LLMNR or NBT-NS poisoning is a very common attack that many networks are vulnerable to. Through this attack, it is possible to gain access to a user’s NTLMv1 or NTLMv2 password hash. A more interesting attack can be carried out under the same premise, though: instead of just obtaining a password hash, the attacker can exploit the user’s authenticated session to another host to run arbitrary code on that server. In this episode of Tradecraft Security Weekly, Beau Bullock (@dafthack) shows how to perform this attack using the PowerShell tool Inveigh.