CSC 5930/9010 Offensive Security: Lateral Movement
Professor Henry Carter
Spring 2019
Recap
- Symmetric vs. asymmetric encryption techniques
- Authentication protocols require proving possession of a secret:
  - without sharing it
  - without creating a replayable token
- Password cracking techniques and defenses
Post-exploit
- We have considered several techniques for breaking into vulnerable applications this semester
- Your pen testing engagements may only seek this much intrusion, but usually they are scoped a bit more thoroughly
- After you have successfully breached the network of a target, now what?
Privilege escalation and lateral movement
- According to the Lockheed Martin (L-M) kill chain, installation, C2, and actions on objectives are the final steps of an attack
- To do this effectively, attackers establish persistence in a system so that they can return
- This usually requires administrative privileges on a machine that controls the network
- "Lateral movement" refers to navigating the network to find this machine (or set of machines)
Internetworking
- Lateral movement looks a lot like the first exploit: you are just attacking from another machine in the network
- The greatest impediment to lateral movement is a well-partitioned network
- Understanding internetworking inside your target network is key
IP Addressing: Recap
- IP address: 32-bit identifier for a host or router interface
- Interface: connection between host/router and physical link
  - routers typically have multiple interfaces
  - a host typically has one interface
- IP addresses are associated with each interface
Subnets
- IP address: subnet part (high-order bits) and host part (low-order bits)
- What's a subnet? Device interfaces with the same subnet part of their IP address
- Often corresponds to a LAN, but may contain multiple LANs!
IP addressing: CIDR
- CIDR: Classless InterDomain Routing
- Subnet portion of address is of arbitrary length
- Address format: a.b.c.d/x, where x is the number of bits in the subnet portion of the address
- Example: 200.23.16.0/23
Hierarchical addressing: more specific routes
- ISPs-R-Us has a more specific route to Organization 1
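The subnet/host split, CIDR notation and "more specific route" idea of the last three slides in working form. This is an added example, not from the lecture slides: the forwarding table, the ISP-A name and all prefixes other than the /23 format on the slide are constructed, and "ISPs-R-Us"/"Organization 1" are used as hypothetical next hops.

```python
import ipaddress

def subnet_part(addr: str, prefix_len: int) -> int:
    """The high-order `prefix_len` bits of a dotted-quad IPv4 address, as an integer.
    The remaining low-order bits are the host part."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    a = int(ipaddress.IPv4Address(addr))
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return a & mask

def subnet_address(addr: str, prefix_len: int) -> str:
    """Dotted-quad form of the subnet an address belongs to, e.g. 200.23.17.9/23 -> 200.23.16.0."""
    return str(ipaddress.IPv4Address(subnet_part(addr, prefix_len)))

def same_subnet(a: str, b: str, prefix_len: int) -> bool:
    """Two interfaces are on the same subnet when their subnet parts agree."""
    return subnet_part(a, prefix_len) == subnet_part(b, prefix_len)

# Constructed forwarding table (hypothetical prefixes and next hops, not from the slides):
# ISP-A advertises the /20 aggregate, while ISPs-R-Us advertises a more specific /23
# inside it for Organization 1; the /0 default route catches everything else.
ROUTES = [
    ("200.23.16.0/20", "ISP-A"),
    ("200.23.18.0/23", "ISPs-R-Us"),
    ("0.0.0.0/0",      "default-gateway"),
]

def longest_prefix_match(dst: str, routes=ROUTES) -> str:
    """Pick the matching route with the longest (most specific) prefix."""
    ip = ipaddress.IPv4Address(dst)
    best_len, best_hop = -1, None
    for cidr, hop in routes:
        net = ipaddress.IPv4Network(cidr)
        if ip in net and net.prefixlen > best_len:
            best_len, best_hop = net.prefixlen, hop
    return best_hop

if __name__ == "__main__":
    print(subnet_address("200.23.17.9", 23))                 # 200.23.16.0
    print(same_subnet("200.23.16.5", "200.23.18.1", 23))     # False: they differ in the 23-bit subnet part
    for d in ("200.23.18.77", "200.23.20.1", "8.8.8.8"):
        print(d, "->", longest_prefix_match(d))
```

From a lateral-movement standpoint the same arithmetic tells you which hosts a compromised machine can reach directly at layer 2 (same subnet part) and which are only reachable through a router, where filtering can be applied.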
NAT: Network Address Translation
- Motivation: local network uses just one IP address as far as the outside world is concerned:
  - range of addresses not needed from ISP: just one IP address for all devices
  - can change addresses of devices in the local network without notifying the outside world
  - can change ISP without changing addresses of devices in the local network
  - devices inside the local net are not explicitly addressable or visible by the outside world (a security plus)
- Uses IP addresses designated as private inside the LAN
NAT: Network Address Translation (diagram slide)
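A port-translating NAT as a small simulation, added here to make the "not explicitly addressable from outside" point concrete; it is not code from the slides. The public address 203.0.113.7, the inside addresses and the starting public port 5001 are constructed values.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]           # (ip, port)
Packet = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port)

@dataclass
class NatRouter:
    """Minimal port-translating NAT with a single public address (constructed values)."""
    public_ip: str = "203.0.113.7"   # hypothetical WAN-side address
    next_port: int = 5001            # next free WAN-side port
    # WAN-side (public_ip, port) -> LAN-side (private_ip, port)
    inbound_map: Dict[Endpoint, Endpoint] = field(default_factory=dict)
    # LAN-side (private_ip, port) -> WAN-side (public_ip, port)
    outbound_map: Dict[Endpoint, Endpoint] = field(default_factory=dict)

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of a LAN->WAN packet and remember the mapping."""
        src_ip, src_port, dst_ip, dst_port = pkt
        inside = (src_ip, src_port)
        if inside not in self.outbound_map:
            # First packet from this inside socket: allocate a fresh public port
            outside = (self.public_ip, self.next_port)
            self.next_port += 1
            self.outbound_map[inside] = outside
            self.inbound_map[outside] = inside
        pub_ip, pub_port = self.outbound_map[inside]
        return (pub_ip, pub_port, dst_ip, dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite the destination of a WAN->LAN packet, or drop it (None) if unmapped."""
        src_ip, src_port, dst_ip, dst_port = pkt
        inside = self.inbound_map.get((dst_ip, dst_port))
        if inside is None:
            # No inside host ever opened this mapping, so nothing inside is addressable.
            return None
        return (src_ip, src_port, inside[0], inside[1])

def demo() -> Tuple[Packet, Optional[Packet], Optional[Packet]]:
    """Constructed exchange: one outbound request, its reply, and an unsolicited probe."""
    nat = NatRouter()
    out = nat.translate_outbound(("10.0.0.1", 3345, "198.51.100.20", 80))
    reply = nat.translate_inbound(("198.51.100.20", 80, out[0], out[1]))
    unsolicited = nat.translate_inbound(("198.51.100.99", 4444, nat.public_ip, 22))
    return out, reply, unsolicited

if __name__ == "__main__":
    for label, p in zip(("outbound", "reply", "unsolicited"), demo()):
        print(f"{label:11s} {p}")
```

The third packet is the security plus from the slide: with no prior outbound mapping the router has nowhere to deliver it, so an outside scanner sees only the NAT box itself.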
Filtering: Firewalls
- Filtering traffic based on policy
  - Policy determines what is acceptable traffic
- Access control over traffic: accept or deny
- May perform other duties:
  - Logging (forensics)
  - Flagging (intrusion detection)
  - QoS (differentiated services)
- (diagram: application, network and link layers)
DMZ (Demilitarized Zone)
- Zone between LAN and Internet (public facing)
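A first-match packet filter with a three-zone (Internet / DMZ / LAN) policy, added as an example of the accept-or-deny and logging duties described on the firewall slide; it is not from the slides. The zone prefixes, the web server address 203.0.113.10 and the rule set are constructed, and the packet representation (a dict with src, dst, proto, dport) is this example's own.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Rule:
    action: str             # "accept" or "deny"
    src: str                # CIDR the source address must fall in
    dst: str                # CIDR the destination address must fall in
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int]    # destination port, None = any
    log: bool = False       # record a log line when this rule fires

# Constructed three-zone policy (hypothetical addresses)
ANY = "0.0.0.0/0"
DMZ = "203.0.113.0/24"      # public-facing servers
LAN = "10.0.0.0/8"          # internal hosts
WEB = "203.0.113.10/32"     # the one DMZ host the Internet may reach

POLICY: List[Rule] = [
    Rule("accept", ANY, WEB, "tcp", 443),               # the public web service
    Rule("deny",   DMZ, LAN, "any", None, log=True),    # a breached DMZ host must not pivot inward
    Rule("accept", LAN, ANY, "any", None),              # inside hosts may initiate anywhere
    Rule("deny",   ANY, ANY, "any", None, log=True),    # default deny, logged for forensics
]

def matches(rule: Rule, pkt: Dict) -> bool:
    """True when every field of the rule covers the packet."""
    return (ip_address(pkt["src"]) in ip_network(rule.src)
            and ip_address(pkt["dst"]) in ip_network(rule.dst)
            and rule.proto in ("any", pkt["proto"])
            and rule.dport in (None, pkt["dport"]))

def filter_packet(pkt: Dict, policy: List[Rule] = POLICY,
                  log: Optional[List[str]] = None) -> str:
    """First-match evaluation; returns 'accept' or 'deny' and appends to `log` when a logged rule fires."""
    for rule in policy:
        if matches(rule, pkt):
            if rule.log and log is not None:
                log.append(f"{rule.action.upper()} {pkt['proto']} "
                           f"{pkt['src']} -> {pkt['dst']}:{pkt['dport']}")
            return rule.action
    return "deny"   # implicit default deny if the policy has no catch-all

if __name__ == "__main__":
    entries: List[str] = []
    samples = [  # constructed packets
        {"src": "198.51.100.5", "dst": "203.0.113.10", "proto": "tcp", "dport": 443},
        {"src": "198.51.100.5", "dst": "203.0.113.10", "proto": "tcp", "dport": 22},
        {"src": "203.0.113.10", "dst": "10.1.2.3",     "proto": "tcp", "dport": 445},
        {"src": "10.1.2.3",     "dst": "198.51.100.5", "proto": "tcp", "dport": 443},
    ]
    for p in samples:
        print(filter_packet(p, log=entries), p)
    print("\n".join(entries))
```

The second rule is the one that matters for lateral movement: it is what makes the DMZ a separate zone rather than just another LAN segment, and logging it is what lets the defender notice a DMZ host suddenly trying to talk inward.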
MAC Addresses and ARP
- 32-bit IP address: network-layer address used to get a datagram to the destination IP subnet
- MAC (or LAN or physical or Ethernet) address: used to get a frame from one interface to another physically-connected interface (same network)
  - 48-bit MAC address (for most LANs), burned into the adapter ROM
  - e.g.: 1A-2F-BB-76-09-AD; 00:1F:5B:38:FC:04
Self-learning switch
- Switch learns which hosts can be reached through which interfaces
  - when a frame is received, the switch learns the location of the sender: the incoming LAN segment
  - it records the sender/location pair in the switch table
Interconnecting Switches
- Switches can be connected together
- Q: sending from A to G, how does S1 know to forward a frame destined to G via S4 and S3?
- A: self-learning! (works exactly the same as in the single-switch case!)
VLANs: Motivation
- Consider the following scenario: a CS user moves office to EE, but wants to connect to the CS switch?
- Single broadcast domain: all layer-2 broadcast traffic (ARP, DHCP, unknown location of destination MAC address) must cross the entire LAN
  - security/privacy and efficiency issues
Port-Based VLAN
- Traffic isolation: frames to/from ports 1-8 can only reach ports 1-8
  - can also define a VLAN based on MAC addresses of endpoints, rather than switch port
- Dynamic membership: ports can be dynamically assigned among VLANs
- Forwarding between VLANs: done via routing (just as with separate switches)
  - in practice, vendors sell combined switches plus routers
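One simulation that covers the self-learning switch, interconnected switches and port-based VLAN isolation from the previous slides. It is an added example, not the slides' own material: the switch names S1/S2, the port numbering, the trunk link and the MAC addresses assigned to hosts A, G and H are constructed (two of the MACs reuse the formats shown on the MAC slide), and it assumes a loop-free topology with untagged links, so a trunk carries only the VLAN of the port it is on.

```python
from typing import Dict, List, Optional, Tuple

BROADCAST = "FF:FF:FF:FF:FF:FF"

class Switch:
    """A self-learning switch with optional port-based VLANs (constructed model)."""

    def __init__(self, name: str, num_ports: int,
                 vlan_of_port: Optional[Dict[int, int]] = None):
        self.name = name
        self.ports = list(range(1, num_ports + 1))
        # Port -> VLAN id; with no VLANs configured every port is one broadcast domain
        self.vlan = vlan_of_port or {p: 1 for p in self.ports}
        self.table: Dict[str, int] = {}   # MAC -> port: the switch table

    def receive(self, in_port: int, src: str, dst: str) -> List[int]:
        """Learn the sender's location, then return the ports the frame goes out of."""
        self.table[src] = in_port                     # self-learning step
        vid = self.vlan[in_port]
        if dst != BROADCAST and dst in self.table:
            out = self.table[dst]
            if out == in_port:
                return []                             # destination is on the incoming segment: filter
            if self.vlan[out] != vid:
                return []                             # other VLAN: only a router may forward this
            return [out]
        # Unknown destination or broadcast: flood, but only inside this VLAN
        return [p for p in self.ports if p != in_port and self.vlan[p] == vid]

def deliver(switches: Dict[str, Switch],
            links: Dict[Tuple[str, int], Tuple[str, int]],
            sw: str, in_port: int, src: str, dst: str) -> List[Tuple[str, int]]:
    """Push a frame through interconnected switches (loop-free topology assumed).
    `links` maps (switch, port) to the (switch, port) at the far end of an inter-switch link.
    Returns the host-facing (switch, port) pairs the frame finally exits on."""
    exits: List[Tuple[str, int]] = []
    for p in switches[sw].receive(in_port, src, dst):
        if (sw, p) in links:
            nsw, nport = links[(sw, p)]
            exits.extend(deliver(switches, links, nsw, nport, src, dst))
        else:
            exits.append((sw, p))
    return exits

# Constructed hosts
A = "00:1F:5B:38:FC:04"
G = "1A:2F:BB:76:09:AD"
H = "02:00:00:00:00:08"

if __name__ == "__main__":
    # Two switches joined on port 8 of each; A on S1 port 1, G on S2 port 3
    net = {"S1": Switch("S1", 8), "S2": Switch("S2", 8)}
    trunk = {("S1", 8): ("S2", 8), ("S2", 8): ("S1", 8)}
    print("A->G (unknown, flooded):", deliver(net, trunk, "S1", 1, A, G))
    print("G->A (learned, forwarded):", deliver(net, trunk, "S2", 3, G, A))
    print("S2 table:", net["S2"].table)
    # Port-based VLANs: ports 1-4 in VLAN 1, ports 5-8 in VLAN 2
    vsw = Switch("V", 8, {p: (1 if p <= 4 else 2) for p in range(1, 9)})
    vsw.receive(1, A, G)
    print("H(port 6)->A(port 1) across VLANs:", vsw.receive(6, H, A))
    print("H broadcast stays in VLAN 2:", vsw.receive(6, H, BROADCAST))
```

The flooded first frame is what lets S2 learn A's location through the trunk, which is the single-switch algorithm applied hop by hop. The VLAN run shows why a well-partitioned switch fabric slows lateral movement: an attacker on port 6 cannot even ARP for a host on port 1 without passing through a router, where the firewall policy applies.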
Privilege Escalation
- Once you have reached administrative machines, how do you escalate your privilege on the machine/in the network?
- Many of the techniques we've learned are already useful: traffic sniffing, password cracking, MitM attacks
- Your goal should be to steal or create credentials that you can later use to get back in
Things to look for
- Writable executables
- Misconfigured scripts or automated processes
- Stealing domain (i.e., network authentication) credentials from OS caches, Kerberos tickets, or domain controllers
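The first item on the slide is also the easiest one for an administrator to audit. The following check, added here and not part of the lecture, reports executables that group or others may overwrite, plus directories where a read-only executable could simply be replaced. The `demo()` fixture with its two script names is constructed; the `audit_path()` wrapper assumes a POSIX permission model and a PATH-style directory list (it can equally be pointed at cron or init script directories).

```python
import os
import stat
import tempfile
from typing import List

def writable_executables(dirs: List[str]) -> List[str]:
    """Regular executable files in `dirs` that group or others may write.
    Whoever normally runs such a file (often root or a service account) will run
    whatever content was last written to it, so the permission is the finding."""
    flagged: List[str] = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            path = os.path.join(d, name)
            try:
                st = os.lstat(path)          # lstat: judge the entry itself, not a symlink target
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            executable = st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
            loose_write = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
            if executable and loose_write:
                flagged.append(path)
    return flagged

def writable_dirs(dirs: List[str]) -> List[str]:
    """Directories others may write without the sticky bit: a file inside can be
    unlinked and replaced even when the file itself is read-only."""
    out: List[str] = []
    for d in dirs:
        try:
            st = os.stat(d)
        except OSError:
            continue
        if (stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_IWOTH
                and not st.st_mode & stat.S_ISVTX):
            out.append(d)
    return out

def audit_path() -> List[str]:
    """Run the executable check over every directory in the current PATH."""
    return writable_executables(os.environ.get("PATH", "").split(os.pathsep))

def demo() -> List[str]:
    """Constructed fixture: two scripts, one correctly permissioned, one world-writable."""
    d = tempfile.mkdtemp()
    good, bad = os.path.join(d, "backup.sh"), os.path.join(d, "cleanup.sh")
    for p in (good, bad):
        with open(p, "w") as f:
            f.write("#!/bin/sh\necho constructed fixture\n")
    os.chmod(good, 0o755)   # rwxr-xr-x: only the owner may change it
    os.chmod(bad, 0o777)    # rwxrwxrwx: any local account may rewrite the script
    return [os.path.basename(p) for p in writable_executables([d])]

if __name__ == "__main__":
    print("fixture findings:", demo())
    print("PATH findings:", audit_path())
    print("loose directories on PATH:",
          writable_dirs(os.environ.get("PATH", "").split(os.pathsep)))
```

The fix for anything reported is `chmod go-w` on the file (or `chmod o-w` / adding the sticky bit on the directory) and, for the scripts-and-automated-processes item on the slide, checking that the account which runs a job also owns everything the job executes.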
Recap
- Once an attack has crossed into the target network, the goal becomes persistence and control over as many devices as possible
- Lateral movement applies exploit techniques to moving through an internal network structure
- The goal of lateral movement is to find credentials that will escalate the attacker's privilege to admin and allow easy re-entry
Next Time...
- Project Presentations! 10 minutes each
  - Include a demo of your project
  - Write-up due at the final exam
- Complete and submit the internetworking lab
  - See Blackboard for the due date