1 00:00:00,180 --> 00:00:02,790 -: Hello and welcome back. 2 00:00:02,790 --> 00:00:05,910 So in this lecture we're going to touch 3 00:00:05,910 --> 00:00:10,080 on a subject that we haven't covered in the course yet. 4 00:00:10,080 --> 00:00:14,850 For this we're going to need knowledge of two major things. 5 00:00:14,850 --> 00:00:19,500 One of those things is knowledge of Active Directory. 6 00:00:19,500 --> 00:00:22,440 Now, since this is out of the scope for this course 7 00:00:22,440 --> 00:00:25,380 we will not be covering what Active Directory is 8 00:00:25,380 --> 00:00:27,030 or how it works. 9 00:00:27,030 --> 00:00:30,000 So I do recommend for you to go and read about it 10 00:00:30,000 --> 00:00:33,900 or just to get the basic knowledge so you can follow along 11 00:00:33,900 --> 00:00:36,330 through this challenge that we're going to go through 12 00:00:36,330 --> 00:00:37,263 in this lecture. 13 00:00:38,250 --> 00:00:41,010 So I recommend going onto the Microsoft website 14 00:00:41,010 --> 00:00:44,790 because all of the documentation and all of the definitions 15 00:00:44,790 --> 00:00:48,450 and structure of Active Directory can be found there. 16 00:00:48,450 --> 00:00:50,776 You just type in Active Directory, you click 17 00:00:50,776 --> 00:00:55,500 on any of these links and you start reading about it. 18 00:00:55,500 --> 00:00:59,310 Now this is a lot of things to read 19 00:00:59,310 --> 00:01:01,470 so you don't really have to do that. 20 00:01:01,470 --> 00:01:03,630 You can just go and Google 21 00:01:03,630 --> 00:01:05,820 some other website that gives a more plain 22 00:01:05,820 --> 00:01:08,460 and simple explanation of Active Directory, 23 00:01:08,460 --> 00:01:10,290 what it is and how it works. 24 00:01:10,290 --> 00:01:13,860 And that should be enough for this lecture. 25 00:01:13,860 --> 00:01:18,860 The second thing that we need is a TryHackMe account. 
26 00:01:18,930 --> 00:01:19,763 So 27 00:01:19,763 --> 00:01:22,950 in my Back bound course I do cover the TryHackMe platform 28 00:01:22,950 --> 00:01:26,220 but for this course I think we are encountering it 29 00:01:26,220 --> 00:01:27,780 for the first time. 30 00:01:27,780 --> 00:01:31,800 So go ahead, create an account on the TryHackMe platform. 31 00:01:31,800 --> 00:01:33,750 And once you create an account 32 00:01:33,750 --> 00:01:35,850 there is one more thing that you should do 33 00:01:35,850 --> 00:01:38,520 and that is to connect to their VPN 34 00:01:38,520 --> 00:01:41,400 so you can access their virtual machines that are used 35 00:01:41,400 --> 00:01:42,243 for practice. 36 00:01:43,080 --> 00:01:45,930 So for this particular lecture we're going to 37 00:01:45,930 --> 00:01:49,833 cover the Attacktive Directory challenge. 38 00:01:50,910 --> 00:01:53,880 Now you can find the Attacktive Directory challenge 39 00:01:53,880 --> 00:01:55,500 at this link right here. 40 00:01:55,500 --> 00:02:00,500 So tryhackme.com, slash room, and then slash attacktivedirectory. 41 00:02:02,640 --> 00:02:03,870 Once you go there 42 00:02:03,870 --> 00:02:06,990 you will also have a simple explanation here 43 00:02:06,990 --> 00:02:09,300 on how you can deploy the machine 44 00:02:09,300 --> 00:02:11,340 that we are going to be targeting as well 45 00:02:11,340 --> 00:02:13,950 as how you can connect to their VPN. 46 00:02:13,950 --> 00:02:15,840 So to connect to their VPN 47 00:02:15,840 --> 00:02:18,540 just follow along this small tutorial 48 00:02:18,540 --> 00:02:22,883 under task number one and you should be connected 49 00:02:22,883 --> 00:02:25,560 to the OpenVPN at the end of this task. 50 00:02:25,560 --> 00:02:27,840 As you can see right here 51 00:02:27,840 --> 00:02:31,230 I downloaded my VPN configuration file 52 00:02:31,230 --> 00:02:33,731 and I used sudo openvpn to open 53 00:02:33,731 --> 00:02:36,630 and run this configuration file. 
