How to break into red teaming - Part 2
Avoid the two behaviors that make it harder to get into red teaming. In part 2 I cover five specific actions to take for learning how to red team.
How to prepare
This picks up from Part 1 of my "how to break into red teaming" series, and focuses on practical actions to prepare you for red teaming.
This set of actions is not intended to be a foolproof, one-size-fits-all path to becoming an excellent red teamer; instead, my goal is to provide a structured learning path to help correct some of the learning mistakes I consistently see aspiring red teamers make. Even if you are just interested in security in general, this should be a fairly effective path for you.
If you already know something that I address here, awesome, skip ahead! In particular, if you already have pretty good exploitation and post-exploitation skills, then skip ahead to the capstone portion at the end, which is where I dig into the most red team specific training.
First, learn Linux and Windows (free)
Linux and Windows are the two operating systems you'll deal with constantly, both as targets and as the machines you operate from, and you'll need a solid understanding of both to be an effective red teamer.
To learn Linux basics, go through OverTheWire's Bandit.
To learn Windows basics, you can do something as simple as search "learn windows fundamentals" and you'll get results from TryHackMe and from LetsDefend, both of which appear to be free and fairly decent.
Second, learn absolute basics of virtualization (free)
Having learned the basics of Linux and Windows, you need an environment where you can dig into more intermediate challenges. Virtualization (taking the resources of one physical computer, and subdividing them logically—as opposed to physically—to run virtual computers) permits you to create that environment for free.
By creating virtual machines (VMs) on your existing computer you'll be able to:
- Avoid having to pay for cloud computing resources anytime you want to test things out.
- Avoid having to use HTB pwnboxes or other expensive platform-based machines.
- Run untrusted software more safely, and play around with risky actions in your VM that would otherwise potentially jeopardize your data on your host machine.
Additionally, virtualization is a core part of modern infrastructure, and getting even a basic exposure to virtualization will help your understanding there.
VirtualBox is free software that allows you to create VMs on your computer. Ubuntu provides a great overview of how to set up a VM with VirtualBox, and VirtualBox's own user manual goes into far more detail.
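The same setup can be scripted with VBoxManage, the command-line side of VirtualBox, which is worth knowing because you will be rebuilding lab VMs often. The following is an added example (not from the post, the Ubuntu guide, or the VirtualBox manual); it assumes VirtualBox 6.1 or newer is installed with `VBoxManage` on your PATH, and the VM name, ISO path, disk directory and sizes are placeholders. The part that matters for running untrusted tooling is the isolation settings: a NAT adapter instead of a bridged one, shared clipboard and drag-and-drop turned off, and a clean snapshot you restore after every risky experiment.

```python
"""Build an isolated lab VM with VBoxManage (added example, not from the post).

Assumes VirtualBox 6.1+ is installed and `VBoxManage` is on PATH. The VM
name, ISO path, disk directory and sizes are placeholders.
"""
import shutil
import subprocess
from pathlib import Path


def plan_lab_vm(name, iso, disk_dir, mem_mb=4096, cpus=2, disk_mb=20480):
    """Return the VBoxManage commands that create a NAT-only, clipboard-off VM.

    NAT keeps the VM off your LAN (a bridged adapter would put it next to
    your other devices); disabling the shared clipboard and drag-and-drop
    removes two easy ways for something in the guest to reach the host.
    """
    vdi = str(Path(disk_dir) / f"{name}.vdi")
    return [
        ["VBoxManage", "createvm", "--name", name, "--ostype", "Ubuntu_64",
         "--register"],
        ["VBoxManage", "modifyvm", name,
         "--memory", str(mem_mb), "--cpus", str(cpus),
         "--nic1", "nat",                  # NAT, not bridged
         "--clipboard-mode", "disabled",   # no host<->guest clipboard
         "--draganddrop", "disabled",      # no host<->guest drag-and-drop
         "--boot1", "dvd", "--boot2", "disk"],
        ["VBoxManage", "createmedium", "disk", "--filename", vdi,
         "--size", str(disk_mb)],          # size is in MB
        ["VBoxManage", "storagectl", name, "--name", "SATA", "--add", "sata",
         "--controller", "IntelAhci"],
        ["VBoxManage", "storageattach", name, "--storagectl", "SATA",
         "--port", "0", "--device", "0", "--type", "hdd", "--medium", vdi],
        ["VBoxManage", "storageattach", name, "--storagectl", "SATA",
         "--port", "1", "--device", "0", "--type", "dvddrive", "--medium", iso],
    ]


def vm_setting(plan, flag):
    """Value given to a modifyvm flag in a plan (None if the flag is absent)."""
    for cmd in plan:
        if cmd[1] == "modifyvm" and flag in cmd:
            return cmd[cmd.index(flag) + 1]
    return None


def snapshot_cmd(name, action, label="clean"):
    """'take' a snapshot once the OS is installed; 'restore' it after running
    something untrusted, so every experiment starts from a known-good state."""
    if action not in ("take", "restore"):
        raise ValueError("action must be 'take' or 'restore'")
    return ["VBoxManage", "snapshot", name, action, label]


def run(commands, dry_run=True):
    """Execute VBoxManage commands in order; with dry_run they are only returned."""
    if not dry_run:
        if shutil.which("VBoxManage") is None:
            raise RuntimeError("VBoxManage not on PATH; install VirtualBox first")
        for cmd in commands:
            subprocess.run(cmd, check=True)
    return commands


if __name__ == "__main__":
    plan = plan_lab_vm("lab-ubuntu", "/isos/ubuntu-22.04-live-server-amd64.iso", "/vms")
    for cmd in run(plan, dry_run=True):   # flip dry_run to False to actually build it
        print(" ".join(cmd))
    print(" ".join(snapshot_cmd("lab-ubuntu", "take")))
```

Install the OS from the attached ISO, take the `clean` snapshot, and then restore it after each session where you ran something you do not trust; that restore is what makes the "play around with risky actions" point above safe in practice.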
Third, use HackTheBox (low cost)
HackTheBox (HTB) is a training provider offering a wide variety of courses and ranges, at a variety of price points. HTB is a tool that can be used well or poorly, and as I've warned earlier, it is a poor tool to choose for meeting all of your red team training needs. However, HTB can be an excellent tool for getting some modular training on security-focused topics.
Creating an account is free, but accessing Academy modules (the discrete building blocks of learning in HTB) costs 'cubes' (HTB's weird platform currency). You get a small number of cubes by completing some initial tutorials, and you get a larger monthly disbursement of cubes by paying for a monthly subscription. If you have a student account ($8/mo at the time of this writing) you basically get unlimited cubes.
Here are my recommended HTB modules (throughout I'll link directly to the Academy Modules, which you'll need to be logged in to view. You can just search the course name and "htb" to find the public-facing details on the courses):
Linux Fundamentals
Linux fundamentals is 10 cubes, which means you can do it right off the bat for free (you get over 60 cubes just for signing up and going through some basic tutorials).
Windows Fundamentals
Windows fundamentals is also 10 cubes.
Intro to Sliver
Sliver is a common Command and Control (C2) tool. It is free and open source, which makes it an excellent choice for training. HTB's Intro to Sliver course walks you through much of Sliver's capabilities for 500 cubes (which means you need a subscription to access it, unfortunately).
Having a basic understanding of Sliver will help you as we move into more advanced training elements.
Introduction to Threat Hunting & Hunting with Elastic
HTB's threat hunting introduction course is 100 cubes and provides basic instruction on how to find bad activity. This helps you gain an understanding of how defenders find malicious activity, and what kinds of activity are easiest to see. This is where you start to deviate from pentest and shift into red team-specific knowledge.
Security monitoring and SIEM fundamentals
Security monitoring and SIEM fundamentals is 100 cubes. A SIEM (Security Information and Event Management system) is the central place where most security teams collect logs and monitor for malicious activity in their environments.
Like the Threat Hunting course, this will help you start to learn how to look for malicious activity.
Fourth, learn Python basics (free)
Learning at least a little bit of a basic programming language will help you immensely! Python is a beginner-friendly language that is also used heavily in security work, which makes it a great choice.
Kaggle's Python course is my favorite of the free coding courses I've seen online. They use Jupyter notebooks so you don't have to set up a local development environment (although now that you have a VM running you can do so!), and the content is very good. You'll also get familiarity with the Kaggle platform, which has many other high-quality tutorials.
Capstone: Ludus (free or ~$300) and CRTO ($500)
This is the part that I get really excited about! Up until now you've focused on learning raw building blocks, but this is where you get creative and put everything together.
Ludus provides the environment and monitoring, and if you would like more structure for your training you can also buy the unaffiliated Certified Red Team Operator (CRTO) course to provide that structure.
Ludus
Ludus provides free sets of templates to automatically deploy multiple machines. You learned how to deploy Virtual Machines (VMs) manually earlier, but Ludus uses Infrastructure as Code to deploy multiple VMs and configure them so they can connect and interact with each other.
Ludus deploys in a few different ways, including on VMs hosted in Azure (expensive, at over $250/month), or on hardware that you own. My preference is to install Proxmox first, and then follow Ludus' instructions for Proxmox. Either way, the most cost-effective solution is to buy your own hardware.
Buying a machine with better hardware will result in a snappier and less frustrating lab experience—John Ruskin's quote applies here—but I'm trying to price out a shoestring budget approach to building experience to become a red teamer. If you can afford better hardware, you'll enjoy it. In any event, do some research on hardware before you buy anything. Reddit's /r/homelab and its Discord can help you with that if you don't know what to look for.
Once you have Ludus installed, I recommend merging the GOAD NHA (Game Of Active Directory Ninja Hacker Academy) template with the Elastic template (you'll need to merge the templates, including adding the Ansible role for the Elastic agent to all of the machines from GOAD NHA, or the lab machines you attack will never show up in Elastic).
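The merge is mostly bookkeeping, and the mistake that costs the most time is a machine that ends up without the agent role (or two machines on the same address). The script below is an added example, not Ludus's own tooling, and the two configs in it are constructed, cut-down stand-ins rather than the real GOAD NHA or Elastic templates. It assumes the Ludus range-config layout (a top-level `ludus:` list of VM entries with `vm_name`, `hostname`, `template`, `vlan`, `ip_last_octet`, `roles` and per-VM `role_vars`) and the role names `badsectorlabs.ludus_elastic_container` and `badsectorlabs.ludus_elastic_agent` from the Ludus Ansible roles; check both against the Ludus docs before relying on them. The variable names the agent role needs (such as the Elastic server's address) are not assumed here; pass whatever the role's README specifies as `agent_vars`.

```python
"""Merge two Ludus range configs and attach the Elastic agent to every VM.

Added example, not Ludus's own tooling. Assumes the Ludus range-config
layout and the badsectorlabs elastic role names described in the lead-in;
LAB and MONITORING are constructed stand-ins, not real templates.
"""
import copy
import json

AGENT_ROLE = "badsectorlabs.ludus_elastic_agent"
SERVER_ROLE = "badsectorlabs.ludus_elastic_container"

# Constructed, cut-down stand-in for the lab you attack
LAB = {"ludus": [
    {"vm_name": "{{ range_id }}-dc01", "hostname": "DC01",
     "template": "win2019-server-x64-template", "vlan": 10, "ip_last_octet": 10,
     "ram_gb": 8, "cpus": 4, "windows": {"sysprep": True},
     "domain": {"fqdn": "lab.local", "role": "primary-dc"}},
    {"vm_name": "{{ range_id }}-ws01", "hostname": "WS01",
     "template": "win10-22h2-x64-enterprise-template", "vlan": 10, "ip_last_octet": 20,
     "ram_gb": 4, "cpus": 2, "windows": {"sysprep": True},
     "domain": {"fqdn": "lab.local", "role": "member"},
     "roles": ["example.existing_role"]},   # must survive the merge
]}

# Constructed stand-in for the monitoring side: one Elastic server
MONITORING = {"ludus": [
    {"vm_name": "{{ range_id }}-elastic", "hostname": "ELASTIC",
     "template": "debian-12-x64-server-template", "vlan": 10, "ip_last_octet": 250,
     "ram_gb": 8, "cpus": 4, "linux": True, "roles": [SERVER_ROLE]},
]}


def merge_ranges(lab, monitoring, agent_role=AGENT_ROLE, agent_vars=None):
    """Concatenate the VM lists, refuse collisions, add the agent role.

    The agent is added to every VM that does not run the Elastic server
    itself. agent_vars (whatever the agent role's README asks for, e.g. the
    server address) go into that VM's role_vars, since Ludus sets them per VM.
    """
    merged = {"ludus": []}
    seen_addr, seen_name = {}, set()
    for vm in lab["ludus"] + monitoring["ludus"]:
        vm = copy.deepcopy(vm)               # never mutate the inputs
        addr = (vm["vlan"], vm["ip_last_octet"])
        if addr in seen_addr:
            raise ValueError(f"{vm['vm_name']} and {seen_addr[addr]} both use "
                             f"vlan {addr[0]} .{addr[1]}")
        if vm["vm_name"] in seen_name:
            raise ValueError(f"duplicate vm_name {vm['vm_name']}")
        seen_addr[addr] = vm["vm_name"]
        seen_name.add(vm["vm_name"])

        roles = vm.setdefault("roles", [])
        if SERVER_ROLE not in roles and agent_role not in roles:
            roles.append(agent_role)
            if agent_vars:
                vm.setdefault("role_vars", {}).update(agent_vars)
        merged["ludus"].append(vm)
    return merged


def vms_missing_agent(config, agent_role=AGENT_ROLE):
    """Names of VMs that will ship no telemetry: run this before you deploy."""
    return [vm["vm_name"] for vm in config["ludus"]
            if agent_role not in vm.get("roles", [])
            and SERVER_ROLE not in vm.get("roles", [])]


def dump(config):
    """Serialize for the Ludus CLI: YAML via PyYAML if installed, else JSON."""
    try:
        import yaml
        return yaml.safe_dump(config, sort_keys=False)
    except ImportError:
        return json.dumps(config, indent=2)


if __name__ == "__main__":
    merged = merge_ranges(LAB, MONITORING)
    print(dump(merged))
    print("unmonitored:", vms_missing_agent(merged))   # expect []
```

Run `vms_missing_agent` against the merged config before handing it to the Ludus CLI; an empty list is the condition you want, because any machine in that list is one you can attack all day without producing a single alert, which defeats the purpose of the lab.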
As you experiment and practice in Ludus, take good notes on what actions are noisy (and why), and figure out how to accomplish your goals more quietly.
For example, if you want to find paths to escalate your privileges on a machine, try running winPEAS and then see what happens in Elastic. You'll see that there are many alerts! You might research quieter options than winPEAS and come across PowerUp and SharpUp. Run both of those and compare the alerts you get. You could then do research on detecting PowerShell, and search for quieter methods of execution. After that you might try using SharpUp via Sliver's execute-assembly command and seeing how that looks in Elastic. That will lead you to see how the fork-and-run approach for execute-assembly can be very noisy, and as you search for better choices you'll hear about "BOFs" (Beacon Object Files) and discover TrustedSec's SA BOFs. Now you have a much stealthier way to find privesc opportunities (although it is much more manual).
An exercise like this will:
1. Start to give you a feel for how visible your actions are to defenders;
2. Start to give you an understanding of how to prevent/detect/respond to malicious activity;
3. Give you some framework for learning how to understand how noisy a given action might be.
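"See what happens in Elastic" gets much more useful once you measure it the same way every time: note the clock before the action, run it, wait for the detection rules to fire, then pull every alert raised in that window and count them by rule. The harness below is an added example, not part of the post and not Elastic's or Ludus's tooling. It assumes an Elastic 8.x stack with detection rules enabled, so the Kibana security app writes alerts to the default-space index `.alerts-security.alerts-default` with the fields `kibana.alert.rule.name` and `kibana.alert.severity`, and an Elasticsearch API key. `SAMPLE_HITS` is a constructed stand-in for the `hits.hits` part of a `_search` response, with made-up rule names.

```python
"""Measure how noisy an action was: the alerts Elastic raised while it ran.

Added example, not from the post. Assumes Elastic 8.x security alerts in
`.alerts-security.alerts-default` and an Elasticsearch API key. SAMPLE_HITS
is a constructed stand-in for a _search response; its rule names are made up.
"""
import json
import time
import urllib.request
from collections import Counter
from datetime import datetime, timezone

ALERTS_INDEX = ".alerts-security.alerts-default"
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def iso8601(ts):
    """Unix seconds -> the UTC timestamp format Elasticsearch accepts."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")


def build_query(start, end, host=None, size=500):
    """Alerts with @timestamp in [start, end], optionally for one lab host only,
    so that alerts from other machines in the range do not pollute the count."""
    must = [{"range": {"@timestamp": {"gte": iso8601(start), "lte": iso8601(end)}}}]
    if host:
        must.append({"term": {"host.name": host}})
    return {
        "size": size,
        "sort": [{"@timestamp": "asc"}],
        "query": {"bool": {"must": must}},
        "_source": ["@timestamp", "kibana.alert.rule.name",
                    "kibana.alert.severity", "host.name", "process.name"],
    }


def summarize(hits):
    """Group alerts by rule name and record the worst severity seen."""
    by_rule = Counter(h["_source"]["kibana.alert.rule.name"] for h in hits)
    worst = max((h["_source"].get("kibana.alert.severity", "low") for h in hits),
                key=lambda s: SEVERITY_RANK.get(s, 0), default=None)
    return {"total": len(hits), "by_rule": dict(by_rule), "worst_severity": worst}


def search_alerts(es_url, api_key, start, end, host=None):
    """Live _search against Elasticsearch (needs the network; not run offline)."""
    req = urllib.request.Request(
        f"{es_url}/{ALERTS_INDEX}/_search",
        data=json.dumps(build_query(start, end, host)).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"ApiKey {api_key}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["hits"]["hits"]


def measure(action, fetch, host=None, settle_seconds=120):
    """Run action(), wait for the rules' schedule to fire, return the summary.

    Detection rules run on an interval with a look-back, so an alert can land
    minutes after the action; make settle_seconds at least the longest rule
    interval in your stack or you will under-count and think you were quiet.
    """
    start = time.time() - 30   # pad for clock skew between you and the target
    action()
    time.sleep(settle_seconds)
    return summarize(fetch(start, time.time(), host))


# Constructed sample: three alerts, as if a privesc enumerator had just run on WS01
SAMPLE_HITS = [
    {"_source": {"@timestamp": "2024-01-01T12:00:10.000Z", "host.name": "WS01",
                 "process.name": "winPEAS.exe",
                 "kibana.alert.rule.name": "Suspicious Process Discovery",
                 "kibana.alert.severity": "medium"}},
    {"_source": {"@timestamp": "2024-01-01T12:00:11.000Z", "host.name": "WS01",
                 "process.name": "winPEAS.exe",
                 "kibana.alert.rule.name": "Suspicious Process Discovery",
                 "kibana.alert.severity": "medium"}},
    {"_source": {"@timestamp": "2024-01-01T12:00:14.000Z", "host.name": "WS01",
                 "process.name": "winPEAS.exe",
                 "kibana.alert.rule.name": "Windows Credential Access Attempt",
                 "kibana.alert.severity": "high"}},
]

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_HITS), indent=2))
```

To use it live, wrap the action in a callable and bind the query helper to your stack, for instance `measure(lambda: run_from_sliver("execute-assembly SharpUp.exe audit"), lambda s, e, h: search_alerts(ES_URL, API_KEY, s, e, h), host="WS01")`, where `run_from_sliver`, `ES_URL` and `API_KEY` are yours to supply. Record the summary next to the action in your notes; repeating the same action (winPEAS, PowerUp, SharpUp via execute-assembly, the SA BOFs) and comparing `by_rule` is what turns "this felt noisy" into a table you can reason from.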
Having an experienced red teamer to mentor you will make this much less painful, but in the absence of a mentor you can take advantage of Discord and Slack channels like TrustedSec's Discord or SpecterOps' Slack.
CRTO
If you need more structure than just playing around in Ludus, Zero Point Security's CRTO course is ~$500 and walks you through many of the core parts of a red team operation. If you go through CRTO while replicating what you can in Ludus and learning how noisy a given action is, you'll learn much more than by merely taking CRTO on its own.
Go learn
There aren't any foolproof paths to red team; it's a niche sector with very few entry-level roles available, and luck still seems to be the driving factor in getting into red team. But I think that you'll find more luck if you follow this general path and:
- View red team as a separate discipline from pentest rather than a more advanced discipline;
- Build the right muscle memory by prioritizing an understanding of all of the artifacts your actions produce, rather than prioritizing access to new systems.
Good luck, and go learn!
Interest piqued? Disagree? Reach out to me at TwelveTablesBlog [at] protonmail.com with your thoughts. Or better yet, comment below!