HackMiami Con 7


Red Teaming as a Service: Simulating Blackhat Attacks for Organisations

By Aman Sachdev and Himanshu Sharma

This training gives hackers and penetration testers a red teamer's perspective on vulnerability assessment and penetration testing (VAPT). It opens with the fundamentals of red teaming and its process, how red teaming differs from a conventional pentest, and what a red-team approach adds to application security testing. From there it builds up from the ground: information gathering and reconnaissance, including less common tools and techniques that surface far more about a target; red-team techniques for vulnerability assessment of web and mobile applications, with the tools and tricks that find more bugs; and then exploitation and data-extraction methodology. Alongside automated tooling and manual analysis, the focus is on making the tools work efficiently by tweaking and debugging them. Several case studies cover interesting business-logic vulnerabilities and how to spot them. The training then covers pivoting and privilege-escalation techniques that let a red teamer move quickly inside a corporate network without alerting the SOC. Throughout, it draws on real-life case studies from the trainers' regular engagements, plus a bonus: a step-by-step case study of how they compromised pharmaceutical devices inside the manufacturing network of a million-dollar pharma client who wanted more than a VAPT.

What we do

What is the training going to be about
Lab Setup for real-life red teaming
Red teaming techniques, methodologies and tricks across the phases of a VAPT
Real life Case studies, interesting hacks and how they were done
Red Teaming – What and Why

The process

Demand: a complete black-box red teaming exercise to test how well the existing security team is doing
Information provided: the name of the organisation and its most critical assets
VAPT process to follow:
Information Gathering and Recon
Asset Mapping and Level 2 Recon
Vulnerability Assessment – P0s and P1s only (critical and high-severity findings; lower-severity issues are not the goal of the exercise)
Penetration – find the single most critical point of entry that leads fastest to the high-value targets (HVTs)
Escalate, pivot, escalate, pivot... until everything is owned
Assess the impact on each compromised asset

Lab setup
Security Configuration
Tools to install
Pro Tips
Information Gathering and Recon

What to gather – domains, subdomains, IP ranges, server architecture, other online devices, email addresses, leaked passwords, SSL/TLS certificates, Whois records, related organisations, related people, web applications, mobile applications, development technologies in use, etc.
How to gather – Automated and Manual Recon
Asset Mapping and Level 2 Recon
Identifying critical assets
Per-asset recon - Port and Service Enumeration, Web App technology stacks, Server software in use, Mobile app stack, Physical network architecture, domain history, server hosting history, etc

Web Application VAPT
Information gathering on web apps and servers
Subdomain harvesting
Shodan and Censys
Directory brute forcing
Port and Service Scanning
Exploit Db and searchsploit

Common Vulnerabilities we will look at:
Command execution
Code Injection
Shell uploading
File inclusions
Business Logic Flaws
Payment Gateway Flaws
Authentication / Authorisation flaws
Components with known vulnerabilities
Security Misconfigurations
Brute force / Rate-limiting flaws
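For the brute-force / rate-limiting item in the list above, the following added example (not code from the training or from any client application) puts a login check with no throttling beside a hardened one and runs the same small wordlist against both. The users, passwords, wordlist and source IP are constructed; the hardened version takes the clock as a parameter so the window expiry can be shown without sleeping.

```python
"""Brute force / rate-limiting flaw: a login check with no throttling beside a hardened one.

Added illustration; not code from the training or from any client application.
Users, passwords, the wordlist and the source IP are constructed.
"""
import hashlib
import hmac
import os
from collections import defaultdict, deque

ITERATIONS = 50_000   # PBKDF2 work factor, kept low only so the demo runs quickly


def make_record(password):
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Hashed even for unknown users, so response time does not reveal which usernames exist.
DUMMY_RECORD = make_record("placeholder")


def verify(record, password):
    """Constant-time comparison of the PBKDF2 output; always False for a missing record."""
    salt, digest = record if record is not None else DUMMY_RECORD
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest) and record is not None


class VulnerableLogin:
    """No throttling and a username-revealing error: a wordlist attack always gets through."""

    def __init__(self, users):
        self.users = {u: make_record(p) for u, p in users.items()}

    def login(self, user, password):
        if user not in self.users:
            return "no such user"             # confirms which usernames exist
        return "ok" if verify(self.users[user], password) else "bad password"


class RateLimitedLogin:
    """Sliding-window failure limit per account and per source, with a uniform error message."""

    def __init__(self, users, max_failures=5, window_seconds=300):
        self.users = {u: make_record(p) for u, p in users.items()}
        self.max_failures = max_failures
        self.window = window_seconds
        self.failures = defaultdict(deque)    # ("user", name) / ("ip", addr) -> failure timestamps

    def _blocked(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > self.window:
            q.popleft()                       # expire failures older than the window
        return len(q) >= self.max_failures

    def login(self, user, password, source_ip, now):
        keys = (("user", user), ("ip", source_ip))
        if any(self._blocked(k, now) for k in keys):
            return "too many attempts"        # refused before the password is even checked
        if verify(self.users.get(user), password):
            self.failures[("user", user)].clear()
            return "ok"
        for k in keys:
            self.failures[k].append(now)
        return "invalid credentials"          # same text for unknown user and wrong password


WORDLIST = ["123456", "password", "qwerty", "letmein", "welcome", "admin123", "Summer2019!"]


def brute_force(service, user, wordlist, **request):
    """Replay the wordlist; return (index of the guess that logged in or None, requests sent)."""
    for i, guess in enumerate(wordlist):
        if service.login(user, guess, **request) == "ok":
            return i, i + 1
    return None, len(wordlist)


if __name__ == "__main__":
    print("vulnerable:", brute_force(VulnerableLogin({"alice": "Summer2019!"}), "alice", WORDLIST))
    hardened = RateLimitedLogin({"alice": "Summer2019!"})
    print("hardened:  ", brute_force(hardened, "alice", WORDLIST, source_ip="203.0.113.9", now=1000.0))
```

The vulnerable service also answers "no such user" for unknown accounts, which is the username-enumeration half of the same finding; the hardened one returns one message for both cases and still hashes a dummy record for unknown users so the timing does not leak either. Limiting per source IP alone is not enough, since a distributed attack rotates addresses, which is why the account itself is also a key.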

Interesting Case Studies and Tricky Firewalls

From Web apps to Servers and Servers to Network
Common ways to gain server access
File inclusions
Command/Code injection
Misconfigured Services
Components with vulnerabilities
Lab Setup
Metasploit with DB
Workspaces and importing Nmap scans
Team Server and Armitage
Reverse Shell tricks
Privilege escalation
Local exploits
Exploiting misconfigurations
Looting passwords, hashes, tokens and much more
Network Pivoting
Pass the hash
Hacking from within
Tips to avoid making too much noise

Case Studies

Supporting Documents:
Links to previous talks around red teaming:

Aman Sachdev is a programmer at heart and an information security professional with 5+ years of experience in information security training and testing, and has trained over 5000 individuals. His love for breaking challenging WAFs landed him in the core team as a red team pentester at BugsBounty. Aman holds a Bachelor's in Computer Applications and an OSCP certification, alongside extensive experience in web application development. At BugsBounty he solves cybersecurity problems in the day and creates them at night. He has presented at numerous security conferences, including RSA, CONFIDENCE Poland and CONFIDENCE London, among others.

Himanshu Sharma (Co-Trainer) has been in the field of bug bounty since 2009 and has been listed in the halls of fame of Apple, Google, Microsoft, Facebook, Adobe, Uber, AT&T, Avira and many more. He has helped celebrities such as Harbhajan Singh recover their hacked accounts, and assisted an international singer in tracking down and recovering his hacked account. He has spoken at multiple international conferences, including Botconf '13, CONFIDENCE 2018 and RSA Asia Pacific and Japan '18, as well as at IEEE conferences in California and Malaysia and at TEDx. He is currently the co-founder of BugsBounty, a crowd-sourced security platform for ethical hackers and companies interested in cyber services. He also authored a book on Kali Linux titled "Kali Linux - An Ethical Hacker's Cookbook".