard pentest: intelligence gathering.
I often like to think that a red team engagement is decided at its earliest stage: intelligence gathering. At that point, I can usually tell how successful the engagement will be. That's because when intel gathering is done correctly, you almost certainly have all the information you need to accomplish your goal. In the "information age" there is so much that can be gathered on an organization, its employees, and its business partners that it has become a matter of data processing and analysis rather than actual data collection (as the guys who run PRISM know ;-) ).
In the training, we'll focus on different types of intelligence gathering and profiling. We'll obviously cover the OSINT (Open Source INTelligence) methodology, utilizing open resources, social networks, an assortment of government and organizational information sites, and more.
Additionally, there is nothing more effective than actually seeing and experiencing your targets, so physical and electronic intelligence are also a crucial part of the intel gathering phase. It's always nice to already have close familiarity with a building (outside, and in) that you may end up operating in, especially when it comes to establishing a backstory and in cases where social engineering is involved.
So, DO expect to meet some really cool techniques for monitoring, recording, and visiting physical facilities, along with where and how to obtain the tools to do so (some of which we plan to include in the (in)famous goodie bag that Chris already told you about in the previous post…).
We'll discuss how to disseminate information effectively, and how to store it in ways that make it accessible and meaningful in later parts of the red team engagement. As intel is the basis for all red team operations, he who owns the information is more likely to have an advantage when facing challenging circumstances in the field.
So much for this quick post. As I mentioned earlier, the goodie bag is shaping up to be of epic proportions, and my partner in crime is pulling some amazing tricks to make it happen for Vegas. Until next time!
p.s. image: red team pulling some intel
Recent conversations with some of the BADASS MOFO's signed up for the class prompted this post.
Ian and I LOVE toys. Red Teamers LOVE TOYS.... SO, I thought I would post a list of toys YOU will be getting/using/taking home from class. Mind you, we are paying for this stuff OUT OF POCKET, so I thought we could show ya a taste of where we are gonna go with the class... and the FUN (read: trouble) you are getting yourself into.
Basic Pick Set w/ standards
Bogota Picks - Steel
Key Blank x 2
Multitool instead of Pliers
k22 Door Opener
Cuff Keys x 2
Cuff Shims x 2
Mini Crow Bar - Steel
Hand Warmer Packets x 4
Party Animal Balloons (Mylar)
Blank plastic badges x 2
Customized BAG for all your fun new goodies
P.S. We are working with a few intel and software vendors to get you some neato hookups on that side... but we are gonna keep THAT one on the Down Low till I have it all set and in place.
Hi everyone, this is the first in a series of 4-5 posts related to our Red-Team Training class offered during BlackHat USA 2013.
First things first - why? Well, we only have two days, and trust us, they are going to be packed. Therefore, we figured it would be best to provide some background material and previews on what to expect from the training.
First, Red Team. The term itself is overused and abused. This is especially true with the demise of "penetration testing", which has replaced "vulnerability scanning" as the term-du-jour in the security industry. Red Teaming represents the pinnacle of security and risk assessments for organizations.
It means no-holds-barred testing of an organization's security, not limited in scope to particular technological, social, organizational or physical aspects. In a red-team engagement the point is to simulate a real-world adversary. This is in contrast to more traditional engagements (penetration testing and vulnerability assessments), where specific aspects of the organization's technical infrastructure are reviewed for their security posture.
In the training, we will focus on how red team engagements are run, and how to provide the best value for the organization they are conducted against.
The training will combine Red Teaming methodology aspects, as well as technical and hands-on portions in order to gain a bit of experience in how engagements should be executed in the field.
From a "what you get" perspective, one thing to note is that this is NOT a tools class. Tools are part of every red team engagement, but are not the point of it. Tools can be used interchangeably, and should be chosen based on the specific challenge at hand and personal taste. There is no "one tool to rule them all", especially in red teaming. However, as we try to make sure the training has enough hands-on portions, tool usage will be part of the two-day ordeal, and we'll have a chance to use them in situations similar to actual red-team engagements.
So to conclude the first post in this series: we are expecting a packed schedule, where we will alternate between methodology and hands-on practice, we'll get to do some field work (and in Vegas of all places; get your lawyers/livers ready), and last but not least, have fun! Our goal for the training is to get everyone into a state of mind of constant observation and criticism of anything security. In the past we managed to build our trainings around our classes (i.e. you!) and are really looking forward to challenging ourselves (and everyone who will be in the class) again.
Lastly, and we'll save some surprises for later posts, everyone in the training will walk away with actual tools they would use on red-team engagements.