Cross-Session Relay — Capturing NetNTLMv2 from Another User's Interactive Session
Introduction Assume we have obtained a shell as attacker_svc, a low-privileged domain user. We initially gained access through WinRM using credentials acquired earlier. Another user (victim) is currently logged on interactively to the same machine. Normally, the obvious approach would be to dump LSASS and extract the user’s credentials. However, because our account lacks the required privileges, that option is off the table. Our goal is therefore to obtain access to the victim’s account without interacting with their session directly. ...