Name | Description | URL |
---|---|---|
Atomic Red Team | Atomic Red Team™ is a library of tests mapped to the MITRE ATT&CK® framework. Security teams can use Atomic Red Team to quickly, portably, and reproducibly test their environments. | https://github.com/redcanaryco/atomic-red-team |
Awesome Markdown | A collection of awesome markdown goodies (libraries, services, editors, tools, cheatsheets, etc.) | https://github.com/mundimark/awesome-markdown |
Caldera | CALDERA™ is a cyber security platform designed to easily automate adversary emulation, assist manual red-teams, and automate incident response. | https://github.com/mitre/caldera |
Cervantes | Cervantes is an opensource collaborative platform for pentesters or red teams who want to save time to manage their projects, clients, vulnerabilities and reports in one place. | https://github.com/CervantesSec/cervantes |
Ghostwriter | Ghostwriter is a Django-based web application designed to be used by an individual or a team of red team operators. | https://github.com/GhostManager/Ghostwriter |
Obsidian | Obsidian is a powerful knowledge base on top of a local folder of plain text Markdown files. | https://obsidian.md |
OWASP Threat Dragon | Threat Dragon is a free, open-source, cross-platform threat modeling application including system diagramming and a rule engine to auto-generate threats/mitigations. | https://github.com/mike-goodwin/owasp-threat-dragon-desktop |
PwnDoc-ng | Pentest Report Generator | https://github.com/pwndoc-ng/pwndoc-ng |
SysReptor | Pentest Reporting Easy As Pie | https://github.com/Syslifters/sysreptor |
VECTR | VECTR is a tool that facilitates tracking of your red and blue team testing activities to measure detection and prevention capabilities across different attack scenarios. | https://github.com/SecurityRiskAdvisors/VECTR |
WriteHat | A pentest reporting tool written in Python. Free yourself from Microsoft Word. | https://github.com/blacklanternsecurity/writehat |
XMind | Full-featured mind mapping and brainstorming app. | https://www.xmind.net |
- Slow and steady. Confidence is key.
- Use proxychains if applicable.
- Work out of Docker containers if possible to keep a low profile.
- After landing on the beachhead, always act like a normal user (for example, `whoami /all` or the BloodHound collection method `-ALL` stand out; use `-dc-only` instead).
- Don't disrupt infrastructure longer than needed.
- Clean up after you have finished. Don't leave any kind of file lying around.
- Revert the changes you made (DNS spoofing, for example).
- `nmap -A -T4` is probably not a good idea. It's not a CTF!
| | Monday | Tuesday | Wednesday | Thursday | Friday | Saturday | Sunday |
|---|---|---|---|---|---|---|---|
| Start | Engagement Kickoff | Sync | Weekly Review | | | | |
| Weekly | Planning | Sync | Weekly Review | | | | |
| Closing | Planning | Sync | Closing / Engagement Review | | | | |
```text
engagement_name
├── 0-operations
├── 1-osint
├── 2-recon
├── 3-targets
│   ├── domain_name
│   │   └── exfil
│   └── ip_hostname
│       └── exfil
├── 4-screenshots
│   └── YYYYMMDD_HHMM_IP_description.png
├── 5-payloads
├── 6-loot
├── 7-logs
└── README.md
```
I highly recommend dumping a `timeline.md` with the following notation into an internally hosted Git repository.

```markdown
# <ENGAGEMENT_NAME>
## Timeline
### Duration
#### YYYY-MM-DD
HH:MM <TASK>, <DESCRIPTION>
<COMMAND>
```

This makes it easier to keep track of your actions and to merge them later as input for the report.
```markdown
# RTA-01 Active Directory
## Timeline
### Duration 2022-08-01 - 2022-09-01
#### 2022-08-01
09:15 Reconnaissance, Port Scan Domain Controller
$ nmap 192.168.1.10
#### 2022-08-02
...
...
...
```
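The notation above and the RTA-01 example lend themselves to automation. The following Python script, added here as an example and not part of the original notes, parses `timeline.md` files written in that notation, merges the entries of several operators in chronological order, and renders them as one markdown table for the report; the two sample timelines and the operator names are constructed for the example.

```python
import re
from datetime import datetime

DATE_RE = re.compile(r"^#### (\d{4}-\d{2}-\d{2})\s*$")  # "#### YYYY-MM-DD" day heading
ENTRY_RE = re.compile(r"^(\d{2}:\d{2}) ([^,]+), (.+)$")   # "HH:MM <TASK>, <DESCRIPTION>"

def parse_timeline(text, operator):
    """Parse one timeline.md; each <COMMAND> line attaches to the entry directly above it."""
    entries, day, current = [], None, None
    for line in (l.rstrip() for l in text.splitlines()):
        if not line:
            continue
        if m := DATE_RE.match(line):
            day, current = m.group(1), None  # new day: later lines must not attach to an old entry
        elif line.startswith("#"):
            continue  # engagement name, "Timeline" and "Duration" headings carry no entries
        elif (m := ENTRY_RE.match(line)) and day:
            when = datetime.strptime(f"{day} {m.group(1)}", "%Y-%m-%d %H:%M")
            current = {"time": when, "operator": operator, "task": m.group(2).strip(),
                       "description": m.group(3).strip(), "commands": []}
            entries.append(current)
        elif current is not None:
            current["commands"].append(line)  # e.g. "$ nmap 192.168.1.10"
    return entries  # an entry written before the first day heading is malformed and dropped

def merge_timelines(timelines):
    """timelines: {operator: markdown text}. Returns every entry in chronological order."""
    merged = [e for op, text in timelines.items() for e in parse_timeline(text, op)]
    return sorted(merged, key=lambda e: e["time"])

def render_report_input(entries):
    """Flatten merged entries into one markdown table for the report's timeline section."""
    rows = ["Time | Operator | Task | Description | Commands", "---|---|---|---|---"]
    for e in entries:
        rows.append(f"{e['time']:%Y-%m-%d %H:%M} | {e['operator']} | {e['task']} | "
                    f"{e['description']} | {'; '.join(e['commands']) or '-'}")
    return "\n".join(rows)

# Constructed sample timelines from two operators; not taken from the original notes.
TIMELINE_ALICE = """### Duration 2022-08-01 - 2022-09-01
#### 2022-08-01
09:15 Reconnaissance, Port Scan Domain Controller
$ nmap 192.168.1.10
#### 2022-08-02
11:00 Reporting, Update report storyboard
"""
TIMELINE_BOB = """#### 2022-08-01
08:50 Operations, Start session logging
$ script 7-logs/20220801_bob.log
"""
```

Running `render_report_input(merge_timelines({"alice": TIMELINE_ALICE, "bob": TIMELINE_BOB}))` yields the merged table with Bob's 08:50 entry first.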
- 20220801_1508_10.10.1.106_nmap_tcp445.png
- 20220801_1508_10.10.1.106_smb_enumeration.png
- 20220801_1508_10.10.1.106_smb_password_file.png
```markdown
# <ENGAGEMENT_NAME> ENGAGEMENT REPORT
#### <COMPANY>
##### <REPORTER>

## Table of Contents

- 1. Introduction
- 2. Executive Summary
  - 2.1 Scope of Work (SoW)
  - 2.2 Project Objectives
  - 2.3 Assumption
  - 2.4 Project Phases
    - 2.4.1 Phase 1: <PHASE_NAME>
    - 2.4.2 Phase 2: <PHASE_NAME>
  - 2.5 Project Duration
  - 2.6 Summary of Findings
    - 2.6.1 Initial Approach
      - 2.6.1.1 <FINDING>
      - 2.6.1.2 <FINDING>
      - 2.6.1.3 <FINDING>
    - 2.6.2 Overall Posture
    - 2.6.3 Risk Rating
      - 2.6.3.1 Critical
      - 2.6.3.2 High
      - 2.6.3.3 Medium
      - 2.6.3.4 Low
- 3. Methodology
  - 3.1 Planning
  - 3.2 Exploitation
  - 3.3 Reporting
- 4. Deliverables
  - 4.1 Reconnaissance
  - 4.2 Weaponization
  - 4.3 Delivery
  - 4.4 Exploitation
  - 4.5 Installation
  - 4.6 Command and Control
  - 4.7 Actions on Objective
- 5. Recommendations
  - 5.1 Critical Risk
  - 5.2 High Risk
  - 5.3 Medium Risk
  - 5.4 Low Risk
- 6. References
- Appendix A
- Appendix B
- Appendix C
```
- Screenshot everything!
- Note every attempt, even if it's a failure.
- Create and update a report storyboard during the process.
To add the time, the date and the current IP address to the prompt, add the required commands to either the `.bashrc` or the `.zshrc`.

Bash (`.bashrc`):

```bash
# The escaped backticks keep the date command in PS1, so the timestamp is re-evaluated on every prompt; the IP is captured once when the shell starts
PS1="[\`date +'%Y-%m-%d %H:%M'\`]\[\033[01;31m\] `ip a | grep -A 1 eth0 | grep inet | awk '{ print $2 }' | cut -d '/' -f 1`\[\033[00m\] \[\033[01;34m\]\w\[\033[00m\] \\$ "
# Same, showing the public IP instead (single quotes: one request to ifconfig.co per prompt)
PS1='[`date +"%Y-%m-%d %H:%M"`]\[\033[01;31m\] `curl -s ifconfig.co`\[\033[00m\] \[\033[01;34m\]\w\[\033[00m\] \$ '
```

Zsh (`.zshrc`):

```zsh
# %D and %T are zsh prompt escapes and update on every prompt; the IP is captured once when PS1 is set
PS1="[20%D %T] %B%F{red}$(ip a | grep -A 1 eth0 | grep inet | awk '{ print $2 }' | cut -d '/' -f 1)%f%b %B%F{blue}%1~%f%b $ "
PS1="[20%D %T] %B%F{red}$(curl -s ifconfig.co)%f%b %B%F{blue}%1~%f%b $ "
# Variant of Kali's default two-line prompt; Kali's .zshrc defines $prompt_symbol and $debian_chroot
PROMPT="%F{white,bold}%W %* $(ip a | grep -A 1 eth0 | grep inet | awk '{ print $2 }' | cut -d '/' -f 1)"$'%F{%(#.blue.green)}\n┌──${debian_chroot:+($debian_chroot)─}${VIRTUAL_ENV:+($(basename $VIRTUAL_ENV))─}(%B%F{%(#.red.blue)}%n'$prompt_symbol$'%m%b%F{%(#.blue.green)})-[%B%F{reset}%(6~.%-1~/…/%4~.%5~)%b%F{%(#.blue.green)}]\n└─%B%(#.%F{red}#.%F{blue}$)%b%F{reset} '
```
For PowerShell, paste the following into the open terminal:

```powershell
$IPv4 = Test-Connection -ComputerName (hostname) -Count 1 | Select -ExpandProperty IPV4Address; function prompt{ "PS" + " [$(Get-Date)] $IPv4> $(get-location) " }
```
```bash
command args | tee <FILE>.log       # write output to a new log file
command args | tee -a <FILE>.log    # append to an existing log file
script <FILE>.log                   # record the whole interactive session
script -c 'command args' <FILE>.log # record a single command
```

```powershell
Get-ChildItem -Path D: -File -System -Recurse | Tee-Object -FilePath "C:\temp\<FILE>.txt" -Append | Out-File C:\temp\<FILE>.txt
```

```text
msf> spool <FILE>.log
```
```console
root@operations:~# apt-get update && apt-get upgrade && apt-get dist-upgrade && apt-get autoremove && apt-get autoclean
root@operations:~# timedatectl set-timezone <COUNTRY>/<CITY>
root@operations:~# apt-get install apt-transport-https fail2ban git golang p7zip-full pst-utils python3-pip python3-tk tree zip
root@operations:~# useradd -m ops
root@operations:~# passwd ops
root@operations:~# usermod -aG sudo ops
root@operations:~# usermod -s /bin/bash ops
ops@operations:~$ ln /dev/null ~/.bash_history -sf
root@operations:~# vi /etc/fstab
```

```text
proc /proc proc defaults,hidepid=2 0 0
none /dev/pts devpts rw,gid=5,mode=620 0 0
none /run/shm tmpfs defaults 0 0
```

```console
root@operations:~# chmod 644 /home/ops/.ssh/authorized_keys
root@operations:~# chown root /home/ops/.ssh/authorized_keys
```
- Copy `fail2ban.conf` to `/etc/fail2ban/`
- Copy `jail.local` to `/etc/fail2ban/`
- Copy `nginx-badbots.conf` to `/etc/fail2ban/filter.d/`
- Copy `nginx-noscript.conf` to `/etc/fail2ban/filter.d/`
- Copy `psad.conf` to `/etc/psad/` if you already have one
- Create `iptables.sh` in `/root/.scripts/`
```console
root@operations:~/.scripts# cat iptables.sh
```

```bash
#!/bin/bash
/sbin/iptables -F
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -I INPUT -i lo -j ACCEPT
# management access over SSH; add "-s <KNOWN_IP>" to limit it to the known addresses mentioned below
/sbin/iptables -A INPUT -p tcp --match multiport --dports 22 -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# accept only replies to connections this host opened itself; listing NEW here would
# accept every inbound connection and silently defeat the DROP policy above
/sbin/iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# netfilter-persistent is provided by the iptables-persistent package
/usr/sbin/netfilter-persistent save
/usr/sbin/iptables-save > /root/custom-ip-tables-rules
```

```console
root@operations:~/.scripts# chmod +x iptables.sh
root@operations:~/.scripts# ./iptables.sh
```

It is recommended to only allow access from known IP addresses!
```console
ops@operations:~$ git clone https://github.com/tmux-plugins/tpm ~/.tmux/plugins/tpm
```

```tmux
set -g default-terminal screen-256color
set -g history-limit 10000
set -g base-index 1
set -g mouse on
set -g terminal-overrides "xterm*:XT:smcup@:rmcup@:"
set -g renumber-windows on
set -g set-clipboard on
set -g status-interval 3
set -sg escape-time 0
setw -g mode-keys vi
set-option -g allow-rename off
set-window-option -g automatic-rename off
set -g @plugin 'tmux-plugins/tpm'
set -g @plugin 'tmux-plugins/tmux-sensible'
set -g @plugin 'tmux-plugins/tmux-resurrect'
run '~/.tmux/plugins/tpm/tpm'
# only needed for a manual clone of tmux-resurrect; tpm loads the plugin declared above by itself
run-shell ~/clone/path/resurrect.tmux
```
```console
ops@operations:~/opt$ git clone https://github.com/mitre/caldera.git --recursive
ops@operations:~/opt$ cd caldera
ops@operations:~/opt/caldera$ pip3 install -r requirements.txt
ops@operations:~/opt/caldera$ python3 server.py --insecure
```

```console
ops@operations:~$ pip3 install -U cryptography
ops@operations:~$ sudo apt-get remove python3-openssl -y
ops@operations:~$ sudo apt-get autoremove
ops@operations:~$ pip3 install -U cryptography
```
```console
root@operations:/# curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
root@operations:/# add-apt-repository \
  "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
  $(lsb_release -cs) \
  stable"
root@operations:/# apt-get update
root@operations:/# apt-get install docker-ce docker-ce-cli containerd.io docker-compose unzip
root@operations:/# apt-get upgrade
root@operations:/# systemctl enable docker
```

```console
ops@operations:~/opt$ mkdir vectr
ops@operations:~/opt$ cd vectr
ops@operations:~/opt/vectr$ wget https://github.com/SecurityRiskAdvisors/VECTR/releases/download/ce-8.4.3/sra-vectr-runtime-8.4.3-ce.zip
ops@operations:~/opt/vectr$ unzip sra-vectr-runtime-8.4.3-ce.zip
ops@operations:~/opt/vectr$ sudo docker-compose up -d
```
For the port forwarding to work, the hostname from the configuration has to be added to the `/etc/hosts` file.

```text
127.0.0.1 sravectr.internal
```

```console
$ ssh -i ~/.ssh/id_rsa ops@<RHOST> -L 8081:localhost:8081 -N -f
```

```console
ops@operations:~/opt$ git clone https://github.com/GhostManager/Ghostwriter.git
ops@operations:~/opt/Ghostwriter$ ./ghostwriter-cli-linux install
```