The use of 0days and custom tools in red teaming

@TheColonial had a tweet that I'm interested in hearing more opinions on:

120 chars is not enough to discuss. Thought I'd offer this thread up.

cc @geekspeed @norsec0de @jcran

I think my general stance on this holds true. I think I saw a stats tweet by @thegrugq saying that something like 98% of breaches are not 0day (don’t quote me on that). If most can’t defend against MSF, as practitioners of offensive security services, I would keep using MSF. When the clients CAN defend against patch<30 day exploits and detect and squash meterpreter then I’ll start using custom stuff. I’ll always use the path of least resistance though; post-exploitation via powershell tricks, etc…

I’m not sure I have the energy for this again! :tired_face: Especially given that the title of this forum thread is already misquoting me. It doesn’t really start things off on the right foot.

The tweet was off the back of Dino saying something that implied “you’re not doing proper red teaming if you’re a grad using MSF” (probably misquoted, but hey).

All I was trying to say was that if you’re doing an assessment on an org and MSF is more than enough to get you complete control of the org, then using 0days, custom tools or any other “cutting edge” bits and pieces is just unnecessary. After that, lots of people twisted words, begged the question, put words in my mouth, attempted to skew the meaning of the original post.

Did I say “MSF is all that’s ever needed”? No. Did I say “Use Meterpreter for everything”? No. Did I say “No orgs are able to detect typical MSF/Meterp behaviour”? No. All of these things were suggested, and more, and it was rather infuriating.

If I’m playing a game against a weak team, I don’t flog the crap out of them, as it’s not productive. Attack simulation at any level of maturity is useful. Most organisations I’ve done attack sims against fail to catch the absolute basics of MSF/Meterp usage, and so I don’t bother using any of the other tools that I have, because it’s pointless.

In short, there’s nothing wrong with using MSF for proper offensive engagements. When teams are able to hold their own against it, that’s when it’s time to level up and use other stuff.

That’s all I’m going to say on the topic. But thanks for re-opening the wound @jhaddix :wink:

Hey @TheColonial ! I didn’t mean to re-open something traumatic. I actually agree with you and thought the twitter replies missed the point entirely. I’m also a big fan of MSF…

< rant >

A lot of people treat MSF as COTS software. It annoys me.

MSF was envisioned as a framework and the guys I know who actually write 0day for a living use it like that (guys from ZDI, DoD, or 1day guys submitting to exploithub, etc). The framework allows use of a ton of templated code and helpers but in no way requires you to use anything. What it really does is help you modularize your exploit creation process. Decoupling crash identification, gadgets, payloads, etc, makes exploit creation faster. You don’t need to use meterpreter at all; you can have your own custom payload and attach it to any existing exploit easily. Without something like MSF, we go back to using txt files lol.

As far as meterpreter goes, it is by far one of the most capable payloads available in all exploit dev, even in the blackhat world. Meterpreter being detected and actively defended against is a testament to its greatness. Also, what other FREE payload have you seen that offers so many options (direct API interaction, priv escalation via multiple methods, route setting, ++ )?

< /rant >

Anyways, one of my goals is to bring good discussion to the forum. Feel free to check out from this one if it seems laborious. Honestly, I saw your twitter-storm and felt bad.

Thanks @jhaddix, I wasn’t in any way throwing anger at you :wink: I knew your intent. I appreciate you clarifying.

I think you’ve hit on the key points nicely, and I don’t really have much I can add on top of what you’ve said. MSF is indeed a toolkit, if it’s used as one then it’s actually a great red teaming tool even when a client is good enough to detect it.

I am of course going to be slightly biased towards Meterpreter. That thing is part of me now. But is it the king of payloads? No. Is it the only payload you should use? No. Is it the only payload that I use? No :wink:

But it is a damned good option once you’ve established a presence on a network, as it really aids in lateral movement.


Most organizations need to learn how to walk before they can run; hell, in most cases, organizations have no idea why they need legs in the first place :wink:

But on a serious note, they should do the following:

  1. Vulnerability Scanning
  2. Penetration Testing
  3. Other assessments
  4. Red Teaming

The “Other Assessments” are things like telephone social engineering, e-mail phishing, wireless penetration testing, physical assessments, etc…

Why? Because a red team assessment may not focus on network or application, it’s about infiltrating the target; if that means I clone a security guard’s badge, badge into your server room on a Saturday, and backdoor a server, then that’s completely reasonable and something a mature organization should be ready for.

