# Building a Lab
-----------------------------------------------------------------------------------------------------------------------------
## Table of Contents
- [General Info](#general)
    - [101](#101)
- [Virtual Machines](#vm)
- [Vulnerable Web Applications](#webapp)
    - [OWASP](#owasp)
    - [General](#wgen)
    - [Specific](#specific)
        - [API](#sapi)
        - [Django](#sdj)
        - [HTTP Smuggling](#shtt)
        - [JSP](#sjsp)
        - [Node.js](#sno)
        - [Ruby](#sruby)
        - [SSRF](#ssrf)
        - [SSO](#ssso)
        - [Web Cache Poisoning](#swcp)
- [Installing/Configuring Active Directory](#AD)
    - [Official Documentation](#adoc)
    - [Guides](#guides)
    - [Lab Generation](#alabgen)
    - [Domain Generation](#adg)
    - [Forest Generation](#afg)
    - [User Generation](#aug)
    - [User Activity Simulation](#aus)
- [Building a Pentest Lab](#pentest)
    - [Talks & Presentations](#bltalks)
    - [Tools](#bltools)
- [In the Cloud](#clouds)
- [Building a Defensive Lab](#defense)
- [Other Labs](#other)
    - [Access Methods](#oam)
    - [Containers/Related](#ocr)
    - [Defensive CI/CD](#dcicd)
    - [Offensive CI/CD](#ocicd)
- [Building a VM/Machine for Remote Testing](#remote)
- [Infrastructure Automation](#infra)
    - [101](#i101)
    - [Tooling](#infrauto)
-----------------------------------------------------------------------------------------------------------------------------
* **To Do**
    * Building a defensive Lab
    * Infra Automation
-------------------------
### <a name="general"></a> General
* **101**<a name="101"></a>
    * This page is supposed to be a collection of resources for building a lab for performing various security related tasks. Generally, the idea is that you set up local VM hypervisor software (VMware, VirtualBox) and then install a virtual machine to perform testing and analysis without any impact to your "physical" machine.
* **Useful links**
    * [Warming Up. Using ATT&CK for Self Advancement - Adam Swan](
    * [Jeff McJunkins 'Build a Kickass Lab' Presentation](
        * I don't like link shorteners, but we all know where he works so... Plus he was nice to me one time. So that clearly establishes him as being legit.
* **Building a Dropbox**
    * **Articles/Blogposts/Writeups**
        * [DigiDucky - How to setup a Digispark like a rubber ducky](
        * [How to Build Your Own Penetration Testing Drop Box - BHIS](
    * **Talks/Presentations/Videos**
    * **Tools**
        * [ubuntu.autossh](
            * Autossh reverse tunnel to a central server.
        * [P4wnP1](
            * P4wnP1 is a highly customizable USB attack platform, based on a low cost Raspberry Pi Zero or Raspberry Pi Zero W.
* **Utilities**
    * **FFSend**
        * [Deployment](
            * This document describes how to do a full deployment of Firefox Send on your own Linux server.
        * [ffsend](
            * Easily and securely share files from the command line. A fully featured Firefox Send client.
-------------------------
### <a name="vm"></a> Virtual Labs/Machines
* **101**
    * [Virtual Machine - Wikipedia](
* **VM Hypervisor Software**
    * **Desktop**
        * [Oracle VirtualBox - free](
        * [VMware Workstation - paid](
    * **Server**
        * [Proxmox - free](
        * [VMware vSphere - free](
        * [Xen - free](
* **VirtualBox**
* **VMware (Workstation/vSphere/ESXi)**
    * **VM Snapshots**
        * [Understanding VM snapshots in ESXi (1015180) -](
        * [How to Manage VMware Snapshots - Vladan Seget](
        * [Deep Dive – The Ultimate Guide to Master VMware Snapshot - Mohammed Rafic](
* **Xen**
* **Obtaining VMs**
    * [Internet Explorer Windows Vista through 10 Virtual Machines](
    * [Windows Server Evaluation ISOs](
    * [Vulnhub](
        * Vulnhub is a website dedicated to cataloging various vulnerable VMs from across the web. It also has a healthy community that creates and submits new VMs on a regular basis. As I write this now, I believe there are around 100 or so different VMs on Vulnhub, so you have a bit of variation.
    * [macOS-Simple-KVM](
        * Documentation to set up a simple macOS VM in QEMU, accelerated by KVM.
    * [unlocker](
        * VMware Workstation macOS
    * [Running macOS Catalina Beta on VirtualBox Linux - Astr0baby](
    * [macos-virtualbox](
        * A Bash script that creates a macOS virtual machine guest on VirtualBox with unmodified macOS installation files downloaded directly from Apple servers. Tested on Cygwin. Works on macOS, Windows Subsystem for Linux, and CentOS 7. Should work on most modern Linux distros.
    * [How to create a macOS virtual machine in VMware Fusion on Mac without a CD, USB drive or recovery partition - Oleksii Chekulaiev(2017)](
* **Automated Lab/Machine Creation Tools**
    * **Talks/Videos**
        * [Windows Server 2016 AutoLab Setup - Jason Helmick(2016)](
            * Join Pluralsight author Jason Helmick as he walks through his automated lab setup for use in our Windows Server 2016 content. Check out how to build your lab environment so you can follow along with our authors as you learn the ins and outs of Windows Server 2016.
    * **General**
        * [Security Scenario Generator (SecGen)](
            * SecGen creates vulnerable virtual machines so students can learn security penetration testing techniques. Boxes like Metasploitable2 are always the same; this project uses Vagrant, Puppet, and Ruby to create randomly vulnerable virtual machines that can be used for learning or for hosting CTF events.
    * **Malware**
        * [Set up your own malware analysis lab with VirtualBox, INetSim and Burp - Christophe Tafani-Dereeper](
        * [CyRIS: Cyber Range Instantiation System](
            * CyRIS is a tool for facilitating cybersecurity training by automating the creation and management of the corresponding training environments (a.k.a. cyber ranges) based on a description in YAML format. CyRIS is being developed by the Cyber Range Organization and Design (CROND) NEC-endowed chair at the Japan Advanced Institute of Science and Technology (JAIST).
        * [DockerSecurityPlayground](
            * A microservices-based framework for the study of network security and penetration test techniques.
    * **Windows**
        * [PSAutoLab](
            * This project serves as a set of "wrapper" commands that utilize the Lability module, which is a terrific tool for creating a lab environment of Windows based systems. The downside is that it is a difficult module for less experienced PowerShell users. The configurations and control commands for the Hyper-V virtual machines are written in PowerShell using Desired State Configuration (DSC) and deployed via Lability.
        * [Lability](
            * The Lability module enables simple provisioning of Windows Hyper-V development and testing environments. It uses a declarative document for machine configuration. However, rather than defining configurations in an external custom domain-specific language (DSL) document, Lability extends existing PowerShell Desired State Configuration (DSC) configuration (.psd1) documents with metadata that can be interpreted by the module. This approach allows the use of a single configuration document to describe all properties for provisioning Windows-centric development and/or test environments.
