The Seven Stages of an Advanced Persistent threat Attack (APT)


An APT attacks involves seven basic steps, according to Mandiant. All but the seventh mirror the steps taken by a penetration tester or auditor, Damballa’s Ollmann says. “That’s what makes [APT] unique and so damaging,” he says.

Here are the stages of an APT attack:

1. Reconnaissance: Attackers research and identify individuals they will target in the attacks, using public search or other methods, and get their email addresses or instant messaging handles.

2. Intrusion into the network: It all typically starts with spear-phishing emails, where the attacker targets specific users within the target company with spoofed emails that include malicious links or malicious PDF or Microsoft Office document attachments. That infects the employee’s machine and gives the attacker a foot in the door.

3. Establishing a backdoor: The attackers try to get domain administrative credentials and extract them from the network. Since these credentials are typically encrypted, they then decrypt them using pass-the-hash or other tools and gain elevated user privileges. From here, they move “laterally” within the victim’s network, installing backdoors here and there. They typically install malware via process injection, registry modification, or scheduled services, according to Mandiant.

4. Obtaining user credentials: Attackers get most of their access using valid user credentials, and they access an average of 40 systems on the victim’s network using the stolen credentials, according to Mandiant. The most common type: domain-administrator credentials.

5. Installing multiple utilities: Utility programs are installed on the victim’s network to conduct system administration, including installing backdoors, grabbing passwords, getting email, and listing running processes, for instance. Mandiant says utilities are typically found on systems without backdoors.

6. Privilege escalation, lateral movement, and data exfiltration: Now the attackers start grabbing emails, attachments, and files from servers via the attacker’s C&C infrastructure. They typically funnel the stolen data to staging servers, where they encrypt and compress it, and then delete the compressed files from the staging server.

7. Maintaining persistence: If the attackers find they are being detected or remediated, then they use other methods to ensure they don’t lose their presence in the victim’s network, including revamping their malware.

Mandiant’s Malin says patience and resilience are what make these attacks so successful. “These are very sophisticated, determined, and coordinated activities,” he says. “The attackers are not there to snatch and grab data. They are in there to stay awhile.”

Gathering Proper Intel



I have been looking at several forums and one of the things that frustrate me the most is the lack of talk on the areas of proper target enumeration and intel gathering. Everybody is focused in running Nmap, fierce or any other host of tools and forget the true time basics of simply surfing the targeted client’s site taking note of the contact information and sending someone from the attack team to do a physical recon, to look for:

  • Wireless networks
  • Trash disposal methods
  • Physical security to the building
  • Open and exposed Ethernet network ports
  • Exposed USB ports
  • Unlocked and unused machines

Not everything has to be done thru the internet, most people are focused on the latest tool and not in thinking outside the box, in many of my presentation clients are impressed that their biggest hole is physical security. I know I’m ranting but I had to get it off my chest. take care and be secure.

Bookmark this

Awesome Penetration Testing

A collection of awesome penetration testing resources

Online Resources

Penetration Testing Resources

  • Metasploit Unleashed – Free Offensive Security metasploit course
  • PTES – Penetration Testing Execution Standard
  • OWASP – Open Web Application Security Project

Exploit development

Social Engineering Resources

Lock Picking Resources


Penetration Testing Distributions

  • Kali – A Linux distribution designed for digital forensics and penetration testing
  • BlackArch – Arch Linux-based distribution for penetration testers and security researchers
  • NST – Network Security Toolkit distribution
  • Pentoo – security-focused livecd based on Gentoo
  • BackBox – Ubuntu-based distribution for penetration tests and security assessments

Basic Penetration Testing Tools

  • Metasploit Framework – World’s most used penetration testing software
  • Burp Suite – An integrated platform for performing security testing of web applications
  • ExploitPack – Graphical tool for penetration testing with a bunch of exploits
  • BeeF – The Browser Exploitation Framework Project
  • faraday – Collaborative Penetration Test and Vulnerability Management Platform
  • evilgrade – The update explotation framework
  • commix – Automated All-in-One OS Command Injection and Exploitation Tool

