Red Team Village

November 18th / 19th 10:00 - 18:00 (GMT +4)

Capture The Flag

The goal of the Red Team Village CTF is serve as a plaform for red team tactics knowledge sharing and excercises. We constantly create new real world scenarios and challenges for our CTF villages, where cyber security enthusiasts can participate in real world challenges and learn new attack vectors, techniques and more. The idea behind this CTF is to touch on a little bit of everything – from OSINT to post exploitation techniques.

A target company named Victim Corporation has been set up that has a wide list of assets.  The assets can be digital, physical, or even employees. There will be Windows Active Directory infrastructure, Linux systems, IoT devices, even phishing campaigns and other attack frameworks. Digital lockers and other physical challenges would be introduced.

The final challenge would be for the Red Teams to attack a target monitored by a Blue team/SoC and retrieve flags without getting caught!

18th November

19th November

13:00 - 15:00

Workshop: Penetration Testing of ECU (Red Team Version)

Arun Mane, Founder and Director, Amynasec Labs LLP
“Connected” cars is a buzzword nowadays. As well, the internals of the cars is connected too. The significance may vary though, per se, scanning, ignition control, infotainment, etc. With the number of such joints in the connectivity, there well is a set of threats lurking over this whole mobile machine (car). Car theft is nowadays a part of daily crime news. The car networks are prevailing to be of utter importance due to their usability, and hence the various methods and frequency of attacks too. Considering the state of the present threat, understanding car network security is of prime importance. The session will make available attendees understand and perform such methods and attacks as well will make them think about the potential ways to secure those networks.
 
In this workshop, I Will demonstrate and explain each and every aspect online, it’s not a pre-recorded session. As we have an online studio, With the help of CAMERA and required setup this workshop will be fun and more interactive.
 
The logical progression of the workshop deliverables:
 
· Briefing of ECU

· Briefing of Vehicle Networks
· Briefing of Vehicle Protocols
· Understanding and briefing CANBUS protocols
· Briefing of CANBUS frame
· Briefing of CAR hacking Tools
· Reverse Engineering of CANBUS – Identify the Arbitration ID of specific vehicle event
· Replay the CANBUS message
· Sending Forged CANBUS messages
· DOS Attack on CANBUS network
· Introduction to Vehicle Diagnostics
List of Components
· Instrument Cluster
· ECU
· Harnesser
· Hardware tool for CanBus testing

 
Key Takeaways:
 
· Pre-built VM containing tools for security assessment of car networks.

· Exposure to vehicle protocol threats.
· An understanding of doing vehicle security modules.
· Significance and hands-on usage experience of various tools in this specific flavor of security.

15:00 - 16:00

Panel discussion: Pre-empting attacks – Relevance of red teaming in enterprises

Manu Zacharia, President at ISRA, Founder of c0c0n International Hacking & Information Security Conference

16:00 - 17:00

Zero trust networks: Opportunities and challenges for red team Ops

Dan Levy, Senior Manager at EY Israel Advanced Security Center.

Work from home is on the rise (thanks COVID), and with it, proponents of the zero-trust model are also gaining in popularity. But what does this entail for red team operations? What will hacking enterprises look like in the upcoming few years?

We’ll review together major trends surrounding cyber security in the zero-trust era – and not marketing concepts, buzz words or academic theory. This talk will look at the future of network security, how our favorite vendors are aligning their tool stack for 0-trust security, but also the up and rising start-ups that have already raised millions of $ to help enterprises implement zero trust.

17:00 - 18:00

Evolution of Offensive Security – it was always about providing business value

Jorge Orchilles, CTO – SCYTHE & Bryson Bort, CEO – SCYTHE

Celebrating 15 Years of Security Weekly means we should go through the evolution of offensive security/ethical hacking. Where did this all start, where are we now, and where are we going? This talk covers everything from the early days of vulnerability scanning, vulnerability assessment, and vulnerability management (probably the hardest part of infosec today!). We then evolved to penetration testing to gain access and further test defenses.

We realized that attackers don’t just go after technology, so we began testing people and process as well as testing assumptions. Eventually we realized we had to work closer with the blue team (defenders) and built a purple team function to collaborate and more efficiently improve. Understanding and collaborating with the defenders led us to leverage cyber threat intelligence to provide the best business value by performing adversary emulations.

