The Hacker Playbook 3 – Comprehensive Bullet Notes

PREFACE

  • Third iteration of The Hacker Playbook (THP) series – focus on Red Team vs. traditional penetration testing
  • Adds content on: AD/Kerberos abuse, advanced web attacks, cloud vulns, faster password-cracking, “living-off-the-land”, physical attacks, metrics (TTD/TTM) and lab building
  • Goal: teach practical, non-theoretical tactics seen in real engagements; promote building a public GitHub / technical blog

PENETRATION TESTING VS. RED TEAMING

  • Pen Test: short (1–2 wk), scoped, vulnerability-centric; often announced; outcome = vuln matrix for IT
  • Red Team: weeks-to-months; emulate attacker TTPs; stealth; no vulnerability scanning; outcome = security-program gaps (process, policy, tools, skills)
  • Key metrics: Time-To-Detect (TTD) and Time-To-Mitigate (TTM)
  • Campaign planning questions:
    • End-goal? Flag, DA, DB exfil or blue-team drill?
    • ATT&CK techniques to emulate?
    • COTS vs. custom C2?

PREGAME – LAB & INFRA

VPS / Lightsail Steps

  • Create Ubuntu droplet ⇒ chmod 600 key ⇒ ssh -i <key> ubuntu@IP
  • Automate tool install via PTF:
      git clone https://github.com/trustedsec/ptf /opt/ptf; cd /opt/ptf
      ./ptf
      use modules/exploitation/install_update_all
      …
  • Harden C2: iptables (restrict SSH, CS listener ports); snapshots; Terraform “Red Baron” for auto-infra

Core C2 Suites

  • Metasploit Framework – still gold standard; msfvenom --payload windows/x64/meterpreter_reverse_http …
  • Cobalt Strike – Beacon, Malleable C2, SMB beacons, domain-fronting, Aggressor Script
  • PowerShell Empire – multi-OS agents, autorun scripts, HTTPS listener (real certs), AMSI evasion
  • dnscat2 ⇒ DNS C2 & tunnelling: ruby dnscat2.rb <domain> --secret <s>
  • Others: p0wnedShell, Pupy, PoshC2, Merlin (HTTP/2), Nishang scripts

BEFORE THE SNAP – RECON

Network & Asset Diffing

  • Daily cron: nmap / ndiff to mail port changes (improve: banners, Slack alerts)
  • Screenshot fleets: httpscreenshot + masscan; EyeWitness for HTTP/RDP/VNC
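The daily nmap/ndiff cron above works just as well for a defender watching their own perimeter. This is an added example (not from the book): two constructed nmap grepable (-oG) outputs are embedded inline and diffed host by host to produce the alert text a cron job would mail or post to Slack; replace the strings with real -oG files to use it.

```python
import re

# Constructed sample scans (yesterday vs today) in nmap -oG format.
SCAN_YESTERDAY = """\
# Nmap 7.80 scan initiated (constructed sample)
Host: 10.0.0.5 (web01)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///
Host: 10.0.0.9 (db01)\tPorts: 22/open/tcp//ssh///
"""
SCAN_TODAY = """\
# Nmap 7.80 scan initiated (constructed sample)
Host: 10.0.0.5 (web01)\tPorts: 443/open/tcp//https///, 8080/open/tcp//http-proxy///
Host: 10.0.0.9 (db01)\tPorts: 22/open/tcp//ssh///, 27017/open/tcp//mongod///
Host: 10.0.0.12 (new-box)\tPorts: 3389/open/tcp//ms-wbt-server///
"""

# Matches one "port/open/proto//service" entry of the -oG Ports: field.
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)//([^/]*)")

def parse_grepable(text):
    """Return {host_ip: {"port/proto": service}} for open ports only."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        ip = line.split()[1]
        _, _, ports = line.partition("Ports:")
        hosts[ip] = {f"{p}/{proto}": svc for p, proto, svc in PORT_RE.findall(ports)}
    return hosts

def diff_scans(old, new):
    """Return (opened, closed) as sorted lists of (host, port/proto, service).
    A host absent yesterday counts as entirely new; a host gone today as closed."""
    opened, closed = [], []
    for ip in sorted(set(old) | set(new)):
        before, after = old.get(ip, {}), new.get(ip, {})
        opened += [(ip, k, after[k]) for k in sorted(after.keys() - before.keys())]
        closed += [(ip, k, before[k]) for k in sorted(before.keys() - after.keys())]
    return opened, closed

def report(old_text=SCAN_YESTERDAY, new_text=SCAN_TODAY):
    """Build the alert body; an empty diff yields 'no change' so cron stays quiet."""
    opened, closed = diff_scans(parse_grepable(old_text), parse_grepable(new_text))
    lines = [f"NEW    {ip} {port} ({svc})" for ip, port, svc in opened]
    lines += [f"CLOSED {ip} {port} ({svc})" for ip, port, svc in closed]
    return "\n".join(lines) if lines else "no change"

if __name__ == "__main__":
    print(report())
```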

Cloud Enumeration

  • Grab provider CIDRs; Censys/Shodan queries; sslScrape to parse cert CN/SAN ⇒ subdomains
  • Subdomain tools: Knock, Sublist3r, SubBrute (+ MassDNS)

OSINT & GitHub Loot

  • TruffleHog / git-all-secrets for keys; search in commit history
  • AWS S3 checks: aws s3 ls / mv; enum buckets via Slurp / Bucket-Finder
  • Sub-domain takeover (tko-subs, HostileSubBruteforcer)
  • Email harvest: SimplyEmail + breach corp lists (HIBP, Pastebin dumps)

THE THROW – WEB EXPLOITATION

Modern XSS

  • Polyglots, HTML events (onload/onclick), BeEF hooking, Blind XSS (XSSHunter)
  • NodeJS/Pug pitfalls: unescaped interpolation (!{}), buffered code (!=), context breakout via %0a

NoSQL / MongoDB Injection

  • Abuse $gt, $lte, qs[] bracket parsing ⇒ "username[$gt]=" bypass
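The bracket-parsing bypass above, worked through as an added example (not from the book): a minimal stand-in for qs-style parsing turns "username[$gt]=" into {"username": {"$gt": ""}}, a login that passes that object straight to the query matches every user, and the hardened version rejects any field that is not a plain string. The user collection and passwords are constructed; a real app would compare hashes.

```python
from urllib.parse import parse_qsl

def parse_bracket_qs(query):
    """Minimal stand-in for qs[] parsing: a[b]=c -> {"a": {"b": "c"}}."""
    out = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        if "[" in key and key.endswith("]"):
            outer, inner = key[:-1].split("[", 1)
            out.setdefault(outer, {})[inner] = value
        else:
            out[key] = value
    return out

# Constructed user collection standing in for MongoDB documents.
USERS = [
    {"username": "alice", "password": "correct horse"},
    {"username": "bob", "password": "hunter2"},
]

def matches(doc_value, criterion):
    """Evaluate a MongoDB-style criterion: a plain value, or {"$gt"/"$lte": x}."""
    if isinstance(criterion, dict):
        if "$gt" in criterion:
            return doc_value > criterion["$gt"]
        if "$lte" in criterion:
            return doc_value <= criterion["$lte"]
        return False
    return doc_value == criterion

def login_vulnerable(query):
    """Parsed object goes straight into the query, so operators are honoured:
    {"$gt": ""} is true for every non-empty username and password."""
    q = parse_bracket_qs(query)
    return [u["username"] for u in USERS
            if matches(u["username"], q.get("username"))
            and matches(u["password"], q.get("password"))]

def login_hardened(query):
    """Type-check before querying: only plain strings may reach the database."""
    q = parse_bracket_qs(query)
    if not all(isinstance(q.get(f), str) for f in ("username", "password")):
        raise ValueError("username and password must be plain strings")
    return [u["username"] for u in USERS
            if u["username"] == q["username"] and u["password"] == q["password"]]
```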

Deserialization

  • Vulnerable node-serialize CVE-2017-5941 ⇒ "_$$ND_FUNC$$_function()…" payload

Template Injection (SSTI)

  • Pug newline %0a break; arithmetic #{9*9}; escalate to global.process.mainModule.require('child_process').exec(…)

SSRF

  • LFI-style preview param ⇒ internal 127.0.0.1 scan via Burp Intruder; pivot to Mongo 28017 admin

XXE & OOB

  • Basic XXE; OOB with external DTD + php://filter/base64

Tools: Burp/ZAP auto-content, Tplmap, SharpHound for web, etc.

THE DRIVE – INTERNAL COMPROMISE

Credential Harvest

  • Password-spray against OWA/Lync/SMB via Spray.sh, Ruler ⇒ GAL dump, Outlook rules attack

Responder / Inveigh / MultiRelay

  • LLMNR/NBNS spoof; NTLMv2 hash capture; relay to SMB if signing off; python Responder.py -I eth0 -wrf

Priv-Esc Windows

  • PowerUp Invoke-AllChecks: unquoted paths, AlwaysInstallElevated, MS16-032; DirtyCow on *nix
  • LSASS creds: enable WDigest UseLogonCredential=1; Mimikittenz browser RAM dump
  • Credential Store dump: Get-WebCredentials / Invoke-WCMDump; SessionGopher (WinSCP/PuTTY/etc.)

AD Recon

  • PowerView: Get-DomainUser, Get-Computer, Find-LocalAdminAccess
  • BloodHound/SharpHound: graph paths, ACL abuse, tag owned nodes; metrics path to DA

Lateral Techniques

  • WMI / PSRemoting / Invoke-DCOM; SMB/PSExec; DCOM ShellBrowserWindow; psexec.py
  • Pass-the-Hash; Kerberoasting: TGS-REP → hashcat -m 13100
  • DCSync for ntds.dit hashes without touching LSASS
  • RDP via VPS double-SSH port-forwards; dnscat2 listen 127.0.0.1:9999 …

THE SCREEN – SOCIAL ENGINEERING

  • Clone sites with SET; ReelPhish 2FA relay (Selenium)
  • Macro payloads (Empire stager, Unicorn); DDEAUTO mshta attacks; VBad & LuckyStrike obfuscators
  • Jenkins blind XSS ⇒ Groovy RCE via generateJenkinsExploit.py

PHYSICAL / HID

  • Proxmark3 RDV2 badge clone
  • LAN Turtle / Packet Squirrel reverse-VPN (OpenVPN AS); ssh -L 3389 …
  • Bash Bunny: QuickCreds (Responder) & BunnyTap (PoisonTap)

AV / NIDS EVASION

Custom Keylogger Walk-through

  • SetWindowsHookEx(WH_KEYBOARD_LL) + ROT6 string encryption + function-pointer API resolve; compile x64 ⇒ 0/66 VT

thpDropper framework

  • Server sends DLL or shellcode blob; client reflectively loads; easily extend handlers

Meterpreter Hardening

  • Recompile metsrv w/ clang; edit payload ruby for NOP sled; custom Stage-0 HTTPS loader (C/WinInet)

SharpShooter

  • DotNetToJS + multiple templates ⇒ HTA/DOC/JS bypasses; staged over DNS/HTTP

App-Whitelisting Bypass

  • msbuild.xml, regsvr32 / scrobj.dll, INF-SCT, Excel.RegisterXLL, psgetsystem
  • PowerShell obfuscation (Invoke-Obfuscation, CradleCrafter) + NoPowerShell/NPS

SPECIAL TEAMS – CRACKING & TRICKS

  • 8×1080 Ti ≈ 472 GH/s NTLM; AWS p3.16xlarge 633 GH/s
  • Wordlists: BreachCompilation 1.4B; rockyou, crackstation, weakpass; combine via combinator, PACK masks
  • Rulesets: rockyou, NSAKEY, Hob0, NotSoSecure ⇒ “one rule to rule them all”
  • Fast run-order: 1-7 char brute, dict only, dict+rules, hybrid -a 6 / -a 7, PACK masks
  • Creative: simulated ransomware; disabling PS logging via ETW provider swap; invoke web downloads via certutil/mshta/etc.

TWO-MINUTE DRILL (CASE STUDY)

  • Phish forum creds → stored-XSS Jenkins spray → Empire shells
  • BloodHound chain: user → helpdesk → DA; EternalBlue in isolated lab; Kerberoast → SQL creds; exfil rocket DB
  • Persistence: scheduled tasks, sticky keys, DLL hijack; Golden Ticket using krbtgt hash

REPORTING & METRICS

  • Provide indicators: IPs, hashes, domains, timelines
  • Document TTD / TTM for each phase
  • Include Blue-team feedback, gaps in process/tooling
  • Use simple web app for Red Teamers to log date/time, action, impact, alert status, screenshots for final report
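The TTD/TTM numbers the report asks for, computed from the kind of log the web app above would collect. This is an added example (not from the book); the CSV layout is an assumption: one row per red-team action with the timestamps at which the blue team alerted and contained it, blank when it never did.

```python
import csv
import io
from datetime import datetime

# Constructed engagement log; ISO-8601 timestamps, blank = not detected / not mitigated.
ACTIVITY_LOG = """\
phase,action,started,alerted,mitigated
Initial Access,phishing mail to 5 users,2018-05-01T09:00:00,2018-05-01T11:30:00,2018-05-01T13:00:00
Execution,Empire stager on WS-17,2018-05-01T10:15:00,,
Discovery,SharpHound collection,2018-05-02T08:00:00,2018-05-02T08:20:00,
Credential Access,Kerberoast SQL service account,2018-05-02T14:00:00,2018-05-03T09:00:00,2018-05-03T10:00:00
"""

def _ts(s):
    return datetime.fromisoformat(s) if s else None

def load_log(text=ACTIVITY_LOG):
    return list(csv.DictReader(io.StringIO(text)))

def metrics(rows):
    """Per-phase TTD and TTM in minutes; None where the blue team never got there."""
    result = {}
    for r in rows:
        start, alert, fix = _ts(r["started"]), _ts(r["alerted"]), _ts(r["mitigated"])
        result[r["phase"]] = {
            "action": r["action"],
            "ttd_min": (alert - start).total_seconds() / 60 if alert else None,
            # TTM is measured from detection, not from the start of the action.
            "ttm_min": (fix - alert).total_seconds() / 60 if alert and fix else None,
        }
    return result

def summary(rows):
    """Detection rate over all phases and median TTD over the detected ones."""
    ttds = sorted(m["ttd_min"] for m in metrics(rows).values() if m["ttd_min"] is not None)
    rate = len(ttds) / len(rows) if rows else 0.0
    median = ttds[len(ttds) // 2] if ttds else None  # upper median for even counts
    return {"detection_rate": rate, "median_ttd_min": median}

if __name__ == "__main__":
    for phase, m in metrics(load_log()).items():
        print(f"{phase:18} TTD={m['ttd_min']} min  TTM={m['ttm_min']} min")
    print(summary(load_log()))
```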

CONTINUING EDUCATION

  • Blog + GitHub projects; speak at meetups/CTFs; bug bounty platforms; build AD lab (Detection Lab)
  • Monitor APT/ATT&CK, Portia & MITRE Caldera for automation
  • Subscribe THP, join LETHAL, push code to community