Red Team Tool Roundup

In many cases Red Team tools are not written because someone feels
like writing a tool, or wakes up one morning thinking, “I want to
write a tool today”. Red Teamers generally identify tedious tasks in
their methodology and then create tools that automate these tasks for
current and future assessments. As my boss likes to say, jokingly:
laziness breeds ingenuity!

At Mandiant, we’ve developed (or significantly contributed to) a
fair number of tools and scripts to make our lives easier. In order to
ensure the broader security community is aware of these tools and
where to download them from, we’re going to start releasing a “tool
roundup” blog post on a semi-regular basis. The intent of these blog
posts is to highlight newly developed tools, or major changes to
existing tools. We also make this a fun read by including some case
studies to demonstrate tool use.

Our Red
Team
is frequently introduced to diverse networks, technologies,
defenses, and organizational structures. Each network presents new
challenges that must be overcome, and with all clients, there is
overlap with infrastructure and configuration. Existing public tools
might not scale properly in larger environments or might not help the
Red Team address specific phases of an attack
life cycle
. The tools being discussed have all been revised or
developed in some form or fashion over the last couple of months. We
hope they make your engagements easier and bring awareness to the community.

Domain Enumeration

Tool: ADEnumerator (https://github.com/chango77747/AdEnumerator)

Domain enumeration is an essential task during the reconnaissance
phase of the attack life cycle. When you compromise a domain-joined
system, it is fairly simple to enumerate objects from the domain using
Active Directory Service Interfaces (ADSI) or the Windows “net
commands. ADSI works well from non-domain joined systems using the
“runas” command with the “netonly” switch, as shown in Figure 1. It
can be a hassle to craft detailed LDAP queries for ADSI to perform
domain enumeration, so we automated this processing using raw LDAP
queries in a tool called ADEnumerator.

Figure 1. Using PowerShell and ADSI for domain enumeration

ADEnumerator is a PowerShell module designed to query Active
Directory servers from non-domain systems. The following use cases
apply to ADEnumerator:

  1. You harvest domain credentials from a printer, via NBNS
    spoofing, etc., and want to start performing domain enumeration.
    Note: Any domain user credential can query LDAP.
  2. You want
    to gather more information about an account you harvested. Group
    naming conventions often reveal where you can use those credentials
    (for example, group name {systemName}_localAdmin).
  3. You are
    provided with credentials to start an internal penetration test from
    a known compromise perspective, but not a domain-joined system.
  4. You want to perform Active Directory enumeration from the
    command line so you can chain commands together.

Figure 2 demonstrates importing the ADEnumerator.psm1 module,
establishing an LDAP connection to a domain controller, and executing
various domain enumeration methods. There are plenty of additional
methods within ADEnumerator – see the header of the script for a full
list of methods.

Figure 2. ADEnumertor.psm1 import and enumeration

Alternatively, you can install Remote
Server Administration Tools
on your attack platform and use
“runas” to execute “mmc” and add the Active Directory snap-in. Then
you can change the domain to your target domain and view the entire
Active Directory structure in a GUI, as shown in Figure 3.

Figure 3. Active Directory snap-in running as
different user

Privilege Escalation and Lateral Movement

Tools: CredNinja (https://github.com/Raikia/CredNinja) & WMIOps (https://github.com/ChrisTruncer/WMIOps)

Have you been in a situation where you have a list of more than 100
credentials, but you are not sure which credentials are valid? Or,
you’re not sure which credentials have administrative rights to a
target system? CredNinja was created for just that (and it can do
more!). Use cases and general functionality are as follows:

  • Leverages SMB access (TCP port 445)
  • Attempts to mount
    C$ of all provided systems, returns:

        o   Logon Failure – Invalid credentials (protection against
locking out accounts included)
        o   Access Denied – Not
local admin
        o   File listing – Local admin!

  • Multi-threaded – so you can scale properly in those large
    environments
  • Fingerprints target operating system version and
    domain membership
  • If “–users” flag is enabled, it will
    perform a directory listing of “C:\Users” (or C:\Documents and
    Settings if its XP), look at the timestamp of all the home folders,
    and print out the users that have a home folder modified timestamp
    of within 100 days (this value is customizable, but the default is
    100 days).
        o   Provides a quick user-hunting functionality
    to identify active users on the targeted system.

CredNinja is very useful when performing privilege escalation and
lateral movement because you can identify systems for which your
credentials have elevated privileges, and continue dumping credentials
on those systems. Figure 4 demonstrates the power of CredNinja by
identifying various systems where the domain credentials have local
administrator rights, and whether or not credentials are invalid.
CredNinja can also be run against a single system to clean up your
credential list by removing invalid credentials.

Figure 4. CredNinja run against various systems
using credential list

Windows Management Instrumentation (WMI) is the new hotness
in terms of offensive capabilities. WMIOps is a PowerShell script that
uses WMI to perform a variety of actions on hosts, local or remote,
within a Windows environment. It was designed primarily for use on
penetration tests or Red Team engagements. Some existing tools use WMI
for offensive tasks; WMIOps was built to combine these techniques into
a single tool to accomplish various tasks in the attack life cycle.

