Learn Active Directory!

John Hammond · Beginner · 🔐 Cybersecurity · 1y ago

Key Takeaways

The video covers the inner workings of Active Directory, its security risks, and how attackers can exploit them, with a focus on credential capture, privilege escalation, and RDP session hijacking using tools like Responder, WMI, and PowerShell.

Full Transcript

Hello, hello everybody, how's it going? Look, fingers crossed we got the show on the road. You know how it is with live video, live stream. I always get a little bit anxious when we click the button and see if things are actually happening, but I see the tabs refreshing over on my other monitor. That's the benefit of having a couple extra eyes; they call me four eyes for a reason. But with that, look, bring up chat and we can banter for just a couple moments, if that's okay. Let's see, does it let me show chat? I swear I'll figure out streaming at some point. But hey, super good to see everyone.

Hey, let me be straight up. Let me, not to say talk smack, but let me speak the truths, because it's no secret I have been putting together a couple live streams previously, when we got together with Ellie to chat about some crypto, when we got together with Michal to chat about some OSINT, open source intelligence, and it's been a lot of fun, because it has been showcasing the skills, talents, the mastery of a lot of the cool Just Hacking Training courseware developers, authors and instructors. And I hope it's, I don't know, I don't know if it's clear, if it's evident, but without a doubt, no secret, I would like to help showcase, spread the love and make sure we can shine a spotlight on them. So we're doing, like, if it's not clear, Just Hacking Training live streams to keep you informed, to keep you aware of all the sweet stuff that we're doing. If you're also interested in some other forms of that, if you can't catch the live stream, we do have a little newsletter that I'm trying to cook up as well. And give me the time, please, with your permission and blessing, I've got to do the, not to say shill, but I've got to talk about this cool thing that we're doing. I am very pleased and proud of, and do love, a lot of the Just Hacking Training work. So with that, we do these live streams, but thank you for your grace, and let me turn into a billboard every now and again.

With that, let me do the spiel. Let me cruise through, because there are a couple sweet updates. I will try to share my screen for a little bit, but I know everyone is tuning in because we are supposed to be doing some Active Directory fun, and we will, without a doubt. I just want to take a couple minutes. So here's the loose run of show. You know we never do any regimented, any scripted thing. I want to have a couple moments here, as is usual, to hang out, banter, give you some quick updates, and then get our special guest in the mix. So we have a phenomenal Slavi Parpulev, and I'll have to ask him, can you forgive me, and how I butcher his name if I do, forgive me, but I do want to give him the spotlight, let him do some show-and-tell, some sweet demonstrations and cooking show magic for Active Directory stuff and everything that he's been showcasing in his Just Hacking Training Mastering Active Directory Security courses.

With that, let me tell you all the stuff that's up. So I'll share my screen and I'll choose just a window. No, we can go to that screen, I think that's fair. All right, so okay, just a teaser, because it has to be done for folks that aren't tracking: we've spun up and we're getting started with our crack, our old college try for the schoolhouse, not to say an academy, right, but a training platform. And it is courses, it is exercises, it is challenges, it is activities, hack-alongs with a video, or even some old archives from Capture the Flag competitions that we've hosted. So I hope there is some good value there. We want to make sure that it is affordable, accessible and easy, letting folks get into a full-blown lab environment, because I think that's the benefit, is that you can really easily spin up tons of virtual machines kind of all within the course itself. There are quizzes, there are little learning, check-your-knowledge-and-understanding sections, final capstone things, and we're having a whole lot of fun putting it together.

So if you are curious, the link is justhacking.com, and we've been trying to get this schedule going where some of the folks from our seriously phenomenal lineup of great folks that are helping contribute, and I'm so, so grateful for all their support, we're getting more as time goes on, which I am super excited about. But one thing is that I've got to try, an attempt to put my hat in the ring, and I think we have put out just now what is our Dark Web and Cybercrime Investigations course. So I would love to at least tease and show that to you. Then it's out and about, you can jump in. There is a 20% off little discount for launch, for the very start of things popping off.

