1
00:00:03,120 --> 00:00:08,880
Welcome back to our last lesson on the command and control of a Windows 10 machine from Kalli.

2
00:00:09,240 --> 00:00:16,320
In this lesson, we're going to see how to gain admen level privileges or system level privileges and

3
00:00:16,320 --> 00:00:20,970
how to steal passwords from a Windows 10 computer.

4
00:00:21,270 --> 00:00:24,480
So one of the first things we want to do is come over to our Windows 10 computer.

5
00:00:24,870 --> 00:00:29,370
And if you still have your administrator command prompt up, go ahead and open that.

6
00:00:29,400 --> 00:00:36,710
If you don't just do see M.D. in your Windows 10 box and run as administrator, you should get something,

7
00:00:36,730 --> 00:00:39,540
says the administrator command prompt.

8
00:00:40,140 --> 00:00:42,750
And what we want to do is add a few users.

9
00:00:43,260 --> 00:00:46,850
So we've seen how to get just one user name.

10
00:00:47,430 --> 00:00:48,480
A couple of different ways, right?

11
00:00:48,510 --> 00:00:50,640
You can right click and you can grab that password.

12
00:00:51,030 --> 00:00:52,410
You can right.

13
00:00:52,410 --> 00:00:53,850
Click, inspect and grab that password.

14
00:00:54,180 --> 00:01:00,930
You can use the social engineers tool kit to send a phishing email to a person over the Internet and

15
00:01:00,930 --> 00:01:03,070
get their username and password that way.

16
00:01:03,540 --> 00:01:05,580
But that's one password at a time.

17
00:01:05,670 --> 00:01:11,760
What we're going to see with Materne Critter is how to download all of the user accounts on a computer.

18
00:01:12,150 --> 00:01:16,740
Now, if that's your office computer, it may only have you in a couple of other people, an I.T. person

19
00:01:16,740 --> 00:01:17,610
or something like that.

20
00:01:17,970 --> 00:01:24,570
If you're talking about a library or a school computer or a computer that's used by lots of different

21
00:01:24,570 --> 00:01:28,650
people, you may get dozens of passwords from a single infected Windows P.C..

22
00:01:29,010 --> 00:01:29,910
We're going to see how to do that.

23
00:01:29,910 --> 00:01:33,510
But to to get the most out of it, let's go and create a few accounts.

24
00:01:33,810 --> 00:01:37,530
So from an administrative command, prompt type net user.

25
00:01:38,060 --> 00:01:46,410
And let's just make up a few user names like Anna and give her a password of password one and then say

26
00:01:46,410 --> 00:01:47,640
slash add.

27
00:01:49,170 --> 00:01:49,590
Good.

28
00:01:49,980 --> 00:01:55,830
We'll do a net user ban with a little more complex password.

29
00:01:55,890 --> 00:02:01,670
Maybe BP a SSW zero r d exclamation.

30
00:02:02,340 --> 00:02:05,430
We already know that one from our Windows user.

31
00:02:06,360 --> 00:02:10,360
We can do net user, Carol.

32
00:02:11,220 --> 00:02:13,110
And let's make it a little longer.

33
00:02:13,110 --> 00:02:14,100
Password maybe.

34
00:02:14,160 --> 00:02:18,630
Captain Marvel slash ad.

35
00:02:18,960 --> 00:02:24,930
So what we're doing is adding users net user, the user name and the password slash ad will set up a

36
00:02:24,930 --> 00:02:26,910
new user on your Windows 10 box.

37
00:02:26,940 --> 00:02:28,950
And we'll add just a couple more.

38
00:02:28,980 --> 00:02:37,290
Let's do net user Clark with Super Man 20 as his password slash ad.

39
00:02:37,740 --> 00:02:42,540
You can choose fictional characters, you can choose superheroes, whatever you like for your passwords

40
00:02:42,540 --> 00:02:42,810
here.

41
00:02:43,250 --> 00:02:48,300
Net user CARRA with Supergirl.

42
00:02:50,280 --> 00:02:52,530
Girl number seven.

43
00:02:52,950 --> 00:03:00,640
And an exclamation mark slash ad and then maybe one net user, Peter.

44
00:03:01,240 --> 00:03:04,170
Spider-Man Rules.

45
00:03:04,430 --> 00:03:07,200
Spider Man Rule WSA.

46
00:03:08,010 --> 00:03:10,500
And then a smiley face after slash ad.

47
00:03:12,090 --> 00:03:17,040
So I've added five or six passwords that will oh, this is an interesting one.

48
00:03:17,430 --> 00:03:21,150
Good old Windows will say, hey, wait, this password is longer.

49
00:03:21,150 --> 00:03:23,390
The 14 characters, which is a really good thing.

