
General Consideration

Lateral movement is a vast topic that can be approached from various angles. Discussing every single method for performing Windows lateral movement is generally impossible. However, the information provided in this module will help build the skills needed to identify lateral movement opportunities not covered here.

In order to perform lateral movements, we need to start with the available assets such as users, passwords, networks, and computers. Typically, we will search for services and understand how to interact with or abuse them to gain access.

Once we gain access to a service, we repeat the process. We search for more credentials or think about how we can use that service's rights to gain access to another service or computer. We then repeat the process over and over again until we reach our goal.

Using our imagination is crucial when exploring a Windows network. Observing the services running and how they interact within the network can help us identify more opportunities for lateral movement, such as:

  • Development environments running code hosted on accessible servers.
  • Applications connecting to shared folders to retrieve and execute DLLs.
  • MSSQL servers running queries from configuration files.
  • Software installed across the domain used for inventory that can execute PowerShell commands.

Can you imagine how to exploit these use cases for lateral movement? Your imagination is vital when approaching unknown networks. The concepts in this section aim to provide the foundational knowledge for performing lateral movement.

User privileges

Administrative rights are not always necessary for lateral movement. Services such as PSRemoting, RDP, WMI, DCOM, and SSH allow non-administrators to execute commands. It is essential to test all our credentials against these services.
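The point above is easy to verify on a host: Windows grants RDP and PSRemoting access to members of two built-in groups, and each PSRemoting session configuration carries its own access list. The following PowerShell audit is an added example, not part of the module's text. It assumes a Windows 10 / Server 2016 or later host, an elevated shell, and the default group names `Remote Desktop Users` and `Remote Management Users`; the `Permission` string format it parses is the one `Get-PSSessionConfiguration` prints.

```powershell
# Added example: list which non-administrator principals can reach the remote-execution
# surfaces on this host. Assumes Windows 10 / Server 2016 or later, run elevated.

# Built-in local groups that grant RDP (Remote Desktop Users) and WinRM/PSRemoting
# (Remote Management Users) access without administrative rights.
$groups = @("Remote Desktop Users", "Remote Management Users")

foreach ($g in $groups) {
    Write-Host "== Members of '$g' =="
    try {
        Get-LocalGroupMember -Group $g -ErrorAction Stop |
            Select-Object Name, ObjectClass, PrincipalSource |
            Format-Table -AutoSize
    } catch {
        Write-Host "  (group not present or access denied: $($_.Exception.Message))"
    }
}

# PSRemoting session configurations. Permission is a comma-separated summary such as
# "BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed".
Write-Host "== PSRemoting session configurations =="
Get-PSSessionConfiguration |
    Select-Object Name, PSVersion, Permission |
    Format-List

# Flag configurations that grant AccessAllowed to any principal other than Administrators.
$nonAdmin = Get-PSSessionConfiguration | Where-Object {
    $entries = @($_.Permission -split ", ")
    @($entries | Where-Object { $_ -match "AccessAllowed" -and $_ -notmatch "Administrators" }).Count -gt 0
}
if ($nonAdmin) {
    Write-Host "Session configurations reachable by non-administrators:"
    $nonAdmin | ForEach-Object { Write-Host "  $($_.Name): $($_.Permission)" }
}
```

Running this on each server in scope shows exactly which low-privilege accounts already have a remote-execution path, which is the same list an attacker would test credentials against; domain group membership nested inside these local groups is reported with `PrincipalSource` set to `ActiveDirectory`.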

Firewall Blocking

Firewalls and network segmentation are crucial considerations. Sometimes, you may have access to a workstation that doesn't have direct access to specific servers, requiring you to use other devices to reach your target network.

Administrators can apply various network configurations and restrictions, such as:

  • Changing default ports.
  • Restricting access to specific workstations.
  • Allowing inbound access only from specific IPs or networks.
  • Blocking outbound internet access for specific workstations.
  • Monitoring network traffic.

To identify non-default ports, use the netstat command. For example, running netstat -ano on SRV01 might yield:

```powershell
PS C:\Tools> netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1704
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:23389          0.0.0.0:0              LISTENING       336
```

In this example, we can see the port `23389`. We can investigate which service this port belongs to using `tasklist`:

```powershell
PS C:\Tools> tasklist /svc /FI "PID eq 336"

Image Name                PID Services
=====================  ====== =====================
svchost.exe               336 TermService
```

Investigating further reveals that TermService is responsible for Remote Desktop Services, indicating that this port is for RDP.

Note: Additionally, tools such as nmap can be used to actively enumerate remote hosts.
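The two-step `netstat` / `tasklist` lookup above can be done in one pass. The following PowerShell script is an added example (not from the module) that lists every listening TCP port together with the owning process and the service(s) it hosts, then flags well-known services that are not on their default port, which is how the `TermService` listener on `23389` from the output above would surface. It assumes Windows 8 / Server 2012 or later (the `NetTCPIP` module) and an elevated shell; the `$expectedPorts` table is a constructed lookup, not a complete list.

```powershell
# Added example: listening TCP ports -> owning process -> Windows service(s), plus a
# check for well-known services on non-default ports. Run elevated.

# Default ports for a few well-known services (constructed lookup table).
$expectedPorts = @{
    "TermService" = 3389   # Remote Desktop Services
    "WinRM"       = 5985   # PSRemoting over HTTP (5986 for HTTPS)
    "MSSQLSERVER" = 1433   # default SQL Server instance
}

# Map PID -> service names. A single svchost.exe PID may host several services.
$servicesByPid = @{}
Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object {
    if (-not $servicesByPid.ContainsKey($_.ProcessId)) { $servicesByPid[$_.ProcessId] = @() }
    $servicesByPid[$_.ProcessId] += $_.Name
}

$listeners = Get-NetTCPConnection -State Listen | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    $svcs = $servicesByPid[[uint32]$_.OwningProcess]
    [pscustomobject]@{
        LocalAddress = $_.LocalAddress
        LocalPort    = $_.LocalPort
        PID          = $_.OwningProcess
        Process      = if ($proc) { $proc.ProcessName } else { "?" }
        Services     = if ($svcs) { $svcs -join "," } else { "" }
    }
}

$listeners | Sort-Object LocalPort | Format-Table -AutoSize

# Report any well-known service listening somewhere other than its default port,
# e.g. TermService on 23389 as in the netstat output above.
foreach ($l in $listeners) {
    foreach ($svc in ($l.Services -split "," | Where-Object { $_ })) {
        if ($expectedPorts.ContainsKey($svc) -and $expectedPorts[$svc] -ne $l.LocalPort) {
            Write-Host ("Non-default port: {0} is listening on {1} (default {2}), PID {3}" -f
                $svc, $l.LocalPort, $expectedPorts[$svc], $l.PID)
        }
    }
}
```

Moving a service to a non-default port only hides it from the laziest scans; the service name behind the port is still visible to anyone with a local shell, so port changes should be treated as a documentation item in the network inventory, not as a control.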

Credentials

Searching for credentials is a crucial aspect of identifying lateral movement opportunities. The Windows Privilege Escalation module covers methods for credential pillaging. Successful lateral movement often relies on using and reusing credentials, public/private keys, tokens, and website logins found during enumeration.

IPv6

IPv6 is often overlooked, but it is enabled by default on Windows. If firewalls block IPv4 connections but overlook IPv6, you can use IPv6 to bypass these restrictions.

To connect to an IPv6 network, use the IPv6 address within brackets, like this: [dead:beef::647f:620f:3a1a:e978]. For WinRM, use the following command:

```powershell
PS C:\Tools> Enter-PSSession -ComputerName [dead:beef::647f:620f:3a1a:e978] -Authentication Negotiate
```

If we are attempting to connect to RDP using IPv6, we can use the following address:

[Image: Remote Desktop Connection client with the IPv6 address entered in brackets]
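The gap described above, a filter that blocks IPv4 peers but never matches IPv6 ones, is easy to audit on the host itself. The following PowerShell script is an added example, not part of the module. It walks the enabled inbound Windows Firewall rules, identifies those whose remote-address scope consists only of IPv4 addresses, ranges or CIDR blocks, and reports the Block rules among them, since a Block rule written that way cannot match an IPv6 source. It assumes Windows 8 / Server 2012 or later (the `NetSecurity` and `NetAdapter` modules) and an elevated shell; `Test-IPv4OnlyScope` is a helper written for this example.

```powershell
# Added example: find enabled inbound firewall rules scoped to IPv4 addresses only.
# Block rules with such a scope never match an IPv6 peer, so the service stays reachable
# over IPv6 whenever another rule allows it. Run elevated.

# A scope is IPv4-only when every entry is a dotted-quad address, range or CIDR block.
# Keywords such as Any, LocalSubnet or DefaultGateway already cover both address families.
function Test-IPv4OnlyScope {
    param([string[]]$RemoteAddress)
    if (-not $RemoteAddress -or $RemoteAddress -contains "Any") { return $false }
    foreach ($entry in $RemoteAddress) {
        # A colon means IPv6; anything outside digits, dots, slash and dash is a keyword.
        if ($entry -match ":" -or $entry -notmatch '^[0-9./-]+$') { return $false }
    }
    return $true
}

$findings = foreach ($rule in Get-NetFirewallRule -Enabled True -Direction Inbound) {
    $addr = $rule | Get-NetFirewallAddressFilter
    if (Test-IPv4OnlyScope -RemoteAddress $addr.RemoteAddress) {
        $port = $rule | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Name          = $rule.DisplayName
            Action        = $rule.Action
            Profile       = $rule.Profile
            Protocol      = $port.Protocol
            LocalPort     = ($port.LocalPort -join ",")
            RemoteAddress = ($addr.RemoteAddress -join ",")
        }
    }
}

# Block rules scoped to IPv4 addresses are the ones that leave an IPv6 path open.
$findings | Where-Object { $_.Action -eq "Block" } | Format-Table -AutoSize

# Whether the IPv6 protocol (ms_tcpip6) is bound on each adapter at all.
Get-NetAdapterBinding -ComponentID ms_tcpip6 | Select-Object Name, Enabled | Format-Table -AutoSize
```

Windows Firewall denies inbound traffic by default, so an Allow rule scoped to IPv4 addresses is not itself a problem; the risk is a Block rule scoped that way sitting next to an Allow rule with an `Any` scope. The same audit applies to network firewalls and host ACLs: every rule that names IPv4 addresses needs an IPv6 counterpart, or IPv6 should be disabled where it is not used.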

Conclusion

This module combines various lateral movement techniques to help students familiarize themselves with the most common methods used in Windows networks. Many Active Directory modules present labs requiring lateral movement, and we encourage students to practice and familiarize themselves with different tools and techniques.

The following section will cover defense mechanisms against lateral movement and explain how to detect and prevent it. At the end of this module, students will be challenged to combine different lateral movement techniques to complete the skill assessment.