Red Team Toolkit Essentials

Many types of red team and physical security assessment toolkits are utilized across the industry. Through our experiences in the NTT Security Threat Services group, we have developed a mixed bag of devices and tools that we commonly use with hybrid assessment types.

The lists below are not intended to be comprehensive, but a quick reference for red team specific toolkits – which often include technical devices and physical tools.

As always, it is assumed that you have permission from your client, have the proper documentation on hand and the defined scope is your primary consideration before attempting to compromise a target facility. Please make sure that you have plenty of experience with bypass and lock picking tools in order to reduce the risk of damaging doors, locking cores and mechanisms etc. Always be responsible!

Note: Many tools commonly utilized in on-site social engineering, covert physical security assessments and red team assessments may not be listed below. Although there are popular vendors for specific tools, alternatives may exist.

Toolkit Travel Tips

When deciding what to bring to an assessment, it is important to understand the facility, industry type, dress codes, etc. Often you may not discover this kind of information until you are already on site, so it is important that you arrive at least the day before an engagement in order to observe the entry points, employees and access controls. Allow yourself enough time for reconnaissance, especially if there is more than one target facility. From on-site observations, you may need to adjust your toolkit accordingly. Remember that the lighter the kit, the easier it will be to move about and stay discreet.

Keep a printout of “TSA approved items” just in case you run into any issues at the airport. Often TSA agents are neither familiar with the tools nor aware that the tools are allowed in carry-on luggage.

Another handy tip, recommended by fellow red team assessors, is to carry a stamped envelope in case you need to mail something back to yourself.

If you’re worried about your carry-on, just check your tools in as a checked bag.

Toolkit Bags

When arriving for the on-site assessment, it is advised that you do not carry a large backpack or your super awesome tactical military bag. Here are some additional considerations:

  • Wear a bag that is a neutral color.
  • If you must use a tactical bag, consider a Versipack®, sling bag, laptop bag or shoulder bag. Maxpedition® makes an excellent jumbo Versipack with multiple built-in, organized and concealed pockets that isn’t overly “tactical.” One of our favorite bags is the Maxpedition Mongo™ Versipack. A cheaper alternative to the Maxpedition Mongo bag is the SHANGRI-LA Multi-functional.
  • DO NOT walk in with your hacker patches and pins all over your bag or stickers all over your laptop and gear – unless you intend to make yourself stand out on purpose.
  • Organizer grids (Cocoon Grid-It) help to keep cables and small devices organized in your bag for quick access.

Toolkit Examples

Minus the patches and pins when on-site, all of the below fits in a single bag (as shown in the picture below).

Red Team Toolkit Example #1

  • Lock picks (pocket) – commonly used picks
  • Under-the-door tool
  • Canned air, hand warmers (request-to-exit bypass, etc.)
  • Shove knife/shrum tool
  • Crash bar tool
  • Dimple lock gun
  • Tubular lock picks
  • Fire/emergency elevator key set
  • USB keylogger and Hak5 Rubber Ducky
  • Hak5 LAN Turtle
  • WiFi Pineapple Nano
  • LAN tap
  • Wafer and warded pick set
  • Laptop or mobile device
  • External hard drive
  • Fake letter of authorization (as a plan B and to test incident response)
  • Real letter of authorization
  • Props for guises if utilizing social engineering
  • RFID thief/cloner (something that is easy to hide – I often use a clipboard like the one shown in the picture above)
  • Camera (or just use your smartphone)

Red Team Toolkit Example #2

  • Lock picks (pocket) – common
  • Lock picks (backpack) – expanded set
  • Under-the-door tool
  • Shove knife/shrum tool
  • Crash bar tool
  • Snap gun with interchangeable needles
  • Dimple lock gun
  • Tubular lock picks
  • Hand warmers/canned air
  • Leather gloves/good shoes
  • Fire/emergency elevator key set
  • USB keylogger and Hak5 Rubber Ducky
  • Hak5 LAN Turtle
  • LAN tap
  • Wafers and warded pick set
  • Laptop if needed
  • External hard drive
  • Malicious drops x4 (USB, etc.)
  • Rogue access point (PwnPlug, Pi, whatever your flavor of choice)
  • Hak5 WiFi Pineapple
  • 15 dBi wireless antenna (for outdoor use; not really something you want to stuff in your bag indoors)
  • Nexus 7 with NetHunter, TP-Link adapter, etc.
  • Props for guises if utilizing social engineering
  • Fake letter of authorization (as a plan B and to test incident response)
  • Real letter of authorization
  • RFID thief/cloner
  • Camera (or just use your smartphone)
  • Snake camera (a bonus for looking over drop ceilings or floors)
  • Multi-tool


Miscellaneous Considerations

  • Various USB cables (A, B, mini, micro, OTG, etc.)
  • SD Cards, microSD cards
  • Smartphone (earpiece if with a team)
  • Body camera (GoPro/ACE Cameras are sometimes handy with client approval)
  • Extra power packs/batteries
  • Small flashlight (low lumen)
  • RTFM: Red Team Field Manual

Lock Pick Laws

If you purchase lock picks and bypass tools, it is important that you understand your state’s laws regarding them. Some states are strict about possession of burglary tools and some couldn’t care less. States to consider:

MS, NV, OH, VA – Possession of picks and bypass tools may be considered evidence of criminal intent.

TN – Lock picks and bypass tools are considerably restricted under current law.

TOOOL is an excellent resource: http://toool.us/laws.html

Final Toolkit Thoughts

The above information will help to assist anyone starting their own red team bag. As I said above, please be responsible and only attempt relevant on-site assessments when directed from the target organization, and with the proper legal documents signed and in place.

You can also reach out to us at NTT Security. We can assist your organization with any questions on these types of assessments, what kind of risks these attack vectors may be to your organization, and any other security concerns you may have. Cheers and stay aware!

Best open-source Red Team tools

One of the best features of the cybersecurity community is the vast number of free and open-source tools that are available. Many very smart and skilled hackers have developed tools for a variety of purposes and made them available to the community.

As a result, there are many options for open-source Red Teaming tools. Even choosing the tool that is best at its particular job leaves a long list to pick from. In this article, we’ll discuss some of the best open-source tools for Red Teaming, organized by their role in the cyberattack life cycle. Many of these tools are built into the default Kali Linux distribution.


Reconnaissance

The first stage in any Red Team assessment is reconnaissance. The Red Team typically goes into the assessment with little or no knowledge of the target environment. However, a wide variety of open-source tools exist for closing that knowledge gap.

Nmap is probably the most well-known tool for reconnaissance. It is a network scanner with a wide variety of useful features. Using nmap, a Red Team can learn a great deal about any reachable computer on the network. However, network scanning must be used carefully, since it can be easily detected.
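To illustrate the point that network scanning is easily detected, here is a minimal scan detector (an added example, not part of the article or any of the tools it lists). It flags a source that contacts many distinct ports on one host within a short window; the log format, threshold and window are assumptions, and the log lines are constructed.

```python
# Added example (not from the article): a minimal port-scan detector that flags
# a source IP which touches many distinct destination ports on one host within
# a short time window. The log format and thresholds below are assumptions.
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: "<timestamp> <src_ip> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 -> 10.0.0.20:22
2024-05-01T10:00:00 10.0.0.5 -> 10.0.0.20:80
2024-05-01T10:00:01 10.0.0.5 -> 10.0.0.20:443
2024-05-01T10:00:01 10.0.0.5 -> 10.0.0.20:3389
2024-05-01T10:00:02 10.0.0.5 -> 10.0.0.20:445
2024-05-01T10:00:02 10.0.0.5 -> 10.0.0.20:8080
2024-05-01T10:00:03 10.0.0.5 -> 10.0.0.20:21
2024-05-01T10:00:03 10.0.0.5 -> 10.0.0.20:25
2024-05-01T10:00:04 10.0.0.5 -> 10.0.0.20:110
2024-05-01T10:00:04 10.0.0.5 -> 10.0.0.20:143
2024-05-01T10:00:05 10.0.0.5 -> 10.0.0.20:3306
2024-05-01T10:00:00 10.0.0.9 -> 10.0.0.20:443
2024-05-01T10:05:00 10.0.0.9 -> 10.0.0.20:443
"""

def parse_line(line):
    """Split one log line into (timestamp, src_ip, dst_ip, dst_port)."""
    ts, src, _, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port)

def detect_scans(log_text, port_threshold=10, window_seconds=60):
    """Return {(src, dst): max_distinct_ports} for every src/dst pair whose
    distinct port count within some sliding window reaches port_threshold."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst_ip, port = parse_line(line)
            events[(src, dst_ip)].append((ts, port))
    alerts = {}
    for pair, evs in events.items():
        evs.sort()  # order by timestamp so the window can slide forward
        start = 0
        for end in range(len(evs)):
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1  # drop events that fell out of the window
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) >= port_threshold:
                alerts[pair] = max(alerts.get(pair, 0), len(ports))
    return alerts
```

On the constructed sample, the host sweeping eleven ports in five seconds is flagged while the host repeating a single HTTPS connection is not; real deployments would tune the threshold to the environment's normal traffic.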

Dnsrecon is another useful tool for reconnaissance. It allows the Red Team to identify different domain names within the target network and the associated IP addresses, which can be useful for targeting different types of attacks. It also has additional DNS-related functionality like testing for zone transfers.

Shodan is a search engine for internet-connected devices. The wide deployment of IoT devices and their poor security in general makes them a promising initial entry point for a Red Team. Shodan can help with finding and identifying these devices.

Slurp is designed to help with discovery of poorly-secured AWS cloud deployments. It allows scanning within a particular domain or by keywords, allowing the Red Team to discover the customer’s potentially vulnerable AWS accounts.

Gaining and maintaining access

Once the Red Team has a feel for the target network, it’s time to try to exploit it. This stage includes both gaining initial access to the target environment and establishing a way to maintain and exploit this access.

Metasploit is primarily intended as a commercial tool, but its Community edition is still extremely powerful. Metasploit is considered the world leader in exploitation frameworks, with over 1500 different exploits built in and the ability to develop and integrate custom ones.

Ncat is known as the Swiss Army knife of information security. Its main purpose is to create a TCP/UDP connection with any port. It can be used for port scanning, banner grabbing, data exfiltration, setting up a remote shell and many other purposes.

Social Engineer Toolkit (SET) is a tool for building phishing attacks to test the customer’s resilience against social engineering. It can help with building phishing emails, websites and malicious attachments.

Network analysis

If the Red Team can gain access to the customer’s internal network, it can provide a wealth of valuable data. Even passive network reconnaissance can provide information about the network infrastructure, services running and used by different machines, and even user credentials if they are using insecure protocols.

Aircrack-ng is a network traffic analysis tool focused on Wi-Fi security. It has built-in support for monitoring traffic sent over Wi-Fi, performing common Wi-Fi-focused attacks and cracking passwords for weak wireless security protocols (WEP and WPA).

Wireshark is the best-known network traffic analysis tool available. It has the ability to capture traffic live off the wire or load from a saved packet capture. Its built-in dissectors and other features make it easy to extract useful intelligence from network traffic.

Password cracking

Once the Red Team has access to a machine on the customer’s network, password cracking is a promising way to escalate privileges or move laterally throughout the network.

Hashcat is a popular password hash cracker used in Red Team engagements. It has GPU support, which allows it to brute-force any eight-character Windows password (which is the default minimum length) in a couple of hours.

Mimikatz is an open-source tool for collecting Windows password information from a compromised machine. It also supports credential-based attacks such as Pass-the-Hash and building Golden Tickets.

Planning and reporting

Some of the most underrated tools for Red Team engagements are those designed to help with planning and reporting. While the Red Team may enjoy the attacking phases of the assessment the most, the customer benefits most from receiving a comprehensive report on the vulnerabilities discovered within their network.

MITRE ATT&CK is a framework that breaks the cyberattack life cycle into its component parts and describes the various techniques by which each stage can be accomplished. It is valuable both in the planning stages of an assessment, by ensuring that a Red Team doesn’t always use the same methods of attack, and in reporting, by providing additional context to the customer regarding discovered vulnerabilities.

Dradis is a reporting and collaboration tool for information security professionals. It can be used to generate one-click reports and track the activities of the Red Team throughout an assessment. It also has the ability to integrate directly with tools like Nmap and Nessus.

Conclusion: Building a Red Team toolkit

Red team assessments can be an extremely fast-paced environment and having the right tools can mean the difference between a successful assessment and failing to identify or exploit a critical vulnerability.

A good starting point for building a Red Team toolkit is downloading and installing Kali Linux, as many of the tools mentioned here are included in the default distribution. From there, additional tools can be acquired and added to address specific use cases. When building a toolkit, it’s important not to focus on the network side of the assessment to the exclusion of the physical aspects. A Red Team is also likely expected to try physical attack vectors against the customer’s security and needs to have the appropriate tools for that part of the work as well.


