I recently was watching an old episode of “Friends”. During this one particular episode, Ross was trying to move a couch into his upstairs apartment. As they were trying to carry the couch upstairs, they reached a point where they had to turn a corner. As you can imagine - the couch becomes stuck and Ross was yelling, "PIVOT!!" Since joining Core, anytime I hear the word ‘pivot’, I think about it in terms of how an attacker would move through a network.
One of the techniques that attackers use once they get into a network is understanding where they’re at and how to get to the valuable information they’re really looking for. Typically, that information is on a separate piece of the network. While I doubt the attacker is visualizing Ross yelling, “Pivot!” I think they try to pivot as quickly as they can. So if attackers use these techniques, then as pen testers, we also need to use the same techniques.
How do Attackers Pivot?
Attackers are looking for any foothold they can leverage to gain access into a network. The cheapest and most effective way of gaining access to networks today is through some form of phishing. The attacker scopes out a target, creates some type of email with malware attached to it and then sends it off hoping to trick the user into clicking on whatever it is they've attached. For the purpose of this, we'll assume the user clicks on the malware and the attacker now has successfully infiltrated the victim's network. At this point, the attack will begin to do some additional fact finding. They will try to find information like what additional users have access to this machine, what networks can this machine talk to, are there any shares on this system and perhaps, where the local DNS servers or even domain controllers are. They do all of this because in most cases the person they've infected isn't actually their goal. It's typically some other system or other data point in the network. Once they gain enough information from this user, they will then begin to try and blend in with the normal network traffic and attempt gaining access to these other systems.
How Do Attackers Blend in?
One of the most common services used in networks today, Remote Desktop Protocol (RDP). Now that the attacker has scrubbed usernames and passwords off of the initial victim’s machine and identified critical servers, he will then use RDP to potentially log into other servers – while using the initial victim's machine as his source. This is one the most basic forms of pivoting. The attacker started by sending a phishing email from outside of the organization. Once he gained access to the victim’s machine, he does his info gathering and then uses that info to look as if he's a normal user on the network moving to the real target. This type of attack is all too common.
What Does This Tell Us as Ethical Hackers?
As pen testers, we need tools that give us the ability to test these very methods. It's not good enough anymore to just test the web vector or the client side vector. We need to test beyond that and see just how far we can get into our networks to better understand preventive measures that we need to put in place. As you conduct your pen tests, don't just stop with the first machine breached. Do as Ross would and PIVOT!