This talk will cover all of these, best practices, tips, tricks, and of course, a use case where we can demonstrate it’s value so you too can convince management to perform similar assessments.

18:00 - 19:00

Attacking Storage Services : the Lynchpin of Cloud Services

Anant Shrivastava, Technical Director, NotSoSecure Global Services

We all agree that most organizations have some or the other service leveraged over cloud environments. To add to it, there are assets that are not linked directly to the public and not easily spotted. When it comes to Red Team Engagements it boils down to a simple statement. “Are you able to find something that wasn’t supposed to be visible in the first place ?”.

Storage services by the cloud providers are usually not visible directly to the end user and are often overlooked by pentesters and Red Teamers. In this talk we will be leveraging the possibility of Storage Services of different cloud vendors and how if not properly configured could lead to a lot of Damage to the organization.

Storage services are almost always the second service started by cloud vendors after IaaS, it is done in that order for a reason. Cloud Storage irrespective of how simple it looks, is a complex deeply integrated component for cloud services.

The primary purpose of storage services is to hold data of all kinds, besides its primary function it also performs multiple other actions. Storage allows building higher abstraction services on top of the it such as Static file hosting,FaaS or PaaS code hosting and Log storage

Due to its versatility storage is an area which should be looked at with a fine tooth comb. However the situation is far worse than what we can imagine. From exposing buckets to public, to leaking api keys or ssh keys in public. Things go from bad to worse when buckets also are leaking write access to source code leading to full account takeover scenarios.

19:00 - 20:00

Privilege Escalation in da House

Carlos Polop Martin, Sec-1 (Claranet)

Local privilege escalation techniques are far beyond checking the Windows/Kernel version, looking for unquoted service paths or checking SUID binaries. Moreover, a local privilege escalation could make a huge difference when trying to comprise a domain. Several tools have been created to find possible privilege escalation paths, but most of the tools for Red Team and Pentesting just check for a few possible paths, so pentesters need to use several tools and do some manual recon to check for everything.

During this talk I will present a suite of open source privesc enumerators that I have created called PEASS (Privilege Escalation Awesome Scripts Suite). The goal of this suite is to check and highlight every possible privesc path so professionals don’t need to execute several different tools and can very easily find the vulnerabilities. At the moment, this suite contains the most complete and user friendly privesc enumerators for Windows (in .Net and bat) and Unix (Linux, MacOS, OpenBSD, FreeBSD). Moreover, I will also show the privilege escalation parts of my book (https://book.hacktricks.xyz/) so people interested the topic can learn more more after the talk.

Notice that independently of the technical level of the audience I’m sure that they will learn some new privilege escalation vector.

13:00 - 14:00

Threat Hunting With Elastic Security

Aravind Putrevu, Developer Advocate, Elastic & Haran Kumar, Solutions Architect – Security Specialist at Elastic

The workshop will be based on a real world attack scenario such as Advanced persistent threats(APT) and hunting malicious artifacts efficiently. Get hands-on with latest APT detections and threat investigations.We will be using a threat hunting platform like Elastic including SIEM and machine learning in efficiently finding known unknown and unknown unknowns. We will also utilise the MITRE ATT&CK framework throughout the exercise.

 
What we will cover:
 
LAB 0 : Familiarising yourself with the Lab Setup

LAB 1 : Analyse and Visualise MITRE TTPs
LAB 2 : Overview of Elastic SIEM
LAB 3 : Hunt the artifacts
LAB 4 : Using the Detection Engine
LAB 5 : Using Cases for collaborative incident response

14:00 - 15:00

Visibility In The Clouds: Introducing a New Open Source Tool for Cloud Security

Ilia Rabinovich, Adversarial Tactics Team Leader, Sygnia & Oleg Lerner, Cyber Security Expert, Sygnia

The accelerated transition to cloud services and the rising adoption of cloud hybrid architecture is being leveraged by threat actors, who are both targeting cloud environments and weaponizing them as an attacking surface. On-premise misconfigurations and vulnerabilities have been replaced with new risks and attack paths which abuse cloud and cross-platform connectivity. In this session, the Sygnia team will discuss a few of the major trends in cloud environment attacks and present a new open-source tool, designed to support rapid visualization and the identification of potential attack paths in cloud environments.

