Red Team Toolkit Essentials

Tim Roberts

March 01, 2017 - Posted by Tim Roberts to Security Insight

Many types of red team and physical security assessment toolkits are utilized across the industry. Through our experiences in the NTT Security Threat Services group, we have developed a mixed bag of devices and tools that we commonly use with hybrid assessment types.

The lists below are not intended to be comprehensive, but a quick reference for red team specific toolkits - which often include technical devices and physical tools.

As always, it is assumed that you have permission from your client, have the proper documentation on hand and the defined scope is your primary consideration before attempting to compromise a target facility. Please make sure that you have plenty of experience with bypass and lock picking tools in order to reduce the risk of damaging doors, locking cores and mechanisms etc. Always be responsible!

Note: Many tools commonly utilized in on-site social engineering, covert physical security assessments and red team assessments may not be listed below. Although there are popular vendors for specific tools, alternatives may exist.

Toolkit Travel Tips

When deciding what to bring to an assessment, it is important to understand the facility, industry type, dress codes, etc. Often you may not discover this kind of information until you are already on site, so it is important that you arrive at least the day before an engagement in order to observe the entry points, employees and access controls. Allow yourself enough time for reconnaissance, especially if there is more than one target facility. From on-site observations, you may need to adjust your toolkit accordingly. Remember that the lighter the kit, the easier it will be to move about and stay discreet.

Keep a printout of "TSA approved items" just in case you run into any issues at the airport. TSA agents often aren't familiar with the tools, nor aware that they are allowed in carry-on luggage.

Another handy tip, recommended by fellow red team assessors, is to carry a stamped envelope in case you need to mail something back to yourself.

If you're worried about your carry-on, just check your tools in as a checked bag.

Toolkit Bags

When arriving for the on-site assessment, it is advised that you do not carry a large backpack or your super awesome tactical military bag. Here are some additional considerations:

  • Wear a bag that is a neutral color.
  • If you must use a tactical bag, consider a Versipack®, sling bag, laptop bag or shoulder bag. Maxpedition® makes an excellent jumbo Versipack with multiple built-in, organized and concealed pockets that isn't overly "tactical." One of our favorite bags is the Maxpedition Mongo™ Versipack. A cheaper alternative to the Maxpedition Mongo bag is the SHANGRI-LA Multi-functional.
  • DO NOT walk in with your hacker patches and pins all over your bag or stickers all over your laptop and gear - unless you intend to make yourself stand out on purpose.
  • Organizer grids (Cocoon Grid-It) help to keep cables and small devices organized in your bag for quick access.

Toolkit Examples

Minus the patches and pins when on-site, all of the below fits in a single bag (as shown in the following picture).


Red Team Toolkit Example #1

  • Lock picks (pocket) - commonly used picks
  • Under-the-door tool
  • Canned air, hand warmers (request-to-exit bypass, etc.)
  • Shove knife/shrum tool
  • Crash bar tool
  • Dimple lock gun
  • Tubular lock picks
  • Fire/emergency elevator key set
  • USB keylogger and Hak5 rubber ducky
  • Hak5 LAN turtle
  • Pineapple nano
  • LAN tap
  • Wafer and warded pick set
  • Laptop or mobile device
  • External hard drive
  • Fake letter of authorization (as a plan B and to test incident response)
  • Real letter of authorization
  • Props for guises if utilizing social engineering
  • RFID thief/cloner (something that is easy to hide - I often use a clipboard like the one shown in the picture above)
  • Camera (or just use your smartphone)

Red Team Toolkit Example #2

  • Lock picks (pocket) - common
  • Lock picks (backpack) - expanded set
  • Under-the-door tool
  • Shove knife/shrum tool
  • Crash bar tool
  • Snap gun with interchangeable needles
  • Dimple lock gun
  • Tubular lock picks
  • Hand warmers/canned air
  • Leather gloves/good shoes
  • Fire/emergency elevator key set
  • USB keylogger and Hak5 rubber ducky
  • Hak5 LAN turtle
  • LAN tap
  • Wafers and warded pick set
  • Laptop if needed
  • External hard drive
  • Malicious drops x4 (USB, etc.)
  • Rogue access point (PwnPlug, Pi, whatever your flavor of choice)
  • Hak5 pineapple
  • 15 dBi wireless antenna (for use outside; not something you want to stuff in your bag inside)
  • Nexus 7 with NetHunter, TP-Link adapter, etc.
  • Props for guises if utilizing social engineering
  • Fake letter of authorization (as a plan B and to test incident response)
  • Real letter of authorization
  • RFID thief/cloner
  • Camera (or just use your smartphone)
  • Snake camera (a bonus for looking over drop ceilings or floors)
  • Multi-tool


Miscellaneous Considerations

  • Various USB cables (A, B, mini, micro, OTG, etc.)
  • SD Cards, microSD cards
  • Smartphone (earpiece if with a team)
  • Body camera (GoPro/ACE Cameras are sometimes handy with client approval)
  • Extra power packs/batteries
  • Small flashlight (low lumen)
  • RTFM: Red Team Field Manual

Lock Pick Laws

If you purchase lock picks and bypass tools, it is important that you understand your state's laws regarding them. Some states are strict about possession of burglary tools and some couldn't care less. States to consider:

MS, NV, OH, VA - Possession of picks and bypass tools may be considered evidence of criminal intent.

TN - Lock picks and bypass tools are considerably restricted under current law.

TOOOL is an excellent resource: http://toool.us/laws.html

Final Toolkit Thoughts

The above information should help anyone starting their own red team bag. As I said above, please be responsible and only attempt on-site assessments when directed by the target organization, with the proper legal documents signed and in place.

You can also reach out to us at NTT Security. We can assist your organization with any questions on these types of assessments, what kind of risks these attack vectors may be to your organization, and any other security concerns you may have. Cheers and stay aware!