        * [Detection Lab](
            * Vagrant & Packer scripts to build a lab environment complete with security tooling and logging best practices. This lab has been designed with defenders in mind. Its primary purpose is to allow the user to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices when it comes to system logging configurations. It can easily be modified to fit most needs or expanded to include additional hosts.
        * [DetectionLabELK](
            * DetectionLabELK is a fork of DetectionLab with the ELK stack instead of Splunk.
* **VMs/Apps Designed to be Attacked**
    * [List of VMs that are preconfigured virtual machines](
    * [The Hacker Games - Hack the VM before it hacks you](
        * I have talked about counterattacks here before, and this system has implemented a number of aggressive anti-hacker measures. In fact, this VM is downright evil. I am probably legally obligated to tell you that it will try to hack you. So if a calculator or message declaring your pwnedness pops up or shows up on your desktop, you asked for it. But don’t worry, it won’t steal your docs or rm you, it will just demonstrate compromise for the game. To save precious bandwidth, this has been implemented in a minimal tinycore-based VM, and will require VirtualBox to run.
    * **Android**
        * [EVABS (Extremely Vulnerable Android Labs)](
            * An open source Android application that is intentionally vulnerable so as to act as a learning platform for Android application security beginners. The effort is to introduce beginners with very limited or zero knowledge to some of the major and commonly found real-world Android application vulnerabilities in a story-based, interactive model. EVABS follows a level-wise difficulty approach and in each level the player learns a new concept. This project is still in progress and aims at incorporating as many levels as possible.
    * **AWS**
        * [AWS Well-Architected Security Labs - Amazon(Official)](
            * This repository contains documentation and code in the format of hands-on labs to help you learn, measure, and build using architectural best practices. The labs are categorized into levels, where 100 is introductory, 200/300 is intermediate and 400 is advanced.
        * [CloudGoat](
            * CloudGoat is Rhino Security Labs' "Vulnerable by Design" AWS deployment tool. It allows you to hone your cloud cybersecurity skills by creating and completing several "capture-the-flag" style scenarios. Each scenario is composed of AWS resources arranged together to create a structured learning experience. Some scenarios are easy, some are hard, and many offer multiple paths to victory. As the attacker, it is your mission to explore the environment, identify vulnerabilities, and exploit your way to the scenario's goal(s).
        * [CloudGoat 2: The New & Improved “Vulnerable by Design” AWS Deployment Tool - Jeffrey Anderson](
        * [CloudGoat 2 Walkthrough - Part One -](
        * [Damn Vulnerable Cloud Application](
            * This is a demonstration project to show how to do privilege escalation on AWS. DO NOT deploy this on an AWS account unless you know very well what you are doing!
        * **Lambda**
            * [lambhack](
                * A vulnerable serverless Lambda application. It is certainly a bad idea to base any coding patterns on what you see here. lambhack allows you to take advantage of our tried and true application security problems, namely arbitrary code execution, XSS, injection attacks and more. This first release only contains arbitrary code execution through the query string. Please feel free to contribute new vulnerabilities.
    * **Docker**
        * [Vulnerable Docker VM - notsosecure](
            * Ever fantasized about playing with Docker misconfigurations, privilege escalation, etc. within a container? Download this VM, pull out your pentest hats and get started.
        * [Vulhub - Some Docker-Compose files for vulnerabilities environment](
    * **Exploit Development**
        * [exploit_me](
            * Very vulnerable ARM application (CTF style exploitation tutorial for ARM, but portable to other platforms).
    * **Git Repo**
        * [Leaky Repo](
    * **Router**
        * [iv-wrt](
            * An Intentionally Vulnerable Router Firmware Distribution.
    * **Serverless**
        * [ServerlessGoat](
            * This serverless application demonstrates common serverless security flaws as described in the Serverless Security Top 10 Weaknesses guide.
    * **Terraform**
        * [TerraGoat](
            * TerraGoat is Bridgecrew's "Vulnerable by Design" Terraform repository. TerraGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.
    * **Thick Client**
        * [Damn Vulnerable Thick Client Application - Part 1 - Setup - Parsia's Den](
-----
### Web Applications <a name="webapp"></a>
* **OWASP**<a name="owasp"></a>
    * [OWASP Vulnerable Web Applications Directory Project/Pages/Offline](
    * [OWASP Broken Web Applications Project](
        * OWASP Broken Web Applications Project is a collection of vulnerable web applications that is distributed on a virtual machine.
    * [OWASP Juiceshop](
        * [OWASP Juice Shop(Github)](
            * OWASP Juice Shop is an intentionally insecure web application written entirely in JavaScript which encompasses the entire range of the OWASP Top Ten and other severe security flaws.
        * [OWASP JuiceShop Gitbook walkthrough](
        * [Video Walk through by Sunny Wear](
        * [Pwning OWASP Juice Shop](
    * [OWASP Damn Vulnerable Web Sockets](
        * OWASP Damn Vulnerable Web Sockets (DVWS) is a vulnerable web application which works on web sockets for client-server communication. The flow of the application is similar to DVWA. You will find more vulnerabilities than the ones listed in the application.
    * [NodeGoat](
        * Being lightweight, fast, and scalable, Node.js is becoming a widely adopted platform for developing web applications. This project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.
    * [OWASP DevSlop Project](
        * A collection of DevOps-driven applications, specifically designed to showcase security catastrophes and vulnerabilities for use in security testing, software testing, learning and teaching for both developers and security professionals.
    * [OWASP Mutillidae II](
        * OWASP Mutillidae II is a free, open source, deliberately vulnerable web application providing a target for web-security enthusiasts. Mutillidae can be installed on Linux and Windows using LAMP, WAMP, and XAMPP. It is pre-installed on SamuraiWTF and OWASP BWA. The existing version can be updated on these platforms. With dozens of vulnerabilities and hints to help the user, this is an easy-to-use web hacking environment designed for labs, security enthusiasts, classrooms, CTFs, and vulnerability assessment tool targets. Mutillidae has been used in graduate security courses, corporate web sec training courses, and as an "assess the assessor" target for vulnerability assessment software.
* **General**<a name="wgen"></a>
    * [Damn Vulnerable Web App](
        * Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goal is to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and to aid both students & teachers to learn about web application security in a controlled classroom environment.
    * [Damn Small Vulnerable Web](
        * Damn Small Vulnerable Web (DSVW) is a deliberately vulnerable web application written in under 100 lines of code, created for educational purposes. It supports the majority of (the most popular) web application vulnerabilities together with appropriate attacks.
    * [File scanner web app (Part 1 of 5): Stand-up and webserver](
    * [Xtreme Vulnerable Web Application (XVWA)](
        * XVWA is a badly coded web application written in PHP/MySQL that helps security enthusiasts to learn application security. It’s not advisable to host this application online as it is designed to be “Xtremely Vulnerable”. We recommend hosting this application in a local/controlled environment and sharpening your application security ninja skills with any tools of your own choice.
