Time
14 hours 43 minutes
Difficulty
Advanced
CEU/CPE
15

Video Transcription

00:00
Hello, everybody. Welcome to episode number 25 of the series, lateral and vertical movement. My name is Alejandro Guinea, and I'll be your instructor for today's session.
00:12
The learning objectives of this session are to understand what the concepts behind this technique are and to apply some of those concepts to implement the technique. So let's get down to business, shall we?
00:24
Remember that in the previous video, on tunneling, we saw how to create dynamic SSH tunnels so we can mimic a proxy, a SOCKS5 proxy. Let's say that you have a machine and you want to move to another machine, either in the same network segment,
00:43
kind of a lateral movement, or something hidden in another internal network or a VLAN. Maybe that can actually be reached only from the already compromised machine, but not from your attacking machine, or from any machine on the Internet.
00:59
So you just want to jump to that internal network or to that other machine. Maybe,
01:03
another server, for example, a database, for example. I don't know.
01:08
So we can start by enabling our SSH tunnel. Let me just... here is the scenario: I will use the Windows 10 machine as the victim that we already compromised. We already have the password, we already have the credentials and everything, and we want to tunnel all of our traffic through that machine
01:27
so we actually reach the other machine that we cannot actually
01:30
reach from Kali. I enabled some firewall rules on my Windows XP machine that will only allow traffic coming from the IP ending with seven, but not from any other IP, like the one in Kali, which ends with eight.
01:49
So let me just start by creating the tunnel again. If you missed the previous video, you definitely have to go watch it so this makes some sense. So, dynamic tunnel,
02:07
then just enter the password here, and I have my tunnel. Do you remember? We had
02:15
the tunnel created on 8181. Remember that?
02:20
So
02:21
let's just go, like, in here.
02:23
Let me just show you that. Let me just modify real quick
02:30
the proxychains configuration file
02:35
so we can know it's dynamic. If you see something on... it's already modified, okay. I just want to use the SOCKS5 proxy. So let me just show you here
02:46
and nmap this IP,
02:51
for example ports 139 and 445 for the SMB protocol.
02:59
And it seems that that is not up. I mean,
03:05
it seems down. So let me just go through my tunnel right now. proxychains, which again will redirect all the traffic through this tunnel. And again, the Windows XP machine will actually accept traffic from
03:22
our Windows 10 machine, which is again this machine. That's why we created a tunnel in that. So today, attacking the victim's machine, it will appear that all the traffic comes from a trusted source, in this case the Windows 10 machine. But again, we're
03:42
going to tunnel all of our traffic, all of it.
03:45
Port scanning through that. And again, don't panic if this doesn't yield
03:52
accurate results. Remember, we're going through
03:57
another tunnel, another application, so that might be a problem, but let's give it a shot
04:02
and just the exact same command as before,
04:05
just to see if we can actually get some results now.
04:13
Okay, connected to the proxy. And it's scanning. This could take a while. Remember, this is going through a tunnel. And there you go. It actually replied, and it actually tells that
04:25
these two ports are open. Okay, so that's a huge advantage for us. So we can actually get some knowledge. And maybe this wasn't... it was blocking traffic. Let me just give you real quick
04:42
the command that we executed before, which is basically this one; it is not actually replying to that. So
04:49
if I go to proxychains again, and I go through the proxy, which is actually creating that
04:57
again, it will take a while, but it tells us accurate results: that it's actually open. So this is the magic and beauty of lateral and vertical movement you can actually perform,
05:05
again, you can see the ports. Let's start our msfconsole through this proxychains. How about that?
05:14
proxychains
05:15
msfconsole.
05:18
And it will start our msfconsole through this proxychains.
05:26
Again, it will not connect to the database. Basically, it's starting our proxychains, I'm sorry, our msfconsole, through that proxychains. So you will not find our localhost database that is used by the msfconsole.
