As defined by the U.S. National Security Agency (NSA), a red team is an entity that specializes in breaking & entering, acquiring classified information, and leaving no trace behind. In the cyber realm, Red teams focus on penetration testing of different systems and their levels of security. They help detect, prevent, and eliminate weaknesses while putting a spotlight on glaring vulnerabilities. A red team goes about this by imitating real-world cyber-using all existing data/network penetration techniques. This helps organizations identify the vulnerabilities that can pose a threat to their system.
Popular tools used for red team assessments:
Nmap, or Network Mapper, is an open source and free security tool that’s also one of the oldest in the game—it launched in 1997. Regardless, it’s actively maintained and effectively used for detecting open ports on remote hosts, network mapping and enumeration; gathering hosts, OS, DNS and other information; and several other tasks that aid in red team operations. Nmap is, in our opinion, one of the most important red team open source tools out there.
sqlmap is a very cool open source penetration testing tool that launches SQL injection tests and discovers issues and vulnerabilities. Some of its key features include automatic code injection capabilities, user enumeration, password hash recognition, dictionary-based password cracking, executing remote SQL SELECTS and more.
Spiderfoot is one of the best (and one of our favorite) reconnaissance tools for automated OSINT. Written by Steve Micallef, Spiderfoot queries over 100 public data sources and gathers intelligence about names, email addresses, domain names, IP addresses and more. All of the data is centralized in one single tool, helping red teams make their information-gathering process that much faster and more efficient.
EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible.
Dnsrecon is a tool for DNS Enumeration.
truffleHog searches through git repositories for secrets, digging deep into commit history and branches.
Maltego is a unique platform developed to deliver a clear threat picture to the environment that an organization owns and operates.
OSINT Framework is another one of our favorite security information gathering tools; so much so that we even have a fully dedicated article to it. This cybersecurity framework is used for reconnaissance, intel gathering and OSINT research. OSINT Framework is a handy collection of OSINT tools filtered by categories, making red teams’ intel gathering tasks much easier.
Often called the ‘search engine for hackers’, Shodan is focused on the deep web and the IoT. With the IoT frequently lacking proper security, it can offer multiple points of entry. Shodan is used to scan almost anything that is connected to the internet, such as servers, routers and webcams—but when we say “anything that is connected to the Internet”—we mean it. Among numerous examples, Shodan lets you scan traffic light systems, heating systems, nuclear power plants and much more.
Social Engineering Toolkit (SET)
The Social Engineering Toolkit, or SET for short, is a free open source security tool that features numerous attack techniques for social engineering. These include creating a phishing page by cloning the original, and attack options such as phishing, spear phishing, website attacks, mass mailing and much more.
Metasploit is an open source project that offers both commercial and free versions. Metasploit is useful for many security professionals and red teams in discovering security vulnerabilities and developing, testing and executing exploits. Their ‘Metasploit Framework’ version offers capabilities for evading detection systems, running vulnerability scans, enumerating hosts and more.Invoke-Obfuscation PowerShell Obfuscator. https://github.com/danielbohannon/Invoke-Obfuscation
PowerShell remote download cradle generator and obfuscator. https://github.com/danielbohannon/Invoke-CradleCrafter
cmd.exe Command Obfuscation Generator & Detection Test Harness. https://github.com/danielbohannon/Invoke-DOSfuscation
Morphing Cobalt Strike’s evil.HTA. https://github.com/vysec/morphHTA
It is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. https://github.com/trustedsec/unicorn
It is a dynamic shellcode injection tool, and the first truly dynamic PE infector ever created. https://www.shellterproject.com/
It Embed and hide any file in an HTML file. https://github.com/Arno0x/EmbedInHTML
Stealing Signatures and Making One Invalid Signature at a Time. https://github.com/secretsquirrel/SigThief
Veil Framework is one of the most popular antivirus evasion tools available and one of the most valuable red team tools. Red teams can use it to generate Metasploit payloads in Python and Ruby, among others, and to bypass many common antivirus solutions.
Invoke-PSImage is a tool to embeded a PowerShell script in the pixels of a PNG file and generates a oneliner to execute. https://github.com/peewpw/Invoke-PSImage
run PowerShell with rundll32. Bypass software restrictions. https://github.com/p3nt4/PowerShdll
(AntiVirusEvasionTool) is targeting windows machines with executable files using different evasion techniques. https://github.com/govolution/avet
Gophish is an open-source phishing framework that’s highly useful in red team operations. It can help create phishing campaigns easily and schedule them, launch them, and finally track results from the campaign to test an organization’s awareness of and susceptibility to phishing attacks.
Hashcat is, as they claim, the “world’s fastest password cracker.” It’s an open source password hash cracker that red teams can utilize for brute forcing passwords and performing dictionary attacks, among other utilities for advanced password cracking. Hashcat is great, easy red team open source tool to have in your arsenal.
King Phisher is an open source phishing campaign tool that simulates real-world phishing attacks. This phishing tool can be used to run different and separate campaigns simultaneously, and use them for simple security awareness training as part of your cybersecurity culture. It’s also effective for more complex scenarios involving credential harvesting.
It is a flexible and powerful reverse proxy, that will take your ethical phishing campaigns to the next level. https://github.com/drk1wi/Modlishka
It is a man-in-the-middle attack framework used for phishing credentials and session cookies of any web service. https://github.com/kgretzky/evilginx2
BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser. https://github.com/beefproject/beef
It is a phishing framework written with the Python micro-framework Flask and Jinja2 templating which supports capturing 2FA tokens. https://github.com/ustayready/CredSniper
It is a web application framework for launching and managing OAuth abuse campaigns. https://github.com/fireeye/PwnAuth
PowerUp is a PowerShell tool that offers checks for common Windows misconfigurations as well as a number of Windows privilege attack methods, to help you with local privilege escalation on Windows systems. Additionally, it offers methods to abuse vulnerable services and other escalation opportunities.
