1
00:00:00,120 --> 00:00:07,220
So we've got these three hashes here and all we need to copy is this second half right here.

2
00:00:07,380 --> 00:00:13,200
So we're going to copy the second half and we can copy this and we're going to use CrackMapExec to

3
00:00:13,200 --> 00:00:14,630
try to break it.

4
00:00:14,660 --> 00:00:16,710
So, or at least try to pass it.

5
00:00:16,770 --> 00:00:22,150
So what we can do is we could say something like crackmapexec.

6
00:00:22,320 --> 00:00:25,050
Give the range that we're going to test against.

7
00:00:25,050 --> 00:00:32,250
So 57.0/24 and then we're going to say username and this one is Frank Castle like

8
00:00:32,250 --> 00:00:32,810
this.

9
00:00:33,120 --> 00:00:37,290
So because we have the space, we're going to go ahead and just put that in quotations and then we're

10
00:00:37,290 --> 00:00:41,530
going to do a capital H for hash and paste that in there.

11
00:00:42,060 --> 00:00:47,940
And the last thing we want to note is that this is local, so dash dash local is important to put in here.

12
00:00:47,940 --> 00:00:55,070
Go ahead and hit enter and see it's going to try to pass this around the network and gain access.

13
00:00:55,170 --> 00:01:03,250
Now it doesn't say that it's Pwn3d! here, which is interesting, but we do have the user light up green

14
00:01:03,250 --> 00:01:07,510
which is an indicator that this might have actually worked in the attack.

15
00:01:07,510 --> 00:01:13,360
So if we see Pwn3d! or we see a green one here like a green plus sign, that's a good indicator that

16
00:01:13,360 --> 00:01:15,820
this has worked. Pwn3d! is a guarantee.

17
00:01:15,820 --> 00:01:21,760
The green arrow or the green plus sign here is a good chance, but this has resulted in false positives

18
00:01:21,760 --> 00:01:22,810
in the past.

19
00:01:22,810 --> 00:01:28,230
We do know that it worked and it attempted to pass it along the rest of the way here.

20
00:01:28,270 --> 00:01:32,110
It was unsuccessful as expected, which is OK.

21
00:01:32,200 --> 00:01:37,280
But again, passing this hash around the network, you never know what you're going to find.

22
00:01:37,300 --> 00:01:43,690
You never know, this could light up green for all of these with Pwn3d! all the way down the list and then

23
00:01:43,750 --> 00:01:44,220
guess what.

24
00:01:44,230 --> 00:01:49,180
We have every single machine and I've had this happen in countless assessments.

25
00:01:49,180 --> 00:01:54,850
And if you want a story time, quick story time, there was an assessment that I was up against that was

26
00:01:54,850 --> 00:01:58,660
using something called privileged access management, which we're going to talk about really quick in the

27
00:01:58,660 --> 00:02:05,170
next video, but that's a great mitigation to these sorts of attacks because what happens is a user goes

28
00:02:05,170 --> 00:02:08,720
in and they have to check out their domain account.

29
00:02:08,740 --> 00:02:15,280
So there are tools called like CyberArk or Thycotic that can be used where you go in, you type a password,

30
00:02:15,550 --> 00:02:21,250
you check out your domain account and your domain account password is really long, it's some crazy complex

31
00:02:21,250 --> 00:02:28,840
15 to 30 character password, you utilize that for eight hours or so and then guess what, when you check

32
00:02:28,840 --> 00:02:34,360
it back in that password rotates to a new password so you only know this crazy complex password for

33
00:02:34,390 --> 00:02:35,500
eight hours.

34
00:02:35,500 --> 00:02:42,880
It's impossible to capture LLMNR or any kind of hash that's NTLMv2 and try to crack it, but

35
00:02:42,880 --> 00:02:49,570
guess what, I was able to use SMB relay on an assessment, dump out the same hashes just like this.

36
00:02:49,570 --> 00:02:54,970
I saw administrator on there, I just went and copied this, put it into CrackMapExec just like I did

37
00:02:54,970 --> 00:02:55,750
here.

38
00:02:55,960 --> 00:03:00,830
Flew it around the network and it owned everything, and CyberArk,

39
00:03:00,850 --> 00:03:01,900
privileged access management.

40
00:03:01,930 --> 00:03:07,360
That's not cheap, we're talking million dollar software that they focus on security, and their domain controller

41
00:03:07,360 --> 00:03:12,910
went down in seconds because they weren't thinking about their local admin accounts. Local admin accounts

42
00:03:12,940 --> 00:03:17,850
are so important, especially if you're reusing these passwords, it's gonna hurt you so bad.

43
00:03:17,890 --> 00:03:22,970
So keep this in mind as another form of attack utilizing these local hashes.

44
00:03:23,020 --> 00:03:28,660
And another thing to do as well is you can't put this into psexec and get a shell out of it; if

45
00:03:28,660 --> 00:03:32,050
you want, you can use psexec.py to do this.

46
00:03:32,050 --> 00:03:38,410
So for example, if we go to psexec and we just say dash dash help, you'll see in here that there is

47
00:03:38,410 --> 00:03:45,000
a place for hashes, so you can utilize the whole hash to authenticate instead of utilizing a password.

48
00:03:45,340 --> 00:03:56,180
So we can do something along the lines of this: psexec.py and we'll say something like, we'll

49
00:03:56,180 --> 00:04:05,790
say Frank Castle like this and we won't give it a password and we'll just say at, and this will be

50
00:04:05,850 --> 00:04:14,820
192.168.57.141 and then we'll say hashes and then we need the whole hash for

51
00:04:14,820 --> 00:04:20,940
this one, so we need the LM hash and the NT hash, and if we look here this is the LM hash and

52
00:04:20,940 --> 00:04:26,580
the second part is the NT hash. You need the entire hash for psexec to work here. It's gotten

53
00:04:26,580 --> 00:04:34,390
past that and we'll hit enter and we can see, while this user was able to authenticate here, we were able

54
00:04:34,390 --> 00:04:35,980
to request the share.

55
00:04:36,100 --> 00:04:39,220
We weren't able to get any admin access via this one.

56
00:04:39,220 --> 00:04:46,840
So even though this user has access to this machine, we're still not able to get a writable share where

57
00:04:46,840 --> 00:04:53,470
we can upload and get a shell, and to prove concept here we can try it on another computer, say 42

58
00:04:53,470 --> 00:04:58,240
where we know we don't have privileges, and you can see there's a login failure, so there's a difference

59
00:04:58,240 --> 00:05:00,540
here, but this is just another thing that you can do.

60
00:05:00,540 --> 00:05:06,250
You can attempt to get a shell with this local user without ever having to use psexec or know the

61
00:05:06,250 --> 00:05:07,270
password or anything.

62
00:05:07,270 --> 00:05:13,660
So just building upon this, if you pass this password around the network and this password works all over

63
00:05:13,660 --> 00:05:18,080
the place, then your next move would be to do this setup here.

64
00:05:18,160 --> 00:05:21,220
Put your hash in and then try to fire it and get a shell.

65
00:05:21,220 --> 00:05:23,380
This is a quick way to own a domain controller.

66
00:05:23,380 --> 00:05:28,720
For example, if the domain controller is allowing something like this or that user is valid on that domain

67
00:05:28,720 --> 00:05:29,780
controller.

68
00:05:29,800 --> 00:05:35,080
So from here we're gonna go ahead and talk mitigation strategies and then we'll move on to some more

69
00:05:35,080 --> 00:05:36,760
fun attacks in Active Directory.