    * [Hackazon](
        * Hackazon is a free, vulnerable test site that is an online storefront built with the same technologies used in today’s rich client and mobile applications. Hackazon has an AJAX interface, strict workflows and RESTful APIs used by a companion mobile app, providing a uniquely effective training and testing ground for IT security professionals. And it’s full of your favorite vulnerabilities like SQL injection, cross-site scripting and so on.
    * [Vulnerable Web applications Generator](
        * This is the Git repo of VWGen, which stands for Vulnerable Web applications Generator.
    * [secDevLabs](
        * By provisioning local environments via docker-compose, you will learn how the most critical web application security risks are exploited and how the vulnerable code can be fixed to mitigate them.
    * [LKWA](
        * Lesser Known Web Attack Lab is for intermediate pentesters who want to test and practice lesser known web attacks such as object injection, XSSI, PHAR deserialization, variable variables, etc.
    * [One Random Insecure Web Application Please (ORIWAP) - Nancy Snoke(NolaCon2019)](
        * You may need an insecure web application as part of yearly developer compliance training. You may need an insecure web application for a company-wide contest for cyber security awareness month. Perhaps you just like playing with insecure web applications on the weekend. There are a variety of insecure web applications out there. If you have specific needs (maybe XSS in VBScript as opposed to JavaScript), or a regular use case where you want something that showcases the OWASP Top 10 but with different topics and a different look every time, then what is out there may not work for you. This talk introduces a new tool, ORIWAP (One Random Insecure Web Application Please), which can randomly generate an insecure web application (the security features, visual style, and data: users, passwords, forum postings, about page). If you don't like randomness you can specify some or all of the settings and an application will be generated. The talk will demo creating several new applications, and show the variety of options for creating the perfect insecure web application for you. This talk will also discuss how the code works for each area: security features, visual style, and data.
    * [Damn Small Vulnerable Web in Docker](
* **Specific**<a name="specific"></a>
    * **API**<a name="sapi"></a>
        * [vulnerable-api](
        * [How to configure Json.NET to create a vulnerable web API](
    * **Django**<a name="sdj"></a>
        * [django.nV](
            * django.nV is a purposefully vulnerable Django application provided by nVisium.
    * **HTTP Smuggling**<a name="shtt"></a>
        * [HTTP-Smuggling-Lab](
            * Use HTTP Smuggling Lab to learn HTTP Smuggling.
    * **JSP**<a name="sjsp"></a>
        * [MoneyX](
            * MoneyX is an intentionally vulnerable JSP application used for training developers in application security concepts.
    * **Node.js**<a name="sno"></a>
        * [node.nV](
            * Intentionally vulnerable Node.js application.
        * [goat.js](
            * Tutorial for Node.js security.
        * [Damn Vulnerable NodeJS Application(DVNA)](
            * Damn Vulnerable NodeJS Application (DVNA) is a simple NodeJS application to demonstrate OWASP Top 10 vulnerabilities and guide on fixing and avoiding them. The fixes branch contains fixes for the vulnerabilities; fixes for the OWASP Top 10 2017 vulnerabilities are in the fixes-2017 branch.
    * **Ruby**<a name="sruby"></a>
        * [grails_nV](
            * grails_nV is a vulnerable jobs listing website.
        * [RailsGoat](
            * RailsGoat is a vulnerable version of the Ruby on Rails Framework from versions 3 to 5. It includes vulnerabilities from the OWASP Top 10, as well as some "extras" that the initial project contributors felt worthwhile to share. This project is designed to educate both developers, as well as security professionals.
    * **SSRF**<a name="ssrf"></a>
        * [SSRF Vulnerable Lab](
            * This repository contains PHP code which is vulnerable to Server-Side Request Forgery (SSRF) attacks.
    * **SSO**<a name="ssso"></a>
        * [Vulnerable SSO](
            * Vulnerable SSO is focused on single sign-on related vulnerabilities. If you want to learn, you should check out and contribute to this project. The VulnSSO tool is focused on SSO attacks. Nowadays most companies use their own implementation for SSO solutions, and some bug hunters have found really good vulnerabilities at big companies. There are some tools (DVWA and others) that contain vulnerabilities, but they don't have any support for SSO vulnerabilities. Our focus is only SSO related bugs. VulnSSO is a training tool. It will contain a redirect URI vulnerability, XXE on SAML requests and many others.
    * **Web Cache Poisoning**<a name="swcp"></a>
        * [Web Cache Poisoning Lab](
            * Welcome to the Cache Poisoning Lab. In this lab you will have the opportunity to experiment with some of the vulnerabilities presented in the brilliant paper Practical Web Cache Poisoning by James Kettle.
* **Making One**
    * [clicker-service](
        * Docker container that accepts a POST with the following form data and then "clicks" the link. Intentionally vulnerable. To be used with vulnerable-by-design web apps to realistically simulate XSS and XSRF (CSRF). The service runs Flask to receive the POST requests, and runs on the default port of 5000.
-------------------------
### <a name="AD"></a> Setting up Active Directory Focused Labs
* **Official Documentation**<a name="adoc"></a>
    * [Install AD DS using PowerShell](
    * [Active Directory Domain Services Overview](
    * [Understanding Active Directory -](
    * [Windows Server 2016: Build a Windows Domain Lab at Home for Free - social.technet](
    * [Integrate macOS with Microsoft Active Directory -](
* **Guides**<a name="guides"></a>
    * **Active Directory Locally**
        * [Building an Effective Active Directory Lab Environment for Testing -](
        * [Step-By-Step: Setting up Active Directory in Windows Server 2016 - blogs.technet](
        * [Pentest Home Lab - 0x2 - Building Your AD Lab on Premises-SethSec](
        * [Building and Attacking an Active Directory lab with PowerShell - 1337red](
        * [DarthSidious](
            * Building an Active Directory domain and hacking it.
        * [Creating a SCCM Lab: Part 1 - Setting up AD](
        * [Build a new Windows Domain with a (semi) easy button - Craig Bowser](
        * [Introducing the Active Directory Learning Lab - @jckhmr_t](
            * I'm a big fan of automation with tools such as Ansible, Vagrant and Terraform now being put to regular use by me. Also, as a Red Team Operator I spend a lot of time modelling attacks up, trying new ideas out and generally keeping myself 'sharp'. I wanted to create something that helps me to scratch all of these itches. The research and development culminated in my [BSides Belfast 2019 presentation: Offensive Ansible for Red Teams (Attack, Build, Learn)](
        * [How to Build an Active Directory Hacking Lab - TheCyberMentor](
        * [PAW deployment guide - Jian Yan(2018)](
            * This blogpost only focuses on one aspect, which is the PAW deployment, including the backend servers.
        * [Step-by-Step Guide to install Active Directory in Windows Server 2019 (PowerShell Guide) - Disham M. Francis(2018)](
        * [Lab Building Guide: Virtual Active Directory - Vartai Security(2020)](
        * [Building a lab with Server 2019 Server Core and PowerShell …then attacking it! - Neil Lines(2020)](
    * **AWS**
        * [Active Directory Domain Services on the AWS Cloud: Quick Start Reference Deployment -](
        * [Active Directory Domain Services on AWS](
            * This Quick Start deploys Microsoft Active Directory Domain Services (AD DS) on the AWS Cloud. AD DS and Domain Name Server (DNS) are core Windows services that provide the foundation for many Microsoft-based solutions for the enterprise, including Microsoft SharePoint, Microsoft Exchange, and .NET Framework applications.
