1
00:00:00,180 --> 00:00:08,160
OK, so I am now on the domain controller and I have Mimikatz, the three files that were in the

2
00:00:08,170 --> 00:00:10,130
x64 folder of the zip.

3
00:00:10,290 --> 00:00:15,560
Just extracted here to the Downloads, and I'm just gonna go ahead and go into a command prompt.

4
00:00:17,450 --> 00:00:23,540
And something I should point out too, let me bring back up Edge, is if you go up top to the wiki, the wiki

5
00:00:23,540 --> 00:00:29,900
is a great place to learn a lot about Mimikatz and what it's capable of and all the different things

6
00:00:29,900 --> 00:00:31,460
that it has here.

7
00:00:31,460 --> 00:00:37,340
So please, please, please look through the different modules that are available to you and exactly what

8
00:00:37,340 --> 00:00:38,780
they're doing.

9
00:00:38,840 --> 00:00:45,500
So from here let's go ahead and I'm going to cd to my Downloads folder and then I'm going to

10
00:00:45,500 --> 00:00:49,130
go ahead and execute Mimikatz.

11
00:00:49,880 --> 00:00:53,680
And it should bring up something that looks just like this.

12
00:00:53,720 --> 00:00:58,580
So the first thing that we're going to do, and this is the first step that you should always do, is you

13
00:00:58,580 --> 00:01:05,400
should run this: privilege, and privilege is the module, the first part is the module, and then we're going

14
00:01:05,400 --> 00:01:09,130
to use two colons and then we're going to say debug.

15
00:01:09,320 --> 00:01:11,460
And we're looking for a Privilege '20'.

16
00:01:11,470 --> 00:01:12,620
OK.

17
00:01:12,690 --> 00:01:19,070
Now debug means that it's allowing us to debug a process that we wouldn't otherwise have access to, and

18
00:01:19,070 --> 00:01:20,750
this is per the wiki.

19
00:01:20,750 --> 00:01:26,000
So we're going to attempt to dump some information out of memory.

20
00:01:26,120 --> 00:01:26,480
Right.
21
00:01:26,480 --> 00:01:30,490
And if we're going to do this we need to be able to bypass this.

22
00:01:30,500 --> 00:01:34,310
So if we don't, we don't have the privilege::debug on.

23
00:01:34,310 --> 00:01:39,800
We're not gonna be able to bypass these attacks, or the memory protections that are in place, especially

24
00:01:39,800 --> 00:01:46,190
for the LSA, lsass.exe, which we need to bypass protections on to be able to dump the

25
00:01:46,190 --> 00:01:49,640
LSASS and take the credentials that are stored there.

26
00:01:49,670 --> 00:01:56,080
So we're going to run a few attacks against this, so the first attack I'm going to show you is a very

27
00:01:56,080 --> 00:01:57,070
common attack.

28
00:01:57,490 --> 00:02:04,410
So we're going to type in sekurlsa and then we're going to do two colons here and we're going to

29
00:02:04,410 --> 00:02:05,910
type in logonpasswords

30
00:02:09,170 --> 00:02:10,210
now for this one.

31
00:02:10,220 --> 00:02:17,600
I want you to imagine that not only are we compromising the domain controller here, and I'm going to

32
00:02:17,600 --> 00:02:22,480
scroll up just a bit, but imagine that maybe we just compromised a regular computer.

33
00:02:22,550 --> 00:02:30,080
Now the logon passwords, when we dump this for a regular computer, are going to show us the computer,

34
00:02:30,200 --> 00:02:36,650
you see the computer username and the NTLM hash for that, as well as any user that has logged in since

35
00:02:36,650 --> 00:02:39,420
the last reboot, and that's stored here in memory.

36
00:02:39,680 --> 00:02:40,090
All right.

37
00:02:40,730 --> 00:02:47,750
So we're taking advantage of this stored in memory, and say for example you saw earlier with

38
00:02:47,750 --> 00:02:53,010
mitm6 where we actually used a computer to pull down information.
39
00:02:53,240 --> 00:02:59,420
Well, it's possible that we have misconfiguration in our environment where a computer is capable of

40
00:02:59,420 --> 00:03:03,480
logging into the domain controller and running exploits.

41
00:03:03,500 --> 00:03:09,270
So it's always good to check this hash, and this hash is NTLM, not NTLMv2, so we can pass

42
00:03:09,270 --> 00:03:12,630
this hash around and try to utilize it in attacks.

43
00:03:12,800 --> 00:03:17,380
This would be taking advantage of Mimikatz's pass-the-hash feature.