Now let me please say, this is not something that has a ginormous or really accessible virtual machine and lab environment in it, because it's telling you and teaching you a little bit more about Tor hidden services, the dark web, all those .onion domains, and I can't really recreate that inside of a virtual machine, you know. With that said, I'd still love for you to be able to learn a little bit more about how it all comes to life. Let me add the other note and disclaimer, though: it's not sharing onion URLs or links or websites for those cybercrime shenanigans. It's a very, very strange tightrope and balancing act of, hey, we're chatting about cybercrime, but I can't be emboldening, emblazoning and encouraging that. So I hope I have your grace with that. But it is something that I am very excited about, and this is a collaboration. This is actually from a whole lot of folks that are doing investigations actively for threat actors out and about. I think folks might have been tracking the Snowflake breach; you saw Connor Moucka, a lot of the other individuals that have kind of been associated with that. And I hope it's fun, I hope it's neat, I hope it's cool, I hope you get a better understanding of that shady underworld. But if I may please say, this is just a step in the pond, a pebble in the pond and a step in the right direction, laying the foundation and getting the movement going. So we will do more of this, and maybe get a more thorough cyber threat intelligence course in the mix that will get much more tactical with the links, with the actual places to check out for current real threat actors, ransomware leak sites, etc., etc. But I know that's a whole other direction and dimension for, excuse me, from what we're doing with Active Directory.

So with that, I'd love to tell you a little bit more about that course. Mastering Active Directory Security is actually going to be structured and set up as a sort of path, sort of like a collection of what will be multiple courses, in which case you might have seen there is Volume One and Volume Two. And these are incredible, because they are laying the foundation. I think Volume One understandably starts a little bit more hand-holding, guided, fundamentals, and getting into the real understanding, and then Volume Two starts you to play with a little bit more; that is significantly larger than Volume One, because you get into action. But I can sing the praises, although I can't really do it as much justice as I can with the source, with the absolute mastermind, Slavi himself. So we'll bring him in in just a moment.

But I do want to have another quick little shout-out and showcase. Thank you so much for tuning in to these streams. I realize it's a way to learn, and it's also a way for me to try and help spread the word and get info out, so you being here means a heck of a lot to me. And what we'd like to try to do is help share a code, like a discount code, so we can give you a little bit more access because you have been here. So, cutesy coupon code, I know, we got to do it, right? But there's also 20% off for both the Mastering Active Directory, the MADS courses. They are going to be accessible with the 20% off discount code that we can share all throughout the live stream; we'll pop it up in chat, we'll pin it on the screen. I don't want to have you sit here, waste your time, and you don't know, wait till the very end. I don't want to do that to you. I feel like that's kind of sleazy if I say, oh, we're going to release this code, have a discount, but then dangle the carrot so you have to sit here for an hour and wait for that thing. So if I could, if anyone, maybe the voices in the back of my head, production over in the background, the earpiece that I have, yeah, let's go ahead and get started. If we could drop that coupon code, and then let's get Slavi in the house. I can go ahead and pin that super duper quick. Cool, let me go ahead and start the party and we'll get Slavi up in here. Thank you so much, chat people. Oh, I have clicked the wrong one because you are too fast. Excellent: MADSTREAM20 gets 20% off both Volume One and Volume Two. And with that, I've successfully accidentally burned 10 minutes, and let's do the real show. Let's actually get Slavi up in the house. I'll turn off the music and let's do some Active Directory. Thank you so much, everyone, for being here. Slavi, if you're ready, my friend, we can start the party.

Cool. Hello, hello.

Hi, John, good to see you.

Great to see you, my friend. How is life, how is everything? It's Friday.

It's great. It's our first interaction in public, so that's actually quite exciting.

No, I'm right there with you, very excited to be here and actually present our common work that you have designed so far.

Well, I can sing your praises, but I think you have an incredible list of accolades, a wealth of experience, and quite a resume. Could you tell me a little bit more about you, or, hey, what you've been up to, what you're doing now and what you're all about, at least to help add some background context for folks tuning in?

Absolutely, and thank you for that. I'm one of those new guys, so to speak, because I actually graduated university back 10 years ago with cyber security, so cyber security is actually in my veins and you just have to learn it on the job. I studied cyber security as I started, and in the past 10 years or so I've been switching between different consulting companies where I have been doing a lot of penetration tests and different roles around that offensive side of cyber security. One of my roles was actually on the defensive side as well, because I wanted to challenge myself a little bit more, and I was doing digital forensics and incident response. But after a couple of cases where I don't sleep for days and nights, I think I turned things around. I went back on the offensive side and I came back into the hacking community, which I'm really happy to be part of.

Excellent.

I have also been an instructor on some of the other platforms before. I have been engaged with eLearnSecurity, where I developed quite a few of the courses in there, and I have also created some modules in Hack The Box as well previously.

