Re: Best attack strategy for a Red Team?

["sr." <staticrez () gmail com>]

Hello,

I would definitely not stop at just a scan. Get as much information
about the target network as possible, including zone transfers (if you
can), this increases your attack surface, increasing your chances of
success.

As for which machines to attack first, see what you can do with the
boxes with outdated software on them. You'll have more of a chance
there as well. And don't rule out scanning the linux machines for
netbios ports. this can be overlooked sometimes. Samba has been known
to be exploitable.

fabrizio


On Tue, Mar 10, 2009 at 11:33 AM, Scott <opiesan () gmail com> wrote:
> Lol.  Thanks Chip. I'm learning from everyone that cares to reply to
> my question. I've used MSF a number of times although I've never gone
> to the level of adding code from other sources. Sorry about the
> mention of Brian's post. I didn't notice that was a direct reply to me
> and not the list.
>
> More than the tools to use, I'm looking for recommendations on when
> you would choose to take one path over another. For example, I've run
> a scan on the network and found a few Windows workstations, a Win 2k3
> server, and a linux based DNS server. If I were coming in cold without
> the scan information and found the DNS server, I would try to do a
> zone transfer of the domain info to gain more insight into what
> systems the target network has. Since I have the scan data though,
> would you still probe the DNS data to gain any additional information
> or would you move on?
>
> Would you target the Windows machines or the linux box first? I assume
> that depends on the OS/Patch versions you've been able to determine so
> that you'd try to find the weakest point first and start there.
>
> I don't expect an exhaustive list of if/then scenarios since that
> would be too much to ask from anyone. I'm more looking for tried and
> true guidelines or recommended approaches that might be high level but
> keep the process moving. If that's unrealistic given the nature of pen
> testing that would be helpful to know as well. I'm tired of hearing
> the term "best practices" but that's along the lines of what I was
> thinking.
>
> Scott
>
> On Tue, Mar 10, 2009 at 10:11 AM, Chip Panarchy <forumanarchy () gmail com> wrote:
> > Ah, you want education.
> >
> > Hacking=Learning
> >
> > not
> >
> > Hacking=Destroying
> >
> > !!!
> >
> > Okay, can't see Brian's post...
>
> SNIP
>
> > Anyways, back on the topic of exploiting, the easiest (free) way to Exploit is;
> >
> > Metasploit (Use milw0rm to search for exploits, then Metasploit to
> > perform the exploits)
> >
> > Very simple once you understand the idea.
> >
> > Others will probably be of more help.
> >
> > Though hopefully you would've learnt from conversing with me.
> >
> > Panarchy
> >
> > On Wed, Mar 11, 2009 at 12:41 AM, Scott <opiesan () gmail com> wrote:
> > > Thanks for the feedback Chris. The only problem with this approach
> > > stems from what Brian mentioned above. The goal isn't to destroy the
> > > student teams' systems because all that really teaches you is how to
> > > reinstall HW/SW.  Consider it the softer side of attacking a system
> > > where we're supposed to get in and disable services, maintain access
> > > through installed backdoors, and generally exploit whatever
> > > vulnerabilities we can. Afterwards we go through a detailed debriefing
> > > with the student teams explaining the areas they were weak and strong
> > > so they can benefit from the experience gained on both sides of the
> > > fence.
> > >
> > > Some examples of past attacks were to compromise the VOIP server and
> > > reroute the team phones to the phone we had so that we could intercept
> > > their business inject calls. We later offered to "fix" their phones in
> > > exchange for 5 minutes of root access on one of their systems. Some of
> > > them turned us into the LE reps that were working in the game, some
> > > just flat out denied the offer.  Another example was installing a
> > > program that, when launched, made it look like the computer was
> > > installing Windows ME on top of their Win 2k3 server.  Those were the
> > > fun ones to watch and everyone got a laugh about it later while still
> > > learning something.
> > >
> > > This is an educational game that let's both sides get a taste of the
> > > real thing but through a controlled environment. As attackers we're
> > > learning as much as the students.
> > >
> > > Scott
> > >
> > > On Tue, Mar 10, 2009 at 7:42 AM, Chip Panarchy <forumanarchy () gmail com> wrote:
> > > > Hi
> > > >
> > > > Sounds like fun.
> > > >
> > > > Since you say that you are the least experienced, go for the unexpected.
> > > >
> > > > Once again, I must promote the use of Neodymium Magnets. These are
> > > > very small magnets, that have the same power has industrial magnets
> > > > (very cheap).
> > > >
> > > > So if you want to, destroy there network, the above way will do the
> > > > most damage, with the least chance of them knowing the method used.
> > > >
> > > > Maybe go for a bit of Social Engineering, or as I prefer to call it,
> > > > Industrial Espionage.
> > > >
> > > > This could involve distracting them for a little while then placing
> > > > some Neodymium Magnets under the desk where they have there laptop,
> > > > Computer or Server running.
> > > >
> > > > Nice and simple, and you'd be thinking outside the square.
> > > >
> > > > Good Luck!
> > > >
> > > > Panarchy
> > > >
> > > > On Tue, Mar 10, 2009 at 4:55 AM, Scott <opiesan () gmail com> wrote:
> > > > > Howdy folks!
> > > > >
> > > > > I'm part of a Red Team for the Mid-Atlantic region CCDC competition
> > > > > (Collegiate Cyber Defense Competition). There are some pretty talented
> > > > > folks on the team and I'm arguably the least experienced (for now).
> > > > > The short version explanation is that teams of college students are
> > > > > tasked with operating and defending a "corporate" network of systems
> > > > > ranging from web, email, DB, MS Domain servers, VoIP, and normal
> > > > > workstations. They have to patch a wide variety of holes while keeping
> > > > > designated services available for scoring. The team with the most
> > > > > uptime wins. Meanwhile, the red team is busy attacking these services
> > > > > along with anything else we can get into and create havoc for the
> > > > > student teams.
> > > > >
> > > > > My question to all of you is what you would recommend for an attack
> > > > > strategy here. In previous competitions it's been challenging to know
> > > > > where to start as there are many options. Should I find a hole and dig
> > > > > in with backdoors, create new user accounts, take over the admin
> > > > > accounts and lock out the student teams??? Technically the red team is
> > > > > supposed to bring down or deny access to the services the students are
> > > > > scored on (primary objective). There's always more going than that
> > > > > however. I'd like to stay focused when we go into the 3 day event this
> > > > > month so I need a plan.
> > > > >
> > > > > How would you do it if you didn't know more than possibly what types
> > > > > of systems you'll find on the target networks? Thanks.
> > > > >
> > > > > Scott