Lateral movement automation

19:10
15 min
Main Stage

In a corporate network, lateral movement is a great way to escalate privileges and find necessary information.

But it is hindered when we face filtering between network segments. Sometimes we have to open multiple nested tunnels, which is hard to automate. In other words, lateral movement is rarely possible without pivoting.

Trying to solve this problem and move away from pivoting, we found an interesting solution: a recursive shell, i.e. a shell that can be opened from another shell.

In fact, it is a proxy based on DCOM and reachable through the MSRPC stack built into the victim. As a result, we can forward ports exclusively through port 445/tcp.

This kind of lateral movement significantly hinders active countermeasures, because it passes through a chain of MSRPC proxies and the real source of the attack is hard to identify.

A demo.


Speakers
Andrey Zhukov