44
00:03:17,570 --> 00:03:19,500
So keep that in mind here.

45
00:03:19,520 --> 00:03:25,250
The other thing that we're looking for is accounts that have logged in, so let's scroll down until we

46
00:03:25,250 --> 00:03:26,600
find the administrator.

47
00:03:26,600 --> 00:03:30,740
So the administrator is the only account I've logged in with on this domain controller.

48
00:03:30,740 --> 00:03:33,440
And we also pull down the administrator's hash.

49
00:03:33,740 --> 00:03:40,610
So if there was a machine where, say for example, a domain admin had logged into, and it doesn't have to

50
00:03:40,610 --> 00:03:46,400
be the domain controller, but that domain admin had logged into, then we can possibly get their hash and

51
00:03:46,400 --> 00:03:53,040
use that to pass around, and potentially we could take advantage of this WDigest here.

52
00:03:53,330 --> 00:03:54,980
So what is the WDigest?

53
00:03:55,310 --> 00:04:02,960
Well, it is a feature that on Windows 7 and before was enabled by default.

54
00:04:02,960 --> 00:04:06,700
And what it did was it stored your password in clear text.

55
00:04:06,710 --> 00:04:13,310
Thank you, Windows. From Windows 10 on they have patched, or Windows 8 on, they've patched this.

56
00:04:13,310 --> 00:04:16,640
And what that means is they just turned it off.

57
00:04:16,670 --> 00:04:18,630
The feature still exists.

58
00:04:18,650 --> 00:04:20,210
So what can we do?
59
00:04:20,270 --> 00:04:28,640
We could actually turn on WDigest with Mimikatz and then we can go ahead and wait for somebody to

60
00:04:28,670 --> 00:04:35,540
log onto the computer, so it does require somebody to log off or log out and then log into the computer.

61
00:04:35,540 --> 00:04:40,580
But if we're patient or waiting through something for a couple of days, this isn't a bad idea, to turn

62
00:04:40,580 --> 00:04:43,610
on WDigest, because that's a registry feature.

63
00:04:43,610 --> 00:04:46,970
So even if they reboot the computer it's still going to come back on.

64
00:04:46,970 --> 00:04:50,720
We go in there, we wait, we find the clear text password, and then we're good to go.

65
00:04:51,200 --> 00:04:57,470
So this is a really, really useful tool that we can use here, or a command that we can use.

66
00:04:57,980 --> 00:05:03,410
So other commands that we can use, and not all of these are going to work, but one of them is trying to

67
00:05:03,410 --> 00:05:05,030
dump the

68
00:05:05,060 --> 00:05:12,290
SAM, so we can just say something like lsadump and then we could say sam like this and try to dump

69
00:05:12,290 --> 00:05:13,270
that.

70
00:05:13,550 --> 00:05:17,940
And this one doesn't work, and that's OK, sometimes it doesn't work.

71
00:05:17,960 --> 00:05:20,150
We could try a SAM, we could try patch.

72
00:05:20,150 --> 00:05:22,670
See if that works. That doesn't work.

73
00:05:22,670 --> 00:05:23,060
OK.

74
00:05:23,090 --> 00:05:24,560
Let's try something else though.

75
00:05:24,560 --> 00:05:30,550
So backing up just briefly, just because we're not able to dump the SAM doesn't mean we're not able to

76
00:05:30,550 --> 00:05:32,170
obtain it in other ways.

77
00:05:32,170 --> 00:05:37,960
We can get a shell with Metasploit and dump the SAM, we can use secretsdump.py and dump the SAM.

78
00:05:37,960 --> 00:05:41,040
We could also just download the SAM and dump it as well.
79
00:05:41,050 --> 00:05:46,630
So just because Mimikatz can't do it here in this situation doesn't mean it's not something you

80
00:05:46,630 --> 00:05:47,770
should know.

81
00:05:47,950 --> 00:05:52,960
And it's also something that you should know, there's alternative options that you've seen already in

82
00:05:52,960 --> 00:05:53,880
the course.

83
00:05:54,010 --> 00:05:59,400
So the big one that I really want to show you, that I'm excited about, is this.

84
00:05:59,410 --> 00:06:07,150
It's lsadump, lsa, and then we're gonna say patch like this, and watch what happens.

85
00:06:07,150 --> 00:06:09,520
And I should note that the patch is important.

86
00:06:09,550 --> 00:06:11,010
If you don't put the patch, look what happens.

87
00:06:11,100 --> 00:06:12,790
Look what happens here.

