Lateral Movement

Introduction

The goal here is that we test what an attacker could do within the entire network.
In this stage, we want to test how far we can move manually in the entire network and what vulnerabilities we can find from the internal perspective that might be exploited. In doing so, we will again run through several phases:
- Pivoting
- Evasive Testing
- Information Gathering
- Vulnerability Assessment
- (Privilege) Exploitation
- Post-Exploitation

Pivoting

In most cases, the system we use will not have the tools to enumerate the internal network efficiently. Some techniques allow us to use the exploited host as a proxy and perform all the scans from our attack machine or VM. In doing so, the exploited system represents and routes all our network requests sent from our attack machine to the internal network and its network components.
In this way, we make non-routable networks (and therefore publicly unreachable) can still be reached. This allows us to scan them for vulnerabilities and penetrate deeper into the network. This process is also known as Pivoting or Tunneling.

Evasive Testing

Also, at this stage, we should consider whether evasive testing is part of the assessment scope.
There are many ways to protect against lateral movement, including network (micro) segmentation, threat monitoring, IPS/IDS, EDR, etc. To bypass these efficiently, we need to understand how they work and what they respond to. Then we can adapt and apply methods and strategies that help avoid detection.

Information Gathering

Before we target the internal network, we must first get an overview of which systems and how many can be reached from our system.
We return to the Information Gathering stage, but this time, we do it from inside the network with a different view of it.
Once we have discovered all hosts and servers, we can enumerate them individually.

Vulnerability Assessment

Vulnerability assessment from the inside of the network differs from the previous procedures. This is because far more errors occur inside a network than on hosts and servers exposed to the Internet.
Here, the groups to which one has been assigned and the rights to different system components play an essential role.

(Privilege) Exploitation

Once we have found and prioritized attack vectors, we can jump to the step where we use these to access the other systems.
We often find ways to crack passwords and hashes and gain higher privileges. Another standard method is to use our existing credentials on other systems.
There will also be situations where we do not even have to crack the hashes but can use them directly.

Post-Exploitation

Once we have reached one or more hosts or servers, we go through the steps of the post-exploitation stage again for each system.

PreviousPost-Exploitation NextProof-of-Concept

Last updated 3 months ago

Introduction

The goal here is that we test what an attacker could do within the entire network.

In this stage, we want to test how far we can move manually in the entire network and what vulnerabilities we can find from the internal perspective that might be exploited. In doing so, we will again run through several phases:

Pivoting
Evasive Testing
Information Gathering
Vulnerability Assessment
(Privilege) Exploitation
Post-Exploitation

Pivoting

In most cases, the system we use will not have the tools to enumerate the internal network efficiently. Some techniques allow us to use the exploited host as a proxy and perform all the scans from our attack machine or VM. In doing so, the exploited system represents and routes all our network requests sent from our attack machine to the internal network and its network components.

In this way, we make non-routable networks (and therefore publicly unreachable) can still be reached. This allows us to scan them for vulnerabilities and penetrate deeper into the network. This process is also known as Pivoting or Tunneling.

Evasive Testing

Also, at this stage, we should consider whether evasive testing is part of the assessment scope.

There are many ways to protect against lateral movement, including network (micro) segmentation, threat monitoring, IPS/IDS, EDR, etc. To bypass these efficiently, we need to understand how they work and what they respond to. Then we can adapt and apply methods and strategies that help avoid detection.

Information Gathering

Before we target the internal network, we must first get an overview of which systems and how many can be reached from our system.

We return to the Information Gathering stage, but this time, we do it from inside the network with a different view of it.

Once we have discovered all hosts and servers, we can enumerate them individually.

Vulnerability Assessment

Vulnerability assessment from the inside of the network differs from the previous procedures. This is because far more errors occur inside a network than on hosts and servers exposed to the Internet.

Here, the groups to which one has been assigned and the rights to different system components play an essential role.

(Privilege) Exploitation

Once we have found and prioritized attack vectors, we can jump to the step where we use these to access the other systems.

We often find ways to crack passwords and hashes and gain higher privileges. Another standard method is to use our existing credentials on other systems.

There will also be situations where we do not even have to crack the hashes but can use them directly.