There are different techniques that enable lateral movement. Remote services are perhaps the most prominent. These services enable you to connect to another machine and issue interactive commands using a shell. Examples include the following.
Remote Service/Protocol | Description | Examples |
Telnet | An older remote protocol that does not support encryption and is disabled on most modern systems. However, some older or insecure systems may still have this service enabled. | telnet 192.168.1.50 12345 |
rsh/rlogin | rlogin is a Linux command that's similar to Telnet, but if the server has an .rhosts file configured a certain way, you won't even need to supply credentials. The rsh command can open a shell, but it also gives you the ability to execute a command directly. | rlogin 192.168.1.50 rsh 192.168.1.50 ifconfig |
Secure Shell (SSH) | SSH is a modern answer to Telnet's lack of encryption and other security mechanisms. Some systems (particular Linux systems) have SSH enabled by default. If you know the credentials of an account on the system you're trying to access, you can use them to authenticate. However, some configurations require the use of a digital certificate and keypair for authentication. | ssh admin@192.168.1.50 |
In addition to command shell remote access services, there are several GUI-based remote desktop services you can use in lateral movement.
Remote Desktop Service/Protocol | Description |
Remote Desktop Protocol (RDP) | RDP is the default remote desktop service that comes with Windows systems. It allows full remote control via a GUI window. It can take local account credentials or domain credentials, and supports varying levels of encryption. The service must be enabled on the system you want to connect to, otherwise the connection attempt will be rejected. |
Apple Remote Desktop (ARD) | ARD is similar in purpose to RDP, but it runs on macOS systems. It supports full remote control through a GUI, and supports encryption. Like RDP, the service must be enabled on the target system before you can connect to it through ARD. |
X Window System (X) | X is a graphical display system for Unix-based computers. X actually operates on a client and server model, so you can remotely control specific windows on a computer over a network. The connection between X client and X server is not encrypted, but you can use a technique called X forwarding so that the server directs the connection through an SSH tunnel. This behavior is the default in modern versions of SSH. |
Virtual Network Computing (VNC) | VNC is yet another service that enables full remote control of a desktop, but unlike the others listed, it is cross-platform. A VNC server must be installed on the target machine, which you can access with a corresponding client. There are many different implementations of VNC, and their level of security varies. |