50
00:03:23,730 --> 00:03:29,940
But if you're using any old network computers or Windows 2000 or older, which you usually don't have

51
00:03:29,940 --> 00:03:31,830
to worry about in the year 2020 and beyond.

52
00:03:32,290 --> 00:03:36,870
We're going to say, yes, we do want to continue to create that user.

53
00:03:37,470 --> 00:03:41,820
So we've got several usernames and passwords that we'll be able to try to attack from the Caleigh box.

54
00:03:41,850 --> 00:03:47,190
Now, one thing that's happened here is my Caleigh machine has lost the Materne Fritter session.

55
00:03:47,580 --> 00:03:51,780
So after you've created those handful passwords, let's come back over to Caleigh for just a second.

56
00:03:53,290 --> 00:03:57,250
If you've still got your maturity's session up and running, then you're ready to run.

57
00:03:57,280 --> 00:03:59,880
You don't have to redo this, but this is a useful thing to see.

58
00:03:59,890 --> 00:04:07,270
We were running the the Web cam stream just a moment ago, and that definitely can take up a lot of

59
00:04:07,270 --> 00:04:09,280
bandwidth and cause things to crash.

60
00:04:09,640 --> 00:04:16,540
So I'm still in my expert multi handler, and I should still have all my options, show options.

61
00:04:17,620 --> 00:04:20,620
So my local sent out to an at seven is still listening.

62
00:04:20,650 --> 00:04:22,370
So I'm just going to say exploit again.

63
00:04:24,380 --> 00:04:24,680
Good.

64
00:04:24,710 --> 00:04:25,610
And it's listening.

65
00:04:26,090 --> 00:04:31,520
I'll come back over to my Windows box and I'm going to check to see if it might have woken up.

66
00:04:31,550 --> 00:04:32,350
And it did.

67
00:04:32,390 --> 00:04:34,760
Delete that fortnight, all scans.

68
00:04:34,760 --> 00:04:37,730
But look at my documents folder and copy that.

69
00:04:37,980 --> 00:04:44,180
And I'm actually going to copy that and paste it into my downloads folder because I don't want it.

70
00:04:44,870 --> 00:04:45,680
Hey, there we go.

71
00:04:45,920 --> 00:04:52,640
I don't want it to delete my original copy, but you saw something pop up from my Windows Defender antivirus

72
00:04:52,640 --> 00:04:53,360
settings.

73
00:04:54,700 --> 00:04:55,570
Yeah, there we go.

74
00:04:55,960 --> 00:04:59,110
My antivirus sitting says Windows Defender Antivirus found threats.

75
00:04:59,140 --> 00:05:01,300
Well, we turned off Windows Defender antivirus.

76
00:05:01,600 --> 00:05:02,720
It turns back on.

77
00:05:02,740 --> 00:05:05,560
That's a great thing for Windows, Windows 10 and beyond.

78
00:05:05,920 --> 00:05:09,400
We got threat protection that turns back on for us.

79
00:05:09,700 --> 00:05:11,040
So you need to say virus.

80
00:05:12,300 --> 00:05:15,190
And threat protection, we're going to open those settings.

81
00:05:18,880 --> 00:05:21,250
We're going to come down to the Manege settings.

82
00:05:22,980 --> 00:05:26,700
And we're going to turn off the Real-Time prediction more time this happens from time to time.

83
00:05:27,000 --> 00:05:32,100
It's actually a great thing that Windows has made this change because it keeps your device a little

84
00:05:32,100 --> 00:05:33,090
more well protected.

85
00:05:33,090 --> 00:05:39,090
If you had to turn it off to play a certain video game or to stream something, you you will wind up

86
00:05:39,090 --> 00:05:40,560
having to turn it off a couple of times.

87
00:05:40,590 --> 00:05:46,080
But it is worth it because you've seen what can happen if you don't have that virus in threat protection

88
00:05:46,080 --> 00:05:46,410
running.

89
00:05:46,860 --> 00:05:50,940
So now we're going to go to our documents folder where we ran an exception.

90
00:05:50,960 --> 00:05:53,730
Remember, in the previous section and we can copy that.

91
00:05:53,760 --> 00:05:56,130
We can bring it over to the downloads pasted again.

92
00:05:56,550 --> 00:06:00,540
And this time since we turned off the Real-Time protection, it doesn't catch it.

93
00:06:00,630 --> 00:06:03,420
We're going to run that fortnight, all scans.

94
00:06:04,050 --> 00:06:04,950
And look at this.

95
00:06:04,980 --> 00:06:07,540
We opened a session to over here and.

96
00:06:08,370 --> 00:06:09,270
So that's a great thing.

97
00:06:09,540 --> 00:06:13,770
Well, now that we've got a maternity section connected again to our Windows machine, or if you've

98
00:06:13,860 --> 00:06:15,630
already got yours connected, you're in good shape.

