Red Wizard - User friendly, automated infrastructure for Red Team - Part 1

Red Wizard picture 1

Author: Ben Brucker, Senior Security Specialist and Domain Manager Red Teaming at Secura.

Where to get it?

This is part of a blog series about Red Wizard. The first part will focus on the background of the tool. Future instances will focus on the technical implementation and the extensibility of the tool.

What is Red Wizard?

Red Wizard is an open-source tool designed to provide repeatable, OPSEC-safe infrastructure for Red Teaming operations. Red Wizard was created to address the challenge faced by many serious Red Teams, where publicly available deployments are either limited or not user-friendly, requiring additional time and work from infrastructure maintainers and operators.

This tool automates the deployment of a comprehensive infrastructure with redirectors, backend systems, phishing relays, OSINT machines, and more. It is designed to be user-friendly, providing wizards that walk administrators and Red Team operators through the deployment process. The infrastructure is also self-documenting, making it effortless to share all relevant details with the team of operators.


Below is an example of a moderately complex Red Teaming infrastructure that takes approximately 10 minutes to configure and 30 minutes to deploy. It includes OSINT machines, 2 phishing servers, a CobaltStrike instance, a generic callback catcher and a backend for hardware implants:

Red Wizard 2

This diagram was created by Red Wizard as well, making it easy to share relevant information with your team.

What Red Wizard can do

Red Wizard will help you provision your servers and install all necessary tools, tunnels and defaults.

It does not currently provision the underlying servers, as every company has its own processes for spinning up systems. That is why there are only 4 very basic requirements, which you can automate with, for example, Terraform:

  • Ubuntu 22.04 on the deployment system (Your laptop or a VM is fine)
  • Clean Ubuntu 20.04 on all target machines (Will support 22.04 in the near future)
  • 1 deployment user (Configured for key-based SSH access on all machines)
  • Deployment user has identical sudo password on all machines

Currently publicly released parts

Currently the following 6 components, all of them common to Red Teaming operations, are released:

Red Wizard 3

Future releases might include:

  • RedElk integration (Red Team SIEM by Outflank)
  • MitM Phishing (EvilGinx / Modlishka)
  • Support for non-standard relays (domain fronting, etc.)

How to get started?

For detailed instructions please follow the Readme in the GitHub repository. At a high level it boils down to the following:

Red Wizard 4

Design principles

We built this tool with resilience in mind, ensuring an OPSEC-safe setup by retrieving all critical key material from the deployed servers, enabling you to rebuild and keep receiving your shells even if one of your servers crashes and burns. Red Wizard is mainly based on Ansible and Docker, making it easy to deploy and manage.

Other design principles can be summarized as follows:

  • Simplicity trumps fanciness
  • Operational Security (OPSEC)
  • Must be robust
  • No magical Black Boxes
  • Everything must be self-documenting
  • Easily extendable
  • Preconfigured listeners / phishing profiles
  • Log everything

The actual deployment follows the tried-and-tested approach for Red Teaming infrastructures, in which you have a separate backend and relay infrastructure:

Red Wizard 5

In this case there is a Command and Control server with, for example, a gophish instance. This gophish instance is exposed to the internet via a public relay. The relay decides, based on the URL and other features of the request, whether it is an actual callback or one of the many scans coming from the internet. A real callback is forwarded to the backend; other internet traffic is not, improving the OPSEC of the Red Team.

Red Wizard supports many deployment modes, for example multiple components that each call out to their own relay:

Red Wizard 6

Or multiple components that share the same relay:

Red Wizard 7

Up next:

The next blog post will show you all the important features of a deployed Red Wizard infrastructure and help you create your first deployment.

Ben Brucker

About the Author

Ben Brücker is Senior Security Specialist and Domain Manager Red Teaming at Secura. He studied Computer Science, Cyber Security and Artificial Intelligence at Radboud University in Nijmegen. For 8 years, Ben has been working at Secura. He specializes in Red Teaming and has led many successful Red Teaming assessments.
