00:00:01,050 --> 00:01:26,980
All right, in the previous two lessons we saw how to, first of all, pull off the exploit of swapping our command file for the sethc or the Sticky Keys executable file in our Windows System32 directory. That gave us the ability to compromise the computer by just pressing the Shift key five times. I'll demonstrate that one more time here. There we go. We've got a beautiful Windows command prompt running as the system-level user, NT AUTHORITY. That's Windows NT AUTHORITY, the super administrator root on this Windows 7 computer that I owned several years ago. And once we could run that command prompt, we could reset my username with just net user bpayne bpayne, reset my username to bpayne. So now I don't need to remember my username from all those years ago, but if I log in as bpayne, I'm hoping that my important work files and some of my family vacation photos are still on this old computer from years ago. And look at that, my important work files and family vacation photos. OK, maybe I staged those files for you a little bit. But the point is, anything that was on this computer from several years ago that I just could not access anymore because I forgot my password, I can now get to, and I can see everything that was not encrypted on this computer.

00:01:27,260 --> 00:02:51,470
The only way really to protect against this is to disable and bypass the ability to boot from a CD or DVD. The other way to protect your files is to encrypt them. If I encrypt something in here, like my family vacation photos, by right-clicking, coming to Advanced and then telling it to encrypt the contents to secure the data, well then everything is going to be encrypted using my username and this password, bpayne, that I'm using right now. So if someone comes in and resets my password later, they won't be able to see any of the files that I encrypted using that previous password. They will have to know my username and real password before they can do this. So any files that I've encrypted will still be safe. That's one of the reasons we use encryption on computers these days, because if someone does get our laptop, if we walk away from it in a coffee shop or if we leave it in an airport, or if someone just accesses our desktop and runs this hack, any files that are encrypted will not be visible to those new users who use even the administrative-level account. Well, let's see that administrative-level account, because I think I had some more files on this computer. Maybe I saved them as administrator and I didn't take time to reset that administrative password. Let's switch users by logging off and coming back in as Iron Man.

00:02:51,500 --> 00:04:10,380
And remember, Iron Man is a member of the administrative group. So if I use this password, Jarvis, it's going to do a little bit of setup because this is a brand new user who's logging in for the first time. It just so happens that we created this user with the username ironman and password Jarvis. And because this is a brand new user, if I go into Iron Man's documents, they're completely empty. However, Iron Man is an administrator on this computer, so Iron Man can not only look inside Iron Man's folders, but, as an administrator, he can continue through to bpayne's folders. There are my family vacation photos, my important work files. Now, if I go back up, I can look at Administrator. And all I have to do is click through for permission to continue, and now I can look for those other files that I think I had on this old computer from forever ago. Let's go to the desktop. There's nothing in Documents. Let's check here. Look at that. There are all my old files from when I was working on my Certified Ethical Hacker certification. Wow. Very nice. So you can see, as this new user, Iron Man, that I just created,

00:04:11,960 --> 00:05:33,460
I'm not only able to see my old files, I'm able to see everybody's files on this computer, this old laptop, as long as they didn't use encryption. So if you want to protect against this hack, use encryption on the hard drive. But if you tie it to your usernames, if you're doing this for a large enterprise, it's a great way to protect that data, because someone is going to lose an old laptop. And by encrypting that information, you'll make sure that even though someone can use that laptop, because they can create a new user just like we did using a simple Windows 10 boot disk or even a bootable USB drive, they'll be able to create new users, they just won't be able to access those old files if they're encrypted. And the second way you can protect against these types of attacks is to make sure that you turn off that ability to change the boot order. If you're a system administrator for a company, you may not want people to be able to boot from a CD disk or boot from USB. You can go into BIOS on your company's computers and you can turn off or disable or password-protect that ability to change the boot order. So we've seen a vulnerability, that's Sticky Keys. We've seen an exploit, the ability to copy the command prompt file over. If I hit the Shift key here five times, I'm going to see a new command prompt window pop open from anywhere I may be.

00:05:33,920 --> 00:06:54,800
Then third, we saw the compromise, where I was able to add a new user and then I can log in as that user. I can make that user an administrator using just a couple of simple commands at the command prompt. And then I can see all the files on the computer from all the users on this machine. Well, this is a great first exercise in practical, hands-on, real-world ethical hacking, because you may have an old computer, or someone may give you an old computer someday, and you may want to be able to set up a brand new user without installing a whole new operating system or wiping the hard drive. You may want to help your friends access some old files that they thought were gone forever because they just couldn't remember their password from years ago. And if you work in information security in a company, you can use this to bypass some user settings and actually see what a user has installed on your computer. We use some tools like this sometimes when we're doing forensics or gathering information on what someone's been doing on our network. However, when you use this, make sure you use it with full permission from the owner of the system or the owner of the network, or use it on computers that you own and control. I hope you've enjoyed this first hands-on exercise in ethical hacking. We'll see you in the next lesson.