    * **Azure**
        * **Articles/Blogposts/Writeups**
            * [Automating the provisioning of Active Directory labs in Azure - Christophe Tafani-Dereeper](
        * **Tools**
            * [Disruption](
                * Disruption is Terraform code to deploy a small AD domain-based environment in Azure. The environment contains two domain controllers (Windows Server 2012), a file server + web server (Windows Server 2019), a Windows 7 client, a Windows 10 client, and a Kali Linux machine. They are connected to the same subnet. Each Windows machine has some packages installed during deployment (the list can be viewed and modified here: chocolist). All the needed configurations (domain creation, DC promotion, joining the machines to the domain and more) are automated and part of the deployment. However, there are more improvements to be added (creating OUs, users, and stuff like that). I might get to it in the future, or you will submit a pull request :)
* **Lab Generation**<a name="alabgen"></a>
    * **Personal Opinion**
        * __My Guide to Building your own AD Lab with 0 effort.__
            1. Use an automated lab creation solution/script.
            2. Populate it using [BadBlood](
            3. Add misconfigurations to it:
    * **Articles**
        * [Manage Active Directory Objects with the New Windows AD Provider for HashiCorp Terraform(2020)](
        * [Windows Server Administration for Beginners - IT & Software(Youtube)](
    * **Tools**
        * [Active Directory Auto Deployment of Tiers in any environment - David Rowe](
            * "This code is written in PowerShell and requires the AD commandlets to run. The current scripts in the repo: create a tiered structure in an Active Directory environment, create tiered groups with very granular permissions on the domain and create ACL permissions on the OUs based on the name of the group."
        * [WSLab - Official Microsoft Stuff](
            * Windows Server rapid lab deployment scripts.
        * [AutomatedLab](
            * AutomatedLab is a provisioning solution and framework that lets you deploy complex labs on Hyper-V and Azure with simple PowerShell scripts. It supports all Windows operating systems from 2008 R2 to 2016 including Nano Server and various products like AD, Exchange, PKI, IIS, etc.
        * [Automated-AD-Setup](
            * A PowerShell script that aims to have a fully configured domain built in under 10 minutes, but also apply security configuration and hardening.
        * [Invoke-ADLabDeployer](
            * Automated deployment of Windows and Active Directory test lab networks. Useful for red and blue teams.
            * [Blogpost](
        * [ADLab](
            * PowerShell script for creating an AD lab quickly.
            * [Blogpost](
        * [Purple Cloud](
            * An Infrastructure as Code (IaC) deployment of a small Active Directory pentest lab in the cloud. The deployment simulates a semi-realistic corporate enterprise Active Directory with a DC and endpoints. Purple team goals include blue team detection capabilities and R&D for detection engineering new approaches.
* **Domain Generator**<a name="adg"></a>
    * **Tools**
        * [BadBlood](
            * BadBlood by Secframe fills a Microsoft Active Directory domain with a structure and thousands of objects. The output of the tool is a domain similar to a domain in the real world. After BadBlood has been run on a domain, security analysts and engineers can practice using tools to gain an understanding of, and prescribe approaches to, securing Active Directory. Each time this tool runs, it produces different results. The domain, users, groups, computers and permissions are different. Every. Single. Time.
    * **Fake Data Generation**
        * [faker](
            * Faker is a Python package that generates fake data for you. Whether you need to bootstrap your database, create good-looking XML documents, fill in your persistence layer to stress test it, or anonymize data taken from a production service, Faker is for you.
* **Forest Generation**<a name="afg"></a>
    * **Talks/Presentations/Videos**
        * [How To Create An Active Directory Forest With PowerShell - Adam Bertram(2018)](
            * In this video, Adam covers the various parameters that are required to run the Install-ADDSForest command and goes over some gotchas that you should know about when building a new forest. Prerequisites include: (2) Windows Server 2016 VMs on the same network (soon-to-be domain controllers).
    * **Tools**
        * [Use PowerShell to Create a New Active Directory Forest on Windows 2019 Server Core Installation (no-GUI) - Mike F Robbins](
* **User Generation**<a name="aug"></a>
    * **Articles/Blogposts/Writeups**
        * [Create Bulk Users in Active Directory (Step-By-Step Guide) - Robert Allen(2018)](
        * [New-ADUser: Creating Active Directory Users with PowerShell - Kevin Sapp(2019)](
    * **Tools**
        * [ADImporter](
            * When you need to simulate a real Active Directory with thousands of users you quickly find that creating realistic test accounts is not trivial. Sure enough, you can whip up a quick PowerShell one-liner that creates any number of accounts, but what if you need real first and last names? Real (existing) addresses? Postal codes matching phone area codes? I could go on. The point is that you need two things: input files with names, addresses etc., and script logic that creates user accounts from that data. This blog post provides both.
        * [youzer](
            * Fake User Generator for Active Directory Environments.
        * [AzDummy](
            * A Python Typer-based CLI tool to generate fake data for Azure AD.
* **User Simulation**<a name="aus"></a>
    * **Tools**
        * [sheepl](
            * sheepl is a tool that aims to bridge the gap by emulating the behaviour that people normally undertake within a network environment. Using Python3 and AutoIT3, the output can be compiled into a standalone executable without any other dependencies that, when executed on a Windows endpoint, executes a set of tasks randomly over a chosen time frame.
-------------------------
  330. ### Building a Pentest Lab<a name="pentest"></a>
  331. * **Building a Lab Basics**<a name="blb"></a>
  332. * **Articles/Blogposts/Writeups**
  333. * [DarthSidious](
  334. * To share my modest knowledge about hacking Windows systems. This is commonly refered to as red team exercises. This book however, is also very concerned with the blue team; the defenders. That is, helping those who are working as defenders, analysts and security experts to build secure Active Directory environments and monitor them for malicious activity.
  335. * [Home Lab with pfSense & VMware Workstation - sysadmin perspective](
  336. * I wanted to build a virtual lab environment at home that would emulate an office environment. My requirements were to have separate network segments for Clients & Servers, and two DMZ networks. I also wanted my home network, which is external to the virtual lab environment, to emulate the Internet, even though it really isn’t. The following is how I created multiple “named” LAN segments within VMware Workstation, and routed between them using a VM running pfSense, which is an open source firewall.
  337. * [Setting Up a Pentest/Hacking Lab with Hyper-V](
  338. * [Setting up a Windows Lab Environment](
  339. * [Setting Up A Penetration Testing Lab - Rapid7](
  340. * [Building a Pentest Lab -](
  341. * [Privilege-Escalation](
  342. * Collection of VMs aimed at teaching different privilege escalation techniques with Vulnhub machines used for examples.
