📓
Red Team Notes 2.0
  • Introduction
  • Red Team
  • Red Team Techniques
    • Initial Access
      • T1659: Content Injection
      • T1190: Exploit Public-Facing Applications
        • Rejetto HTTP File Server (HFS) 2.3
      • T1133: External Remote Services
        • SMB/Windows Admin Shares
        • RDP Service
      • T1566: Phishing
        • Phishing: Spearphishing via Service
        • Phishing: Spearphishing Link
          • Links: Social Engineering Toolkit
          • Links: Binaries
          • Links: HTA Files
        • Phishing: Spearphishing Attachment
          • Attachments: LNK Files
          • Attachments: SCR Files
          • Attachments: Dynamic Data Exchange
          • Attachments: Macros
          • Attachments: Macros - Linux
          • Attachments: Scripting Files
          • Attachments: Desktop Files
      • T1195: Supply Chain Compromise
        • Compromise Hardware Supply Chain
        • Compromise Software Supply Chain
        • Compromise Software Dependencies and Development Tools
      • T1078: Valid Accounts
        • Local Accounts
        • Domain Accounts
        • Default Accounts
      • T1199: Trusted Relationship
    • Execution
      • T1047:Windows Management Instrumentation
      • T1204: User Execution
        • Malicious File
        • Malicious Link
      • T1569: Service Execution
      • T1053: Scheduled Tasks/Job
        • Shared Modules
        • Scheduled Task
        • At (Windows)
      • T1106: Native API
      • T1559: Inter-Process Communication
        • Dynamic Data Exchange
        • Component Object Model
      • T1203: Exploitation for Client Execution
        • Common Third-Party Applications
        • Office Applications
      • T1059: Command and Scripting Interpreter
        • Network Device CLI
        • JavaScript/JScript
        • Python
        • Visual Basic
        • Unix Shell
        • Windows Command Shell
        • PowerShell
        • AutoHotKey & AutoIT
        • Deploy Container
        • Native API - Linux
    • Persistence
      • T1574: Hijack Execution Flow
        • Service File permissions Weakness
        • Path Interception by Unquoted Path
        • Path Interception by Search Order Hijacking
        • Path Interception by PATH Environment Variable
        • Executable Installer File Permissions Weakness
        • DLL Side-Loading
        • DLL Search Order Hijacking
        • Dynamic Linker Hijacking
      • T1133:External Remote Services
        • SMB/Windows Admin Shares
        • RDP Service
      • T1546:Event Triggered Execution
        • Component Object Model Hijacking
        • PowerShell Profile
        • Application Shimming
        • Accessibility Features
        • Netsh Helper DLL
        • Screensaver
        • Default File Association
        • Unix Shell Configuration Modification
        • Trap
        • Installer Packages
      • T1543:Create or Modify System Process
        • Windows Services
        • Systemd Service
      • T1136: Create Account
        • Domain Account
        • Local Account
      • T1554:Compromise Client Software Binary
      • T1547:Boot or Logon AutoStart Execution
        • Shortcut Modification
        • Winlogon Helper DLL
        • Time Providers
        • Registry Run Keys / Startup Folder
      • T1037: Boot or Logon Initialization Scripts
        • RC Scripts
      • T1197: BITS Jobs
      • T1053: Scheduled Tasks/Job
        • Shared Modules
        • Scheduled Task
        • At (Windows)
        • Cron
        • Systemd Timers
      • T1098: Account Manipulation
        • SSH Authorized Keys
      • T1556: Modify Authentication Process
        • Pluggable Authentication Modules
      • T1653: Power Settingss
      • T1505: Server Software Component
        • WebShell
    • Privilege Escalation
      • T1546:Event Triggered Execution
        • PowerShell Profile
        • Component Object Model Hijacking
        • Application Shimming
        • Accessibility Features
        • Screensaver
        • Default File Association
      • T1612: Build Image on Host
      • T1574: Hijack Execution Flow
        • Service File permissions Weakness
        • Path Interception by Unquoted Path
        • Path Interception by Search Order Hijacking
        • Path Interception by PATH Environment Variable
        • Executable Installer File Permissions Weakness
        • DLL Side-Loading
        • DLL Search Order Hijacking
      • T1543:Create or Modify System Process
        • Windows Services
      • T1547:Boot or Logon AutoStart Execution
        • Winlogon Helper DLL
        • Shortcut Modification
        • Time Providers
        • Registry Run Keys / Startup Folder
      • T1134: Access Token Manipulation
        • Parent PID Spoofing
        • Make and Impersonate Token
        • Create Process with Token
        • Token Impersonation/Theft
      • T1548: Abuse Elevation Control Mechanism
        • Bypass User Account Control
        • Setuid and Setgid
        • Sudo and Sudo Caching
      • T1611: Escape to Host
    • Defense Evasion
      • T1497: Virtualization/Sandbox Evasion
        • Time Based Evasion
        • User Activity Based Checks
        • System Checks
      • T1550: Use Alternate Authentication Material
        • Pass the Ticket
        • Pass the Hash
      • T1127: Trusted Developer Utilities Proxy Execution
        • MSBuild
      • T1221: Template Injection
      • T1553: Subvert Trust Controls
        • SIP and Trust Provider Hijacking
        • Code Signing
      • T1216: Signed Script Proxy Execution
      • T1218: Signed Binary Proxy Execution
        • Compiled HTML File
        • Control Panel
        • CMSTP
        • InstallUtil
        • MSHTA
        • MSIEXEC
        • ODBCCONF
        • Regsvcs/Regasm
        • Regsvr32
        • Rundll32
        • Verclsid
      • T1055: Process Injection
        • Dynamic-Link Library Injection
        • Portable Execution Injection
        • Thread Execution Hijacking
        • Asynchronous Procedure Call
        • Thread Local Storage
        • Extra Window Memory Injection
        • Process Hollowing
