1
00:00:00,150 --> 00:00:02,580
All right, now let's set up the situation here.

2
00:00:02,610 --> 00:00:07,200
We've got our Windows server running and we've got every machine running.

3
00:00:07,230 --> 00:00:11,880
So I've got my two Windows 10 machines, my Windows server running, and we're going to use this tool that

4
00:00:11,880 --> 00:00:15,210
we just installed, CrackMapExec, and it's gonna look something like this.

5
00:00:15,240 --> 00:00:16,650
We can say crackmapexec.

6
00:00:17,040 --> 00:00:20,600
We can do --help and take a look at what it's got to offer us.

7
00:00:20,820 --> 00:00:22,970
And I can make this a little bit bigger.

8
00:00:23,010 --> 00:00:28,670
We could scroll up to the top, and really what it does is we need to provide it with a target.

9
00:00:28,710 --> 00:00:34,260
Typically we either provide target IP addresses, a range, or a CIDR notation. We can do a bunch of different

10
00:00:34,260 --> 00:00:34,590
things.

11
00:00:34,590 --> 00:00:39,150
My favorite is to just give it a CIDR notation, and you're going to see what that looks like.

12
00:00:39,300 --> 00:00:44,560
Then we're gonna have to provide a username, a domain, and a password.

13
00:00:44,640 --> 00:00:49,960
Well, we can provide it a username and password and do a --local if it's a local account.

14
00:00:50,250 --> 00:00:56,280
But from here we're going to provide a username, domain, and password, because as of right now we have just

15
00:00:56,280 --> 00:01:03,480
captured the user account of fcastle, Password1, and there's so many different things that we can do

16
00:01:03,480 --> 00:01:03,810
here.

17
00:01:03,810 --> 00:01:07,890
There's actually a lot of modules that we can run. Now, the modules are kind of finicky, but I must show

18
00:01:07,890 --> 00:01:10,680
you some cool little tricks that we can attempt to do here.

19
00:01:10,680 --> 00:01:13,500
So first of all, let's just check our status.

20
00:01:13,500 --> 00:01:14,670
How about we do that.

21
00:01:14,670 --> 00:01:16,470
So we're going to do something like this.

22
00:01:16,470 --> 00:01:24,030
We're gonna say crackmapexec and we're going to say a user. Actually, let's go ahead and specify the

23
00:01:24,120 --> 00:01:30,330
domain, or where we're going to be attacking, so 192.168.57.0/24 for me.

24
00:01:30,330 --> 00:01:32,860
So it's gonna sweep the entire network with this.

25
00:01:33,000 --> 00:01:43,700
We're gonna say user of fcastle, domain of MARVEL.local, and password of Password1.

26
00:01:44,640 --> 00:01:45,780
So go ahead and fire that off

27
00:01:52,650 --> 00:01:53,950
and there we go.

28
00:01:53,980 --> 00:02:01,090
So it has gone ahead and attempted to attack my .1 machine, which is my local machine here, but it

29
00:02:01,090 --> 00:02:04,260
also attacked the network that we have, right?

30
00:02:04,270 --> 00:02:09,670
So you've got the Hydra-DC, you've got Spider-Man, and then the Punisher here, and you can see that it

31
00:02:09,670 --> 00:02:14,970
came through, it tried this username and password on Hydra-DC, it did not work.

32
00:02:15,130 --> 00:02:15,820
What does it tell us?

33
00:02:15,820 --> 00:02:21,850
That means that this user does not have SMB access, because this is trying to access SMB here, doesn't

34
00:02:21,850 --> 00:02:24,940
have SMB access to the domain controller.

35
00:02:24,970 --> 00:02:28,390
Unfortunately we don't win that easy all the time.

36
00:02:28,420 --> 00:02:30,090
We've also tried Spider-Man.

37
00:02:30,100 --> 00:02:30,720
Right.

38
00:02:30,720 --> 00:02:34,120
And we knew about the Punisher, but we didn't know about Spider-Man.

39
00:02:34,900 --> 00:02:37,160
So that's nice.

40
00:02:37,180 --> 00:02:39,480
So we've got Spider-Man now and the Punisher.

41
00:02:39,490 --> 00:02:42,410
So we've owned a second machine when it says Pwn3d! here.

42
00:02:42,460 --> 00:02:45,070
That means we now have access to a second machine.

43
00:02:45,130 --> 00:02:46,150
So what can we do?

44
00:02:46,150 --> 00:02:54,370
We could go psexec.py and we can use these credentials and do it to .142

45
00:02:54,700 --> 00:02:56,740
as we did with .141.

46
00:02:56,830 --> 00:02:59,710
We can also do something which, this is kind of cool.

47
00:02:59,710 --> 00:03:08,650
We could do something like --sam, and if we get on it, sometimes it will work for us.

48
00:03:08,650 --> 00:03:12,420
It's going to try to dump the SAM file, and here it didn't work.

49
00:03:12,550 --> 00:03:13,720
That's OK.

