Ethical Hacking Job Interview

Reddit Comments

This is a good mock interview; I was asked a lot of the questions. To expand as well, be prepared to explain what your tools are doing. E.g., how does Mimikatz work (what process does it mainly tamper with), what are other modules in Mimikatz and how do they work (minidump, for example), explain how Kerberoasting or Golden Ticket attacks work, etc. When we interview people we like to see what a candidate is interested in and dig into that to see how far they can go. The worst type of interviews and interviewers are people who ask you a question you don't know and keep going on that same question.

๐Ÿ‘๏ธŽ︎ 11 ๐Ÿ‘ค๏ธŽ︎ u/Hausec ๐Ÿ“…๏ธŽ︎ Nov 21 2019 ๐Ÿ—ซ︎ replies

As a complete newbie in the cyber security industry, this is great content! I need a list of, like, all the buzzwords (e.g., tools, exploits, other jargon) from this video so I can just research everything. Subscribed.

๐Ÿ‘๏ธŽ︎ 1 ๐Ÿ‘ค๏ธŽ︎ u/psychobabbleking ๐Ÿ“…๏ธŽ︎ Nov 23 2019 ๐Ÿ—ซ︎ replies

A tip for all the folks who want to interview for a tester role: make sure you don't get too caught up in the tooling. When I conduct interviews, I'm more interested in somebody being able to explain to me their methodology for testing rather than them explaining what tool they are going to use.

Using tools is fine, just make sure you understand the concept behind WHAT they are doing and that you can explain what is happening. If your answer to every question is "I use the tool and get the output", you are probably not going to get invited back for a round 2.

๐Ÿ‘๏ธŽ︎ 1 ๐Ÿ‘ค๏ธŽ︎ u/drkRabbit ๐Ÿ“…๏ธŽ︎ Nov 23 2019 ๐Ÿ—ซ︎ replies
Captions
What's up everybody, shalom shalom, how's everybody doing tonight? So we've got a pen test interview happening. I see a bunch of you already talking in chat, you're hyped, that's good. So we've got Matt with us today and I'm gonna be bringing him on here in just a second. I see people are still trickling in, so while we're waiting I'm gonna go ahead and quickly do a quick thank you to everybody. So let's switch screens here, quick Patreon shout-out to everybody. So at $100, Jim, I thank you so much. $25 tier, James G, thank you. And at the $15 tier we got quite a bunch: we got Alpesh, Kermit, Hugo, Will, David, Alastair, Jerry, Sergio, Daniel, Jonathan, Paul, Ricardo and another Sergio. So thank you, thank you everybody, and the other 92 of you that also support the channel with Patreon. You make stuff like this happen and it's an honor to keep doing this.

So today we're going to have Joseph on with us; he goes by Matt. I've been announcing him as Joseph but he actually goes by Matt, so we're gonna have Matt on with us and Matt's gonna walk through a pen test interview with me. He is a senior pen tester in the field and I'll let him introduce himself a little bit, but I'm gonna go ahead and bring him on now. So sir, you are live. Welcome Matt, how are you doing?

Yes, going good. Anybody see me okay?

You are up and running.

Okay, so I guess I'll start out a little bit about myself. I'm a senior pen tester. I kinda started in the IT field a little bit late; I was around 30 years old. I started doing just sort of systems engineer work slash help desk kind of stuff and moved into a security operations center, which is sort of blue team work, and from there I got a couple of certs and started doing some penetration testing work, and now I focus mainly on red teaming, purple teaming, adversarial emulation and things like that.

Cool. So right off the bat you said you got into it late. A big question that always comes through is people worried about their age. Did you have any hindrance with your age coming into the field?

No. I mean, you know, I'll kind of tell you how it was, though, getting into the field. I did the Army thing during my 20s, I was overseas a lot, I was in the Kamath, nothing technical on the computer side really. I came home, I tried pretty hard to get some IT jobs, and I got my CompTIA A+ and my CompTIA Network+ certifications, and after that it was honestly fairly simple. I just put the stuff on my LinkedIn and people started offering me help desk positions, so I got in and pretty much worked my way up from there.

Yeah, cool man. So I guess what we'll do is we'll kick off the interview, we'll do the interview, and then from there, if you've got some time, we'll sit and chat, take questions from the chat and just kind of talk through your background. I think it's interesting to see a different perspective. People here, we talk about different topics, but I think it's good to hear from somebody else and get another perspective on a lot of things. So you kind of covered the initial question, which is always "tell me about yourself." Do you have any hobbies outside of work?

