Red Teaming Activity

All organizations around the world should implement a Red Team where they will provide the service of detecting new tactics and techniques been used by attackers or cyber criminals out there. The reason Red Team should be implemented within any organization is that their mindset is just like a real attacker.

Red Teamer will focus on the offensive side of CyberSecurity which their method will be familiar with all techniques and methods that have been used by a real attacker. The Red Teamer will contain whitehat (ethnical hackers and offensive security professionals)

There’s Two Scenario that will activate the Cyber Kill Chain

  • Scenario 1: Cyber Kill Chain activity can be occur whenever a normal Pentration Testing activity have been completed with everything is fine. After Red Team coming into the picture, they will dig deeper on the system even though they didn’t find anything wrong with Penteration Testing Report.
  • Scenario 2: During the Penetration Testing activity, the tester have verify that the network access controls is running according the best practice and secure. After Red Team coming into the picture, they managed to do some Social Engineering on all the non-IT staff within the orgnaization.

Red Team Approach

Those are the approach that Red Teamer will be using during their testing:

  • Reconnaissance
  • Weaponization
  • Delivery.
  • Exploitation
  • Privilege Escalation
  • Laternal Movement
  • Command and Control
  • Exfiltrate and complete


For any Red Teaming Activity or Penetration Testing activity, they will normally start the activity by doing reconnaissance and information gathering to obtain any information on the target’s machine as much as possible. The purpose of the Reconnaissance activity is to gain information on the target’s machine such as system vulnerabilities and potential attack vectors.

There have two types of reconnaissance methods which are active and passive

Active reconnaissance

One the reconnaissance method is active reconnaissance where it will normally gathering information from the target’s machine actively. The tools should be pre-install within Kali Linux or Parrot Security Operating System.


Those who have experience in the CyberSecurity field should have an idea of the Nmap tool. For those who are not familiar with Nmap, don’t fret about it. Network Mapper or also known as Nmap is an open-source tool and available to the public for free since it been launched in the year 1997.

The purpose of Nmap is to detecting any open ports on the targeted device and also provided full details of the target’s device such as Operating System, DNS, Hosts, Vulnerabilities and other more information. For Red Teamer, Nmap can be considered as one of the useful and important tools in order to gather information on the target’s device.


sqlmap can be considered as one of the Penetration Testing tools which tools are categorized as an open-source tool. The purpose of sqlmap is to execute a bunch of SQL injection tests where it can provide the tester with result of issues and vulnerabilities the tool discover.

The Key feature of sqlmap can be seen below:

  • Capabilities of code injection
  • User enumeration
  • Password cracked
  • Some common SQL code will be executed.


For web vulnerability scanners, we can use an open-source tool called Nikto where are open-source tools. The main function of Nikto is it will be able to scan web servers and find any security vulnerabilities that might be dangerous to the webserver.

The tool also can help the red teamer in terms of detecting any outdated software application and other vulnerabilities such as insecure files, server misconfiguration and interesting directory discovery. Aside from that, Nikto also provide attack features such as IDS evasion, XSS vulnerability test and some more that can benefit to Red Teamer.


Nowadays, people have called the tool OpenVAS but previously it has been called Nessus (original name). As people should have aware of Nessus, OpenVAS is also an open-source tool that executes tests related to network vulnerabilities. Besides, OpenVAS also detected any other vulnerabilities within the Web Application and Mobile Application.

As for red team activity, OpenVAS can be helpful in obtain results related to hosting scans, false-positive and scheduled scans, and some normal tests such as network vulnerability.


For any security testing especially red teaming, we need to use Gobuster to brute-force URIs which contain directories and files within the website and DNS subdomains with the support of wildcard.

The main purpose of using gobuster is that the tools didn’t have a fat Java GUI, also not running a recursive brute-force where we can brute-force folders and multiple extensions at once.


ffuf is another enumeration tool that we can use besides gobuster which is an open-source web fuzzing tool. The main purpose of ffuf is like gobuster which will focus on discovering the elements and content on the web applications, or web servers.

When you are required to fuzzing the application that uses entry points or API endpoints, then the choice of tool would be ffuf.

Even though gobuster and ffuf is having a similar purpose but it will go down to the user’s choice. Some users like to use gobuster and otherwise.

The download URL:


We need to understand the Domain Name Server or also known as DNS on the targeted machine where we are required to execute some DNS enumeration tools such as DNSrecon. The tool will be helpful to the tester or user to study the targeted machine DNS details during some process of a security assessment or network troubleshooting.

Aside from DNS Enumeration, DNSrecon also provided the function such as mentioned below:

  • Any General DNS Records and NameServer(NS) records that used witihin the Zone Transfers for a Domain will be enumerate by the tool
  • Expansion of the Top Level Domain(TLD) will be checking
  • The tools can also BruteForce a subdomain directory and some Records using wordlist
  • The tools will perform a lookup on PTR Records on the targeted’s machine


The tool such as dirsearch main purpose would be to brute-force any hidden web directories and files which also can be executed within Windows, Linux, and macOS Operating System. The tool can be considered as a powerful command-line interface even though it’s a simple one.

