Red Team plan of action for the next stages based on the reconnaissance data, focusing on subdomains, IP addresses, AS numbers, emails, and employee details (ignoring PAN cards). This plan also includes execution phases with estimated hours for each attack. The execution times are distributed across several days to mimic real-world attack timelines while maintaining stealth and minimizing detection.
Objective: Identify vulnerabilities in subdomains and public-facing IPs, exploit misconfigurations, and gain initial access.
-
Time Frame: 3-5 hours (low noise during business hours)
-
Actions:
- Enumerate all subdomains thoroughly, looking for forgotten or misconfigured services.
- Perform vulnerability scans on subdomains (focusing on outdated software, unpatched systems, and potential takeover opportunities).
-
Tools:
Sublist3r,Amass,Nmap,Nikto,Subjackfor subdomain takeover attempts. -
Execution Hours:
- Start Time: 10:00 AM – 3:00 PM (active hours but low interference; scanning can appear as benign activity).
-
Target: Identify weaknesses like forgotten subdomains or exposed internal applications on subdomains.
-
Time Frame: 2-4 hours
-
Actions:
- Check for subdomain takeover vulnerabilities. If found, take control of the subdomain (ensure you have permissions outlined in the scope to do this).
- Prepare for future phishing attacks by creating a believable clone of the subdomain.
-
Tools:
Subjack,SubOver, DNS manipulation. -
Execution Hours:
- Start Time: 3:00 PM – 6:00 PM (end of business day, decreasing likelihood of detection during initial stages of setup).
-
Target: Successful subdomain takeovers for use in later phishing campaigns.
-
Time Frame: 3-4 hours
-
Actions:
- Perform detailed port scanning on the identified IP addresses to discover services and open ports.
- Conduct service version fingerprinting to identify vulnerable services running on these IPs (e.g., outdated software, unpatched systems).
- Try exploits on low-hanging vulnerabilities such as weak authentication, exposed management interfaces, etc.
-
Tools:
Nmap,Masscan,Nessus,Metasploit. -
Execution Hours:
- Start Time: 9:00 PM – 12:00 AM (after hours, to avoid detection and reduce the chances of security teams responding quickly).
-
Target: Gain access to vulnerable systems by exploiting open services (e.g., weak credentials, software vulnerabilities).
Objective: Leverage the gathered email and employee data for targeted social engineering and credential attacks.
-
Time Frame: 2-3 hours (low noise activity)
-
Actions:
- Using the discovered emails, perform a password spraying attack against common external services (e.g., webmail, VPN) using common passwords.
- Perform credential stuffing attacks using any previously leaked passwords (from past data breaches).
-
Tools:
Hydra,Medusa,Burp Suite,HaveIBeenPwned,Snusbase. -
Execution Hours:
- Start Time: 9:00 AM – 12:00 PM (normal business hours, password spraying mimics typical login behavior).
-
Target: Gain access through weak or reused credentials, allowing further lateral movement inside the network.
-
Time Frame: 4-6 hours (split over 2-3 days to maintain stealth)
-
Actions:
- Craft tailored spear-phishing emails targeting high-value employees (e.g., C-level execs, IT administrators) using discovered employee names and emails.
- Use legitimate-looking attachments or links hosted on compromised subdomains from Phase 2 (to make the phishing email more convincing).
- Launch the campaign, track email opens, and monitor phishing site interactions.
-
Tools:
GoPhish,SET (Social Engineering Toolkit). -
Execution Hours:
- Start Time: 2:00 PM – 5:00 PM (emails typically receive more attention in the afternoon, increasing chances of interaction).
-
Target: Capture employee credentials by luring them into fake login pages or getting them to open malicious attachments.
Objective: Once initial access is gained, escalate privileges and move laterally across the network.
-
Time Frame: 3-5 hours
-
Actions:
- Analyze any credentials or access gained from spear phishing or password spraying.