Well, work is a big hobby of mine. When you do security you've got to love it. But yeah, other hobbies: I'm into cars, I was a mechanic before I did any kind of IT work. I'm a huge nerd for astronomy and things like that, gazing at stars, being outdoors as much as I can, aside from being in front of the screen all day. Family, friends, more normal kind of stuff.

So there's a lot of bodybuilding talk, are you into fitness? Chat's going on about bodybuilding.

Yeah, yeah, I was in the Army for a while, did a push-up or two in my life.

Yeah, absolutely. So you kind of have to have it as a hobby for work, or else it feels like work. So I guess when it comes to pen testing, what's your favorite type of job to do, or assessment? What do you enjoy the most?

What I enjoy the most honestly is kind of what a lot of people are probably not expecting to hear, and it's kind of the most painful part, which is actually implementing change on an enterprise level. As much fun as popping shells is, or getting someone to click on a link, or doing something with trust, that stuff is so much fun, but when you come back maybe three months or six months or a year later and you do the same test over again and it doesn't work because somebody actually fixed it, it's like, oh, good job. That really is probably my favorite part about the whole job.

So give me the same part, that's the least and the most?

Yeah, and the extent of the process to get good fixes is painful, it's tedious, but at the end of the day, when it actually gets fixed, that is the most rewarding part for sure.

Absolutely. So I'm gonna ask you a question I get asked a lot in interviews, and I've seen asked a lot, which is where do you get your news? How do you stay up to date on all these new vulnerabilities and exploits and everything that's out there?

Ah, you know, it's Twitter, it really is. A few years ago I started getting into Twitter and that is the best place for open source news. Sometimes if I'm looking at something that may not be incredibly new, doing some Googling, looking for GitHub repositories or Medium links is also good. A lot of people also use r/netsec on Reddit, which is a really good place, but honestly the sheer speed of things that come through my Twitter feed is kind of ridiculous. So that's usually my go-to, and then probably r/netsec, and then Google dorking, GitHub, things like that. Medium usually has articles written up, so that really is where I find a lot of stuff really quick.

Yeah, absolutely, I agree on that. If you want news, and you want news really fast, Twitter's probably the quickest way. Just refresh your feed; if it's trending you're gonna see it. And if you're part of any Discord communities or Slack communities, anything like that, it's gonna be talked about in those communities as well. But yeah, on Reddit it'll trend. Pretty much anywhere in social media you're gonna find that news.

Yeah, I should have mentioned Slack, because Slack is actually really good too. So the Slack that I'm on is the BloodHound Slack. I know there's a thousand others out there, I know that you have one out there, and I know that other local communities, whatever city or state or country that you're in, a lot of the larger cities have their own security Slacks and things like that, so I definitely suggest that.

Yeah, I've been to the BloodHound one and it's actually nice. There's a lot of big names in there and they're actually quite friendly, it's not pretentious, so it's a good place to get experience as well. So I saw one come through in the chat, a question I actually think is good: do you have a biggest weakness when it comes to pen testing? What would you say your biggest weakness is, or where can you improve?

Um, well, my biggest weakness is programming. I'm not a huge programmer, and honestly the only reason I'm not a huge programmer is because so many tools get pushed out so frequently, I've never had a necessity to say, hey, you need to go out there and program something. I actually have more programming experience within PowerShell from my blue team days, trying to automate different tasks that I do, than in my red days. So yeah, honestly, it probably is programming.

Awesome, okay. So that's it for kind of the getting-to-know-you questions, so I kind of want to dive into what I call a scenario-based question. We're going to, from start to finish, cover an assessment. The assessment is: you're assigned with an external penetration test, and you have any and all tools available at your disposal, so if you want an expensive tool you can have it. Social engineering and denial of service are out of scope, and if you breach the perimeter you're actually allowed to continue on to the internal network to see how far you can go with this. Then we're just going to take this step by step and we'll walk through and hopefully own the whole thing by the time it's done. So starting with your external, this assessment's just starting, what's your methodology, how does it start?

Sure, let me ask you this: you said external, does that include IP addresses and domains?

Yes, we'll say that it does.

Okay, so I guess let's get into some important things that some people should know, like kickoff meetings. So the kickoff meeting is a meeting with different business owners and stakeholders, and there are usually some questions that you want to ask, right? So what IP ranges or domains are completely off limits? Maybe there's some kind of upgrade going on or change going on, or maybe something might go down if you do an aggressive scan on it, things like that, just to try to really get an understanding of the underpinnings of the network, things like that. So once that's kind of established, you want to ask, is there a certain time of day that you want things tested, do you only need things tested on the weekend, things like that, to try to understand what the customer wants and needs. Obviously the last thing that you want to do is cause some kind of incident where a business-critical asset goes down, so to me that is very important, get that written down.