54 00:02:36,630 --> 00:02:40,800 So you will need to use sudo. Once you do that, 55 00:02:40,800 --> 00:02:42,030 let me lower this. 56 00:02:42,030 --> 00:02:43,620 We no longer need this window. 57 00:02:43,620 --> 00:02:46,350 You should have their IP address. 58 00:02:46,350 --> 00:02:49,980 If you type ifconfig and scroll all the way down 59 00:02:49,980 --> 00:02:51,990 there will be another interface turning 60 00:02:51,990 --> 00:02:55,923 up with an IP address for this VPN. 61 00:02:57,360 --> 00:02:59,190 Okay, awesome. 62 00:02:59,190 --> 00:03:00,330 Once we do that 63 00:03:00,330 --> 00:03:04,170 we are ready to get started with attacking this machine. 64 00:03:04,170 --> 00:03:07,500 So we are strictly going to focus 65 00:03:07,500 --> 00:03:10,230 on completing these challenges right here 66 00:03:10,230 --> 00:03:12,240 that we are provided. 67 00:03:12,240 --> 00:03:15,780 So we're not going to mention some other different ways 68 00:03:15,780 --> 00:03:17,610 that certain things can be done. 69 00:03:17,610 --> 00:03:20,460 We just want to complete this task. 70 00:03:20,460 --> 00:03:23,430 So for the first task, which is setting up the machine 71 00:03:23,430 --> 00:03:28,430 and the VPN, there is nothing really that we need to do 72 00:03:29,010 --> 00:03:33,540 but once we do that we can just click on start machine 73 00:03:33,540 --> 00:03:37,350 and our machine or our target machine will be started 74 00:03:37,350 --> 00:03:42,150 and its IP address will be shown in one minute. 75 00:03:42,150 --> 00:03:44,610 The machine expires in about one hour 76 00:03:44,610 --> 00:03:47,670 but you can always click on add one hour 77 00:03:47,670 --> 00:03:49,590 if you haven't finished everything 78 00:03:49,590 --> 00:03:53,493 or you can just terminate the machine and restart it again. 79 00:03:54,997 --> 00:03:58,680 Okay, so once we finish the first task 80 00:03:58,680 --> 00:04:02,910 we are ready to go onto the second task, which is setup. 
81 00:04:02,910 --> 00:04:06,300 Now for this, I already finished all of these things 82 00:04:06,300 --> 00:04:09,840 but you will need to do it, installing Impacket. 83 00:04:09,840 --> 00:04:12,210 So it does give you commands 84 00:04:12,210 --> 00:04:14,220 and the tools that you will need to 85 00:04:14,220 --> 00:04:17,579 install certain things that this challenge requires. 86 00:04:17,579 --> 00:04:20,976 So for example, you need to get the impacket.git 87 00:04:20,976 --> 00:04:25,977 and it'll be stored in /opt/impacket. 88 00:04:26,370 --> 00:04:28,140 Another thing that you need to do is install 89 00:04:28,140 --> 00:04:31,950 the requirements for Impacket with pip3 90 00:04:31,950 --> 00:04:34,800 and you need to run the setup.py file 91 00:04:34,800 --> 00:04:36,630 once you complete these two commands. 92 00:04:36,630 --> 00:04:39,420 So just follow along, read through all of this, 93 00:04:39,420 --> 00:04:42,330 follow along the commands that you need to execute 94 00:04:42,330 --> 00:04:44,580 for this challenge. 95 00:04:44,580 --> 00:04:46,890 And in case you encounter some issues, there are 96 00:04:46,890 --> 00:04:51,360 also different commands here that might work instead. 97 00:04:51,360 --> 00:04:53,520 And once you're done with Impacket 98 00:04:53,520 --> 00:04:55,950 you also want to install BloodHound 99 00:04:55,950 --> 00:04:59,010 and Neo4j with the command provided down below. 100 00:04:59,010 --> 00:05:01,680 It might require sudo, I don't really remember 101 00:05:01,680 --> 00:05:04,710 but give it a try without and with sudo. 102 00:05:04,710 --> 00:05:07,800 If you have issues, always perform apt 103 00:05:07,800 --> 00:05:10,440 update and apt upgrade first 104 00:05:10,440 --> 00:05:14,640 and then redo the installation of these packages. 105 00:05:14,640 --> 00:05:16,517 Okay, once that is done 106 00:05:16,517 --> 00:05:20,940 we are ready for the first real task, which is enumeration. 
