Attack Trees

To start off in the red team as someone without hacking experience, we recommend following a story of a small grove in the forest first. The red team tries out all kinds of details of the forest.

• On the grove and the forest

Grove

• Introduction
• Kali Linux
• Red and blue teaming with Mitre Att&ck Caldera
• Windows PC
• macOS
• Linux PC
• Metasploitable2
• Goat and wolf
• MSFvenom Payload Creator
• Empire

Reconnaissance

• Introduction
• Gathering info about an organisation
• Gathering info about a person
• Gather DNS information
• Fingerprint webserver
• Crawl website
• Gathering application information
• Discovering application vulnerabilities
• War-dialing-driving-flying-shipping

Scanning

• Introduction
• Host discovery with ICMP
• Host discovery with TCP
• Host discovery with UDP
• Discover vulnerabilities
• Service and OS detection
• Diving deeper in discovery

Enumeration

• Introduction
• Input vectors enumeration
• Enumerate webserver directories
• Network enumeration
• macOS enumeration
• Linux enumeration
• Windows enumeration

Database

• Introduction
• Access password database
• Cracking the database root password
• Using known database exploits
• SQL injection
• Confirm SQL injection vulnerability
• SQL injection login bypass
• Extracting data from the database
• Read and write local files outside of www root
• Get shell and control target server
• Automated exploitation

Application

• Introduction
• Web application mapping
• Exploit file upload vulnerabilities
• Exploit remote code execution vulnerabilities
• Shell from local file inclusion vulnerabilities
• Shell from remote file inclusion vulnerabilities
• Cross-site scripting (XSS)
• Discover XSS vulnerabilities
• Hooking targets to BeEF using XSS
• Become admin by manipulating cookies
• Clickjacking
• Cross-Site Request Forgery (CSRF)
• Last resort: Brute force & Dictionary attacks
• Man-in-the-Browser (MitB)
• Browser-based attacks
• Zed Attack Proxy (ZAP)
• Post exploitation

Server

• Introduction
• Directory traversal
• HTTP Response splitting
• Poison cache
• Spoof webserver
• Hijack session (application)
• HTTPS spoofing
• MitM between users and webserver
• Bruteforce available services
• Escalate a reverse shell to a more powerful shell
• Privilege escalation on a web server

Malware

• Introduction
• Creating malware
• Windows malware
• Keylogger
• Password recovery tool
• Modifying code to bypass AV
• Simple Windows trojan
• macOS malware
• Simple macOS trojan
• Linux malware
• Simple Linux trojan
• Run payload on target device

Social engineering

• Introduction
• Mail delivery
• Steal access info with fake login page
• Webpage with BeEF hook
• Phishing
• Pharming
• Use analytics to lure a target
• Fake prompts everywhere
• Getting out of the box

System

• Introduction
• Gain unauthorised access
• Upgrade basic shell access to meterpreter/empire access
• Maintaining access on Windows
• Maintaining access on macOS
• Upload and execute using empire
• Backdoor a Windows system process with empire
• Privilege escalation on macOS
• Privilege escalation on Windows
• Privilege escalation on Linux
• Pivoting using meterpreter autoroute

Forest

• Introduction
• Using a VPN
• Location, location, location
• Ephemeral OS
• Bouncing servers
• Metasploit container for Linux and macOS targets
• SilentTrinity container for Windows targets
• Infrastructure frontend
• IP masquerading
• Automating the server setup

API's

• Introduction
• Passive reconnaissance
• Active reconnaissance
• Analyse API endpoints
• Attack authentication
• Fuzzing wide and deep
• Exploit authorisation
• Inject with mass assignment
• Try traditional injections
• Rate limit tests
• Evasive techniques
• Attack GraphQL

CI/CD pipeline

• Introduction
• Poison open source supply chains

Network

• Introduction
• Sniffing
• ARP spoofing
• Compromise router
• Attack domestic WiFi
• IP spoofing
• Denial of Service (DoS)
• Distributed Denial of Service (DDoS)
• Distributed Deflection Denial of Service (DrDoS)
• Hijack session (network)
• Replay attack
• TCP sequence prediction attack
• Hijack BGP
• DNS spoofing
• DNS attacks
• SSL Beast
• SSL Hijacking
• SSL Stripping
• Man-in-the-Middle (MitM)
• Port redirection
• Virtual host confusion attack

Crypto

• Introduction
• Brute-force
• Chosen ciphertext attack
• Chosen plaintext attack
• Forgery attack
• Impersonation attack (Group message)
• Read a PGP encrypted message
• Side-channel attack
• Unknown key share attack

Malware on steroids

• Introduction
• About C&C
• Create a botnet
• BYOB
• Credential stuffing
• SEO poisoning

Troubleshooting

• Introduction
• BeEF unable to load extensions
• Bettercap starts with SSL strip disabled
• Empire cannot import name ‘Mapping’ from ‘collections’
• Python 2.7 end of life problems
• Veil Installation error Failed to run (wine) Python pip pefile… Exit code: 1
• Zlogger chokes on missing import _bootlocale