- Escalate privileges on compromised systems (e.g., local privilege escalation exploits, misconfigurations).
- Dump passwords or hashes from compromised systems for further lateral movement.
-
Tools:
Mimikatz,BloodHound,PowerShell Empire,WinPEAS,LinuxPEAS. -
Execution Hours:
- Start Time: 8:00 PM – 12:00 AM (off-hours to minimize detection during privilege escalation attempts).
-
Target: Gain admin-level access to internal systems, allowing deeper exploration or additional attacks.
-
Time Frame: 3-5 hours
-
Actions:
- Move laterally through the network using stolen credentials or compromised systems.
- Explore Active Directory for high-value targets, escalate to domain admin if possible.
-
Tools:
BloodHound,Rubeus,PowerShell Empire,Cobalt Strike. -
Execution Hours:
- Start Time: 11:00 PM – 3:00 AM (early hours to avoid user activity and reduce chances of detection).
-
Target: Gain control of high-value systems such as databases, financial systems, or sensitive information stores.
Objective: Establish persistence by setting up a reliable command-and-control channel for long-term access.
-
Time Frame: 3-4 hours
-
Actions:
- Set up command-and-control channels on compromised systems using HTTP(S), DNS tunneling, or other covert methods.
- Ensure the C2 infrastructure is stealthy to avoid detection by the client’s network monitoring systems.
-
Tools:
Cobalt Strike,Metasploit,Empire, custom backdoors. -
Execution Hours:
- Start Time: 9:00 PM – 12:00 AM (quiet hours to avoid triggering security alerts).
-
Target: Ensure continued remote access to the compromised network without detection.
Objective: Simulate data exfiltration and assess the client’s ability to detect and respond.
-
Time Frame: 3-4 hours
-
Actions:
- Identify sensitive data (e.g., intellectual property, customer data) and simulate data exfiltration using encrypted channels (HTTP(S), DNS tunneling).
- Measure the client’s ability to detect and prevent the exfiltration.
-
Tools: Custom scripts, HTTP/S, FTP, DNS tunneling,
ExfilKit. -
Execution Hours:
- Start Time: 1:00 AM – 4:00 AM (quiet hours to simulate stealthy exfiltration).
-
Target: Simulate data breach scenarios and evaluate security monitoring capabilities.
Objective: Ensure long-term persistence or safely exit without leaving a footprint (depending on scope).
-
Time Frame: 3-4 hours
-
Actions:
- Plant persistence mechanisms (e.g., scheduled tasks, rootkits, backdoors) on compromised machines for future access.
-
Tools:
PowerShell Empire, custom persistence scripts,Cobalt Strike. -
Execution Hours:
- Start Time: 10:00 PM – 2:00 AM (quiet hours to avoid triggering detections).
-
Target: Maintain covert long-term access to the organization’s network.
| Phase | Estimated Hours | Execution Time |
|---|---|---|
| Subdomain Scanning | 3-5 hours | 10:00 AM – 3:00 PM |
| Subdomain Takeover | 2-4 hours | 3:00 PM – 6:00 PM |
| IP Scanning & Exploitation | 3-4 hours | 9:00 PM – 12:00 AM |
| Password Spraying | 2-3 hours | 9:00 AM – 12:00 PM |
| Spear Phishing | 4-6 hours | 2:00 PM – 5:00 PM |
| Privilege Escalation | 3-5 hours | 8:00 PM – 12:00 AM |
| Lateral Movement | 3-5 hours | 11:00 PM – 3:00 AM |
| C2 Setup | 3-4 hours | 9:00 PM – 12:00 AM |
| Data Exfiltration | 3-4 hours | 1:00 AM – 4:00 AM |
| Persistence Setup | 3-4 hours | 10:00 PM – 2:00 AM |
This plan balances stealth, operational effectiveness, and efficiency, keeping the risk of detection minimal while maximizing attack success. Adjustments can be made based on the client’s response or engagement scope.