# T1210: Exploitation of Remote Services

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.

An adversary may need to determine if the remote system is in a vulnerable state, which may be done through Network Service Scanning or other Discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.

There are several well-known vulnerabilities that exist in common services such as SMB and RDP as well as applications that may be used within internal networks such as MySQL and web server services.

Depending on the permissions level of the vulnerable remote service, an adversary may also achieve Exploitation for Privilege Escalation as a result of lateral movement.

**Example**

For this demonstration I will use a very well-known vulnerability, EternalBlue (MS17-010). In this demo I will gain access to one machine and then proxy onto another PC in the internal network.

Initial Access:

We currently hold initial access (via phishing); now we need to enumerate the environment and search for other workstations in the domain.

![](/files/-MRkzcJFbSBp-aKQdGUy)

We can use the **GetDomainComputer** command to find any workstations in the domain, and we find 3.

![](/files/-MRkzbYeTO9sdrFZIBqP)

![](/files/-MRkzfvZTJqt-aymsmIB)

![](/files/-MRkzf4v1Oyg6ZoII2OH)

![](/files/-MRkzgt-FTHIotyAa_bo)

Now let's ping each of them to see which one is active. For Demo purposes we know it's Charlie.

![](/files/-MRkzhocuQq1amWUSsy8)

A port scan gives us valuable information: the SMB port is open and listening.

![](/files/-MRkziWx8Oza6tHaRU4p)

Now let's create a port-forwarding connection from the victim machine so that our attacking box can reach the service. We can use the built-in netsh to achieve this.

**If there is a better way with other tools please do let me know as I am new to this myself LOL**

```
netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=4000 connectaddress=10.0.2.18 connectport=445
```
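From the defender's side, this port forward leaves a very recognisable command line in process-creation logs. The following is an added example, not part of the original notes: a small Python triage that parses `netsh ... portproxy add` command lines and explains why each rule matters. The host names, the second sample command and the choice of flagged ports are assumptions made for illustration.

```python
import re

# Remote-service ports the page names as lateral-movement targets (assumed list).
SENSITIVE_PORTS = {445: "SMB", 3389: "RDP"}
# Anything may sit between netsh and portproxy, so "int" for "interface" still matches.
ADD_RULE = re.compile(r"\bnetsh(?:\.exe)?\b.*?\bportproxy\s+add\s+(v[46]tov[46])\b(.*)", re.I)
KEY_VALUE = re.compile(r"(\w+)=(\S+)")

def parse_portproxy(cmdline):
    """Return the forwarding rule a command line creates, or None."""
    m = ADD_RULE.search(cmdline)
    if not m:
        return None
    args = {k.lower(): v.strip('"') for k, v in KEY_VALUE.findall(m.group(2))}
    listen = args.get("listenport", "")
    connect = args.get("connectport", listen)  # netsh default: same as listenport
    if not (listen.isdigit() and connect.isdigit() and "connectaddress" in args):
        return None  # positional or service-name syntax is out of scope here
    return {"mode": m.group(1).lower(),
            "listen": (args.get("listenaddress", "default"), int(listen)),
            "connect": (args["connectaddress"], int(connect))}

def findings(rule):
    """Explain why a rule deserves an analyst's attention."""
    (laddr, lport), (caddr, cport) = rule["listen"], rule["connect"]
    out = []
    if laddr == "0.0.0.0":
        out.append("listens on all interfaces")
    if cport in SENSITIVE_PORTS:
        out.append(f"relays to {SENSITIVE_PORTS[cport]} on {caddr}")
    if lport != cport:
        out.append(f"port remap {lport}->{cport}")
    return out

def triage(events):
    """Map (host, command line) records to (host, rule, findings) alerts."""
    return [(h, r, findings(r)) for h, c in events if (r := parse_portproxy(c))]

# Constructed process-creation records (host, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("WS-A", "netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=4000 connectaddress=10.0.2.18 connectport=445"),
    ("WS-B", r'"C:\Windows\System32\netsh.exe" int portproxy add v4tov4 listenport=3389 connectaddress=10.0.2.20'),
    ("WS-C", "netsh interface portproxy show all"),
    ("WS-D", "netsh advfirewall firewall show rule name=all"),
]

if __name__ == "__main__":
    for host, rule, why in triage(SAMPLE_EVENTS):
        print(host, rule["listen"], "->", rule["connect"], "|", "; ".join(why))
```

Existing rules can also be reviewed on a host with `netsh interface portproxy show all`, and removed rules will not show up there, so the command-line history is the more durable signal.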

Once the port forwarding is in place, let us scan the machine and look for anything exploitable.

**This scan should be a good output, but I couldn’t get these results; please see the ones below this to see what I saw. Please do let me know how to achieve this.**

![](/files/-MRkzla-Mgru2WVElOi2)

Above we see the result of an nmap scan giving us information on the workstation; at this point we know that the machine is vulnerable to EternalBlue. Various other scans show promising results.

**Nmap**

![](/files/-MRkzmX91jTb3WeGB_EK)

**Amap**

![](/files/-MRkznSWHE_mHzha5v4B)

Now we exploit.

![](/files/-MRkzqq7BXe0P0MnkJLn)

We have now moved to a different machine, and we can upgrade our shell to continue with Covenant as well.

![](/files/-MRkzq9CXjgS3B0iaC-J)