But on to the fun stuff. The first thing that I'm probably going to do, and it is sort of tiered, and if this is just a pen test I'm usually very thorough, so if I have some domains in scope for xyzcompany.com, I'm gonna start doing some subdomain enumeration. Within subdomain enumeration there's a lot of good tools. There are tools out there that will do things like subdomain enumeration through registration services, like SSL and TLS, and there's also subdomain enumeration through simple brute force, whether some kind of VPN subdomain is available, or whatever. On top of that I'm going to also start doing some IP enumeration. When I do port scanning I tend to start out with the most common ports first, and the common ports that I do are pretty simple: 80, 443, 8080, 3389, 21, 22, just very common ports that are most likely going to be open outside on the internet. Once I've gathered that information I start looking for low-hanging fruit. Are there login portals available, are there login portals available over HTTP, are there login portals that do not require multi-factor authentication, are there vulnerable web portals that might have some kind of CVE within Exploit Database that maybe I can try to exploit, is there something that might be vulnerable because somebody forgot to change the default credentials in a certain place? So those are kind of the things that I like to start out with.

And as the penetration test goes on, let's say it's 8 o'clock at night and I finally get the scope done. The kickoff meeting is at 8 p.m. here on the East Coast, but it's 5 p.m. on the West Coast, they're leaving for the day, I'm getting ready to go home, but I've already done most of my basic scanning and things like that. I might say, hey, you know what, I'm just gonna go ahead and scan all the ports, go to sleep, come back, see what's open, and just really take a deep look at everything that I have available to me. I might come back the next morning, and once I have this information, like, hey, here's a possible vector, this is open, it's possibly vulnerable to X, Y or Z, this is open. So as you do these port scans, these subdomain enumerations, once you have those you can run your web scanners, or if it's a website you might just want to map the application that you're going after.

So once you sort of go through that phase, what I like to do is, so he said social engineering is out of scope, and obviously denial of service is almost always out of scope, but you might want to look for, hey, how are people's emails listed? There's a website, I'll write it down, I can't really see the screen, but it's hunter.io, and you can type just about any company address that you want in there and it'll tell you, hey, this company goes by firstname.lastname at whatevercompany.com. You can either use open source intelligence and try to pull a list of email addresses and things like that, or you can create your own word list. A lot of times there are issues where you can do username enumeration through maybe some kind of web portal that says invalid username, or incorrect password but your username is right. You can do things like that, and you can script that out, or you can just use a tool like Burp Suite or something like that and look at the different response codes.

So once all my ports are scanned, once I know what the web application kind of stuff looks like, if I'm really trying to get in through the outside I'm gonna look for low-hanging fruit. I'm gonna look for, hey, maybe there's a server out there that's like Server 2008, or it's end-of-life and it's got some brand new 2019 CVE available and there's a proof of concept out there. Maybe there are some default credentials on some kind of interface on a server somewhere. Another thing that you can do, that a lot of people are starting to do, is stuff out on the cloud. Maybe there's some AWS keys out there, or some credentials on GitHub, or some kind of keys on Bitbucket somewhere, to where you can just really try to grab a thread. Once you're able to grab that thread, whether it's default credentials, whether there's a server out there that's just way old, outdated, unpatched that you can get into, maybe there's a subdomain out there where you can just stuff credentials all day long until you get something easy. For instance, a lot of people will say, hey, you do some open source intelligence, you grab a list of valid emails and you can just plug in an easy password. Right now it's winter 2019; I'd start out with Winter2019 with a question mark or a hashtag or a dollar sign or something like that, and just really try to get in there. A lot of companies have remote portals to where you can get in through some kind of remote desktop protocol, or access some kind of computer on the network, like a jump box or something that you can log into, hopefully.