107 00:05:20,940 --> 00:05:23,040 So you will notice that right here I have some 108 00:05:23,040 --> 00:05:26,670 of the tasks completed, but we're just going to ignore that 109 00:05:26,670 --> 00:05:28,770 and we're going to pretend as 110 00:05:28,770 --> 00:05:31,710 if we are restarting this from the beginning. 111 00:05:31,710 --> 00:05:33,180 Okay. 112 00:05:33,180 --> 00:05:35,070 So enumeration, 113 00:05:35,070 --> 00:05:37,350 Welcome to Attacktive Directory. 114 00:05:37,350 --> 00:05:40,770 Now here is the introduction and here is the part 115 00:05:40,770 --> 00:05:43,431 that explains why enumeration should be done first 116 00:05:43,431 --> 00:05:48,431 and which tools we can use to complete the enumeration part. 117 00:05:49,920 --> 00:05:54,330 So right here we have several questions that we 118 00:05:54,330 --> 00:05:56,760 need to answer and some of them are already answered 119 00:05:56,760 --> 00:06:00,030 but don't mind that at the moment. 120 00:06:00,030 --> 00:06:03,930 And let's go with the first task. 121 00:06:03,930 --> 00:06:05,430 So let's read through this real quick. 122 00:06:05,430 --> 00:06:09,540 Basic enumeration starts out with an Nmap scan. 123 00:06:09,540 --> 00:06:13,410 Nmap is a relatively complex utility that has been refined 124 00:06:13,410 --> 00:06:17,280 over the years to detect what ports are open on a device, 125 00:06:17,280 --> 00:06:19,020 what services are running 126 00:06:19,020 --> 00:06:23,130 and even detect what operating system it is running. 127 00:06:23,130 --> 00:06:24,420 It's important to note 128 00:06:24,420 --> 00:06:27,270 that not all services may be detected correctly 129 00:06:27,270 --> 00:06:30,270 or enumerated to their fullest potential. 130 00:06:30,270 --> 00:06:33,090 Despite Nmap being an overly complex utility 131 00:06:33,090 --> 00:06:35,490 it cannot enumerate everything. 
132 00:06:35,490 --> 00:06:38,280 Therefore, after an initial Nmap scan 133 00:06:38,280 --> 00:06:40,200 we'll be using other utilities to help us 134 00:06:40,200 --> 00:06:44,190 enumerate the devices or the services running on the device. 135 00:06:44,190 --> 00:06:49,143 Okay, we have some notes here that will be used for later. 136 00:06:50,160 --> 00:06:52,260 And the three questions that we get in this 137 00:06:52,260 --> 00:06:54,930 part of the task are: what tool will allow us 138 00:06:54,930 --> 00:06:58,650 to enumerate ports 139 and 445, 139 00:06:58,650 --> 00:07:01,230 what is the NetBIOS domain name of the machine, 140 00:07:01,230 --> 00:07:02,850 and what invalid 141 00:07:02,850 --> 00:07:07,050 TLD (TLD is also known as top-level domain) 142 00:07:07,050 --> 00:07:09,903 do people commonly use for their Active Directory domain? 143 00:07:10,770 --> 00:07:11,610 Okay. 144 00:07:11,610 --> 00:07:14,220 So as our task told us, 145 00:07:14,220 --> 00:07:18,095 the first approach will be to run a simple Nmap scan 146 00:07:18,095 --> 00:07:21,150 which we can do by typing nmap. 147 00:07:21,150 --> 00:07:24,420 And then we just paste the IP address given to 148 00:07:24,420 --> 00:07:27,090 us right here and press enter. 149 00:07:27,090 --> 00:07:28,740 So this is the basic Nmap scan. 150 00:07:28,740 --> 00:07:32,010 We're not using any other options and we'll just 151 00:07:32,010 --> 00:07:35,040 get several ports open. 152 00:07:35,040 --> 00:07:37,530 Now, based on these ports, we can already assume 153 00:07:37,530 --> 00:07:40:770 that this target is running Active Directory. 154 00:07:40,770 --> 00:07:45,000 Since we see NetBIOS, we see Kerberos, we see LDAP, 155 00:07:45,000 --> 00:07:49,590 all these ports can indicate an Active Directory. 