  343. * [Emulating ARM Router Firmware - Azeria](
  344. * **Offensive Monitoring**
  345. * **Articles/Blogposts/Writeups**
  346. * [Automating a RedELK Deployment Using Ansible - Jason Lang(2020)](
  347. * **Talks/Presentations/Videos**<a name="bltalk"></a>
  348. * [SANS Webcast: Building Your Own Super Duper Home Lab](
  349. * [Hack Yourself: Building a Test Lab - David Boyd](
  350. * [Hack-Yourself: Building a pentesting lab for fun & profit](
  351. * **Tools**<a name="bltools"></a>
  352. * [DumpsterFire](
  353. * [Slides](
  354. * The DumpsterFire Toolset is a modular, menu-driven, cross-platform tool for building repeatable, time-delayed, distributed security events. Easily create custom event chains for Blue Team drills and sensor / alert mapping. Red Teams can create decoy incidents, distractions, and lures to support and scale their operations. Turn paper tabletop exercises into controlled "live fire" range events. Build event sequences ("narratives") to simulate realistic scenarios and generate corresponding network and filesystem artifacts.
  355. * [Pentest Environment Deployer](
  356. * This repo provides an easy way to deploy a clean and customized pentesting environment with Kali linux using vagrant and virtualbox.
  357. * [Capsulecorp Pentest](
  358. * "The Capsulecorp Pentest is a small virtual network managed by vagrant and ansible. It contains five virtual machines, including one Linux attacking system running xubuntu and 4 Windows 2019 servers configured with various vulnerable services. This project can be used to learn network penetration testing as a stand-alone environment but is ultimately designed to complement my book The Art of Network Penetration Testing"
  359. * [Sadcloud](
  360. * sadcloud is a tool for spinning up insecure AWS infrastructure with Terraform. It supports approx. 84 misconfigurations across 22 AWS Services. The initial set of misconfigurations were drawn from ScoutSuite, NCCGroup's Multi-cloud auditing tool. sadcloud was created to easily allow security researchers to misconfigure AWS for training purposes, or to use to assess AWS security tools - including built-ins and third-party.
  361. * [Offensive ELK: Elasticsearch for Offensive Security](
  362. * Offensive ELK is a custom Elasticsearch setup, aiming to show how traditional “defensive” tools can be effectively used for offensive security data analysis, helping your team collaborate and triage scan results. In particular, Elasticsearch offers the chance to aggregate a multitude of disparate data sources, query them with a unified interface, with the aim of extracting actionable knowledge from a huge amount of unclassified data.
  363. * [Blogpost](
  364. * [RedELK](
  365. * Red Team's SIEM - tool for Red Teams used for tracking and alarming about Blue Team activities as well as better usability for the Red Team in long term operations.
  366. * **In the Clouds**<a name="clouds"></a>
  367. * **AWS**
  368. * **Official Documentation**
  369. * [Getting Started with AWS Managed Microsoft AD -](
  370. * [Active Directory Domain Services on the AWS Cloud: Quick Start Reference Deployment](
  371. * **Un-Official**
  372. * [Building A Lab on AWS - 0x1 SethSec](
  373. * [Pentesting In The Cloud - primalsecurity](
  374. * [Designing The Adversary Simulation Lab - Adam Chester(2020)](
  375. * **Azure**
  376. * [Building a security lab in Azure - blogs.technet](
  377. * **GCP**
  378. -------------------------
  379. ### <a name="defense"></a> Building a Defensive Lab
  380. * **Guides**<a name="guides"></a>
  381. * **Articles/Blogposts/Writeups**
  382. * [DIY Single Sign-On for SSH - Carl Tashian(2020)](
  383. * TL;DR In this post we're going to set up Google single sign-on for SSH. Behind the scenes, we'll use OpenID Connect (OIDC), short-lived SSH certificates, a couple of clever SSH configuration tweaks, and Smallstep's open-source step-ca and step packages. We will set up an SSH Certificate Authority, and use it to bootstrap a new host and a new user in our system. While this approach requires more up-front work than a typical SSH public/private key setup, it comes with a lot of benefits beyond single sign-on. It eliminates the need for gathering and shipping and managing authorized_keys files.
  384. * **Talks/Presentations/Videos**
  386. * [Webcast: Group Policies That Kill Kill Chains - BHIS(2019)](
  387. * [Getting Started With Sysmon - John Strand(2019)](
  388. * [Webcast: Implementing Sysmon and Applocker - BHIS(2019)](
  389. * [Webcast: Windows logging, Sysmon, and ELK - BHIS(2019)](
  390. * [Webcast: Let’s Talk About ELK Baby, Let’s Talk About You and AD - BHIS(2020)](
  391. * This webcast is going to demonstrate an integration between our ongoing Windows baseline best practices configuration and improving your endpoint optics. But first, we’re going to summarize some previous webcasts, their content, and the order in which they should be reviewed to tie all of these things together. Then, with all the baseline content and configuration options summarized, we are going to help you put a bow on all that, just in time for the Holidays.
  392. * [Virtual Smart Cards for Lab Environments - Eddie David(Derbycon2019)](
  393. * Have you ever wanted to learn what a virtual smart card is? How to set them up? Are you running gear in your lab with no TPM security chips? This is something unique that I do for my lab environments with Hyper-V. It's very real world as there are high security organizations out there that do use smart cards. This talk will dive into what is minimally involved to set this environment up so you can run your labs in a passwordless way.
  394. * **Application Whitelisting**
  395. * **WDAC**
  396. * [Building a Windows Defender Application Control Lab - FortyNorthSecurity(2018)](
  397. * **Elastic Search + Log Forwarder/Parser + Kibana**<a name="elk"></a>
  398. * **101**
  399. * **Articles/Blogposts/Writeups**
  400. * [Installing ELK 7 (Elasticsearch, Logstash and Kibana) – Windows Server 2016 (Part I) - Rob Willis(2019)](
  401. * [Using the ELK Stack and Python in Penetration Testing Workflow - Adam Vanderbush](
  402. * [The Complete Guide to the ELK Stack - Daniel Berman(2019)](
  403. * **Tools**
  404. * [Elastic stack (ELK) on Docker](
  405. * Run the latest version of the Elastic stack with Docker and Docker Compose.
  406. * **FW Log Visualization**
  407. * [pfELK](
  408. * pfELK was created in 2016 after spending hours researching firewall visualization. After stumbling across Elasticstack (formerly known as ELK stack), and after weeks of troubleshooting and research, the process was refined and shared to aid others in leveraging the awesome power of Elasticsearch through the visualization of firewall events. pfELK is comprised of Java, Elasticstack, and a number of dependencies. Your firewall logs are parsed through various patterns simplifying firewall log analysis. Currently, pfSense and OPNsense are supported with extensive testing.
  409. * **Network Access Controls**
  410. * [PacketFence](
  411. * PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) solution. Boasting an impressive feature set including a captive-portal for registration and remediation, centralized wired, wireless and VPN management, industry-leading BYOD capabilities, 802.1X and RBAC support, integrated network anomaly detection with layer-2 isolation of problematic devices; PacketFence can be used to effectively secure small to very large heterogeneous networks.