And here is something that's also important when you're doing the external portion. They say, okay, well if you get in you can continue your route in and continue to hack into the network, but let's be very clear: if you're actually doing a penetration test and you're doing some external reconnaissance, if you find something with default credentials, if you find some kind of credentials out on GitHub, or you find some AWS S3 buckets or something, if you're able to actually get in, that is a moment where you stop everything you're doing and you call whoever your point of contact is. A lot of companies, maybe it's the same person with different titles, right? So you might have someone called a handler, you might have someone called a trusted agent, or a business owner or a stakeholder or a manager or whoever, but if you actually do find a way in from the outside, tell somebody right away. And as you're scanning this stuff, I'm kind of backtracking here, make sure you're writing down: okay, this is the source IP that I'm scanning from, this is the IP range that I'm scanning, this is the command that I'm running and this is the time that I'm doing it. If you find bad stuff you say, hey, this is where I found that bad stuff, and if you really find something that critical, let somebody know. A lot of times, if the business owners, stakeholders, handlers, whatever, have some common decency, they'll say, okay, you got in, please continue, we're gonna shut down this way for somebody else to get in. So that's kind of, I like to split it down the middle. That's the external part, and if you're able to get in externally then let's move on to the internal part. Does that make sense?

Yeah, that's perfect. So what we're after there, just for the crowd, is this is a good, detailed response. You want to be detailed in these situations, you want to describe, because there's so much behind methodology, there's so much behind enumeration, you have to describe it. The difference between a senior and a junior level is that a junior level is going to sit there and say, well, yeah, my first step is I'm gonna scan the network, I'm gonna start running Nmap, or I'm gonna start running Nessus. And that's not really the first step. The first step is meeting with the client, the first step is making sure you have all of your ducks in a row. You've got your IPs in scope; you've got to not trust the client when they give you an IP address or website, you have to verify that it's actually their website, their IPs. Then you can kick into your methodology. Once you have all the other ducks in a row, you can start your scanning and your enumeration, you can start looking for the login forms, low-hanging fruit, the password spraying. So there are so many little different things to touch on that a detailed response like that is, I think, important.

So let's take it from here and let's move in. Let's say that we were doing this testing and we found a web interface, and on that web interface, let's say that we scanned it with Burp Suite and Burp Suite is saying that it thinks that there is blind SQL injection on it. How could we confirm the blind SQL injection?

So what I always do, and what has always been really successful for me, if some kind of SQL injection tool says, hey, the heuristic test says that it might be vulnerable to blind, I always do the sleep test. Because if there's some kind of injection point, I'll say, okay, sleep for 5, whatever kind of SQL backend, MySQL, MSSQL or whatever. I always like to do sleep for 5, and if it takes a while then I'll do sleep for 10, and if it sleeps for longer, if it just continually gets longer, I'm like, yeah, okay, definitely blind, let's move forward.

So that is the correct answer. Okay, clarification for people who aren't pen testers: the SQL injection here, since it's blind, we can't see a result, there's no error message on the screen. So if we're able to put in a sleep and it does sleep for five seconds, then we put in a sleep and it does sleep for 10 seconds, then we know that these commands are actually functioning on the back end even though we can't see any results on the front end. So that's a correct answer. Okay, so we've got the SQL injection. Let's say you're writing the report for this SQL injection, how would you recommend a client mitigate SQL injection?

Uh, pretty simple, it's input validation. If you don't have input validation, both for your SQL queries or anything else, you're gonna make yourself vulnerable to both SQL injection and cross-site scripting, and, I mean, all kinds of bad things, potentially code execution, other things.

Yeah, so another way to put it is parameterized queries. With your SQL code you should be using parameterized queries in order to prevent these things from happening. Okay, so you got in through SQL injection, we managed to get remote code execution, we landed inside the network, you already passed the DMZ, all the fun stuff's over, you're on the corporate network. So now you're on the corporate network, we're gonna treat this like it's an internal. You don't have to worry about the noise factor; this is actually the first time they've ever had an internal, it's already going pretty bad for them, so just be as noisy as possible. If they catch you, they catch you, that's fine, but I just want to know your methodology behind what you would do on an internal and what you're looking for.

