Remote access to the target system is sometimes limited to RDP protocol only (either Remote Desktop or Terminal Server access).
This is often the case with heavily firewalled systems, such as branch office servers exposed on the Internet with port TCP/3389 opened alone.
Previously gathered credentials might have allowed the pentester to break into such a system. However, how to get further without being able to access the Internet from the target ?
Locally available utilities (such as the NET command, VBScript-ing and the like) are invaluable in this case. But what about hardcore, process-injecting utilities ?
A pretty well-known trick in this case is the ability to mount through the RDP protocol many client-side resources, such as printers (NOT recommended), clipboard and ... hard drives.
At this point, the novice pentester got his C drive mounted on the remote server, and all his utilities wiped out by server antivirus.
Now it is time to call upon the forgotten lore of MS-DOS, namely the SUBST command which is still available on Windows XP SP3.
After having created a C:\TAZ directory on his laptop, the experienced pentester types at the CMD console prompt:
SUBST D: C:\TAZ
... and is now able to exchange with the remote target through a virtual "D:" drive, without getting owned.
Having compromised the remote network beyond hope, he now types:
SUBST D: /D
... and might have finished the assessment report by 5:00 PM, if he is wise enough NOT to use LaTeX.