1
00:00:00,240 --> 00:00:00,720
All right.

2
00:00:00,750 --> 00:00:05,490
So now we're gonna utilize Responder and we're going to pull down this hash.

3
00:00:05,880 --> 00:00:09,260
So you should already have the Impacket toolkit installed.

4
00:00:09,300 --> 00:00:10,260
If you don't,

5
00:00:10,320 --> 00:00:13,620
there are multiple videos here, so please be watching the videos all the way through.

6
00:00:13,630 --> 00:00:19,560
Don't skip ahead or go out and Google Impacket GitHub and install it that way.

7
00:00:19,980 --> 00:00:27,870
So from here let's go ahead and type in responder and you should be able to autocomplete. All we're

8
00:00:27,870 --> 00:00:30,690
gonna type in now is a dash capital I.

9
00:00:30,960 --> 00:00:36,690
And this is our interface. Our interface here is going to be either eth0, and I will go ahead and

10
00:00:36,690 --> 00:00:41,520
just open up a new tab because we're going to need that, and let's go ahead and just type in ifconfig

11
00:00:41,550 --> 00:00:47,700
or ip a, and you can see here that we have our IP address and it's on eth0.

12
00:00:47,730 --> 00:00:53,070
So that's what we're gonna be listening on, the eth0 interface, and then the rest that

13
00:00:53,070 --> 00:00:55,920
we're gonna need is just a -rdw.

14
00:00:56,040 --> 00:00:58,000
So you don't have to worry too much about what this is.

15
00:00:58,020 --> 00:01:01,480
This is saying these are the different types of what we're gonna be listening on.

16
00:01:01,590 --> 00:01:06,600
One of them is WPAD. You can look at the --help for this, but these are the most common settings, and

17
00:01:06,600 --> 00:01:11,880
if you want to see a hash again more than once, go ahead and just do a -v.

18
00:01:11,910 --> 00:01:15,870
So if we're not saving this output right now, I just do a -v for verbose.
19
00:01:15,930 --> 00:01:20,460
This is an optional setting once you're actually working in the field, but just for now, just in case

20
00:01:20,460 --> 00:01:22,510
you capture the hash and you want to see it again,

21
00:01:22,560 --> 00:01:23,330
this is a good way.

22
00:01:23,340 --> 00:01:26,220
Otherwise it's stored in a log file for later on.

23
00:01:26,220 --> 00:01:29,140
Let's go ahead and just do a -rdw like this.

24
00:01:29,340 --> 00:01:30,050
You can see, OK.

25
00:01:30,090 --> 00:01:32,340
It says hey, you're listening on eth0.

26
00:01:32,340 --> 00:01:33,960
Here's your IP address.

27
00:01:33,960 --> 00:01:41,190
And when you scroll up, here are your poisoners: OK, LLMNR, and then when LLMNR fails it actually

28
00:01:41,400 --> 00:01:43,400
goes down and works on NBT-NS.

29
00:01:43,410 --> 00:01:47,100
So it goes to DNS, LLMNR and NBT-NS.

30
00:01:47,160 --> 00:01:51,090
It's also listening on DNS and it's doing a few different things here.

31
00:01:51,090 --> 00:01:56,220
It's running a few different servers, and all we're doing is running those servers in the middle just

32
00:01:56,220 --> 00:02:00,780
to see if we can get a connection from any of these and try to intercept and respond back.

33
00:02:00,780 --> 00:02:03,420
So you see here now it says it's listening for events.

34
00:02:03,420 --> 00:02:09,270
So go ahead and go over to your Windows machine, and you can see that I've actually put my Windows machines

35
00:02:09,270 --> 00:02:15,170
just as a lab setting. This is kind of what's nice about having the actual Pro version: you can just

36
00:02:15,180 --> 00:02:18,170
keep all of your Windows machines in one area.

37
00:02:18,270 --> 00:02:19,860
So I've got my Windows machine spun up.