Now, yes, if I don't have to worry about noise, once again I'm gonna start looking for low-hanging fruit. I'm gonna run Responder. Responder abuses Link-Local Multicast Name Resolution, LLMNR, and NetBIOS Name Service. Run Responder, try to pull some password hashes. Another thing that you can do is you can run mitm6, just sort of abuse some IPv6 features as well, and bring that up, because a lot of people are not up on that. Another thing that you might want to do, if you're not worried about noise, you can run BloodHound. For anybody here that doesn't know, BloodHound creates a graph to where it can map Active Directory relationships. If you do that, then you can take that later and you can actually say, hey, these people are over-permissioned. So yeah, like Responder: if you grab password hashes, let people know, hey, LLMNR and NBT-NS are most likely not needed in your network. Also running mitm6, it'll say, just be careful with your IPv6 traffic if you're not tracking it, if you're not filtering it into your SIEM or whatever. Running BloodHound, you can gather results to say, hey, this person should not be able to remote desktop into every single computer on the network, this person is a clerk, a cashier or something. Another thing that you can do is you can start looking for very well-known vulnerabilities, like, hey, let's see, what's vulnerable to Shellshock, what's vulnerable to MS08-067, which is Conficker, what's vulnerable to EternalBlue, what's vulnerable to BlueKeep. And here's the thing, you don't even have to exploit all this stuff. If you're on the internal network and you're doing a pen test, your biggest value-add to this company is to tell this company where they have issues, right? Because for anybody here that doesn't really know much, almost every single person in the world will tell you, yeah, our company is super hard on the outside and kind of squishy on the inside. So try to get yourself a list of hosts vulnerable to maybe some of the most common exploits, and that's BlueKeep, Shellshock, EternalBlue, Conficker, things like that. Grab some password hashes, see what you can do with those password hashes. Another thing that you can do is maybe abuse some internal email relays. For instance, I'll give you one example of an email relay, and this is probably across the board for every company in the world: smtp.whatever domain.com is probably an open relay, I think that's the default for Cobalt Strike. So if you can abuse open email relays and maybe send some phishing emails, maybe as an executive or domain administrator or some kind of admin of some sort, you can do that. Another thing that you can do is abuse service accounts. So there's a thing called Kerberoasting. Kerberoasting is essentially, you can, as almost the lowest privileged user in an Active Directory environment, actually obtain password hashes for service accounts, and a lot of times companies have those things misconfigured. Maybe those service accounts are running as some kind of admin of computers, they have interactive logon rights; there's a lot of dirty things that you can do with that. Another thing that you might want to look at is other low-hanging fruit. Maybe someone is running SMB version 1 and you're actually able to do some kind of NTLM relay, to where SMB traffic is run back and forth and you can actually start popping shells that way. If traffic is not a problem and you're on a large network and you're pretty much allowed to do whatever you want, my biggest value-add would be to look for the lowest-hanging fruit, grab as many passwords as I can, try to escalate to domain administrator or some kind of administrator. And once you're actually in, here's the thing: once you hit domain administrator, that is really where your penetration test starts, right? You've hit domain administrator, start looking for other stuff, like, are you storing passwords somewhere that you shouldn't be storing passwords, do low-level users have access to maybe your code repositories, or maybe an SCCM instance? There are so many things you can do once you get into the internal part of a network, past the DMZ, to where the corporate network actually is. In order to do that, and this is just my opinion, feel free to weigh in, without actually disrupting business and making your customer mad, figure out where the low-hanging fruit is. Like I already said, a few vulnerabilities, grab the passwords, get yourself domain admin, and really try to come up with the most amount of easy wins: patch your stuff, turn these protocols off, update your SMB version, stop storing passwords here and there, lock down your code repositories better, and make it harder for people like me. And if this noise that I'm creating is not causing a lot of alerts and I'm not getting some kind of feedback from your security team, that's also a problem too; you might want to invest a little bit more in your security appliances.

Okay, so you did a great job answering that. I didn't tell you how far to go or not how far to go, so there are some things that we touched on there that we're probably gonna touch on again in a minute, or we skipped. Some things that he touched on, like BloodHound or something like Kerberoasting, assume having an account already, which you did say, you absolutely said that, so those kinds of tactics are good, we're going to touch on that in a second. Another thing that I think we should mention is SMB signing, because you don't have to be authenticated for that; that's another one that you would want to look for. mitm6 is effing fantastic, by the way, a great tool, probably the number one way in on networks lately, just because of what it's capable of doing. It's capable of dumping a lot of things, similar to BloodHound, just giving you a lot of information on what users are in what groups. It can dump all the groups, the OUs, you can look for things like passwords in notes, or stored in service accounts, or stored on a user in Active Directory, because nobody thinks that you can see them, but they're easily pulled down. So just that enumeration factor and pulling these hashes, these basics, just looking for that low-hanging fruit again, especially like you touched on, with this being a first assessment we need to find all the big wins and we need to find where they can most improve. Then the next time we come through, if it's next year, it's gonna be a little harder on us, and then we'll find more details and we'll give them even more, to the point eventually where hopefully it's really difficult for us to move any further inside their network.

So moving on with that. Let's say that, okay, you mentioned Responder, we captured a hash with Responder, we've cracked the hash. What can we do with this username and password? Let's leave out Kerberoasting, we talked on that one, but we'll leave out BloodHound too. What are some things that we can do once you have it? What are the first steps that you're going to start taking with this username and password?