99
00:06:15,930 --> 00:06:22,330
What we're going to do is type background one more time because we're actually going to use that Materne

100
00:06:22,330 --> 00:06:26,160
printer session to inject something called privilege escalation.

101
00:06:26,550 --> 00:06:35,280
We're going to use the a feature inside Windows 10 to gain route access or system level access to our

102
00:06:35,280 --> 00:06:38,100
Windows 10 computer so that we can actually still those passwords.

103
00:06:38,490 --> 00:06:52,590
So the exploit for that now control L is use exploit slash windows slash local slash bypass UAC underscore

104
00:06:52,590 --> 00:06:55,510
fied features on demand helper.

105
00:06:56,790 --> 00:06:57,180
Who.

106
00:06:57,270 --> 00:06:58,860
Now that is a long command.

107
00:06:59,010 --> 00:07:06,540
I know but we're gonna use exploit slash windows slash local slash bypass UAC that will bypass the user

108
00:07:06,540 --> 00:07:13,200
account controls that usually keep you from getting access to these important things like passwords

109
00:07:13,500 --> 00:07:20,100
for other users and the features on Demand Help or The Fired Helper is a program on Windows 10 that's

110
00:07:20,430 --> 00:07:22,290
there for a useful purpose.

111
00:07:22,320 --> 00:07:23,550
But it can be misused.

112
00:07:23,550 --> 00:07:26,790
And you can see here how Kelly's gonna do that.

113
00:07:27,030 --> 00:07:31,140
So if I say sessions, I need to know which session I want to attack.

114
00:07:31,170 --> 00:07:36,360
And that session to over here, you can see on the left hand side, if you're still on your first session,

115
00:07:36,360 --> 00:07:37,500
you may have session one.

116
00:07:37,900 --> 00:07:44,010
We're going to set the session to two or one or whatever.

117
00:07:44,010 --> 00:07:47,040
Your session number is going to set the payload.

118
00:07:48,430 --> 00:07:57,520
Two windows slash materne critter slash reverse underscore TCAP.

119
00:07:58,630 --> 00:08:05,560
So we're gonna make use of that Materne critter connection and we're going to inject another Materne

120
00:08:05,560 --> 00:08:08,440
critter section, but this one is gonna be at a higher level of privilege.

121
00:08:08,740 --> 00:08:11,280
We need to set the local host just like we did before.

122
00:08:11,290 --> 00:08:16,360
L host to 10 Dotto dot nine.

123
00:08:16,360 --> 00:08:18,310
Dot seven is my Caleigh box.

124
00:08:18,310 --> 00:08:26,590
You can IPA if you need to get the IP address and then we want to run exploit and I will try to start

125
00:08:26,590 --> 00:08:27,580
a reverse handler.

126
00:08:28,150 --> 00:08:37,360
And you saw something flash up on the screen there in my Windows 10 box, but nothing terribly out of

127
00:08:37,360 --> 00:08:39,160
the ordinary for a regular user.

128
00:08:39,620 --> 00:08:44,980
But if this works correctly, you should have a new Materne Fritter session opened up.

129
00:08:45,370 --> 00:08:49,060
And this session is not going to be your regular old user session.

130
00:08:49,060 --> 00:08:52,400
This is an administrative or system level user.

131
00:08:52,420 --> 00:08:54,020
Once we escalate those privileges.

132
00:08:54,490 --> 00:08:56,980
So it created a third session.

133
00:08:56,980 --> 00:09:00,160
So now and now we have, well, at least a second session.

134
00:09:00,580 --> 00:09:01,870
We had an original session.

135
00:09:01,870 --> 00:09:04,030
It closed out, so we connected with a second session.

136
00:09:04,300 --> 00:09:09,340
We use the second session with a background to then bypass the user account control.

137
00:09:09,640 --> 00:09:14,800
And now we'll have the ability to get system level access on this Windows team computer.

138
00:09:16,220 --> 00:09:22,580
So I'm going to use control l and I'm going to use the command get system.

139
00:09:23,950 --> 00:09:26,710
And let's see if we can get system level access.

140
00:09:26,750 --> 00:09:28,200
Well, it says it got system.

141
00:09:28,240 --> 00:09:33,550
The a technique one, by the way, if you get an error here that says it's already at an elevated state,

142
00:09:33,560 --> 00:09:35,920
that means you are already in an administrative account.

143
00:09:36,310 --> 00:09:37,150
And that's OK.

144
00:09:37,330 --> 00:09:38,650
The on command should work.

145
00:09:38,950 --> 00:09:43,690
If you didn't get a new maternity or section, you may have to actually go back and rerun the entire

146
00:09:43,690 --> 00:09:44,800
exploit one more time.

