YouTube Transcript:
Intro to Windows & AD Hacking - Red Team 2024
Welcome to the Windows AD talk. I gave this talk last year and it was like two hours long, which is why I split it up this year into like a GBM and a red team talk, so hopefully it's not going to be two hours long. I will say I tried to cut out slides, and I cut out about half the slides, and then I added some more, and somehow my slides this year are 83. I have 83 slides this year and I had 82 last year, so I don't know how long it's going to take. We'll see. I'm gonna go quickly. I totally forgot, I've had this bag of like Sour Patch Kids sitting from the GBM, so I encourage you to ask questions, because if you ask a question I'll give you one of these.

Now, Windows. Here, let's go through this, right. This is my thing: Zero to Hero, only if you practice. Windows is hard. You will not be an expert after this talk, but this talk will give you everything you need to become an expert on your own. So you just got to listen, you got to try to understand, do your best, do practice later. You can use these slides as a reference, so don't worry if you're not going to remember anything, but just ask questions when you don't understand anything, okay? Because I promise you Windows is kind of hard, and it confuses a lot of people, and it confuses me sometimes. So if you have a question, someone else definitely has it. So, you know, if you want, you could just say "can I have a Sour Patch Kid" and that'll count as a question.

Okay, sure, you're gonna have one. There you go.

Okay, all right. So, Microsoft documentation has too many TLAs, TMA. That means there's too many three-letter acronyms, too many acronyms. This is true. Every time I give this talk people are like, what is ADCS, what is a TGT, a TGS, an ST, AD DS. There's too many acronyms, and I will probably forget that some of you do not know what SCCM is. So if you don't know what it is, ask me, I'll tell you, okay.

Okay, now I'm going to preface this talk with my favorite tool ever. It's called NetExec; this was previously called CrackMapExec. So on the right is this thing that I saw on LinkedIn, and someone was like, "hacking Active Directory methods," and they had a ton of techniques and they had a ton of tools, and they mentioned secretsdump and sprayhound and psexec and all these tools. Fun fact: every single one of those tools can be replaced with just one, and it's called NetExec. I'm one of the developers of NetExec, a very minor developer, but I put a lot of effort into it, which helps. And pretty much everything in this talk you can do with these tools. If you want to install that, here's the commands you can run on Linux. The red stuff is for like just normal Debian and Ubuntu, and the blue stuff is for if you're in Kali Linux. NetExec is the tool that I'm going to talk about the most. Impacket is a library that NetExec is based on, and Impacket also has a ton of scripts that are used for Windows and AD pentesting.

Here's the tool. There's a lot of protocols that it supports: it supports MSSQL, NFS, what does that say, RDP, WMI, SSH, WinRM, VNC, LDAP, FTP, SMB. Way too many in my opinion. I only really use like three of them ever, but you know, it's good to know, it's good to have. Yeah, which do you use? SMB is like the main one. CrackMapExec initially was only SMB, I'm pretty sure it was based on a tool called exec, it was just SMB. LDAP is really useful, and WinRM is really useful, and that's kind of it. Some other things are useful sometimes, but not that much.

So Impacket is a collection of Python classes for working with network protocols. Windows, what happened? Oh, do you want one of these? All right, there you go. So this is something that, so Windows code, it's all written in C, right? Well, a bunch of developers at this company called Fortra made this tool where they basically rewrote all of the Windows protocols in Python, so that you don't have to call it locally, you can call it remotely from Python, which is really, really nice. And it's like, they claim it's for like just Windows usage, but not really, it's a pentesting company. They also make Cobalt Strike and some other tool, Core Impact, which is an automated pentesting tool. This is really useful if you want to make your own Windows tools. It's really good to learn how to use Impacket, which is really confusing, and there's absolutely zero documentation, but it's useful.

Okay, I'm going to start with recon. Before I do, does anyone have any questions so far? No? Okay. So last year, because I gave this talk combined with the intro to Windows, I gave it in like a structured order and not a very logical order, in that I was like, let's cover all the protocols and let's cover all the exploits. This year, because all of you learned a little bit about protocols and you learned a little bit about Windows and that kind of thing, I'm going to try to do it instead in the relative order in which I would do a pentest. Right, so like for example, I go to a pentesting competition, what do I start with? I start with reconnaissance. That makes sense. It's not going to be the exact order, but it's going to be close enough. Okay, so yeah, the order for competition, yes, for Windows it's generally pretty straightforward. I think of it as like a line with like loops. So I do a little line, and then eventually I get credentials and I loop back and I do the things that I can do when I have credentials, and eventually I become an administrator, and then I loop back and I go for another line that lets me do things as an administrator. And it's relatively sequential, but it'll vary a little bit.

Okay, so NetExec, one of the things you can do. So who's run an nmap scan before? You've done that before? Okay, perfect, that's so great. Nmap can take a long time, and it'll scan like all the ports, and it can be a little bit slow, and sometimes it's a little bit inaccurate. Now, you should do an nmap scan regardless. Right here I'm passing a subnet, this is the CPTC subnet, and I'm saying do all these IP addresses in the subnet, and it's going to tell me all the Windows machines, and it's going to give me the domain names and that kind of thing. But something that's really nice is SMB will often report the operating system name, it'll report the domain name and the computer name. You can see, can you see my mouse? Yeah, here you see the domain name, you can see the name of the computer, you can see whether or not SMB signing is enabled, you can see whether or not SMB version one is a thing. And this is really fantastic, it's really fast, you can scan 256 machines in like 10 seconds or something, so I really recommend this. Now once you do this, you can add it to your /etc/hosts file, and you say, hey, IP address 1010100 is dc.sccmlab.local, right. That makes sense? Okay, yes, Julen? Oh, well, show if you have, yeah, this. So in this case I'm using the SMB protocol. So if SMB, now in Linux SMB is called Samba, and it will also show you that, it'll show you if it's a Linux machine, as long as SMB is running. And there are other ways to use Active Directory to determine all the Linux machines on the network, but this is not one of them, unless Samba is running. That make sense?
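An added example, not code from the talk or from the NetExec project: a Python parser for the SMB banner lines NetExec prints during the scan described above. The banner layout is assumed from NetExec's output format and the sample lines are constructed; the parser produces the /etc/hosts entries the talk mentions and groups hosts whose SMB signing or SMBv1 settings belong on the report.

```python
"""Inventory from NetExec SMB banner lines (example code, not from the talk)."""
import re
from dataclasses import dataclass

# Banner layout assumed from NetExec's SMB output; the lines here are
# constructed for this example, not captured from a real network.
SAMPLE_OUTPUT = """\
SMB         10.10.10.10     445    DC               [*] Windows Server 2019 Build 17763 x64 (name:DC) (domain:sccmlab.local) (signing:True) (SMBv1:False)
SMB         10.10.10.20     445    WS01             [*] Windows 10 Build 19041 x64 (name:WS01) (domain:sccmlab.local) (signing:False) (SMBv1:False)
SMB         10.10.10.30     445    FILES            [*] Windows 7 Professional 7601 Service Pack 1 x64 (name:FILES) (domain:sccmlab.local) (signing:False) (SMBv1:True)
SMB         10.10.10.40     445    NAS              [*] Unix - Samba (name:NAS) (domain:WORKGROUP) (signing:False) (SMBv1:False)
"""

BANNER_RE = re.compile(
    r"^SMB\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\d+\s+\S+\s+\[\*\]\s+"
    r"(?P<os>.*?)\s+\(name:(?P<name>[^)]*)\)\s+\(domain:(?P<domain>[^)]*)\)"
    r"\s+\(signing:(?P<signing>True|False)\)\s+\(SMBv1:(?P<smbv1>True|False)\)"
)


@dataclass(frozen=True)
class SmbHost:
    ip: str
    name: str
    domain: str
    os: str
    signing: bool   # True when the server requires SMB signing
    smbv1: bool     # True when the legacy SMBv1 dialect is still enabled

    @property
    def fqdn(self) -> str:
        # Hosts outside the domain (Samba boxes, standalone workstations)
        # may report an empty domain, so fall back to the bare name.
        return f"{self.name}.{self.domain}".lower() if self.domain else self.name.lower()


def parse_banners(text: str) -> list[SmbHost]:
    """Turn NetExec SMB banner lines into SmbHost records; other lines are skipped."""
    hosts = []
    for line in text.splitlines():
        m = BANNER_RE.match(line.strip())
        if m is None:
            continue
        hosts.append(SmbHost(
            ip=m["ip"], name=m["name"], domain=m["domain"], os=m["os"],
            signing=m["signing"] == "True", smbv1=m["smbv1"] == "True",
        ))
    return hosts


def hosts_file_entries(hosts: list[SmbHost]) -> list[str]:
    """/etc/hosts lines so the names SMB reported resolve (Kerberos needs the FQDN)."""
    return [f"{h.ip} {h.fqdn} {h.name.lower()}" for h in hosts]


def hardening_findings(hosts: list[SmbHost]) -> dict[str, list[str]]:
    """Group hosts by weak SMB setting; these are the report items to fix."""
    findings: dict[str, list[str]] = {"signing_not_required": [], "smbv1_enabled": []}
    for h in hosts:
        if not h.signing:
            findings["signing_not_required"].append(h.ip)
        if h.smbv1:
            findings["smbv1_enabled"].append(h.ip)
    return findings


if __name__ == "__main__":
    inventory = parse_banners(SAMPLE_OUTPUT)
    print("\n".join(hosts_file_entries(inventory)))
    print(hardening_findings(inventory))
```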
Okay, all right, so we've done the reconnaissance. Oh man, well, yeah, I guess I can use this. Okay, so who here has run EternalBlue before? All right, perfect. EternalBlue is one of those exploits that the NSA, did they create it? Was it Shadow Brokers? Was it an NSA thing? I forget. But basically it's an exploit that you can run with zero credentials. So you can do a scan with NetExec or with nmap and you can look for machines that are vulnerable to EternalBlue, and with zero credentials you can just get administrator on any machine if they are vulnerable. I don't recommend this, it's very unstable, which means in a pentest, if you're pentesting a company that has tons and tons of people and tons of machines depending on domain control, you do not want to run it, because as pentesters people already think we're evil, so you don't want to go break their systems, you know. So this is the kind of thing that you can detect and you put on a report, but preferably you do not run it, okay. But if you're doing like a Hack The Box lab it's okay, you can do that, nobody else is using it but you. I guess that's true.

Zerologon is another vulnerability. It's slightly more recent, I think it's, yep, from 2020, and this is a vulnerability in the Netlogon protocol that basically, so, Max, you're good at crypto, they had an AES key with a hardcoded IV, and the IV was zero. So somebody discovered that, and they figured out that you can basically break the encryption on Netlogon, which is a logon protocol on Windows. You can change the password to whatever you want and log on to the domain controller, you have access to everything. Remember, on the domain controllers is the ntds.dit file, all the passwords of all the users. Right, now, also, you shouldn't run this unless you know what you're doing, and I'm saying that because in a pentest at CPTC globals I ran this and I forgot to undo the exploit, and later the competition people came in. CPTC is kind of like a role-playing competition, low-key, because you pretend like you're doing an actual pentest. They came in and they were like, planes are being grounded, people are dying, there's like a heart transplant that's going to happen but it can't get to the other state because you shut down the whole airport. Because I shut down the whole airport, accidentally. So basically if you set the password, if you reset the password, you have to put it back, right. But you know, just be wary of that. This is stuff that I didn't include last year, I didn't include the like safety precautions, which was not good, because we didn't do that well at globals specifically because we were not being safe. So when all of you continue to do CPTC or whatever, just remember to be safe, okay.

All right, let's talk about SMB. I love SMB, it's the best protocol. It's like the main one you have to use when you get on a network. There's two different types of logon you should be trying if you don't have credentials. Sometimes in a pentest they will give you credentials to start off, because you can pretend that you are like an insider threat, right, like Adam got hired for this company, is evil, right, they'll give you Adam's credentials and you can do stuff. But sometimes you're not going to have credentials, especially in a box, and there's two types of logon you want to try. Anonymous logon, which is guest logon, that's when you have a username, any username, and no password, and this allows you to view shares and do this technique called a RID brute, which I'll talk about later, to view all the users. And null logon, which very rarely exists, but when it does, it's typically only on a domain controller, will allow you to view shares, users, groups, and password policy, okay. I've only seen this like once in a lab, like null logon, but it does exist sometimes, although it's rare nowadays. Here's me using, at the top, anonymous logon. You can see that I'm using the username "a", you can do whatever you want, I always do "a" because it's the shortest thing, and I do no password, and I say shares, and NetExec will spit out all the shares and my permissions. It'll say I can read the IPC share, I can read and write the IT share, I can read the user share, okay. Here's null logon. In this case it's giving me a
no log on in this case it's giving me a
no log on in this case it's giving me a status access
status access
status access denied uh I guess I'll talk about that
denied uh I guess I'll talk about that
denied uh I guess I'll talk about that later uh any questions yeah what do you
later uh any questions yeah what do you
later uh any questions yeah what do you mean that a is the shortest uh that's
mean that a is the shortest uh that's
mean that a is the shortest uh that's just basically you want to type in a
just basically you want to type in a
just basically you want to type in a nonnull user so I pick a user that's one
nonnull user so I pick a user that's one
nonnull user so I pick a user that's one character because it's fast to type and
character because it's fast to type and
character because it's fast to type and I go for a probably because my name is
I go for a probably because my name is
I go for a probably because my name is Adam uh you can do whatever you want I
Adam uh you can do whatever you want I
Adam uh you can do whatever you want I see a lot of people they type in guest
see a lot of people they type in guest
see a lot of people they type in guest so they can be more explicit um but so
so they can be more explicit um but so
so they can be more explicit um but so this is actually an old screenshot
this is actually an old screenshot
this is actually an old screenshot nowadays n exec will actually show you
nowadays n exec will actually show you
nowadays n exec will actually show you if it's guest log on it'll print out
if it's guest log on it'll print out
if it's guest log on it'll print out guest which is nice that Mak sense okay
guest which is nice that Mak sense okay
guest which is nice that Mak sense okay other
questions? I'm already burning out my voice.

Okay, now let's say you have access to a share, right? So here we have access to the IT share, we can read and write. This is a totally different lab, but in this case I have a username and a password, so what I do is I use smbclient.py, which is part of the Impacket library, to log in with a username, a password and an IP address. I can list all the shares, here's the shares, and to use a share I say use and the name of the share, and then I type ls, and I can do cat and I can do get and put. In this case there's nothing in the share, right, but this is how you would do stuff with smbclient. Make sense? Andre: why would you do that? What do you mean? Like... yeah, that's ex... so this is just printing out the things that exist, yeah. NetExec can upload files and download files and list files, but I just prefer to use smbclient, it's a little bit nicer. Okay, yeah.
Okay, so another thing you can do is password spraying. Now, before I talk about password spraying I'm going to talk about the safety precautions, so that nobody goes to Global CPTC and shuts down the whole domain. Okay, so you can see there's this argument with NetExec called pass-pol, password policy. It'll tell me the complexity. Here it says password complexity flag 000000; that means nothing, I'm allowed to type in the wrong password as many times as I want, I can have as short of a password as I want, etc., etc. Actually, here it says minimum password length five, maximum history length 24; that means it saves the last 24 passwords. Crazy, right? Yeah? Hashes or passwords? Hashes, yeah, so not actually the passwords, it saves the hashed passwords. But now that I see that there's no lockout policy I can brute force as much as I want. So I got a password here, I have a password called Heartsbane for a specific user. I might as well just try it for all the users, right? Maybe this person has two users, maybe multiple users use the same password. Well, if you look at passwords of people in Gainesville, there's a lot of people that have a password go Gators, or they have a password that's like Go Gainesville, Florida Sunshine, whatever, you know, people love that. Yeah? How do you know that a lot of people have those passwords? You can find password dumps online, some of which have IP addresses, and you can download the data and correlate them, so you can look at the passwords that are common in regions. Like in Austin I saw a lot of people that said go Longhorns, UT Austin, like I love brisket, you know, stuff like that. And you can come up with your own word lists based on things that are common in regions. Yep? How common is it for password complexity to be like infinite tries? I would say it's uncommon, because it's one of those things that are... it's just so... I wouldn't know, because I haven't really done any actual pentests, or I've done one actual pentest. I would say most companies are hopefully smart enough to do the simplest security configuration, which is password policy. But yeah, here, this is a tool that lets you make a custom word list for password cracking, so you can actually search through all of LDAP at UF and you can see that things are called UF, UFL, students, Gators, and it'll automatically create a word list based on common words in the domain. Also remember you can use local auth: if you have a password that's doing domain logon, you can also try it on the local computer. Okay. By the way, if I tell you you can do this, what I'm saying is technically you can, but you shouldn't. Remember, when I mention UF, don't do that, don't do that on the UF network, do it on your own lab, do it on Hack The Box, TryHackMe. Okay.
Okay, good. Here's that technique I mentioned called RID brute. You can see that I'm using anonymous logon, guest logon, and what this does is it says, hey, I know that relative identifiers typically start with 500 for like built-in users, and for users that are new it starts at 1,000. So it just says, hey, what is RID 500? And it gets back to you and it says it's Administrator. What is RID 1000? Nothing. What is 1008? It's the domain controller machine account. What is 1110? It's, you know, etc. And you can see here there's an adam user that's 115. It just kind of brute forced, and it said what is RID this, and if it responds it knows what it is. Yes, Andre? Can you explain how at 49? I thought they started at 500. I thought so too, but I guess not. Yeah, so this is really useful, you can always do this if you have anonymous logon. I see a lot of people who are like expert pentesters who don't know this, and they're like how do I figure out the usernames? This is how.

Okay, this is no authentication when it actually works. Here I'm using zero username, zero password, I'm asking for the users, right, that's the users argument, and it gives me a list of the usernames, the last time they changed their password, the bad password count and a description. You'll notice that here there's a password in the description, and the reason that happens sometimes is because administrators occasionally do not know that the description is public; they think it's just like an internal thing, but the description is public. So that's how I got this user Samwell Tarly, password Heartsbane. Questions about that? Okay, let's see what time it is.
Oh my God, it's 6:30, I'm nowhere near done. Here's a fun little fact: SMB allows you to get code execution. How crazy is that? SMB is just a file share protocol, why can we execute code? I don't know, because it's Windows. If you're a local administrator on a machine you can execute commands using something called SMB exec. So here I am using the capital X argument on NetExec, which is run as PowerShell, and it's printing out the PSVersionTable, the PowerShell version. So if you ever have local admin, which by the way, if you have local admin NetExec will print out pwned, it'll say you've pwned this machine as this user. It'll do that for every protocol, but if it says pwned that means you have code execution. Questions? Yes? I guess, what's the difference between a user that has pwned and one that doesn't? For SMB it means local admin is pwned; on LDAP, domain admin is pwned. Okay. For WinRM it's if you're in the PS Remote group that it says pwned. Essentially it will say pwned if there's something that allows you to execute commands. Okay, it depends on the protocol, but pwned means you got onto the machine.
Okay, all right. There's another thing that I do at the beginning of a pentest that requires some background. There's a protocol called LLMNR that I didn't talk about; this stands for Link-Local Multicast Name Resolution. You don't have to worry about what that is, it's basically DNS. Windows has this thing where, if it's enabled on a network, which it is by default, if my computer says hey, I'm looking for a file share called adom and it doesn't exist, I go and request to every other machine on the domain: do you know where Adam is, do you know where the file share called adom is? And any of them can respond with any IP address and my computer just believes it, no verification. Which means that you can just sit there and respond to every LLMNR request with your IP address, so any time someone mistypes something it'll make a request to your computer. Now, the reason that's rough is because every time you request with SMB you send over a password hash to authenticate, which means that if I make a fake SMB server and I redirect everyone over to my SMB server I can just collect hashes. So some pentesters tell me that they just leave this running for 24 hours and they get like 50 hashes, and they try to crack those hashes, they get passwords, they get onto the domain. Questions about this? Windows, see, Windows is nice and easy, it makes things... you make a typo, it'll try to figure it out for you, but it'll also do this. So it's enabled by default; you should disable it. Andre? Do you actually need to crack the hash, can you just use the hash? This is not an NTLM hash, this is a Net-NTLM hash, which does require cracking. In this case you can see it's a v2 hash, which means it's not downgraded to an NTLM hash.
Okay, let's talk about relaying. So that was something that we call relaying, but technically relaying is when you capture a hash and forward it to another host to authenticate with it. So, you know, like a relay in a race where you have a little thing and you relay it over to someone; it's the same thing here, you grab a hash and you relay it over to another host and you try to authenticate as the person who authenticated to you. Now, sometimes you can capture a hash by doing... so that was like getting people to browse to an SMB share, or people doing a typo, through LLMNR. Sometimes there are exploits that allow you to coerce auth, so you can coerce someone, by exploiting them, into authenticating to you. You can also capture a hash by getting a database to request a file on your SMB share. You can do it by sending an email with an image in it, but the image points to your SMB share, so when someone opens the email it tries to render the image and it requests the image from your SMB share and it tries to authenticate. You can do it by making a website request a file from your SMB share; so let's say you have a website that, like, will render files for you: instead of typing in a local path you can type in a URL, and it'll make a request to you, the attacker, and send a hash. Does that make sense? Was that confusing? No, that makes sense. So there's a lot of ways that you can get hashes, and you can try to crack them and get access to stuff. Now, if you want to do actual relaying you have to do something, and NetExec will allow you to do this thing where they generate a relay list. So you know how I mentioned, like, if you coerce authentication to you, you can send that hash over to someone else? SMB by default, well, on servers only, SMB signing is enabled, and SMB signing is this thing where it'll say are you really who you say you are. So if SMB signing is disabled you can relay authentication from another person over to you and just
from another person over to you and just
from another person over to you and just pretend you're that other person and the
pretend you're that other person and the
pretend you're that other person and the server will not check if you're actually
server will not check if you're actually
server will not check if you're actually who you say you are does that make sense
who you say you are does that make sense
who you say you are does that make sense so if I want to do that kind of exploit
so if I want to do that kind of exploit
so if I want to do that kind of exploit one second I would do I would generate a
one second I would do I would generate a
one second I would do I would generate a relay list with net exec and this is
relay list with net exec and this is
relay list with net exec and this is just going to find every machine that
just going to find every machine that
just going to find every machine that has SMB signing disabled and it'll tell
has SMB signing disabled and it'll tell
has SMB signing disabled and it'll tell me these are the machines that are
me these are the machines that are
me these are the machines that are vulnerable these are the machines you
vulnerable these are the machines you
vulnerable these are the machines you can trick and lie to
can trick and lie to
can trick and lie to Colin requires the hash as
Colin requires the hash as
Colin requires the hash as well this this would be with a net nlm
well this this would be with a net nlm
well this this would be with a net nlm hash uh so it's not past the hash this
hash uh so it's not past the hash this
hash uh so it's not past the hash this is a relay
is a relay
is a relay attack um Andre
attack um Andre
attack um Andre that email yeah do that requ any user
that email yeah do that requ any user
that email yeah do that requ any user interaction or does
interaction or does
interaction or does it it does so you might have noticed
it it does so you might have noticed
it it does so you might have noticed that on on Outlook for your school email
that on on Outlook for your school email
that on on Outlook for your school email if it doesn't trust the email it will
if it doesn't trust the email it will
if it doesn't trust the email it will not load the image it'll be like do you
not load the image it'll be like do you
not load the image it'll be like do you want to load this image hases anyone
want to load this image hases anyone
want to load this image hases anyone realize that this is one of the reasons
realize that this is one of the reasons
realize that this is one of the reasons why is because now just one of the
why is because now just one of the
why is because now just one of the reasons but this is one reason is they
reasons but this is one reason is they
reasons but this is one reason is they don't want you to load a for image and
don't want you to load a for image and
don't want you to load a for image and send credentials over or hashes over
send credentials over or hashes over
send credentials over or hashes over Okay so so one of the cool things you
Okay so so one of the cool things you
Okay so so one of the cool things you can do is there's a module in Ed exit
can do is there's a module in Ed exit
can do is there's a module in Ed exit called Slinky so uh there's a link file
called Slinky so uh there's a link file
called Slinky so uh there's a link file in Windows that's basically a shortcut
in Windows that's basically a shortcut
in Windows that's basically a shortcut every link file has an image like a
every link file has an image like a
every link file has an image like a image preview if you can for example
image preview if you can for example
image preview if you can for example write to an SMB share you can upload a
write to an SMB share you can upload a
write to an SMB share you can upload a lnk file that has an image that points
lnk file that has an image that points
lnk file that has an image that points to your malicious SMB server so that way
to your malicious SMB server so that way
to your malicious SMB server so that way anytime someone just opens a
anytime someone just opens a
anytime someone just opens a folder it'll try to preview the image
folder it'll try to preview the image
folder it'll try to preview the image and'll authenticate now this can be in
and'll authenticate now this can be in
and'll authenticate now this can be in other places than just an SMB share but
other places than just an SMB share but
other places than just an SMB share but an SMB share is the most likely because
an SMB share is the most likely because
an SMB share is the most likely because you can write to that remotely does that
you can write to that remotely does that
you can write to that remotely does that make sense yeah okay now let's talk
make sense yeah okay now let's talk
make sense yeah okay now let's talk about some coion exploits I'm going to
about some coion exploits I'm going to
about some coion exploits I'm going to go through this quickly because they're
go through this quickly because they're
go through this quickly because they're kind of complicated and you don't really
kind of complicated and you don't really
kind of complicated and you don't really have to fully understand how they work
have to fully understand how they work
have to fully understand how they work and also there's uh we're a little bit
and also there's uh we're a little bit
and also there's uh we're a little bit behind I probably should have known uh
behind I probably should have known uh
behind I probably should have known uh there's a exploit called patite patam
there's a exploit called patite patam
there's a exploit called patite patam which is I think from like 20121 or 2022
which is I think from like 20121 or 2022
which is I think from like 20121 or 2022 that allows you to course a Windows host
that allows you to course a Windows host
that allows you to course a Windows host to authenticate so this isn't like a
to authenticate so this isn't like a
to authenticate so this isn't like a miscon configuration this is an exploit
miscon configuration this is an exploit
miscon configuration this is an exploit and it's an exploit in RPC uh so you can
and it's an exploit in RPC uh so you can
and it's an exploit in RPC uh so you can run petite patam and course it to
run petite patam and course it to
run petite patam and course it to authenticate to wherever you want
authenticate to wherever you want
authenticate to wherever you want there's also one called Shadow course
there's also one called Shadow course
there's also one called Shadow course it's very similar except it's in the
it's very similar except it's in the
it's very similar except it's in the file server remote vsss protocol don't
file server remote vsss protocol don't
file server remote vsss protocol don't worry about that what that means uh but
worry about that what that means uh but
worry about that what that means uh but this only exists if this particular
this only exists if this particular
this only exists if this particular service FS uh RVP is enabled on the
service FS uh RVP is enabled on the
service FS uh RVP is enabled on the machine uh there's also things to
machine uh there's also things to
machine uh there's also things to automatically CO as of like a week ago n
automatically CO as of like a week ago n
automatically CO as of like a week ago n exec has a module called coer plus that
exec has a module called coer plus that
exec has a module called coer plus that lets you pass in an IP address which is
lets you pass in an IP address which is
lets you pass in an IP address which is going to be your malicious IP address
going to be your malicious IP address
going to be your malicious IP address and it'll just automatically go through
and it'll just automatically go through
and it'll just automatically go through all the machines and say DFS course
all the machines and say DFS course
all the machines and say DFS course petite patam uh printer bug Ms even
petite patam uh printer bug Ms even
petite patam uh printer bug Ms even it'll just go through a bunch of corion
it'll just go through a bunch of corion
it'll just go through a bunch of corion vulnerabilities it'll try to exploit
vulnerabilities it'll try to exploit
vulnerabilities it'll try to exploit them uh there's one that I like a little
them uh there's one that I like a little
them uh there's one that I like a little bit better which is called coercer and
bit better which is called coercer and
bit better which is called coercer and this is one that will go through every
this is one that will go through every
this is one that will go through every single RPC endpoint and it's much more
single RPC endpoint and it's much more
single RPC endpoint and it's much more thorough and it has just one more
thorough and it has just one more
thorough and it has just one more coercion bug I believe uh it'll do the
coercion bug I believe uh it'll do the
coercion bug I believe uh it'll do the same thing it'll go through a ton of RPC
same thing it'll go through a ton of RPC
same thing it'll go through a ton of RPC endpoints it'll go through a ton of
endpoints it'll go through a ton of
endpoints it'll go through a ton of hosts and it'll try to coarse
hosts and it'll try to coarse
hosts and it'll try to coarse authentication over to your listener
authentication over to your listener
authentication over to your listener which is going to be your malicious IP
which is going to be your malicious IP
which is going to be your malicious IP address are people getting confused
address are people getting confused
address are people getting confused now no I'm surprised good job I'm proud
now no I'm surprised good job I'm proud
now no I'm surprised good job I'm proud of you uh any
of you uh any
of you uh any questions okay are people not asking
questions okay are people not asking
questions okay are people not asking questions because they just don't know
questions because they just don't know
questions because they just don't know what to ask yes yeah so so it's what
what to ask yes yeah so so it's what
what to ask yes yeah so so it's what exactly trying to do what is coercer
exactly trying to do what is coercer
exactly trying to do what is coercer yeah what it coercer so I give it a a
yeah what it coercer so I give it a a
yeah what it coercer so I give it a a list of hosts
list of hosts
list of hosts and I give it a username and a password
and I give it a username and a password
and I give it a username and a password which is not necessary but usually you
which is not necessary but usually you
which is not necessary but usually you kind of have to have one and I give it a
kind of have to have one and I give it a
kind of have to have one and I give it a listener so what this is doing is it's
listener so what this is doing is it's
listener so what this is doing is it's looping through all the IP addresses in
looping through all the IP addresses in
looping through all the IP addresses in the host file and it's trying to get
the host file and it's trying to get
the host file and it's trying to get those hosts to authenticate to me which
those hosts to authenticate to me which
those hosts to authenticate to me which is the listener IP address does that
is the listener IP address does that
is the listener IP address does that makes sense so far and it's doing this
makes sense so far and it's doing this
makes sense so far and it's doing this using like the image methods like
using like the image methods like
using like the image methods like different in this case it's using
different in this case it's using
different in this case it's using vulnerabilities exploits so the this
vulnerabilities exploits so the this
vulnerabilities exploits so the this thing was like a misconfiguration you
thing was like a misconfiguration you
thing was like a misconfiguration you should not let random person right to an
should not let random person right to an
should not let random person right to an SMB share right but this is going to be
SMB share right but this is going to be
SMB share right but this is going to be using
using
using exploits that makes sense okay so it's
exploits that makes sense okay so it's
exploits that makes sense okay so it's like automatic it's automatic yeah this
like automatic it's automatic yeah this
like automatic it's automatic yeah this is very useful it'll just go through
is very useful it'll just go through
is very useful it'll just go through everything sometimes I have no idea what
everything sometimes I have no idea what
everything sometimes I have no idea what it's doing but it works and I'm like
it's doing but it works and I'm like
it's doing but it works and I'm like fantastic it worked I got a hash that's
fantastic it worked I got a hash that's
fantastic it worked I got a hash that's nice okay now if you want to receive
nice okay now if you want to receive
nice okay now if you want to receive those hashes you can use a tool called
those hashes you can use a tool called
those hashes you can use a tool called responder so here I am running responder
responder so here I am running responder
responder so here I am running responder on my tun tunnel interface which is my
on my tun tunnel interface which is my
on my tun tunnel interface which is my VP SC interface and every time someone
VP SC interface and every time someone
VP SC interface and every time someone authenticates to me you see over here I
authenticates to me you see over here I
authenticates to me you see over here I got the hash so here I got the hash for
got the hash so here I got the hash for
got the hash so here I got the hash for the Kings Landing machine account which
the Kings Landing machine account which
the Kings Landing machine account which by the way in Windows all machine
by the way in Windows all machine
by the way in Windows all machine accounts end with a dollar sign so
accounts end with a dollar sign so
accounts end with a dollar sign so that's how I know that this is a machine
that's how I know that this is a machine
that's how I know that this is a machine account is it says Kings Landing dollar
account is it says Kings Landing dollar
account is it says Kings Landing dollar sign and I he I see the hash here so if
sign and I he I see the hash here so if
sign and I he I see the hash here so if I want I can copy this over to a file I
I want I can copy this over to a file I
I want I can copy this over to a file I can try to crack it and see if there's a
can try to crack it and see if there's a
can try to crack it and see if there's a user a password I'll give you a hint
user a password I'll give you a hint
user a password I'll give you a hint though you will never crack a computer
though you will never crack a computer
though you will never crack a computer account machine hash because those
account machine hash because those
account machine hash because those hashes are regenerated every month
hashes are regenerated every month
hashes are regenerated every month they're I think 128 characters long and
they're I think 128 characters long and
they're I think 128 characters long and some of the characters are not even
some of the characters are not even
some of the characters are not even human readable so basically you're never
human readable so basically you're never
human readable so basically you're never going to crack those hashes
going to crack those hashes
going to crack those hashes ever but if it's like a user account you
ever but if it's like a user account you
ever but if it's like a user account you probably can or you maybe can right yeah
probably can or you maybe can right yeah
probably can or you maybe can right yeah what is your machine a machine account
what is your machine a machine account
what is your machine a machine account so there's user accounts right every
so there's user accounts right every
so there's user accounts right every computer this computer has a machine
computer this computer has a machine
computer this computer has a machine account which is like an account that is
account which is like an account that is
account which is like an account that is used for connecting to the domain and
used for connecting to the domain and
used for connecting to the domain and doing things related to the system right
doing things related to the system right
doing things related to the system right um I don't really fully know why there
um I don't really fully know why there
um I don't really fully know why there are machine accounts to be honest
are machine accounts to be honest
are machine accounts to be honest because they certainly could have gone
because they certainly could have gone
because they certainly could have gone another route but yeah yes that's
another route but yeah yes that's
another route but yeah yes that's different from the system account which
different from the system account which
different from the system account which deals with like Services that's correct
deals with like Services that's correct
deals with like Services that's correct this machine account is a domain account
this machine account is a domain account
this machine account is a domain account whereas the system account is local are
whereas the system account is local are
whereas the system account is local are machine accounts like log or just
machine accounts like log or just
machine accounts like log or just something technically you can log in so
something technically you can log in so
something technically you can log in so the zero log on exploit lets you reset
the zero log on exploit lets you reset
the zero log on exploit lets you reset the machine account password you can log
the machine account password you can log
the machine account password you can log in as a machine account and then you
in as a machine account and then you
in as a machine account and then you become n Authority
system uh yes you are there ways to make
system uh yes you are there ways to make sure your own hat is generated with
sure your own hat is generated with
sure your own hat is generated with non-readable characters likewise that
non-readable characters likewise that
non-readable characters likewise that with useres so let's say let's say
with useres so let's say let's say
with useres so let's say let's say you're a user and you want to log in how
you're a user and you want to log in how
you're a user and you want to log in how do you type the a non-readable
do you type the a non-readable
do you type the a non-readable character you know what I mean yeah okay
character you know what I mean yeah okay
character you know what I mean yeah okay I think it's technically possible I know
I think it's technically possible I know
I think it's technically possible I know the H keys because I did it by accident
the H keys because I did it by accident
the H keys because I did it by accident once maybe uh you
that's correct you should not be
that's correct you should not be accessing them manually attackers will
accessing them manually attackers will
accessing them manually attackers will do it and you can use that as a
do it and you can use that as a
do it and you can use that as a detection but there you will like
detection but there you will like
detection but there you will like machine accounts are logged into on a
machine accounts are logged into on a
machine accounts are logged into on a regular basis by other machine accounts
regular basis by other machine accounts
regular basis by other machine accounts so sometimes it's hard to
so sometimes it's hard to
so sometimes it's hard to determine you know Andre what do you
determine you know Andre what do you
determine you know Andre what do you mean other machines are loged into my
mean other machines are loged into my
mean other machines are loged into my Mach like the domain controller oh yeah
Mach like the domain controller oh yeah
Mach like the domain controller oh yeah okay I wonder how many slides I have
okay I wonder how many slides I have
okay I wonder how many slides I have left um
left um
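The speaker's point that machine-account logons can be a detection signal, but a noisy one because domain controllers use their machine accounts constantly, can be turned into a concrete rule. The code below is an added example, not part of the talk and not from any of the tools mentioned. It works on constructed records shaped like the fields of Windows Security event 4624 (TargetUserName, LogonType, AuthenticationPackageName, IpAddress, WorkstationName), with a constructed host-to-address map standing in for DNS or an asset inventory and a constructed list of DC names to allow-list. It flags NTLM network logons by a machine account that arrive from an address other than that machine's own, or that carry a workstation name that does not match the account, which is what a relayed or replayed machine-account authentication looks like to the server receiving it.

```python
"""Heuristic detection of suspicious machine-account logons (added example).

Records are constructed to mirror Windows Security event 4624 fields. The
host-to-address map and DC list are constructed placeholders; in a real
deployment they would come from DNS / an asset inventory and the directory.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed inventory: machine name -> the address it is expected to use.
HOST_ADDRESSES = {
    "WS01": "10.0.1.21",
    "WS02": "10.0.1.22",
    "FILESRV": "10.0.0.50",
    "DC01": "10.0.0.10",
}
# Domain controllers authenticate with their machine accounts all the time;
# allow-list them so the rule is not drowned in normal DC-to-member traffic.
DC_NAMES = {"DC01"}

NETWORK_LOGON = 3  # LogonType 3 = network (SMB, RPC, LDAP ...)


@dataclass(frozen=True)
class LogonEvent:
    target_user: str    # TargetUserName, e.g. "WS01$" or "alice"
    logon_type: int     # LogonType
    auth_package: str   # AuthenticationPackageName: "NTLM" or "Kerberos"
    ip_address: str     # IpAddress the logon came from
    workstation: str    # WorkstationName the client reported


def is_machine_account(name: str) -> bool:
    """Machine accounts end in '$', as the talk points out."""
    return name.endswith("$")


def account_host(name: str) -> str:
    """'CORP\\WS01$' or 'WS01$' -> 'WS01'."""
    return name.rsplit("\\", 1)[-1].rstrip("$").upper()


def suspicious_machine_logon(ev: LogonEvent) -> List[str]:
    """Return the reasons this logon looks wrong; an empty list means benign."""
    if not is_machine_account(ev.target_user):
        return []
    if ev.logon_type != NETWORK_LOGON:
        return []
    # Relay and pass-the-hash ride on NTLM; Kerberos logons are out of scope here.
    if ev.auth_package.upper() != "NTLM":
        return []
    host = account_host(ev.target_user)
    if host in DC_NAMES:
        return []
    reasons = []
    expected_ip = HOST_ADDRESSES.get(host)
    if expected_ip is None or ev.ip_address != expected_ip:
        reasons.append("source address is not the account's own host")
    if ev.workstation.upper() != host:
        reasons.append("reported workstation name differs from the account")
    return reasons


def find_suspicious(events: List[LogonEvent]) -> List[Tuple[str, List[str]]]:
    """Run the rule over a batch and keep (account, reasons) for every hit."""
    hits = []
    for ev in events:
        reasons = suspicious_machine_logon(ev)
        if reasons:
            hits.append((ev.target_user, reasons))
    return hits


# Constructed sample batch: two benign machine logons, one that looks relayed
# (right name, wrong source), one that looks like a tool from an attacker box,
# a user logon, and a Kerberos machine logon the rule deliberately ignores.
SAMPLE_EVENTS = [
    LogonEvent("WS01$", 3, "NTLM", "10.0.1.21", "WS01"),
    LogonEvent("DC01$", 3, "NTLM", "10.0.0.10", "DC01"),
    LogonEvent("WS02$", 3, "NTLM", "10.0.9.99", "WS02"),
    LogonEvent("FILESRV$", 3, "NTLM", "10.0.9.99", "kali"),
    LogonEvent("alice", 3, "NTLM", "10.0.1.21", "WS01"),
    LogonEvent("WS01$", 3, "Kerberos", "10.0.9.99", "WS01"),
]

if __name__ == "__main__":
    for account, reasons in find_suspicious(SAMPLE_EVENTS):
        print(account, "->", "; ".join(reasons))
```

Kerberos logons are deliberately left out and the DC allow-list is what keeps the rule quiet on the machine-to-machine traffic the speaker mentions; both are knobs to tune per environment rather than fixed truths.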
Okay, so here's how you relay hashes, here's how you do an actual relay attack. There's three steps. One, you generate the relay list, and I'm calling it tf.txt; this is the list of hosts with SMB signing disabled. SMB signing is disabled by default on workstations, like user accounts, but it's enabled by default on servers, so if you see a server with SMB signing disabled, that's rough. There are legitimate reasons to disable SMB signing, because it makes things take longer, but, eh, it should be enabled. I think it is enabled by default on Windows 11 and Server 2025. The next thing you do is you set up your listener. This is a tool called ntlmrelayx, and I'm passing in my file of targets and I'm also enabling SMB2, which you kind of have to do in a lot of Impacket tools, I don't know why, but you just do it. And this is a cool tool where any time it receives a hash, it'll try to forward the hash over to the vulnerable machines, and it'll automatically dump all the passwords on the machine if it's successful. You can also make it automatically give you a shell, you can also make it automatically give you an LDAP shell, which is something that lets you modify LDAP properties. It can do a lot of stuff; by default it just dumps passwords. So once you have your listener set up, you coerce authentication using NetExec, using Coercer, using whatever else. All right, makes sense?

Okay, so that's like... oh, and here's an example. I had to redact a lot of stuff because this is from an exam that I took, but here's me at the top, I have my listener at the bottom, I ran the PetitPotam exploit, and you can see it dumped the hashes; it gave me the administrator hash, and in this case it's my local hashes, my SAM hashes, so these are my local accounts. And remember, this is an NTLM hash, which means I can log in, I can pass the hash, and I can log in with just the hash without cracking the password.
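Generating the "relay list" of hosts with SMB signing disabled, the first of the three steps the speaker walks through, comes down to reading one field of each server's SMB2 NEGOTIATE response. The code below is an added example, not NetExec's or Impacket's implementation: it constructs minimal NEGOTIATE responses (header and body laid out as in MS-SMB2, every field not inspected zeroed) and classifies the SecurityMode flags. The point for a defender is the middle case: a server with signing enabled but not required still accepts an unsigned session, so an audit should treat only "required" as safe. The SAMPLE_FLEET host names are constructed.

```python
"""Classify a server's SMB2 signing posture from its NEGOTIATE response.

Added example, not NetExec's or Impacket's code. The byte layout follows
MS-SMB2: a 64-byte header whose Command field sits at offset 12, followed by
the NEGOTIATE response body whose second field is SecurityMode.
"""
import struct
from typing import Dict, List

SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64
SMB2_NEGOTIATE = 0x0000
NEGOTIATE_RESPONSE_STRUCTURE_SIZE = 65  # 64 fixed bytes + 1 byte of variable buffer
SIGNING_ENABLED = 0x0001   # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002  # SMB2_NEGOTIATE_SIGNING_REQUIRED


def build_negotiate_response(security_mode: int, dialect: int = 0x0311) -> bytes:
    """Constructed server reply with only the fields this audit inspects set."""
    header = SMB2_MAGIC + struct.pack(
        "<HHIHHIIQIIQ16s",
        SMB2_HEADER_LEN,   # StructureSize
        0,                 # CreditCharge
        0,                 # Status
        SMB2_NEGOTIATE,    # Command
        1,                 # CreditResponse
        0x00000001,        # Flags: SMB2_FLAGS_SERVER_TO_REDIR
        0, 0, 0, 0, 0,     # NextCommand, MessageId, Reserved, TreeId, SessionId
        b"\x00" * 16,      # Signature
    )
    body = struct.pack(
        "<HHHH16sIIIIQQHHI",
        NEGOTIATE_RESPONSE_STRUCTURE_SIZE,
        security_mode,
        dialect,
        0,                                  # NegotiateContextCount
        b"\x00" * 16,                       # ServerGuid
        0, 0x800000, 0x800000, 0x800000,    # Capabilities, MaxTransact/Read/Write
        0, 0,                               # SystemTime, ServerStartTime
        SMB2_HEADER_LEN + 64, 0,            # SecurityBufferOffset, SecurityBufferLength
        0,                                  # NegotiateContextOffset
    )
    return header + body


def signing_posture(response: bytes) -> str:
    """Return 'required', 'enabled' (but optional) or 'disabled'."""
    if len(response) < SMB2_HEADER_LEN + 4 or not response.startswith(SMB2_MAGIC):
        raise ValueError("not an SMB2 message")
    (command,) = struct.unpack_from("<H", response, 12)
    if command != SMB2_NEGOTIATE:
        raise ValueError("not a NEGOTIATE response")
    structure_size, security_mode = struct.unpack_from("<HH", response, SMB2_HEADER_LEN)
    if structure_size != NEGOTIATE_RESPONSE_STRUCTURE_SIZE:
        raise ValueError("unexpected NEGOTIATE response layout")
    if security_mode & SIGNING_REQUIRED:
        return "required"
    if security_mode & SIGNING_ENABLED:
        return "enabled"
    return "disabled"


def relay_exposed(response: bytes) -> bool:
    """Only a server that *requires* signing refuses a relayed, unsigned session."""
    return signing_posture(response) != "required"


def audit(responses: Dict[str, bytes]) -> List[str]:
    """Hosts that still need signing enforced, sorted into a remediation list."""
    return sorted(host for host, resp in responses.items() if relay_exposed(resp))


# Constructed fleet: a DC that requires signing, a file server that only has it
# enabled, and a workstation with both flags clear.
SAMPLE_FLEET = {
    "dc01": build_negotiate_response(SIGNING_ENABLED | SIGNING_REQUIRED),
    "filesrv": build_negotiate_response(SIGNING_ENABLED),
    "ws01": build_negotiate_response(0),
}

if __name__ == "__main__":
    for host, resp in SAMPLE_FLEET.items():
        print(host, signing_posture(resp))
    print("needs signing enforced:", audit(SAMPLE_FLEET))
```

Any host that lands in the audit list is fixed by requiring signing on the server side (the "Microsoft network server: Digitally sign communications (always)" policy, RequireSecuritySignature), which is the default the speaker says newer Windows versions ship with.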
Questions?

[Audience] Yes, the exam that you... was easy?

I don't know. I'm not going to say which exam it is, because I'm putting this recording on YouTube and I don't want people to report me, but, you know, I'm definitely allowed to post... I mean, I redacted it, I think it's fine. But anyway, it's from an exam I took.

[Audience] Yeah, what class was it for?

It was... no, it was for a certification exam. Yeah.

Okay, yes, Andre?

[Audience] ...that actually, or did you...

Did I what? Like...

[Audience] Is it just blurred, or is it actually...

Yeah, technically I probably should have blacked it out. Fun fact: there are ways for you to undo pixelation. I kind of forgot about that, but it's okay, I trust nobody's going to do that.

Okay, so let's say, hopefully, you've gotten credentials by now. Here are the exploits that need credentials. PrintNightmare is this vulnerability, a set of vulnerabilities, that existed in 2021, where someone reported it and it got patched, and it got exploited again and it got patched, and exploited again, again, and as a result we have PrintNightmare 1, 2, 3, 4, HiveNightmare, PetitPotam; all of these are related. And PrintNightmare in particular is something that allows you to exploit an RPC endpoint for the printer driver to get remote code execution as an administrator, as long as you have some kind of credentials. That's all you have to know, so you can look up online yourself how to scan for it. I'll give you a hint: NetExec will do it for you.

Here's another vulnerability, called noPac. This is a vulnerability that exists in Kerberos that I'm not going to explain in full, but I do think this is... so a lot of exploits are like buffer overflows and crypto vulnerabilities; this is literally just a logic bug. Somebody put an if statement in the wrong place and allowed you to become domain admin with any user account. I really recommend you look up online how it works, because I think it's really cool; if you want, I'll send you a talk from the guy who discovered it, a talk that I really like.

Here's a list of some of the modules. This is actually outdated; as of now there's probably like 30% more modules in NetExec, but you can see there's a noPac module that will
see there's a noack module that will
see there's a noack module that will check if a domain controller is
check if a domain controller is
check if a domain controller is vulnerable and you can download from
vulnerable and you can download from
vulnerable and you can download from here this tool called noack upy that
here this tool called noack upy that
here this tool called noack upy that will allow you to impersonate whatever
will allow you to impersonate whatever
will allow you to impersonate whatever user you
user you
user you want okay
want okay
want okay questions okay all right let's talk
questions okay all right let's talk
questions okay all right let's talk about ldap let's say you've gone through
about ldap let's say you've gone through
about ldap let's say you've gone through all of andb and you're like I have no
all of andb and you're like I have no
all of andb and you're like I have no idea what to do here's what I would do
idea what to do here's what I would do
idea what to do here's what I would do with
with
with ldap something you can do remember that
ldap something you can do remember that
ldap something you can do remember that as long as you are a user you can scan
as long as you are a user you can scan
as long as you are a user you can scan lb and you can look at all the
lb and you can look at all the
lb and you can look at all the attributes sometimes you can do it
attributes sometimes you can do it
attributes sometimes you can do it without a username so what I'm doing
without a username so what I'm doing
without a username so what I'm doing here is I'm getting the What's called
here is I'm getting the What's called
here is I'm getting the What's called the base naming contexts of a domain
the base naming contexts of a domain
the base naming contexts of a domain controller which tells me that the
controller which tells me that the
controller which tells me that the domain name is snaps. local okay it's DC
domain name is snaps. local okay it's DC
domain name is snaps. local okay it's DC equal snap laabs DC equals local that's
equal snap laabs DC equals local that's
equal snap laabs DC equals local that's all you have to worry about and once I
all you have to worry about and once I
all you have to worry about and once I have that I give it that base and I say
have that I give it that base and I say
have that I give it that base and I say DC snap laabs local I give it a username
DC snap laabs local I give it a username
DC snap laabs local I give it a username and a password I don't know why username
and a password I don't know why username
and a password I don't know why username is D and password is W but it is and it
is D and password is W but it is and it
is D and password is W but it is and it lists out a ton of stuff now this is
lists out a ton of stuff now this is
lists out a ton of stuff now this is going to be really hard for you to read
going to be really hard for you to read
going to be really hard for you to read and it used to confuse me so much it's
and it used to confuse me so much it's
and it used to confuse me so much it's going to take some time for you to know
going to take some time for you to know
going to take some time for you to know what to skip and what to care about but
what to skip and what to care about but
what to skip and what to care about but something you can do is you can use like
something you can do is you can use like
something you can do is you can use like frequency analysis and you can look for
frequency analysis and you can look for
frequency analysis and you can look for Strings that are uncommon so this is a
Strings that are uncommon so this is a
Strings that are uncommon so this is a bash command that will look that will
bash command that will look that will
bash command that will look that will sort by
sort by
sort by uh the frequency of a string and it'll
uh the frequency of a string and it'll
uh the frequency of a string and it'll basically say what's uncommon what isn't
basically say what's uncommon what isn't
basically say what's uncommon what isn't what's more unique right because the
what's more unique right because the
what's more unique right because the unique stuff is probably what you care
unique stuff is probably what you care
unique stuff is probably what you care about and this will give me like a list
about and this will give me like a list
about and this will give me like a list of
of
of users um now if you want to make this
users um now if you want to make this
users um now if you want to make this easy easier there's also a impacket tool
easy easier there's also a impacket tool
easy easier there's also a impacket tool called get 80 users which will list all
called get 80 users which will list all
called get 80 users which will list all the users and there's also something in
the users and there's also something in
the users and there's also something in N exec that will get the description of
N exec that will get the description of
N exec that will get the description of every user remember I told you that
every user remember I told you that
every user remember I told you that sometimes admins will accidentally put a
sometimes admins will accidentally put a
sometimes admins will accidentally put a password in the description here's the
password in the description here's the
password in the description here's the password of the aid in
password of the aid in
password of the aid in user and it says change password from
user and it says change password from
user and it says change password from default password oh this is another
default password oh this is another
default password oh this is another thing that admins will do is they'll
thing that admins will do is they'll
thing that admins will do is they'll give every new user the same password
give every new user the same password
give every new user the same password and the users are supposed to change it
and the users are supposed to change it
and the users are supposed to change it but sometimes they don't so if you find
but sometimes they don't so if you find
but sometimes they don't so if you find a default password you should try it for
a default password you should try it for
a default password you should try it for all the users right assuming lockup
all the users right assuming lockup
all the users right assuming lockup policy is unique
policy is unique
policy is unique is Chill enough lacks enough um now
is Chill enough lacks enough um now
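The LDAP triage the talk just walked through (dump everything, sort by frequency to surface the rare strings, list the users, read the descriptions) as an added Python example; this is not code from the talk, from NetExec or from Impacket. It assumes the ldapsearch output was saved as LDIF. The records below are constructed for the snaplabs.local domain and the accounts, descriptions and values in them are made up.

```python
import base64
import re
from collections import Counter

# Constructed sample of ldapsearch LDIF output for the talk's snaplabs.local
# domain. The accounts, descriptions and values are made up for this example.
SAMPLE_LDIF = """\
dn: CN=Aiden,CN=Users,DC=snaplabs,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
sAMAccountName: aiden
description: change password from default password Welcome123!
userAccountControl: 512

dn: CN=Bob,CN=Users,DC=snaplabs,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
sAMAccountName: bob
description:: U2VydmljZSBhY2NvdW50IGZvciBiYWNrdXBz
userAccountControl: 512

dn: CN=Domain Admins,CN=Users,DC=snaplabs,DC=local
objectClass: top
objectClass: group
sAMAccountName: Domain Admins
"""


def parse_ldif(text):
    """Parse LDIF into a list of entries, each a dict of attr -> [values].

    Handles the two things that trip people up in raw ldapsearch output:
    folded continuation lines (a leading space) and base64 values
    (a double colon), which ldapsearch uses for non-printable text.
    """
    entries, current = [], {}
    unfolded = re.sub(r"\n ", "", text)
    for line in unfolded.splitlines():
        if not line.strip():            # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):        # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def rare_values(entries, max_count=1):
    """The talk's sort | uniq -c | sort -n idea: count every 'attr: value'
    across the dump and keep the ones seen at most max_count times.
    Boilerplate such as 'objectClass: top' appears on every entry and drops
    out; names, descriptions and odd one-off attributes remain."""
    counts = Counter(f"{attr}: {v}" for e in entries
                     for attr, values in e.items() for v in values)
    return [item for item, n in reversed(counts.most_common()) if n <= max_count]


def list_users(entries):
    """sAMAccountName of every user object, what GetADUsers prints."""
    return [e["sAMAccountName"][0] for e in entries
            if "user" in e.get("objectClass", []) and "sAMAccountName" in e]


PASSWORD_HINT = re.compile(r"pass(word|wd)|pwd|default", re.IGNORECASE)


def suspicious_descriptions(entries):
    """(user, description) pairs whose description talks about a password.
    A defender runs this over their own export: whatever this finds is
    readable by every authenticated account in the domain."""
    return [(e["sAMAccountName"][0], d)
            for e in entries if "sAMAccountName" in e
            for d in e.get("description", [])
            if PASSWORD_HINT.search(d)]


if __name__ == "__main__":
    found = parse_ldif(SAMPLE_LDIF)
    print("users:", list_users(found))
    for item in rare_values(found):
        print("rare:", item)
    for user, desc in suspicious_descriptions(found):
        print(f"review description of {user}: {desc}")
```

The same description check is worth running on your own directory export on the defensive side: anything GetADUsers or NetExec can read from the description field, every authenticated user can read too.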
Now, something I will note: the point of password spraying is, typically the lockout policy is if you log in more than three times incorrectly it locks you out, or it locks the user out, which is bad. One second. Password spraying is great because you only try one logon on every user, so every user has one out of three strikes. That's okay, you know. But if you lock out a user in an enterprise environment, like let's say you lock out the CEO, that's kind of rough, because the CEO is going to go to his board meeting and he's going to talk to the investors and be like, "Huh, I can't log in." So that's why you don't want to lock out users. Yeah?

[Audience] Colin... is one of them like an IP lock, like lo...

No, no, it's like once a user has not logged in, has gotten the wrong password three times (sometimes it's three, sometimes it's five), the user is no longer allowed to log in. So there isn't a way to, like, lock from a certain IP... it's not a password policy. You can prevent IP addresses from trying to log in, you can also prevent people from trying to log in at certain times or from certain devices, but that's not a thing. Okay, other questions?

[Audience] Andre, you just said prevent people from logging in from certain devices. How's that different from preventing them from...

I mean, like, some people are not allowed to log in from a mobile device, you know. Sometimes two-factor authentication is required for a laptop but not for a mobile device, which is a bad idea. Yes?

[Audience] Can you...

It depends on how they configured it. Sometimes it's like 24 hours, sometimes it's never, you know. Sometimes you have to ask the admin, "Hey, I'm locked out, help me," and sometimes it'll reset after like 24 hours. It just depends on how it's been configured. Other questions? Oh, so many people have been asking me questions. Anyone want these? Nobody wants them? You want them? There we go, you can have one, two. All right, hold on, I'm almost done, which I'm so relieved at, by the way. I'm sorry, I've been trying to get rid of these, more like I don't want them and they're just kind of sitting in my room. Oh, oh yeah, what's your question?

[Audience] So wouldn't it raise a flag that a bunch of people log in?

That's true, that's very true. And if you're a blue teamer, if you want to come to my blue team talk tomorrow, I'm going to talk about how to detect and defend against some of these attacks, because some attacks are really easy when there's no logging, and some of them are so easy to detect, right? So you're right. That's one thing we do, a frequency analysis: if the same user or the same IP address tries to log into every single account, or if we see a hundred failed logins within five seconds, that's rough and you know something's going on. Other questions?
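The detection heuristic the speaker just described for the blue-team side (the same IP trying every account, a hundred failures within five seconds) and the lockout collateral he warned about, as an added Python example that is not from the talk. The failed-logon records are constructed in the shape of the fields one pulls from Windows Security event 4625 (time, target account, source IP); the window size, spray threshold and lockout threshold are assumptions you would tune for your own environment.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed failed-logon records (time, target account, source IP), the
# fields a defender pulls from Windows Security event 4625. Made up for this
# example: the first eight are one source walking the user list once each,
# the last two are a real user mistyping their own password.
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:00", "aiden", "10.0.0.5"),
    ("2024-03-01T09:00:01", "bob", "10.0.0.5"),
    ("2024-03-01T09:00:01", "carol", "10.0.0.5"),
    ("2024-03-01T09:00:02", "dave", "10.0.0.5"),
    ("2024-03-01T09:00:02", "erin", "10.0.0.5"),
    ("2024-03-01T09:00:03", "frank", "10.0.0.5"),
    ("2024-03-01T09:00:03", "grace", "10.0.0.5"),
    ("2024-03-01T09:00:04", "heidi", "10.0.0.5"),
    ("2024-03-01T09:15:00", "Aiden", "10.0.1.20"),
    ("2024-03-01T09:15:30", "aiden", "10.0.1.20"),
]


def parse_events(rows):
    """Normalise to (datetime, lowercase account, source ip); AD account
    names are case-insensitive, so the lockout counter treats them as one."""
    return [(datetime.fromisoformat(t), user.lower(), ip) for t, user, ip in rows]


def spray_sources(events, min_accounts=5):
    """Password-spray shape: one source, many distinct accounts, each
    account seeing a single failure so no per-account lockout counter trips.
    Returns {source_ip: [accounts]} for sources touching >= min_accounts."""
    seen = defaultdict(set)
    for _, user, ip in events:
        seen[ip].add(user)
    return {ip: sorted(users) for ip, users in seen.items()
            if len(users) >= min_accounts}


def max_failures_in_window(events, window_seconds=5):
    """Largest number of failures inside any window_seconds-wide window,
    the talk's 'a hundred failed logins within five seconds' check."""
    times = sorted(t for t, _, _ in events)
    best, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > timedelta(seconds=window_seconds):
            start += 1
        best = max(best, end - start + 1)
    return best


def per_account_failures(events):
    return dict(Counter(user for _, user, _ in events))


def accounts_near_lockout(events, lockout_threshold=3):
    """Accounts whose failure count has reached the lockout threshold.
    aiden's own two typos plus the single spray attempt are enough: that
    is the 'you locked out the CEO' collateral the talk warns about."""
    return sorted(u for u, n in per_account_failures(events).items()
                  if n >= lockout_threshold)


if __name__ == "__main__":
    ev = parse_events(SAMPLE_EVENTS)
    print("spray sources:", spray_sources(ev))
    print("max failures in 5s:", max_failures_in_window(ev))
    print("at lockout threshold:", accounts_near_lockout(ev))
```

The thresholds are deliberately tiny to fit the constructed sample; the shape of the two checks (distinct accounts per source, failures per sliding window) is what carries over to a real 4625 feed.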
Okay, okay, so that's our LDAP. Easy, nice and easy. How do we make it even easier? There's a tool called BloodHound. BloodHound is really, really cool. It will grab all the objects in Active Directory: it'll grab the users, the groups, the permissions, all this stuff, and it'll make a graph with nodes where two nodes are connected by an edge. It's a directed graph where one node can access another node if in real life that user or that object can access the other object. Does that make sense? So all the administrator people can access every user, so as a result we have a node called admins and we have a node called students, and admins can access students. That makes sense? So if you scale this up you can make a giant directed graph, and you can use graph theory to find the shortest path from one user to another.

So let's say I exploit and I get access to the Aiden user, but I want to become the domain admin because I'm a hacker and I want to pwn the whole network. I can put it into BloodHound and I can say, what is the shortest path from Aiden to admin, and it'll give it to me. Now, BloodHound by default finds the shortest path in an unweighted graph. There are new tools that allow you to make it a weighted graph in order to say, hey, some exploits are easier than others, so sometimes a chain of 10 is easier than a chain of three. I'm not going to talk about that today, but it's something to note. Questions about that? Yes?

[Audience] I'm kind of confused what you mean by that.

I'll show you. So here I have a user called xy1 D3, this is from a Hack The Box called RazorBlack, and that user can log in to a machine called HAVENDC, it's the domain controller, and that domain controller can do an exploit called a DCSync that allows me to grab the credentials of every single user, right? And once I have credentials of every single user I can do whatever I want. So that's an exploit path where I first log into the machine and then I dump all the credentials. Does that make sense?

[Audience] Andre, can... have...

No, I don't think so. I don't think there's negative effort in anything in real life.

Now if you want to collect, by the way, fair warning: do not... I need all of you to promise, do not do this on the UF network or anywhere real unless they give you permission. Can people agree to that? People agree to that? I don't want to get in trouble. Except for one person. I don't want to get in trouble. Listen, listen, if you know what you're doing... actually, don't do it. Don't. Just don't do it. Now you can do it on Hack The Box. I really... it's really cool, I think it's very, like, the idea of graph theory in pentesting. If you're on a local machine you can use a collector called SharpHound which will collect all the stuff for a specific domain, and that's local. You can upload the data to BloodHound and it'll do a bunch of analysis, and you can also do it remotely with this tool called bloodhound.py. You pass it a user, a password, a domain, and you say collect all the info, and it'll collect all the info, and then you graph it. It'll give you a ton of cool graphs and cool exploit paths. And, yeah, this is a really fantastic tool for finding vulnerabilities, and it can sometimes make exploitation very, very easy. Questions? Okay.

There are some dangerous privileges. You'll notice that every edge has a privilege: CanPSRemote, DCSync, Contains. Now, that Contains privilege requires zero exploitation. If I'm in the admins group I'm not exploiting anything, I just already have that privilege, which is why I said sometimes a path of 10 is easier than a path of three. If you have a path of 10 that just says Contains, Contains, Contains, Contains, I already have access to it. But if I have a path that requires me to exploit things, that might be harder.

[Audience] Andre, does each edge have a direction?

It does have a direction. This is the old version of BloodHound, where the graphing visual they use is kind of dumb. You see this is like an arrow? You see how this is like the tip of an arrow, because it's smaller? This confused me when I was first using BloodHound too, but this is the start and this is the end, okay? Does that make sense? Yeah, okay.
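The graph idea behind BloodHound that the talk has been describing (directed edges, the fewest-hops path versus a cost-weighted path where a long chain of Contains or MemberOf edges costs nothing because you already hold the right) as an added Python example; this is not BloodHound's own code or query language. The edge list and the account, group and host names are constructed; the edge kinds are the ones the talk names plus MemberOf, which BloodHound uses for group nesting, and the per-edge costs are assumptions.

```python
import heapq
from collections import deque

# Constructed BloodHound-style edge list: (source, edge kind, target).
# Names are invented for this example; a directed edge means the source
# can reach or act on the target, never the other way round.
EDGES = [
    ("AIDEN", "MemberOf", "HELPDESK"),
    ("HELPDESK", "MemberOf", "TIER1-ADMINS"),
    ("TIER1-ADMINS", "MemberOf", "SERVER-OPS"),
    ("SERVER-OPS", "MemberOf", "DOMAIN ADMINS"),
    ("DOMAIN ADMINS", "DCSync", "SNAPLABS.LOCAL"),
    ("HELPDESK", "CanPSRemote", "FILESRV01"),
    ("AIDEN", "GenericAll", "SVC_BACKUP"),
    ("SVC_BACKUP", "DCSync", "SNAPLABS.LOCAL"),
]

# Assumed effort per edge kind. Contains and MemberOf cost nothing: if you
# are in the group you already hold the right, there is nothing to exploit.
EDGE_COST = {"Contains": 0, "MemberOf": 0, "CanPSRemote": 1,
             "GenericWrite": 2, "GenericAll": 2, "DCSync": 2}


def build_graph(edges):
    """Adjacency list: node -> [(neighbour, edge kind)], direction kept."""
    graph = {}
    for src, kind, dst in edges:
        graph.setdefault(src, []).append((dst, kind))
        graph.setdefault(dst, [])
    return graph


def _rebuild(prev, goal):
    """Walk the predecessor map back to the start; returns (src, kind, dst) hops."""
    path, node = [], goal
    while prev[node] is not None:
        parent, kind = prev[node]
        path.append((parent, kind, node))
        node = parent
    return path[::-1]


def shortest_path_unweighted(graph, start, goal):
    """Breadth-first search: fewest edges, BloodHound's default notion of
    'shortest'. Returns the hop list, or None if goal is unreachable."""
    prev, queue = {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for nxt, kind in graph.get(node, []):
            if nxt not in prev:
                prev[nxt] = (node, kind)
                queue.append(nxt)
    return _rebuild(prev, goal) if goal in prev else None


def cheapest_path(graph, start, goal, cost=EDGE_COST):
    """Dijkstra over edge costs: the weighted-graph idea, where a path of
    many free edges beats a short path of exploits. Returns (hops, total)
    or None. Unknown edge kinds are assumed expensive."""
    dist, prev, heap = {start: 0}, {start: None}, [(0, start)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue
        if node == goal:
            break
        for nxt, kind in graph.get(node, []):
            nd = d + cost.get(kind, 5)
            if nd < dist.get(nxt, float("inf")):
                dist[nxt], prev[nxt] = nd, (node, kind)
                heapq.heappush(heap, (nd, nxt))
    return (_rebuild(prev, goal), dist[goal]) if goal in prev else None


if __name__ == "__main__":
    g = build_graph(EDGES)
    print("fewest hops:", shortest_path_unweighted(g, "AIDEN", "SNAPLABS.LOCAL"))
    print("cheapest:   ", cheapest_path(g, "AIDEN", "SNAPLABS.LOCAL"))
    print("reverse:    ", shortest_path_unweighted(g, "SNAPLABS.LOCAL", "AIDEN"))
```

On this constructed graph the fewest-hops answer is two edges, both of which need exploitation (GenericAll, then DCSync), while the cheapest answer is five edges whose first four are plain group nesting. That is the "path of 10 is easier than a path of three" point, and the reverse query returning nothing is the edge direction the audience asked about. A defender running the same weighted query over their own collection gets the list of zero-effort routes into tier-0 that nested groups have quietly created.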
the start and this is the end okay that make sense yeah okay so this some
make sense yeah okay so this some
make sense yeah okay so this some dangerous privileges generic all means
dangerous privileges generic all means
dangerous privileges generic all means you have full rights to an object do
you have full rights to an object do
you have full rights to an object do whatever you want you can change the
whatever you want you can change the
whatever you want you can change the password you can add it to a group you
password you can add it to a group you
password you can add it to a group you can make a machine account by the way on
can make a machine account by the way on
can make a machine account by the way on Windows bya fault you can make 10
Windows bya fault you can make 10
Windows bya fault you can make 10 machine accounts on the domain and
machine accounts on the domain and
machine accounts on the domain and that's just normal you can make 10
that's just normal you can make 10
that's just normal you can make 10 machine accounts I I'm assuming you
machine accounts I I'm assuming you
machine accounts I I'm assuming you can't do that on the UF domain but I I
can't do that on the UF domain but I I
can't do that on the UF domain but I I haven't checked uh you can also generic
haven't checked uh you can also generic
haven't checked uh you can also generic write that'll allow you to add log on
write that'll allow you to add log on
write that'll allow you to add log on scripts who remembers me talking about
scripts who remembers me talking about
scripts who remembers me talking about log on scripts on on Thursday that you
log on scripts on on Thursday that you
log on scripts on on Thursday that you can add a script to a user that'll
can add a script to a user that'll
can add a script to a user that'll that'll run whenever they log on scary
that'll run whenever they log on scary
that'll run whenever they log on scary you know put malware on that whatever uh
you know put malware on that whatever uh
you know put malware on that whatever uh you can change the owner you can change
you can change the owner you can change
you can change the owner you can change Access Control lists etc etc DC sync uh
Access Control lists etc etc DC sync uh
DCSync. So let me explain this. You can have multiple domain controllers on a network, and all the domain controllers should be synced up, but whenever you change something it doesn't talk to every domain controller. Instead, what happens is every, I think it's 24 hours or 48 hours or something, all the domain controllers are going to attempt to sync up with each other so that they're the same. A fun unintentional side effect of that is that if you change your password, you might be able to log in with your old password and your new password, because two different domain controllers are going to have a different password in them.

So how DCSync works is you say, "Hey, domain controller, give me all your info, including your ntds.dit file." If I as a user can DCSync, I can ask, "Hey, domain controller, give me all your info, including your ntds.dit file," and I can grab all the passwords. That's why DCSync is dangerous: you can just grab all the credentials from the domain. Questions about that?

[Audience: Are there no systems that, like, first pass verification and then they'll give you the information?]

That is a thing. It's very, very, very rarely enabled.

[Audience: If you already have the permission, then wouldn't you be authenticated, or have permission to DCSync?]

Yeah, well, you'd be on the domain, but you don't have everyone's password. So a DCSync would give you everybody's password, right, including the admin.

[Audience: So if you have DCSync, it's like a valid thing that you could do in theory; it's not like an exploit.]

Yes. I mean, it's like abusing a misconfiguration. Yeah, okay, right.
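The misconfiguration the speaker is describing is an access-control one: DCSync is just the directory replication interface, so the audit question is "who holds the replication extended rights on the domain object?" The following is an added example, not code from the talk or from any of the tools it mentions. It evaluates that question over a constructed ACL shaped like what ldap3 or BloodHound return for the domain's nTSecurityDescriptor; the extended-right GUIDs and access-mask bits are the real schema values, while the trustee names, the sample ACEs and the "expected holders" baseline are assumptions made for offline use.

```python
"""Audit which principals can DCSync a domain (added example, not from the talk)."""
from dataclasses import dataclass
from typing import Optional

# Extended-right GUIDs from the AD schema (real values).
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPL_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

ADS_RIGHT_DS_CONTROL_ACCESS = 0x00000100  # access-mask bit meaning "extended right"
GENERIC_ALL = 0x10000000                  # GenericAll implies every right

# Principals that hold both rights in a stock domain.  Assumption: adjust this
# baseline to your own domain (sync/backup accounts are legitimately here sometimes).
EXPECTED_DCSYNC_HOLDERS = {
    "BUILTIN\\Administrators",
    "DOMAIN\\Domain Controllers",
    "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS",
}


@dataclass(frozen=True)
class Ace:
    trustee: str
    access_mask: int
    object_type: Optional[str] = None  # extended-right GUID; None = all extended rights
    allow: bool = True


def replication_rights(aces):
    """Return {trustee: set of replication GUIDs granted}.
    Deny ACEs are skipped (simplification: a full evaluator must honour ACE order)."""
    rights = {}
    for ace in aces:
        if not ace.allow:
            continue
        if ace.access_mask & GENERIC_ALL:
            granted = set(REPL_RIGHTS)
        elif ace.access_mask & ADS_RIGHT_DS_CONTROL_ACCESS:
            if ace.object_type is None:            # "all extended rights"
                granted = set(REPL_RIGHTS)
            elif ace.object_type.lower() in REPL_RIGHTS:
                granted = {ace.object_type.lower()}
            else:
                continue                           # some unrelated extended right
        else:
            continue
        rights.setdefault(ace.trustee, set()).update(granted)
    return rights


def dcsync_capable(aces):
    """Trustees holding BOTH Get-Changes and Get-Changes-All: the pair needed to
    pull password hashes (secretsdump.py -just-dc, mimikatz lsadump::dcsync)."""
    return sorted(t for t, g in replication_rights(aces).items() if REPL_RIGHTS <= g)


def unexpected_dcsync(aces):
    """DCSync-capable trustees outside the baseline: the misconfiguration to report."""
    return [t for t in dcsync_capable(aces) if t not in EXPECTED_DCSYNC_HOLDERS]


# Constructed sample ACL for the domain head object (not real data).
SAMPLE_DOMAIN_ACL = [
    Ace("BUILTIN\\Administrators", ADS_RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES),
    Ace("BUILTIN\\Administrators", ADS_RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES_ALL),
    Ace("DOMAIN\\Domain Controllers", ADS_RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES),
    Ace("DOMAIN\\Domain Controllers", ADS_RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES_ALL),
    Ace("DOMAIN\\Enterprise Read-only Domain Controllers", ADS_RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES),
    Ace("DOMAIN\\helpdesk", ADS_RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES),  # half the pair: no secrets
    Ace("DOMAIN\\svc_backup", GENERIC_ALL),  # GenericAll on the domain head: full DCSync
]

if __name__ == "__main__":
    for trustee in unexpected_dcsync(SAMPLE_DOMAIN_ACL):
        print(f"[!] {trustee} can DCSync and is not in the baseline")
```

Note that Get-Changes alone (the helpdesk entry) is not enough to replicate secrets; the finding is the pair, or GenericAll/WriteDACL on the domain head, which lets the holder grant the pair to themselves.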
But yeah, okay, man, I have five minutes left and all... Let's go. Hey, 30 slides left, we can do it, right? Okay.
So let's talk about some Kerberos vulnerabilities. I'm not going to talk about all the Kerberos attacks; if you're interested, you can look it up. There's two main Kerberos attacks. I'm going to go in reverse order: one called Kerberoasting and one called AS-REP roasting.

Now, in Kerberos you can request the hash of a service account for free. Anybody can do that. That is built-in basic functionality, and it is a feature, not a bug. So if there are service accounts that have what's called an SPN attached to them, a service principal name, you can just request the hash of the service account and you can crack it. A big problem with this is a lot of companies will make service accounts that are domain admins, or they like service accounts where the account name is "printer" and the password is "printer." That's rough. Your service accounts, because hashes can be requested so easily, should have really long passwords, because nobody should be logging into them ever. It does not have to be convenient. And that is something that you can do without even having credentials on the domain.

AS-REP roasting is similar, except it's with users rather than service accounts. There's a thing called pre-authentication. I don't know if y'all remember: in Kerberos there's a thing where you request a ticket granting ticket, and by default it'll verify who you are by trying to decrypt your timestamp with your NT hash. Does anyone remember that? Yeah. Sometimes it won't verify who you are, and in that case it'll just send a TGT to anyone, and that is a thing called AS-REP roasting, where you are taking advantage of a bad AS response, authentication server response.

So sometimes you can grab a user hash if pre-authentication is disabled, or you could grab a service account hash with Kerberoasting. These are both things that you can discover with NetExec: you can AS-REP roast and you can Kerberoast. You can also use Impacket, or you can look in BloodHound, and there's a query in BloodHound that'll tell you all the Kerberoastable users and all the AS-REP roastable users.
Something I should note is that Kerberos only works if your clock is synced with a domain controller. So when you run an nmap scan, nmap will tell you, "Hey, there's a clock skew of seven hours." You have to sync up your time with a domain controller, and you can do it with this command: ntpdate and the IP address of the domain controller. NTP is a protocol called the Network Time Protocol, and you can do it that way. I'll give you a warning: sometimes I do this and I think it's like 7:00 p.m. because my clock is wrong, but then when I finish the pentest it's actually 4:00 a.m. So, I don't know, I guess get your sleep, but you have to modify your time when you're doing Kerberos stuff.

[Audience: Do you know why you have to modify your time?]

Because Kerberos will, you remember I mentioned, verify timestamps and stuff. Realistically they could fix that pretty easily by using, what is it, UTC time, but they don't do it, you know.

Uh oh. No, well, that's never going back. [Music] Oh, you have to do the keyboard? Yeah, I wish we knew that last time. Last time the computer was on but the other screen wasn't turned off. Oh, all right, there we go.
Okay, but yeah, you gotta do that. Here's an example from a lab I did where I tried to AS-REP roast and it says "no entries found." Here's a PowerShell command where I get the user with a username called asreproastme and I set DoesNotRequirePreAuth to true, and now that pre-authentication is not enabled, I can request the hash. How cool is that? Here's me doing the same thing with a service account, or no, actually, this is me using NetExec, and this is me using Impacket, using GetNPUsers.py. Who wants to guess what GetNPUsers stands for? What? It's "no preauth." But yeah, you can get the hash, you can crack it, do whatever you want.

Here's the same thing with Kerberoasting. I try to Kerberoast, nothing happens. Here I'm using a command to set the SPN, add a service principal name, to a service called kerberoastme, and now I can use NetExec to Kerberoast and it'll give me the hash of kerberoastme. I can use GetUserSPNs. Who knows what GetUserSPNs stands for? Service principal name, good. And it'll give me the hash and I can try to crack it. Okay, questions about that?
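The lab above flips two attributes (DoesNotRequirePreAuth on one account, an SPN on another) and then lets NetExec and Impacket find them. As an added example, not the speaker's lab and not nxc or Impacket code, here is the triage logic those tools and the BloodHound queries are effectively running, written over a constructed list of user records so it runs offline. The attribute names, userAccountControl bits, samAccountType values and LDAP filters are the real AD ones; the accounts, SPNs and domain name are made up.

```python
"""Triage accounts for AS-REP roasting and Kerberoasting (added example, not from the talk)."""
# userAccountControl bits (real values).
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000   # 4194304: "Do not require Kerberos preauthentication"

# samAccountType: restrict to user objects so machine accounts (HOST/...) are skipped.
SAM_USER_OBJECT = 805306368
SAM_MACHINE_ACCOUNT = 805306369

# Equivalent LDAP filters to send to a live DC (bitwise-AND matching rule 1.2.840.113556.1.4.803).
ASREP_FILTER = ("(&(samAccountType=805306368)"
                "(userAccountControl:1.2.840.113556.1.4.803:=4194304)"
                "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")
KERBEROAST_FILTER = ("(&(samAccountType=805306368)(servicePrincipalName=*)"
                     "(!(sAMAccountName=krbtgt))"
                     "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")


def _enabled_user(u):
    return u["samAccountType"] == SAM_USER_OBJECT and not (u["userAccountControl"] & UF_ACCOUNTDISABLE)


def is_asrep_roastable(u):
    """Pre-auth disabled: the KDC returns an AS-REP encrypted with the user's key
    to anyone who asks for it (hashcat mode 18200 for the RC4 form)."""
    return _enabled_user(u) and bool(u["userAccountControl"] & UF_DONT_REQUIRE_PREAUTH)


def is_kerberoastable(u):
    """Has an SPN: any authenticated principal can request a TGS encrypted with the
    account's key (hashcat 13100 for RC4, 19700 for AES-256).  krbtgt is excluded,
    as the tools do."""
    return (_enabled_user(u)
            and bool(u.get("servicePrincipalName"))
            and u["sAMAccountName"].lower() != "krbtgt")


def triage(users):
    """Return roastable accounts, tagging adminCount=1 (members of protected groups),
    since a crackable password there is the 'service account that is a domain admin' case."""
    out = {"asrep": [], "kerberoast": []}
    for u in users:
        tag = u["sAMAccountName"] + (" [ADMIN]" if u.get("adminCount") == 1 else "")
        if is_asrep_roastable(u):
            out["asrep"].append(tag)
        if is_kerberoastable(u):
            out["kerberoast"].append(tag)
    return out


# Constructed directory sample (not real accounts).  0x200 = NORMAL_ACCOUNT, 0x1000 = WORKSTATION_TRUST_ACCOUNT.
SAMPLE_USERS = [
    {"sAMAccountName": "asreproastme", "samAccountType": SAM_USER_OBJECT,
     "userAccountControl": 0x200 | UF_DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "kerberoastme", "samAccountType": SAM_USER_OBJECT,
     "userAccountControl": 0x200, "servicePrincipalName": ["HTTP/web01.corp.local"]},
    {"sAMAccountName": "svc_sql", "samAccountType": SAM_USER_OBJECT, "userAccountControl": 0x200,
     "servicePrincipalName": ["MSSQLSvc/db01.corp.local:1433"], "adminCount": 1},
    {"sAMAccountName": "old_svc", "samAccountType": SAM_USER_OBJECT,
     "userAccountControl": 0x200 | UF_ACCOUNTDISABLE, "servicePrincipalName": ["HTTP/old.corp.local"]},
    {"sAMAccountName": "krbtgt", "samAccountType": SAM_USER_OBJECT,
     "userAccountControl": 0x200 | UF_ACCOUNTDISABLE, "servicePrincipalName": ["kadmin/changepw"], "adminCount": 1},
    {"sAMAccountName": "WS01$", "samAccountType": SAM_MACHINE_ACCOUNT,
     "userAccountControl": 0x1000, "servicePrincipalName": ["HOST/ws01.corp.local"]},
    {"sAMAccountName": "alice", "samAccountType": SAM_USER_OBJECT, "userAccountControl": 0x200},
]

if __name__ == "__main__":
    print(triage(SAMPLE_USERS))
```

The disabled and machine accounts drop out for different reasons: a disabled account's TGS cannot be used even if cracked, and machine account passwords are 120 random characters, so a Kerberoast against them is wasted cracking time. The [ADMIN] tag is the one to chase first.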
All right, we're almost done, we're so close. We're probably not going to do a lab today. For some reason I thought this would take less than an hour; it's not going to happen. Anyone want my last one, two, three, four, five Sour Patch Kids? Yeah, have a... you can have it. Oh no, that's... I'm so sorry. Who else wants one? You want one? You want one? What? Andre, St..., and Aiden. All right, I'm out. I'm very sorry, I hope you still have incentive to ask questions.
All right, now we're going to talk about something called ADCS. This is Active Directory Certificate Services. Windows loves to make their own tooling for everything, so if you want to have your own private key infrastructure on the network, you can use ADCS. Now, ADCS is very interesting. A lot of people use this, and they'll set up certificates and certificate templates that allow people to request access to a resource. Windows itself, Microsoft itself, put a blog post online with recommendations for how to set up ADCS, because people were having trouble, so they said, "This is really easy, here's how to do it." If you followed Microsoft's instructions, you were vulnerable. And that just shows you how big of a company it is, because even its own employees don't know what's going on. But this resulted in this white paper by this company SpecterOps, where they published eight different types of exploitations where, if you followed Microsoft's advice, you were vulnerable to eight different types of attacks. Some would allow you to gain admin with no credentials at all, some would allow you to gain admin with some credentials, and all of them were results of exploiting bad configurations.

You can use a tool called Certify to find all the vulnerable and enabled certificates. Sometimes you can just say, "Hey, can I request a certificate for the admin user?" and it'll go "Yeah," and you can log in with that certificate. Here's an example template where you can see the enrollment permissions and you can see this PKI extended key usage. All you really have to care about is this enrollment permissions here for now. Let's see if there's anything interesting... enrollment permissions... Oh, I guess this is a bad example, but sometimes they'll say you can enroll as domain admin and the people who can enroll is anyone, and that is easy. It's true, Microsoft made it so easy for their clients, but they also made their clients very, very vulnerable, and this was a huge thing for pentesters for many years, and it still is kind of a problem. We're now up to ESC... Someone just released an exploit called EKU, which is ESC5, and it's just another version of ADCS being exploitable, not because of, like, vulnerabilities but just misconfigurations.
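The template slide the speaker is pointing at shows exactly the two fields that matter for the first of the SpecterOps escalations (ESC1): who can enroll, and what the certificate can be used for. As an added example, not code from the talk, Certify or Certipy, here is that check written out over constructed template records. The attribute names (msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature, pKIExtendedKeyUsage), flag values and EKU OIDs are the real ones; the template names, the enrollment lists and the set of groups treated as "anyone" are assumptions for offline use.

```python
"""Flag AD CS templates that match the ESC1 pattern (added example, not from the talk)."""
# msPKI-Certificate-Name-Flag: the requester may put any subject/SAN in the CSR.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag: requests wait for CA-manager approval instead of issuing at once.
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKUs that let the issued certificate authenticate to AD (PKINIT / Schannel).
EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
EKU_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
EKU_PKINIT_CLIENT_AUTH = "1.3.6.1.5.2.3.4"
EKU_ANY_PURPOSE = "2.5.29.37.0"
EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
AUTH_EKUS = {EKU_CLIENT_AUTH, EKU_SMARTCARD_LOGON, EKU_PKINIT_CLIENT_AUTH, EKU_ANY_PURPOSE}

# Assumption: groups treated as "anyone" when they appear in the enroll ACL.
LOW_PRIV_ENROLLERS = {"Domain Users", "Authenticated Users", "Everyone", "Domain Computers"}


def allows_authentication(t):
    ekus = t["pKIExtendedKeyUsage"]
    return not ekus or bool(AUTH_EKUS & set(ekus))   # empty EKU list = any purpose


def low_priv_can_enroll(t):
    return bool(LOW_PRIV_ENROLLERS & set(t["enroll"]))


def esc1_reasons(t):
    """List the ESC1 conditions this template satisfies; all five together mean
    any domain user can mint a logon certificate for a UPN of their choosing."""
    hits = []
    if not t["enabled"]:
        return hits                                   # not published on a CA: unreachable
    if low_priv_can_enroll(t):
        hits.append("low-privileged enrollment")
    if not (t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS):
        hits.append("no manager approval")
    if t["msPKI-RA-Signature"] == 0:
        hits.append("no authorized signature required")
    if allows_authentication(t):
        hits.append("authentication EKU")
    if t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        hits.append("enrollee supplies subject")
    return hits


def is_esc1(t):
    return len(esc1_reasons(t)) == 5


def find_esc1(templates):
    return [t["name"] for t in templates if is_esc1(t)]


def _tmpl(name, enroll, name_flag=0, enroll_flag=0, ra_sig=0, ekus=(), enabled=True):
    return {"name": name, "enroll": enroll, "msPKI-Certificate-Name-Flag": name_flag,
            "msPKI-Enrollment-Flag": enroll_flag, "msPKI-RA-Signature": ra_sig,
            "pKIExtendedKeyUsage": list(ekus), "enabled": enabled}


# Constructed templates (not from a real CA).
SAMPLE_TEMPLATES = [
    # Stock 'User' shape: authenticates, but the subject is built from AD, so not ESC1.
    _tmpl("User", ["Domain Users"], ekus=[EKU_CLIENT_AUTH]),
    # 'WebServer' shape: subject is supplied, but no logon EKU and admins only.
    _tmpl("WebServer", ["Domain Admins"], name_flag=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, ekus=[EKU_SERVER_AUTH]),
    # The classic mistake: "let VPN users request their own client certificates".
    _tmpl("VPNUsers", ["Domain Users"], name_flag=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, ekus=[EKU_CLIENT_AUTH]),
    # Same template with manager approval turned on: the request just sits pending.
    _tmpl("VPNUsersApproved", ["Domain Users"], name_flag=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
          enroll_flag=CT_FLAG_PEND_ALL_REQUESTS, ekus=[EKU_CLIENT_AUTH]),
    # Empty EKU list means any purpose, which still works for logon.
    _tmpl("Legacy", ["Authenticated Users"], name_flag=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, ekus=[]),
    # Vulnerable on paper but not published on any CA.
    _tmpl("Unpublished", ["Domain Users"], name_flag=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
          ekus=[EKU_CLIENT_AUTH], enabled=False),
]

if __name__ == "__main__":
    for t in SAMPLE_TEMPLATES:
        print(f"{t['name']:18s} ESC1={is_esc1(t)!s:5s} {', '.join(esc1_reasons(t))}")
```

The fix for a template that hits all five is usually a single one: turn off "supply in the request" so the subject comes from AD, or require manager approval, or remove the low-privileged enroll ACE. Any one of those breaks the chain, which is why the check reports the individual conditions rather than only a yes/no.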
Questions?

[Audience: Misconfig, like config... why is it like Windows is just uniquely vulnerable, just the way that it's...?]

Windows is just very complex. Very complex. It can also do a lot of stuff; whatever you want, it can happen, because Microsoft really wants to please its consumers and its customers. But it's not uniquely vulnerable, it's just so easy to mess up, and there's so many complexities because of how old it is, right? It's 20, 30 years old, and it's just a result of convenience. Here's the thing about security: convenience and security are inversely proportional, right? You can have someone have ten-factor authentication; that's really secure but really annoying and nobody wants it. Or you could have it so there's zero password at all; that's really convenient but it's really vulnerable, right? Microsoft likes to be real nice to everyone, and it's so convenient, but as a result it's vulnerable. They're getting better, they're adding more secure defaults, and they're trying hard to make it so that it's both secure and convenient, but, you know, it's hard. Other questions? Okay. I'm so glad people are asking questions, this is great. All right, oh, we're so close to finishing. Okay, I think it's true now, we're so close to finishing this section of the presentation.
All right, so I'm not going to cover exactly how this works, but there's this thing called SCCM. This is like the new hot thing for pentesters. It's the System Center Configuration Manager. This is something that IT admins can use to configure machines on a network: "Hey, there's a new machine, I want to install all this stuff on it, put it through SCCM. I want to update all the software on all my machines, send it through SCCM." There's a lot of vulnerabilities in this, but I'll tell you the easiest vulnerability. Windows had this thing where they would set up a machine, they'd set up a computer account for you, and they'd do it with a domain admin account. You know, you give it a laptop and it'll log in with domain admin, it'll do all the stuff. There was a way for you to just grab the credentials it was using to log in as it logged in, and those credentials were domain administrators. So you could just say, "Hey, please update me," and then you get domain admin, you know. There's so many other things wrong with SCCM, and it's so complicated, and to be honest I've forgotten a lot of the complexities because I haven't done it since last year at CPTC. But if you want to learn more about it, there's a website that I love, love, love, that was made by a lot of really fantastic people who do Windows AD pentesting, called The Hacker Recipes (thehacker.recipes). This is a great place to look. And this is a tool that will allow you to do SCCM exploitation, and I have a sticker on my water bottle of the tool. Okay, let's talk about web, right?
OK, let's talk about web. So we've been through SMB, we've been through LDAP, we've been through Kerberos, ADCS, SCCM, nothing worked. What do we do? You go on a website. Usually you're going to have some web server, especially if it's a huge system. A lot of Windows by default is going to be running IIS. Now this is very rare, but IIS can be very old and there might be remote code execution just as a result of the software being old. You can also sometimes write code to it. So sometimes there's misconfigurations where there's an FTP server or an SMB share that's writable by everyone, and it just so happens that a web server root is in that directory. Well, you can just write web pages onto there, and if the web page is using an executable language like PHP, ASP or ASPX, you can just write code and then put it in the root of the website, browse to it, and it'll be executed. You can execute whatever you want. Does that make sense?

So this is a thing that you can do sometimes. Otherwise you just have to try common exploits, you know, SQL injection, template injection, code injection, whatever it is. Sometimes you have to do SQL injection, right? You can use SQL injection to do things that I'm going to talk about later. Sometimes you can coerce authentication: if there's local file inclusion, you can make it include a web page, and in this case instead of including a file locally you make it include your malicious SMB server so that you can grab a hash. Sometimes you can just inject commands, I don't know. Something I've seen in some labs is a website will have a ton of names of people, and the person will be like, I love puppies and my puppy's name is Ron and my birth year is 1992, and then you try the password Ron 1992 for that username and it works, you know. If you have a user called Adam Hassan, you can try the usernames Adam Hassan, A Hassan, AD Hassan, etc., right, because most companies (UF is not like this, but most places) will have a designated format for usernames. You can try that.
Questions? We're not going to go that over time. Oh, thank you.

Now let's say you have SQL, right? Now, I mentioned sometimes you can coerce authentication. MSSQL has this really interesting thing where you can read files from the file system and read files from remote locations, like your malicious SMB server. Sometimes you can also execute commands, if you are privileged enough, using something called xp_cmdshell, which by the way is automated by the mssqlclient from Impacket. Sometimes there's also confidential info in the database. Sometimes you can find usernames, password hashes, you can crack the hashes, that kind of thing. Questions about that? OK.

Here's me using NetExec with the MSSQL protocol. I'm logging in, and it tells me, hey, Samwell Tarly can access Castelblack. So I use mssqlclient with the domain name, the user, the password, and I use Windows auth, and it gives me access. It gives me a little thing where I can run whatever I want: I can query the database, I can try to execute commands (it probably won't work unless you're an admin), I can try to coerce authentication. I forgot, oh no, here's a module that I created for automatically coercing authentication using NetExec. It'll go through every single type of SQL command that can coerce auth and it'll try to do it, so you can use that.
can use that questions okay uh this is going to be
questions okay uh this is going to be
questions okay uh this is going to be the shortest the shortest section RDP uh
the shortest the shortest section RDP uh
the shortest the shortest section RDP uh you can also use net exec to figure out
you can also use net exec to figure out
you can also use net exec to figure out if you have access to RDP remember
if you have access to RDP remember
if you have access to RDP remember that's remote desktop protocol you get
that's remote desktop protocol you get
that's remote desktop protocol you get the keyboard and The Mouse and the
the keyboard and The Mouse and the
the keyboard and The Mouse and the screen uh you can use these tools x free
screen uh you can use these tools x free
screen uh you can use these tools x free RTP or R desktop or rinaa all of them
RTP or R desktop or rinaa all of them
RTP or R desktop or rinaa all of them are good all of them have their own
are good all of them have their own
are good all of them have their own benefits um I like our desktop if our
benefits um I like our desktop if our
benefits um I like our desktop if our desktop doesn't work I use X3 RDP
desktop doesn't work I use X3 RDP
desktop doesn't work I use X3 RDP because it has better
because it has better
because it has better authentication
authentication
authentication negotiation um who knows what I mean
negotiation um who knows what I mean
negotiation um who knows what I mean when I say negotiation authentic or
when I say negotiation authentic or
when I say negotiation authentic or authentication
negotiation that makes sense because I
negotiation that makes sense because I didn't explain it uh windows by default
didn't explain it uh windows by default
didn't explain it uh windows by default will try to use the best type of
will try to use the best type of
will try to use the best type of authentication so they'll typically
authentication so they'll typically
authentication so they'll typically start with
start with
start with Kerberos and if I say I don't like
Kerberos and if I say I don't like
Kerberos and if I say I don't like Kerberos it'll say okay can we do net
Kerberos it'll say okay can we do net
Kerberos it'll say okay can we do net ntlmv2 and if I say I don't like that
ntlmv2 and if I say I don't like that
ntlmv2 and if I say I don't like that it'll say okay can we use net ntlmv1 now
it'll say okay can we use net ntlmv1 now
it'll say okay can we use net ntlmv1 now typically it will only allow kerros and
typically it will only allow kerros and
typically it will only allow kerros and net ntlmv2 but on more P permissive
net ntlmv2 but on more P permissive
net ntlmv2 but on more P permissive domains it will allow you to get even
domains it will allow you to get even
domains it will allow you to get even worse and worse and that's something
worse and worse and that's something
worse and worse and that's something that we call a negotiation I'm
that we call a negotiation I'm
that we call a negotiation I'm negotiating what protocol I'm allowed to
negotiating what protocol I'm allowed to
negotiating what protocol I'm allowed to use for authentication and XF free RDP
use for authentication and XF free RDP
use for authentication and XF free RDP is good at doing that
is good at doing that
is good at doing that negotiation
negotiation
negotiation questions okay
questions okay
questions okay winrm uh winrm is allows you to get P
winrm uh winrm is allows you to get P
winrm uh winrm is allows you to get P Powershell remotely you can use net exec
Powershell remotely you can use net exec
Powershell remotely you can use net exec to see if you can win RM in and if you
to see if you can win RM in and if you
to see if you can win RM in and if you can it'll say pwned uh and if it does
can it'll say pwned uh and if it does
can it'll say pwned uh and if it does you can use this tool called evil winrm
you can use this tool called evil winrm
you can use this tool called evil winrm you pass it an IP address a username a
you pass it an IP address a username a
you pass it an IP address a username a password and it gives you access to
password and it gives you access to
password and it gives you access to Powershell winrm is also nice because
Powershell winrm is also nice because
Powershell winrm is also nice because you can download and upload files and
you can download and upload files and
you can download and upload files and you can log in with pass the hash just
you can log in with pass the hash just
you can log in with pass the hash just like an impacket and just like in that
like an impacket and just like in that
like an impacket and just like in that EXC questions about that okay all right
EXC questions about that okay all right
EXC questions about that okay all right now it's the last section the last
now it's the last section the last
now it's the last section the last section or the second last I don't
remember uh I'll tell you post
remember uh I'll tell you post exploitation right when you get onto
exploitation right when you get onto
exploitation right when you get onto machine hopefully by now you've gotten
machine hopefully by now you've gotten
machine hopefully by now you've gotten access to the machine hopefully if you
access to the machine hopefully if you
access to the machine hopefully if you haven't I really recommend just going
haven't I really recommend just going
haven't I really recommend just going back and trying it all again and just
back and trying it all again and just
back and trying it all again and just making sure you're doing absolutely
making sure you're doing absolutely
making sure you're doing absolutely everything uh you can do password
everything uh you can do password
everything uh you can do password dumping there's a fantastic tool called
dumping there's a fantastic tool called
dumping there's a fantastic tool called mimik cats uh you can also use there's
mimik cats uh you can also use there's
mimik cats uh you can also use there's supposed to be a space here uh but you
supposed to be a space here uh but you
supposed to be a space here uh but you can use impacket secret stump. py uh
can use impacket secret stump. py uh
can use impacket secret stump. py uh which will do things remotely you can
which will do things remotely you can
which will do things remotely you can use net exec to dump LSA Secrets which
use net exec to dump LSA Secrets which
use net exec to dump LSA Secrets which is uh like domain Secrets Sam which is
is uh like domain Secrets Sam which is
is uh like domain Secrets Sam which is local Secrets ntds which is the domain
local Secrets ntds which is the domain
local Secrets ntds which is the domain controller secrets and Laps which is
controller secrets and Laps which is
controller secrets and Laps which is like Cloud secrets you can do a lot of
like Cloud secrets you can do a lot of
like Cloud secrets you can do a lot of stuff with n exec it's great but you can
stuff with n exec it's great but you can
stuff with n exec it's great but you can also use mimik cats to get
also use mimik cats to get
also use mimik cats to get credentials um you just look up how to
credentials um you just look up how to
credentials um you just look up how to do that right uh questions about
do that right uh questions about
do that right uh questions about that okay uh here's a great trackme I
that okay uh here's a great trackme I
that okay uh here's a great trackme I really really recommend this for post
really really recommend this for post
really really recommend this for post exploitation sometimes when you get on a
exploitation sometimes when you get on a
exploitation sometimes when you get on a machine and you have low level access
machine and you have low level access
machine and you have low level access you want to do stuff to get more
you want to do stuff to get more
you want to do stuff to get more credentials get higher privileges that
credentials get higher privileges that
credentials get higher privileges that kind of thing now I've already talked
kind of thing now I've already talked
kind of thing now I've already talked about domain privilege escalation how do
about domain privilege escalation how do
about domain privilege escalation how do you get to domain admin are you tired
you get to domain admin are you tired
you get to domain admin are you tired Andre you said that was the last section
Andre you said that was the last section
Andre you said that was the last section I think this is the last section all
I think this is the last section all
I think this is the last section all right now if you want to locally
right now if you want to locally
right now if you want to locally escalate privileges let's say you have
escalate privileges let's say you have
escalate privileges let's say you have access to a service
access to a service
access to a service account uh I want to get access to the
account uh I want to get access to the
account uh I want to get access to the admin account the local admin account
admin account the local admin account
admin account the local admin account you can do something on Windows which is
you can do something on Windows which is
you can do something on Windows which is Mii SL priv it'll show you all the
Mii SL priv it'll show you all the
Mii SL priv it'll show you all the Privileges now in this case I'm domain
Privileges now in this case I'm domain
Privileges now in this case I'm domain admin which means I have all the
admin which means I have all the
admin which means I have all the Privileges right there's a lot of them
Privileges right there's a lot of them
Privileges right there's a lot of them but there are some Dangerous Ones yes
Does evil-winrm automatically enable those privileges for you?

Usually. OK, this is... I logged in as the domain admin. Oh yeah.

Andre: does it display privileges that are not enabled? Like, is it displaying all the possible privs?

No, it's only showing the enabled ones. Now, here's, I want to, so here's something that confused me. Yeah, enabled does not mean you have the privilege. All these privileges are ones that you have; it does not show you privileges that you do not have. Now sometimes it'll say disabled even though you have the privilege, and what this means is: enabled means you have the privilege for that particular process, and disabled means you can get it but it's not there for that particular process.

You mean the process that you ran the command in?

Yes. Now, the reason for that is there's different integrity levels in Windows. You have a higher integrity if you log in through rdesktop or through RDP, because you're interactive, but if you go in with a reverse shell you're low integrity. Don't worry about that too much, but you're not going to have many privileges enabled. Yes, Colin?

I was on a physical... I did, and I still got...

That sometimes will be the case, but if it says disabled, don't worry about it, you still have it. You still have the privilege, it's just not currently in use.

Are there like PowerShell scripts you can run to enable and disable privileges?

Right, I don't know, I've never needed to do any. I just ignore this, just ignore the state, don't worry about it. All you have to worry about is the privilege name, and you can look it up. Right now there's a few dangerous privileges. There's one called "SE install always elevated", and a lot of admins will enable it because they hate people asking, hey, can you install this for me? And this is something that will always install things as an administrator, which if you boil that down, what it means is you can always run any code you want as administrator, so you can escalate privileges. There's one called SeDebugPrivilege, which a lot of developers have. This allows you to read and write process memory, so if there are secrets in memory like hashes, you can dump the hashes, you can dump memory, you can even write to memory technically, and I guess I've never done this before, but I bet you could replace your security token to make it look like you're an administrator. I might be wrong about that, I'm just speculating. There's one called SeImpersonatePrivilege. This is something that typically service accounts have, because service accounts need to be able to impersonate other users, and this is one that'll give you like automatic admin, and you can often exploit this with something called a potato attack, which I'll talk about later. And there's also SeBackupPrivilege and SeRestorePrivilege, which allow you to read and write any file you want. If you're on a domain controller and you have SeBackupPrivilege, you can just read the ntds.dit file and you can dump all the hashes.

Andre: so it says Cent is about the same as us?

Yes. Other questions? OK.

This is a great blog post; yeah, it's a good blog post to look at, it has some of the dangerous privileges.
Let's talk about potato attacks. I'm not going to fully explain it; I only learned today why it's called a potato attack. But a potato attack is just any attack where you can basically trick a process to run as an administrator and give you access to it. So some processes on Windows are always running as admin; sometimes you can trick them into doing things for you. And the reason it's called a potato attack is because the first one was called Rotten Potato, because the creator said this is such a dirty exploit, it's such a rotten exploit, so he called it Rotten Potato, and then everyone after that called it a potato attack. So there's Hot Potato, Rotten Potato, Lonely Potato, Juicy Potato (I really like Juicy Potato) and GodPotato; those are the best ones.

...potato.

What? I don't know, you can make one. All right, so yeah, the reason that service accounts have SeImpersonatePrivilege is, let's say you're a file system and a user logs into the file system; you expect it to show you your
system you expect it to show you your
system you expect it to show you your files right the only way it can do that
files right the only way it can do that
files right the only way it can do that is by essentially impersonating you and
is by essentially impersonating you and
is by essentially impersonating you and logging in as you so service accounts
logging in as you so service accounts
logging in as you so service accounts are very often very highly privileged
are very often very highly privileged
are very often very highly privileged and they can impersonate any user they
and they can impersonate any user they
and they can impersonate any user they want so if you log in and you see see
want so if you log in and you see see
want so if you log in and you see see impersonate privilege you can run God
impersonate privilege you can run God
impersonate privilege you can run God potato and it'll give you
potato and it'll give you
potato and it'll give you administrator questions about that Andre
administrator questions about that Andre
administrator questions about that Andre so what's the commonality between all
so what's the commonality between all
so what's the commonality between all the potatoes is it person no uh well all
the potatoes is it person no uh well all
the potatoes is it person no uh well all service account accounts will typically
service account accounts will typically
service account accounts will typically have SE impersonate privilege although
have SE impersonate privilege although
have SE impersonate privilege although that's becoming less and less true over
that's becoming less and less true over
that's becoming less and less true over time as things are being hardened and
time as things are being hardened and
time as things are being hardened and secured uh but typically if you see SE
secured uh but typically if you see SE
secured uh but typically if you see SE impersonate privilege then you can use a
impersonate privilege then you can use a
impersonate privilege then you can use a potato
potato
potato attack um but all of them are just
attack um but all of them are just
attack um but all of them are just things that allow you to impersonate a
things that allow you to impersonate a
things that allow you to impersonate a user and do something with it right so
user and do something with it right so
user and do something with it right so you can impersonate the administrator
you can impersonate the administrator
you can impersonate the administrator process and get that process to run
process and get that process to run
process and get that process to run whatever you want and that's a drastic
whatever you want and that's a drastic
whatever you want and that's a drastic oversimplification and it's barely
oversimplification and it's barely
oversimplification and it's barely accurate but you can read more into it
accurate but you can read more into it
accurate but you can read more into it right here if you want okay other
right here if you want okay other
right here if you want okay other questions all right uh there's another
questions all right uh there's another
questions all right uh there's another vulnerability that allows for privilege
vulnerability that allows for privilege
vulnerability that allows for privilege escalation on Windows called unquoted
escalation on Windows called unquoted
escalation on Windows called unquoted service path windows will do this thing
service path windows will do this thing
service path windows will do this thing where if you don't have quotes around a
where if you don't have quotes around a
where if you don't have quotes around a space it'll try to guess where the where
space it'll try to guess where the where
space it'll try to guess where the where the path is supposed to be so in this
the path is supposed to be so in this
the path is supposed to be so in this case you can see that my path is program
case you can see that my path is program
case you can see that my path is program files a subfolder b subfolder c
files a subfolder b subfolder c
files a subfolder b subfolder c subfolder Windows has what they call a
subfolder Windows has what they call a
subfolder Windows has what they call a search path where if there's no quotes
search path where if there's no quotes
search path where if there's no quotes they don't know what the real path is so
they don't know what the real path is so
they don't know what the real path is so they first try C program.exe and if it
they first try C program.exe and if it
they first try C program.exe and if it exists they execute it if it doesn't
exists they execute it if it doesn't
exists they execute it if it doesn't exist they try program files a.exe right
exist they try program files a.exe right
exist they try program files a.exe right before the space if it exists they
before the space if it exists they
before the space if it exists they execute it so if you have an unquoted
execute it so if you have an unquoted
execute it so if you have an unquoted service path where you can write to
service path where you can write to
service path where you can write to program
program
program files make a.exe
files make a.exe
files make a.exe and when the service runs it's going to
and when the service runs it's going to
and when the service runs it's going to find a.exe before it finds this whole
find a.exe before it finds this whole
find a.exe before it finds this whole thing and it's going to run that as
thing and it's going to run that as
thing and it's going to run that as whatever privilege in this case it's
whatever privilege in this case it's
whatever privilege in this case it's running as local system and it's set to
running as local system and it's set to
running as local system and it's set to auto start which means I I think if I
auto start which means I I think if I
auto start which means I I think if I remember correctly it'll start on
remember correctly it'll start on
remember correctly it'll start on boot so you just put your malicious
boot so you just put your malicious
boot so you just put your malicious program there you put your payload your
program there you put your payload your
program there you put your payload your sliver payload or whatever and it'll
sliver payload or whatever and it'll
sliver payload or whatever and it'll execute as admin
execute as admin
execute as admin questions uh yes Andre is it hand that
questions uh yes Andre is it hand that
questions uh yes Andre is it hand that way because there's way
to
to uh's yeah so Linux just refuses you have
uh's yeah so Linux just refuses you have
uh's yeah so Linux just refuses you have to have quotes if there's spaces or you
to have quotes if there's spaces or you
to have quotes if there's spaces or you have to escape the spaces but Windows
have to escape the spaces but Windows
have to escape the spaces but Windows tries to be nice it says you forgot the
tries to be nice it says you forgot the
tries to be nice it says you forgot the quotes that's okay I'll figure it out
quotes that's okay I'll figure it out
quotes that's okay I'll figure it out for you goddamn sense though no in what
for you goddamn sense though no in what
for you goddamn sense though no in what world would I want to stop at the
world would I want to stop at the
world would I want to stop at the space it's like you run a command and
space it's like you run a command and
space it's like you run a command and then you have the like afterwards H that
then you have the like afterwards H that
then you have the like afterwards H that might be it that is probably what's your
might be it that is probably what's your
might be it that is probably what's your name again B what is it bu buay yeah
name again B what is it bu buay yeah
name again B what is it bu buay yeah what's your question I was just going to
what's your question I was just going to
what's your question I was just going to ask as a user could I just go on my file
ask as a user could I just go on my file
ask as a user could I just go on my file exp and find these files if they did
exp and find these files if they did
exp and find these files if they did exist on my computer or would it be like
exist on my computer or would it be like
exist on my computer or would it be like tyal so this is a service that runs a
tyal so this is a service that runs a
tyal so this is a service that runs a program and this output I'm just I'm
program and this output I'm just I'm
program and this output I'm just I'm using sqc to query the service but
using sqc to query the service but
using sqc to query the service but there's a tool called power up the new
there's a tool called power up the new
there's a tool called power up the new version is called sharp up uh and sharp
version is called sharp up uh and sharp
version is called sharp up uh and sharp up will automatically look for unquoted
up will automatically look for unquoted
up will automatically look for unquoted service paths there's also a tool called
service paths there's also a tool called
service paths there's also a tool called win peas and one called seat belt that
win peas and one called seat belt that
win peas and one called seat belt that will do the same thing and more they'll
will do the same thing and more they'll
will do the same thing and more they'll look for even more preg escalation
look for even more preg escalation
look for even more preg escalation vulnerabilities other
vulnerabilities other
vulnerabilities other questions okay oh my God I'm done we're
questions okay oh my God I'm done we're
questions okay oh my God I'm done we're done uh I know uh other questions that
done uh I know uh other questions that
done uh I know uh other questions that people have yes Andre uh I guess for the
people have yes Andre uh I guess for the
people have yes Andre uh I guess for the previous thing is it possible for some
previous thing is it possible for some
previous thing is it possible for some services like based on
services like based on
services like based on privileges
the we go back to the SL EAS show which
the we go back to the SL EAS show which slide the one we just talked about this
slide the one we just talked about this
slide the one we just talked about this one yeah like can you have so that some
one yeah like can you have so that some
one yeah like can you have so that some services are able to
services are able to
services are able to accesse but permissions prevent like
accesse but permissions prevent like
accesse but permissions prevent like generally you can't see it like I don't
generally you can't see it like I don't
generally you can't see it like I don't know what you're asking for General user
know what you're asking for General user
know what you're asking for General user usually they wouldn't be able to see
usually they wouldn't be able to see
usually they wouldn't be able to see because of permission restrictions but
because of permission restrictions but
because of permission restrictions but if you run as an elevated user then it
if you run as an elevated user then it
if you run as an elevated user then it does see that like program.exe and ex
does see that like program.exe and ex
does see that like program.exe and ex and effort to like try and
and effort to like try and
and effort to like try and hide I'm not following okay let's talk
hide I'm not following okay let's talk
hide I'm not following okay let's talk about it later okay other
about it later okay other
about it later okay other questions all right well I hope all of
questions all right well I hope all of
questions all right well I hope all of you become Windows experts I'm
you become Windows experts I'm
you become Windows experts I'm graduating soon and ufit needs one and I
graduating soon and ufit needs one and I
graduating soon and ufit needs one and I promise if you are the only person that
promise if you are the only person that
promise if you are the only person that knows Windows you will get into every
knows Windows you will get into every
knows Windows you will get into every competition uh this knowledge was very
competition uh this knowledge was very
competition uh this knowledge was very useful for me during cptc and during
useful for me during cptc and during
useful for me during cptc and during cyber force and it will be for all of
cyber force and it will be for all of
cyber force and it will be for all of you as well so learn Windows ask
you as well so learn Windows ask
you as well so learn Windows ask questions uh I will say here's some
questions uh I will say here's some
questions uh I will say here's some fantastic resources
fantastic resources
fantastic resources this is like from top to bottom the
this is like from top to bottom the
this is like from top to bottom the order in which I would do them I have a
order in which I would do them I have a
order in which I would do them I have a TCM security course that's entirely free
TCM security course that's entirely free
TCM security course that's entirely free I have the N exec Wiki I have a try
I have the N exec Wiki I have a try
I have the N exec Wiki I have a try hackme room which I really recommend all
hackme room which I really recommend all
hackme room which I really recommend all of you try because I promise that if you
of you try because I promise that if you
of you try because I promise that if you use these slides as a reference you can
use these slides as a reference you can
use these slides as a reference you can do it in like an hour or two game of
do it in like an hour or two game of
do it in like an hour or two game of active directory is a vulnerable Network
active directory is a vulnerable Network
active directory is a vulnerable Network that you can deploy on your own it has
that you can deploy on your own it has
that you can deploy on your own it has like 15 machines or something and you
like 15 machines or something and you
like 15 machines or something and you can put it on AWS and it costs like 3
can put it on AWS and it costs like 3
can put it on AWS and it costs like 3 cents per hour uh the hacker recipe is a
cents per hour uh the hacker recipe is a
cents per hour uh the hacker recipe is a great website with a ton of resources
great website with a ton of resources
great website with a ton of resources and vul lab is a version of hack the box
and vul lab is a version of hack the box
and vul lab is a version of hack the box that is harder and has a lot of really
that is harder and has a lot of really
that is harder and has a lot of really cool active directory stuff on it all
cool active directory stuff on it all
cool active directory stuff on it all right you can talk to me after if you
right you can talk to me after if you
right you can talk to me after if you have other questions
https://www.youtube.com/watch?v=UF8uR6Z6KLc