In terms of using 0day vulnerabilities during a red team assessment, absolutely fair game, because some of the things you are assessing during a red team engagement are detection and response capabilities. Even if I pop you with an 0day in an application on your perimeter (that likely should have been identified during the application penetration test you had performed against that application… you did have an application penetration test performed against apps on your perimeter before you engaged in a red team assessment, right?), your team should be able to detect and respond to that in a reasonable time-frame (not to mention, you should know if I was able to pivot anywhere else after that).

Lastly, in terms of MSF, someone who says “You should be able to detect MSF” is probably talking about meterpreter specifically… If I drop meterpreter.exe (you get what I’m saying) on disk and you cannot detect that, that’s a problem. But I can tell you that a red team won’t just drop it onto disk, and most security products (that most organizations are using) won’t pick it up when running it in memory.


My original tweets were less about 0day and more about using custom tools that mirror tactics actually seen in the wild. If you’re comparing what actually happens in the wild vs red team style engagements, generally the payloads/droppers are ahead of what you’re seeing in MSF.

MSF is great, don’t get me wrong, but when it comes to long term C&C and persistence there are better options available in the malware world. DNS based C&C, multiple C&C servers, etc.

I also want to mention I love MSF and use it often; there are just some weak points right now.

Using analogies around “playing a game against a weak team” isn’t helping anyone; they’re not segregated from the rest of the internet, and they can be exposed to higher level threats.

I’m also trying to understand why you’re doing red team engagements on companies who are not mature enough to defend against pretty standard threats. There are other exercises that would be more beneficial until they get to a maturity level that warrants actual red teaming. I know of a few companies out there who stay busy just specializing in red team attacks using 0day, custom C&C, multi month engagements.

A lot of clients who are in the intermediate space between pentesting and actually needing redteaming have done well by building simulated scenarios such as:

  1. Run exe/payload on workstation simulating compromise via 0day or whatever method
  2. Run/Give payload/user access to DMZ host

Using either of those methods along with keeping strong timelines/notes allows blue teams to start down the path of understanding how to respond/react/generate proper alerts around initial compromised hosts. The above techniques also need to be combined with table top style meetings between whoever is testing and whoever is defending to openly discuss negatives/positives and allow both sides to learn from each other.

There is no right or wrong answer and everyone has a point of view based on personal experience.


I think a lot of that discussion was crippled by the 140char limit of the medium. While I agree that beating up a lame child with a ‘bring all your guns’ philosophy may seem a bit cruel, in practice it serves as a tipping point moment. Though it has to be treated as an ongoing engagement, a cycle of build, break, teach, rinse, repeat. Popping a box with meterp is all well and good – but it doesn’t give the victim anything but ‘damn, I should’ve caught that’ – whereas popping them with some mystery uber zero day instills upon them the drive to get better and to research and to make themselves better. Having worked on teams where we did both – the buy in I got from the latter vs the former was over 2:1. Meaning after the engagement the teams where we used more specialized craft continued to study and get better – vs the teams where we used meterp – kinda just went about their lives oblivious. At some point we need to transition to a platform of teaching, and part of that requires breaking down the student and having a few come-to-Jesus moments. Then again, that’s just my $0.02…

It seems to me that most people are missing or misrepresenting the initial tweet.

I doubt @TheColonial was suggesting you shouldn’t be using 0days on red teams, or if you do somehow it’s not valid, simply that if an organization’s security can be subverted with a lower level of sophistication there is no reason to use a higher level. A number of reasons:

  • If I spend months developing an 0day, why would I ever use it when I don’t need to? All it does is increase the risk of discovery via logs / packet captures for zero benefit on my side.
  • If an organization can’t adequately defend against a metasploit user (aka any hacker with a publicly available tool), then it should be more of a concern for them as opposed to some ‘super duper l33t simulating state sponsored 0day dropping threat’ that while possible, by definition will be much rarer.

Impact should be demonstrated by your post exploitation and information gathering, not only by the exploitation method.

Anyway, just feels like the posts arguing “why are you red teaming against that org?” or “metasploit isn’t always the best tool for everything” or “yeah but organizations need to defend against zero days as well” are missing the point and intent behind the original tweet.

Then again, someone said a thing in less than 120 characters, perhaps even I am doing them a disservice trying to read what their intent was.