I mean, honestly, see what the username and password can do. What groups is this person a member of, do they have a path to some kind of administrator, does this person have Remote Desktop privileges to another computer? And I'll kind of talk about this a little bit. So let's say that this person has privileges to Remote Desktop into another computer, and they can also be admin to this computer, and let's say that this is a shared computer with another person who also has admin privileges but maybe has access to different groups. So maybe I can use this person's username and password to maybe laterally move to another computer via remote desktop or some other method.

Can you name your tool that might be able to check for something like that?

Um, yeah, sure. Well, I mean, BloodHound is a good tool. I'm going to use Cobalt Strike; a lot of people on here may use Metasploit, but there's also some other kind of simple tools. You can use the native Windows command line, or if you're into PowerShell there's PowerView. If you're in a more mature environment that maybe has PowerShell logging, you can use a .NET tool written in C#, SharpView, to kind of see where your privileges are, or what groups you're a member of, maybe where you can actually remote into.

So you're stuck a little in advanced mode; I'm looking for a baby free-throw answer. So you've got the credentials and you want to pass them around the network. You know what I'm asking about: like, if I say I've got Password1 and I just want to throw that around all the SMB shares, what am I looking for?

Sure, sure, yeah. So maybe you have this /24 and you have a username and password. Maybe you want to use something like CrackMapExec and just throw that username and password against a /24 and just see where you have rights. Look, the silly little illustration here is your /24, and you can use CrackMapExec and it'll just go through all these. It'll say, like, no rights, no rights, no rights, oh, do you have access to this, you can write into this C$ share, you can have code execution here, and you can kind of move laterally from there.

Perfect, that's spot on, that's what I was looking for. Okay, you're showing your advanced side, but for the younger crowd, just when we get those credentials, passing them around might get you easy wins, and there are other tools as well, like psexec, smbexec, wmiexec, all part of that Impacket toolkit that you can utilize to kind of get access to these machines as well.

So let's say, okay, let's say you have access to a machine. Let's say you passed the password around and you gained access to five machines, and you're a local administrator on these machines. So what are your steps here? We're going to go ahead and skip BloodHound, PowerView, any of those enumerations; just cover for me some of the basics, what you can do with a Meterpreter shell. What are some things you might be looking for with a simple Meterpreter shell?

Okay, yeah, sure. If I have local admin, I'm gonna look for GPP passwords, so that's Group Policy Preferences. That's something a little bit older, but it is still out there, you can still find that. So a GPP password is essentially a password encrypted with an algorithm that is actually publicly known, and you can actually decrypt it. If you can do that, you're spot-on. If you're a local admin there, you might want to start trying to look for different tokens on the machine. So maybe there's more than one session, maybe there's another local admin on a machine with different privileges that you want, and you can steal that person's token.

Can you name that tool for the crowd?

Yeah, yeah, it's called Incognito. So using Incognito you can list different tokens and steal whatever token that you want. If it's a workstation, you're most likely not going to see another admin logged in at the same time that you are, but there might also be a service that's running as some kind of administrator. Or maybe the service isn't really running as an administrator, but it does have rights to maybe a server that you want to get onto, and you can steal that token and move from that workstation to a server, and from there, there might be a domain controller, or something with access to a domain controller. There's a lot of different, you know, maybe Mimikatz. Meterpreter has Mimikatz built into it. If you don't have WDigest disabled, you can get clear-text credentials right off the bat. If there is someone else logged in there through RDP or something like that, or you're on a server, you can snag logonpasswords. Or if you're at SYSTEM-level privilege, if you're an administrator on a machine, you can pretty much become SYSTEM-level privilege and do whatever to that machine that you want.

Honestly, if we're at this point, I am an administrator and I am on some type of important machine that I want to stay on, I'm probably gonna start really looking at persistence mechanisms. Persistence mechanisms are essentially, anyone here doing any kind of CTF or doing any contests knows how important persistence is, because it's so hard to get a shell these days. Once you lose that shell, that is the worst thing that could happen to a pen tester or red teamer. So persistence mechanisms like through a scheduled task, or some kind of registry change, or, a fun one, I'll release some tradecraft, but people will be able to see this after the cast is over, correct?

Yep, this'll be on demand.