38
00:02:19,890 --> 00:02:25,980
I've got Windows Server 2016 and I've got the Windows 10 Frank Castle machine spun up, so the Punisher

39
00:02:25,980 --> 00:02:26,970
and the Windows Server.
40
00:02:27,630 --> 00:02:33,510
And what we're gonna do is we're just going to open up a file share like this, or a folder, and I'm just

41
00:02:33,510 --> 00:02:35,970
going to point this right at our attacker machine.

42
00:02:35,970 --> 00:02:42,210
So mine was 192.168.57.139, I do believe.

43
00:02:42,240 --> 00:02:46,310
Let's go ahead and double check that. 57.139.

44
00:02:46,370 --> 00:02:46,910
OK.

45
00:02:47,570 --> 00:02:53,840
And then what I'm going to do here is hit enter and it shouldn't resolve, right? This should, this should wig

46
00:02:53,840 --> 00:02:54,240
out.

47
00:02:54,260 --> 00:02:58,940
Nothing should happen here, and you see it's trying to enter network credentials, access is denied.

48
00:02:58,940 --> 00:03:02,930
We actually do have a server up and running, an SMB server.

49
00:03:03,500 --> 00:03:04,700
And look what's happened here.

50
00:03:04,700 --> 00:03:10,370
But we do have, we do have the SMB server up and running, so it's trying to connect to that, but you could see

51
00:03:10,370 --> 00:03:16,160
that it has pulled down the hash, and it pulled it down twice, which is fine, but it's pulled down the IP

52
00:03:16,160 --> 00:03:24,140
address of the machine we're attacking, the user and the user domain, and then the hash right here.

53
00:03:24,140 --> 00:03:28,410
So everything that we talked about in the last one, this is exactly what happens.

54
00:03:28,490 --> 00:03:35,330
So let's go ahead and recap this, and I'm going to blow this up. So you're on your first assessment.

55
00:03:35,330 --> 00:03:41,300
You're sitting on an internal, and the first thing you want to do, at least in my, my playbook,

56
00:03:41,310 --> 00:03:44,540
one of the first things I'm doing, I'm running Responder now.
57
00:03:44,550 --> 00:03:49,110
It just depends how loud we're gonna be. I'm gonna show you some other things, but this is, especially

58
00:03:49,110 --> 00:03:55,350
if the client has never had a pen test before, this is always a good go-to. Now clients are getting smarter

59
00:03:55,350 --> 00:04:01,070
about this attack and technique, and we'll talk about that in the actual defense video for this.

60
00:04:01,080 --> 00:04:05,160
But clients are getting smarter about this and they're starting to turn this off.

61
00:04:06,030 --> 00:04:11,820
But for now I would say 70 percent of the clients that I test against are still running LLMNR

62
00:04:11,820 --> 00:04:16,980
on their networks, and this is allowing for easy wins, especially if they have a poor password policy,

63
00:04:16,980 --> 00:04:18,840
which a lot of clients will.

64
00:04:18,840 --> 00:04:24,570
So this is a great initial attack vector to capture some hashes, and we'll capture these hashes, take

65
00:04:24,570 --> 00:04:26,250
it offline, try to crack it.

66
00:04:26,250 --> 00:04:28,680
It's amazing, we can do a lot with this.

67
00:04:28,710 --> 00:04:35,250
So from here we're going to go ahead and install Hashcat or use Hashcat on our machine. I'll show you

68
00:04:35,250 --> 00:04:36,870
a couple of different methods of how we do it.

69
00:04:36,890 --> 00:04:39,990
Then we'll talk about the defenses and move on to the next attack.

70
00:04:40,050 --> 00:04:41,630
So let's go ahead and move on.

71
00:04:41,640 --> 00:04:43,100
Next video, I'll see you over there,

72
00:04:43,100 --> 00:04:45,240
when we work on cracking this hash.