Ethical hacking: Lateral movement techniques
Those with at least an introductory-level understanding of hacking techniques are aware of how much hackers can rely on lateral movement techniques to perform their deeds in the computer systems of others. But what exactly are lateral movement techniques, you may be asking?
This article will detail some of the most popular lateral movement techniques used by adversaries. Ethical hackers should study these techniques so they can better test their own organization’s network against said attacks. For those wanting a solid look at common lateral movement techniques, this article is for you.
FREE role-guided training plans
A little about lateral movements
To provide a quick definition here, lateral movements are used by cybercriminals to move throughout a network systematically to search for sensitive date or assets to perform data exfiltration.
Did you know that on average, it takes seven months before data breaches are discovered? And of these breaches, only 4% are actually investigated?
Or how about this: 80% of the time an attack is underway, it is performing lateral movements? This is because most of the time attackers are in systems blind and have to move slowly to minimize detection. Just imagine all of the potential data exfiltration, among other damage, that hackers can cause during this time. It is enough to make you lose sleep for those who are security-minded.
PowerShell
PowerShell is the number one mechanism by which to implement lateral movement techniques. PowerShell uses object-oriented scripting that makes stealing credentials, system configuration modification and automation of movement from system to system as easy as it is legal to own. (Funny how some of the most easily accessible tools used attack techniques, including lateral movement.)
This is a tool and not a technique, technically, but it is definitely worth a mention based on its overrepresentation. Ethical hackers would be smart to use it themselves.
Common lateral movement techniques
Lateral movement techniques are definitely not lacking in number or diversity, but they have the same basic strategy. It goes like this: gain access to a low-privileged asset with low protection, escalate privileges and seek out targets of interest on the network.
Below is a list, in no particular order, of some of the most commonly used techniques by black hat hackers which ethical hackers can use to test their organization’s systems and networks. It follows the old adage of “know your enemy.”
Token stealing
Used in most attacks today, token stealing is a top technique for sure. Using tools such as Windows Credential Editor and mimikatz, attackers find a service account in system memory, generate Kerberos tickets and then use them to gain elevated privileges like domain administrator. This can be performed without detection, often with the use of PowerShell.
Stolen credentials
Stolen credentials are even more common than token stealing. While organizations have responded to the attack environment by investing in anti-malware capabilities, attackers have changed their focus a bit and have shifted more to the fundamental actions within environments. Attackers know that once you steal legitimate credentials, not only is their job easier but it makes it much harder to detect. In fact, stealing credentials is part of nearly every attack strategy under the sun.
Some of the most relied-upon methods of stealing credentials include reusing credentials that were leaked on another website, phishing and social engineering, and brute-force attacks. These methods of stealing credentials are what allows for smoother lateral movements within an organization’s network.
Logon scripts
Windows uses logon scripts whenever users log into a computer system. These scripts can execute other programs, perform administrative functions and send information to login servers on the network. If attackers can access these scripts, they can insert their own pieces of code for continued persistence of a compromised system.
The lateral movement comes into play if these logon scripts are stored in a central server. When these logon scripts are kicked out to systems on the network, attackers can use this to move about.
Other techniques for lateral movement
Lateral movement techniques are diverse, to say the least, and attackers are resourceful in that they make the most out of the state of systems (especially Windows) which most organizations use. These techniques may be different, but they use a lot of the same corridors to move within a network. These include:
- Vulnerability exploitation
- Removable media
- Abusing application deployment software
- Abusing Windows features and services
Wait a minute, did I just say Windows features and services? I did. This is the scariest thing for an organization’s network, because Windows features and services are running 24/7 and are used daily. These features and services can include (non-exclusive list):
- Remote desktop
- Server Message Block (SMB)
- Service Control Manager (SCM)
- Windows Management Instrumentation (WMI)
- Task scheduler
- Windows Remote Management (WinRM)
- Distributed Component Object Model (DCOM)
Mobile lateral movement
Mobile technology is not spared from the onslaught of lateral movement techniques. The two most common techniques are presented below.
Attacking a PC via USB connection
Attackers are adept at using Android technology in their attacks, and lateral movement is part of this game plan. Simply put, attackers can escalate privileges within a mobile device and then program the mobile device to impersonate other USB devices in order to attack a computer that it is physically connected to. This technique has not been discovered on iOS as of yet.
