Red Team Plan
Purpose: The purpose of this red team exercise is to assess an organization's security
posture by simulating real-world attacks and identifying vulnerabilities.
Scope: Scope includes aspects of the organization's external and internal networks, physical
security, human resources, and social engineering.
1. Goals and Objectives
1.1 Identify vulnerabilities in your organization's infrastructure and applications.
1.2 Test the effectiveness of your incident response and security monitoring capabilities.
1.3 Assess the organization's ability to detect and respond to complex threats.
1.4 Provide recommendations to improve security.
2. Methodology
Below is the method used to conduct the Red Teaming Exercise:
Reconnaissance -> Scanning and Enumeration -> Gaining Access -> Post Exploitation -> Maintenance / Persistence -> Removing Footprints
Reconnaissance Phase
This phase focuses on obtaining information related to the target machine.
Using tools we can collect all the information related to our target.
Passive reconnaissance obtains publicly available information in a way the target can never detect.
Active reconnaissance consists of making actual connections to the target, whereas passive
reconnaissance has its own limitations and obtains only a specific amount of information.
Example (for a target "ABC") - access employee information, social engineering, open
source intelligence (OSINT), identifying entry points, and attack vectors
Tools –
Active Reconnaissance Tools – Wireshark, Recon-ng, theHarvester, Maltego, Amass,
nslookup, SpiderFoot, sublist3r
Passive Reconnaissance – Shodan, WHOIS lookup, GitHub repos, Dork search, VirusTotal,
hunter.io, etc.
Scanning and Enumeration
It consists of Host Discovery – ARP and ICMP scans (live hosts); TCP port scanning – full
connect scan, SYN scan, ACK scan, FIN/RST/PSH scans; service version detection, OS
detection, and UDP port scanning.
Netdiscover is used to find live hosts on either wireless or switched networks (netdiscover -r ip/24).
Use Nmap to find all information about the target and perform the above variety of
scans.
Perform the vulnerability assessment and review of security weaknesses in the system,
evaluate known vulnerabilities, and assign a severity level to each of them.
Tools – Nessus Pro, Acunetix, Invicti (Netsparker), Metasploit (scanner modules)
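Objective 1.2 above asks whether security monitoring would notice this scanning phase. The following is an added example, not part of the original plan: a small detector the blue team can run over firewall connection logs during the exercise to flag a source probing many ports on one host (vertical scan) or one port across many hosts (horizontal scan). The log line format, the 60-second bucket and the thresholds are assumptions chosen for the example, and the sample log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed log format (constructed for this example, not a real firewall format):
#   <ISO-8601 timestamp> <src_ip> -> <dst_ip>:<dst_port> <ACCEPT|DROP>
LOG_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (ACCEPT|DROP)$")
EPOCH = datetime(1970, 1, 1)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, action = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "port": int(port), "action": action}


def detect_scans(lines, window_seconds=60, port_threshold=20, host_threshold=15):
    """Return alerts for sources that, within one fixed time bucket, touch at least
    port_threshold distinct ports on a single host (vertical scan) or a single port
    on at least host_threshold distinct hosts (horizontal scan)."""
    # (src, bucket) -> {"ports_by_host": {dst: {ports}}, "hosts_by_port": {port: {dsts}}}
    buckets = defaultdict(lambda: {"ports_by_host": defaultdict(set),
                                   "hosts_by_port": defaultdict(set)})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip malformed lines instead of crashing the detector
        bucket = int((ev["ts"] - EPOCH).total_seconds()) // window_seconds
        seen = buckets[(ev["src"], bucket)]
        seen["ports_by_host"][ev["dst"]].add(ev["port"])
        seen["hosts_by_port"][ev["port"]].add(ev["dst"])

    alerts = []
    for (src, _bucket), seen in sorted(buckets.items()):
        for host, ports in seen["ports_by_host"].items():
            if len(ports) >= port_threshold:
                alerts.append({"src": src, "type": "vertical", "target": host, "count": len(ports)})
        for port, hosts in seen["hosts_by_port"].items():
            if len(hosts) >= host_threshold:
                alerts.append({"src": src, "type": "horizontal", "target": port, "count": len(hosts)})
    return alerts


def build_sample_logs():
    """Constructed sample traffic (not real data): one vertical scan, one
    horizontal scan, a little benign traffic and one malformed line."""
    lines = []
    for i, port in enumerate(range(1, 31)):            # 30 ports on one host
        lines.append(f"2024-05-01T10:00:{i:02d} 10.0.0.5 -> 10.0.1.10:{port} DROP")
    for i in range(1, 21):                             # port 445 on 20 hosts
        lines.append(f"2024-05-01T10:00:{i + 30:02d} 10.0.0.7 -> 10.0.1.{i}:445 DROP")
    lines.append("2024-05-01T10:00:40 10.0.0.9 -> 10.0.1.10:443 ACCEPT")
    lines.append("2024-05-01T10:00:41 10.0.0.9 -> 10.0.1.11:80 ACCEPT")
    lines.append("this line is not a connection record")
    return lines


SAMPLE_LOGS = build_sample_logs()

if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOGS):
        print(alert)
```

Fixed time buckets are used rather than a sliding window to keep the logic short; a scan straddling a bucket boundary can slip under the thresholds, so in production pair this with a sliding window or lower thresholds. Running the block prints one vertical alert for 10.0.0.5 and one horizontal alert for 10.0.0.7, while the benign traffic from 10.0.0.9 produces nothing.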
Exploitation –
Web Based - Exploitation
Once a vulnerability or misconfiguration is identified, one goes for exploitation.
Generally, the server which hosts the website is called the web server and listens on TCP 80;
checking whether services run on their default ports is a small first step in checking security.
When a client connects, the web service responds by providing the requested contents such as
HTML/JavaScript, etc.
The web server may in turn fetch content from a database server at the backend.
The set of rules or protocols used to communicate between server and client runs at
layer 7 of the OSI model.
Multiple vulnerabilities or misconfigurations in the website allow an attacker to
compromise the website and the server on which it is running.
Find the common mistakes – passwords found in the source code of website pages,
IP addresses of internal servers, or API keys and tokens in the website's console; a CMS
running on the server that is not patched and runs an older version; check the GHDB
(Google Hacking Database), a publicly available website.
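The "common mistakes" above (credentials in page source, internal server addresses, API keys or tokens left in client-side code) are easy to check for mechanically before a site goes live. Below is an added example, not part of the original plan, that scans page content for those three leak types. The regular expressions, the finding format and the sample page are assumptions constructed for the example; in practice the content would come from the pages fetched during the assessment.

```python
import ipaddress
import re

# Patterns are assumptions for this example; tune them to your own code base.
PASSWORD_RE = re.compile(r"(?i)\b(password|passwd|pwd)\s*[:=]\s*['\"]([^'\"]{4,})['\"]")
API_KEY_RE = re.compile(r"(?i)\b(api[_-]?key|token|secret)\s*[:=]\s*['\"]([A-Za-z0-9_\-]{16,})['\"]")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# RFC 1918 ranges: an address in one of these points at an internal server.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip_text):
    """True if ip_text is a valid IPv4 address inside an RFC 1918 range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def find_leaks(content):
    """Scan page content line by line and return a list of findings, each with the
    line number, the kind of leak and the leaked value."""
    findings = []
    for lineno, line in enumerate(content.splitlines(), start=1):
        for m in PASSWORD_RE.finditer(line):
            findings.append({"line": lineno, "kind": "hardcoded_password", "value": m.group(2)})
        for m in API_KEY_RE.finditer(line):
            findings.append({"line": lineno, "kind": "api_key", "value": m.group(2)})
        for m in IPV4_RE.finditer(line):
            if is_internal(m.group(0)):
                findings.append({"line": lineno, "kind": "internal_ip", "value": m.group(0)})
    return findings


# Constructed sample page (not a real site): a key and an internal address left in
# client-side JavaScript, and a database password left in an HTML comment.
SAMPLE_PAGE = """\
<!DOCTYPE html>
<html>
<head>
<script>
  // TODO remove before release
  var apiKey = "sk_test_0123456789abcdef0123";
  var backend = "http://10.20.30.40/api";
  console.log("connecting to " + backend);
</script>
</head>
<body>
<!-- db password = "Summer2024!" -->
<p>Contact us at 203.0.113.7</p>
</body>
</html>
"""

if __name__ == "__main__":
    for finding in find_leaks(SAMPLE_PAGE):
        print(f"line {finding['line']}: {finding['kind']} -> {finding['value']}")
```

The public address in the contact paragraph is deliberately not reported, since only RFC 1918 addresses reveal internal infrastructure; the same check can be run over the JavaScript bundles and API responses the browser loads, which is where keys most often end up.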
Common OWASP Top 10 vulnerabilities are covered, such as Cross-Site Scripting, SQL
Injection, Broken Access Control, Cryptographic Failures, Code Injection, brute force of
website parameters/fields, file upload vulnerabilities, CSRF, SSRF, old CMS or JS files,
Insecure Design, etc.
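Of the categories listed, SQL Injection is the one most easily shown in a few lines. The following is an added example, not part of the original plan: the vulnerable form of a user lookup beside its hardened form, run against a constructed in-memory SQLite table so the difference in behaviour can be observed directly. The table, the sample accounts and the function names are assumptions made for the example.

```python
import sqlite3


def make_demo_db():
    """Constructed in-memory database with two sample accounts (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
                 "username TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_user_vulnerable(conn, username):
    """Vulnerable form: the request parameter is pasted into the SQL text, so a quote
    character in the input changes the structure of the query."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return sorted(conn.execute(query).fetchall())


def lookup_user_safe(conn, username):
    """Hardened form: a parameterised query binds the input as data, so the database
    never interprets it as SQL no matter what characters it contains."""
    query = "SELECT username, role FROM users WHERE username = ?"
    return sorted(conn.execute(query, (username,)).fetchall())


if __name__ == "__main__":
    db = make_demo_db()
    # The textbook test input: it closes the quoted string and appends an always-true clause.
    probe = "' OR '1'='1"
    print("vulnerable, normal input :", lookup_user_vulnerable(db, "alice"))
    print("vulnerable, probe input  :", lookup_user_vulnerable(db, probe))
    print("safe, probe input        :", lookup_user_safe(db, probe))
```

With the probe input the vulnerable function returns every account, because the query becomes `WHERE username = '' OR '1'='1'`, while the parameterised version looks for a user literally named `' OR '1'='1` and returns nothing. During the assessment the same probe applied to each input field distinguishes the two implementations; the fix is to bind parameters everywhere, not to filter quote characters.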
Network – Exploitation
Identification of open ports, services and versions is important for exploitation.
Access sensitive information like passwords, classified files and bank account
details present on the systems.
Find vulnerabilities in the target system in order to secure the network.
Post – Exploitation
The goal is to maintain a foothold in the compromised system after successful
exploitation.
After going through the cumbersome effort of enumerating targets, finding
vulnerabilities and exploiting the weak links, we need persistence.
Various persistence methods exist depending on the nature of the target system.
Methods – user-land persistence, kernel-land persistence, boot-level persistence
Pivoting
This activity focuses on mapping the network devices and hosts present in the internal
environment.
The attackers leverage built-in tools to enumerate and map live hosts in the
environment.
The internal network mostly comprises an Active Directory environment; the focus will be
on abusing its misconfigurations.
Internal Network Enumeration
Tools – nmap, netcat, or built-in utilities like PowerShell can be used for
enumeration purposes.
Scan open TCP ports from a PowerShell query.
Active Directory Essentials
Use Windows PowerShell and Windows native executables for enumeration and
exploration purposes – Domain Controller, application server, user system.