Built-In Lateral Movement Tools

I’m writing this post to hopefully help serve as a reference that documents multiple ways you can move laterally within a network.  There’s a bunch of different tools that are built right into Windows which help facilitate lateral movement, how kind of Microsoft :).  For now, lets start looking over our options.

WMI – Windows Management Instrumentation

WMI has become more and more prevalent to red teamers and hackers after Matt Graeber really helped bring out its usefulness at Blackhat.  WMI allows you to do so many different things that it would take multiple blog posts to document, however I’ll try to go over the useful things right now.  One thing to note: WMI for nearly all cases requires local administrative access on a system, so you will need to be running in the context of a user that has local admin access (or provide the credentials) on the system you are targeting.

One of the classes that’s immediately useful is the Win32_Process class.  This allows us to create and run a process on a machine, local or remote.  I wrote a PowerShell tool called WMIOps which easily allows you to use WMI to create a process on a remote system, such as powershell, or running any other command.  For example, lets say there was a system called “win7pdws2-pc” on the domain “sonofflynnlab” with a local admin username “test2” and password “P@ssword123”.  If you wanted to start “notepad.exe” on the remote system, you could use WMIOps and run:

Invoke-ExecCommandWMI -User sonofflynnlab\test2 -Pass P@ssword123 -Command notepad.exe -Targets win7pdws2-pc

Start processes on a remote system using WMI

This command will start notepad.exe on the testwinpc, and you have remote code execution!   The ReturnValue of “0” lets us know that it executed successfully.  On our target system, we can see notepad.exe is running.

notepadrunning

This is useful when you may not be able to access a system over SMB, but you can using WMI.  Also, WMI is generally a sneakier way (at the moment) of executing code on remote systems as you are not having to drop anything to disk.

At Jobs

At jobs are way to schedule and start a process on a remote system.  Similar to WMI, you will need local administrative rights on the system in order to schedule an at job.  To schedule an at job, at a minimum you will need to provide the path to the file you want to run and the time you want the process started.  So lets get the current time on the remote system, to do this, just run:

net time \\<computername>

nettime

Since the current time on the target system is 11:50 AM, lets schedule a job to run about 3 minutes in the future.  In this example, I want to start notepad.exe on the target system.  To schedule this job, I can just run the following:

at \\win7pdws2-pc 11:53 notepad.exe

atjobcli

I can see that my job is job number 2 for this system.  Now, when the system hits 11:53 AM, it will run the notepad.exe process.  One key difference between using at jobs and WMI is WMI runs in the context of the account you provided.  At jobs run as system.

atjobrunning

You can also use WMI to schedule jobs on a remote system.  WMIOps allows you to easily list, delete, and create jobs on a remote system.  So, lets say you wanted to use WMIOps to create a job at 12:18 to start notepad.exe.  You would run the following command:

Invoke-SchedJobManipulation -User sonofflynnlab\test2 -Pass P@ssword123 -Targets win7pdws2-pc -Create notepad.exe -Time 12:18

wmiopsjobschedule

Creating the job was successful, and we can see our job was assigned JobID 3.

Powershell Remoting

WinRM is a very nifty way to execute PowerShell code on a remote system.  As with the previous options, it will require that you have local administrative rights on the system you are targeting.

If WinRM is enabled on the system you are targeting, you can execute PowerShell commands on the target, giving you the flexibility of PowerShell.  The ports that you would probably see WinRM listening on is 5985 (http), or 5986 (https) (source).

To use WinRM to run a program/execute code on your target system, you could use the Invoke-Command cmdlet:

Invoke-Command -ComputerName win7pdws2-pc -ScriptBlock { hostname }

Invoke-Command -ComputerName win7pdws2-pc -ScriptBlock { ping 8.8.8.8 }

winrm

Raphael Mudge has a great post on using WinRM.  Be sure to check it out!

Remote Desktop

I don’t think I really need to go into any sort of description for this :).  Remote desktop is useful on servers where you can connect remotely without interrupting a users session.  RDPing into someone’s workstation can cause issues, and can be easily detected.  I wouldn’t recommend RDPing into a workstation unless it’s not being used at all.

Still want to try to RDP in?  WMIOps also has a function called Find-ActiveUsersWMI.  When you point this function at a workstation, it will attempt to see if LogonUI.exe or a *.scr (screensaver) process is running.  If either are running, it will let you know the user is likely not at their workstation.  If neither are, they probably are there!  To check, just use:

Find-ActiveUsersWMI -User sonofflynnlab\test2 -Pass P@ssword123 -Targets winypdws2-pc

usersactivecheck

 

I hope this helps to document a couple of tools built into Windows which helps to facilitate lateral movement within a network.  By no means is this an all-inclusive list, but a start.  If there’s something else you think is worth calling out in this post, please be sure to let me know!

 

 

Leave a Reply