So, you managed to social engineer your way into the network. You have backdoors installed and full control of a system with admin-level access.
Now what?
A big part of red team exercises is to expose the weaknesses in an organization, whether digital, physical or human. Adversarial exercises provide another view of security and help decision makers understand where their problems actually are.
Thinking like an attacker is key here.
The problem is that attackers learn, adapt and change tactics all the time. So should you, as part of a red team.
Going back to the first paragraph of this post: once you are inside, what do you do? Think like an attacker. What are you after? Data? A specific computer or server? A specific person? Total disruption of the network? Once you know your target, or what you want to achieve, make a plan. Draw a diagram of what you know and what your next 4-5 moves will be, and create contingency moves for each one; you never know. That diagram is a good thing to have when a sharp sysadmin or security analyst on the other side discovers you and starts trying to block you.
What I usually plan first is the recon of the network. This is a complex task. Modern networks, even in small to medium organizations, can have a lot of complexity and security features built in. Plan a stealthy recon and, depending on how much time you have, move slowly. Do not set off any alarms. Add each potentially useful system you find to an overall map of the network as you know it: record hostnames, IP addresses, OS, running applications, etc. The idea is to have as much information in front of you on the whiteboard as possible before you plan the next phase: where to go and what to extract. Plan the egress routes and the protocols you will use to move the information out, and set up servers ready to receive the data (encrypted, of course, since it belongs to your customer). Have fallback servers as well: Mr. Murphy is always present.
Once you are done with the planning, execute. Again, stealth is key here. Unless you were specifically hired to test the reaction of the organization's incident response team, you should try to be as quiet as sign language. Move slowly and copy information out in small pieces.
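The egress plan described above (encrypted data, small pieces, a primary receiver with fallbacks) is the kind of thing worth rehearsing before the engagement. The following is an added example, not code from the original post: it splits a payload into small chunks, seals each one with encrypt-then-MAC and an authenticated sequence number, and sends it to the first receiver that answers. Everything is simulated in memory: the receivers are plain Python objects standing in for drop servers, the payload and key are constructed, and the cipher is an HMAC-SHA256 counter-mode keystream chosen only so the example runs on the standard library; a real engagement would use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305 over the chosen transport.

```python
"""Chunked, encrypted egress with fallback receivers (added example, simulated)."""
from __future__ import annotations

import hashlib
import hmac
import os
import struct

HEADER_LEN = 4 + 16   # 32-bit sequence number + 16-byte nonce
TAG_LEN = 32          # HMAC-SHA256 tag


def derive_keys(master: bytes) -> tuple[bytes, bytes]:
    """Separate encryption and MAC keys from one shared secret."""
    enc_key = hmac.new(master, b"egress-enc", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"egress-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || counter). Stand-in for a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_chunk(enc_key: bytes, mac_key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Encrypt one chunk; the tag covers header and ciphertext so reordering is detected."""
    nonce = os.urandom(16)  # fresh nonce per chunk, never reused with the same key
    ks = keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    header = struct.pack(">I", seq) + nonce
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def open_chunk(enc_key: bytes, mac_key: bytes, blob: bytes) -> tuple[int, bytes]:
    """Verify the tag in constant time first, then decrypt."""
    header, body, tag = blob[:HEADER_LEN], blob[HEADER_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("chunk failed integrity check")
    seq = struct.unpack(">I", header[:4])[0]
    ks = keystream(enc_key, header[4:], len(body))
    return seq, bytes(c ^ k for c, k in zip(body, ks))


class Receiver:
    """Simulated drop server; goes offline after accepting `fail_after` chunks."""

    def __init__(self, name: str, fail_after: int | None = None):
        self.name = name
        self.fail_after = fail_after
        self.inbox: list[bytes] = []

    def accept(self, blob: bytes) -> None:
        if self.fail_after is not None and len(self.inbox) >= self.fail_after:
            raise ConnectionError(f"{self.name} unreachable")
        self.inbox.append(blob)


def egress(data: bytes, master: bytes, receivers: list[Receiver],
           chunk_size: int = 64) -> list[tuple[int, str]]:
    """Send `data` in small sealed chunks, trying receivers in order.

    Returns a (sequence, receiver) log; raises rather than silently losing a chunk.
    """
    enc_key, mac_key = derive_keys(master)
    log = []
    for seq, start in enumerate(range(0, len(data), chunk_size)):
        blob = seal_chunk(enc_key, mac_key, seq, data[start:start + chunk_size])
        for rx in receivers:
            try:
                rx.accept(blob)
            except ConnectionError:
                continue  # Mr. Murphy: fall through to the next receiver
            log.append((seq, rx.name))
            break
        else:
            raise RuntimeError(f"all receivers down at chunk {seq}")
    return log


def reassemble(master: bytes, receivers: list[Receiver]) -> bytes:
    """Gather chunks from every receiver, verify each one, reorder by sequence."""
    enc_key, mac_key = derive_keys(master)
    pieces = {}
    for rx in receivers:
        for blob in rx.inbox:
            seq, plaintext = open_chunk(enc_key, mac_key, blob)
            pieces[seq] = plaintext
    return b"".join(pieces[i] for i in sorted(pieces))


# Constructed sample payload (539 bytes, so the last chunk is short) and demo key.
SAMPLE = b"constructed sample export: " + bytes(range(256)) * 2
MASTER_KEY = hashlib.sha256(b"constructed demo key, not a real secret").digest()


def demo() -> tuple[list[tuple[int, str]], bool]:
    """Primary drops after three chunks; the rest fail over and still reassemble."""
    receivers = [Receiver("primary", fail_after=3), Receiver("fallback")]
    log = egress(SAMPLE, MASTER_KEY, receivers)
    return log, reassemble(MASTER_KEY, receivers) == SAMPLE


if __name__ == "__main__":
    for seq, where in demo()[0]:
        print(f"chunk {seq:2d} -> {where}")
```

Two design points carry over to a real engagement: the sequence number is inside the authenticated header, so a receiver can tell a dropped or reordered chunk from a corrupted one, and `egress` fails loudly when every receiver is down instead of quietly losing customer data. Pacing (random delays between chunks) is left out here so the example runs instantly; add it before the `accept` call when the goal is to stay under the defenders' thresholds.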
When you are done with the execution, vanish. Remove the backdoors and any other tools you left on the network. This is done not only to avoid being detected, but because if there is an actual bad guy in the network you don't want to hand her ready-made tools or backdoors. Do not erase logs. They are great educational material for the organization's security staff, who can use them to practice forensics.
So, what do we do once we are in? Plan, execute and vanish.