CompTIA Pentest+ PT0-002 – Section 16: Post-exploitation Part 3
March 10, 2023

157. Lateral Movement (OBJ 3.7)

Now, we talked about lateral movement already and I already provided a couple of examples of techniques that we can use for lateral movement as an attacker if you’re working as a pen tester, things like pass the hash or the golden ticket attack. But there are other ones out there too. The idea is that an attacker can use any remote access protocol to move from host to host. One of the most common ways they do this is by relying on people using poor passwords. If you have employees in your organization, some of them may not follow good password practices. And the larger your organization, the more often this is going to be true.

For example, if we go forward and look at the top 30 most commonly compromised passwords, you’ll see that a lot of them are really kind of silly. For instance, who would set their password to 12345? Well, the reason that’s the number one most commonly hacked password is because a lot of people actually do it. And so, if you have those people working in your organization, this can be a way that an attacker laterally moves throughout your organization, using different accounts on different machines by trying some of these common passwords. For example, look at the third column.

You’ll see one that looks pretty secure: qwertyuiop. Now, this one doesn’t look bad at first glance, but as you start looking at it, those letters look kind of familiar even though they appear random. They’re actually the top letter row of your keyboard, going left to right, and that’s why it’s a commonly used password. So this is not secure, even though it doesn’t look like a standard dictionary word. Now, let’s take a look at a couple more examples. As I went down the top 100 most commonly used passwords, I found two more that look pretty secure: number 42 and number 62.

Number 42 is q1w2e3r4t5y6. At first glance, that looks pretty secure. But if you look at your keyboard again, all they’re doing is what’s known as keyboard walking. They’re alternating between the Q row and the number row and going q1w2e3 all the way across. And if you look at number 62, this one is doing the same thing, but in reverse. So again, just because it looks randomized doesn’t mean it is. You have to make sure that the passwords your employees are using are secure, because if they’re not using secure passwords, it’s a common way for an attacker to laterally move throughout your network. Insecure passwords are going to make our networks weak and much more susceptible to this lateral movement. So, we want to make sure we’re doing frequent checks of our employees’ passwords using good tools as part of our security procedures.
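One way to build the password check described above into an audit tool. This is an added example, not code from the course; the common-password set is a constructed stand-in for a real breached-password list, and it generalizes the q1w2e3 pattern to every pair of adjacent keyboard rows in both directions.

```python
"""Password-audit check for the keyboard-walk patterns discussed above:
qwertyuiop, q1w2e3r4t5y6 and its reverse look random but are predictable."""

# Key rows of a US QWERTY keyboard, left to right.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Constructed stand-in for a breached-password list; use a real one in practice.
COMMON_PASSWORDS = {"123456", "12345", "password", "qwerty", "qwertyuiop"}


def _interleave(a, b):
    """Alternate keys of two rows, producing walks such as q1w2e3r4..."""
    return "".join(x + y for x, y in zip(a, b))


def keyboard_walk_sequences():
    """Straight rows plus alternating adjacent-row walks, both directions."""
    seqs = list(ROWS)
    for upper, lower in zip(ROWS, ROWS[1:]):
        seqs.append(_interleave(upper, lower))   # 1q2w3e... style
        seqs.append(_interleave(lower, upper))   # q1w2e3... style
    return seqs + [s[::-1] for s in seqs]       # reversed walks (number 62)


WALKS = keyboard_walk_sequences()


def contains_keyboard_walk(password, min_len=4):
    """True when any min_len-character window of the password is a
    contiguous slice of a keyboard walk (case-insensitive)."""
    p = password.lower()
    windows = (p[i:i + min_len] for i in range(len(p) - min_len + 1))
    return any(w in seq for w in windows for seq in WALKS)


def audit_password(password):
    """Return why the password is weak, or None if no pattern matched."""
    p = password.lower()
    if p in COMMON_PASSWORDS:
        return "on common-password list"
    if contains_keyboard_walk(p):
        return "keyboard walk"
    return None
```

Run it over cracked or newly set passwords as part of the periodic checks mentioned above; the window length controls how short a walk fragment is enough to flag.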

So again, remember, most systems rely on usernames and passwords for authentication. And if you’re using weak passwords, people are going to be able to break in. When this is done with an administrator account, it’s really bad. All right, so let’s keep in mind that we need secure passwords and we want to make sure they’re safe and secure. Now, if we move beyond that, what are some of the other lateral movement techniques that an attacker can use? Well, they can use the same things that system administrators use. That includes things like Remote Access Services, WMIC, PsExec and Windows PowerShell. These are tools that a system administrator uses to do their job, but an attacker can use them for their nefarious purposes as well. First, let’s talk about Remote Access Services. This is any combination of hardware and software that enables remote access to tools or information that typically reside on a network of IT devices. That’s a complicated way of saying it allows somebody to access a computer from a distance. This can be really useful if you’re at home and you need to access your office computer to be able to run something, even though you don’t have physical access to it. This might be something like a VPN, SSH, Telnet or other services like that.

When you’re using things like SSH, Telnet, RDP and VNC, these can provide an attacker the ability to laterally move across the network. They’re also useful for our users who need remote access. But again, this becomes a major area of vulnerability that attackers will use against you to laterally move around your network. The second area we want to talk about is WMIC, which is the Windows Management Instrumentation Command-Line. This provides users with a terminal interface and enables administrators to run scripts to manage those computers. The great thing about WMIC as a system administrator is that it gives you a lot of power. You can run scripts, run all sorts of different commands and perform tasks that require a higher level of privilege than normal.

But again, if an attacker can get access to it, this becomes a great lateral movement tool for them because they can run processes at higher levels of privilege than normal. They can also do crucial reconnaissance from a remote host using WMIC. They can do everything from looking at processes to disk partitions to BIOS data. All of this can be done through WMIC, and so it is a way that attackers laterally move throughout your network. Because of this, WMIC can be a vector in post-exploitation lateral movement. The next one we want to talk about is PsExec. This is a tool that was developed as an alternative to Telnet and other remote access services, and it utilizes the Windows SYSTEM account for privilege escalation. Again, this is a tool that was developed for system administrators. It is actually part of the Sysinternals tool suite that was developed by Mark Russinovich. This is something that was developed for system administrators, but attackers use it for their own benefit as well.

This allows them to open back doors, run processes, and elevate permissions on remote systems across the network and run things there. The final thing we want to talk about is Windows PowerShell. Windows PowerShell is a task automation and configuration management framework from Microsoft, and it comes embedded by default in your Windows system. It consists of a command-line shell and an associated scripting language. Because of that, it gives a lot of power to system administrators and, in turn, to attackers. Attackers have also developed their own exploit kits. One of the most popular ones is known as PowerShell Empire. This toolkit contains numerous prebuilt attack modules and allows an attacker to easily run lots of different programs against your systems with pre-written modules and pre-written exploits. So, once you’ve exploited a system, you can then run PowerShell Empire on it and you’ll be able to run all of these different modules. For example here, you can see there are 91 currently loaded modules that I could run against the victim’s system. Because of the way PowerShell was developed, it has native cmdlets, as well as the ability to run all sorts of different remote access, WMIC and PsExec tools from within PowerShell scripts, and you can even use the prebuilt modules from Empire as well.

Attackers aren’t only limited to command-line access either. They can also use graphical user environments. For example, if you’ve attacked a Windows system, you can open an RDP session between your attack machine and your Windows victim. This will give you the full Windows desktop in a graphical user interface that you can use over the network. Additionally, if you’re attacking a macOS system, you can do the same thing using Apple Remote Desktop. If you’re going against a Unix or Linux system, you can use the X Window System to give you a graphical display too.

If you want something that’s a little more cross-platform, that’s where we use tools like VNC, the Virtual Network Computing protocol, which allows you to connect with a graphical user interface to any other operating system that has a VNC server installed on it. As you can see, there are lots of different tools and techniques you can use to conduct lateral movement within a network once you’ve gained your initial foothold. One of my favorites is actually using RPC/DCOM. RPC/DCOM stands for Remote Procedure Call / Distributed Component Object Model. RPC is an inter-process communication mechanism between local and remote processes on Windows systems, whereas DCOM enables communication between different software components over a network. By using RPC and DCOM, you can initiate and control lateral movement into an application.

Most DCOM applications use RPC as their transport mechanism when making requests. The great thing for us as attackers is that there are flaws in DCOM, and these can allow us to execute code on remote systems by assuming user privileges. For example, we can initiate lateral movement inside of the MMC application, which is the Microsoft Management Console snap-in for a Windows computer. This MMC application gives us the ability to execute shell commands using DCOM objects. So, if you’re inside of PowerShell and you get familiar with how to use DCOM, you’re going to be able to do lateral movement using PowerShell, taking advantage of these default features that are built into the Windows operating system on both workstations and servers.

158. Pivoting (OBJ 3.7)

In this lesson, we’re going to focus on exactly what pivoting is and how it’s different from lateral movement. When we talk about pivoting, this is when an attacker uses a compromised host, the pivot, as a platform from which to spread an attack to other points in the network. When I talk about lateral movement, this is more focused on when an attacker hops from one host to another in search of vulnerabilities for them to exploit. But once they start running those attacks from one point, that is the pivot point. Now again, let me give you a quick word of warning here. Lateral movement and pivoting, while they are different and we talk about them as separate concepts in this lesson, are used interchangeably by a lot of cybersecurity professionals. So when you’re talking about this in the field, people will often say lateral movement or pivoting to mean the same thing.

But for the exam, there is a difference. So you need to remember that the difference really comes down to whether you have an attack point established and are then conducting your attacks from that point in the network; if so, that is your pivot point. I’ll go into that a little bit more in this lesson. Now, when we do pivoting, one of the main things we have to do is use port forwarding. Port forwarding allows the attacker to use a host as a pivot, accessing one of its open TCP ports to send traffic from that port to a port on another host on a different subnet. I know that sounds a little complicated, so I’m going to show you graphically what this means. First, we have a host. This is host A inside the victim network.

As an attacker, I’m going to find some way to exploit host A through some kind of exploit. Maybe I used a phishing campaign, or maybe I found a vulnerability that I was able to exploit with some kind of zero-day code or something like that. However I got in, let’s just say host A has been compromised by the attacker and is now a victim. Then we have host B. The attacker might be conducting reconnaissance and identifying another target. So once I got into host A, I start looking around and identify that there’s this other host, B. This is me looking ahead at lateral movement that I may want to achieve later. And then I keep searching and I find that there’s also this host C, depicted here as a server.

So I have access to host A because I have control over it due to my initial exploitation. Then, as part of my reconnaissance, I might find that I can reach host B, but I can’t reach host C because it’s on a different subnet. If this is the case, I may decide to exploit host B instead. By doing this, I now have some kind of exploit shell between host A and B. For instance, I may have gotten into host B, set up a listener on it, and then had a netcat connection between host A and B. Now, that doesn’t give me access to C yet, but I might find that host B is on the same subnet as host C and has the ability to reach it because of its network configuration. For example, the firewall might trust host B but not trust host A, so host B can get into that subnet.

Now, as the attacker, I want to be able to get into host C. So how can I do that? Well, maybe I’m going to set up a port forwarder on host B. For example, if I wanted to use RDP, the Remote Desktop Protocol, I would set up a port forwarder for 3389 on host B. That will forward port 3389 from B over to C. Now, I would have the ability from B to establish a connection, but that still won’t get it all the way back to host A, which is where I actually have my foothold. So I would want to set up a listener on host A for port 3389, which, again, is RDP. This way, anything received on host B for port 3389 will get forwarded from B over to C, and we’re going to use B as a pass-through point or a pivot point. So now, as an attacker, I can initiate an RDP session with host C from host A by going through host B. Essentially, I’m playing a telephone game. Anything I send to B is going to get redirected to C. Anything that goes from C to B gets redirected back to A. So we’re just passing through B on our way to C. This allows the attacker to successfully pivot from host A through host B into host C.

That way, we have a full RDP connection ongoing. That’s the way it looks graphically when you’re doing this inside of a network. Again, this is a very simplified diagram, but it gives you the idea of going through one host to reach another. We’re pivoting through that host by doing that port forwarding. Instead of using RDP, we can also do this with SSH. SSH is actually really easy to use for pivoting, because you can use the -D flag, which sets up a local proxy and port forwarding on a given target. So this is something that is used a lot by attackers. For instance, you might again have host A, host B and host C. Host A can’t get to host C because it’s being blocked by the firewall, but host B can get to host C.

So what will we do? Well, we’ll create an SSH channel from A to B. And then we’ll pivot from B through the firewall over to host C, creating that connection and allowing host A to connect to host C through host B. Now, in both of my examples, I showed you where we used a single pivot point, but attackers can actually chain their proxy servers together in order to continue pivoting from host to host until they reach a mission-critical host or server. For example, in one network I worked in, we had a very complex network setup with multiple different subnets where only certain ones could trust each other. We had an attacker that actually found their way through three or four different subnets, pivoting through until they got to the thing they were looking for. Some networks may be built in a very complex manner. You may have certain areas that are dedicated to certain subnets, like the accounting subnet or your credit card databases.

Maybe you have some ICS or SCADA that’s going to be on another network. An attacker can pivot through multiple pivot points until they get into the particular networks they need for the attack they’re trying to run. So this is important to consider, as people chain these proxy servers together to reach their target and their end state. Another pivoting technique used by attackers is known as VPN pivoting. With VPN pivoting, you’re going to start up a VPN client on the network interface of a compromised host. Then you run a VPN server outside of that network, and you can then relay frames of data from that VPN server over to the client.

This allows you to pivot through the VPN endpoint that you just configured on that compromised host and use it as a way to get back into the network. VPN pivoting is commonly used to perform additional reconnaissance on target networks, because it helps to hide where you’re originally coming from. Another method used is to modify routing tables. You can modify routing tables on the routers, but you can also do it on a compromised host.

In fact, every workstation and server has its own independent routing table that you can modify using the route command from the command-line interface. Therefore, you can open up a shell on that host and add new routes to that pivot host’s routing table, allowing it to route information to and from different subnets based on that host having dual connections to the internet and to the internal network.

This way, you can define your gateway as your own exploit session, and then send traffic through that subnet that will tunnel through your session first. This allows you to do an on-path attack as you adjust those routing tables to reach into these different subnets and act as a person in the middle of these connections. As you can see, there are lots of different ways to do pivoting, whether you’re using port forwarding, SSH pivoting, VPN pivoting, or modifying the route tables. But when you’re doing pivoting, you are compromising one host, which then acts as your pivot point that enables you to spread out into other hosts and proxy information in and out of a network through that compromised host. For the exam, it’s important to remember this distinction between lateral movement and pivoting.
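From the defender’s side, the A-to-B-to-C port-forwarding pivot and the chained pivots described in this lesson leave a recognizable trace in connection records: a host that accepts a service port and re-originates the same port into a subnet it does not belong to. The detector below is an added example, not part of the course; the flow records are constructed, and a /24 is assumed as the subnet boundary.

```python
"""Detection example for the A -> B -> C relay described above: from
connection records, find hosts that accept a service port and re-originate
the same port toward a different subnet, then link hops into chains."""
import ipaddress
from collections import defaultdict

# Constructed sample flows: (source_ip, destination_ip, destination_port).
SAMPLE_FLOWS = [
    ("10.1.1.10", "10.1.1.20", 3389),  # host A -> host B, RDP
    ("10.1.1.20", "10.2.2.30", 3389),  # host B -> host C on another subnet
    ("10.2.2.30", "10.3.3.40", 3389),  # C relays further: a chained pivot
    ("10.1.1.10", "10.1.1.20", 445),   # ordinary SMB with no onward hop
    ("10.1.1.50", "10.1.1.20", 22),    # admin SSH into B, no onward hop
    ("10.1.1.20", "10.1.1.60", 3389),  # same-subnet RDP, not a crossing
]


def _net(ip, prefix):
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def find_pivots(flows, prefix=24):
    """Return sorted (a, b, c, port) tuples: b received port p from a and
    opened port p toward c, where c sits in a different /prefix than b."""
    inbound = defaultdict(set)   # dst -> {(src, port)}
    outbound = defaultdict(set)  # src -> {(dst, port)}
    for src, dst, port in flows:
        inbound[dst].add((src, port))
        outbound[src].add((dst, port))
    hits = set()
    for b in inbound.keys() & outbound.keys():
        for a, p_in in inbound[b]:
            for c, p_out in outbound[b]:
                if p_in == p_out and a != c and _net(b, prefix) != _net(c, prefix):
                    hits.add((a, b, c, p_in))
    return sorted(hits)


def chain_pivots(pivots):
    """Join hops into paths: hop (B, C, D) continues hop (A, B, C)."""
    nxt = {(a, b, p): c for a, b, c, p in pivots}
    continuations = {(b, c, p) for a, b, c, p in pivots}
    paths = []
    for a, b, c, p in pivots:
        if (a, b, p) in continuations:
            continue                      # not the head of a chain
        path = [a, b, c]
        while (path[-2], path[-1], p) in nxt:
            path.append(nxt[(path[-2], path[-1], p)])
        paths.append((tuple(path), p))
    return sorted(paths)
```

Legitimate jump hosts and RDP gateways match the same pattern, so allow-list them before alerting on what this returns.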