Yeah, so here's a fun one that I like to use. It's called Image File Execution Options, and you can map this to the ATT&CK framework, right? So let's say that you drop a file to disk and the file looks benign, no one's ever going to catch it, it bypasses all AV, and you want to make sure that you get this persistence mechanism on point. Well, you can actually set it to where either upon opening of a common file or upon closing of a common file, once someone closes that file
it will actually execute your malicious executable so every time somebody either opens or closes the exit this program it will launch your executable and it's fairly it's it's honestly not really taught so I prefer to have persistence no that's that's a great answers again yeah so just as a recap things we're looking for our hash jump maybe cats you know extracting whatever credentials you can taking the hash again and again running maybe crack map exec or seeing you know if you can crack the hash offline to just you know just to have it and start passing those around seeing if they get you in any we're seeing again if you can move laterally to a new machine seeing if anybody's logged in like you said looking for the the token impersonation and just you know if you're desperate maybe even looking for for files on the machine stored passwords and text documents or or wherever so it all comes down and we said in the beginning and still here it all comes down to information gathering and enumeration when when you're doing this stuff a lot of the exploitation is kind of the easy part so ok moving on in this scenario so you have successfully enumerated the domain and you discovered you're in a child domain you've also dumped some local hashes and store credentials with me me cats so one of the credentials turns out to be domain administrator and you now have access to the child domain controller so can you walk me through how you might leverage this access for persistence and name an attack that we can use I guess for persistence would be one and for escalating to the parent domain controller and there's you can name whatever attack you want there's a few but I think I might be looking for one in particular so sure uh so a mama travel domain controller and I'm in access and I need to access the parent domain controller that I've got I've got two answers I've kept two answers the first answer which is the easiest but it's starting to get it's starting to get caught now 
I'm going to make a golden ticket so if you're on a child domain and you need to get on to a parent domain and you've you've got the hashes that you need you can create a gold ticket the way that I personally would create a golden ticket is I would make a sacrificial token for someone who doesn't exist I would then inject that I would inject that golden ticket into the session and then I would you know try to access that that parent domain controller it'll work if you want to be a little bit more stealthy what you might want to do is create something called a silver ticket the silver ticket is essentially a good way to access the the parent domain controller without manipulating the Kerberos ticket granting ticket service and setting off alarms within your security operations center whatever that might be so yeah those are two kind of two kind of ways golden tickets probably the most popular silver ticket is is not not only a little bit less popular but it's a lot more stealthy as far as persistence if you do create a golden ticket the cool thing about a golden ticket is um you know if you have the password hash to the Kerberos ticket granting ticket service you can persist on a domain almost until the company is no longer in existence gonna order like once the krbtgt hash is exposed the only way to fix that is to change the krbtgt hash two times you've got to change it like today is 1120 2019 we can change it today and then we literally have to wait 24 hours to change it again and then once it's changed again then we could actually not have any more persistence and then you never know what kind of services are going to break after that so yeah so those are kind of the ways I would do it yet make yourself a golden ticket if you want to you know really get in there super easy and maybe you'll set up something maybe you won't it's still were ticketed honestly you're probably not going to get caught and then three if you just have the Kerberos ticket granting ticket 
service hash then yeah I mean you can honestly persist on the domain pretty much until the other time so so I via perfect no that's great that's that's exactly what I was looking for so spot-on on the answer so that is that's it so I'm gonna I'm gonna wrap it up here on the scenario base so other questions like so a few things to point out this is this is great this is how a senior would answer some of these questions and I think that if you are sitting here and you're junior level or you're trying to get into the field I would take notes and listen to some of this feedback and you could really utilize that to go kill it in your interviews other questions that I had that we're not to be able to get to but is a web application testing methodology I've always curious to know that you're probably going to get asked that I did hint on that in the scenario base with knowing if you know it's blind sequel injection is and knowing if you know the mitigation strategies for that almost always asked about Wireless assessments wpa2 personal maybe wpa2 enterprise and how you perform those sometimes you get asked about physical penetration tests so those comes as well so if you're doing this you know as a consultant role and not an internal role you're probably going to get asked a lot more because you're gonna have to wear many more hats and do a lot more different types of assessments but yeah it's it's important too that you are thinking about not just what you're doing but what the client the client is like what their needs are thinking about the you know the rules of engagement and where you guys stay in scope testing scope and you also have to be prepared to do a debrief and be sociable you don't have to be an extrovert you could be an introvert but you have to be sociable enough to give a debrief have good well-spoken skills and good writing skills on top of good technical skills so you really have to be this well-rounded person so if you if you're watching tonight and 
