Breaking In Windows: 3 Techniques to Connect Remotely
When pentesting Active Directory, knowing what alternatives you have for remote connectivity can make the difference between getting an easy interactive shell and spending minutes in frustration: RDP is often either not enabled or its port is closed. In this post, I’ll show you three ways to get a direct (remote) shell on Windows, along with the pros and cons of each and the network and Windows requirements for each.
Our first step should be initial enumeration with nmap. This simple but critical step tells us which inbound ports are open. Skipping it when pivoting is a common mistake, and it leads to confusing having the right permissions to connect with actually being able to connect. In other words, having Local Admin credentials is not enough: because we are not seated in front of the computer, we must also be able to reach it over the network. The open port or ports dictate which command we can use.
I like nmap for its simplicity. We can use these flags to confirm which ports are open:
sudo nmap -p- -Pn -n --reason 10.211.55.3
Using “--reason” gives me the technical explanation for each port’s state (the packet or lack of response nmap based its verdict on). It isn’t required, but I like to see what happens behind the scenes. “-Pn” and “-n” skip host discovery and DNS resolution, which avoids name-resolution problems and false negatives caused by firewalls that drop the discovery probes. Always…
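As an added example (not code from the original post), the following Python script turns the normal output of the nmap command above into an exposure report for the Windows remote-management ports. The sample output is constructed for the example, and the port-to-service mapping is an assumption based on the standard defaults (RDP 3389, WinRM 5985/5986, SMB 445, OpenSSH 22). Ports that nmap folds into the “Not shown” line inherit that line’s state, so a port absent from the table is reported as filtered rather than silently missing.

```python
import re
from typing import Dict, List

# Constructed sample of `nmap -p- -Pn -n --reason` normal output; not real scan data.
SAMPLE_OUTPUT = """\
Nmap scan report for 10.211.55.3
Host is up, received user-set (0.00034s latency).
Not shown: 65529 filtered tcp ports (no-response)
PORT      STATE  SERVICE       REASON
135/tcp   open   msrpc         syn-ack ttl 128
139/tcp   open   netbios-ssn   syn-ack ttl 128
445/tcp   open   microsoft-ds  syn-ack ttl 128
3389/tcp  closed ms-wbt-server reset ttl 128
5985/tcp  open   wsman         syn-ack ttl 128
5986/tcp  closed wsmans        reset ttl 128
"""

# Assumed default ports for the Windows remote-management services we care about.
REMOTE_ACCESS_PORTS: Dict[int, str] = {
    3389: "RDP",
    5985: "WinRM (HTTP)",
    5986: "WinRM (HTTPS)",
    445: "SMB",
    22: "SSH (OpenSSH for Windows)",
}

# One per-port line: "<port>/<proto>  <state>  <service>  <reason ...>"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s+(.*)$")
# The summary line that covers every port nmap did not list individually.
NOT_SHOWN = re.compile(r"^Not shown: (\d+) (\S+) (tcp|udp) ports \((.*)\)$")


def parse_nmap_output(text: str) -> List[Dict[str, object]]:
    """Parse the per-port lines of nmap's normal output into dicts."""
    ports: List[Dict[str, object]] = []
    for raw in text.splitlines():
        m = PORT_LINE.match(raw.strip())
        if not m:
            continue  # headers, blank lines and summary lines are skipped here
        ports.append({
            "port": int(m.group(1)),
            "proto": m.group(2),
            "state": m.group(3),
            "service": m.group(4),
            "reason": m.group(5).strip(),
        })
    return ports


def default_state(text: str) -> str:
    """Return the state/reason nmap assigned to the ports it did not list."""
    for raw in text.splitlines():
        m = NOT_SHOWN.match(raw.strip())
        if m:
            return f"{m.group(2)} ({m.group(4)})"
    return "unknown"


def remote_access_exposure(text: str) -> Dict[str, str]:
    """Report, per remote-management service, the state nmap observed.

    A port missing from the table is not "unknown": it falls under the
    "Not shown" line, so it inherits that line's state (usually filtered).
    """
    listed = {p["port"]: p for p in parse_nmap_output(text) if p["proto"] == "tcp"}
    fallback = default_state(text)
    report: Dict[str, str] = {}
    for port, name in REMOTE_ACCESS_PORTS.items():
        entry = listed.get(port)
        if entry is None:
            report[name] = fallback
        else:
            report[name] = f"{entry['state']} ({entry['reason']})"
    return report


if __name__ == "__main__":
    for service, state in remote_access_exposure(SAMPLE_OUTPUT).items():
        print(f"{service:28s} {state}")
```

Run it against a saved scan with `python3 exposure.py < scan.txt` after swapping `SAMPLE_OUTPUT` for `sys.stdin.read()`; in the constructed sample the report shows RDP closed (the host answered with a reset), WinRM over HTTP and SMB open, and SSH filtered because nothing answered on that port.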