        • Process Doppelganging
      • T0127: Obfuscated Files or Information
        • Binary Padding
        • Software Packing
        • Steganography
        • Compile After Delivery
        • Indicator Removal from Tools
      • T1036: Masquerading
        • Invalid Code Signature
        • Right-to-Left-Override
        • Rename System Utilities
        • Masquerade Task or Service
        • Match Legitimate Name or location
      • T1202: Indirect Command Execution
      • T1562: Impair Defenses
        • Disable or Modify Tools
        • Disable Windows Event Logging
        • Impair Command History Logging
        • Disable or Modify System Firewall
        • Disable or Modify Linux Audit System
        • Indicator Blocking
      • T1070: Indicator Removal on Host
        • Clear Windows Event Logs
        • Clear Command History
        • File Deletion
        • Network Share Connection Removal
        • TimeStomping
      • T1574: Hijack Execution Flow
        • Path Interception by Unquoted Path
        • Service File permissions Weakness
        • Path Interception by Search Order Hijacking
        • Path Interception by PATH Environment Variable
        • Executable Installer File Permissions Weakness
        • DLL Side-Loading
        • DLL Search Order Hijacking
      • T1564: Hide Artifacts
        • VBA Stomping
        • Run Virtual Instance
        • NTFS File Attributes
        • Hidden Window
        • Hidden File System
        • Hidden Users
        • Ignore Process Interrupts
        • File/Path Exclusions
        • Hidden Files and Directories
      • T1222: File Directory Permissions Modification
        • Linux and Mac File and Directory Permissions Modification
        • Windows File and Directory Permissions Modification
      • T1480: Execution Guardrails
        • Environmental Keying Linux
        • Environmental Keying
      • T1197: BITS Jobs
      • T1134: Access Token Manipulation
        • Parent PID Spoofing
        • Make and Impersonate Token
        • Create Process with Token
        • Token Impersonation/Theft
      • T1548: Abuse Elevation Control Mechanism
        • Bypass User Account Control
      • De-obfuscate/Decode Files or Information
    • Credential Access
      • T1552: Unsecured Credentials
        • Group Policy Preferences
        • Private Keys
        • Credentials in Registry
        • Credentials in Files
      • T1558: Steal or Forge Kerberos Tickets
        • AS-REP Roasting
        • Kerberoasting
        • Silver Ticket
        • Golden Ticket
      • T1003: OS Credential Dumping
        • DCSync
        • Cached Domain Credentials
        • LSA Secrets
        • NTDS
        • Security Account Manager
        • LSASS Memory
      • T1040: Network Sniffing
      • T1556: Modify Authentication Process
        • Password Filter DLL
        • Domain Controller Authentication
      • T1557: Man-in-the-Middle
        • Arp Cache Poisoning
        • LLMNR/NBT-NS Poisoning and SMB Relay
      • T1056: Input Capture
        • Web Portal Capture
        • GUI Input Capture
        • Keylogging
      • T1187: Forced Authentication
      • T1555: Credentials from Password Stores
        • Credentials from Web Browsers
      • T1110: Brute Force
        • Credential Stuffing
        • Password Spraying
        • Password Cracking
        • Password Guessing
    • Discovery
      • T1124: System Time Discovery
      • T1007: System Service Disvcovery
      • T1033: System Owner/User Directory
      • T1049: System Network Connections Discovery
      • T1016: System Network Configuration Discovery
      • T1082: System Information Discovery
      • T1518: Software Discovery
        • Security Software Discovery
      • T1018: Remote System Discovery
      • T1012: Query Registry
      • T1057: Process Discovery
      • T1069: Permissions Groups Discovery
        • Local Groups
        • Domain Groups
      • T1120: Peripheral Device Discovery
      • T1201: Password Policy Discovery
      • T1040: Network Sniffing
      • T1135: Network Share Discovery
      • T1046: Network Servie Scanning
      • T1083: File and Directory Discovery
      • T1486: Domain Trust Discovery
      • T1217: Browser Bookmark Discovery
      • T1010: Application Window Discovery
      • T1087: Account Discovery
        • Domain Account
        • Local Account
    • Lateral Movement
      • T1080: Taint Shared Content
      • T1072: Software Deployment Tools
      • T1021: Remote Services
        • Windows Remote Management
        • VNC
        • Distributed Component Object Model
        • SMB/Windows Admin Shares
        • Remote Desktop Protocol
      • T1563: Remote Service Session Hijacking
        • RDP Hijacking
      • T1570: Lateral Tool Transfer
      • T1534: Internal Spearphishing
      • T1210: Exploitation of Remote Services
      • T1550 Use Alternate Authentication Material
        • Pass the Ticket
        • Pass the Hash
  • Active Directory
    • Active Directory
      • Lightweight Directory Access Protocol
      • Kerberos
      • Forest, Tress and Domains
    • Active Directory Attacks
      • Kerberoasting
      • Unconstrained Delegation
      • Constrained Delegation
      • DCSync
      • Golden Tickets
      • Silver Tickets
      • Skeleton Keys
      • Active Directory Certificate Services
      • NTLMRelay
      • AS-REP Roasting
  • Red Team Infrastructure
    • RED TEAM INFRASTRUCTURE
    • Domain Name and Categorization
    • Reconnaissance
      • Passive
      • Active
    • Weaponization
      • Macros
      • HTA
      • ZIP
      • ISO
    • Delivery
      • Gophish
      • EvilGinx
      • PwnDrop
  • Situational Awareness
    • Covenant and C#
    • Empire and PowerShell
  • Credential Dumping
    • Mimikatz
    • Lsass Dumping
    • SharpChromium
  • Persistence
    • Userland Persistence
    • Elevated Persistence
  • Defense Evasion
    • Disable or Modify Tools
    • Obfuscating Files
  • Privilege Escalation
    • PowerUp
    • PrivescCheck
  • Lateral Movement
    • RDP
    • PowerShell Remoting
  • Files
    • Red Team Guide
Powered by GitBook
On this page