Figure 5 shows the Get-ProcessOwnersWMI method in WMIOps to get a
list of users from target system Win7-Client02. User “Dick.Grayson”
had local administrator privileges on Win7-Client02 and was authorized
to execute arbitrary WMI commands. User “Bruce.Wayne” had running
processes on Win7-Client02, which indicates that the user potentially
has clear text credentials stored in Local Security Authority
Subsystem Service (LSASS).

To obtain credentials for “Bruce.Wayne”, WMIOps method
Invoke-RemoteScriptWithOutput is used in Figure 6 to execute a remote
PowerShell process that issues command “Invoke-Expression” to download
and execute the “Invoke-Mimikatz” script over HTTPS. The command also
instructs the output to be sent to web server 10.181.73.210 listening
on HTTPS. Mimikatz output was sent to the web server, as shown in
Figure 7.

Figure 5. Get-ProcessOwnersWMI method in WMIOps
to get a list of users with running processes

Figure 6. Invoke-RemoteScriptWithOutput method
to call Invoke-Mimikatz and send output to the "callbacksite"

Figure 7. Mimikatz output sent from the command
executed in Figure 4

Initial Vectors

Tool: EyeWitness (https://github.com/ChrisTruncer/EyeWitness)

One of the most common initial vectors into a network is default
credentials to known web administrative portals such as Jboss, Apache
Tomcat, Jenkins, etc. EyeWitness is known to scale networks by taking
screenshots of the web page of each web server identified in your
reconnaissance phase. We added an “active-scan” module to EyeWitness
that provides the following functionalities:

  • Signature authentication – Checks if the host has a known
    default credential signature and attempts to login using default
    credentials stored in a data file.
  • Check for login – Checks
    to see if the root path is a web login form, or is HTTP basic
    authentication, and attempts to authenticate to the web application
    using username and password combinations stored in a data file.
  • Append URLs to check for logins – Appends a list of common login
    pages to the web root directory. Examples of these pages are
    “admin”, “login”, “login.php” and more. The list of pages is stored
    in a data file so that it is easily customizable; feel free to add
    more and contribute!
        o   If a page receives a HTTP 200
    response code, it will check to see if it’s a login form.
       
    o   EyeWitness will attempt to login to the form using username and
    password combinations stored in a data file.

The “active-scan” Boolean flag is shown in Figure 8. Example report
and console output is shown in Figure 9 and Figure 10. An additional
category called “Identified Logins” is also added to the report if
EyeWitness identified a login, but was not able to authenticate to it.
If you want to learn more about this module, a full blog post on this
module was written here: https://www.christophertruncer.com/eyewitness-and-active-account-enumeration/.

Figure 8. Active-scan flag in EyeWitness

Figure 9. Successful authentication using the
active-scan module

Figure 10. EyeWitness report output

Attacker Simulation

Tool: Egress-Assess (https://github.com/ChrisTruncer/Egress-Assess)

The combined capabilities of Mandiant, FireEye, and iSIGHT Partners
brings unparalleled threat intelligence and technology to every
engagement. Clients regularly ask us to identify threat actors
targeting their industry specifically and to emulate their TTPs to
assess the organization’s current detection capabilities.
Egress-Assess is a Python tool that was created to emulate known
attacker TTPs, such as IP addresses and Fully Qualified Domain Names
(FQDNs) connecting to the Internet. Egress-Assess is publicly
available; however, Mandiant maintains a proprietary version of
Egress-Assess that contains known network-based indicators (NBIs) that
replicate real threat groups.

Egress-Assess modifies the host value in the HTTP(s) header request
to be a known-bad IP address or FQDN, and generates web requests to
known-bad URIs. Furthermore, the tool can generate fake PII, PHI, or
PCI data to emulate data theft. We use Egress-Assess to assess our
client’s detection capabilities by emulating real threat group
indicators and/or data theft. A list of supported threat actor groups
available in the public version of Egress-Assess is shown in Figure
11. If you want to learn more about this Egress-Assess, a full blog
post on this module was written here: https://www.christophertruncer.com/egress-assess-testing-egress-data-detection-capabilities/.

Figure 11. List of threat actors available in Egress-Assess

Conclusion

These are just a handful of tools and practical examples of using
those tools for Red Team operations. We encourage you to play with
these tools and start using them on your assessments or in your labs.

We want to reemphasize that each tool was created or modified as the
need was identified. It can be very exciting to identify a need and
develop tools and techniques to automate a task or accomplish an
objective. Some tools introduce new techniques to accomplish a goal,
while other tools simply automate existing tools and techniques to
scale better. Whatever your motive, introducing new tools and
techniques is an excellent way to provide awareness in our industry
and generate higher quality security.

*** This is a Security Bloggers Network syndicated blog from Threat Research Blog authored by Threat Research Blog. Read the original post at: http://www.fireeye.com/blog/threat-research/2016/07/red_team_tool_roundup.html