Exploit enterprise resources
Attackers can also use the mobile device’s access to organization network resources through either a local connection or Virtual Private Network (VPN). The best example of this is DressCode, which is an Android malware family that creates a “general purpose tunnel” by which adversaries can use to move about within a network.
Conclusion
Lateral movement in network and system attacks is equivalent to physical movement in a burglary. The burglar needs to be able to freely move within a location to perform their burglary, and attackers need the same kind of mobility to check out what is in a network and avoid detection.
With the average attack lifespan being seven months before detection, lateral movement is essential to keeping these attacks from being detected, as well as for reconnaissance with a network. Ethical hackers should become adept at using these lateral movement techniques within their network to get a better idea of how real-world attackers would act if they get in.
What should you learn next?
Sources
- The Top 20 Lateral Movement Tactics, Smokescreen
- Hacking Happens: Stolen Credentials, Immunio
- Lateral Movement, MITRE
- Lateral Movement (Mobile), MITRE
- Logon Scripts, MITRE
Enroll in an Ethical Hacking Boot Camp and earn two of the industry’s most respected certifications — guaranteed.
- CEH exam voucher
- PenTest+ exam voucher
- Exam Pass Guarantee
- Live online hacking training
In this Series
- Ethical hacking: Lateral movement techniques
- The rise of ethical hacking: Protecting businesses in 2024
- How to crack a password: Demo and video walkthrough
- Inside Equifax's massive breach: Demo of the exploit
- Wi-Fi password hack: WPA and WPA2 examples and video walkthrough
- How to hack mobile communications via Unisoc baseband vulnerability
- How to build a hook syscall detector
- Top tools for password-spraying attacks in active directory networks
- NPK: Free tool to crack password hashes with AWS
- Tutorial: How to exfiltrate or execute files in compromised machines with DNS
- Top 19 tools for hardware hacking with Kali Linux
- 20 popular wireless hacking tools [updated 2021]
- 13 popular wireless hacking tools [updated 2021]
- Man-in-the-middle attack: Real-life example and video walkthrough
- Decrypting SSL/TLS traffic with Wireshark [updated 2021]
- Dumping a complete database using SQL injection [updated 2021]
- Hacking clients with WPAD (web proxy auto-discovery) protocol [updated 2021]
- Hacking communities in the deep web [updated 2021]
- How to hack Android devices using the StageFright vulnerability [updated 2021]
- Hashcat tutorial for beginners [updated 2021]
- How to hack a phone charger
- What is a side-channel attack?
- Copy-paste compromises
- Hacking Microsoft teams vulnerabilities: A step-by-step guide
- PDF file format: Basic structure [updated 2020]
- 10 most popular password cracking tools [updated 2020]
- Popular tools for brute-force attacks [updated for 2020]
- Top 7 cybersecurity books for ethical hackers in 2020
- How quickly can hackers find exposed data online? Faster than you think …
- Hacking the Tor network: Follow up [updated 2020]
- Podcast/webinar recap: What's new in ethical hacking?
- Ethical hacking: TCP/IP for hackers
- Ethical hacking: SNMP recon
- How hackers check to see if your website is hackable
- Ethical hacking: Stealthy network recon techniques
- Getting started in Red Teaming
- Ethical hacking: IoT hacking tools
- Ethical hacking: BYOD vulnerabilities
- Ethical hacking: Wireless hacking with Kismet
- Ethical hacking: How to hack a web server
- Ethical hacking: Top 6 techniques for attacking two-factor authentication
- Ethical hacking: Port interrogation tools and techniques
- Ethical hacking: Top 10 browser extensions for hacking
- Ethical hacking: Social engineering basics
- Ethical hacking: Breaking windows passwords
- Ethical hacking: Basic malware analysis tools
- Ethical hacking: How to crack long passwords
- Ethical hacking: Passive information gathering with Maltego
- Ethical hacking: Log tampering 101
- Ethical hacking: What is vulnerability identification?
- Ethical hacking: Breaking cryptography (for hackers)
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, ISC2, Cisco, Microsoft and more!
