Lateral movement is where an attacker moves within a network to gain access to additional systems. This type of attack is commonly referred to as “pivoting” because the attacker “pivots” from one system to another. The purpose of lateral movement is to gain access to additional systems and data, or to use the compromised systems as a way to launch further attacks.
The two primary methods of lateral movement are credential-based and non-credential-based. In credential-based lateral movement, the attacker uses valid credentials to move from one system to another. This type of attack is often used to gain access to additional systems that the attacker would not have been able to access otherwise.
Non-credential-based lateral movement does not require the attacker to use valid credentials. Instead, the attacker uses methods such as exploiting vulnerabilities, using exploits, or scanning for open ports to gain access to the target system.
Port forwarding, also known as tunneling, is a technique used to redirect incoming data traffic to a specific port or port range on a computer or network device. It is commonly used to allow remote users to access services on a local network, such as a web server, mail server, or other application.
The process involves receiving network traffic on one port and redirecting it out another. This allows traffic that might be restricted or blocked on one port to pass over another.
sslh - sslh lets one accept HTTPS, SSH, OpenVPN, tinc and XMPP connections on the same port. This makes it possible to connect to any of these servers on port 443 (e.g. from inside a corporate firewall, which almost never blocks port 443) while still serving HTTPS on that port.
redsocks - Redsocks is a daemon running on the local system, that will transparently tunnel any TCP connection via a remote SOCKS4, SOCKS5 or HTTP proxy server.
nextnet - This package contains a pivot point discovery tool written in Go.
miredo - A client for the Teredo IPV6 tunneling protocol.
iodine - This is a piece of software that lets you tunnel IPv4 data through a DNS server. This can be usable in different situations where internet access is firewalled, but DNS queries are allowed.
dnschef - DNSChef is a highly configurable DNS proxy for Penetration Testers and Malware Analysts.
dns2tcp - dns2tcp is a set of tools to encapsulate a TCP session in DNS packets. This type of encapsulation generates smaller packets than IP-over-DNS, improving throughput.
cryptcat - Cryptcat is a simple Unix utility which reads and writes data across network connections, using TCP or UDP protocol while encrypting the data being transmitted.
chisel - This package contains a fast TCP/UDP tunnel, transported over HTTP, secured via SSH. Single executable including both client and server. Chisel is mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into your network.
PacketWhisper - PacketWhisper: Stealthily exfiltrate data and defeat attribution using DNS queries and text-based steganography. Avoid the problems associated with typical DNS exfiltration methods. Transfer data between systems without the communicating devices directly connecting to each other or to a common endpoint. No need to control a DNS Name Server.
Pivotnacci - Pivot into the internal network by deploying HTTP agents.
SSHuttle - Where transparent proxy meets VPN meets ssh.
Modlishka - Modlishka is a powerful and flexible HTTP reverse proxy. It implements an entirely new and interesting approach to handling browser-based HTTP traffic flow, which allows it to transparently proxy multi-domain destination traffic, both TLS and non-TLS, over a single domain, without requiring any additional certificate to be installed on the client.
ProxyChains - ProxyChains is a UNIX program, that hooks network-related libc functions in dynamically linked programs via a preloaded DLL and redirects the connections through SOCKS4a/5 or HTTP proxies.
PivotSuite - PivotSuite is a portable, platform-independent and powerful network pivoting toolkit, which helps Red Teamers / Penetration Testers use a compromised system to move around inside a network.
keimpx - quickly check for valid credentials across a network over SMB.
Sonar.js - A framework for identifying and launching exploits against internal network hosts. Works via WebRTC IP enumeration combined with WebSockets and external resource fingerprinting.
SprayWMI - SprayWMI is a method for mass spraying Unicorn PowerShell injection to CIDR notations.
LOLBAS - Living Off The Land Binaries and Scripts (and also Libraries)
MalSCCM - This tool allows you to abuse local or remote SCCM servers to deploy malicious applications to hosts they manage.
SCShell - Fileless lateral movement tool that relies on ChangeServiceConfigA to run commands
Inject a new agent into a running process owned by a different user
PSInject - inject an agent into processes using ReflectivePick to load the .NET common language runtime into a process and execute a PowerShell command without spawning a new powershell.exe process
This will start a new agent running as a process owned by the new target.
The rinetd configuration file, /etc/rinetd.conf, lists forwarding rules that each require four parameters: bindaddress and bindport, which define the bound (“listening”) IP address and port, and connectaddress and connectport, which define the traffic’s destination address and port:
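To make the four-field rule format concrete, here is an added example (not code from rinetd or from the original notes) that parses rinetd-style forwarding rules from a constructed sample config and flags the ones bound to a wildcard address, which an auditor would want to review first. It assumes addresses are IP literals and that the allow/deny/logfile directives can simply be skipped.

```python
"""Parse rinetd-style forwarding rules and flag wildcard binds (added example)."""
from dataclasses import dataclass
import ipaddress

# Constructed sample config for illustration, not a real /etc/rinetd.conf.
SAMPLE_CONF = """\
# constructed sample rinetd.conf
0.0.0.0     80    192.168.10.5   8080
127.0.0.1   2222  10.0.0.7       22
bad line here
"""

# Assumption: these non-rule directives exist in rinetd.conf and are ignored here.
SKIPPED_DIRECTIVES = {"allow", "deny", "logfile", "logcommon"}


@dataclass(frozen=True)
class ForwardRule:
    bindaddress: str
    bindport: int
    connectaddress: str
    connectport: int


def _port(text):
    """Parse a TCP port, rejecting values outside 1..65535."""
    port = int(text)
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {text}")
    return port


def parse_rinetd(conf):
    """Return (rules, errors); '#' comments and blank lines are skipped."""
    rules, errors = [], []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] in SKIPPED_DIRECTIVES:
            continue
        if len(fields) != 4:
            errors.append((lineno, f"expected 4 fields, got {len(fields)}"))
            continue
        try:
            bind_ip = str(ipaddress.ip_address(fields[0]))   # assumption: IP literals only
            conn_ip = str(ipaddress.ip_address(fields[2]))
            rules.append(ForwardRule(bind_ip, _port(fields[1]), conn_ip, _port(fields[3])))
        except ValueError as exc:
            errors.append((lineno, str(exc)))
    return rules, errors


def exposed_rules(rules):
    """Rules listening on 0.0.0.0 or ::, i.e. reachable from every interface."""
    return [r for r in rules if ipaddress.ip_address(r.bindaddress).is_unspecified]
```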
Used to access an application that the user of the compromised workstation accesses regularly.
This method can bypass authentication to that application
Tasks: Inject code into the IE process accessing the medical database, create a web proxy DLL based on the WinInet API, and pass web traffic through our SSH tunnel and the new proxy
Stage 1: DLL Injection - Injecting code into a currently running process
Attach to the target process
Allocate memory within the target process
Copy the DLL into the target process memory and calculate the appropriate memory addresses
Instruct the target process to execute your DLL
Stage 2: Create a Proxy DLL based on the WinInet API
Any program can use the WinInet API, and it can handle tasks such as cookie and session management, auth, etc.
The WinInet API performs auth on a per-process basis
Inject our own proxy server into the target's IE process, route our web traffic through it, and inherit the application session states, including those protected with 2FA!
Stage 3: Using the injected proxy server
Now we have an HTTP proxy running on our target machine, restricted to the local Ethernet interface.
Next we must hardcode an additional tunnel into our payload.