156 00:07:49,590 --> 00:07:51,600 Now if we want to check the versions 157 00:07:51,600 --> 00:07:55,560 we already know that we can run the -sV scan 158 00:07:55,560 --> 00:07:58,847 and this will display the versions, or this will 159 00:07:58,847 --> 00:08:03,573 output the versions of software running on these open ports. 160 00:08:05,490 --> 00:08:09,240 Okay, so we can see all of it right here and here 161 00:08:09,240 --> 00:08:12,330 under this service on the LDAP, we can already 162 00:08:12,330 --> 00:08:13,620 see the 163 00:08:13,620 --> 00:08:15,360 first answer 164 00:08:15,360 --> 00:08:17,970 to the third question right here 165 00:08:17,970 --> 00:08:20,610 which is what invalid top-level domain do people 166 00:08:20,610 --> 00:08:23,460 commonly use for their Active Directory domain? 167 00:08:23,460 --> 00:08:25,740 And the answer is .local. 168 00:08:25,740 --> 00:08:28,560 We got .local right here in the output. 169 00:08:28,560 --> 00:08:32,549 So if you paste it here it will be the correct answer. 170 00:08:32,549 --> 00:08:35,159 But before that, since this is the third question 171 00:08:35,159 --> 00:08:38,159 just don't mind it at the moment. 172 00:08:38,159 --> 00:08:41,340 We did get the output of it in the -sV scan 173 00:08:41,340 --> 00:08:44,039 but let's answer the second question first. 174 00:08:44,039 --> 00:08:47,433 What is the NetBIOS domain name of the machine? 175 00:08:48,270 --> 00:08:50,850 So here we really don't get the output for that 176 00:08:50,850 --> 00:08:53,640 but there are several tools that we can use to 177 00:08:53,640 --> 00:08:55,020 get the output. 178 00:08:55,020 --> 00:08:57,363 One of those tools is enum4linux. 
179 00:08:59,070 --> 00:09:03,660 If you just type enum4linux and you paste the IP address 180 00:09:03,660 --> 00:09:07,110 it will perform several different tasks 181 00:09:07,110 --> 00:09:10,590 or checks including trying to discover the NetBIOS 182 00:09:10,590 --> 00:09:12,750 domain name of the machine. 183 00:09:12,750 --> 00:09:16,533 So it'll take several seconds for it to finish. 184 00:09:17,820 --> 00:09:19,830 So let's wait for that. 185 00:09:19,830 --> 00:09:22,470 Okay, so we can Ctrl-C this, 186 00:09:22,470 --> 00:09:25,050 we don't need it to run any longer. 187 00:09:25,050 --> 00:09:26,430 We got what we searched for, 188 00:09:26,430 --> 00:09:30,540 so the NetBIOS domain name we can find 189 00:09:30,540 --> 00:09:32,610 or we can read it right from here. 190 00:09:32,610 --> 00:09:36,850 So here are the accounts on the Active Directory 191 00:09:36,850 --> 00:09:37,899 and 192 00:09:37,899 --> 00:09:39,557 THM-AD 193 00:09:39,557 --> 00:09:41,700 would be the domain name. 194 00:09:41,700 --> 00:09:44,100 And we can also read it up here. 195 00:09:44,100 --> 00:09:48,210 It already got outputted to us before, which is right here: 196 00:09:48,210 --> 00:09:49,350 domain name 197 00:09:49,350 --> 00:09:52,260 THM-AD. 198 00:09:52,260 --> 00:09:54,690 So if you copy this, you paste it right here 199 00:09:54,690 --> 00:09:57,510 it will be the correct answer. 200 00:09:57,510 --> 00:10:01,200 And what tool will allow us to enumerate ports 139 and 201 00:10:01,200 --> 00:10:03,480 445? We can use enum4linux 202 00:10:03,480 --> 00:10:07,770 but it is not the only tool that can be used. 203 00:10:07,770 --> 00:10:10,870 This THM-AD can also be discovered 204 00:10:11,790 --> 00:10:14,520 with msfconsole. 
