Lateral Movement Flashcards

1
Q

ARP Cache

A
  • Before you can start exploiting other targets on the network, you must first map the network. If you cannot pivot through the compromised computer to use your own system, you may not have access to a port scanner to map the network.
  • One of the most reliable ways to build a network map is to look at the ARP cache on the compromised computer.
  • When a computer receives an ARP response, it saves it into the ARP cache. This means the IP addresses of any computers that the compromised computer communicates with will have ARP cache entries.
2
Q

Extracting Passwords from Memory

A
  • If you achieve SYSTEM or root privileges on the staging system, you’ll be able to access RAM to extract password hashes or even plaintext passwords.
  • Often these credentials will be valid for other systems on the network, particularly if Active Directory is used on the network.
  • With password hashes, as long as the original passwords are weak, an attacker can usually crack them with a password cracking tool such as ‘hashcat’, but plaintext passwords are far preferable.
3
Q

Man in the Middle (MITM) Attacks

A
  • Man in the middle (MITM) attacks rely on an attacker inserting themselves in the middle of communication between two systems on the network and using that to sniff traffic they wouldn’t ordinarily be able to see.
  • One common goal in a MITM attack is to intercept password hashes as they cross the network, since those hashes are used to log into important systems such as file servers.
  • After intercepting these password hashes, an attacker can attempt to crack them with ‘hashcat’.
4
Q

ARP Spoofing / Poisoning

A
  • One common method for performing a MITM attack is to exploit the ARP protocol.
  • The flaw in the ARP protocol is that when an ARP response is sent to a computer, it stores that value in its ARP cache even if it never made an ARP request asking for a response.
  • In other words, any computer on the local network can claim to be any IP address, even if it isn’t that computer.
  • The attacker uses this so that each party believes the IP address it is trying to send data to is at the attacker’s MAC address. Once the switch gets those packets, it sends them to the attacker, which forwards them on to the true destination after reading them.
  • The attacker will have to continually send ARP responses throughout the attack otherwise the attack will fail.