88
00:06:12,790 --> 00:06:17,590
So the patch allows us to actually get to the information.

89
00:06:17,590 --> 00:06:22,360
So here you can see the information was coming up through an error.

90
00:06:22,360 --> 00:06:31,260
Now here we're actually able to dump the LSA, so the LSA, briefly, is the Local Security Authority.

91
00:06:31,300 --> 00:06:38,950
So what that is is a protected subsystem in Windows authentication, and it authenticates and creates log

92
00:06:38,950 --> 00:06:41,650
on sessions to the local computer.

93
00:06:41,800 --> 00:06:45,700
Well, we're on a domain controller and we're dumping the LSA here.

94
00:06:45,760 --> 00:06:48,500
So this is one option that we can do.

95
00:06:48,640 --> 00:06:55,010
Now the other option is, if we want to, we can download or try to download the NTDS.dit.

96
00:06:55,030 --> 00:06:57,500
Remember this file from a long time ago.

97
00:06:57,580 --> 00:07:03,160
What seems like forever ago in the course, the NTDS.dit will contain all the credentials as

98
00:07:03,160 --> 00:07:03,420
well.

99
00:07:03,430 --> 00:07:11,490
But what we're looking at here is we're looking at usernames and NTLM hashes.
100
00:07:11,500 --> 00:07:12,350
Guess what.

101
00:07:12,430 --> 00:07:18,440
We could take these hashes offline and try to crack them, and we could try to crack these.

102
00:07:18,550 --> 00:07:19,930
And this is important.

103
00:07:19,930 --> 00:07:20,860
Why do we do this?

104
00:07:20,890 --> 00:07:21,210
There's.

105
00:07:21,260 --> 00:07:24,710
OK, there's two reasons we're doing this dump here.

106
00:07:24,720 --> 00:07:28,590
One is we're going to take these offline and try to crack these passwords.

107
00:07:28,590 --> 00:07:34,320
If we're capable of cracking these passwords, we need to know what percentage we're capable of, because

108
00:07:34,570 --> 00:07:38,820
you've got to think, in a real environment we're going to dump probably hundreds of different hashes

109
00:07:39,300 --> 00:07:44,420
and we're gonna take those, we're gonna try to crack them, and let's say we crack 10 percent or 30 percent.

110
00:07:44,460 --> 00:07:50,640
Well, that is a number that we can relay back to the client and say, look, your password policy is either

111
00:07:50,640 --> 00:07:54,060
strong or it's weak or somewhere in between, right?

112
00:07:54,090 --> 00:08:00,010
If we're cracking 50 percent of the passwords, we know that that client has a poor password policy.

113
00:08:00,090 --> 00:08:04,410
If we're only cracking like one or two passwords, then their password policy is pretty good, and we can

114
00:08:04,410 --> 00:08:11,550
kind of identify what passwords were weak and how they can improve upon it, but it gives a concrete number

115
00:08:11,550 --> 00:08:17,070
to the client to say, hey, look, this is how bad your password policy is or how good your password policy

116
00:08:17,070 --> 00:08:17,660
is.

117
00:08:17,670 --> 00:08:22,500
So this is one of the best practices that you will do as a penetration tester.
118
00:08:22,500 --> 00:08:29,040
The other thing, and what we're going to kind of lead into and why I'm showing you Mimikatz, is we can

119
00:08:29,040 --> 00:08:34,920
run an attack called a golden ticket attack, and I'm going to cover that in the next video, but we need

120
00:08:34,920 --> 00:08:38,900
this Kerberos ticket granting ticket to be able to pull that off.

121
00:08:38,970 --> 00:08:46,830
So we're going to pause here, and this is really the rundown for Mimikatz. What I'm going to do when

122
00:08:46,920 --> 00:08:51,870
we're done with the next video is we're gonna have one final video in this Active Directory section

123
00:08:52,290 --> 00:08:59,890
and I'm going to provide you a bunch of resources that are very, very good for learning Active Directory.

124
00:08:59,910 --> 00:09:04,100
So we'll cover some of the websites and then we'll put them all down in the description below.

125
00:09:04,140 --> 00:09:10,440
So that way you have references for all these websites and you can go check them out and learn more

126
00:09:10,440 --> 00:09:13,970
about Active Directory pen testing at a deeper level.

127
00:09:14,010 --> 00:09:16,110
So from here.

128
00:09:16,150 --> 00:09:19,890
Let's go ahead and talk about golden ticket attacks and I'll see you in the next video.