205 00:10:14,520 --> 00:10:16,650 So let me show you, there is a module, 206 00:10:16,650 --> 00:10:20,010 the auxiliary module, that can be used to also 207 00:10:20,010 --> 00:10:25,010 get the domain name once we input the target IP. 208 00:10:25,200 --> 00:10:29,190 So let's just wait for the msfconsole to open up. 209 00:10:29,190 --> 00:10:31,470 And the auxiliary module that we want to 210 00:10:31,470 --> 00:10:33,963 use is the smb_version. 211 00:10:34,830 --> 00:10:37,920 We might have already used it before in the course 212 00:10:37,920 --> 00:10:40,440 but right now we're going to use it 213 00:10:40,440 --> 00:10:45,033 for the purposes of enumerating Attacktive Directory. 214 00:10:46,110 --> 00:10:48,210 Okay, so the msfconsole opened up 215 00:10:48,210 --> 00:10:51,120 and we want to go use auxiliary. 216 00:10:51,120 --> 00:10:52,240 We want to go 217 00:10:53,670 --> 00:10:54,930 scanner first. 218 00:10:54,930 --> 00:10:59,100 So scanner, then smb and smb_version, 219 00:10:59,100 --> 00:11:00,300 so show options 220 00:11:00,300 --> 00:11:03,900 will give us all the input fields that we need to provide. 221 00:11:03,900 --> 00:11:06,900 And the only one is RHOSTS 222 00:11:06,900 --> 00:11:10,170 which we can just paste like this. 223 00:11:10,170 --> 00:11:13,560 And if I type run it should work. 224 00:11:13,560 --> 00:11:16,530 And in the output we should get the domain name 225 00:11:16,530 --> 00:11:20,010 that we are asked for in the enumeration phase. 226 00:11:20,010 --> 00:11:24,450 And here it is, authentication domain THM-AD. 227 00:11:24,450 --> 00:11:27,522 So it's also another tool that can be used to 228 00:11:27,522 --> 00:11:30,570 discover the domain name. 229 00:11:30,570 --> 00:11:32,520 Okay, awesome. 230 00:11:32,520 --> 00:11:36,030 Now that we covered the first part of the enumeration, 231 00:11:36,030 --> 00:11:41,010 let's go to the enumerating users via Kerberos. 
