Pivoting and Relaying

  • Pivoting

    • Use a compromised host to reach otherwise inaccessible network segments
    • Network Pivoting:
      • Route traffic through compromised host (e.g., SSH tunnel)
        ssh -L 8080:target-internal:80 user@compromised-host
        • Access internal web service via http://localhost:8080
    • Application-Level Pivoting:
      • Interact with applications on other hosts via compromised host
        • Meterpreter:
            route add 192.168.10.0 255.255.255.0 1
          • Routes traffic through Meterpreter session 1 to the internal subnet
  • Relay Creation

    • Capture and forward authentication requests to exploit trust relationships
    • SMB Relay:
      • Tool: ntlmrelayx.py (Impacket)
      • Captures an SMB NTLM authentication attempt and relays it to authenticate to the target
    • LDAP Relay:
      • Forward NTLM auth to an LDAP server and perform directory actions as the relayed user
    • Key Concepts:
      • Abuse NTLM over SMB/LDAP to move laterally without knowing any password: the victim's own authentication is relayed
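Relay works, over SMB and LDAP alike, because an NTLM authentication is not bound to the connection it arrives on; the corresponding defences are requiring SMB signing on the SMB side and LDAP signing plus channel binding on the LDAP side. The check below is an added example, not from the page or from Impacket: it reads the SecurityMode field of an SMB2 NEGOTIATE response (the same field nmap's smb2-security-mode script reports) and says whether the server enforces signing. The packets it inspects are constructed by build_sample_response; to audit a real host, hand it the NEGOTIATE response captured from a connection to that host.

```python
import struct

# Constants from MS-SMB2 (protocol identifier, command code, SecurityMode flags, dialects)
SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SIGNING_ENABLED = 0x0001   # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002  # SMB2_NEGOTIATE_SIGNING_REQUIRED
DIALECTS = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0", 0x0302: "3.0.2", 0x0311: "3.1.1"}
HEADER_LEN = 64            # the SMB2 header is always 64 bytes


def parse_negotiate_response(data: bytes) -> dict:
    """Extract DialectRevision and the SecurityMode flags from an SMB2 NEGOTIATE response.

    Layout (all little-endian): 64-byte header with Command at offset 12, then the
    NEGOTIATE response body starting with StructureSize (65), SecurityMode, DialectRevision.
    """
    if len(data) < HEADER_LEN + 6:
        raise ValueError("packet too short for an SMB2 NEGOTIATE response")
    if data[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 packet")
    (command,) = struct.unpack_from("<H", data, 12)
    if command != SMB2_NEGOTIATE:
        raise ValueError(f"not a NEGOTIATE message (command={command:#06x})")
    struct_size, security_mode, dialect = struct.unpack_from("<HHH", data, HEADER_LEN)
    if struct_size != 65:
        raise ValueError(f"unexpected NEGOTIATE response StructureSize {struct_size}")
    return {
        "dialect": DIALECTS.get(dialect, f"unknown({dialect:#06x})"),
        "signing_enabled": bool(security_mode & SIGNING_ENABLED),
        "signing_required": bool(security_mode & SIGNING_REQUIRED),
    }


def relay_exposure(data: bytes) -> str:
    """Classify a server for NTLM relay exposure from its NEGOTIATE response.

    A relayed authentication only yields a usable session when the server does not
    require signing: the relay never learns the session key needed to sign messages.
    """
    info = parse_negotiate_response(data)
    if info["signing_required"]:
        return "protected: SMB signing required"
    if info["signing_enabled"]:
        return "exposed: signing supported but not required"
    return "exposed: signing disabled"


def build_sample_response(security_mode: int, dialect: int = 0x0311) -> bytes:
    """Constructed test packet (not captured traffic): a NEGOTIATE response carrying the
    given SecurityMode, with the header fields a server reply would set."""
    header = bytearray(HEADER_LEN)
    header[0:4] = SMB2_MAGIC
    struct.pack_into("<H", header, 4, HEADER_LEN)       # StructureSize
    struct.pack_into("<H", header, 12, SMB2_NEGOTIATE)  # Command
    struct.pack_into("<I", header, 16, 0x00000001)      # Flags: SMB2_FLAGS_SERVER_TO_REDIR
    # Body: StructureSize, SecurityMode, DialectRevision, remaining fixed fields zeroed
    body = struct.pack("<HHH", 65, security_mode, dialect) + bytes(58)
    return bytes(header) + body


if __name__ == "__main__":
    for mode in (SIGNING_REQUIRED | SIGNING_ENABLED, SIGNING_ENABLED, 0):
        print(f"SecurityMode={mode:#06x}: {relay_exposure(build_sample_response(mode))}")
```

Windows domain controllers require signing by default; member servers and workstations typically only advertise it, which is why the "supported but not required" case is the common finding on internal audits.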

Demo: Using ProxyChains

  • ProxyChains
    • Route tool traffic through proxy servers (e.g., Tor or compromised hosts)
    • Configuration (/etc/proxychains.conf):
      [ProxyList]
      socks5  127.0.0.1 9050
      
    • Usage:
      proxychains nmap -sT -Pn 10.0.0.0/24
      • Scans network via Tor or specified proxy chain
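proxychains works by preloading a library that intercepts a program's TCP connect() calls, which is why the nmap line above uses -sT (full TCP connects) and -Pn (no ICMP or ARP host discovery): raw-socket SYN scans and pings never enter the chain. The parser below is an added example, not part of proxychains or of the page; it reads the chain mode, proxy_dns and the [ProxyList] entries of a proxychains.conf and reports what the configuration means for the traffic path. SAMPLE_CONF is a constructed file, not the page's /etc/proxychains.conf.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Chain modes and proxy types understood by proxychains / proxychains-ng.
CHAIN_MODES = {"strict_chain", "dynamic_chain", "random_chain", "round_robin_chain"}
PROXY_TYPES = {"http", "socks4", "socks5", "raw"}


@dataclass
class Proxy:
    kind: str
    host: str
    port: int
    user: Optional[str] = None
    password: Optional[str] = None


@dataclass
class ProxyChainsConfig:
    chain_mode: str = "strict_chain"   # proxychains' default when no mode line is present
    proxy_dns: bool = False
    proxies: List[Proxy] = field(default_factory=list)


def parse_proxychains_conf(text: str) -> ProxyChainsConfig:
    """Parse the option lines and the [ProxyList] section of a proxychains.conf file."""
    cfg = ProxyChainsConfig()
    in_proxy_list = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_proxy_list = line.lower() == "[proxylist]"
            continue
        if not in_proxy_list:
            key = line.split()[0].lower()
            if key in CHAIN_MODES:
                cfg.chain_mode = key
            elif key == "proxy_dns":
                cfg.proxy_dns = True
            continue                             # timeouts, chain_len etc. are not needed here
        parts = line.split()
        if len(parts) not in (3, 5):
            raise ValueError(f"line {lineno}: expected 'type ip port [user pass]'")
        kind = parts[0].lower()
        if kind not in PROXY_TYPES:
            raise ValueError(f"line {lineno}: unknown proxy type {parts[0]!r}")
        try:
            ipaddress.ip_address(parts[1])       # proxychains expects a literal IP, not a hostname
            port = int(parts[2])
        except ValueError as exc:
            raise ValueError(f"line {lineno}: bad address or port") from exc
        if not 1 <= port <= 65535:
            raise ValueError(f"line {lineno}: port {port} out of range")
        creds = parts[3:5] if len(parts) == 5 else [None, None]
        cfg.proxies.append(Proxy(kind, parts[1], port, creds[0], creds[1]))
    if not cfg.proxies:
        raise ValueError("no entries in [ProxyList]")
    return cfg


def audit(cfg: ProxyChainsConfig) -> List[str]:
    """Point out configuration properties that change what actually leaves the host."""
    notes = []
    if not cfg.proxy_dns:
        notes.append("proxy_dns not set: DNS lookups bypass the chain and reveal targets")
    if cfg.chain_mode == "strict_chain":
        notes.append("strict_chain: every proxy must be up or the connection fails")
    if cfg.chain_mode == "dynamic_chain":
        notes.append("dynamic_chain: dead proxies are skipped, so the path may be shorter than listed")
    for p in cfg.proxies:
        if p.kind == "http":
            notes.append(f"{p.host}:{p.port} is an HTTP proxy: only CONNECT-capable TCP works")
    return notes


# Constructed sample (not the page's file): local Tor client first, then a SOCKS5 hop.
SAMPLE_CONF = """
dynamic_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000

[ProxyList]
socks5  127.0.0.1 9050          # local Tor client
socks5  10.0.0.5  1080 pivot s3cret
"""

if __name__ == "__main__":
    conf = parse_proxychains_conf(SAMPLE_CONF)
    print(conf.chain_mode, "->", " -> ".join(f"{p.kind}://{p.host}:{p.port}" for p in conf.proxies))
    for note in audit(conf):
        print("-", note)
```

The proxy_dns note is the one that matters most in practice: without it, every hostname the wrapped tool resolves goes straight to the local resolver, outside the chain.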

Enumerating for Lateral Movement

  • Service Discovery

    • Identify exploitable services on network hosts
    • Tools:
      nmap -p 80,445,3389 10.0.0.0/24 --open 
      nmap --script rpcinfo <target_ip> #rpc specific
      smbclient -L \\\\target-ip -N #smbclient
    • Targets: HTTP (80), SMB (445), RDP (3389), RPC, DCOM
  • Protocol Discovery

    • Detect cleartext and weak protocols
    • Telnet (plaintext credentials):
      • Sniff with Wireshark to capture creds
    • FTP (plaintext file transfers):
      • Intercept credentials via TCP dump:
        tcpdump -i eth0 -A port 21
    • LDAP (plaintext directory traffic):
      • Use Wireshark or tcpdump to capture LDAP queries
  • Remote Access Discovery

    • Locate RDP, SSH, VNC, WMI services
    nmap -p 3389 --script rdp-vuln-cve2019-0708 10.0.0.0/24 #rdp
    nmap -p 22 10.0.0.0/24 #ssh
    nmap -p 5900 --open 10.0.0.0/24 #vnc
    Get-WmiObject -Class Win32_ComputerSystem -ComputerName target #wmi
  • Printer Discovery

    • Network printers often expose LPD or JetDirect
    nmap -p 515 --script lpd-print <target-ip> #lpd
    nmap -p 9100 --open <target-ip> #jetdirect
    • Exploitation:
      • Upload malicious print jobs, or exploit a printer buffer overflow and use the device as a foothold to scan the network
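The four discovery items above (services, protocols, remote access, printers) all start from the same nmap sweep, and grepable output (-oG) is the easiest nmap format to post-process. The code below is an added example, not from the page or from nmap: it parses -oG lines into open ports per host and buckets them into cleartext protocols, remote-access services and printer ports, using the service names nmap prints (ms-wbt-server for RDP/3389, printer for LPD/515, jetdirect for 9100). SAMPLE_GREPABLE is constructed, not a real scan. Run the same sweep over your own ranges and the buckets become a findings list: cleartext services to retire, remote-access ports to restrict, printers to segment.

```python
import re
from typing import Dict, List, Tuple

# Service names as nmap prints them in grepable output, grouped the way the notes above do.
CLEARTEXT = {"ftp", "telnet", "ldap"}              # credentials readable on the wire (LDAP unless StartTLS/signing)
REMOTE_ACCESS = {"ssh", "ms-wbt-server", "vnc"}     # ms-wbt-server is nmap's name for RDP/3389
PRINTER = {"printer", "jetdirect"}                  # LPD/515 and HP JetDirect/9100

# One entry of the "Ports:" field: port/state/protocol/owner/service/rpc-info/version/
PORT_RE = re.compile(r"^(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/")

HostPorts = Dict[str, List[Tuple[int, str, str]]]


def parse_grepable(output: str) -> HostPorts:
    """Return {ip: [(port, protocol, service), ...]} for open ports in `nmap -oG` output."""
    hosts: HostPorts = {}
    for line in output.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue                                # comment lines and "Status: Up" lines
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]
        open_ports = []
        for entry in fields["Ports"].split(","):
            m = PORT_RE.match(entry.strip())
            if m and m.group(2) == "open":         # skip filtered/closed entries
                open_ports.append((int(m.group(1)), m.group(3), m.group(4)))
        hosts[ip] = open_ports
    return hosts


def inventory(hosts: HostPorts) -> Dict[str, List[str]]:
    """Bucket open services into the categories the enumeration notes care about."""
    out: Dict[str, List[str]] = {"cleartext": [], "remote_access": [], "printer": [], "other": []}
    for ip, ports in hosts.items():
        for port, proto, service in ports:
            label = f"{ip}:{port}/{proto} {service}"
            if service in CLEARTEXT:
                out["cleartext"].append(label)
            elif service in REMOTE_ACCESS:
                out["remote_access"].append(label)
            elif service in PRINTER:
                out["printer"].append(label)
            else:
                out["other"].append(label)
    return out


# Constructed grepable output (not a real scan); tabs separate the fields as nmap writes them.
SAMPLE_GREPABLE = (
    "# Nmap scan (constructed sample) -- nmap -p 21-23,389,445,515,3389,5900,9100 -oG - 10.0.0.0/29\n"
    "Host: 10.0.0.5 (fileserver.internal)\tStatus: Up\n"
    "Host: 10.0.0.5 (fileserver.internal)\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, "
    "445/open/tcp//microsoft-ds///\tIgnored State: closed (6)\n"
    "Host: 10.0.0.6 ()\tPorts: 23/open/tcp//telnet///, 389/open/tcp//ldap///, "
    "3389/open/tcp//ms-wbt-server///, 5900/filtered/tcp//vnc///\tIgnored State: closed (5)\n"
    "Host: 10.0.0.7 (printer.internal)\tPorts: 515/open/tcp//printer///, 9100/open/tcp//jetdirect///"
    "\tIgnored State: closed (7)\n"
    "# Nmap done -- 8 IP addresses (3 hosts up) scanned\n"
)

if __name__ == "__main__":
    for category, items in inventory(parse_grepable(SAMPLE_GREPABLE)).items():
        print(f"{category}: {', '.join(items) or '-'}")
```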
  • Discovering Internal Websites

    • Identify internal web interfaces (routers, switches, IP cameras, CMS)
    • Nmap:
      nmap -p 80,443 --open 10.0.0.0/24
    • Vulnerabilities:
      • Weak/default creds (admin:admin)
      • Outdated software (SQLi, RCE); confirm injection points with sqlmap
      • Session hijacking (HTTP cookies)
      • HTTP request smuggling, tested with Burp Suite
    • Tools:
      • Nessus, Burp Suite, Nikto or OpenVAS for vulnerability scanning
      • Manual: curl -I http://target-internal-web-app
  • Credential Capturing: intercept authentication credentials on the wire, usually with Responder or bettercap

  • Credential Dumping: extract stored credentials from compromised systems with Mimikatz

Living Off the Land Tools (LOLBins)

  • Use built-in binaries to avoid detection
  • Examples:
    • netstat: Enumerate active connections
    • net use/view/user/group: Interact with network shares and accounts
    • cmd.exe: Execute commands and scripts stealthily
    • Explorer.exe: Navigate the file system without spawning new processes
    • ftp.exe: Transfer files (data exfiltration)
    • mmc.exe: Load management consoles; escalate privileges
    • rundll32.exe: Execute DLL functions:
      rundll32.exe C:\malicious.dll,EntryPoint
    • msbuild.exe: Compile and run malicious code from project files
    • route: Modify routing tables for pivoting:
      route add 10.0.1.0 mask 255.255.255.0 10.0.0.5
    • findstr/strings: Search for sensitive data in files or memory

sshuttle

  • Function: Creates a VPN-like tunnel over SSH without root on the remote server
  • Key Features:
    • Only user-level privileges needed on the remote host
    • Routes all or specific subnet traffic
    • Supports DNS forwarding
  • Commands:
    sshuttle -r user@remote-server 0.0.0.0/0 #route all traffic
    sshuttle -r user@remote-server 192.168.1.0/24 #specific subnet
    sshuttle --dns -r user@remote-server 0.0.0.0/0 #dns forwarding
- **Use Cases**:
    - Scan internal network via routed traffic:
        ```bash
        nmap -sT -Pn 192.168.1.0/24
        ```
    - Access internal web servers by hostname after enabling DNS forwarding
 
---
## Demo: Covenant
 
- **Covenant**
    - .NET-based C2 framework for red teams
    - Cross-platform (Windows, Linux, macOS)
    - Agents (“Grunts”) deployed on hosts to maintain control
- **Grunts**
    - Execute commands (PowerShell, .NET)
    - Collect system information; disable security features; deploy payloads
- **Example Use Case**:
    1. Exploit misconfigured web app → RCE
    2. Deploy Grunt on Windows server
    3. Escalate via PrintNightmare (CVE-2021-34527)
    4. Search and download SQL backup for offline analysis
    5. Exploit directory traversal to read sensitive files
    6. Create scheduled task for persistent Grunt:
        ```powershell
        schtasks /create /sc onlogon /tn "PersistGrunt" /tr "C:\grunt.exe"
        ```
    7. Deploy Mimikatz via Grunt to dump domain-admin credentials
 
- **Features**:
    - Encrypted communications; evades AV/EDR
    - Uses **SharpSploit** for in-memory code injection
    - Collaboration support (multiple operators)