And heck yeah, now we get to do that together in Just Hacking Training. Well, I am super flattered and grateful for your support, and just incredible, I think, coming from a lot of strong arms in the community, a lot of, hey, incredible contributors for the industry. I really like a couple of the notes that you had about even just your kind of growth in red teaming and offensive security being a heck of a lot of fun, trying some of the defensive work, blue team work, because it's both, right? You gotta have both. You have to really be on all ends of what we do.

But it is time that is quite important for you as an attacker to understand what traces you leave behind you, and the best way to understand that is to understand the defensive side: what can they see depending on the actions that you take? So just by executing a task or running a file, what artifacts are left behind for the guys to catch? Then you can also understand how EDR products and SIEM systems are working, how they can catch you on the way, so you can try to avoid that. Now with this course that we're designing here, and we're going to talk about, we're not really trying to hide or carry out any of this more advanced mastery; we're simply loud, noisy. We want to find issues in Active Directory and we want to exploit them. But maybe at the later stage, hey, we may get to discuss something more advanced and actually try to fight against best-in-class systems, tools and so on.

Can you actually maybe fill me in on that structure, the architecture in your mind of, look, Volume One I know covering a lot more credentials, Volume Two a little bit more protocols. What do you have in store for, I don't know, what would be Volume Three, and I don't know if there's even four or five? How far will you go with this thing?

Yeah, that's actually a great question, so thank you for that. Like you said, Volume One is really primarily about understanding what is Active Directory, what is domain controllers, domain admins, the very basics of Active Directory. We even implement Active Directory from scratch: we spin up Windows servers, we promote them to domain controllers, we go through the entire journey of getting Active Directory up and running together. And then we discuss credentials. See, credentials are very important in Active Directory, because it's not just about usernames and passwords. It also can be certificates, it could also be password hashes. So getting a hold of any credential could be as good as having a password in most cases, because you can authenticate with it and you can pretend to be any user if you steal their credential, and that's what we're trying to focus on. And also some of the issues that we have uncovered with passwords over the years, like, for example, by default Active Directory has a password policy which is seven characters, and if you have a password policy which requires seven characters, your password could easily be Password1, right? That's something easily guessable. So you as an attacker, you need to understand what you're up against, and doing information gathering to figure out how your current environment is hardened that you're trying to compromise is the first step, and trying to identify additional credentials to move laterally across the environment would be the next natural step as well, if you can't find any additional vulnerabilities. There's many things that we can discuss about credentials, really, because one thing is plaintext passwords; how are passwords stored; like I mentioned, password policies; passwords of domain users, of local users, how do they differ; how can you use domain users, how can you laterally move with them; reuse of passwords both for local users and admin accounts, and so on. So when we talk about credentials, there's a lot more than just simply using a username and password that I need to discuss.

And like I said, one of the things which is quite interesting is reusing credentials. I guess you might have seen in some environments, John, yourself, people tend to have now two user accounts, one being the normal user account, say John, and an admin account on top of that, being Admin John. But how many organizations have actually checked that their IT admins don't use the same password across both accounts? Because if you have two accounts but use the same password, eventually the segmentation of identities doesn't exist. So password sharing is also another big topic that we were discussing in the first version of MADS.

Now I love it, honestly. I think, I know sometimes it's a weird balancing act of, like, hey, the introductory and beginning content, because folks might, and I know, hey, we do have a very, very broad, I think a varied audience that's so diverse, of people from all skill levels, which is a blessing and a curse, because, hey, some folks might roll their eyes and say, oh, this is just the start, you know, everybody knows this. But I think it's super duper important, especially with what you've all laid out here for these first couple sets, the first couple volumes, because you're laying such a thorough foundation that you can add to this even as new things come up. I hope that's a huge driving point, is that, look, this is going to be updated over time as new things come out, but because you'll have such a strong base and understanding of the inner workings of even something when you zoom in as much as credentials, or protocols, Volume Two, etc. Sorry, I didn't mean, I didn't want to interrupt, but I think that's, I love to see this, even if it means going back to the basics to a certain extent, right?

