SKILLS FOR A RED TEAMER

2017 DEFCON 25 – SE Village


WHO ARE THESE GUYS AGAIN?

Tim Roberts (byt3boy)
@ZanshinH4x
Sr. Security Consultant, Threat Services | NTT Security
Tim lies good, does stuff, has a real (sharp) ninja star, phenomenal high kicker, and are good with, well, English.

Brent White (B!TK!LL3R)
@brentwdesign
Sr. Security Consultant | TrustedSec
Brent has held very heavy (dinner) roles in information security, protecting the cybers, cybering, and has his own cell phone.

wehackpeople.com

WHAT DO YOU MEAN “RED TEAMER”?

A “Red Team” is often a group of security testers who attempt to covertly identify gaps in security by imitating internal and external threats to a company’s assets – often including a review of physical and onsite social engineering risks with extensive threat modeling and targeted attacks.
Therefore, a “red teamer” would be an active member of a “Red Team”. Go team!
(*everyone cheers*)
COVERT, OVERT AND HYBRID

COVERT ASSESSMENTS

What is this covert Tom Clancy garbage you’re talking about?
Staying under the radar and taking the approach of someone with criminal or malicious intent. To avoid detection.
Assessment types that often include attempts to enter unauthorized locations, manipulate employees into divulging sensitive information and gaining physical access to locations and data.
COVERT ASSESSMENTS

Social Engineering
• Onsite efforts to gain a better understanding of the human risks associated with face-to-face interaction.
• Fake badges, client-side attacks, etc. Lies! So many lies! USB drops, card cloning, key loggers, so many options…
• Remote / Pretexting: OSINT, Google Maps, Vishing, Phishing

Physical Security Bypassing
• Onsite efforts to enter unauthorized locations and bypass physical security controls.
• Lock picking, UtD, Crash bar tool, Latch bypassing, Request-to-Exit sensors
• Identifying and avoiding areas of coverage – Bathrooms and dead spots
• After hours vs. business hours – Which is better for the target facility? More people throughout the day? Less of a risk?
COVERT ASSESSMENTS

What you can / cannot do
• Discuss methods and techniques to determine what is in scope with the client before the assessment.
• Is hacking in scope?
  • Is it okay to plug into the network to sniff traffic, grab hashes, MitM, server-side and client-side attacks?
• Can you remove devices?
  • If you grab a laptop or have access to an un-racked server, can you physically remove it from the premises?

If hacking is in scope
• Go in quietly and stay quiet with evasion techniques!
SECURITY AWARENESS / INCIDENT RESPONSE TESTING

If their incident response is part of the assessment, then you may eventually try to get caught.
Do things that are obvious and give them a chance to catch you.
• Usually best to wait until the end, after you’ve had a chance to do whatever you can.
OVERT ASSESSMENTS

These typically involve an escorted walkthrough of the facilities with the point-of-contact. This allows for Q&A and a more relaxed, more focused view.
• PSA checklists, standards and practices such as:
  • Sensitive Areas – Data centers, executive suites and offices, security control rooms, disposal bins, mail room, elevator, electrical and communications closets
  • High Risk Areas – Data center (floor to ceiling, IDS, coverage, etc.), guards, cleaning crew
  • Physical Security Controls – Locks, fencing, biometric readers, floor-to-ceiling, gaps in the door frame, perimeters, security guards and monitoring services
EXAMPLE “DEMO” FOR CLIENT

Fake Badge
HID Size: 85 x 5 x 1.9mm / 3.34" x 2.16" x 0.75" (L x W x H)

Elliot Alderson
OVERT ASSESSMENTS

Demonstrate to the client
• Looking for flaws in the deployment of physical security controls.
  • Point out deviated plates, exposed hinges, exposed screws, door gaps, floor-to-ceiling, etc.
• Showing how a simple tool lets you bypass the external door for entry into the building.
  • Shove knife, Shrum tool, UtD, a piece of plastic…
• Request-to-Exit sensor?
  • Show how compressed air, vape smoke and even whiskey can bypass them...and many other bypass methods.
HYBRID SECURITY ASSESSMENTS

Hybrid assessments include multiple assessment types such as social engineering, wireless, network, application and physical testing.
• Utilizing information from one attack vector to gain a foothold and/or assist in other attack vectors.
• Inside man / Outside man
  • How can the external attacker help the internal attacker and vice-versa?
  • Drops, rogue APs, etc.
  • External man can set up a rogue wireless AP, grab creds through phishing and then pass those along.
BOLD VS. SAFE

When is it appropriate to keep pushing?
• When should you move on to something else?
• This is good. This isn’t good…this guard wants to punch me in the face right now.
• Owned. Now what?
BOLD VS. SAFE

Escalation, Points of Contact, legal documentation
• Always have a way to contact the client if things go sideways.
  • Make sure they didn’t forget that you’re doing the assessment that week and went on vacation -- yes, it has happened.
• Carry the legitimate “Letter of Authorization” and/or Rules of Engagement document, often referred to as the ole “Get out of jail free” card.
  • This includes who to contact and signatures showing that what you’re doing is okay.
• Try another guise? What about that fake letter?
• When things are bad and you’ve been compromised, call the point of contact and let them know what is going on.
  • Strongly encourage whoever catches you to call the POC before escalating straight to law enforcement officials.
BASELINE SKILLSETS

Lock picking, bypass methods, etc.
• Don’t practice this stuff while on site! Learn what you’re doing before you go do it.
• Techniques that don’t involve messing up locking mechanisms, cores, frames, hinges, request-to-exit sensors, etc.
BASELINE SKILLSETS

Professional liar
• Playing the part
• Being able to talk your way into an area or out of a situation
• Convincing employees to do things outside of the norm
CLIENT COLLABORATION

What are specific areas of concern?
• Departments, Locations
• Where is the treasure? What is the primary goal?
• Are employees, security guards, etc. following procedures?