15:00 - 16:00

Offensive Embedded Exploitation : Getting Your hands dirty with Hardware Hacking and Firmware Analysis

kaustubh Padwad, Security Researcher & Arun Mane, Founder and Director, Amynasec Labs LLP

The world is moving towards smart culture everything nowadays is smart, and mostly all are those smart devices are basically embedded devices with internet connectivity or some provision to connect with the internet. Since these devices are booming in the market this also tempting lots of people/groups for hacking.

In this 1 hour talk we will discuss how to test the embedded/IoT devices, it would give you a methodology for assessment, how to extract firmware from storage chipset with help of Hardware Testing, how to perform firmware analysis, identifying vulnerable components, basic approach for reverse-engineering the binaries to discover potential remote code execution, memory corruption vulnerabilities by looking for native vulnerable functions in C or bad implementation of functions like System, popen, pclose etc.

After conducting static analysis, firmware analysis we will move towards a dynamic testing approach which includes web application testing, Underlying OS security testing, identifying vulnerabilities and misconfiguration in the device. At last, we will move towards fuzzing the device via web application parameters and installing an appropriate debugger on the device to identify memory corruption vulnerabilities.

16:00 - 17:00

Payload delivery for initial access in Red Team engagement and Adversary Simulation

Jean Marie Bourbon, Head of Forensics & Offensive Security Dept., POST Luxembourg

How to perform payload delivery and compromise a company that have a very small attack surface during an Offensive Security exercise? Let’s talk about this through a real-life feedback! The goal is to provide both blue and red perspective sharing some TTPs and tips from payload creation, mitigations each redteamer have to deal with and how defender can detect it. Jean-marie will presents a customized (and how to do that) payload delivery from 0 to pwn using the well known .hta (T1218).

17:00 - 18:00

Old Still Cool: Classic SE formats merge for high complex context in three peculiar tales

Daniel Isler, Sr Social Engineer Pentester, Dreamlab Technologies

Obtaining access and sensitive information of critical and high awareness areas through the combination of classic formats of Social Engineering attacks.

Controls and filters advance according to market demands and it is becoming increasingly difficult to perform generic phishing simulations with a considerable scope, without these being rejected by security systems, reaching the spam mailbox or alerting security filters and preventing the integrated display of malicious mail.

How to bypass an antivirus in a service under a black box format? How to bypass firewalls so that systems can be accessed without being stopped? Is it necessary to go unnoticed? As a unit we have specialized in the last five years in the development of pretexting, persuasion techniques and extremely particular and effective simulation scenarios.

This paper presents 3 cases of mergers of classic Social Engineering formats united under concepts that we call Physical Spear Phishing and Vishing Web Scam. The physical-digital tools and techniques used for the realization of objectives will be explained. One of the first difficulties we have in SE services is the short time we have in relation to an organized criminal band. They manage to carry out effective attacks after periods of six to twelve months of research and testing. We only have 5 to 10 days for the entire project: Information gathering, execution and reporting. So, trying to replicate the real-time flow of an attack’s entirety is unworkable and trying to emulate it in such a narrow time only yields results that are not close to reality, thus generating false security in the collaborators involved in the simulation.

For this we were obliged to look for processes and techniques that would place us in a realistic scenario of high reach.

18:00 - 18:15

CLOSING CEREMONY

Red Team Village Organizing Crew

END

About Red Team Village

Red Team Village (https://redteamvillage.org) is a community driven combat readiness platform for Adversarial attack simulation, Red teaming tactics and Offensive security operations. This community is managed by a group of cyber security and red team tactics enthusiasts. A red teamer needs to be skilled in every aspect of Adversarial Simulation and offensive security operations. We can consider this as a platform to share tactics, techniques, and tools related to various domains of adversarial attack simulation.

We have been organizing workshops, talks, demonstrations, open discussions, Capture the flag challenges (CTF) and other exercises at Cyber Security conferences for the past 4 years. We do design real life corporate CTF scenarios with the same network architecture and defensive mechanisms used by the organizations. The CTF players needs to do the red teaming against this infrastructure which protected and monitored by Blue teams. This village welcomes Red teams, Blue teams and Purple teams. Blue teams get to know the attack tactics used by the adversaries, and Red teams get to learn the security monitoring/detection techniques used by the SoC teams. A collaborative purple teaming culture can be cultivated.

We have organized more than 10 villages (Talks, CTF and training) along with cyber security conferences such as Nullcon, c0c0n, OWASP, DEFCON Group Trivandrum etc