Lateral movement

Pass-the-Hash (PtH)

impacket-wmiexec <domain>/<user>@<ip> -hashes <LM>:<NT>
# impacket-wmiexec -hashes :4de2bbb92b158793ba49e0becabb0aa0 'rahul.Dhawan'@10.10.10.12

cme smb <ip> -u <user> -H <NTLM_hash>

Why: Reuse a dumped NTLM hash to authenticate as that user.

  • Requires NTLM hash (usually from LSASS/secretsdump)

  • Used to pivot to other systems via SMB, WMI, WinRM


Pass-the-Ticket (PtT)

kerberos::ptt <ticket.kirbi>
# kerberos::ptt [0;12bd0]-0-0-40810000-dave@cifs-web04.kirbi

Why: Reuse a .kirbi ticket to impersonate the user on other machines.

  • Requires extracted Kerberos TGT or TGS from memory

  • Works on services supporting Kerberos (e.g., SMB, LDAP)


Overpass-the-Hash (Pass-the-Key)

Why: Use NTLM hash to request a fresh TGT.

  • Requires NTLM hash and domain context

  • Enables Kerberos authentication to lateral-movement targets
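The detection side of the PtH and Overpass-the-Hash sections above, as an added example that is not part of this cheat sheet: a small classifier over Windows Security event fields (4624 logon events and 4768 TGT requests) using the commonly cited heuristics for these techniques. The sample events, the trusted-source allowlist and the field subset are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Event:
    """Subset of Windows Security log fields used by these heuristics (constructed)."""
    event_id: int
    account: str
    source_ip: str = ""
    logon_type: int = 0
    auth_package: str = ""
    logon_process: str = ""
    enc_type: str = ""  # TicketEncryptionType on event 4768

def classify(ev: Event, trusted_sources: set[str]) -> str | None:
    """Return a reason if the event matches a PtH / overpass-the-hash pattern, else None."""
    if (ev.event_id == 4624 and ev.logon_type == 9
            and ev.logon_process.lower() == "seclogo"
            and ev.auth_package.lower() == "negotiate"):
        # New logon session created with injected alternate credentials on the source host
        return "logon type 9 via seclogo/Negotiate: possible overpass-the-hash source"
    if ev.event_id == 4768 and ev.enc_type.lower() == "0x17":
        # RC4-HMAC TGT request: the key is derived from the NT hash; suspicious where AES is the norm
        return "RC4 TGT request: possible overpass-the-hash"
    if (ev.event_id == 4624 and ev.logon_type == 3
            and ev.auth_package.upper() == "NTLM"
            and ev.source_ip not in trusted_sources):
        # NTLM network logon from a host outside the allowlist: review for pass-the-hash
        return "NTLM network logon from untrusted source: review for pass-the-hash"
    return None

def scan(events: list[Event], trusted_sources: set[str]) -> list[tuple[str, str, str]]:
    """Run classify() over a batch and return (account, source_ip, reason) for each hit."""
    return [(ev.account, ev.source_ip, r) for ev in events if (r := classify(ev, trusted_sources))]

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    Event(4624, "alice", "10.0.0.5", logon_type=3, auth_package="Kerberos", logon_process="Kerberos"),
    Event(4624, "dave", "10.0.0.99", logon_type=3, auth_package="NTLM", logon_process="NtLmSsp"),
    Event(4624, "dave", "10.0.0.5", logon_type=3, auth_package="NTLM", logon_process="NtLmSsp"),
    Event(4624, "dave", "-", logon_type=9, auth_package="Negotiate", logon_process="seclogo"),
    Event(4768, "dave", "10.0.0.99", enc_type="0x17"),
    Event(4768, "alice", "10.0.0.5", enc_type="0x12"),
]
TRUSTED = {"10.0.0.5"}  # constructed allowlist of admin jump hosts

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS, TRUSTED):
        print(hit)
```

NTLM network logons are routine in most domains, so the third rule is only useful with a maintained allowlist or a per-account baseline; the type-9/seclogo and RC4-TGT rules are far more specific.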


WMIExec / PSExec / WinRM

Why: Shell access on remote machine using valid creds/hash.

  • Requires admin or RDP/WMI access

  • Establishes interactive shell to move deeper


Session Hijacking

Why: Find where privileged users are logged in to pivot further.

  • Requires net session/logon rights (often local admin)

  • Lets you target high-priv endpoints for lateral escalation


RDP Pivot

Why: Direct GUI access to another host.

  • Requires RDP enabled & credentials

  • Convenient for interacting with GUI-only targets


WMI Event Subscription or Scripting Abuse

Why: Execute code remotely via WMI.

  • Needs valid creds with remote WMI access

  • Useful when PsExec/SMB blocked

