Hands-On Red Team Tactics

4 (7 reviews total)
By Himanshu Sharma , Harpreet Singh
    Advance your knowledge in tech with a Packt subscription

  • Instant online access to over 7,500+ books and videos
  • Constantly updated with 100+ new titles each month
  • Breadth and depth in over 1,000+ technologies
  1. Red-Teaming and Pentesting

About this book

Red Teaming is used to enhance security by performing simulated attacks on an organization in order to detect network and system vulnerabilities. Hands-On Red Team Tactics starts with an overview of pentesting and Red Teaming, before giving you an introduction to few of the latest pentesting tools. We will then move on to exploring Metasploit and getting to grips with Armitage. Once you have studied the fundamentals, you will learn how to use Cobalt Strike and how to set up its team server.

The book introduces some common lesser known techniques for pivoting and how to pivot over SSH, before using Cobalt Strike to pivot. This comprehensive guide demonstrates advanced methods of post-exploitation using Cobalt Strike and introduces you to Command and Control (C2) servers and redirectors. All this will help you achieve persistence using beacons and data exfiltration, and will also give you the chance to run through the methodology to use Red Team activity tools such as Empire during a Red Team activity on Active Directory and Domain Controller.

In addition to this, you will explore maintaining persistent access, staying untraceable, and getting reverse connections over different C2 covert channels.

By the end of this book, you will have learned about advanced penetration testing tools, techniques to get reverse shells over encrypted channels, and processes for post-exploitation.

Publication date:
September 2018


Red-Teaming and Pentesting

Pentesting is an attack on a computer system, done to evaluate the security of the system/network. This test is performed to identify vulnerabilities and the risks they possess.

The 1960's marked the true beginning of the age of computer security. In this chapter, we will cover the methodology of pentesting that is widely used, as well as the red-teaming approach, which is now being adopted across different corporations.

In this chapter, we will cover the following topics:

  • Pentesting 101
  • A different approach

Pentesting 101

As we all know, penetration testing follows a standard. There are various standards, such as the Open Web Application Security Project (OWASP), the Open Source Security Testing Methodology Manual (OSSTMM), the Information Systems Security Assessment Framework (ISSAF), and so on. Most of them follow the same methodology, but the phases have been named differently. We will take a look at each of them in the following sections and cover the Penetration Testing Execution Standards (PTES) in detail.


OWASP is a worldwide not-for-profit charitable organization that focuses on improving the security of software.

It's a community of like-minded professionals who release software and knowledge-based documentation on application security, covering such subjects as:

  • Information gathering
  • Configuration and deployment management testing
  • Identity management testing
  • Authentication testing
  • Authorization testing
  • Session management testing
  • Input validation testing
  • Error handling
  • Cryptography
  • Business logic testing
  • Client-side testing

Open Source Security Testing Methodology Manual (OSSTMM)

As mentioned on their official website, this is a peer-reviewed manual of security testing and analysis, providing verified facts. These facts provide actionable information that can measurably improve your operational security.

The OSSTMM includes the following key sections:

  • Operational security metrics
  • Trust analysis
  • Work flow
  • Human security testing
  • Physical security testing
  • Wireless security testing
  • Telecommunications security testing
  • Data networks security testing
  • Compliance regulations
  • Reporting with the Security Test Audit Report (STAR)

Information Systems Security Assessment Framework (ISSAF)

ISSAF is not very active, but the guide it has provided is quite comprehensive. It aims to evaluate the information security policy and process of an organization with regard to its compliance with IT industry standards, along with laws and regulatory requirements. The current version of ISSAF is 0.2.

The stages that it covers can be found at https://www.owasp.org/index.php/Penetration_testing_methodologies.

Penetration Testing Execution Standard (PTES)

This standard is the most widely used standard and covers almost everything related to pentesting.

PTES is divided into the following seven phases:

  1. Pre-engagement interactions
  2. Intelligence gathering
  3. Threat modeling
  4. Vulnerability analysis
  5. Exploitation
  6. Post-exploitation
  7. Reporting

Let's take a brief look at what each of these phases involves.

Pre-engagement interactions

These actions involve multiple processes to be carried out before an activity kicks off, such as defining the scope of the activity, which usually involves mapping the network IPs, web applications, wireless networks, and so on.

Once the scoping is done, lines of communication are established across both the vendors and the incident reporting process is finalized. These interactions also include status updates, calls, legal processes, and the start and end dates of the project.

Intelligence gathering

This is a process that is used to gather as much as information as possible about the target. This is the most critical part of pentesting, as the more information we have, the more attack vectors we can plan to perform the activity. In case of a whitebox activity, all this information is already provided to the testing team.

