Lateral Movement (Offensive Security lecture slides)

Lateral Movement
• After initial access/privilege escalation
• In most cases the host you land on isn’t the most important
• Looking for more targets
Notes: More important targets

Targets
• Depends on objective
• Web servers/Databases
• Domain controllers
• Terminal Server
• File shares
• Dev/Engineering network
Notes: What are we trying to prove? Penetration test vs. red team engagement

Can you move?
• Determine whether or not you can pivot
• Networking is key: interfaces, network connections
• Internal recon: SSH keys, credentials or notes, etc.

Tunneling
• Internal hosts may have vulnerabilities that you can’t see from the outside
• Many ways to do this: SSH, autoroute, proxychains, socat, iptables, SOCKS proxy

Finding Credentials
• Passwords or SSH keys
• Use of native tools to move
• SSH on Linux
• PsExec, WinRM, PS remoting, etc. on Windows
Notes: A lot of native tools allow you to use a password: Schtasks, at,

Scanning the network
• Use auxiliary/scanner/portscan/tcp
• Nmap
• Bash/PowerShell scripts
• Custom tools
• Tunneling

Exploits
• Once you pivot through a system you can send exploits through too
• Can tunnel them similarly to scanning
• Web traffic: find internal web applications; slightly more likely to have vulnerabilities

Token Stealing
• Windows
• Each user on a Windows machine has a “token”
• More on this later

Moving Laterally on a Domain
• Have a user account that is connected to a domain
• Likely able to authenticate to similar types of computers
Notes: Check who the local computer has been talking to: ARP table, established/stale netstat connections
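The last slide's note about established and stale netstat connections is the same data a defender uses to triage which hosts a machine has remote-admin sessions to. The script below is an added example written for this page, not code from the lecture; it parses constructed Windows-style `netstat -an` output and groups peers reached over the ports of the native tools the deck lists (SSH, SMB/PsExec, WinRM, RDP). The port-to-service mapping and the sample lines are assumptions for illustration.

```python
import re
from collections import defaultdict

# Ports used by the native remote-admin tools the slides mention.
# Constructed mapping for the example, not part of the lecture.
LATERAL_PORTS = {22: "ssh", 445: "smb/psexec", 5985: "winrm",
                 5986: "winrm-https", 3389: "rdp"}

# Constructed sample in the layout of Windows `netstat -an` output.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.5:49811         10.0.0.20:445          ESTABLISHED
  TCP    10.0.0.5:49812         10.0.0.21:5985         ESTABLISHED
  TCP    10.0.0.5:49820         10.0.0.22:445          TIME_WAIT
  TCP    10.0.0.5:49830         10.0.0.21:445          ESTABLISHED
  TCP    10.0.0.5:49840         203.0.113.9:443        ESTABLISHED
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
"""

# One TCP line: local ip:port, foreign ip:port, state.
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def parse_netstat(text):
    """Yield (local_ip, remote_ip, remote_port, state) for each TCP line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(3), int(m.group(4)), m.group(5)


def lateral_peers(text):
    """Map remote host -> set of remote-admin services it was reached on.

    ESTABLISHED connections are current sessions; TIME_WAIT entries are
    the 'stale' connections the slide refers to (recently closed).
    Listening sockets and non-admin ports are ignored.
    """
    peers = defaultdict(set)
    for _local, remote, port, state in parse_netstat(text):
        if port in LATERAL_PORTS and state in ("ESTABLISHED", "TIME_WAIT"):
            peers[remote].add(LATERAL_PORTS[port])
    return dict(peers)


if __name__ == "__main__":
    for host, services in sorted(lateral_peers(SAMPLE_NETSTAT).items()):
        print(f"{host}: {', '.join(sorted(services))}")
```

On the sample above, the HTTPS connection to 203.0.113.9 and the RPC listener are dropped, leaving three internal hosts with SMB or WinRM sessions.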