147
00:09:45,160 --> 00:09:52,210
So start back and see if you can get a session, then background that session, then connect using the

148
00:09:52,330 --> 00:09:53,650
third helper exploit.

149
00:09:54,850 --> 00:10:01,180
Just go back to the beginning of this, this video one more time after get a system we can check to

150
00:10:01,180 --> 00:10:05,790
see if we really do have system little access with get you I.D..

151
00:10:07,100 --> 00:10:09,200
And look at our user name now.

152
00:10:09,590 --> 00:10:11,330
And we were just i.e. user.

153
00:10:11,390 --> 00:10:16,760
Earlier, we saw that a couple of times, but the user name now is TE Authority system.

154
00:10:16,760 --> 00:10:19,880
We are root level on this windows in teh box.

155
00:10:20,150 --> 00:10:23,570
So we're gonna use a package called Kiwi.

156
00:10:25,550 --> 00:10:32,720
There we go, this is called Mimi Katz, you loda by saying use Kiwi and then the command to dump all

157
00:10:32,720 --> 00:10:34,790
of our Windows passwords as L.

158
00:10:34,790 --> 00:10:38,360
S a underscored dump underscore Sam.

159
00:10:40,040 --> 00:10:41,840
Look at that.

160
00:10:42,230 --> 00:10:44,490
We have hashes for each one of our users.

161
00:10:44,510 --> 00:10:46,790
Now, these are not the plain text passwords.

162
00:10:47,180 --> 00:10:49,070
These are just the user hashes.

163
00:10:49,100 --> 00:10:53,720
But let's choose Anna's password, that in TLM hash.

164
00:10:54,440 --> 00:11:02,280
If we control shift C to copy that, we can come out to a service like Hash Killer and come a hash killer

165
00:11:02,280 --> 00:11:11,150
dot io, come to the hash cracker, come down to n TLM, paste that hash that we just found.

166
00:11:12,140 --> 00:11:13,910
And then usually you'll have to do a captcha.

167
00:11:14,330 --> 00:11:20,330
UW six T for H g.

168
00:11:21,360 --> 00:11:25,440
And we're going to learn how to do password cracking in a later section.

169
00:11:25,770 --> 00:11:30,480
But this is a great way to check to see if you've got a real Windows password that you might be able

170
00:11:30,480 --> 00:11:31,020
to crack.

171
00:11:31,470 --> 00:11:33,870
And look at that.

172
00:11:33,990 --> 00:11:35,350
I may need to control.

173
00:11:35,600 --> 00:11:44,430
Plus, if you see that password, that hash has been resolved to password one.

174
00:11:45,650 --> 00:11:48,740
So we actually got into a Windows computer guy now.

175
00:11:49,100 --> 00:11:56,780
Really great idea would be to highlight and copy all of these hashes and just right click copy the selection

176
00:11:57,350 --> 00:12:04,600
and open up maybe a text document under favorites, text editor and paste these into that text document.

177
00:12:04,610 --> 00:12:09,410
You'll want to clean these up so that they've got just the username and the hash probably.

178
00:12:10,130 --> 00:12:17,930
But with just these hashes and a couple of free online tools like hash killer or hashes dot com where

179
00:12:17,930 --> 00:12:23,750
you can paste in a hash and see if that password has already been cracked out on the Internet, you're

180
00:12:23,750 --> 00:12:28,190
probably going to be able to recover most of the passwords that are on a Windows computer.

181
00:12:29,000 --> 00:12:37,160
So I think we probably did our job in scaring you into never downloading and running a suspicious file,

182
00:12:37,460 --> 00:12:41,690
whether it's from a friend, whether it's from somebody pretending to be a friend, whether it's just

183
00:12:41,690 --> 00:12:46,640
from a Web site or even if you're just downloading something you think you're getting for free.

184
00:12:47,360 --> 00:12:51,860
The latest movie that you're downloading is free from a Web site to watch the whole movie.

185
00:12:52,790 --> 00:12:54,350
It's not just executable files.

186
00:12:54,380 --> 00:12:55,820
It's PDAF files.

187
00:12:55,820 --> 00:12:56,750
It's Web pages.

188
00:12:57,110 --> 00:13:03,890
It could even be movie files or image files that are infected with viruses almost exactly like this

189
00:13:03,890 --> 00:13:11,540
remote access Trojan that we called Materne Critter that gave us complete command and control of a Windows

190
00:13:11,540 --> 00:13:14,120
computer from Alcalay Linux box.

191
00:13:14,510 --> 00:13:19,520
So when we come back in the next lesson, we're going to wrap up the commanding control with some ways

192
00:13:19,520 --> 00:13:24,050
to protect yourself from viruses like the one we just created.

193
00:13:24,350 --> 00:13:25,520
We'll see you in the next lesson.