The tool has features that we can use during the assessment such as

  • multihreading
  • proxy support
  • request delaying
  • user agent randomization
  • support for multiple extensions


Aside from Web Penetration Testing activity, we might be doing some Cloud Penetration activity where the tool will be used are Amazon Web Server Command Line Interface (awscli). The tester should be able to control multiple AWS services by downloading and configure the tool itself.

From my knowledge, the current version of awscli is version 2 where some new features have been added into it such as new configuration options like AWS Single Sign-On(SSO), various new interactive features with improving installers for the user to use.

Passive recon

Reconnaissance also has a different process than previously discussed which is Passive recon. For those who are not familiar with Passive Reconnaissance, it’s normally been done using another method such as third-party sites and resources.


Maltego is an exceptionally good example of tools to gather information and doing some reconnaissance on websites, organizations,, and people.

The information that we will be gaining during the reconnaissance activity would be something such as below:

  • Names
  • Phone Numbers
  • Email Addresses
  • Organizations
  • Social Media accounts

OSINT Framework

There is one favourite tool that is used for gathering security information which is called OSINT Framework. The main purpose of OSINT Framework is that they will execute some special reconnaissance such as intel gathering and OSINT research. The activity will make the red teamer’s team gather information much easier.


Shodan are normally been labelled as a ‘search engine for any hackers” out there which will focus on the deep web and the IoT device. Shodan can be considered a good search engine where it will provide a scan result of everything on the domain or device that has been connected to the internet.


A network traffic analyzer such as Wireshark is also an open-source tool that helps the red teamer by alerting any security issues within the target’s network.

What Wireshark will analyze and help red teamer would be

  • Network traffic in real time whether any malicious packet been detected
  • It also can intercept the packet and presented it in plaintext which it can be easier for the tester


For Linux users, whois has been pre-installed into the Operating System where it will provide some records in the databases. The information can be provided by Internet Assigned Numbers Authority(IANA) whois server, ARIN,, NORID and other servers.


Aside from other passive reconnaissance tools, FOCA can only be used in Windows Operating System where it will find metadata and hidden information on the file that we upload into the tool. The tools can analyse any documents that can access on web pages where it can be found on search engines like Google, Bing and DuckDuckGo.

The format of the document that has been analysing by the FOCA tool can be such as:

  • Microsoft Office
  • Open Office
  • PDF files
  • Adobe InDesign
  • SVG files


For those who have a challenging time gathering information, there’s a tool called theHarvester where it will use for open-source intelligence (OSINT) gathering. It was designed for red teamer or pentester to use during the initial stages of information gathering.

Information that will be processed using this tool would be:

  • Emails
  • Names
  • Subdomains
  • IPs
  • Website URLs


Once we have all the information needed, we can proceed with the next stage which is Weaponization. The Red Teamer will think just like an actual attacker during this phase where they will build an exploit and try to compromise the targeted’s machine.

The main purpose of Weaponization is to use malicious file payloads such as malware/trojan/backdoor/RAT to compromise the targeted’s machine without the victim’s awareness and to bypass or avoid all security measures such as WAF, Firewall and Antivirus.


During the Red Teaming activity, they will use a command-line search tool such as searchploit that usually link-up with Exploit-DB for the tester to use any exploit from Exploit-DB. The tool will be able to provide a detailed search through your copy of the repository.

For any offline security assessment or activity, the tool has been extremely useful where the tool has stored a bunch of exploits which can be found at the Exploit Database Binary Exploits repository


Metasploit is a well-known tool that has been used by cybercriminals as well as ethical hackers to find vulnerabilities on networks and servers. msfvenom is a Metasploit framework that usually together with Metasploit to get some privileges access on the targeted’s machine.

If comparing to the old framework, msfvenom have the upper hand such as:

  • One single tool
  • Standarized command-line options
  • Increased speed

In detail, msfvenom have been replaced msfpayload and msfencode since June 8th, 2015 until today where msfvenom can be used as good as msfpayload and msfencode.


Previously, I did mention on searchsploit that they are using Exploit-DB as their database. For those who are not familiar with Exploit-DB, the database is a CVE compliant archive that contains public exploits either latest or old which might be useful for any vulnerable software and system.

Delivery and exploitation

After we managed to find a vulnerability exploitation method, we are required to execute the payload that we gained previously. This phase is called Delivery and Exploitation which normally used some tool to transmitting the payload created to the targeted’s machine.

During Red Team activity, this the phase that they will try to exploit any unpatched security vulnerabilities or launching any common method which is phishing attacks.