Threat modeling

Threat modeling model depends on the amount of information gathered. Depending on that, the activity can be divided and then performed using automated tools, logical attacks, and so on. The following diagram illustrates an example of a mindmap of a threat model:

Vulnerability analysis

This is a process of discovering flaws that can be used by an attacker. These flaws can be anything ranging from open ports/service misconfiguration to an SQL injection. There are lots of tools available that can help in performing a vulnerability analysis.

These include Nmap, Acunetix, and Burp Suite. We can also see new tools being released every few weeks.


This is a process of gaining access to the system by evading the protection mechanism on the system based on the vulnerability assessment. Exploits can be public, or a zero day.


This is a process where the goal is to determine the criticality of the compromise and then maintain access for future use. This phase must always follow the rules of the engagement that is protecting the client and protecting ourselves (covering the tracks as per the activity's requirements).


This is one of the most important phases, as the patching of all the issues totally depends on the details presented in the report. The report must contain three key elements:

  • Criticality of the bug
  • Steps of reproduction of the bug
  • Patch suggestions

In summary, the pentest life cycle phases are presented in the following diagram:


A different approach

Let's discuss a different approach: red-teaming. The main objective of red-teaming is to assess and obtain the real level of risk a company has at that moment in time. In this activity, networks, applications, physical, and people (social engineering) are tested against weaknesses.

Red-teaming can also be considered as a simulation of a real-world hack.


Red-teaming is based on the PTES standard as the foundation. However, there's much more to it. It can be said that the penetration testing activity is performed with the aim of finding as many vulnerabilities in the given amount of time as possible. However, red-teaming is performed with only one goal and by staying discreet.

The methodology used in a red-team activity involves the following:

  • Reconnaissance
  • Compromise
  • Persistence
  • Command and control
  • Privilege escalation
  • Pivoting
  • Reporting and cleanup

The following cycle basically repeats for every new piece of information that is found about the client until the goal is met:

How is it different?

Let's look at it with a different perspective to get a clearer picture:

Looking at the preceding diagram, we can see that red-teaming involves using every means to achieve the goals. We can summarize the major difference between red-teaming and pentesting as follows:

  • Red-teaming involves finding and exploiting only those vulnerabilities that help to achieve our goal, whereas pentesting involves finding and exploiting vulnerabilities in the given scope, which is limited to digital assets
  • Red-teaming has an extremely flexible methodology, whereas pentesting has fixed static methods
  • During red-teaming, the security teams of the organizations have no information about it, whereas during pentesting, security teams are notified
  • Red-teaming attacks can happen 24/7, while pentesting activities are mostly limited to office hours
  • Red-teaming is more about measuring the business impact of the vulnerabilities, whereas pentesting is about finding and exploiting vulnerabilities.



Wrapping up the chapter, we learned about different standards of pentesting followed across the industry, and we went through the seven phases of the PTES standard in detail. We also looked at red-teaming and how it is different from pentesting.

In the next chapter, we will look at a few of the latest post-exploitation tools and examine in detail how they work.



  1. What are the different pentesting standards?
  2. What are the different phases of PTES?
  3. What is the difference between red-teaming and pentesting?
  4. What are the key elements of a report?
  5. What is the main objective of a red-team activity?

Further reading

For more information on the topics discussed in this chapter, please visit the following links:

About the Authors

  • Himanshu Sharma

    Himanshu Sharma has already achieved fame for finding security loopholes and vulnerabilities in Apple, Google, Microsoft, Facebook, Adobe, Uber, AT&T, Avira, and many others. He has assisted international celebrities such as Harbajan Singh in recovering their hacked accounts. He has been a speaker and trainer at international conferences such as Botconf 2013, CONFidence, RSA Singapore, LeHack, Hacktivity, Hack In the Box, and SEC-T. He also spoke at the IEEE Conference for Tedx. Currently, he is the cofounder of BugsBounty, a crowdsourced security platform.

    Browse publications by this author
  • Harpreet Singh

    Harpreet Singh is the author of Hands-On Red Team Tactics published by Packt Publishing and has more than 7 years of experience in the fields of ethical hacking, penetration testing, vulnerability research, and red teaming. He is also a certified OSCP (Offensive Security Certified Professional) and OSWP (Offensive Security Wireless Professional). Over the years, Harpreet has acquired an offensive skill set as well as a defensive skill set. He is a professional who specializes in wireless and network exploitation, including but not limited to mobile exploitation and web application exploitation, and he has also performed red team engagements for banks and financial groups.

    Browse publications by this author

Latest Reviews

(7 reviews total)
Parfait j’ai bien aimé ce livre
Awesome Book! Good insight on the red team exercise!
Excellent insights into Red Team field operations.

Recommended For You

Hands-On Red Team Tactics
Unlock this book and the full library for $5 a month*
Start now