T1210: Exploitation of Remote Services

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.

An adversary may need to determine if the remote system is in a vulnerable state, which may be done through Network Service Scanning or other Discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.

There are several well-known vulnerabilities that exist in common services such as SMB and RDP as well as applications that may be used within internal networks such as MySQL and web server services.

Depending on the permissions level of vulnerable remote service an adversary may achieve Exploitation for Privilege Escalation as a result of lateral movement as well.

Example

For this demonstration I will use a very well-known vulnerability EternalBlue(MS17-010) in this Demo I will gain access to 1 machine and them proxy onto another PC in the internal Network

Initial Access:

Currently we hold an Initial Access (Phishing) now we need to enumerate the environment and search for other Workstations in the Domain

We can use a command GetDomainComputer and find any workstations in the Domain and we find 3.

Now let's ping each of them to see which one is active. For Demo purposes we know it's Charlie.

A port scan gives us valuable information that the SMB port is open and listening

Now let's create a PortForwarding Connection from the victim machine and have access from our attacking Box to attack the Service, we can use the built-innetsh to achieve this

If there is a better way with other tools please do let me know as I am new to this myself LOL

##################################################

netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=4000 connectaddress=10.0.2.18 connectport=445

##################################################

Once the Port forwarding is correct let us scan the machine and look for anything exploits.

This scan should be a good output but I couldn’t get these results please see the ones below this to see what I saw please do let me know how to achieve this

Above we see the result of an nmap scan giving us information on the Workstation, we know at this point that the machine is vulnerable to EternalBlue. And various other scan show promising results

Nmap

Amap

Now we exploit

And move to a different machine now, we can upgrade our shell to continue with Covenant as well.