Docker for Penetration Testing

Vulnerability Scanners

  • Netsparker – Web Application Security Scanner
  • Nexpose – Vulnerability Management & Risk Management Software
  • Nessus – Vulnerability, configuration, and compliance assessment
  • Nikto – Web application vulnerability scanner
  • OpenVAS – Open Source vulnerability scanner and manager
  • OWASP Zed Attack Proxy – Penetration testing tool for web applications
  • Secapps – Integrated web application security testing environment
  • w3af – Web application attack and audit framework
  • Wapiti – Web application vulnerability scanner
  • WebReaver – Web application vulnerability scanner for Mac OS X
  • DVCS Ripper – Rip web accessible (distributed) version control systems: SVN/GIT/HG/BZR
  • arachni – Web Application Security Scanner Framework

Network Tools

  • nmap – Free Security Scanner For Network Exploration & Security Audits
  • pig – A Linux packet crafting tool
  • tcpdump/libpcap – A common packet analyzer that runs under the command line
  • Wireshark – A network protocol analyzer for Unix and Windows
  • Network Tools – Different network tools: ping, lookup, whois, etc
  • netsniff-ng – A Swiss army knife for for network sniffing
  • Intercepter-NG – a multifunctional network toolkit
  • SPARTA – Network Infrastructure Penetration Testing Tool
  • DNSDumpster – Online DNS recond and search service
  • Mass Scan – TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.
  • Zarp – Zarp is a network attack tool centered around the exploitation of local networks
  • mitmproxy – An interactive SSL-capable intercepting HTTP proxy for penetration testers and software developers
  • mallory – HTTP/HTTPS proxy over SSH
  • DET – DET is a proof of concept to perform Data Exfiltration using either single or multiple channel(s) at the same time
  • pwnat – punches holes in firewalls and NATs
  • dsniff – a collection of tools for network auditing and pentesting
  • tgcd – a simple Unix network utility to extend the accessibility of TCP/IP based network services beyond firewalls

Wireless Network Tools

  • Aircrack-ng – a set of tools for auditing wireless network
  • Kismet – Wireless network detector, sniffer, and IDS
  • Reaver – Brute force attack against Wifi Protected Setup
  • Wifite – Automated wireless attack tool
  • wifiphisher – Automated phishing attacks against Wi-Fi networks

SSL Analysis Tools

  • SSLyze – SSL configuration scanner
  • sslstrip – a demonstration of the HTTPS stripping attacks
  • sslstrip2 – SSLStrip version to defeat HSTS
  • tls_prober – fingerprint a server’s SSL/TLS implementation

Web exploitation

  • WPScan – Black box WordPress vulnerability scanner
  • SQLmap – Automatic SQL injection and database takeover tool
  • weevely3 – Weaponized web shell
  • Wappalyzer – Wappalyzer uncovers the technologies used on websites
  • cms-explorer – CMS Explorer is designed to reveal the the specific modules, plugins, components and themes that various CMS driven web sites are running.
  • joomscan – Joomla CMS scanner
  • WhatWeb – Website Fingerprinter
  • BlindElephant – Web Application Fingerprinter

Hex Editors

  • HexEdit.js – Browser-based hex editing
  • Hexinator (commercial) – World’s finest Hex Editor


Windows Utils

  • Sysinternals Suite – The Sysinternals Troubleshooting Utilities
  • Windows Credentials Editor – security tool to list logon sessions and add, change, list and delete associated credentials
  • mimikatz – Credentials extraction tool for Windows OS
  • PowerSploit – A PowerShell Post-Exploitation Framework
  • Windows Exploit Suggester – Detects potential missing patches on the target
  • Responder – A LLMNR, NBT-NS and MDNS poisoner
  • Empire – Empire is a pure PowerShell post-exploitation agent
  • Fibratus – Tool for exploration and tracing of the Windows kernel

Linux Utils

DDoS Tools

  • LOIC – An open source network stress tool for Windows
  • JS LOIC – JavaScript in-browser version of LOIC
  • T50 – The more fast network stress tool

Social Engineering Tools

  • SET – The Social-Engineer Toolkit from TrustedSec

OSInt Tools

  • Maltego – Proprietary software for open source intelligence and forensics, from Paterva.
  • theHarvester – E-mail, subdomain and people names harvester
  • creepy – A geolocation OSINT tool
  • metagoofil – Metadata harvester
  • Google Hacking Database – a database of Google dorks; can be used for recon
  • Shodan – Shodan is the world’s first search engine for Internet-connected devices
  • recon-ng – A full-featured Web Reconnaissance framework written in Python

Anonymity Tools

  • Tor – The free software for enabling onion routing online anonymity
  • I2P – The Invisible Internet Project
  • Nipe – Script to redirect all traffic from the machine to the Tor network.