232 00:11:41,010 --> 00:11:43,950 So if you read through the Microsoft documentation 233 00:11:43,950 --> 00:11:46,200 that I provided you for Active Directory 234 00:11:46,200 --> 00:11:49,077 you will also encounter something called Kerberos. 235 00:11:49,077 --> 00:11:53,070 And we do get a little bit of a definition right here. 236 00:11:53,070 --> 00:11:54,270 So a whole host 237 00:11:54,270 --> 00:11:58,200 of other services are running, including Kerberos. 238 00:11:58,200 --> 00:12:01,050 Kerberos is a key authentication service 239 00:12:01,050 --> 00:12:03,453 within Active Directory. 240 00:12:04,350 --> 00:12:06,840 And after this definition it does provide us 241 00:12:06,840 --> 00:12:08,070 with a little bit of a hint 242 00:12:08,070 --> 00:12:11,490 of how we can approach this challenge. 243 00:12:11,490 --> 00:12:13,080 And with this port open, 244 00:12:13,080 --> 00:12:15,540 and we saw Kerberos running on an open port, 245 00:12:15,540 --> 00:12:19,980 we can use a tool called Kerbrute to brute force discovery 246 00:12:19,980 --> 00:12:23,943 of users, passwords and even perform password spraying. 247 00:12:24,870 --> 00:12:27,090 And here's the little note: several 248 00:12:27,090 --> 00:12:29,130 of the users have informed me that the latest version 249 00:12:29,130 --> 00:12:32,246 of Kerbrute does not contain the userEnum flag in Kerbrute. 250 00:12:32,246 --> 00:12:33,510 If that is the case 251 00:12:33,510 --> 00:12:36,660 with the version you have selected, try an older version. 252 00:12:36,660 --> 00:12:38,973 So just a quick note right here. 253 00:12:39,960 --> 00:12:41,430 And enumeration. 254 00:12:41,430 --> 00:12:44,700 So for this challenge we will need a modified user list 255 00:12:44,700 --> 00:12:47,970 and a password list which will be used to cut 256 00:12:47,970 --> 00:12:51,180 down on the time of enumeration of users and password 257 00:12:51,180 --> 00:12:52,083 hash cracking. 
258 00:12:53,430 --> 00:12:56,490 All right, so three things we're going to need 259 00:12:56,490 --> 00:12:58,590 for this part of the challenge. 260 00:12:58,590 --> 00:13:00,432 We're going to need Kerbrute. 261 00:13:00,432 --> 00:13:02,850 So just click on this link, open it 262 00:13:02,850 --> 00:13:05,440 in a different tab so you can download the tool, 263 00:13:07,290 --> 00:13:10,050 and you also want to download the user list 264 00:13:10,050 --> 00:13:12,150 and the password list, which you can also open 265 00:13:12,150 --> 00:13:15,240 in a different tab and download from there. 266 00:13:15,240 --> 00:13:17,430 Now, I've already downloaded all three. 267 00:13:17,430 --> 00:13:19,560 As you can see I have Kerbrute right here. 268 00:13:19,560 --> 00:13:23,460 I have the users and the password list right here. 269 00:13:23,460 --> 00:13:25,620 So simply just save the user list 270 00:13:25,620 --> 00:13:29,160 and the password list and you will get these two txt files. 271 00:13:29,160 --> 00:13:33,000 And the Kerbrute tool can be downloaded from GitHub. 272 00:13:33,000 --> 00:13:35,850 If we go right here and here 273 00:13:35,850 --> 00:13:37,680 you will have the versions depending 274 00:13:37,680 --> 00:13:39,870 on which operating system you're running. 275 00:13:39,870 --> 00:13:43,376 We want linux amd64 and you can download it 276 00:13:43,376 --> 00:13:44,710 or you can see 277 00:13:45,870 --> 00:13:48,310 the download or installation process 278 00:13:49,200 --> 00:13:50,760 by deleting the releases 279 00:13:50,760 --> 00:13:53,160 and going to just the Kerbrute page 280 00:13:53,160 --> 00:13:55,170 or the Kerbrute official page. 281 00:13:55,170 --> 00:13:57,540 You could have also clicked right here probably. 
