Glossary of Terms
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Y
Z
Bypassing authentication is a technique used by the Red Team to gain unauthorized access into an application or environment. An example of this may be a SQL Injection vulnerability that allows access without needing an account. This Red Team robot is accessing a panel for the Blue Team dragon's drawbridge and bypassing the need for a valid PIN to gain access. This panel hacking concept was inspired by a certain space droid.
A Brute Force attack is a technique used by the Red Team to gain access by trying multiple combinations of credentials over a period of time. Unlike a dictionary attack or rainbow table, brute forcing iterates through all possible combinations throughout a specified key space. The Red Team commonly uses brute forcing techniques for cracking hashes and for authentication. This droid, also inspired by a certain space droid, is attempting to use brute force to knock down the Blue Team's castle door with a battering ram.
Command and Control servers (C2) are services run by the Red Team that provide a framework to receive and transmit data and commands between an agent on an compromised host and the Red Team's host. Although C2 servers can be internal, they are often external and work in a way in which the agent reaches outbound to check-in, run commands issued, and submits results to the C2. This is done since NAT doesn't typically allow for direct connections from the C2 to the agent. In this illustration, astronauts are the agents who are checking in with the control center on Earth, ready to receive their instructions on what to do next.
Drop boxes are physical devices left behind by the Red Team during a physical security assessment. Once on-site, a device which is often obfuscated to look like a power adapter or something that belongs in the environment is left behind and establishes a network connection which bridges the internal corporate network and the Red Team's servers. This gives remote access to the internal environment for additional activities, such as lateral movement, privilege escalation, or information gathering. This image shows the Red Team robot who impersonated a dragon (see Impersonation) sneaking under a Blue Team conference table in the castle and plugging in a drop box designed to look like a mouse. The tail is plugged into an Ethernet jack next to a speaker phone on the floor.
Evasion is another technique used by the Red Team to avoid detection and blocking from security products and Blue Team personnel. The Red Team may use tools and techniques that are opsec safe, meaning they will not try to generate "noise" on the network that may alert the Blue Team and instead fly under the radar. Evasion techniques, such as Windows API hooking for example, may be used against endpoint protection so that tools can be run that otherwise would be prevented. This concept is shown in this illustration by a Red Team robot sneaking into the Blue Team's castle while remaining undetected, staying out of the spot light. The robot's shirt says, "API Hook."
Fuzzing a service or input is a way in which Red Teams can look for and discover a vulnerability that may otherwise be unknown (Zero Day). Fuzzing inputs for example may lead to a Buffer Overflow, meaning the application didn't anticipate a large string as input and the user-supplied input bleeds over into other parts of memory which could lead to arbitrary code execution. Typically with fuzzing the intent is to see what breaks, which could indicate a vulnerability, so it is similar to a stress test to overload the target. This is demonstrated on the page by showing a Red Team robot overloading their circuitry with other equipment while "fuzzing" their hair.
One method a Red Team member may use against a target is to enumerate Git respositories for sensitive information that may be useful. This may include accidental historical commits that contain tokens or credentials that are hard coded or used in connection strings for the application to connect to third party services or databases, for example. This is shown in the illustration by a Red Team robot who is posing as a sanitation worker, going through the trash of the Blue Team, finding API tokens that were improperly discarded.
A Heap Spray works by writing a series of bytes at various places in the heap, since the location of memory may be dynamic and not easily guessable. Like with a buffer overflow, spraying the heap may result in the execution of arbitrary code for the Red Team, but is not a vulnerability by itself. This robot barber is using a spray can of "Heap" to spray into the memory of the captured robot and point to the EAX CPU register in order to reprogram the dragon-bot. This robot was originally designed by the Red Team, but was captured by the Blue Team and reverse engineered (see Reverse Engineer in the Blue Team book) to work for them. The Red Team is taking it back again with this Heap Spray attack.
Impersonation is when the Red Team uses account takeover to assume the identity of a valid, authorized user. This can be done in a variety of different ways, but token delegation is a common method on the domain. This robot is attempting to sneak into the Blue Team's environment by dressing up to pass as a dragon. This robot can also be seen on the "Drop Box" page after they successfully gained access.
Juice Jacking is an attack in which a kiosk is designed to look like a USB charging station but really it accesses the data on the device. This can steal sensitive information or side load malicious apps. In the illustration a Red Team robot is siphoning data from these devices while being hidden behind the kiosk.
Kali Linux is a popular Linux distribution based on Debian for penetration testing. It is designed out-of-the-box with popular Cybersecurity applications and has a source repository with popular packages available for installation. A few wordlists are also available with the standard installation and this distro can be run from a Virtual Machine (VM) or live environment as well as some mobile devices, making it ideal for portability and a quick setup. This image is a shout-out to the Offensive Security folks as well as women in the Cybersecurity space, with the Women's Society of Cyberjutsu logo on the hacker hoodie.
A Listener is simply a service set up to receive data on a Red Team user's host. This can be something more complex like a C2 framework, or simply a Netcat or Python service listening on a port. In this illustration a space rover is on the moon, listening for connections to be made. The "Need input" reference is a nod to a classic movie robot.
A Man-in-the-Middle attack (MitM), is situation in which a Red Team member is positioned in between a client, or user, and a service. MitM techniques can be used to redirect this traffic to route through the Red Team host, while eavesdropping on or modifying the data in transit. In this illustration federal agents are performing a cellular "string ray" attack by monitoring a suspect's phone, remotely and discretely.
