Lateral Movement, Accounts, Vulnerabilities and Protection
1. Topic 2 - Lateral Movement, Accounts and Vulnerabilities
2. Where does ransomware land?
• Office 365 account
• VPN endpoint
• Webshell on perimeter
• Stand-alone workstation
• Corporate workstation (home or office)
• Get on the network
• Access broker – purchase access
• Where to from here?
3. Next steps – lateral movement
• Office 365 account
  • Internal phishing for more credentials
  • Deliver malicious files
• VPN endpoint
  • Scan and identify neighbouring hosts
  • Determine privileges
  • Find vulnerabilities
• Webshell on perimeter
  • Scan and identify neighbouring hosts
  • Determine privileges
  • Find vulnerabilities
4. Next steps – lateral movement
• Stand-alone workstation
  • Scan and identify neighbouring hosts
  • Determine privileges
  • Find vulnerabilities
• Corporate workstation - Active Directory domain member
  • Determine local privileges
  • Scan and identify neighbouring hosts
  • Determine privileges on neighbouring hosts
  • Collect credentials
  • Local admin - jackpot
5. Determining local privileges
• Ransomware operator has an account (most likely for low-level access)
• Account in local admin?
  • If yes then extract hashes (more credentials – recent admin?)
• Workgroup or domain joined
• Tools
  • Mimikatz
  • JTR
6. Scanning for neighbouring hosts
• VPN or workstation
• Looking for services open on the network
• Ports
  • Windows networking 135, 139, 445
  • Remote desktop 3389
  • Web services 80/443
• Tools
  • Nmap - NSE
  • Masscan
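From the defender's side, the scan described on this slide is visible as one source touching many neighbours on the same small set of ports in a short time. The following is an added detection example, not part of the slide deck: it reads constructed key=value firewall log lines (the field names src/dst/dport/action are an assumption about the log format, not a vendor schema) and flags any source that reaches a threshold of distinct destinations on the Windows networking and RDP ports within a sliding window. Ports 80/443 are deliberately left out of the rule because ordinary web browsing fans out to many hosts and would drown the signal.

```python
"""Flag hosts that sweep Windows networking / RDP ports across many neighbours.

Added detection example. The log lines below are constructed, and the
'timestamp src=... dst=... dport=... action=...' format is an assumed
export format, not a real vendor schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the slide names as lateral-movement targets; 80/443 are omitted because
# normal web traffic legitimately fans out to many destinations.
SWEEP_PORTS = {135, 139, 445, 3389}

# Constructed sample: 10.0.0.5 probes SMB on eight neighbours plus RDP on two of
# them inside a minute; 10.0.0.20 does ordinary file-share and web traffic.
SAMPLE_LOG = """\
2024-05-01T10:00:01 src=10.0.0.5 dst=10.0.0.11 dport=445 action=deny
2024-05-01T10:00:02 src=10.0.0.5 dst=10.0.0.12 dport=445 action=deny
2024-05-01T10:00:03 src=10.0.0.5 dst=10.0.0.13 dport=445 action=deny
2024-05-01T10:00:04 src=10.0.0.5 dst=10.0.0.14 dport=445 action=deny
2024-05-01T10:00:05 src=10.0.0.5 dst=10.0.0.15 dport=445 action=allow
2024-05-01T10:00:06 src=10.0.0.5 dst=10.0.0.16 dport=445 action=deny
2024-05-01T10:00:07 src=10.0.0.5 dst=10.0.0.17 dport=445 action=deny
2024-05-01T10:00:08 src=10.0.0.5 dst=10.0.0.18 dport=445 action=deny
2024-05-01T10:00:20 src=10.0.0.5 dst=10.0.0.11 dport=3389 action=deny
2024-05-01T10:00:21 src=10.0.0.5 dst=10.0.0.12 dport=3389 action=deny
2024-05-01T10:01:00 src=10.0.0.20 dst=10.0.0.15 dport=445 action=allow
2024-05-01T10:02:00 src=10.0.0.20 dst=10.0.0.30 dport=443 action=allow
2024-05-01T10:02:05 src=10.0.0.20 dst=10.0.0.31 dport=443 action=allow
"""


def parse_line(line):
    """Parse one 'timestamp k=v k=v ...' line into a dict."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "ts": datetime.fromisoformat(ts),
        "src": fields["src"],
        "dst": fields["dst"],
        "dport": int(fields["dport"]),
    }


def find_sweeps(log_text, min_hosts=5, window=timedelta(minutes=5)):
    """Return {src: {"distinct_hosts": n, "ports": [...]}} for every source that
    touched at least `min_hosts` distinct destinations on SWEEP_PORTS within
    any `window`-long span of time."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["dport"] in SWEEP_PORTS:
            by_src[ev["src"]].append(ev)

    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        start, best = 0, 0
        for end in range(len(events)):
            # advance the window start until events[start..end] fit in `window`
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            distinct = {e["dst"] for e in events[start:end + 1]}
            best = max(best, len(distinct))
        if best >= min_hosts:
            alerts[src] = {
                "distinct_hosts": best,
                "ports": sorted({e["dport"] for e in events}),
            }
    return alerts


if __name__ == "__main__":
    for src, info in find_sweeps(SAMPLE_LOG).items():
        print(f"possible sweep from {src}: {info['distinct_hosts']} hosts on ports {info['ports']}")
```

The threshold and window are the tuning knobs: an IPS sitting between network zones (slide 11) sees exactly this traffic, and a rule of this shape is what turns a "scan and identify neighbouring hosts" step into an alert before the operator reaches the "determine privileges" step.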
7. Accessing identified hosts
• Use existing credentials
• Local admin
  • Domain users or everyone in admin group
  • Interactive user in admin group
• C$ or Admin$ overly shared
  • Interactive user in admin group
• Tools - Metasploit
  • SMB auxiliary scanner
    • Username / password / domain / IP range
  • PSExec auxiliary scanner
    • Meterpreter payload
    • Will load the psexecsvc.exe on target host
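The PsExec-style access on this slide leaves a recognisable chain on the target host: a network logon (event 4624, logon type 3), access to the ADMIN$ share (event 5140) and then a new service being installed (event 7045). The following is an added detection example, not part of the slide deck: it correlates constructed Windows event records exported as JSON lines (the field names EventID, Computer, IpAddress, ShareName, ServiceName, ImagePath and TimeCreated mirror the usual exported names, but the export format is an assumption) and raises an alert when an ADMIN$ access is followed within a short window by a service installation on the same machine, or when the service itself carries the well-known PSEXESVC name or an ADMIN$ image path.

```python
"""Correlate Windows events that together look like PsExec-style remote service
execution: ADMIN$ share access (5140) followed by a service install (7045).

Added detection example. The events are constructed JSON lines; the export
format and field names are an assumption about how the logs were collected.
"""
import json
from datetime import datetime, timedelta

SAMPLE_EVENTS = r"""
{"TimeCreated": "2024-05-01T10:05:00", "EventID": 4624, "Computer": "WS02", "LogonType": 3, "TargetUserName": "helpdesk", "IpAddress": "10.0.0.5"}
{"TimeCreated": "2024-05-01T10:05:01", "EventID": 5140, "Computer": "WS02", "ShareName": "\\\\*\\ADMIN$", "IpAddress": "10.0.0.5"}
{"TimeCreated": "2024-05-01T10:05:02", "EventID": 7045, "Computer": "WS02", "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"}
{"TimeCreated": "2024-05-01T10:20:00", "EventID": 5140, "Computer": "WS03", "ShareName": "\\\\*\\IPC$", "IpAddress": "10.0.0.20"}
{"TimeCreated": "2024-05-01T11:00:00", "EventID": 7045, "Computer": "WS03", "ServiceName": "Sysmon64", "ImagePath": "C:\\Windows\\Sysmon64.exe"}
"""


def load_events(text):
    """Parse JSON lines and sort them by time."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for ev in events:
        ev["ts"] = datetime.fromisoformat(ev["TimeCreated"])
    return sorted(events, key=lambda ev: ev["ts"])


def _within(later, earlier, window):
    """True if `earlier` happened at most `window` before `later`."""
    return timedelta(0) <= later["ts"] - earlier["ts"] <= window


def looks_like_remote_exec_service(ev):
    """Service-name / image-path heuristics for a 7045 that is worth a look."""
    name = ev.get("ServiceName", "").upper()
    path = ev.get("ImagePath", "").upper()
    return name == "PSEXESVC" or "ADMIN$" in path


def detect_remote_service_install(text, window=timedelta(minutes=2)):
    """Return one alert per 7045 that is preceded on the same host by ADMIN$
    access inside `window`, or that matches the service heuristics."""
    events = load_events(text)
    alerts = []
    for svc in (e for e in events if e["EventID"] == 7045):
        same_host = [e for e in events
                     if e["Computer"] == svc["Computer"] and _within(svc, e, window)]
        share_hits = [e for e in same_host
                      if e["EventID"] == 5140 and e["ShareName"].upper().endswith("ADMIN$")]
        if not share_hits and not looks_like_remote_exec_service(svc):
            continue
        source_ip = share_hits[0]["IpAddress"] if share_hits else None
        # enrich with the network logon that came from the same source, if any
        logons = [e for e in same_host
                  if e["EventID"] == 4624 and e.get("LogonType") == 3
                  and e.get("IpAddress") == source_ip]
        alerts.append({
            "computer": svc["Computer"],
            "service": svc["ServiceName"],
            "image_path": svc["ImagePath"],
            "source_ip": source_ip,
            "account": logons[0]["TargetUserName"] if logons else None,
            "reason": "ADMIN$ access followed by service install" if share_hits
                      else "service name/path matches remote execution tooling",
        })
    return alerts


if __name__ == "__main__":
    for a in detect_remote_service_install(SAMPLE_EVENTS):
        print(f"{a['computer']}: {a['service']} from {a['source_ip']} as {a['account']} ({a['reason']})")
```

The correlation is what keeps this rule quiet on a normal fleet: the Sysmon64 service install on WS03 in the sample is not flagged because nothing touched ADMIN$ on that host beforehand and the service name is not on the watch list. Note that 5140 is only logged when "Audit File Share" is enabled in the audit policy, so the share-access leg of the chain needs that setting turned on to be visible at all.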
8. Misconfigured or overlapping permissions
• Local admin
  • Domain users or everyone in admin group
  • Interactive user in admin group
• C$ or Admin$ overly shared
  • Interactive user in admin group
• Tools
  • PowerShell
  • Computer Management (.msc)
9. Credentials in plaintext files or backups
• Scripts
• Excel file
• CPASSWORD!
• SAM file in file system
  • Disk images can be mounted
• Search tools
  • Findstr
  • Explorer
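The defensive counterpart to this slide is to run the same search before an intruder does. The following is an added audit example, not part of the slide deck: it walks a directory tree and reports three kinds of finding the slide names, Group Policy Preference XML that still carries a cpassword attribute, scripts and config files with a plaintext password assignment, and copied registry hives or disk images that can be mounted and mined offline. The sample tree is constructed in a temporary directory; every file name, value and blob in it is made up (the cpassword value is a placeholder, not a real encrypted string).

```python
"""Audit a file tree for credential material that should not be there.

Added example. The sample tree, file names and contents are constructed for
the demonstration; the cpassword value is an obvious placeholder.
"""
import re
import shutil
import tempfile
from pathlib import Path

TEXT_EXT = {".ps1", ".bat", ".cmd", ".vbs", ".txt", ".ini", ".cfg", ".xml"}
IMAGE_EXT = {".vhd", ".vhdx", ".vmdk", ".img", ".bak"}
HIVE_NAMES = {"sam", "system", "security", "ntds.dit"}
# 'password = value', 'pwd: value', '$Password = "..."' and similar
PASSWORD_RE = re.compile(r"(?i)\b(password|passwd|pwd)\b\s*[=:]\s*['\"]?\S+")
# Group Policy Preferences store the (reversibly encrypted) password here
CPASSWORD_RE = re.compile(r'cpassword\s*=\s*"[^"]+"', re.IGNORECASE)


def audit_tree(root):
    """Return sorted (relative_path, finding_kind) tuples for everything under root."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        suffix = path.suffix.lower()
        if path.name.lower() in HIVE_NAMES or suffix in IMAGE_EXT:
            findings.append((rel, "backup-artifact"))
        elif suffix in TEXT_EXT:
            text = path.read_text(errors="ignore")
            if suffix == ".xml" and CPASSWORD_RE.search(text):
                findings.append((rel, "gpp-cpassword"))
            elif PASSWORD_RE.search(text):
                findings.append((rel, "plaintext-password"))
    return sorted(findings)


def build_sample_tree(base):
    """Create a constructed tree with one example of each finding and one clean script."""
    base = Path(base)
    gpp = base / "SYSVOL" / "Policies" / "Preferences" / "Groups"
    gpp.mkdir(parents=True)
    (gpp / "Groups.xml").write_text(
        '<Groups><User name="localadmin" cpassword="EXAMPLE-NOT-A-REAL-BLOB"/></Groups>\n')
    (base / "scripts").mkdir()
    (base / "scripts" / "backup.ps1").write_text(
        '$User = "svc_backup"\n$Password = "Winter2024!"\n# backup commands follow\n')
    (base / "scripts" / "clean.bat").write_text("@echo off\ndel /q C:\\temp\\*.tmp\n")
    (base / "backups").mkdir()
    (base / "backups" / "SAM").write_bytes(b"regf" + b"\x00" * 16)   # copied registry hive
    (base / "backups" / "ws01.vhdx").write_bytes(b"\x00" * 8)        # mountable disk image


def run_demo():
    """Build the sample tree in a temp dir, audit it, clean up, return findings."""
    base = tempfile.mkdtemp()
    try:
        build_sample_tree(base)
        return audit_tree(base)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for rel, kind in run_demo():
        print(f"{kind:20} {rel}")
```

Pointing `audit_tree` at a file share or a SYSVOL copy is the realistic use; the clean.bat file in the sample is there to show that the regex only fires on an actual password assignment, not on any script. Spreadsheets are zipped XML, so an Excel "password list" would need to be unpacked before the same regex applies.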
11. Protection measures
• Keep workstations and servers patched
  • Vulnerability scanner (network or on-box)
  • CISA Known Exploited Vulnerabilities catalogue: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
• Limit local admin
• Strong passwords
  • Expiring passwords?
  • Password managers
• IPS between network zones
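The KEV catalogue linked on this slide is most useful when it is joined against what is actually deployed. The following is an added example, not part of the slide deck: it matches a constructed asset inventory against a constructed KEV-style record set and orders the resulting patch work, ransomware-linked entries first, then entries already past their due date, then by due date. The field names (cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse) follow the catalogue's published JSON feed as I understand it; the CVE identifiers below are placeholders, not real catalogue entries.

```python
"""Join an asset inventory against KEV-style records and order the patch work.

Added example. The catalogue records and the inventory are constructed;
CVE-0000-000N identifiers are placeholders. The field names follow the
published KEV JSON feed (assumed, not taken from the slides).
"""
import json
from collections import defaultdict
from datetime import date

SAMPLE_KEV = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleCorp", "product": "VPN Gateway",
         "dateAdded": "2024-04-01", "dueDate": "2024-04-22", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleCorp", "product": "Office Suite",
         "dateAdded": "2024-03-10", "dueDate": "2024-03-31", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "Print Server",
         "dateAdded": "2024-04-15", "dueDate": "2024-05-06", "knownRansomwareCampaignUse": "Known"},
    ]
})

# Constructed inventory: one row per host and product, as a scanner would report it
INVENTORY = [
    {"host": "vpn01", "vendor": "ExampleCorp", "product": "VPN Gateway"},
    {"host": "ws07", "vendor": "ExampleCorp", "product": "Office Suite"},
    {"host": "ws08", "vendor": "ExampleCorp", "product": "Office Suite"},
    {"host": "fs01", "vendor": "ExampleCorp", "product": "File Sync"},
]


def prioritise(kev_json, inventory, today=date(2024, 4, 20)):
    """Return KEV entries that hit the inventory, most urgent first."""
    catalogue = json.loads(kev_json)["vulnerabilities"]
    by_product = defaultdict(list)
    for item in inventory:
        by_product[(item["vendor"].lower(), item["product"].lower())].append(item["host"])

    work = []
    for entry in catalogue:
        hosts = by_product.get((entry["vendorProject"].lower(), entry["product"].lower()))
        if not hosts:
            continue   # not deployed here, nothing to patch
        due = date.fromisoformat(entry["dueDate"])
        work.append({
            "cve": entry["cveID"],
            "hosts": sorted(hosts),
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            "overdue": due < today,
            "due": due,
        })
    # ransomware-linked first, then already overdue, then soonest due date
    work.sort(key=lambda w: (not w["ransomware"], not w["overdue"], w["due"]))
    return work


if __name__ == "__main__":
    for w in prioritise(SAMPLE_KEV, INVENTORY):
        flags = ("RANSOMWARE " if w["ransomware"] else "") + ("OVERDUE" if w["overdue"] else "")
        print(f"{w['cve']} due {w['due']} on {', '.join(w['hosts'])} {flags}".rstrip())
```

The due dates in the catalogue are binding only for US federal agencies, but they are a reasonable yardstick for anyone; the point of the ordering is that a KEV entry with known ransomware use on an internet-facing VPN appliance (the landing spot from slide 2) goes to the top regardless of how many workstations the other entry covers.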
12. Protection measures
• Education, no graphical representation of passwords
• Education, don’t store backups where everyone can see them
• Lateral movement testing
• Antivirus
• Endpoint detection and response
• Network detection and response
13. CTF workstation – 5 flags for exam
• Kali Linux
• Windows 8.1 IE11 image from Microsoft
• VirtualBox (NAT network or bridged)
• Password discovery
• File discovery
• Metasploit
• Mimikatz (kiwi)
• Secrets dump
• Windows Defender and Windows Firewall