282 00:13:57,540 --> 00:14:02,010 And here if I scroll all the way down, 283 00:14:02,010 --> 00:14:03,360 we will see the usage 284 00:14:03,360 --> 00:14:07,350 and we will also see the installation guide 285 00:14:07,350 --> 00:14:11,620 which tells us how we can install Kerbrute. 286 00:14:11,620 --> 00:14:14,220 Okay, again, back to our challenge 287 00:14:14,220 --> 00:14:16,080 or to our Attacktive Directory. 288 00:14:16,080 --> 00:14:20,730 And once it loads up, let's see which questions we get 289 00:14:20,730 --> 00:14:22,733 in this part of the challenge. 290 00:14:22,733 --> 00:14:26,910 Okay, let's go down once again, enumerating, 291 00:14:26,910 --> 00:14:30,210 and the three questions are already answered, but let's see 292 00:14:30,210 --> 00:14:33,180 how we came up with these solutions. 293 00:14:33,180 --> 00:14:35,160 And the first one is what command 294 00:14:35,160 --> 00:14:39,810 with Kerbrute will allow us to enumerate valid usernames? 295 00:14:39,810 --> 00:14:44,810 So once you download Kerbrute, let's exit the msfconsole. 296 00:14:45,960 --> 00:14:48,750 Yeah, this is the command to exit Python, not msfconsole. 297 00:14:48,750 --> 00:14:50,340 So let's do it properly. 298 00:14:50,340 --> 00:14:51,690 We go to Desktop or 299 00:14:51,690 --> 00:14:54,360 wherever you have your Kerbrute downloaded 300 00:14:54,360 --> 00:14:57,660 and you change the directory to the Kerbrute. 301 00:14:57,660 --> 00:15:00,600 If you compiled it the way that is shown 302 00:15:00,600 --> 00:15:03,330 on the GitHub installation page, then 303 00:15:03,330 --> 00:15:07,020 in the dist directory you will have all the 304 00:15:07,020 --> 00:15:08,160 executable files. 305 00:15:08,160 --> 00:15:09,630 Now I deleted the rest 306 00:15:09,630 --> 00:15:14,630 since the only one that we need is kerbrute_linux_amd64. 
307 00:15:15,000 --> 00:15:16,650 Now to just run it 308 00:15:16,650 --> 00:15:20,520 we can type ./kerbrute 309 00:15:20,520 --> 00:15:22,230 and just press enter. 310 00:15:22,230 --> 00:15:26,343 It'll give us the help menu for this tool. 311 00:15:27,510 --> 00:15:30,990 Now it is asked what command within Kerbrute 312 00:15:30,990 --> 00:15:33,450 will allow us to enumerate valid usernames. 313 00:15:33,450 --> 00:15:35,790 And already here under the available commands 314 00:15:35,790 --> 00:15:40,200 we can see userenum, which will enumerate valid domain 315 00:15:40,200 --> 00:15:43,080 usernames via Kerberos, so we can already specify it right 316 00:15:43,080 --> 00:15:46,110 here without even running the command first. 317 00:15:46,110 --> 00:15:49,740 But let's see, since for the other two questions 318 00:15:49,740 --> 00:15:52,200 we will need to run that command. 319 00:15:52,200 --> 00:15:55,320 Let's do it like this to run it properly. 320 00:15:55,320 --> 00:15:57,720 And let me just move this a little bit up. 321 00:15:57,720 --> 00:16:00,280 To run it properly, you want to type kerbrute 322 00:16:01,290 --> 00:16:05,280 or the executable name and then userenum, then 323 00:16:05,280 --> 00:16:08,970 -d will be the domain as we can see right here. 324 00:16:08,970 --> 00:16:11,590 And we saw in the first part, the domain 325 00:16:13,260 --> 00:16:18,260 given or the full domain given is spookysec.local. 326 00:16:18,900 --> 00:16:21,090 Remember when we provided .local 327 00:16:21,090 --> 00:16:24,000 under the first enumeration part? 328 00:16:24,000 --> 00:16:28,620 Well this is the first or the full domain of our target. 329 00:16:28,620 --> 00:16:30,900 And we can also specify the IP address 330 00:16:30,900 --> 00:16:33,693 by using --dc. 331 00:16:34,590 --> 00:16:38,850 And we should also see that option somewhere. 332 00:16:38,850 --> 00:16:40,683 Or is it in? 
