::: left till the conference

Lateral movement automation

15 min
Main Stage

In a corporate network, lateral movement is a great way to escalate privileges and find necessary information.

But it is hindered when we face filtering between network segments. Sometimes, we have to open multiple embedded tunnels, which is hard to automate. In other words, lateral movement is rarely possible without pivoting.

Trying to solve this problem and move away from pivoting, an interesting solution was found – a recursive shell, i.e. a shell that can be opened from another shell.

In fact, it is a proxy based on DCOM and available through the MSRPC pile built into victim. As a result, we can forward ports exclusively through port 445/tcp.

This kind of lateral movement significantly hinders active countermeasures because it happens through a chain of MSRPC proxies and the real source of the attack is hard to identify. 

A demo.


Andrey Zhukov
Other Reports
Defensive Track
Attacking the microservice applications: methods and practical tips
Hardware Zone
How do we make Flipper Zero?
Defensive Track
The invisible hand of AppSec in release builds