Disclaimer: Educational purposes, personal reference, don’t do illegal hacking, IANAL, etc.
Note: THP3 is my primary source for this. I’m putting my thoughts and notes to help me remember the info while avoiding putting too much info from the book here. If you are considering buying the book, I highly recommend it.
So we’ve hit the home stretch, and I’ve decided to combine my notes for the last 3 chapters because I don’t think standalone posts are needed. There’s still good stuff, but the book is definitely winding down.
THP3 08 – Special Teams – Cracking, Exploits, and Tricks
This chapter is basically a resource chapter – helpful stuff that may not get used every engagement, but is good to have in your back pocket for when it’s needed.
Behavior-based detection and protection software continues to improve, so attacks must become quicker to stay ahead of detection. Kim talks about getting caught on the first attempt using basic stuff to learn how the target handles things. Basically, poke the bear and see what happens.
You can automate Metasploit by using AutoRunScripts, and Kim provides a walkthrough of the process. There’s also a write-up by Nyxs that I found helpful. Empire can be automated, and directions are provided. I found a couple useful posts on automating Empire in slightly different ways – to set up common listeners, create unattended deployment and teardown, and get domain admin using DeathStar. And Cobalt Strike can be automated with Aggressor Scripts.
The long and short of it is that automating things is important from both a sanity and time perspective.
Kim talks about a password dump with 1.4 billion creds. This post provides a nice overview of the dump. Password dumps are happening frequently, so watch for them. Check legality before downloading, but having the passwords can be helpful. Kim has created a list of just the passwords. You can build a password cracking rig for around 10 grand, but that is not something a lot of us are going to invest in. You can use the cloud to do your password cracking, or go with different specs to create a cheaper, albeit slower, rig.
Have I Been Pwned is another good resource. You can use it to get password info for cracking, check if emails have been included in breaches, and even monitor a domain for inclusion in breaches. That last one can be helpful from the blue team side of things since credential stuffing is such a popular attack vector.
It’s important to be on the lookout for new password dumps so your list can be updated. There are a ton of ways to watch for new info, and Kali includes a fair number of the standard wordlists. And don’t forget about tools like Crunch to develop password lists based on info you’ve found about the targets.
Then you can add rules to find even more options. For instance, you can tell Hashcat to apply various modifications to each word in the list. Kim provides a link to the KoreLogic contest rules, which are helpful for understanding rules in the context of password cracking, along with several other rule sets:
- Hashcat Rules
- NSAKEY Rules forked to his GitHub
- Praetorian-inc Hob0Rules forked to his GitHub
- NotSoSecure also forked
Gotta Crack Em All – Quickly Cracking as Many as You Can
This section is basically an explanation of password cracking strategy. Kim notes that although all you really need are a couple of high-value accounts, he tends to want to crack them all. I can relate to that… You have to understand the format of the hashes to crack things most efficiently. For instance, I’ve noticed that John the Ripper goes much faster when I specify NTLM hashes rather than letting it detect the type automatically. The walkthrough goes step by step through cracking a file of password hashes. Roughly, the steps were:
- short passwords
- common passwords
- different rule sets
- rule sets against other password lists
- add characters at the end
- add characters at the beginning
- use Hashcat Utils
- use other lists, like the Google 100 words, with Hashcat Utils
- use tools like Brutescrape and Burp Word List Extractor to create custom wordlists based on material related to the target
- take the cracked passwords and create masks using PACK
- crack using the new masks
- run the password lists through Pipal to analyze them
That’s an incredible oversimplification, but it should give you the general idea. I really appreciate being able to see the logic Kim uses when cracking passwords. Kim wrapped the section with links to A Deep Learning Approach for Password Guessing and Fast, Lean, and Accurate: Modeling Password Guessability Using Neural Networks for additional study on password cracking research.
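The rule and mask steps above (and the Hashcat rule sets listed earlier) are easier to reason about with a toy implementation. This is an added example, not code from the book or from Hashcat/PACK: it re-implements a handful of Hashcat rule functions and PACK statsgen-style mask derivation in plain Python, which is also what a password policy check could use to reject the same predictable variants of dictionary words. The rule subset and sample passwords are constructed.

```python
# Added example: toy Hashcat-style rule engine plus PACK-style mask derivation.
# Not the book's code and not Hashcat/PACK; rule subset and sample words are constructed.
from collections import Counter

def apply_rule(word: str, rule: str) -> str:
    """Apply one Hashcat rule line (functions separated by spaces) to a word.
    Subset: ':' no-op, 'l' lower, 'u' upper, 'c' capitalize, 'r' reverse,
    '$X' append X, '^X' prepend X, 'sXY' replace every X with Y."""
    for func in rule.split():
        if func == ":":
            continue
        if func == "l":
            word = word.lower()
        elif func == "u":
            word = word.upper()
        elif func == "c":
            word = word[:1].upper() + word[1:].lower()
        elif func == "r":
            word = word[::-1]
        elif len(func) == 2 and func[0] == "$":
            word = word + func[1]
        elif len(func) == 2 and func[0] == "^":
            word = func[1] + word
        elif len(func) == 3 and func[0] == "s":
            word = word.replace(func[1], func[2])
        else:
            raise ValueError(f"unsupported rule function: {func!r}")
    return word

def expand(words, rules):
    """Candidates from every (word, rule) pair, de-duplicated, order preserved."""
    seen, out = set(), []
    for w in words:
        for r in rules:
            cand = apply_rule(w, r)
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out

def mask_of(password: str) -> str:
    """Hashcat mask (?l ?u ?d ?s) of a password, as PACK's statsgen derives it."""
    return "".join("?l" if c.islower() else "?u" if c.isupper()
                   else "?d" if c.isdigit() else "?s" for c in password)

def top_masks(cracked, n=3):
    """Most common masks among cracked passwords: input for a mask attack,
    or for a policy check that rejects the same predictable shapes."""
    return Counter(mask_of(p) for p in cracked).most_common(n)
```

Running `expand(["password"], [":", "c", "c $1 $2 $3", "sa@ $!"])` shows how a single base word fans out into the familiar "Password123" and "p@ssword!" shapes, and `top_masks` over a few cracked passwords shows why "Summer2019!" and "Winter2019!" collapse into one mask.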
This section talks about the need for red teams to be creative, and Kim likes simulating ransomware. That is definitely something that will show up on most organizations’ threat models. Checking your prevention and recovery methods is certainly a valuable process. Kim didn’t include any examples of ransomware because of the risk. I’m sure you can dig some up if you really want, or (preferably) develop your own tools to test clients in a way that won’t get you in trouble.
Simulating ransomware needs to be handled appropriately. Kim offers some tips for managing such an engagement. You may not be able to actually encrypt or delete things, so your simulation may need to demonstrate what you were able to touch in a different fashion. Studying how ransomware in the wild attacks systems can help you better identify what files to target. If you can encrypt things, don’t go overboard – not being able to decrypt things would be very bad. Test what you are using. Repeatedly. Because not being able to decrypt things would be very bad. And be aware that AV is starting to detect ransomware by the chain of actions it performs, so you should consider adjusting your tool’s actions to evade it.
Disabling PowerShell Logging
Because PowerShell has become fairly popular, it is getting logged in most environments. Being able to disable logging would come in handy. One such method is by leechristensen. I’m sure if you spend some time digging you can find other methods, or write your own.
Windows Download File from Internet Command Line
Getting a shell in Windows gives you the opportunity to get additional malware on the machine. arno0x0x and @subtee have done a lot of research on how to do this. The link is a good read and also explains context for the one-liners.
I also think this is a good reminder to not neglect the Windows Command Line as you are working on your skills. Since the vast majority of boxes available to target are Linux, it can be easy to overlook functioning in Windows. But most org environments are running Windows, so you have to find a way to work on it. And you still may habitually type in ‘ls’ the first time instead of ‘dir’. Not that that is something I ever do.
Getting System from Local Admin
Going from local admin to system is probably most commonly done with Metasploit’s “getsystem”, but options are good. One other option is psgetsystem by decoder-it.
Retrieving NTLM Hashes without Touching LSASS
This touches on the Internal Monologue Attack by Elad Shamir. Cool stuff since Mimikatz was getting blocked on Win10 and WinServer2016 machines.
Building Training Labs and Monitor with Defensive Tools
Testing things is important, and the time to stand up a solid testing environment is time that could be spent elsewhere. Detection Lab by Chris Long is referenced as a quick way to create the environment. It comes prepped with endpoint security and logging best practices, so this is something I’ll be digging into. The project is explained in a blog post by Long. It’s a pretty cool project, and I plan to use it for both red and blue team purposes.
Ch 8 Wrap Up
Lots of quick-hit information in this chapter. Good insight into how a red teamer thinks, and a lot of great tool recommendations. I’m especially interested in working with Detection Lab because getting an environment built takes a fair amount of time. And since you may want a “clean” environment to test against, being able to speed up the process is important.
Ch 9 Two-Minute Drill – From Zero To Hero
This chapter just walks through an engagement with some info on the thought process behind choosing various attack vectors. The context was the last day of an engagement and needing to get some results. A few things that stuck out…
- Review your notes to see what you might have missed
- SE links can be more effective than sending a custom malware payload
- Automate, automate, automate
- Pivot quickly
- Get comfortable with PowerShell
- Consider commercial tools such as Cobalt Strike (and of course know your terms of engagement to know what kinds of tools you can use)
- Be prepared to modify exploits
- Use your time wisely
- Set up additional backdoors
- Spread access across boxes
Short chapter, but a good opportunity to really get into the headspace of an engagement where you need to show results under pressure.
Ch 10 Post Game Analysis – Reporting
Ah, the not-so-fun part of pentesting and red teaming. I actually like this part, but I know it’s not everyone’s cup of tea. From a learning perspective, writing up what you’ve done helps you remember things you’ve learned for future engagements. But from a business perspective, this is really where you are earning your fee. It’s kind of like music, where the joke is “I play for free – the money is to pay for hauling gear, setting up, and breaking down.” The breaking-in part is free; writing it up so the org can learn from it and remediate issues is where the fee comes in. Kim recommends reporting the good and the bad, and that general approach is a good idea. Long-term business is often easier to cultivate when you point out at least something that the org is doing well.
Since taking notes during an engagement isn’t always the highest priority, Kim suggests setting up a server to record activities, with only basic info captured (event, servers, descriptions, impacts, alerts, screenshots). I think this is a great option, but notes should be taken as well. I’m also a fan of screenshots and screen capture videos to document what was done.
Report components include intro/scope, indicators, timeline, time to detect and time to mitigate (TTD and TTM), feedback from IR/Forensics staff, and suggestions for improvement.
Kim finishes with some ideas for continuing education – blogging, GitHub, speaking at local conferences, bug bounties, CTFs, labbing with friends, studying the bad guys, subscribing to THP, and they offer training as well. I’m a big fan of continuing ed. I think it’s beneficial to make it public for accountability and the added bonus of helping support your resume. I’m working on getting more on my GitHub. I’ve also found InfoSec Twitter to be a great resource. LinkedIn is also a good place to connect and learn. I’m a huge fan of podcasts and plan to update my list somewhat regularly.
I think the big thing with continuing ed is to make sure there’s some way to keep it an appropriately high priority. It’s easy to plan to do things or want to do things, and then never get around to them. For me, blogging has helped keep me accountable as well as being active on social media and being in a book club. Working toward certifications and degrees is another way to stay accountable, though considerably more expensive.
I loved working through this book. I learned a lot and challenged myself. Blogging was an effective way to make sure I did more than just read. It also forced me to work through quite a few things that would have been easy to give up on otherwise.
The book club has moved on to Social Engineering: The Science of Human Hacking, 2nd Edition. I won’t be blogging notes, but I’ll probably write a summary/review when we finish. I have a few VulnHub boxes that I want to work through and a long list of things that I want to learn. I’ll be keeping THP3 close at hand because it’s a great resource. And I’ve put all the links that I found helpful up on GitHub. I may have missed some that Kim included in the book, but I also included a lot of extra ones that I found helpful while working through the book. I hope these notes have been helpful to someone.