333 00:16:41,610 --> 00:16:42,810 Okay, here it is. 334 00:16:42,810 --> 00:16:45,870 --dc is the location of the 335 00:16:45,870 --> 00:16:48,780 domain controller to target. 336 00:16:48,780 --> 00:16:52,020 So if it is left blank, if it's not specified, 337 00:16:52,020 --> 00:16:56,010 it'll look this up on or over DNS. 338 00:16:56,010 --> 00:17:00,450 So here essentially we want to copy the IP address 339 00:17:00,450 --> 00:17:02,313 and paste it right here. 340 00:17:04,319 --> 00:17:08,520 And since we are provided with user and password lists 341 00:17:08,520 --> 00:17:12,119 we can use the user list to enumerate users. 342 00:17:12,119 --> 00:17:13,180 All we have to do 343 00:17:14,250 --> 00:17:16,119 is type in users 344 00:17:17,880 --> 00:17:19,079 .txt. 345 00:17:19,079 --> 00:17:20,940 But let me just see if it's in the same directory. 346 00:17:20,940 --> 00:17:22,020 It's not in the same directory. 347 00:17:22,020 --> 00:17:24,390 So we have to specify the full path: home, Mr. 348 00:17:24,390 --> 00:17:29,250 Hacker, Desktop, users.txt, or pretty much wherever 349 00:17:29,250 --> 00:17:31,710 you have it saved, just specify the full path 350 00:17:31,710 --> 00:17:35,400 to the users file and if I press enter 351 00:17:35,400 --> 00:17:39,243 it will output all the users that it managed to find. 352 00:17:40,440 --> 00:17:45,440 As we can see, valid username for james, svc-admin. 353 00:17:45,540 --> 00:17:47,940 And it also has something interesting right here, 354 00:17:47,940 --> 00:17:50,190 which we will talk about in just a second. 355 00:17:50,190 --> 00:17:55,190 And there are other valid usernames such as administrator, 356 00:17:55,260 --> 00:18:00,260 which will also be interesting later on, and backup, 357 00:18:00,450 --> 00:18:03,180 which will certainly be interesting later on. 358 00:18:03,180 --> 00:18:05,610 So let's answer these questions right here. 
359 00:18:05,610 --> 00:18:08,280 What notable account is discovered? 360 00:18:08,280 --> 00:18:09,900 These should jump out at you. 361 00:18:09,900 --> 00:18:11,970 The first thing that we see is svc-admin. 362 00:18:11,970 --> 00:18:13,350 And why is it? 363 00:18:13,350 --> 00:18:15,870 Well, that's because it's the only one 364 00:18:15,870 --> 00:18:20,760 that outputted the entire hash right here for us to see. 365 00:18:20,760 --> 00:18:23,970 So that's the first account that is discovered 366 00:18:23,970 --> 00:18:26,040 and that is notable and interesting to us. 367 00:18:26,040 --> 00:18:29,190 Now we will see what we can do with this hash later on 368 00:18:29,190 --> 00:18:31,560 but let's specify svc-admin 369 00:18:31,560 --> 00:18:34,470 as a result right here. 370 00:18:34,470 --> 00:18:37,110 What is the other notable account that is discovered? 371 00:18:37,110 --> 00:18:39,270 Well, it's definitely backup 372 00:18:39,270 --> 00:18:41,910 since it's not that common to see it. 373 00:18:41,910 --> 00:18:44,610 But administrator would also be a decent answer 374 00:18:44,610 --> 00:18:46,950 because administrator is always something 375 00:18:46,950 --> 00:18:49,920 that we are targeting, but it is a normal account to see 376 00:18:49,920 --> 00:18:52,680 on Active Directory, whether it be administrator 377 00:18:52,680 --> 00:18:54,840 or root or anything like that. 378 00:18:54,840 --> 00:18:57,540 It's a must-have on Active Directory. 379 00:18:57,540 --> 00:18:59,820 So we're just going to go with backup 380 00:18:59,820 --> 00:19:02,220 as the other notable account that is discovered 381 00:19:02,220 --> 00:19:05,430 since it can be interesting for us. 382 00:19:05,430 --> 00:19:07,500 Now, once you answer these two questions 383 00:19:07,500 --> 00:19:08,550 you can close this tool. 384 00:19:08,550 --> 00:19:10,860 No need for it to run anymore. 
385 00:19:10,860 --> 00:19:14,278 And in the next lecture we're going to see how 386 00:19:14,278 --> 00:19:17,580 useful this will be for us 387 00:19:17,580 --> 00:19:20,850 in the exploitation phase of this challenge. 388 00:19:20,850 --> 00:19:22,250 See you in the next lecture.