50
00:03:13,900 --> 00:03:18,490
So it tries to go in, and this is successful a lot of the time, where it goes in and it'll try to dump

51
00:03:18,490 --> 00:03:20,890
the SAM file out of these machines.

52
00:03:21,070 --> 00:03:25,150
And if we look up here there's a few different things that we can do with it.

53
00:03:25,150 --> 00:03:31,510
We could try to dump the SAM or LSA, NTDS, which we talked about way in the beginning, and we'll talk about

54
00:03:31,510 --> 00:03:35,020
it again here in a little bit. We could enumerate shares.

55
00:03:35,020 --> 00:03:36,790
There's all kinds of things that we can add on.

56
00:03:36,790 --> 00:03:39,940
Again, there's all these modules which we're not going to even cover.

57
00:03:39,940 --> 00:03:45,820
I do recommend reading the documentation on this because it can go really deep, and it's surprising how

58
00:03:45,820 --> 00:03:46,800
deep this can actually go.

59
00:03:46,830 --> 00:03:51,480
But from here, let's just talk about what we can do.

60
00:03:51,490 --> 00:03:58,030
So we weren't able to dump the SAM here, but we can utilize a tool called secretsdump, which we're going

61
00:03:58,030 --> 00:04:02,220
to cover in the next video, on how to get the SAM file, and we can just do that.

62
00:04:02,330 --> 00:04:03,400
Yes, exactly right.

63
00:04:03,400 --> 00:04:12,580
So we had psexec.py and we could say marvel and we could say fcastle, Password1, and we could put

64
00:04:12,580 --> 00:04:19,740
that at 192.168.57.142 and try to get a shell there.

65
00:04:20,410 --> 00:04:21,520
And wouldn't you know it.

66
00:04:21,610 --> 00:04:22,750
whoami.

67
00:04:22,880 --> 00:04:29,170
hostname. NT AUTHORITY\SYSTEM on Spider-Man, so this is a quick win here.

68
00:04:29,230 --> 00:04:33,520
We can take advantage of this, as we're going to see in the next video, dumping some hashes out, getting

69
00:04:33,520 --> 00:04:35,560
some more information, extracting this.

70
00:04:35,560 --> 00:04:42,190
We could also go try to get a shell on this machine via the Meterpreter

71
00:04:42,190 --> 00:04:44,810
psexec as well and utilize those.

72
00:04:44,830 --> 00:04:49,120
So that's just a quick overview of how useful passing the password is.

73
00:04:49,120 --> 00:04:54,130
If I get a credential, the very first thing I'm doing is I'm passing it around the network because

74
00:04:54,130 --> 00:04:55,530
I know it's valid.

75
00:04:55,540 --> 00:05:01,420
You can also utilize this to password spray, but I would recommend against doing that on domain accounts,

76
00:05:01,810 --> 00:05:05,340
because what happens is, say we have 50 machines here.

77
00:05:05,560 --> 00:05:10,690
You take this username, you could put any password you want here and try to spray it across a network.

78
00:05:10,720 --> 00:05:17,290
And what's going to happen is you're going to get failed login attempts, and if you get so many in

79
00:05:17,290 --> 00:05:19,780
a row you might lock out your user account.

80
00:05:19,780 --> 00:05:24,130
However, if you have a local account, what you're going to see here in a couple videos, you can actually

81
00:05:24,130 --> 00:05:31,210
try password spraying against it, and you could just throw anything you want at it to see if it sticks,

82
00:05:32,200 --> 00:05:36,700
and you might get lucky, and the local accounts don't have that same lockout policy like domain accounts do,

83
00:05:36,720 --> 00:05:37,340
so.

84
00:05:37,480 --> 00:05:42,280
I always like to do some password spraying on local accounts as another strategy if you're kind of stuck

85
00:05:42,340 --> 00:05:49,080
and not getting anywhere, or if you've come across different passwords or different password phrases

86
00:05:49,080 --> 00:05:51,590
or patterns that you might have noticed in the network.

87
00:05:51,600 --> 00:05:55,890
It's another good thought to have, to just try it against some different accounts, or even just admin or

88
00:05:55,890 --> 00:05:57,150
administrator.

89
00:05:57,150 --> 00:05:59,070
So that's it for this lesson.

90
00:05:59,100 --> 00:06:03,720
We're going to go ahead and move on to the next lesson, which is how to dump hashes.

91
00:06:03,720 --> 00:06:05,460
Now that we have this here.

92
00:06:05,460 --> 00:06:06,790
So we've got a user account.

93
00:06:06,900 --> 00:06:11,100
Let's dump hashes with this user account, especially on the two machines that we found.

94
00:06:11,100 --> 00:06:12,300
And we'll store those hashes.

95
00:06:12,300 --> 00:06:17,800
We'll even try to crack those hashes, and I'll move on to passing the hash as well, just as an example.

96
00:06:17,880 --> 00:06:19,440
So I'll get you over in the next video.