Was this helpful?

  1. Red Team Techniques
  2. Lateral Movement

T1210: Exploitation of Remote Services

PreviousT1534: Internal SpearphishingNextT1550 Use Alternate Authentication Material

Last updated 4 years ago

Was this helpful?

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.

An adversary may need to determine if the remote system is in a vulnerable state, which may be done through Network Service Scanning or other Discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.

There are several well-known vulnerabilities that exist in common services such as SMB and RDP as well as applications that may be used within internal networks such as MySQL and web server services.

Depending on the permissions level of vulnerable remote service an adversary may achieve Exploitation for Privilege Escalation as a result of lateral movement as well.

Example

For this demonstration I will use a very well-known vulnerability EternalBlue(MS17-010) in this Demo I will gain access to 1 machine and them proxy onto another PC in the internal Network

Initial Access:

Currently we hold an Initial Access (Phishing) now we need to enumerate the environment and search for other Workstations in the Domain

We can use a command GetDomainComputer and find any workstations in the Domain and we find 3.

Now let's ping each of them to see which one is active. For Demo purposes we know it's Charlie.

A port scan gives us valuable information that the SMB port is open and listening

Now let's create a PortForwarding Connection from the victim machine and have access from our attacking Box to attack the Service, we can use the built-innetsh to achieve this

If there is a better way with other tools please do let me know as I am new to this myself LOL

##################################################

netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=4000 connectaddress=10.0.2.18 connectport=445

##################################################

Once the Port forwarding is correct let us scan the machine and look for anything exploits.

This scan should be a good output but I couldn’t get these results please see the ones below this to see what I saw please do let me know how to achieve this

Above we see the result of an nmap scan giving us information on the Workstation, we know at this point that the machine is vulnerable to EternalBlue. And various other scan show promising results

Nmap

Amap

Now we exploit

And move to a different machine now, we can upgrade our shell to continue with Covenant as well.