It is often the case that the initially compromised computer is not the final target. In such a case, attackers attempt to move through the infrastructure of the target's organization, gaining more access across the network until they find the system holding the information they seek. While there are multiple ways of moving across the network of the target's organization, it usually starts with credential harvesting and network enumeration, then continues with jumping to other systems and repeating the cycle until the final destination is reached.
Credential harvesting
It is common practice for PC users to store their login credentials in browsers. Attackers often embed credential-harvesting modules in their malware to take advantage of this browser feature. A quick example of credential harvesting from the Chrome web browser is shown in Figure 1.
Figure 1: Credential harvesting from a Chrome web browser
Another way to harvest a user's credentials is a keylogger. It is also a common feature of malware used by APT actors during their campaigns. To illustrate such an approach, one could use the built-in key-logging module of the meterpreter RAT. An example of such activity is shown in Figure 2.
Figure 2: Credential harvesting via key-logging
While the previous approaches can be executed from a limited user's context, credentials are not always stored in the web browser, and the user does not necessarily type them during the day. A previously successful privilege escalation attack therefore allows an attacker to obtain the user's credentials from memory, often in plain text. For this purpose a variation of the well-known tool mimikatz is usually used. An example of such an attack can be performed using the creds_all command of the kiwi module (see Figure 3).
Figure 3: Credential harvesting from the memory
Network fingerprinting
Once enough credentials have been obtained, the attacker performs network fingerprinting. In order to perform efficient reconnaissance of the target's network, advanced attackers usually rely on native tools or scripts that allow them to stay under the radar. An example of such a tool is the PowerShell script PowerView from the PowerSploit toolkit. It allows, for example, quick identification of systems on the network where the current user has local administrator access. As shown in Figure 4, the current user was found to have local administrator privileges on NODE4.contoso.com.
Figure 4: Enumerating local admin privileges of the current user on remote systems
Another powerful feature of this script is the ability to find systems where certain users are currently logged in. This is important for attackers because it lets them focus on specific systems and thus reduce the noise generated by trying to break into arbitrary systems. An example of such activity is shown in Figure 5.
Figure 5: Hunting for open sessions of highly privileged Domain accounts
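Enumeration of the kind PowerView performs touches many hosts from one source in a short time, which shows up on the targets as a burst of network logons from the same address and account. The detector below is an added example, not code from the original article; it runs over constructed Security-log events, and the hosts, accounts, window and threshold are assumptions.

```python
# Constructed Security-log events (not real telemetry): 4624 = successful
# logon, 4625 = failed logon; LogonType 3 = network logon from a remote host.
from collections import defaultdict

EVENTS = [  # ts in seconds
    dict(ts=10, host="NODE1", id=4624, LogonType=3, TargetUserName="bob", IpAddress="10.0.0.5"),
    dict(ts=11, host="NODE2", id=4624, LogonType=3, TargetUserName="bob", IpAddress="10.0.0.5"),
    dict(ts=11, host="NODE3", id=4625, LogonType=3, TargetUserName="bob", IpAddress="10.0.0.5"),
    dict(ts=12, host="NODE4", id=4624, LogonType=3, TargetUserName="bob", IpAddress="10.0.0.5"),
    dict(ts=13, host="DC1", id=4624, LogonType=3, TargetUserName="bob", IpAddress="10.0.0.5"),
    dict(ts=50, host="NODE1", id=4624, LogonType=3, TargetUserName="svc_backup", IpAddress="10.0.0.9"),
    dict(ts=3000, host="NODE2", id=4624, LogonType=3, TargetUserName="svc_backup", IpAddress="10.0.0.9"),
    dict(ts=20, host="NODE1", id=4624, LogonType=2, TargetUserName="alice", IpAddress="127.0.0.1"),
]

def network_logon_fanout(events, window=300, min_hosts=4):
    """Return (IpAddress, TargetUserName, hosts) for every source that reached
    at least `min_hosts` distinct hosts over the network within `window`
    seconds. Failed logons count too: a sweep also touches hosts the
    account has no rights on, which is exactly what makes it visible."""
    by_source = defaultdict(list)
    for e in events:
        if e["id"] in (4624, 4625) and e["LogonType"] == 3:
            by_source[(e["IpAddress"], e["TargetUserName"])].append(e)
    hits = []
    for (ip, user), evs in by_source.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):  # sliding window anchored at each event
            hosts = {e["host"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(hosts) >= min_hosts:
                hits.append((ip, user, sorted(hosts)))
                break
    return hits
```

The backup account reaching two hosts fifty minutes apart stays below the threshold, while the five-host burst from one address is reported once.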
In this scenario, a member of the Domain Admins group, the most privileged group in a Windows domain environment, is logged into the system NODE4, where the compromised user has local administrator privileges. This allows the attacker to use the current user's credentials to move laterally to that machine. An example of such activity can be performed with the psexec module, as shown in Figure 6.
Figure 6: Moving laterally to another system with previously collected credentials
By executing commands via the psexec approach, the payload delivered to the remote system is launched under SYSTEM privileges and establishes a command-and-control channel to the attacker's server. This allows the attacker to extract user credentials from memory in the same way as shown before and thereby obtain the plain-text credentials of a Domain Admin account (see Figure 7).
Figure 7: Domain administrator’s password retrieval from memory on NODE4
Having the credentials of a user in the Domain Admins group usually means that access to all systems within the Windows domain is gained. The attacker can therefore move freely across the whole network to find sensitive information. For example, it is now possible for the attacker to jump to the FILE_SERVER machine and have full access to that system (see Figure 8).
Figure 8: System level access gained on FILE_SERVER via psexec with Domain Administrator’s credentials
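The two steps above, reading credentials out of memory (Figures 3 and 7) and pushing a payload with psexec (Figures 6 and 8), each leave host telemetry a defender can correlate: a non-baseline process opening lsass.exe with read access, and a service installation on a host that has just received a network logon. The detector below is an added example, not code from the original article; the event samples, the service name PSEXESVC and the baseline of allowed LSASS readers are constructed assumptions.

```python
# Constructed Windows telemetry (not real logs): Sysmon 10 (process access),
# Security 4624 (logon) and System 7045 (service installed); ts is seconds.
from collections import defaultdict

PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory
# Assumed baseline of processes allowed to read LSASS; tune per environment.
LSASS_READERS_ALLOWED = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}
EVENTS = [
    dict(ts=100, host="NODE1", id=10, SourceImage=r"C:\Windows\System32\csrss.exe",
         TargetImage=r"C:\Windows\System32\lsass.exe", GrantedAccess="0x1FFFFF"),
    dict(ts=101, host="NODE1", id=10, SourceImage=r"C:\Users\bob\AppData\Local\Temp\svc.exe",
         TargetImage=r"C:\Windows\System32\lsass.exe", GrantedAccess="0x1010"),
    dict(ts=200, host="NODE4", id=4624, LogonType=3, TargetUserName="bob", IpAddress="10.0.0.5"),
    dict(ts=203, host="NODE4", id=7045, ServiceName="PSEXESVC", ImagePath=r"%SystemRoot%\PSEXESVC.exe"),
    dict(ts=300, host="NODE4", id=10, SourceImage=r"C:\Windows\PSEXESVC.exe",
         TargetImage=r"C:\Windows\System32\lsass.exe", GrantedAccess="0x1010"),
    dict(ts=400, host="FILE_SERVER", id=4624, LogonType=3, TargetUserName="dadmin", IpAddress="10.0.0.5"),
    dict(ts=402, host="FILE_SERVER", id=7045, ServiceName="PSEXESVC", ImagePath=r"%SystemRoot%\PSEXESVC.exe"),
    dict(ts=900, host="NODE2", id=7045, ServiceName="Backup", ImagePath=r"C:\Program Files\Backup\agent.exe"),
]

def lsass_read_alerts(events):
    """Sysmon 10 where a non-baseline process opens lsass.exe with VM_READ,
    the access a memory credential dump needs."""
    hits = []
    for e in events:
        if e["id"] != 10 or not e["TargetImage"].lower().endswith("\\lsass.exe"):
            continue
        if (int(e["GrantedAccess"], 16) & PROCESS_VM_READ
                and e["SourceImage"].lower() not in LSASS_READERS_ALLOWED):
            hits.append((e["host"], e["SourceImage"]))
    return hits

def remote_service_install_alerts(events, window=60):
    """7045 within `window` seconds after a network (type 3) logon on the same
    host: the trace a PsExec-style push leaves, whatever the service is named."""
    logons = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e["LogonType"] == 3:
            logons[e["host"]].append(e)
    hits = []
    for e in events:
        if e["id"] != 7045:
            continue
        for logon in logons[e["host"]]:
            if 0 <= e["ts"] - logon["ts"] <= window:
                hits.append((e["host"], logon["TargetUserName"], logon["IpAddress"], e["ServiceName"]))
                break
    return hits
```

The locally installed backup agent on NODE2 produces no alert because no network logon precedes it, while the two psexec pushes are tied to the account and source address that drove them.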
The examples provided mainly focus on the Windows environment, as it is the most common platform in today's enterprises. However, there are cases where the IT environment is mixed, with Windows, Linux and Unix-based systems. In such cases attackers try to harvest SSH credentials via keylogging or by stealing private keys from file systems they have compromised. Where authentication is centralized via AD and LDAP, attackers target those authentication servers to extract or tamper with login data. Additionally, for certain air-gapped networks, VPN credentials are also collected throughout the campaign in order to reach systems that are disconnected from the network and managed through secure VPN connections in the local network.