you're saying hey I don't know this or I don't know that what did he say take some notes go look it up and it'll it'll really help you out so I want to be the first to thank you for for coming on stream I don't know if there's anything is there anything you wanna you want to pitch or any advice you want to give or anything for for the people watching may be the the newer people or just anyone in general yeah sure um you know judging just for anybody on here literally a few years ago I mean my first smartphone was like 2014 I was so technology unsaddle you know if you really want to be a fantastic you really want to be a or whatever just keep at it I mean it's gonna come in time I think I saw a couple things like you know I know that I'm overly technical but yeah just just keep going on it stay on the path you will get there and honestly even even more so than being technical what's way better than being technical is being able to talk to people like literally they don't even let me talk to people at my job they're like too technical so take a little bit advice from heat he has excellent communication skills and that then I will honestly take you further than you know your your yeah communication will take you much further than technical skills and so something to touch on that we talked about kind of in private but I think it's public to share is that um you know you you were told that you were stupid right like that you like this isn't the like this you would make it kind of deal is that is that never good statement yeah oh yeah yeah yeah yeah yeah people told ya people a lot of people told me oh you're you know you don't have any experience you're dumb all this and that but honestly yeah yeah nobody is too dumb to do this I think I think the best I think the best thing that I've ever heard was from a guy I follow on Twitter his name is Derek rook and he said something like information security is a feel that that involves so quickly that if you don't know much 
now you can learn enough to be relevant and a couple of year because it changes so fast you know so that that's kind of a double-edged sword if you're really trying to get into it now if you really try hard and push art you can be relevant in a couple years but then again it's also one of those things like if it's not a passion of yours if you're not really into if you're only into account for the money and you kind of rest on your laurels then you know it yeah like cool yeah no I think I think that's great advice and that's that that's what I harp on too is that you know if you want to be in the field you've got to stay on top of it and you got to be motivated this has got to be something you're passionate about or else you're just going to get left behind so you know if you're not the one where you you go home at night and you're like I still want a pen test you know I want to I want to mess around maybe hack the box or do bug bounties or whatever it is like the wheel is almost always spinning I feel like four people in the field and if you don't have that passion you're you are going to get left behind so it doesn't come down to intelligence it doesn't come down to age it doesn't come down to any of this but your effort it's the amount of effort you're willing to put into it and you know some people some people get it right away and some people takes a lot more effort but if you're willing to put in the effort you might have to work harder than some other people did but if you're willing to put in that effort you can succeed and make it into the field yeah so yeah I do have one more thing yet you had about technology in general because my first shot was help desk I don't know what a percentage basis of your followers actually have a job in technology but here's the cool thing about technology you can get a job in technology right now like let's say that you get your eight plus and you make whatever amount of money you can come and chill and just make that money 
and enjoy your life and do whatever that you want to do and it's fine but the cool thing about technology is if you want to if you're like you know what I'm tired of making this this this amount of money doing helpdesk I want to get a network engineer I'm going to get my cc in it here's a cool thing you don't have to go out and do another five years in college to get your CCNA and they get like a big table right and then let's say that you want to do you know hey you did helpdesk and you know then you went and got your CCNA and you you're a network engineer now you're a cisco command line and you can do this kind of stuff and then you kind of get you know hey I have an interest in you know security now I want to be like a Cisco expert security engineer you know it's technology is just such a good field to get in because you don't necessarily need a degree you know certifications are out there I mean the amount of information you can get from Google is so fast and it's just so wonderful I mean you can seriously go from I mean you can get like an A+ and chill and do your helpdesk and replace hard drives and love life or you know you can you can bounce and kind of move up and you know maybe make a ton of money and I mean it's just tech technology the technology field whether you're security health s database security whatever it's just such a good field yeah I agree 100% man I think we're on we're on par with a lot of this so we actually it is nine o'clock on the dot so for her timing it's fantastic um anything else any other final words if you're not subscribed to he's twitch it was YouTube it felt like and subscribe thank you man I appreciate it and I saw a donation come through earlier Sean Sean OB I'm hope I'm saying right $100 thanks man that's that's insane you're insane um so thank you thank you again that I really do appreciate you coming on you're gonna help a lot of people out so I'll have the video up on YouTube here in a couple hours and I think I think 
it's gonna be great so thank you thank you so much for joining us I really do it not a problem alright catch you later bye
Info
Channel: The Cyber Mentor
Views: 43,882
Keywords: thecybermentor, the cyber mentor, hacking, ethical hacking, information security, cybersecurity, hacker, m4v3r1ck, mentor, infosec, pentester, pentest, how to hack, beginner, offensive security certified professional, certification, sans, elearnsecurity, ptp, interview, interview tips, mock interview, hacking interview
Id: IDpjaS6OYPU
Length: 59min 46sec (3586 seconds)
Published: Wed Nov 20 2019