BeRoot is a privilege escalation project. This project is a post-exploitation tool that checks against common misconfigurations, allowing it to help red teams escalate privileges. BeRoot is used to detect misconfigurations but not exploit them, although if you do find something, you can create a template which can be used to exploit it.
BloodHound is a widely used security tool for both red and blue teams. This tool is used to visualize active directory environments and reveal access control lists, users and the relationships within it. As a tool for red teaming BloodHound helps in finding different attack paths to the target and seeing privilege relationships when performing domain escalations.
PAExec is a free remote administration tool designed to help in post-exploitation activities. This remote shell aids in remote execution and interactive shell sessions with remote Windows machines, without the need to install client software.
CrackMapExec—or as the creator’s claim, “the swiss army knife for pen testing networks”—is a Python-based utility that evaluates and exploits vulnerabilities in an active directory environment. Leveraging Mimikatz to obtain credentials, it moves laterally through the active directory.
It is a tool to automatically exercise an attack plan generated by the BloodHound application. https://github.com/GoFetchAD/GoFetch
C# Rewrite of the BloodHound Ingestor. https://github.com/BloodHoundAD/SharpHound
It is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. https://github.com/PowerShellMafia/PowerSploit
It is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security, penetration testing and red teaming. Nishang is useful during all phases of penetration testing. https://github.com/samratashok/nishang
It is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (for instance NMB, SMB1-3 and MS-DCERPC) the protocol implementation itself. https://github.com/CoreSecurity/impacket
It is a pen-testing / red-teaming tool for Windows environments. https://github.com/nccgroup/redsnarf
It is a Windows PowerShell LLMNR/mDNS/NBNS spoofer/man-in-the-middle tool. https://github.com/Kevin-Robertson/Inveigh
It is a PowerShell Toolkit for Attacking SQL Server. https://github.com/NetSPI/PowerUpSQL
It is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). https://github.com/dafthack/MailSniper
It is a tool written in PowerShell to perform a password spray attack against users of a domain. https://github.com/dafthack/DomainPasswordSpray
It is a powershell script that uses WMI to perform a variety of actions on hosts, local or remote, within a Windows environment. It’s designed primarily for use on penetration tests or red team engagements. https://github.com/ChrisTruncer/WMIOps
Command and Control
It is an opensource, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool mainly written in python. https://github.com/n1nj4sec/pupy
It is a post-exploitation framework that includes a pure-PowerShell2.0 Windows agent, and a pure Python 2.6/2.7 Linux/OS X agent. https://github.com/EmpireProject/Empire
It is a software for Adversary Simulations and Red Team Operations and RAT. https://cobaltstrike.com/
Exfiltrate and complete
In red team operations, collecting important information from the target is important, but also important is finding ways to transfer that data without getting revealed. Cloakify Factory is a tool that transforms the data into strings, which gives it the ability to hide the data in plain site without triggering any network alerts.
Another tool to aid in file transfer and data exfiltration is DNSExfiltrator. This tool encodes the data to fit into DNS requests, then transfers the data over a DNS request covert channel.
DET, or Data Exfiltration Toolkit, is a really easy tool to use. It is actually a proof of concept that identifies DLP (data loss prevention) failures and performs data exfiltration using ICMP, social media platforms, or even through Gmail. This can all be done using either a single channel or multiple channels at the same time.
PowerShell-RAT is a Python- and Powershell-based tool used to backdoor Windows. It uses Gmail to exfiltrate data as an e-mail attachment and is undetectable by common antivirus solutions.
It is a Python Package for Data Exfiltration. https://github.com/ytisf/PyExfil
It is a tool used to test egress data detection capabilities. https://github.com/ChrisTruncer/Egress-Assess
- MITRE’s ATT&CK™ is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target. https://attack.mitre.org/wiki/Main_Page
- PRE-ATT&CK Adversarial Tactics, Techniques & Common Knowledge for Left-of-Exploit. https://attack.mitre.org/pre-attack/index.php/Main_Page
- Adversary OPSEC consists of the use of various technologies or 3rd party services to obfuscate, hide, or blend in with accepted network traffic or system behavior. https://attack.mitre.org/pre-attack/index.php/Adversary_OPSEC
- Adversary Emulation Plans To showcase the practical use of ATT&CK for offensive operators and defenders, MITRE created Adversary Emulation Plans. https://attack.mitre.org/wiki/Adversary_Emulation_Plans
- Red-Team-Infrastructure-Wiki Wiki to collect Red Team infrastructure hardening resources. https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki
- Advanced Threat Tactics – Course and Notes This is a course on red team operations and adversary simulations. https://blog.cobaltstrike.com/2015/09/30/advanced-threat-tactics-course-and-notes
- Awesome Red Teaming List of Awesome Red Team / Red Teaming Resources. https://github.com/yeyintminthuhtut/Awesome-Red-Teaming
- ATT&CK for Enterprise Software is a generic term for custom or commercial code, operating system utilities, open-source software, or other tools used to conduct behavior modeled in ATT&CK. https://attack.mitre.org/wiki/Software
- Planning a Red Team exercise This document helps inform red team planning by contrasting against the very specific red team style described in Red Teams. https://github.com/magoo/redteam-plan
- Awesome Lockpicking a curated list of awesome guides, tools, and other resources related to the security and compromise of locks, safes, and keys. https://github.com/meitar/awesome-lockpicking