Reverse Engineering Tools

  • IDA Pro – A Windows, Linux or Mac OS X hosted multi-processor disassembler and debugger
  • IDA Free – The freeware version of IDA v5.0
  • WDK/WinDbg – Windows Driver Kit and WinDbg
  • OllyDbg – An x86 debugger that emphasizes binary code analysis
  • Radare2 – Opensource, crossplatform reverse engineering framework.
  • x64_dbg – An open-source x64/x32 debugger for windows.
  • Pyew – A Python tool for static malware analysis.
  • Bokken – GUI for Pyew Radare2.
  • Immunity Debugger – A powerful new way to write exploits and analyze malware
  • Evan’s Debugger – OllyDbg-like debugger for Linux
  • Medusa disassembler – An open source interactive disassembler
  • plasma – Interactive disassembler for x86/ARM/MIPS. Generates indented pseudo-code with colored syntax code.

CTF Tools

  • Pwntools – CTF framework for use in CTFs


Penetration Testing Books

Hackers Handbook Series

Network Analysis Books

Reverse Engineering Books

Malware Analysis Books

Windows Books

Social Engineering Books

Lock Picking Books

Vulnerability Databases

Security Courses

Information Security Conferences

  • DEF CON – An annual hacker convention in Las Vegas
  • Black Hat – An annual security conference in Las Vegas
  • BSides – A framework for organising and holding security conferences
  • CCC – An annual meeting of the international hacker scene in Germany
  • DerbyCon – An annual hacker conference based in Louisville
  • PhreakNIC – A technology conference held annually in middle Tennessee
  • ShmooCon – An annual US east coast hacker convention
  • CarolinaCon – An infosec conference, held annually in North Carolina
  • HOPE – A conference series sponsored by the hacker magazine 2600
  • SummerCon – One of the oldest hacker conventions, held during Summer
  • – An annual conference held in Luxembourg
  • HITB – Deep-knowledge security conference held in Malaysia and The Netherlands
  • Troopers – Annual international IT Security event with workshops held in Heidelberg, Germany
  • Hack3rCon – An annual US hacker conference
  • ThotCon – An annual US hacker conference held in Chicago
  • LayerOne – An annual US security conference held every spring in Los Angeles
  • DeepSec – Security Conference in Vienna, Austria
  • SkyDogCon – A technology conference in Nashville
  • SECUINSIDE – Security Conference in Seoul
  • DefCamp – Largest Security Conference in Eastern Europe, held anually in Bucharest, Romania
  • AppSecUSA – An annual conference organised by OWASP
  • BruCON – An annual security conference in Belgium
  • Infosecurity Europe – Europe’s number one information security event, held in London, UK
  • Nullcon – An annual conference in Delhi and Goa, India
  • RSA Conference USA – An annual security conference in San Francisco, California, USA
  • Swiss Cyber Storm – An annual security conference in Lucerne, Switzerland
  • Virus Bulletin Conference – An annual conference going to be held in Denver, USA for 2016
  • Ekoparty – Largest Security Conference in Latin America, held annually in Buenos Aires, Argentina
  • 44Con – Annual Security Conference held in London

Information Security Magazines

Awesome Lists

Phishing Frenzy is an awesome tool to use during Social Engineering/Spear Phishing exercises. One of the tasks that I spent a lot of time on when using Phishing Frenzy is the ‘cloning of a website’ to be used for phishing passwords. Phishing Frenzy does have a ‘Website Cloner’ but its pretty basic and some work needs to be […]

via Easily clone sites and import as Phishing Frenzy templates (Phishing for passwords) — Milo2012’s Security Blog

Phishing Toys — Milo2012’s Security Blog

I wrote 2 scripts with the help of a co-worker that are useful in our social engineering engagements. – This script generates Microsoft documents (VBA code) that uses Powershell to get a meterpreter reverse shell. This script works on a Linux/Mac machine unlike some scripts I found which requires a Windows machine. This works by patching the […]

via Phishing Toys — Milo2012’s Security Blog

Hacking and Penetration Testing Pdf’s