  412. * **Individual Machines**
  413. * **Linux**
  414. * **Articles/Blogposts/Writeups**
  415. * **Talks/Presentations/Videos**
  416. * **Windows**
  417. * **Articles/Blogposts/Writeups**
  418. * [Windows 10 is ‘mine’…, Part 1 - Hexacorn](
  419. * Hexacorn walking through setting up a Win10 VM to his standards.
  420. * **Talks/Presentations/Videos**
  421. * **Monitoring & Threat Hunting**<a name="monitoring"></a>
  422. * **Articles/Blogposts/Writeups**
  423. * [How To Do Endpoint Monitoring on a Shoestring Budget – Webcast Write-Up - Joff Thyer, Derek Banks](
  424. * [Azure Sentinel To-Go: Sentinel Lab w/ Prerecorded Data 😈 & a Custom Logs Pipe via ARM Templates 🚀 - Cyb3rWard0g](
  425. * [Building a SIEM: centralized logging of all Linux commands with ELK + auditd - Security Shenanigans(2020)](
  426. * [How To Deploy Windows Optics: Commands, Downloads, Instructions, and Screenshots - Jordan Drysdale & Kent Ickler(2020)](
  427. * [How To: Applied Purple Teaming Lab Build on Azure with Terraform (Windows DC, Member, and HELK!) - Jordan Drysdale & Kent Ickler(2020)](
  428. * **Talks/Presentations/Videos**
  429. * [Build your own threat hunting based on open-source tools - Teymur Kheirkhabarov(PHDays2018)](
  430. * [Building a Home Network Configured to Collect Artifacts for Supporting Network Forensic Incident Response](
  431. * **Tools**
  432. * **Lab-Creation/Generation**
  433. * [DetectionLab](
  434. * [...] to allow the user to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices when it comes to system logging configurations. It can easily be modified to fit most needs or expanded to include additional hosts.
  435. * [ELK Detection Lab](
  436. * An ELK environment loaded with the following datasets: Mordor from Roberto Rodriguez @Cyb3rWard0g and Jose Luis Rodriguez @Cyb3rPandaH; EVTX-ATTACK-SAMPLES from Samir Bousseaden @SBousseaden; PCAPs from @malware_traffic processed with Suricata.
  437. * [HELK](
  438. * The Hunting ELK or simply the HELK is one of the first open source hunt platforms with advanced analytics capabilities such as SQL declarative language, graphing, structured streaming, and even machine learning via Jupyter notebooks and Apache Spark over an ELK stack. This project was developed primarily for research, but due to its flexible design and core components, it can be deployed in larger environments with the right configurations and scalable infrastructure.
  439. * [SweetSecurity](
  440. * Scripts to set up and install Bro IDS, Elastic Search, Logstash, Kibana, and Critical Stack on a Raspberry Pi 3 device
  441. * [Response Operation Collections Kit Reference Build](
  442. * [RedELK](
  443. * Red Team's SIEM - tool for Red Teams used for tracking and alarming about Blue Team activities as well as better usability for the Red Team in long term operations.
  444. * [Defensive Origins - Lab Build Scripts](
  445. * This repo contains build scripts for Defensive Origin's various lab environments.
  446. * **Datasets/Generation**
  447. * [Mordor](
  448. * The Mordor project provides pre-recorded security events generated by simulated adversarial techniques in the form of JavaScript Object Notation (JSON) files for easy consumption. The pre-recorded data is categorized by platforms, adversary groups, tactics and techniques defined by the Mitre ATT&CK Framework. The pre-recorded data represents not only specific known malicious events but additional context/events that occur around it. This is done on purpose so that you can test creative correlations across diverse data sources, enhancing your detection strategy and potentially reducing the number of false positives in your own environment.
  449. * **Linux**
  450. * [auditd - Neo23x0](
  451. * Best Practice Auditd Configuration
  452. * **Windows Domain**<a name="bwd"></a>
  453. * **Articles/Blogposts/Writeups**
  454. * [Microsoft-Blue-Forest](
  455. * A Blue Forest is centered around Blue Team operational security in domain networks. This repository serves as a living documentation on securing Windows domain networks running modern Microsoft operating systems.
  456. * **Talks/Presentations/Videos**
  457. * **Tools**
  458. * [Gathering Windows, PowerShell and Sysmon Events with Winlogbeat – ELK 7 – Windows Server 2016 (Part II)](
  459. * [PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs - Jorge]
  460. * **In the Clouds**
  461. * [Securing Azure Infrastructure - Hands on Lab Guide - Adam Raffle, Tom Wilde](
  462. * [Response Operation Collections Kit Reference Build](
  463. * [Applied Purple Teaming Threat Optics Lab - Azure TerraForm](
  464. * [Adaz: Active Directory Hunting Lab in Azure](
  465. * This project allows you to easily spin up Active Directory labs in Azure with domain-joined workstations, Windows Event Forwarding, Kibana, and Sysmon using Terraform/Ansible.
  466. * [SimuLand](
  467. * Cloud Templates and scripts to deploy mordor environments. An initiative from the Open Threat Research (OTR) community to share cloud templates and scripts to deploy network environments to simulate adversaries, generate/collect data and learn more about adversary tradecraft from a defensive perspective. The difference with other environments is that we do not have one scenario to cover all use-cases, but multiple modular environments that adapt to specific topics of research.
  468. * **Fake Data Generation**
  469. * [Ps-Whitenoise](
  470. * Powershell - web traffic whitenoise generator
  471. * **Other**
  472. * [elk-hole](
  473. * Pi-hole data visualization using Elasticsearch, Logstash and Kibana. elk-hole provides the relevant files and configuration to easily visualize pi-holes/dnsmasq statistics via the popular elasticstack.
  474. -------------------------------------------------------
  475. ### Building a VM/Machine for Remote Testing <a name="remote"></a>
  476. * **Remote Access**
  477. * [Creating an Internal Pen Test VM with Ngrok - FortyNorthSecurity(2020)](
  478. -------------------------
  479. ### Other Labs <a name="other"></a>
  480. * [DanderSpritz Lab](
  481. * The goal of DanderSpritz lab is to allow researchers and defenders to quickly stand up a fully functional version of DanderSpritz - The Equation Group's post-exploitation tool-set - and a Windows Server 2008 Domain and client as targets. The Windows target has some reverse engineering tools that I found useful while investigating DanderSpritz and its capabilities.
  482. * [deploy-your-own-saas](
  483. * 'List of "only yours" cloud services for everyday needs'
  484. * **Access Methods**<a name="oam"></a>
  485. * **RDP**
  486. * [Apache Guacamole](
  487. * Apache Guacamole is a clientless remote desktop gateway. It supports standard protocols like VNC, RDP, and SSH. We call it clientless because no plugins or client software are required. Thanks to HTML5, once Guacamole is installed on a server, all you need to access your desktops is a web browser.
  488. * [Apache Guacamole: How To Install and Configure - FortyNorth Security](
  489. * [xrdp](
  490. * xrdp provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP). xrdp accepts connections from a variety of RDP clients: FreeRDP, rdesktop, NeutrinoRDP and Microsoft Remote Desktop Client (for Windows, Mac OS, iOS and Android).
  491. * **SSH**
  492. * [ubuntu.autossh](
  493. * Autossh reverse tunnel to central server.
