A red team is a group that plays the role of an enemy or competitor, and provides security feedback from that perspective. Red teams are used in many fields, especially in cybersecurity, airport security, the military, and intelligence agencies. These are the defenders. I have provided a list of resources useful for red teams and penetration testing assignments:

• NIST SP 800-115
• Open Source Security Testing Methodology Manual (OSSTMM)
• Open Web Application Security Project (OWASP)
• Penetration Testing Execution Standard (PTES)

Working around industrial control systems, I get asked frequently to assess the security of either the hosts that critical systems are hosted on (i.e. SCADA, DCS, historians, HMI). The question that comes up is given the sensitivity of these systems are there any frameworks or methodologies that can be used:

• Sandia National Laboratories (SAND2005-2846P) – Penetration Testing of Industrial Control Systems 
• NESCOR Guide to Penetration Testing for Electric Utilities (EPRI)

 

Tools & Scripts

• Responder – This tool is first an LLMNR and NBT-NS responder, it will answer to *specific* NBT-NS (NetBIOS Name Service) queries based on their name suffix
• EyeWitness – EyeWitness is designed to take screenshots of websites, RDP services, and open VNC servers, provide some server header info, and identify default credentials if possible.
• Yersinia – Layer 2 DTP and Root switch attack (VLAN hopping). Essentially plugging a Pi on to a port and having that Pi emulate a trunk port.
• ADRecon – Tool which extracts and combines various artefacts (as highlighted below) out of an AD environment. The information can be presented in a specially formatted Microsoft Excel report that includes summary views with metrics to facilitate analysis and provide a holistic picture of the current state of the target AD environment.