CHAPTER 12: Pivoting and Lateral Movement

A common practice in lateral movement is to look for stored passwords and hashes after establishing remote access to the victim's host. The remote access can be a limited shell, a remote desktop session, or, even better, a root/administrator shell. That being said, if you're connected as a low-privileged user, then your probability of success will be very low. Why? With a root account, you can read any file on the system to reveal what you're looking for (e.g., showing the contents of the /etc/shadow file on a Linux OS). Professionals in the field use the terms pivoting and lateral movement interchangeably, and in this chapter we will use the two terms for the same principle. This task is also considered part of the post-exploitation phase of a penetration testing engagement, because it happens after the target host has been exploited.

In this chapter, you will learn about the following topics so you can jump from one host to another with ease:

  • Understanding Windows password hashes
  • Dumping Windows password hashes
  • Learning about pass the hash
  • Port forwarding concepts
    • Local port forwarding
    • Remote port forwarding
    • Dynamic port forwarding

Dumping Windows Hashes

In this section, you will learn how to extract hashed passwords from a Windows host. Passwords can be in two forms, cleartext or hashed, and in Windows, passwords are stored in the NTLM hash format (you will learn more about this type of hash in the next section). ...
