1
00:00:00,150 --> 00:00:08,550
So the first thing that I like to do when I compromise a user account or a machine is I like to do what

2
00:00:08,550 --> 00:00:12,490
it's called pass the password, or possibly pass the hash.

3
00:00:12,510 --> 00:00:18,210
So when we talk about what this is, this is just passing this around the network.

4
00:00:18,210 --> 00:00:20,780
So remember we captured the password.

5
00:00:20,790 --> 00:00:24,140
Password1. We cracked it when we captured it with Responder.

6
00:00:24,150 --> 00:00:28,260
Now we have a username and a credential, and we logged into a machine.

7
00:00:28,260 --> 00:00:32,760
We dumped some hashes and we have credentials there as well.

8
00:00:32,760 --> 00:00:33,440
Right.

9
00:00:33,450 --> 00:00:40,560
So utilizing those, we can either take those credentials offline that we dumped, or we can take those

10
00:00:40,770 --> 00:00:44,370
hashes and try to pass them around, or pass the password around.

11
00:00:44,400 --> 00:00:49,110
So taking a look at what this means on a technical level, there is a tool that we're going to use called

12
00:00:49,140 --> 00:00:50,610
CrackMapExec.

13
00:00:50,730 --> 00:00:57,150
Now CrackMapExec just takes the username, domain and password as you see here, and what it does is it

14
00:00:57,150 --> 00:01:01,060
throws that password all around the subnet here.

15
00:01:01,110 --> 00:01:05,070
So we'll take it against the subnet, throw it around, and we'll see where it sticks.

16
00:01:05,070 --> 00:01:11,610
Now if you recall, we have our user Frank Castle, who is not only an admin on the Punisher machine but

17
00:01:11,610 --> 00:01:15,040
also an admin on the Spiderman machine as well.

18
00:01:15,180 --> 00:01:21,150
So playing off the different example of pass the hash, let's say that we have a psexec here, which

19
00:01:21,150 --> 00:01:22,200
is what I set up.

20
00:01:22,320 --> 00:01:23,840
We have psexec with Metasploit.

21
00:01:23,850 --> 00:01:27,420
We get onto this machine and we run a hashdump.

22
00:01:27,660 --> 00:01:32,880
Well, we can take the hashdump of that local user here, and you can see we just capture the last bit

23
00:01:32,880 --> 00:01:36,540
of this hash and we'll just try to pass that around.

24
00:01:36,570 --> 00:01:41,520
So what that looks like is something like this, where you do the same thing against the network here

25
00:01:41,760 --> 00:01:44,780
with the user fcastle, which is a local user,

26
00:01:44,880 --> 00:01:50,850
and then the capital H for a hash, and then dash dash local, signifying that we're going to go ahead and

27
00:01:50,850 --> 00:01:52,230
pass this around locally.

28
00:01:52,650 --> 00:01:56,880
And you can see that we didn't have any luck on this one, and that's OK, but that's still what we're

29
00:01:56,880 --> 00:02:02,280
after: we're after trying to pass this local hash around to see if we can get on any machines.

30
00:02:02,280 --> 00:02:03,900
This one is a big one.

31
00:02:03,900 --> 00:02:05,490
These two are big ones.

32
00:02:05,520 --> 00:02:08,610
Now you do not have to crack this password to be able to pass this hash around.

33
00:02:08,730 --> 00:02:09,870
That's huge.

34
00:02:09,870 --> 00:02:13,680
The other thing is, if you do have a password, you could pass that around and see where you can get on

35
00:02:14,070 --> 00:02:15,480
any machine as well.

36
00:02:15,480 --> 00:02:18,350
These local accounts are very dangerous.

37
00:02:18,360 --> 00:02:23,710
The issue is a lot of administrators will reuse the same account and password to set up machines.

38
00:02:24,000 --> 00:02:28,800
So if you're able to dump an administrator password or a hash, then guess what.

39
00:02:28,800 --> 00:02:34,950
You can pass the hash along the network, and I have seen it where the entire network uses the same local administrator

40
00:02:34,950 --> 00:02:40,050
password or hash, and you own the whole network without really having to compromise anything.

41
00:02:40,050 --> 00:02:46,250
So looking into these local hashes, these local accounts are super important as well.

42
00:02:46,260 --> 00:02:48,970
So from here we're going to install our tool.

43
00:02:49,080 --> 00:02:54,060
We're going to take a look at a couple of different features and what we can do here, and then we're going

44
00:02:54,060 --> 00:02:59,070
to play around with CrackMapExec and see what it's capable of as well, so let's go ahead and just dive

45
00:02:59,070 --> 00:03:02,760
into the next video and we're going to go ahead and install CrackMapExec.