That time I basically invented pass-the-hash exploits / NTLM challenge forwarding but didn't get credit because I kept the real exploit for this issue a secret. 23 years later I regret not posting my modified smbclient that did connect-back PtH in 2000…
AtStake would have fired me because, despite the l0pht's best efforts, they put a moratorium on exploit code that could actually be used. The scope and impact of this kind of issue (definitely not limited to telnet, haha; simply a file://UNC path in the right places was enough to trigger auths back then) wasn't fully realized until much later, but anyway, here's the CVE from then.
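To make the "challenge forwarding" mechanism concrete, here is an added toy simulation in Python. It is not the author's smbclient patch and not code from the original post; the host names, the account, the 16-byte stand-in NT hash and the blob handling are constructed assumptions, and the proof computation is modelled on the NTLMv2 HMAC-MD5 form (the relay logic is identical for the older LM/NTLMv1 responses, since in every version the client only ever sends a keyed response to whatever challenge it is handed). The point it shows is that the relay never needs the victim's hash: it obtains a challenge from the target, hands that same challenge to the victim, and forwards the victim's response back.

```python
"""Toy NTLM challenge-forwarding (relay) simulation. Constructed example, not real SMB."""
import hashlib
import hmac
import os


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 key: HMAC-MD5 keyed with the NT hash over UPPER(user)||domain in UTF-16LE."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def nt_proof(nt_hash: bytes, user: str, domain: str,
             server_challenge: bytes, client_blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(NTOWFv2, server_challenge || client_blob)."""
    key = ntowf_v2(nt_hash, user, domain)
    return hmac.new(key, server_challenge + client_blob, hashlib.md5).digest()


class Victim:
    """Client that authenticates to any server named in a UNC path it touches."""

    def __init__(self, user: str, domain: str, nt_hash: bytes):
        self.user, self.domain, self.nt_hash = user, domain, nt_hash

    def authenticate(self, server_challenge: bytes):
        # The client never sends the hash, only a MAC over the challenge it was given.
        client_blob = os.urandom(8)  # stand-in for the NTLMv2 timestamp/nonce blob
        proof = nt_proof(self.nt_hash, self.user, self.domain, server_challenge, client_blob)
        return client_blob, proof


class Target:
    """Server holding the account database: {(user, domain): nt_hash}."""

    def __init__(self, accounts: dict):
        self.accounts = accounts
        self.pending = set()

    def new_challenge(self) -> bytes:
        challenge = os.urandom(8)
        self.pending.add(challenge)
        return challenge

    def verify(self, user: str, domain: str, server_challenge: bytes,
               client_blob: bytes, proof: bytes) -> bool:
        if server_challenge not in self.pending:
            return False
        self.pending.discard(server_challenge)  # each challenge is single-use
        nt_hash = self.accounts.get((user, domain))
        if nt_hash is None:
            return False
        expected = nt_proof(nt_hash, user, domain, server_challenge, client_blob)
        return hmac.compare_digest(expected, proof)


def relay(victim: Victim, target: Target) -> bool:
    """The attacker's fake server. It holds no hash; it only shuttles messages."""
    # 1. Victim connects to us (a file://UNC path pointing at our host was enough).
    # 2. We open our own session to the target and take ITS challenge...
    challenge = target.new_challenge()
    # 3. ...and present that challenge to the victim as if it were ours.
    client_blob, proof = victim.authenticate(challenge)
    # 4. Forward the victim's response unchanged; the target checks it against
    #    the account's hash, which matches the one the victim used.
    return target.verify(victim.user, victim.domain, challenge, client_blob, proof)


# Constructed stand-in for MD4(UTF-16LE(password)); any 16 bytes will do here.
ALICE_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")
OTHER_HASH = bytes.fromhex("ffeeddccbbaa99887766554433221100")


def relay_to_file_server() -> bool:
    """Relay alice's auth to a server where alice has the same hash: succeeds."""
    return relay(Victim("alice", "CORP", ALICE_HASH),
                 Target({("alice", "CORP"): ALICE_HASH}))


def relay_to_unrelated_server() -> bool:
    """Same relay against a server whose 'alice' has a different hash: fails."""
    return relay(Victim("alice", "CORP", ALICE_HASH),
                 Target({("alice", "CORP"): OTHER_HASH}))


def connect_back() -> bool:
    """Connect-back: the target is the victim's own machine, which holds alice's hash."""
    victim = Victim("alice", "CORP", ALICE_HASH)
    own_machine = Target({("alice", "CORP"): ALICE_HASH})
    return relay(victim, own_machine)


if __name__ == "__main__":
    print("relay to file server :", relay_to_file_server())
    print("relay to other server:", relay_to_unrelated_server())
    print("connect-back         :", connect_back())
```

The relay function is the only attacker code and it never touches `ALICE_HASH`; that is the whole reason forwarding works. It fails only when the target does not hold the same hash the victim used, which is also why the connect-back case (target and victim are the same box) is the easy one.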