05:45
So,
05:46
now that we're inside, oops, sorry about that,
05:51
now that we're inside
05:57
our msfconsole through the proxychains, we can actually
06:02
use, for example... remember that this machine is actually vulnerable to this module, this exploit, which is the EternalBlue
06:14
exploit. So, show options.
06:17
And what do you think we need to... well, let's just set the exploit here.
06:24
So we can have a reverse shell,
06:26
set payload. I'm starting to type the payload,
06:30
set payload. Okay, show options.
06:34
I hope so.
06:36
What options do you think we have to enter here?
06:45
Well, let's start by entering our normal options, because at the end, all of this is going through proxychains. So set RHOST, and the one
06:57
is the Windows XP. Set
07:00
LHOST,
07:02
um,
07:04
my Kali machine,
07:10
run
07:15
and boom, we have an exploit.
07:18
OK, that's super cool. Let me just kill all of this
07:25
and just start a normal msfconsole so we can actually see the difference, if we actually start that,
07:35
let me just copy-paste here,
07:40
the module, the exploit we want to use,
07:45
use this one. Remember, this is the msfconsole version without the proxychains.
07:51
set payload,
07:54
just copy-paste again,
08:00
and show options. Set RHOST.
08:07
What is your host?
08:13
Set,
08:13
this is important.
08:20
Now the LHOST,
08:24
and run it.
08:28
Okay, okay. Sorry.
08:33
It will try to execute. Remember, guys, we're using the exact same
08:37
payload, the exact same module in the msfconsole, but it will not work. Connection timed out. It means that it's not actually replying to any of our probes, or in this case the exploit itself. So
08:50
let me just exit here and show you that. So this is how you can achieve lateral and vertical movement, right? Leveraging these capabilities on the network, or, in this case, specifically
09:05
the
09:07
the tunnels that you can create with the SSH server and client capabilities.
09:11
So, there's that.
09:15
That's how you can pivot with dynamic port forwarding. But you could do the same with local port forwarding, maybe a little bit more manual, but it can also work. Maybe, for whatever reason... I'm just trying to give you all the tools that I can think of. Okay? For whatever reason, you cannot actually
09:33
pivot, um,
09:35
all of this traffic, or you cannot actually reach all of this traffic. So let me just put
09:45
this command in here and just give you a glimpse of it. Okay? This is for local port...
09:54
I'm sorry, for
09:56
local tunneling. The port that will be accessing, 8181; the IP of the victim, that cannot actually be reached directly, in this case this one,
10:09
but, the port, the local or remote port. In this case, for this one, it means that whenever I access this on my local machine, it will go through this.
10:22
Okay? All the traffic that goes here, my local machine, it will go to this, and for creating our tunnel, that's it. We just run it,
10:35
okay? Created our tunnel successfully. Okay, I have another tunnel, sorry about that. Let me just exit this one; it was created correctly.
10:46
At the end, I was using the same port.
10:48
Um,
10:52
and with that, we can again start our... but this time without the proxychains, just as with it in the first example. Remember, so far we have seen two examples with msfconsole, which is basically what we also... the nmap example as well. But with msfconsole,
11:11
we saw two examples. One
11:13
was using proxychains directly when calling msfconsole, and the other one was calling msfconsole without any proxychains, and it was obviously failing, as at the end we're blocked. Our Kali machine is not allowed to interact with the victim's machine, which is again
11:33
our Windows XP machine.
11:35
So again, let me start the msfconsole again without
11:39
the proxychains capability.
11:43
And why do you think... do you think this time it will actually work? I will give you some time to think about it.
11:50
But let me use that exact same exploit
11:54
again.
12:01
Sorry.
12:05
Okay, show options. I will not change the payload. It doesn't matter. But this time I will set the remote host.
12:15
Oh my God!
12:18
And directly to our Windows XP machine.
12:22
Is that correct?
