Pivoting and Lateral Movement
We’ve focused on how attackers first gain access to a target. Now, we’ll discuss pivoting and lateral movement, which help an attacker use that initial access to attack more systems in the same network.
Attackers can use their C2 access to move around the network and reach new devices. A key example is the Meterpreter C2 framework, which can be delivered as the payload of the initial exploit or as a separate payload generated with MsfVenom.
Meterpreter lets attackers access internal networks by using a compromised system as a stepping stone. For example, an attacker at 96.97.98.99 hacks into a system at 10.10.10.11. They then use this system to attack other internal targets that can only be reached from it. The attacker can set up a proxy on 96.97.98.99 to forward traffic through the C2 link, making it look like the traffic is coming from 10.10.10.11.
An attacker could use the same Meterpreter C2 link and other Metasploit tools to attack internal systems with the Meterpreter route command.
An attacker can use the Meterpreter portfwd command to set up port forwarding to a specific IP and port. For example, if they listen on their system's port 8000 (e.g., 96.97.98.99:8000), any connections to that port will be forwarded to the victim's system at 10.10.10.100:80. This works for any IP address and TCP port, not just HTTP.
The route command in Meterpreter helps with pivoting. In the example, we start with a Meterpreter session from the exploit/windows/smb/psexec module, then use the background command to go back to the Metasploit console. The message "Backgrounding session 1..." shows that session 1, which is on the victim's system, is now in the background.
To set up a pivot through the victim, an attacker can use the route command in Metasploit to direct access to the 10.10.10.0/24 network through Meterpreter session 1. After this, any Metasploit exploit targeting an IP in that range will go through session 1. In the example, after setting up the route, they use the psexec module again with a new target IP of 10.10.10.100, using the same credentials. The new Meterpreter session is labeled as session 2, and the session ID increases with each new session.
The Metasploit route feature can be used with auxiliary modules for port scanning. Meterpreter doesn't have its own port scanner, but it can use the arp_scanner module to find devices on the local network. In the example, three hosts are found, and port scanning can follow. Metasploit has tools like nmap and the auxiliary/scanner/portscan/tcp module. By using the route command and loading the tcp module, an attacker can scan internal systems through the Meterpreter connection.
To pivot on compromised Linux or UNIX systems, an attacker can use an SSH server. This lets them access other internal systems. For example, an attacker can connect to a victim's SSH at 10.10.10.11 as user victortimko. By using the -L option, they create a listening port (8000) on their system (e.g., 96.97.98.99:8000). When they connect to port 8000, it forwards to another host (10.10.10.100) on TCP port 80. More -L options can set up additional port forwards.
The attacker can connect to the victim at 10.10.10.11 using the SSH command with the option -D 3128. This sets up a SOCKS proxy on their system, letting them use any compatible client to send traffic through the SSH tunnel. SSH also offers various port forwarding options, including dynamic and reverse port forwarding. For more details on SSH tunneling, check out https://www.ssh.com/ssh/tunneling/example.
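The defender's counterpart to the -L and -D pivots above is the sshd side: OpenSSH only builds those tunnels when AllowTcpForwarding permits it. The following is an added example, not part of the course material: a small Python audit of the forwarding-related sshd_config directives, using their real OpenSSH names and defaults, run against two constructed sample configs (one that still permits pivoting, one that disables it globally and re-enables it only for a named group).

```python
import re
# Forwarding-related sshd directives -> (OpenSSH default, values that block pivoting).
FORWARDING_DIRECTIVES = {
    "allowtcpforwarding": ("yes", {"no"}),  # gates -L, -D and -R entirely
    "gatewayports": ("no", {"no"}),         # lets -R listeners bind non-loopback
    "permittunnel": ("no", {"no"}),         # tun(4) IP-layer tunnels
}

def parse_sshd_config(text):
    """Return {directive: value} for the global section of an sshd_config.
    sshd keeps the FIRST occurrence of a directive, so a hardening line added
    below an earlier weak one does nothing; Match blocks end the global section."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in settings:
            settings[key] = parts[1].strip().lower()
    return settings

def weak_forwarding_directives(text):
    """Forwarding directives whose effective value (set or default) still permits pivoting."""
    settings = parse_sshd_config(text)
    return sorted(key for key, (default, safe) in FORWARDING_DIRECTIVES.items()
                  if settings.get(key, default) not in safe)

# Constructed sample: the late "AllowTcpForwarding no" loses to the earlier "yes".
WEAK_CONFIG = """
AllowTcpForwarding yes
GatewayPorts yes
AllowTcpForwarding no
"""

# Constructed sample: forwarding off globally, re-enabled only for one admin group.
HARDENED_CONFIG = """
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no
Match Group bastion-admins
    AllowTcpForwarding yes
"""
if __name__ == "__main__":
    print("weak:", weak_forwarding_directives(WEAK_CONFIG))          # ['allowtcpforwarding', 'gatewayports']
    print("hardened:", weak_forwarding_directives(HARDENED_CONFIG))  # []
```

Point it at a real file with `weak_forwarding_directives(open("/etc/ssh/sshd_config").read())`; an empty list means every -L/-D/-R path described above is closed for users outside any Match exceptions.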
You can use other tools for port forwarding besides SSH. On UNIX and Linux, Netcat can help with port forwarding through named pipes. On Windows, the netsh command lets you listen on a port and forward traffic to a remote address, but you need admin access. This makes it easier to move from one system to another.
In this case, the listening port is on the victim's computer, not the attacker's. The attacker can still use it to move around the network and hide their attack, but they need to connect to the victim's listening port first.
Pivoting in a hacked system gives attackers new chances. They can access more targets, find data, and avoid detection. Lateral movement means using these points to exploit more targets on the network.
Lateral movement uses familiar attack methods but also offers new chances for attackers. Some attacks, like man-in-the-middle (MITM) and local password stealing, can only happen after a breach or if the attacker has a special network position. Here, we’ll explore how attackers move within a network and use pivot points to carry out these attacks.
Attackers can access hard-to-reach internal targets by first compromising an easy one. In this lab, we'll use Metasploit to take control of one host and then use that host to reach another one that’s normally out of reach.
In this lab, we'll use Metasploit to access a target machine at 172.30.0.21, which allows SSH connections. After getting in through SSH, we'll use this machine to explore and attack other systems inside the network.
The lab focuses on a Wardrobe99 branch, an online clothing store. As the security analyst, we find a PasteBin post while doing OSINT research.
Our task is to use this OSINT to evaluate the reported vulnerability and determine the impact to internal Wardrobe99 systems.
Let's start the Metasploit msfconsole tool.
In the first part of the attack, we'll use the leaked SSH credentials to access the SSH server. From the msf6 > prompt, let's look for the sshexec exploit.
The sshexec exploit works like the psexec exploit but targets Linux and UNIX systems. We can load it using the shortcut use 0.
Next, let's configure the module for the target system (172.30.0.21) with the leaked username and password, mpoor/forgecaptain. We'll use the default linux/x86/meterpreter/reverse_tcp payload and set the listener host to the Slingshot Linux VM with the shortcut value eth0.
Next, let's run the exploit command. After a few seconds, we’ll see the meterpreter > prompt, which means we have remote access to the target.
We've set up remote access to the target system using Meterpreter on port TCP/4444. Next, we'll gather more information about the target using the same session.
Let's type shell to open a command line on the SSH victim system. We won't see a normal $ prompt, but we can still run commands. Use ifconfig to list the network interfaces on the victim system.
The output shows that the eth0 interface was used to connect to the system, and there's also a new network on eth1: 172.40.0.2/255.255.255.0.
Let's use the exit command to leave the shell and go back to the Meterpreter session.
To connect to the remote network 172.40.0.0/255.255.255.0, we'll use the Meterpreter link to the victim at 172.30.0.21. We'll use the background command to go back to the msfconsole prompt.
Next, we'll use the Meterpreter route command to create a new route from our attacking system, through the compromised system at 172.30.0.21, to the remote network 172.40.0.0/255.255.255.0.
This way of adding the route lets the attacker use the 172.30.0.21 host to connect to other devices in the 172.40.0.0 network by reusing the Meterpreter session.
Next, we'll scan for more hosts in the 172.40.0.0 network using the new route. The scan will look like it's coming from the 172.30.0.21 host.
To scan a remote network using Meterpreter, we'll use the Metasploit module auxiliary/scanner/portscan/tcp. Let's load this module and set the target range from 172.40.0.3 to 172.40.0.20, focusing on common HTTP ports.
Let's use the run command to start the auxiliary scanner.
The scan found a new host at 172.40.0.10 with a service on TCP/80, probably an HTTP server.
Next, we'll do more HTTP scanning on the new server using Metasploit's http_header scanner module.
This Metasploit module gets HTTP headers, showing an Apache 2.4.25 server on Debian Linux with PHP 7.2.3 for a Drupal 8 site, which is a CMS known for past vulnerabilities.
Next, we'll use the pivot host to attack the Drupal server. Let's use the Metasploit search command to find a highly reliable Drupal exploit.
Let's use the third one, use 2, to load the Drupalgeddon2 exploit, then run show info to view its details.
The info shows it works with some Drupal 8 sites. Now, we'll use the exploit to get remote access to the server.
We use the pivot host (172.30.0.21) to send the Drupalgeddon2 exploit to the 172.40.0.10 server through a Meterpreter session with a reverse TCP payload. Once exploited, the reverse Meterpreter session connects back to the attacker at 10.10.75.1.
A new Meterpreter session from the 172.40.0.10 server has been established. We'll now focus on the access gained through the Drupalgeddon2 exploit and simulate an attacker by collecting data.
Let's use the Meterpreter session to download the Drupal database from /var/www/html/sites/default/files/.ht.sqlite using the download command.
Next, let's background our session and use the sqlite3 command to dump the Drupal user password hash table users_field_data.
This command retrieves the password hashes for the Drupal server users: admin, josh, and steve.
To access the Drupal server at 172.40.0.10 using SSH instead of Metasploit, first SSH into the server with the username mpoor and password forgecaptain. Then, use the -L option to set up a TCP listener on the Slingshot Linux system to forward connections to the Drupal server at 172.40.0.10:80.
While the SSH session is open, let's open a new terminal window. Run netstat -nat to check the new TCP port listening on 127.0.0.1:8000.
To access the Drupal server, let's open Firefox and go to http://127.0.0.1:8000.
The target system is reachable at 127.0.0.1:8000. We can exploit it with Metasploit again. For the unix/webapp/drupal_drupalgeddon2 exploit, we'll set RHOSTS to 127.0.0.1 and RPORT to 8000.