Red Team utilities
Adversary simulation attacks
Exploit Pack gives Red Teams a set of tools for conducting professional adversary simulation attacks during exercises. This page explains how to use these agents and utilities to run several types of Red Team scenarios.
The following types of scenarios are supported:
- Remote agents for Windows, Linux and OSX
- Browser agents to bypass restricted networks
- Phishing campaigns
- Ransomware attack simulation
- Office macro attacks
- Stepping-stone attack
The interface: when you open the Red Team utilities tab, you will notice a set of available features such as Agent creation, Agent connection, Deployment and more. Let's go through them one by one.
After you deploy an agent, it appears in the connection list. In this example, we have a mix of VBS and Browser agents.
Select one of the agents from your current list to display the properties associated with it:
If the agent type allows it, you can interact directly with the agent from the remote console, as shown in the following screenshot. Important messages from your agent also appear on this screen.
Next, if the deployed agent supports taking a remote screenshot, you will see it under Target's Desktop. The screenshot is updated every time you run the feature.
Under network connectivity, you can see your connection to the agent and the availability.
On the right side of the screen, you can make changes to the agent code on the fly in case you need to modify, add to or adapt it. In this screenshot the code for the VBS agent is shown.
Use Agent Setup to deploy any of the available agent types or to remotely kill a connection with an agent. Once you select one of the options, a wizard helps you create that agent.
The agent interaction part of the screen changes as you select different agents. In the following screenshot you can see the commands available for the VBS agent.
And once the Browser agent is selected you will see a different set of commands available.
Last but not least, the commands available for the Python agent are shown in the screenshot.
Here you can see an example of the VBS agent running the "Grab info" command. The agent gathers information from the target and shows it in your Exploit Pack framework; you can view it from the log or from the editor, along with the log of the last commands.
Another example, from a different type of agent: here we have deployed a Python agent and then run "Open shell". This action spawns a shell so you can run commands directly on your agent. In the screenshot we have simply executed the command "dir" as an example.
It's time to deploy your first agent. Let's start with a Python agent: select Reverse shell as shown below, which opens the Reverse shell wizard.
Click "Next" when you are ready and you will be presented with the final code for your customized Python reverse shell, as shown in the following screenshot. Carefully check that the IP address points to the one associated with Exploit Pack.
Next let's deploy a browser agent. You can do this by selecting "Browser-Shell" from the agent deployment menu as shown here:
You can modify the IP address the agent points to by selecting the agent directly from the utilities tab, as shown here. Note that by default the agent points to 127.0.0.1.
The browser agent can also be used during phishing campaigns. These campaigns can be launched directly (manually), or you can use Exploit Pack to send the email to one user or to a list, as shown below.
If you wish to use the email campaigns feature of the phishing wizard you must first go to Edit -> Preferences and set the necessary configuration for the SMTP server to be used as shown below:
When you click "Next", you are shown the different types of login screens you can use (or abuse) during your Red Team scenario to trick users. This is particularly useful during awareness campaigns, as it shows beyond doubt whether the employees of your company are really aware of cybercriminal attacks coming from outside their safe zone.
The last agent you can deploy is the "Office shell". This is a VBS shell type that can be injected into an Office document through macros or executed directly using WScript. You need to set a number of options before deployment, as shown in the image. When you are ready, click "Generate & Next".
As with the other agents, carefully verify that the hostname points to where Exploit Pack is listening, review the code and make any adjustments needed before deployment.
Here is an example of a VBS agent connected to Exploit Pack; the agent is running inside a virtual machine for testing purposes.