@April 30, 2022 6:12 PM (EST)
Or at least done safely.
(5/18/22 Edit:) Hey there! I ended up doing a stream with Taggart on this subject . It was a good time. Check it out here:
🏹 Intro
Let’s take a look at how to build out safe and resilient red team infrastructure from the ground up, step by step.
You may be familiar with Tim MalcomVetter’s blog post on Safe Red Team Infrastructure, where he lays out the high level overview of how to make a safe red team operational network. That post changed my life, but it did lack the technical details on how to do this process in a practical sense.
So I wanted to write this as an answer to that blog post and combine some other wisdom I’ve picked up over the years. People like RastaMouse and byt3bl33d3r have shaped my understanding of this task.
byt3bl33d3r’s take on this task makes it into a CI/CD containerized swarm high-availability dream that scales infinitely. Rasta uses Terraform and Ansible to command cloud assets at the press of a button. They both end up with extremely impressive solutions and my HuskyHat goes off to them for it.
But for me, well, my brain is a bit more on the smooth side. My brain is so smooth you could skip it across a pond at sunrise while you meditate on your life’s choices.
So I’ll be taking the long road. My implementation has a larger footprint and takes a bit longer to set up. But it does step through each part of the setup and point out security considerations along the way.
This post should be interpreted as an instructional session for building your infrastructure. It is not all-encompassing and can probably be improved in several ways. But here, as with all things:
Understand first; automate second.
I am a fan of automation/containerization for this task, but only after understanding the major security considerations at play.
By the end of this note, if you follow the steps, you will have a small POC-sized network of red team infrastructure that can support operations. This small network will be able to scale infinitely on a mesh overlay VPN called Nebula.
Most importantly, this infrastructure will be safe and responsible from a red teaming perspective. It will minimize the risk to your client’s data as it is siphoned from their environment in a calculated fashion.
In future posts, I will write on how you can make it swat down prying eyes that try to examine your infrastructure with a little help from Nginx.
Let’s get it.
🏗️ Design Philosophy
This is from Tim MalcomVetter’s original blog post. We will use this as a reference point, but we will make several iterations and improvements on this as we go.
The following sections are collapsed into toggles for organizational purposes, but they should be followed in order.
🔴 Teamserver Setup
☁️ Provision Cloud Assets
🌌 Set Up Nebula
⛓️ Set Up Reverse Port Forwarding & SOCAT
🔒 OPSEC, Ahoy! TLS and HTTPS
🐰 Follow The White Rabbit
🍣 The Roll Up (Sushi Roll, Get It? Like A Sushi Roll. Because... Nevermind)
— — — — — — > Back to Blog
🌐 Where You Can Find Me
🐦 Twitter | 📡 Main Blog | 👽 GitHub | 📺 YouTube
📒Recent Notes
8/30/22 Content Creators, I Will Teach You Cyber Jiu-Jitsu
8/12/22 The Responsible Red Teamer’s Manifesto
7/30/22 On Patching Binaries
7/16/22 MS-Interloper: On the Subject of Malicious MSIs
4/22/22 Failing All The Way To Token Manipulation, Part 1
4/16/22 COM Hijacking Creative Cloud