  494. * **VPN**
  495. * **Wireguard**
  496. * [Wireguard - Wikipedia](
  497. * WireGuard is a free and open-source software application and communication protocol that implements virtual private network (VPN) techniques to create secure point-to-point connections in routed or bridged configurations. It is run as a module inside the Linux kernel, and aims for better performance and more power saving than the IPsec and OpenVPN tunneling protocols. It was written by Jason A. Donenfeld and is published under the GNU General Public License (GPL) version 2.
  498. * [wg-access-server](
  499. * wg-access-server is a single binary that provides a WireGuard VPN server and device management web ui. We support user authentication, 1 click device registration that works with Mac, Linux, Windows, iOS and Android including QR codes. You can configure different network isolation modes for better control and more. This project aims to deliver a simple VPN solution for developers, homelab enthusiasts and anyone else feeling adventurous.
  500. * **Containers/Related**<a name="ocr"></a>
  501. * **Docker**
  502. * **Articles/Blogposts/Writeups**
  503. * [Docker Your Command & Control (C2) - obscuritylabs](
  504. * [Create a Reusable Burner OS with Docker, Part 1: Making an Ubuntu Hacking Container - EvilToddler](
  505. * [Part 2](
  506. * **Tools**
  507. * [linuxkit](
  508. * A toolkit for building secure, portable and lean operating systems for containers
  509. * [Bad Dockerfile](
  510. * A Dockerfile that creates an image with known vulnerabilities.
  511. * [Blogpost](
  512. * **Kubernetes**
  513. * **Instances**
  514. * [Simulator](
  515. * A distributed systems and infrastructure simulator for attacking and debugging Kubernetes: simulator creates a kubernetes cluster for you in your AWS account; runs scenarios which misconfigure it and/or leave it vulnerable to compromise and trains you in mitigating against these vulnerabilities.
  516. * [k3s](
  517. * Lightweight Kubernetes. Easy to install, half the memory, all in a binary less than 40mb.
  518. * [k3d](
  519. * Little helper to run Rancher Lab's k3s in Docker
  520. * [kube_security_lab](
  521. * The goal of this project is to make use of Docker and specifically kind to create a lab environment for testing Kubernetes exploits and security tools entirely locally on a single machine without any requirement for remote resources or Virtual Machines being spun up.
  522. * [kind](
  523. * kind is a tool for running local Kubernetes clusters using Docker container “nodes”. kind was primarily designed for testing Kubernetes itself, but may be used for local development or CI.
  524. * **Vulnerable**
  525. * [Bust-a-Kube](
  526. * [Kubernetes Goat](
  527. * Kubernetes Goat is designed to be an intentionally vulnerable cluster environment to learn and practice Kubernetes security.
  528. * **Development**
  529. * [Callback Catcher](
  530. * Callback Catcher is a multi-socket control tool designed to aid in pentest activities. It has a simple web application with a backend API that allows the user to control what TCP and UDP sockets should be opened on the server. It records any and all data sent to the exposed sockets and logs it to a database which can be easily accessed via its backend API. It's kind of intended to be like the love child of Burp Collaborator and Responder. Alternatively, think of it like a low/medium interaction honeypot. It's been coded on top of the Django REST framework, which offers a number of benefits, primarily being able to create your own client scripts and tools and quick searching and filtering of data. Opening of sockets is built on top of Python's SocketServer library. Upon spinning up a socket a user is given the option to assign a handler to the socket, which is effectively user-defined code that overrides the handler function within the SocketServer.TCPServer and SocketServer.UDPServer classes. This code tells the socket how to handle the incoming data and what to respond with. Each connection to the socket is recorded to a database.
  531. * **Mail Servers**
  532. * **Hosting**
  533. * **Local**
  534. * [Papercut](
  535. * Simple Desktop SMTP Server
  536. * **Mobile Device Management**
  537. * **macOS**
  538. * [MicroMDM](
  539. * MicroMDM is a project which provides an open source Mobile Device Management server for Apple devices. Our goal is to create a performant and extensible device management solution for enterprise and education.
  540. * **Defensive CI/CD**<a name="dcicd"></a>
  541. * **F**
  542. * See [AppSec/Programming Stuff](
  543. * **Offensive CI/CD**<a name="ocicd"></a>
  544. * **Agnostic(not really) Talks**
  545. * [Offensive Development: How To DevOps Your Red Team - Dominic Chell(BSidesMCR2019)](
  546. * [OffSecOps – Will Schroeder (SO-CON 2020)](
  547. * As the offensive industry continues to mature in reaction to the progression of its defensive counterpart, offensive teams have increasingly integrated DevOps practices to mature their operations. In this talk, we'll describe our approach to building an offensive continuous integration (CI) pipeline, including our architecture and lessons learned. We'll show how tracking of (unique) artifacts per engagement, proactive scanning for artifacts submitted by defenders to cloud analysis platforms, integrated obfuscation, OPSEC scanning of artifacts, and seamless integration of the build process into existing C2 frameworks (like Cobalt Strike) can all be accomplished with free installations of Jenkins and Artifactory on your own (non-cloud) hardware. Come learn how to up your artifact game!
  548. * [Offensive Development: Post Exploitation Tradecraft in an EDR World - Dominic Chell(x33fCon2020)](
  549. * You spend days or even weeks perfecting the perfect phish; your campaign has a targeted pre-text, a slick initial access payload and it slips through perimeter defences right into your target's inbox. Moments later, your C2 pings and your beacon is awake - you're in, it's time to explore! You start by probing the endpoint, checking your privileges and getting your bearings in the network. Suddenly, silence... your beacon has stopped responding, your infrastructure is burned and you have to start over. Command line logging, PowerShell logging, sysmon, EDR, EDP, app whitelisting, AMSI, the blue team has it all and you're playing on their turf. Unless your post-exploitation game is at its peak, you shall not pass. During this talk we will explore post-exploitation tradecraft, reviewing the opsec pitfalls that commonly lead to detection in mature environments as well as how to significantly reduce the indicators of compromise. It will demonstrate how DevOps principles can be applied to red teaming, focusing on the implementation of a custom CI/CD pipeline to automatically consume, build and deploy existing and custom tooling to an environment in a manner agnostic to any command and control framework. This approach also provides the operator with the capability to programmatically and automatically protect their tools from DFIR, safeguarding intellectual property and operational infrastructure when an artifact is dropped to disk. The future of red teaming is offensive development.
  550. * **AMSI Automation**
  551. * **Articles/Blogposts/Writeups**
  552. * [AMSI as a Service — Automating AV Evasion - James](
  553. * **Tools**
  554. * [AMSI_Handler](
  555. * Automate AV evasion by calling AMSI
  556. * **CI/CD with Azure Pipelines**
  557. * **101**
  558. * [Azure Pipelines](
  559. * [What is Azure Pipelines? -](
  560. * [Azure Pipelines documentation -](
  561. * **Articles/Blogposts/Writeups**
  562. * [Using Azure Pipelines to validate my Sysmon configuration - Olaf Hartong(2020)](
  563. * [Testing your RedTeam Infrastructure - Adam Chester(2020)](
  564. * In this post I'm going to start with a quick review of how RedTeam infrastructure is defined in code which would typically live in a Git repo somewhere. More importantly however, we will continue this by looking at ways in which our environments can be tested as they evolve and increase in complexity, finishing with a walkthrough of how we can introduce a CI pipeline into the mix to help automate this testing.
