Lateral Movement

Lateral movement is the process of moving from one part of a computing environment to another. After you gain access to the initial part of the environment, you can spread your attack out to compromise additional resources. This ensures that your test encompasses more than just a narrow selection of resources. Likewise, you may be able to discover additional or new vulnerabilities in the environment that you would otherwise miss if you stayed in place. Lateral movement can also support stealth, as in some cases, you’ll draw greater attention to your attack if you focus on only a single resource or a small group of like resources.

One of the most common forms of lateral movement is to jump from one network host to the next. You might gain access to an employee’s workstation from the outside, then use that workstation to set up a connection to an application server, which you then use to open up access to a database server, and so on. Essentially, you’re going further and further into the network, looking for new targets or new vectors with which to spread the attack.

Several techniques make lateral movement easier, chief among them reconnaissance. Once you compromise the “patient zero” host, you can sweep the network for other hosts and enumerate network protocols, open ports, and the logical network layout. This helps you discover where additional hosts are and which hosts you can move to.

At a lower level, lateral movement can also refer to moving exploit code or a session into another running process. This can help you evade defensive efforts to identify and eliminate malicious processes. Migrating code into a known, existing process (e.g., explorer.exe) can also enable you to take on the features and privileges of that process.


Lateral Movement with Remote Access Services

There are different techniques that enable lateral movement. Remote services are perhaps the most prominent. These services enable you to connect to another machine and issue interactive commands using a shell. Examples include the following.

  • Telnet: An older remote protocol that does not support encryption and is disabled on most modern systems. However, some older or insecure systems may still have this service enabled. Example: telnet 192.168.1.50 12345
  • rsh/rlogin: rlogin is a Linux command that’s similar to Telnet, but if the server has an .rhosts file configured a certain way, you won’t even need to supply credentials. The rsh command can open a shell, but it also gives you the ability to execute a command directly. Examples: rlogin 192.168.1.50 and rsh 192.168.1.50 ifconfig
  • Secure Shell (SSH): SSH is a modern answer to Telnet’s lack of encryption and other security mechanisms. Some systems (particularly Linux systems) have SSH enabled by default. If you know the credentials of an account on the system you’re trying to access, you can use them to authenticate. However, some configurations require public-key authentication with a key pair (or a digital certificate) instead of a password. Example: ssh admin@192.168.1.50

In addition to command shell remote access services, there are several GUI-based remote desktop services you can use in lateral movement.

  • Remote Desktop Protocol (RDP): RDP is the default remote desktop service that comes with Windows systems. It allows full remote control via a GUI window. It can take local account credentials or domain credentials, and supports varying levels of encryption. The service must be enabled on the system you want to connect to, otherwise the connection attempt will be rejected.
  • Apple Remote Desktop (ARD): ARD is similar in purpose to RDP, but it runs on macOS systems. It supports full remote control through a GUI, and supports encryption. Like RDP, the service must be enabled on the target system before you can connect to it through ARD.
  • X Window System (X): X is a graphical display system for Unix-based computers. X actually operates on a client and server model, so you can remotely control specific windows on a computer over a network. The connection between X client and X server is not encrypted, but you can use a technique called X forwarding so that the server directs the connection through an SSH tunnel. This behavior is the default in modern versions of SSH.
  • Virtual Network Computing (VNC): VNC is yet another service that enables full remote control of a desktop, but unlike the others listed, it is cross-platform. A VNC server must be installed on the target machine, which you can access with a corresponding client. There are many different implementations of VNC, and their level of security varies.
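
The services above differ in two ways a defender cares about: whether the transport is encrypted, and whether the listener is exposed to the network at all or only bound to loopback behind a tunnel (the X-forwarding case). The following is an added example, not code from the original page: a small Python audit that parses constructed `ss -tlnp`-style output (the sample lines are made up, not captured from a real host) and rates each remote access listener accordingly. The port-to-service mapping and the "cleartext unless known otherwise" assumption for VNC are this example's own choices.

```python
"""Audit listening sockets for remote access services.

Added example for this page (not code from the original). Parses constructed
`ss -tlnp`-style output and reports, for each remote access service, whether its
transport is encrypted and whether it is bound to the network or only to loopback
(in which case it is reachable solely through a tunnel such as SSH X forwarding).
"""
import re

# Constructed sample in the shape of `ss -tlnp` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      5      0.0.0.0:23          0.0.0.0:*         users:(("inetd",pid=455,fd=5))
LISTEN 0      128    127.0.0.1:5901      0.0.0.0:*         users:(("Xvnc",pid=1320,fd=6))
LISTEN 0      128    [::]:3389           [::]:*            users:(("xrdp",pid=900,fd=11))
LISTEN 0      128    127.0.0.1:6010      0.0.0.0:*         users:(("sshd",pid=2201,fd=9))
LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*         users:(("python3",pid=77,fd=4))
"""

# Matches "LISTEN <recvq> <sendq> <addr>:<port> ..."; the non-greedy group also copes with [::]:port.
LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+?):(\d+)\s")
LOOPBACK = {"127.0.0.1", "[::1]", "::1", "localhost"}


def identify(port):
    """Map a TCP port to (service, encrypted_transport), or None if it is not a remote access service."""
    fixed = {
        23: ("telnet", False),    # cleartext
        513: ("rlogin", False),   # cleartext, trust via .rhosts
        514: ("rsh", False),      # cleartext
        22: ("ssh", True),
        3389: ("rdp", True),      # encrypted; strength depends on TLS/NLA settings
        3283: ("ard", True),
    }
    if port in fixed:
        return fixed[port]
    if 5900 <= port <= 5999:      # VNC display :0 .. :99
        return ("vnc", False)     # implementation-dependent; assume cleartext (example's assumption)
    if 6000 <= port <= 6063:      # X11 display :0 .. :63
        return ("x11", False)
    return None


def parse_listeners(text):
    """Return (bind_address, port) for every LISTEN line in ss-style output."""
    found = []
    for line in text.splitlines():
        m = LISTEN_RE.match(line.strip())
        if m:
            found.append((m.group(1), int(m.group(2))))
    return found


def assess(listeners):
    """Rate each remote access listener.

    high   = cleartext protocol reachable from the network
    medium = encrypted protocol reachable from the network (still an entry point)
    low    = bound to loopback only, so a tunnel is required to reach it
    """
    findings = []
    for addr, port in listeners:
        svc = identify(port)
        if svc is None:
            continue
        name, encrypted = svc
        loopback = addr in LOOPBACK
        if loopback:
            risk = "low"
        elif encrypted:
            risk = "medium"
        else:
            risk = "high"
        findings.append({"service": name, "port": port, "bind": addr,
                         "encrypted": encrypted, "loopback_only": loopback, "risk": risk})
    return findings


def audit(text):
    """Parse ss-style output and return the rated findings."""
    return assess(parse_listeners(text))


if __name__ == "__main__":
    for f in audit(SAMPLE_SS_OUTPUT):
        note = "  (loopback only, tunnel required)" if f["loopback_only"] else ""
        print(f"{f['risk']:6} {f['service']:6} {f['bind']}:{f['port']}{note}")
```

On the sample, Telnet on 0.0.0.0:23 is the only high finding; SSH and RDP are medium because they are reachable but encrypted; the VNC display and the X11 display on 127.0.0.1 are low because they can only be reached through a tunnel to the host, which is exactly the arrangement X forwarding over SSH produces.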

Lateral Movement with Remote Management Services

Remote management services enable you to issue commands to remote systems. These differ from remote access technologies in that remote management does not usually involve an interactive shell. Windows Remote Management (WinRM) is Microsoft’s implementation of the WS-Management protocol, which carries remote management requests as Simple Object Access Protocol (SOAP) messages over HTTP or HTTPS. Windows Management Instrumentation (WMI) provides an interface for querying data about, and managing, local and remote systems; WMI requests can travel over WinRM or directly over DCOM. The following uses the WMI command line (WMIC) to get the name of the user currently logged in on a remote system (WMIC is deprecated in current Windows releases, but still works where it is present):

wmic /node:192.168.1.50 computersystem get username

There’s also PowerShell remoting, which requires that the target system has the WinRM service set up to receive remote PowerShell commands. For example, to view the contents of C:\Windows\system32:

Invoke-Command -ComputerName 192.168.1.50 -ScriptBlock { Get-ChildItem C:\Windows\System32 }

There’s also PsExec, which uses Server Message Block (SMB) to enable you to issue commands to a remote system. For example, to run an executable in the SYSTEM account:

psexec \\192.168.1.50 -s "C:\bad-app.exe"

Lateral Movement with RPC/DCOM

Methods like PsExec, WMI, and interactive logins over Telnet and SSH tend to stand out to administrators or security personnel who are paying close attention to their systems. Using RPC/DCOM can help you evade notice.

Remote Procedure Call (RPC) enables inter-process communication between local and remote processes on Windows. Distributed Component Object Model (DCOM) enables communication between software components over a network. DCOM applications use RPC as a transport mechanism for client requests. Exposed DCOM objects can enable you to execute code on a remote system with the privileges of the user whose credentials you authenticate with.

For example, a DCOM application commonly used to initiate lateral movement is MMC20.Application. This enables users to execute Microsoft Management Console (MMC) snap-in operations on a Windows computer. The MMC20.Application application includes an ExecuteShellCommand() method that does exactly what its name implies. You can leverage this method by creating an instance of a DCOM object using PowerShell:

$obj = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application", "192.168.1.50"))

Note that the first argument in GetTypeFromProgID() refers to the DCOM application mentioned before, and the second argument is the IP address of the remote machine you want to move to. You can then invoke the ExecuteShellCommand() method on the object you created:

$obj.Document.ActiveView.ExecuteShellCommand("C:\Windows\system32\calc.exe", $null, $null, "7")

The first argument is the app or command that will start—in this case, the Calculator app. The second argument specifies the current working directory, and the third specifies any parameters to add to the command. In this case, none are needed, so they’re set to null. The last parameter specifies the state of the window. Ultimately, this will launch the Calculator app on the remote computer under a local administrator account.

You can, of course, do much more than just launch a simple app. The point of lateral movement is to “own” the next host you move to, so you can compromise it in many different ways. There are also other DCOM applications and methods you can use to move laterally. However, DCOM is blocked by default on modern Windows Defender firewalls, so you shouldn’t expect this to work with any regularity.
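
Each of the remote management and DCOM methods in the two sections above runs the requested command through a characteristic host process on the target, which is what gives a defender a foothold for detection: PsExec runs commands under its PSEXESVC.exe service, remote WMI process creation is parented by WmiPrvSE.exe, PowerShell remoting starts wsmprovhost.exe under WinRM, and an MMC20.Application activation runs as mmc.exe started with -Embedding. The following is an added example, not code from the page or from any of the tools it names: a Python triage routine that tags constructed process-creation records (shaped like Sysmon Event ID 1 fields, invented for this example) with the technique they indicate. The rule table, the sample events and the technique labels are this example’s own assumptions.

```python
"""Tag process-creation telemetry with the remote execution technique it indicates.

Added example for this page (not code from the original or from any tool it names).
Events are constructed in the shape of Sysmon Event ID 1 (ProcessCreate) fields. Each
rule names the host process the technique runs commands through: PSEXESVC.exe for
PsExec, WmiPrvSE.exe for WMI, wsmprovhost.exe for WinRM/PowerShell remoting, and
mmc.exe started with -Embedding for an MMC20.Application DCOM activation.
"""
from collections import Counter

# Constructed sample events (invented for this example, not from a real host).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\bad-app.exe"',
     "ParentImage": r"C:\Windows\PSEXESVC.exe",
     "ParentCommandLine": r"C:\Windows\PSEXESVC.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Windows\System32\wsmprovhost.exe",
     "CommandLine": r"C:\Windows\system32\wsmprovhost.exe -Embedding",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentCommandLine": r"C:\Windows\system32\svchost.exe -k NetworkService -p -s WinRM",
     "User": r"CORP\admin"},
    {"Image": r"C:\Windows\System32\calc.exe",
     "CommandLine": r"C:\Windows\system32\calc.exe",
     "ParentImage": r"C:\Windows\System32\mmc.exe",
     "ParentCommandLine": r"C:\Windows\system32\mmc.exe -Embedding",
     "User": r"CORP\admin"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c whoami",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "ParentCommandLine": r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",
     "User": r"CORP\admin"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": r"C:\Windows\Explorer.EXE",
     "User": r"CORP\alice"},
]

# Each rule: technique label, which field to inspect (the process itself or its parent),
# the expected image basename, and an optional substring that must appear in the
# matching process's command line (used to require mmc.exe's -Embedding activation).
RULES = [
    ("psexec",           "ParentImage", "psexesvc.exe",    None),
    ("wmi",              "ParentImage", "wmiprvse.exe",    None),
    ("winrm_psremoting", "Image",       "wsmprovhost.exe", None),
    ("dcom_mmc20",       "ParentImage", "mmc.exe",         "-embedding"),
]


def basename(path):
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the technique label an event indicates, or None for ordinary activity."""
    for technique, field, image, needle in RULES:
        if basename(event.get(field, "")) != image:
            continue
        cmd_field = "CommandLine" if field == "Image" else "ParentCommandLine"
        if needle is None or needle in event.get(cmd_field, "").lower():
            return technique
    return None


def triage(events):
    """Keep only events that indicate a remote execution technique, with the fields an analyst needs."""
    hits = []
    for e in events:
        technique = classify(e)
        if technique:
            hits.append({"technique": technique, "image": basename(e.get("Image", "")),
                         "user": e.get("User", ""), "cmd": e.get("CommandLine", "")})
    return hits


def summarize(hits):
    """Count hits per technique, e.g. to drive an alert threshold."""
    return Counter(h["technique"] for h in hits)


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for h in found:
        print(f"{h['technique']:17} {h['user']:22} {h['cmd']}")
    print(dict(summarize(found)))
```

Parent-process matching is deliberately used instead of command-line keywords: a PsExec command line can be anything, but it is always a child of the service binary PsExec installs, and the calc.exe launched by ExecuteShellCommand() looks ordinary on its own but never has an -Embedding mmc.exe as its parent in normal interactive use. The WMI rule fires on remote process creation through WMI; a pure query such as the WMIC example above creates no child process and would instead need to be caught on the WMI activity or network side.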


Pivoting

Pivoting is a process similar to lateral movement. In lateral movement, you jump from one host to the next in search of vulnerabilities to exploit. When you pivot, you compromise one host (the pivot) that enables you to spread out to other hosts that would otherwise be inaccessible. This is necessary when you want to move to a different network segment than the one you’re currently on. For example, if you are able to open a shell on a host you’ve compromised, you can enter commands in that shell to see other network subnets that the host might be connected to. From here, you can use the pivot host to spread out to these other subnets.

Note: Despite the distinction, lateral movement and pivoting are often used interchangeably.

There are several techniques that can enable pivoting.

  • Port forwarding: You use a host as a pivot and are able to access one of its open TCP/IP ports. You then forward traffic from this port to a port of a host on a different subnet using various methods. One common method is to forward port 3389 (RDP) to a Windows target for remote desktop access.
  • VPN pivoting: You run an exploit payload on a compromised host that starts a VPN client on its network interface. Meanwhile, you run a VPN server outside the network, and relay frames of data from that server to the client. The data frames are dumped onto the client and can now interface with the wider private network. Any traffic that the client (pivot host) sees can then be relayed back to your VPN server. VPN pivoting is commonly used to perform additional reconnaissance of a target network.
  • SSH pivoting: You connect to the compromised pivot through SSH using the -D flag. This flag sets up dynamic port forwarding: a local SOCKS proxy listens on your attack machine on the port you specify, and every connection made to that proxy is forwarded through the SSH session and sent on from the pivot to the ultimate target. SSH pivoting is often used to chain proxy servers together in order to continue pivoting from host to host.
  • Modifying routing tables: After opening a shell on the pivot host, you can also add a new route to the pivot host’s routing table. This new route includes a destination subnet and a gateway. You define the gateway as your own exploit session, so that any traffic sent to the subnet must tunnel through your session. Adjusting routing tables in this manner is often used as a way to reach different subnets.

Tools that Enable Pivoting

You can engage in pivoting by using familiar tools like Metasploit. For example, assume that you use your Kali Linux attack machine to gain a Meterpreter session onto a Windows host in the same subnet (192.168.1.0/24). You open a shell and run ipconfig on the Windows host, and see that it has a second network interface that is connected to a gateway in a different subnet (10.8.0.0/24). You want to reach hosts in this subnet, but you can’t do that directly from your attack machine. To get to the other subnet, you can use the compromised host as a pivot.

In Metasploit, running the post/multi/manage/autoroute module searches the pivot for any additional subnets and then adds those subnets to Metasploit’s routing table. Using the previous example, it would add 10.8.0.0/255.255.255.0 to the routing table. You can now use various Metasploit modules with this new subnet. For example, you could conduct a ping sweep with the new subnet as the target in order to identify specific hosts on this subnet. Then, you might target a specific host and attempt to access it using a service like SSH, Telnet, etc.

Another tool you can use to pivot to a new subnet is called ProxyChains. After opening a Meterpreter session with the pivot host, you can add the target subnet to the routing table, like so: route add 10.8.0.0 255.255.255.0 1, where 1 is the ID of the Meterpreter session. Then, run the Metasploit module auxiliary/server/socks4a (newer Metasploit releases provide this as auxiliary/server/socks_proxy) to start a proxy server that uses Metasploit’s routing table. Next, edit /etc/proxychains.conf to include the following line: socks4 127.0.0.1 1080. This instructs ProxyChains to use the proxy on localhost. Lastly, you can run ProxyChains to pass in pretty much any command. The following example conducts an Nmap scan of a host on the target subnet:

proxychains nmap -sT -Pn -p21,22,23,25,80,443 10.8.0.10
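
What makes both the autoroute and the ProxyChains workflow work is the routing table inside the framework: each destination subnet is mapped to a session, and the SOCKS proxy picks the most specific matching route for every connection it relays. The following is an added example, not Metasploit’s or ProxyChains’ own code: a Python model of that table that accepts the route add 10.8.0.0 255.255.255.0 1 line from above, adds a direct route for the attacker’s own 192.168.1.0/24 LAN, and answers which path a given destination takes. The second, more specific 10.8.0.128/25 route via a hypothetical session 2 is this example’s own addition, included to show longest-prefix selection; it is not part of the page’s scenario.

```python
"""Longest-prefix route selection for a pivot routing table.

Added example for this page (not Metasploit's or ProxyChains' own code). Models the
table that `route add <subnet> <netmask> <session>` builds: destination subnets mapped
to either a direct interface or a Meterpreter session id, and answers "which path does
traffic for host X take?" the way a SOCKS proxy backed by that table would.
"""
import ipaddress


class PivotRoutes:
    def __init__(self):
        self.routes = []  # (ip_network, via) where via is "direct" or "session:N"

    def add(self, subnet, netmask, via):
        """Add a route; netmask may be dotted (255.255.255.0) or a prefix length (24)."""
        net = ipaddress.ip_network(f"{subnet}/{netmask}", strict=False)
        self.routes.append((net, via))
        return net

    def add_msf(self, command):
        """Parse a Meterpreter-style 'route add <subnet> <netmask> <session-id>' line."""
        parts = command.split()
        if len(parts) != 5 or parts[0] != "route" or parts[1] != "add":
            raise ValueError(f"unrecognised route command: {command!r}")
        return self.add(parts[2], parts[3], f"session:{int(parts[4])}")

    def lookup(self, dst):
        """Return the 'via' of the most specific matching route, or None if unreachable."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, via in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, via)
        return best[1] if best else None

    def table(self):
        """Routes as printable lines, most specific first (the order lookups effectively use)."""
        ordered = sorted(self.routes, key=lambda r: r[0].prefixlen, reverse=True)
        return [f"{net}  via {via}" for net, via in ordered]


def build_example():
    """The scenario from the text: attacker on 192.168.1.0/24, pivot session 1 reaches 10.8.0.0/24.
    The /25 route via session 2 is a constructed addition to show longest-prefix selection."""
    r = PivotRoutes()
    r.add("192.168.1.0", "255.255.255.0", "direct")       # attacker's own LAN, no pivot needed
    r.add_msf("route add 10.8.0.0 255.255.255.0 1")       # what the text's route add line produces
    r.add_msf("route add 10.8.0.128 255.255.255.128 2")   # hypothetical second pivot (example only)
    return r


def plan(routes, destinations):
    """Map each destination to the path it would take, None meaning 'no route'."""
    return {d: routes.lookup(d) for d in destinations}


if __name__ == "__main__":
    routes = build_example()
    print("\n".join(routes.table()))
    for dst, via in plan(routes, ["10.8.0.10", "10.8.0.200", "192.168.1.50", "172.16.5.5"]).items():
        print(f"{dst:14} -> {via}")
```

Running it shows 10.8.0.10 leaving through session 1 (the Nmap target above), 10.8.0.200 through the more specific session 2 route, 192.168.1.50 going direct, and 172.16.5.5 having no route at all, which is the case where a proxied command simply fails until a route for that subnet is added.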

Chisel is a great tool for pivoting through rooted machines.

https://github.com/jpillora/chisel

Also check out routing in Linux:

http://linux-ip.net/html/routing-tables.html


Guidelines for Using Lateral Movement Techniques

When using lateral movement techniques:
  • Jump from one host to the next to spread your attack out and look for new vulnerabilities to exploit.
  • Use reconnaissance techniques to make lateral movement easier.
  • Migrate code between running processes to evade detection and take on new privileges.
  • Use insecure remote access services like Telnet and rlogin when available.
  • Use SSH to encrypt your movement traffic.
  • Use remote desktop services like RDP and VNC to gain a GUI onto systems you move to.
  • Ensure that these remote desktop services are activated on the target system.
  • Use pivoting to move through one host to a host on an otherwise inaccessible subnet.
  • Use pivoting techniques like port forwarding and modifying routing tables to access other hosts and subnets.
  • Use tools like Metasploit and ProxyChains to engage in pivoting.
