kras99 -


5 open source offensive security tools for red teaming

To be an effective red teamer, you need the right tools in your arsenal. These are five of the open source offensive security tools worth learning.

One of the harder cybersecurity areas to develop and maintain a skill base for is the red team. For those on the offense side of the security equation -- for example, penetration testers -- it can be challenging to establish an initial set of skills and keep them sharp over the long term.

Other than large companies, few organizations can afford full-time red teams. So, unless you're employed by a service provider such as a consultancy or MSSP that offers offense-based services to clients, there are few positions relative to defenders.

Offensive skills training is also somewhat niche as the skills taught are less directly applicable to blue teamers. Additionally, specialized training can be expensive. This translates into organizations being reluctant to hire and train someone as opposed to hiring someone with a fully developed skill base.

How then does someone looking into a red team career path build foundational skills? One way is to hone and maintain the skills associated with using offensive security tools. But which ones?

Here are five popular open source offensive security tools to consider. There are many great commercial tools out there, but these open source options are accessible to everyone. This enables cybersecurity professionals to start practicing and build up their skill base immediately.

One important caveat: Just as these tools can help build fundamental and necessary skills in a lawful and ethical manner, so too can they be used for unlawful, unethical purposes. The onus is on users to make sure that their usage is both lawful and ethical.

Diagram showing the differences between penetration testing and red teaming
The differences between penetration testing and red teaming

1. Metasploit Framework

The Metasploit Framework provides a common, standardized interface to many services of interest to pen testers, researchers and red teams. It includes working with exploits and payloads, as well as auxiliary tasks that don't use a payload.

Vulnerability researchers historically wrote exploitation scripts or proof-of-concept code for exploits they discovered. This often lead to usability challenges because some scripts were minimally documented, included nonstandardized usage conventions or were unreliable when it came to using them as a test harness to validate issues. The Metasploit Framework helped remedy these issues.

Metasploit is the de facto standard interface for working with exploit code and payloads. It normalizes how red teams and pen testers interact with exploit code. From the red team's point of view, it streamlines work by providing important services such as payloads -- i.e., shellcode -- so the red team can focus on the vulnerability itself. For the tester, it likewise provides a standard way to interact so they can concentrate on the issue they're testing and not the minutia of running the exploit code itself.

To get started with Metasploit, try the companion Metasploitable project. It provides a deliberately weakened VM to test usage and build skills.

2. Zed Attack Proxy (ZAP)

Offense involves more than just being able to run exploits. Particularly with web applications, it's important to be able to see and manipulate requests that occur between a browser and a web server. One category of tools that facilitate this are attack proxies. These tools sit between a browser and a remote web server so users can examine and even manipulate traffic between those devices. Likewise, attack proxies often contain automated mapping and crawling tools, automated website scanning tools and informational tools such as URL, hex and Base64 encoders and decoders.

The Zed Attack Proxy (ZAP) from OWASP is an attack proxy.

3. Browser Exploitation Framework (BEeF)

An attack proxy is great for exercising the functionality of a remote website, but what if you want to attack a given user more directly? For example, to test the resilience of users' browser habits or test whether they would notice warning signs of being part of an attack chain.

One way to do this is by using tools that hook one or more tabs within a target's browser and provide some level of control to an attacker. This in turn can be used as a forward "staging area" by an attacker to gain further traction within an environment or move laterally. The Browser Exploitation Framework (BeEF) enables red teams to do exactly that.

4. Atomic Red Team

The Atomic Red Team project is a set of scripts that can be used to simulate attacker activity. The project provides a set of portable tests, each mapped to the Mitre ATT&CK framework, which can be used to exercise protections and hardening strategies in an organization.

Atomic Red Team is a useful tool for red and blue team members. For the blue team, it's a helpful way to validate the controls protecting the environment. On the offense side, deconstructing attack techniques can help red teams understand how those techniques work and how to apply them.

5. Social-Engineer Toolkit (SET)

One often-overlooked area is testing the resilience of users against manipulation, coercion and trickery. The Social-Engineer Toolkit (SET) provides mechanisms to quickly create artifacts that might appear legitimate to a user and that can be used to test different scenarios. With it, red teams can send a legitimate-looking emails to target users, attempt a spear phishing attack containing malicious attachments and spoof SMS messages.

Other offensive security tools to try

These five are a tiny subset of the many fantastic tools available. Some other offensive security tools to learn include Wireshark to help examine network activity and special-purpose tools like Mimikatz and Molehunt.

To dig beyond this list, look to pen testing-focused Linux distributions such as Kali, BlackArch or Parrot. These distributions pull together hundreds of specialized tools all in one place, which can help red teams learn which tools do what.

Next Steps

20 free cybersecurity tools you should know about

Dig Deeper on Risk management

Enterprise Desktop
Cloud Computing