RedTeamNotes: Combining Notes & Graphs!

Intro

RedTeamNotes started as a mini project to try and make a better note taking application than what was currently available. The big issue for me with apps such as Obsidian or OneNote was that whilst they have great note taking capability, they struggle to show how different notes relate to each other – unless you follow every link and manually piece it together.

Whilst doing CRTO, I often found myself in a position where I was trying to achieve an objective but would struggle to remember all of the various ways of achieving this. For example, to move laterally, I would likely remember that I could:

  • Dump LSASS to obtain AES256 keys
  • Obtain the plaintext password and perform overpass-the-hash
  • Use Rubeus to monitor for TGTs using the /monitor command

But would I remember that I could also use the following?

  • NTLM Relaying, if I have control of an device with unconstrained delegation
  • ADCS to obtain a certificate, then leverage THEFT5
  • And several other options..

Dun Dun Dun

So I decided to build my own note taking application – RedTeamNotes!

I had a few aims for this tool:

  • It should be possible to reuse the notes in other applications.
    • i.e. Use JSON
  • Try to avoid dependencies on too many tools just to build the application
    • I don’t want to have to download Node and 100 dependencies if I want to play around in HackTheBox
  • The relationships between notes should be very clear

With a few known limitations:

  • The tool wont handle editing the notes or relationships
  • The notes will be intentionally quite brief and will mainly signpost other resources

After many changes, I ended up choosing a few great JavaScript libraries to help me out. The graphing UI is handled by Drawflow. Positioning the various nodes turned out to be one of the hardest parts of the project, as it is very easy to know what the correct graph looks like, but it is very hard to actually implement in an automated way from my experience! Luckily I found Dagre’s GraphLib, which I believe uses the ‘Dagre’ algorithm to sort the nodes, but this might well be wrong!

Aside from these two libraries, the rest was blood, sweat, tears and swearing at CSS selectors.

On the right, we can view information on our selected technique, which currently supports:

  • Description
  • OPSEC considerations
  • Links
  • Code examples
  • Defensive guidance

This data would be represented with the following JSON:

"constrained_delegation" : {
    "name": "Constrained Delegation",
    "description": "Constrained delegation is a feature of AD which allows a service to act on behalf of another user to specific other services. If we can compromise a service with constrained delegation enabled, we can potentially steal cached TGTs",
    "opsec" : ["Make sure the msdspn value (If using Rubeus) is a valid SPN which we can delegate to, only specific SPNs will be allowed."],
    "code_examples": [
        {
            "description" : "Find machines with uncontrained delegation enabled via BloodHound",
            "code" : "MATCH (c:Computer), (t:Computer), p=((c)-[:AllowedToDelegate]->(t)) RETURN p"
        },
        {
            "description" : "Find machines with constrained delegation enabled via LDAP",
            "code" : "(&(objectCategory=computer)(msds-allowedtodelegateto=*))"
        },
        {
            "description" : "Find SPNs we can delegate to via PowerView",
            "code" : "Get-DomainComputer -Identity PC_NAME | Select-Object -Expandproperty msds-allowedtodelegateto"
        }
    ],
    "links" : ["https://www.guidepointsecurity.com/blog/delegating-like-a-boss-abusing-kerberos-delegation-in-active-directory/"]
}

Using our earlier example of pass-the-ticket, we can see how this is represented below. Notice the 6 lines leading into the left of ‘Pass The Ticket’, showing 6 techniques which could get us to that position.

I decided to make a node for some of the ‘tactics’ (As MITRE ATT&CK would refer to them), which helps Dagre to better position the nodes. This has the added benefit of being able to help me perform a pseudo-checklist when I am stuck on a machine.

For example, below are a set of the privilege escalation techniques I have currently added into the tool:

The tool also can handle quite a lot of nodes. Especially considering that the relationships are quite complex, there is no caching, and it is not a super-efficient algorithm!

Searching

The tool has a search bar which will query the title and description of all the nodes on the current page, which is performed using FuzzySort. For example, lets look for techniques related to ‘tgt’:

We can then click on the top item “Dump TGT’s” and be taken to the relevant node

We can also switch between multiple datasets. For now, I currently have 3 datasets within my notes:

With code samples, we can click on the clipboard emoji, and the example text will be copied to the clipboard.

Get-DomainGPO | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "WriteProperty|WriteDacl|WriteOwner" -and $_.SecurityIdentifier -match "S-1-5-21-SID_GOES_HERE-[d]{4,10}" } | select ObjectDN, ActiveDirectoryRights, SecurityIdentifier | fl

Summary

Hopefully this serves as some inspiration as to what can be done to make note-taking a bit more user-friendly and usable. I’m hoping to develop this idea into a few other directions in the coming weeks and months, as I think this style of program could be useful for a few other applications!