  565. * **CI/CD with Github**
  566. * **101**
  567. * [Github Actions Documentation](
  568. * **Articles/Blogposts/Writeups**
  569. * [An Introduction to Github Actions - Gabriel Tanner(2019)](
  570. * [Building Tooling With GitHub Actions - James(2019)](
  571. * [Offensive Development with GitHub Actions - James Williams(2020)](
  572. * **CI/CD with Jenkins**
  573. * **101**
  574. * [Jenkins](
  575. * open source automation server
  576. * [Getting started with the Guided Tour -](
  577. * [What Is Jenkins? How & Why To Use It? - Himanshu Sheth(2020)](
  578. * **Articles/Blogposts/Writeups**
  579. * [Learn How to Set Up a CI/CD Pipeline From Scratch - Samarpit Tuli(2018)](
  580. * [CI/CD Pipeline using Jenkins and Gogs - Vishnu(2020)](
  581. * [Jenkins - More than Just Target Practice - FortyNorth Security](
  582. * [Jenkins Multibranch Pipeline Tutorial For Beginners - Bibin Wilson(2020)](
  583. * [Jenkins Automated Build Trigger On Github Pull Request - devopscube(2020)](
  584. * **Talks/Presentations/Videos**
  585. * [OffSecOps – Will Schroeder (SO-CON 2020)](
  586. * As the offensive industry continues to mature in reaction to the progression of its defensive counterpart, offensive teams have increasingly integrated DevOps practices to mature their operations. In this talk, we'll describe our approach to building an offensive continuous integration (CI) pipeline, including our architecture and lessons learned. We'll show how tracking of (unique) artifacts per engagement, proactive scanning for artifacts submitted by defenders to cloud analysis platforms, integrated obfuscation, OPSEC scanning of artifacts, and seamless integration of the build process into existing C2 frameworks (like Cobalt Strike) can all be accomplished with free installations of Jenkins and Artifactory on your own (non-cloud) hardware. Come learn how to up your artifact game!
  587. * **Policy Enforcement**
  588. * [Leveraging DevSecOps Practices to Secure Red Team Infrastructure - Jesse Somerville(2020)](
  589. -------------------------------------------------------
  590. ### Infrastructure Automation <a name="infra"></a>
  591. * **101**<a name="i101"></a>
  592. * [PhoenixServer - Martin Fowler](
  593. * [An Introduction to the /opt Directory - Nick Sweeting](
  594. * [An introduction to immutable infrastructure - Josh Stella(2015)](
  595. * "Why you should stop managing infrastructure and start really programming it."
  596. * **Articles/Blogposts**
  597. * [An Introduction to Configuration Management - Erika Heidi(2019)](
  598. * [Automation Testing With Ansible, Molecule, And Vagrant - Mike Spitzer](
  599. * [Building a scalable, highly available, and portable web server - Surya Dantuluri](
  600. * [Containerised Home Server With Docker Compose and Traefik - Kristian Glass](
  601. * [Infrastructure as Code, Part One - Emily Woods](
  602. * [Automating a RedELK Deployment Using Ansible - Jason Lang](
  603. * [Red Teaming Series: Part 1 : Setting the environment, Running the C2 server on Docker and Bypassing latest security controls. - ](
  604. * [Designing The Adversary Simulation Lab - Adam Chester](
  605. * [Building, Modifying, and Packing with Azure DevOps - Adam Chester(2020)](
  606. * [Hitchhikers Guide to the PowerShell Module Pipeline - Michael Willis](
  607. * The following article highlights both high and mid level concepts toward creating a simple release pipeline for PowerShell modules. The major focus will cover file structure, test practices, task runners, and portability between CI/CD systems. Additional topics include generated reports, design patterns for code consistency, and a Jenkins CI implementation. The supplementary project: Xainey/PSHitchhiker is available on Github to analyze alongside the project.
  608. * **Infrastructure Automation Tools**<a name="infrauto"></a>
  609. * **Ansible**
  610. * **Articles/Blogposts**
  611. * [AWX](
  612. * AWX provides a web-based user interface, REST API, and task engine built on top of Ansible. It is the upstream project for Tower, a commercial derivative of AWX.
  613. * **Chef**
  614. * **Salt**
  615. * **Puppet**
  616. * **Terraform**
  617. * [An Intro to Terraform with Azure, PFSense, and Windows 10 - FortyNorth Security](
  618. * [Modern C2 Infrastructure with Terraform, DigitalOcean, Covenant and Cloudflare - Riccardo](
  620. * [Automating Red Team Infrastructure with Terraform - @spottheplanet](
  621. * [Infrastructure as Code: Setting up a web application penetration testing laboratory - avasdream(2020)](
  622. * **Vagrant & Packer**
  623. * **101**
  624. * [Vagrant Documentation -](
  625. * **Articles/Blogposts**
  626. * [Automating Red Team Homelabs: Part 1 – Kali Automation - Alex Rodriguez](
  627. * [Automating Red Team Homelabs: Part 2 – Build, Pentest, Destroy, and Repeat - Alex Rodriguez](
  628. * **Windows**
  629. * [Modern Windows Attacks and Defense Lab](
  630. * This is the lab configuration for the Modern Windows Attacks and Defense class that Sean Metcalf (@pyrotek3) and I (Jared Haight) teach.
  631. * [Self-Installing Windows OVA](
  632. * This is a Virtual Machine in OVA format that will install Windows on top of itself. I wrote this as an alternative to Packer. This OVA basically downloads the evaluation version of the Windows version you select to one drive as installation media and then installs onto the primary drive. After this is done, the smaller secondary drive can be discarded to save disk space.
  633. * **Other Tools**
  634. * [axiom](
  635. * Project Axiom is a set of utilities for managing a small dynamic infrastructure setup for bug bounty and pentesting.
  636. * **Package Management**
  637. * [fpm](
  638. * Effing package management! Build packages for multiple platforms (deb, rpm, etc) with great ease and sanity.
  639. * **Sort**
  640. * [Imaginary C2](
  641. * A python tool which aims to help in the behavioral (network) analysis of malware. Imaginary C2 hosts an HTTP server which captures HTTP requests towards selectively chosen domains/IPs. Additionally, the tool aims to make it easy to replay captured Command-and-Control responses/served payloads.
  642. * [EVABS (Extremely Vulnerable Android Labs)](
  643. * An open source Android application that is intentionally vulnerable so as to act as a learning platform for Android application security beginners. The effort is to introduce beginners with very limited or zero knowledge to some of the major and commonly found real-world based Android application vulnerabilities in a story-based, interactive model. EVABS follows a level-wise difficulty approach and in each level, the player learns a new concept. This project is still under progress and aims at incorporating as many levels as possible.