12:24
I'll give you one moment to think about it. No, it's not correct. Remember that we actually created a tunnel in here that is telling us that whatever I go to on my local machine
12:35
on port 8181, it will tunnel all the traffic through this machine to go to this machine on this port. I say that because it sounds a little bit confusing, but that's what it is. Whenever I go to localhost on port 8181,
12:52
it will tunnel all the traffic through this machine
12:56
and it will go to this victim machine. So this victim machine will think that the traffic is actually coming from this IP. So I will change the remote host to, guess what,
13:09
my local machine,
13:11
and set the remote
13:13
the remote
13:18
port
13:18
to 8181.
13:22
Remember that, right?
13:24
Okay,
13:26
right.
13:28
Oops, sorry.
13:35
Okay, it's actually working. But the problem will be that... remember, this is not a Windows machine. So this should fail the first time,
13:48
because this is for a Windows machine. So it's actually working, and no session was created. Why do you think that is? Because at the end, the payload will actually be trying to get back to the Windows XP machine, because that's the one that is thinking that the pinging and all the payload is coming from it,
14:07
so you will not get the reverse shell that was expected.
14:15
But for this case, we can also use a bind shell. So let me set a payload.
14:20
Remember, that's the beauty of reverse and bind shells. Let me just copy that in here, I'm too lazy to actually type it,
14:31
show options,
14:35
and we can tell it to go back to a specific machine. In this case, it automatically set up our localhost. But we obviously don't want to do that.
14:48
So, what do you think we can actually put in there?
14:52
I will give you a moment to think about it. Let me just run it as it is, just to see if it will actually work,
15:00
remote host. Okay, we'll go with that.
15:20
It will not work, obviously, because at the end, this is our local IP. So show options again, set RHOST,
15:33
show options, just so you can see that,
15:39
and run.
15:39
I'm sorry.
15:54
Oops, I really messed up the payload, I'm sorry. It was because
16:00
let me just show you here,
16:03
it was changing these as well.
16:07
So let me just go back in here and change it to our
16:12
local machine.
16:18
Right. Oops.
16:23
So this is how you can actually leverage proxychains and lateral and vertical movement
16:33
to compromise other machines behind maybe a network address translation, or NAT, or behind a VLAN or something like that.
16:41
Sometimes it will work. This was to show you that you can actually use
16:48
dynamic tunneling, or, yeah, dynamic port forwarding, or local port forwarding. And you can also use reverse port forwarding, but for this to make more sense, you have to really watch the previous video. You can actually leverage all of these capabilities from the SSH tunnels.
17:07
So actually
17:10
get what you want, and in this case, maybe creating a
17:15
dynamic port forward was more useful for us than a local port forward. But it works with a local port forward and maybe with other tunnels. But that's the point: you can actually use any type of proxy or any type of port forwarding that will work for your scenario,
17:33
and the point is that you can move from one machine to the other without any problems.
17:37
And, you know,
17:42
can you reach machines behind a network address translation, or NAT, which is a distinct network? Yes, you can actually do that. I mean, maybe this is not working behind a firewall, or a machine you already compromised. Yeah, you can actually reach those. That's kind of the whole thing we're doing, pivoting, or
18:02
lateral and vertical movement.
18:04
Can we actually get remote control by using this technique? Yeah, we can, we definitely can.
18:11
We saw that in the video with msfconsole, by executing msfconsole through proxychains.
18:21
In this video we learned some concepts of this technique, and we implemented some tools and commands to execute this technique, and we saw how malicious it can be.
18:30
Supplemental materials: as always, The Hacker Playbook, and every possible source you can find on Google and YouTube. You can actually pivot using really cool modules, really cool post-exploitation modules in msfconsole, or with
18:51
the Meterpreter shell. You can actually execute pivoting with that. So, yeah, I encourage you to actually read that.
19:00
Looking forward to the next video, where we'll see some techniques to erase your tracks, or clear logs and everything, so that the system administrators can't find you, or at least can't trace you back to your location or your other activities.
19:17
Well, that's it for today, folks. I hope you enjoyed the video and talk to you soon.

Instructed By

Alejandro Guinea
CERT Regional Director
Instructor