Nmap, short for Network Mapper, is a very popular tool used for host discovery and service enumeration. It also has a scripting engine which makes the tool even more powerful and can perform vulnerability discovery, among other things. This illustration shows a robot pirate who has a treasure "map," containing a network diagram of devices.
OSINT is short for Open-source Intelligence, and is a term used to describe the process of collecting information that is publicly available about a company, person, or other resource. OSINT techniques are used by the Red Team to learn more about their targets and this information can be levered in a larger-scale attack, such as phishing. This image depicts a robot investigator who is piecing together a series of clues to aid in an attack plan against the Blue Team's castle.
A Proof of Concept (PoC) in Cybersecurity is some code or an example of a specific payload that can prove a vulnerability exists and is exploitable. This PoC can often be weaponized into an exploit to be used in a dynamic fashion in a Red Team framework, and sometimes are publicly shared. Since PoCs are a type of prototype, being the initial draft of an exploit, this is reflected by showing a Red Team robot who has been pieced together and is in development. There are robot concept drawings on the wall to show this is a work in progress.
Perhaps the most important part of a Red Team engagement is the documentation. A report needs to do a thorough job of articulating and explaining the relevant vulnerabilities, risks they pose to the environment, and remediation steps. This report should bridge the gap between both the technical and the non-technical alike, using screenshots and other examples as necessary to explain how a real-world attacker may exploit these various vulnerabilities. Without a quality report, the individuals receiving it may not properly understand the impact or recommended actions to take in order to mitigate the issues. SANS and the Counter Hack team hosts Kringlecon and Holiday Hack each year which encourages not just technical ability, but this Capture the Flag (CTF) event also rewards participants for quality reporting.
The Red Team is often thought of as the offensive side of Cybersecurity. They are vital in demonstrating the impact a vulnerability has on an environment and in testing defenses after they are implemented to help determine what the security posture is of an organization. This page shows a basketball-playing robot who is on offense, slam dunking a ball into the net while getting a boost from their rocket shoes.
SIM Swapping is a technique used in order to mainly intercept SMS messages for the purpose of defeating Multi-factor Authentication (MFA) set up to use text messages for tokens. This process is usually logical and does not require a physical SIM card, although cloning a SIM card is also possible. Social Engineering attempts are usually used in the real-world in order to trick telecom vendors into changing phone numbers for a customer the adversary want to gain access to. This surgeon robot is carefully switching out a Blue Team SIM card in a phone for a Red Team one, with the intent to give it back discretely and intercept messages.
Tailgating is a technique used in physical security where an unauthorized individual may follow closely behind an authorized one, often squeezing in before a locked door or gate closes. This dragon is walking through a turnstile and a little red robot has hitched a ride in the dragon's backpack to get past security at the entrance.
USB Drops are a type of Media Drops that can be used in physical Social Engineering campaigns in order to trick victims into giving the Red Team access into an internal environment. Typically USB drives are used because they are cost effective and easy to use, but CDs, SD cards, and other types of digital media can be used. The idea is to make the media look appealing, typically by placing sticky notes on them with "Credit Card Numbers", "Passwords", or something similar so that an employee who discovers it will open it up back at their desk and become infected with a backdoor. This is demonstrated in this illustration by a Red Team robot who has a sports t-shirt cannon arm and is shooting various USB drives around the Blue Team's castle parking lot.
Vishing is a type of Social Engineering and gets its name by combining the words, "Voice" and "Phishing". While Phishing is a type of Social Engineering that uses email as a medium, Vishing is verbal and is often carried out over the phone to entice victims into giving up credentials or installing malware. This Red Team robot is trying to lure an employee into visiting a phishing site to steal credentials, while pretending to be calling from the internal Help Desk department.
Wireless Hacking is similar to War Driving in the "M is for Malware" book, but does not have the requirement of being in a vehicle. Wireless Hacking can be carried out within range of the broadcasted radio signal and can include Wi-Fi, Bluetooth, RFID, and many others. Often times segmentation issues exist on guest wireless networks that may lead to the compromise of internal, protected assets. This Red Team robot is flying over the Blue Team castle while staying within range in order to hack into their Wi-Fi network.
XML eXternal Entity is a type of injection vulnerability in which user input is processed by an XML parser server-side in an unsafe way. A specifically crafted XML payload can instruct the server to call an external DTD file and process it back on the server, which may result in Cross-site Scripting (XSS), Server-Side Request Forgery (SSRF), or information disclosure. In this illustration we see a restaurant with dragons and robots eating together. The robots have instructed the "server" (Mr. Parser) to retrieve the bill from the Blue Team dragon's table. The server is providing a bill with DTD on it.
Ysoserial is a tool used for generating payloads in order to exploit Java Deserialization vulnerabilities. In addition to being a standalone python script, it can also be imported into Burp Suite Professional as an Extender plugin for use in dynamic web application testing. The concept is shown in this illustration by an object (the dragon) being serialized into a teleporter beam. A certain comic-inspired Red Team robot, which is where the tool got its name, is changing the dragon's deserialization location which would be like the write output path. The "teleportation device" is also inspired by a certain science fiction show.
Zombie Bots, or Zombies, are similar to Command and Control agents but there are many of them as part of a Botnet. Although more often used by Black Hats, Red Teams will sometimes use a vulnerability on a domain network to compromise multiple hosts at once, creating a backdoor on each host for persistence. These hosts act like Zombies in a hoard waiting for instructions to execute a command all at once, or individually. Zombies in the real-world are typically used to relay spam, web traffic, or carry out Denial of Service attacks. This illustration shows a Zombie roBOT who is mindlessly in search of input.