1
00:00:00,630 --> 00:00:06,540
Certainly we will be doing this on our books from the works and they Beatrice's you one 9693.

2
00:00:06,660 --> 00:00:09,480
So these changes I got into the subscription.

3
00:00:11,740 --> 00:00:14,440
Let's see that in maps, candidates.

4
00:00:15,910 --> 00:00:18,390
How many words can you say is on time?

5
00:00:18,390 --> 00:00:23,100
And you can see the DNS server and the web server.

6
00:00:25,490 --> 00:00:29,300
And you see that Kerberos and the actor traded up.

7
00:00:29,300 --> 00:00:37,700
So you can assume that this isn't actually a disaster and the domain name is egotistical bank and if

8
00:00:37,700 --> 00:00:43,430
you see the website you don't get much information and here there are some blog posts and here you can

9
00:00:43,430 --> 00:00:44,530
see the usernames.

10
00:00:45,320 --> 00:00:48,670
These are also not much where you are.

11
00:00:48,710 --> 00:00:54,380
These become users and in their voters bit you will have these user names.

12
00:00:57,500 --> 00:01:01,880
Now you can see these usernames can be made into the word list.

13
00:01:02,150 --> 00:01:04,250
So I have already made this for this.

14
00:01:05,540 --> 00:01:09,950
I have just started this first fashion.

15
00:01:10,500 --> 00:01:10,800
Fashion.

16
00:01:10,820 --> 00:01:15,170
I dropped the first name and followed by this second name.

17
00:01:15,440 --> 00:01:17,420
So you can see all the combinations.

18
00:01:18,020 --> 00:01:23,330
Now we can use a tool called two of.

19
00:01:25,110 --> 00:01:25,680
I don't get.

20
00:01:25,680 --> 00:01:29,610
I need this Kerberos to check whether this user is like this or not.

21
00:01:30,330 --> 00:01:34,200
So we will get a different response whether these are, if the user exists.

22
00:01:36,740 --> 00:01:37,420
Kerbrute.

23
00:01:37,430 --> 00:01:46,100
And if you run this you can see the option is userenum and we need to specify the domain.
24
00:01:53,290 --> 00:01:57,850
And we say further DC that is the domain controller and then.

25
00:02:00,110 --> 00:02:01,580
We need to space for users.

26
00:02:03,800 --> 00:02:06,050
And you can see we got only two valid names.

27
00:02:06,060 --> 00:02:07,430
You have Smith and Head Smith.

28
00:02:09,590 --> 00:02:11,560
Now we can use Impacket.

29
00:02:14,320 --> 00:02:15,430
GetNPUsers

30
00:02:18,100 --> 00:02:19,090
to check any

31
00:02:22,180 --> 00:02:25,240
Kerberos pre-authentication not required users.

32
00:02:26,050 --> 00:02:32,020
So they have this "do not require pre-authentication" setting in the user account control.

33
00:02:37,110 --> 00:02:41,640
So I think it's a signal that Bishop.

34
00:02:54,240 --> 00:02:59,270
I think we need to specify something like a users file.

35
00:02:59,270 --> 00:03:00,910
We can just simply request.

36
00:03:00,920 --> 00:03:02,150
There are only two users.

37
00:03:02,150 --> 00:03:03,110
We can say Smith.

38
00:03:06,160 --> 00:03:07,360
So we don't have a password.

39
00:03:07,450 --> 00:03:08,340
Just pretend to.

40
00:03:09,620 --> 00:03:11,360
And we got that paid for.

41
00:03:12,860 --> 00:03:17,000
So this dude is and group with this.

42
00:03:18,140 --> 00:03:19,520
You have to go and password.

43
00:03:24,320 --> 00:03:25,640
There is no.

44
00:03:28,250 --> 00:03:34,580
We can get the TGT for this because pre-authentication is not required for this user.

45
00:03:34,970 --> 00:03:43,160
So we can crack this using John the Ripper, so it's simply john with the wordlist and the hash, and after cracking

46
00:03:43,170 --> 00:03:45,080
we will get the password.

47
00:03:47,420 --> 00:03:50,860
And here you can see the password is the strokes.

48
00:03:52,430 --> 00:03:54,850
So we can log in using random.

49
00:03:59,630 --> 00:04:04,820
User name is Smith and the password is 133.

50
00:04:06,020 --> 00:04:08,110
And now I have run this power up.

51
00:04:08,120 --> 00:04:09,450
You did not give any users.
52
00:04:09,470 --> 00:04:10,970
So what I'm going to do is.

53
00:04:10,970 --> 00:04:11,890
I'm going to.

54
00:04:19,280 --> 00:04:22,460
Pull some script that is in to pass pretty.

55
00:04:25,050 --> 00:04:28,140
It takes, uh, rum.

56
00:04:28,440 --> 00:04:30,210
It takes some basic takes.

57
00:04:31,820 --> 00:04:33,260
They are profitable.

58
00:04:33,500 --> 00:04:38,450
And this is the binary we are using auto, you know.

59
00:04:38,540 --> 00:04:40,610
So it will check for the future.