Hashcat is an open-source password hash cracker where the red teamer will normally use it to try brute-forcing the passwords from the hashes. The tools is been favour of Red Teamer where it will be utilized to execute some attacks that related to password dictionary.


The tool named Browser Exploitation Framework or also known as BeEF is a security framework that has been utilized by Red Teamer with the client-side attack vendors (practical). The tool’s function is quite like BurpSuite where it will bypass the hardened perimeter which also allows access to the security vulnerabilities from the web browser’s point of the angle.


I’m pretty sure Metasploit is well-known to the public which the creator of the tools offers both commercial and free versions. For security professionals and Red Teamers can be considered as a useful tool especially exploitation phase.

The main purpose of the tools covers such as:

  • Discovering security vulnerabilities and developing
  • Testing and executing exploit
  • Evading detection system
  • Running Vulnerability scans
  • Enumerating hosts


BurpSuite Professional is usually used for checking web application security even though they’re one of the most popular Penetration Testing and Vulnerability scanner tools. Similiar with BeEF, it’s a tool that used to evaluate the security vulnerability on web-based applications and do hands-on testing

We can use other tools to communicate with BurpSuite such as Curl and Web Browser (Recently, Burpsuite tools have their own browser that we can use during the testing)


Red Teamer will not only test on the device solely but also on the human side which weak-link of organization would be people itself. As a result, a tool such as Social Engineering Toolkit or also know as SET(shortly) is been created by TrustedSec

The main purpose of the tools is to conduct an attack related to social engineering which the Red Teamer will be creating and configure a phishing page. The Victim will receive the email that contains the phishing page from the Red Teamer and most people might fall for it.

John the ripper

Red Teamer will surely require a tool that will focus on auditing the password security which I will prefer using John The Ripper for this activity. The tool has supported a huge number of hash and cipher types which include Operating systems (Windows, Linux and Unix), also Systems such as CMS, and finally on databases with network traffic captures.

Privilege escalation

You can read the Linux Privileges Escalation over here

You can read the Windows Privileges Escalation over here

Lateral movement

Lateral Movement is an important phase for the APT life cycle which is normally Red Teaming Operation will be used on their activity. Red Teamer will use this Lateral Movement for moving some compromised hosts into another compromised host.

The Main Purpose of the Lateral Movement is to access any information or details labelled a sensitive to the organization or targeted’s machine. The Bad Guys and Red Teamer will use any techniques such as Reverse Shell to obtain access to the remote systems on the targeted’s network.


An Open-Source tool such as Mimikatz where it can be considered a crucial tool for Red Teamer to obtain credential information by extracting and collecting from the targeted’s machine(Windows OS). Aside from that, the tool can also able to execute some attacks such as pass-the-hash, pass-the-ticket and build golden tickets.


CrackMapExec is a tool that has been written on Python Programming where it can be used to evaluates and exploits vulnerabilities.


PowerSploit is normally a collection of Microsoft PowerShell modules that will assist Red Teamer and Pentester during the security assessment. The tools contain the following modules such as:

  • Invoke-DllInjection
  • Invoke-ReflectivePEInjection
  • Invoke-Shellcode
  • Invoke-WmiCommand


There’s a single page Javascript web application such as BloodHound where it uses graph theory in order to expose any hidden and often unintended connection on the Active Directory environment.

Both teams (Blue and Red) can be made use of BloodHount to gain a deeper understanding of the privilege relationships in the Active Directory environment easily.


There’s a tool called Responder which can be a poisoner for LLMNR, NBT-NS and MDNS. The main purpose of the tool is to obtain some queries based on their name suffix which related to File Server Service request like SMB/


A framework and collection of scripts and payloads which need to enable usage of PowerShell for any Red Teaming and Penetration Testing(All phases is useful)


Impacket is a collection of Python classes that focused on providing low-level programmatic access to the packets. The library provides a set of tools as examples of what can be done within the context of this library.

Command and control

The last phase for Cyber Kill Chain would be Command and Control (C&C) which will involve steps and techniques that related to controlled system access in the targeted’s network via remote access will be a persistent communication


For Red Teamer to access the targeted’s machine especially Windows, they will use Evil-Winrm (Windows Remote Management) where the tools have enabled the feature of Microsoft Windows Servers. The main purpose of the evil-winrm is to provide a nice and easy-to-use feature which it used especially in a post-exploitation pentesting phrase.


PsExec is a telnet replacement that the Red Teamer will use to execute some processes on the targeted’s system without been have to manually install the client software. PsExec can be considered as useful to the Red Teamer where it can execute some interactive command-prompts on the remote systems and remote-enabling tools.


Netstat or also known as nc is very well-known, especially in the Penetration Testing Perspective. Netstat is been used for the Reverse Shell and Bind Shells which both of those have similarity in terms of execution

A reverse shell is a shell that is initiated from the target hos back to the attack box while Bind Shell is been execute on the target’s host and bind to a specific port to listens for an incoming connection from the attack box.