Lateral Movement

Introduction

  • The goal of this stage is to test what an attacker could do across the entire internal network once a foothold has been obtained.

  • In this stage, we want to test how far we can move manually in the entire network and what vulnerabilities we can find from the internal perspective that might be exploited. In doing so, we will again run through several phases:

    • Pivoting

    • Evasive Testing

    • Information Gathering

    • Vulnerability Assessment

    • (Privilege) Exploitation

    • Post-Exploitation

Pivoting

  • In most cases, the system we use will not have the tools to enumerate the internal network efficiently. Some techniques allow us to use the exploited host as a proxy and perform all the scans from our attack machine or VM. In doing so, the exploited system represents and routes all our network requests sent from our attack machine to the internal network and its network components.

  • In this way, networks that are not routable from the outside (and therefore not publicly reachable) can still be reached. This allows us to scan them for vulnerabilities and penetrate deeper into the network. This process is also known as Pivoting or Tunneling.
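  • Added example (not part of the original notes): a defender-side heuristic in Python for the pivot described above. A compromised host used as a proxy forwards the attack machine's scans into the internal network, so in internal flow records it stands out as a single source contacting many distinct internal hosts within a short window. The flow lines, addresses and thresholds below are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of internal flow records (not real data): "timestamp src dst dport".
# 10.10.1.5 behaves like a pivot host: one source sweeping many internal hosts in seconds.
FLOWS = """\
2024-01-01T10:00:01 10.10.1.5 10.10.2.10 445
2024-01-01T10:00:02 10.10.1.5 10.10.2.11 445
2024-01-01T10:00:02 10.10.1.5 10.10.2.12 22
2024-01-01T10:00:03 10.10.1.5 10.10.2.13 3389
2024-01-01T10:00:03 10.10.1.5 10.10.2.14 445
2024-01-01T10:00:04 10.10.1.5 10.10.2.15 135
2024-01-01T10:00:05 10.10.1.5 10.10.2.16 445
2024-01-01T10:00:06 10.10.1.5 10.10.2.17 5985
2024-01-01T10:00:10 10.10.1.7 10.10.2.10 445
2024-01-01T10:00:11 10.10.1.7 10.10.2.10 445
2024-01-01T10:30:00 10.10.1.5 10.10.2.18 445
"""

def parse_flows(text):
    """Parse 'timestamp src dst dport' lines into (datetime, src, dst, port) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return records

def detect_fan_out(records, window=timedelta(minutes=5), min_targets=5):
    """Return {src: set(dst)} for sources reaching >= min_targets distinct hosts inside one sliding window."""
    by_src = defaultdict(list)
    for ts, src, dst, _ in sorted(records):
        by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide the window forward
                start += 1
            targets = {d for _, d in events[start:end + 1]}
            if len(targets) >= min_targets:
                alerts[src] = alerts.get(src, set()) | targets
    return alerts
```

The 10:30 connection from 10.10.1.5 falls outside the window of the earlier burst, so it is not attributed to the alert; tune window and min_targets to the size and chattiness of the monitored segment.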

Evasive Testing

  • Also, at this stage, we should consider whether evasive testing is part of the assessment scope.

  • There are many ways to protect against lateral movement, including network (micro) segmentation, threat monitoring, IPS/IDS, EDR, etc. To bypass these efficiently, we need to understand how they work and what they respond to. Then we can adapt and apply methods and strategies that help avoid detection.

Information Gathering

  • Before we target the internal network, we must first get an overview of which systems and how many can be reached from our system.

  • We return to the Information Gathering stage, but this time, we do it from inside the network with a different view of it.

  • Once we have discovered all hosts and servers, we can enumerate them individually.

Vulnerability Assessment

  • Vulnerability assessment from inside the network differs from the previous procedures. This is because far more misconfigurations and weaknesses exist inside a network than on hosts and servers exposed to the Internet.

  • Here, the groups to which one has been assigned and the rights to different system components play an essential role.

(Privilege) Exploitation

  • Once we have found and prioritized attack vectors, we can jump to the step where we use these to access the other systems.

  • We often find ways to crack passwords and hashes and gain higher privileges. Another standard method is to use our existing credentials on other systems.

  • There will also be situations where we do not even have to crack the hashes but can use them directly.

Post-Exploitation

  • Once we have reached one or more hosts or servers, we go through the steps of the post-exploitation stage again for each system.