60
00:04:40,700 --> 00:04:41,480
So we.

61
00:04:47,310 --> 00:04:55,610
We took instead of profitable commercial end user users description field and then business and and

62
00:04:56,090 --> 00:04:57,830
then navigation accounts.

63
00:04:59,000 --> 00:05:08,840
So I have ordered dinner this one here the ordering and you can basically run the bread down on this

64
00:05:08,840 --> 00:05:12,230
one and get the information.

65
00:05:12,230 --> 00:05:20,120
So down there to give you the information that a particular user has this, uh, DCSync capability.

66
00:05:20,120 --> 00:05:26,980
So that means that user can request that they see any letters changes to the global catalog

67
00:05:27,410 --> 00:05:32,090
and obviously we can get the hashes of all the users.

68
00:05:34,750 --> 00:05:40,510
And you can see user data and you can submit their score and host this.

69
00:05:43,830 --> 00:05:48,330
I mean, you draw down all this data in order to exceed.

70
00:05:49,900 --> 00:05:50,620
Partial.

71
00:05:52,190 --> 00:05:55,730
Execution policy bypass and using the Medicare.

72
00:06:02,440 --> 00:06:06,910
And output file we can place in the current progression.

73
00:06:11,730 --> 00:06:14,280
And we should see the get requests from that machine.

74
00:06:16,350 --> 00:06:17,670
In order to run this.
75
00:06:25,150 --> 00:06:34,300
And here you can see the congressional users, the hit submit account has DSP and said there's a response

76
00:06:34,300 --> 00:06:41,020
minimum sonar slash it's not domain and instead of profitable users we have it.

77
00:06:41,140 --> 00:06:46,750
So that's how we got into this, our initial foothold and the DCSync capabilities.

78
00:06:46,900 --> 00:06:53,230
So these are well pretty common: domain administrators, enterprise administrators, etc.

79
00:06:54,070 --> 00:06:57,280
And don't you have this SBC loan manager?

80
00:06:57,280 --> 00:07:01,330
So this guy also had this replication getting this out.

81
00:07:02,350 --> 00:07:08,050
So we need to get to this account so that we can dump the yourself out of the users.

82
00:07:08,800 --> 00:07:13,330
And here you can also see the description for this and nothing juicy.

83
00:07:15,850 --> 00:07:25,330
So I have run winPEAS for any local escalation and I have found the catalog on credentials.

84
00:07:25,780 --> 00:07:27,160
So you can run winPEAS.

85
00:07:27,160 --> 00:07:31,120
It's going to take some time and you'll get these credentials.

86
00:07:31,840 --> 00:07:34,980
This one is the password file, as we see managed to.

87
00:07:37,690 --> 00:07:47,980
So since we had the password and this user has the application genius, we can go ahead and use secrets

88
00:07:48,250 --> 00:07:48,640
dump.

89
00:08:03,660 --> 00:08:06,630
I actually forgot this usage.

90
00:08:06,780 --> 00:08:07,680
The syntax.

91
00:08:36,310 --> 00:08:38,650
So anyway, let's just figure this out.

92
00:08:46,460 --> 00:08:47,470
Describe.

93
00:09:20,220 --> 00:09:29,460
I think we can use this syntax as we see lawn jihad, colon password.

94
00:09:31,390 --> 00:09:33,130
At the IP address.

95
00:09:33,460 --> 00:09:36,730
So this syntax is pretty common for the Impacket tools.

96
00:09:57,400 --> 00:09:59,470
And we can see we've got the hash.
97
00:10:00,640 --> 00:10:05,890
So we can copy these and build a mesh and try to log in.

98
00:10:13,430 --> 00:10:14,510
As administrator.

99
00:10:16,050 --> 00:10:17,360
I think it's.

100
00:10:24,870 --> 00:10:31,310
The computer is still using this NTLM version one we can be successfully wrapping.

101
00:10:36,300 --> 00:10:40,150
And we can see we got that mutual practice.

102
00:10:40,320 --> 00:10:42,210
Now we can go and pitch that room.

103
00:10:50,710 --> 00:10:53,260
That's after this video, this Sunday box.

104
00:10:54,490 --> 00:11:02,080
First we got the user names from the website and we used Kerbrute to brute force the valid

105
00:11:02,080 --> 00:11:02,620
user names.

106
00:11:02,620 --> 00:11:11,950
And from those user names we have found this Yosemite user having this ID set and then we got the hash

107
00:11:11,950 --> 00:11:13,450
because of the weak password.

108
00:11:13,450 --> 00:11:21,470
Then we cracked the password and logged in, and after some enumeration we came to know that SBC

109
00:11:21,520 --> 00:11:29,980
Road Manager has this application user and we have escalated to that user using the inches followed

110
00:11:29,980 --> 00:11:30,760
by winPEAS.

111
00:11:30,970 --> 00:11:38,560
And with that we have dumped the hashes of all with this, and since it's using NTLM version one it does

112
00:11:38,560 --> 00:11:41,080
accept the hash instead of the password.

113
00:11:41,530 --> 00:11:43,150
So that's how we logged in.