Partial or non-disclosure assessment types
• White (“Crystal”), Grey, Black - TECHNICOLOR!
• What is provided? What can be obtained? What does the digital footprint look like?

More than just targeting the data center
• Many security testers will head straight for the DC.
• How to provide benefit other than just owning the location.
CLIENT COLLABORATION

Incident response tests
• What are the current procedures? Do they even have an escalation process? Again, are they being followed?
• It may be a good idea to request information about how incidents are escalated during the kick-off call.

How do you test this?
• Take some risks.
• The good ole fake LoA is always handy.
• Plug super evil devices into the network.
RED TEAM TOOLKITS

Practical vs. Impractical
• Bags, tools, appearance and considerations
• When arriving for the on-site assessment, it is advised that you do not carry a large backpack or your super awesome tactical military bag.
  • Wear a bag that is a neutral color.
  • Remove hacker patches & pins from your bag.
• If you must use a tactical bag, consider a Versipack®, sling bag, laptop or shoulder bag. Maxpedition® makes an excellent jumbo Versipack with multiple built-in, organized and concealed pockets that isn't overly "tacticool."
  • Maxpedition Mongo™ Versipack. A cheaper version of the Maxpedition Mongo bag is the SHANGRI-LA Multi-functional.
• Organizer grids (Cocoon Grid-It) help to keep cables and small devices organized in your bag for quick access.
EXAMPLE TOOLKIT

Minus the patches and pins when on-site – All of the below fits in a single bag
The point of the photo is to show how much can fit in one bag. I have added a blurb
to further indicate the usefulness of said photo.
EXAMPLE TOOLKIT

Note: The lists coming up are not intended to be comprehensive, but a quick
reference for red team specific toolkits - which often include a combination of
technical devices and physical tools in relatively small bags.
Many tools commonly utilized in on-site social engineering, covert physical security
assessments and red team assessments may not be listed below. Although there are
popular vendors for specific tools, alternatives may exist.
Red Team Toolkit Example #1
• Lock picks (pocket) - commonly used picks, wafer and warded pick set
• Under-the-door tool
• Canned air, hand warmers (request-to-exit bypass, etc.)
• Shove knife/shrum tool
• Crash bar tool
• Dimple lock gun
• Tubular lock picks
• Fire/emergency elevator key set
• USB keylogger and Hak5 rubber ducky
• Hak5 LAN turtle
• Pineapple nano
• LAN tap
• Laptop or mobile device
• External hard drive
• Fake letter of authorization (as a plan B and to test incident response)
• Real letter of authorization
• Props for guises if utilizing social engineering
• RFID thief/cloner (something that is easy to hide - I often use a clipboard like the one shown in the picture above)
• Camera (or just use your smartphone)
EXAMPLE TOOLKIT

Red Team Toolkit Example #2
• Lock picks (pocket) - common
• Lock picks (backpack) - expanded set
• Under-the-door tool
• Shove knife/shrum tool
• Crash bar tool
• Snap gun with interchangeable needles
• Dimple lock picks, Tubular lock picks, Fire/emergency elevator key set
• Hand warmers/canned air/vape/whiskey? :)
• Leather gloves/good shoes
• USB keylogger and Hak5 rubber ducky
• Hak5 LAN turtle, LAN tap
• Wafers and warded pick set
• Malicious drops x4 (USB, etc.)
• Rogue access point (PwnPlug, Pi, whatever your flavor of choice), Hak5 pineapple, 15dbi wireless antenna (for outside, not really something you want to stuff in your bag inside).
• NetHunter tablet, TP-link adapter etc.
• Props for guises if utilizing social engineering
• Fake letter of authorization (as a plan B and to test incident response)
• Real letter of authorization
• RFID thief/cloner
• Camera (or just use your smartphone), Snake camera (a bonus for looking over drop ceilings or floors), Multi-tool
MISC. CONSIDERATIONS

• Various USB cables (A, B, mini, micro, OTG, etc.)
• SD Cards, microSD cards
• Smartphone (earpiece if with a team)
• Body camera (GoPro/ACE Cameras are sometimes handy with client approval)
• Extra power packs/batteries
• Small flashlight (low lumen)
• RTFM: Red Team Field Manual
TRAVEL TIPS

When deciding what to bring to an assessment, it is important to understand the facility, industry type, dress codes, etc. Allow yourself enough time for reconnaissance, especially if there is more than one target facility. From on-site observations, you may need to adjust your toolkit accordingly.
Remember that the lighter the kit, the easier it will be to move about and stay discreet.
• Keep a printout of "TSA approved items" just in case you run into any issues at the airport. Often TSA agents aren’t knowledgeable about the tools nor aware that the tools are allowed for carry-on.
• Another handy tip that has been recommended by additional industry leaders is to carry a stamped envelope, in case you need to mail something back to yourself.
• If you're worried about your carry-on, just check your tools in as a checked bag.
QUESTIONS?

“I got robbed by a sweet old lady on a motorized cart. I didn’t even see it coming!”

THE END!