Yeah, I actually think the basics is also important for another reason, because seasoned experts and professionals, of course they already know this beginner stuff, but new people are also constantly enrolling in our field, and it's very important to have well-defined basics for them, so going forward is going to be easier for them to get on board much faster, because we get to share all our experiences in a course like this one. And another thing is, Active Directory is a very old system, if we can call it a system, because it's not just one system, right? And its main purpose is to provide identity. It's an identity provider, but it can be extended to be so many more things. You can add services that can make it a file server, DNS, you name it; it can almost support all of it. So by doing everything from the very basics, we get to discuss all of these different services as well, not just the identity protection part. And we're going to be attacking that in later modules of MADS. We'll spin up a PKI, a DNS, an AD CS, and we're going to be going against this, figure out what kind of attacks exist, so we can better prepare our students to actually exploit these vulnerabilities and discover them in real life. And like I said, Active Directory is a very, very old system. It's constantly being updated and new features are being added, but new features doesn't mean that they're secure as well. Like, from the very beginning Active Directory has been quite insecure. New research is demonstrating that even more and more. Almost every month there's a new escalation pattern in Active Directory, and it will keep coming, and that's why it's also important to have modules split the way that we have done them so far, because we can constantly keep adding new and new attacks as they get released, discovered, or maybe something that we discover ourselves that we can discuss in these modules. And what I'm going to say, which sounds crazy, is that Active Directory was not released really to be secure from the very beginning, because if you think about Microsoft as an organization, they need to create a product which is usable for a larger amount of people out of the box. So when you deploy Active Directory, pretty much everything is up and running from the very beginning, as opposed to being disabled to begin with, and having many services and functions that you're not necessarily going to use being active opens up your attack surface and opportunities for an attacker to exploit your environment. And to be honest, in a full-blown Active Directory setup which is a default installation, there are already, by default, ways to escalate in that Active Directory. If you haven't done any hardening, Active Directory by default, just spin it up, I guarantee you a skilled attacker will be able to escalate their privileges right out of the box, fully patched Windows Server. So it's very important to actually bring up the basics as well, because not everybody has it.

No, super important. I tried to sprinkle in, hey, some visuals for Volume One and Volume Two as you were laying the foundation again. But I don't know if you're up for it, I'd love for us to be able to take some AMA, I don't know, question and answers, if anyone has things in the chat. We could try to build up maybe a queue for us if anyone has anything specific you'd like us to banter about. But if you'd be willing, Slavi, I think one of the coolest things would be to be able to see some of the tricks that you've got up your sleeve for a demo, for a showcase. We were thinking and brainstorming just a bit ago, kind of before we wanted to do this stream together, thinking, like, what's meaty, you know, what has some substance that folks would really enjoy? Because I know a lot of folks like to see some of those sweet, flashy fireworks, but I think, at least from what you teased telling me your ideas, there's some really cool and really neat stuff. So I'm very excited for whenever you're ready to start the show-and-tell.

I think we absolutely should do that, and of course it's going to be live, so hopefully everything works. And for the second part of MADS, actually, which we haven't discussed yet, what we wanted to build this, not just on top of credentials, but wanted to actually expand and make a bigger course which includes a little bit more than basics, and then we expanded by including different protocols that Active Directory is using, and permissions, abusing permissions, how to discover misconfigurations. We're actually building a lot more on just credentials, because credentials are important. Once you have a username and password, you can use them to authenticate in Active Directory, but then what protocol do you use to authenticate with, and why should you know about multiple protocols? Can't you just RDP to a system? In theory you can, but what if your customer has blocked RDP, or network segmentation is blocking RDP connections? You need to know about the existence of other protocols which can give you those remote code executions, and that's actually what we're going to demonstrate just in here as well. Also a little bit of privilege escalation in Active Directory: how can you go from a local admin to domain admin if there's some overlaps? So I think I'm actually ready to start with the demos, if you don't have any questions.

No, thank you so much. I have a headset that's low on battery, so I figured, well, okay, thank you for the top cover, and now we could totally segue to do some sweet showcase.

Yep, awesome. So would you be willing to full-screen and zoom in and do all the things so it's a ginormous text that people might be able to read even on the old mobile screen?

Absolutely. You just tell me if you can't see or read something and I'll act on it right away.

Cool.

So one of the first things that I want to show you is, because literally one minute ago I asked you, why would you need to know about the existence of multiple protocols? Can't we just RDP to everything that exists? And in theory you can, but what if RDP, you can't reach it? What we're going to discuss in this course is the different protocols that exist that you can use to connect to Windows machines, and one of these protocols, which is one of my favorite ones because it tends to be a little bit less detected, is using WMI. If you have valid credentials of a user, you can use WMI to authenticate and remotely execute commands against a system. So, for example, in here I have already prepared something simple: how do we authenticate from a Linux machine to a Windows machine using WMI? It's a built-in command in Kali Linux, which we're using for all our demos in the course, and what we're demonstrating is that we have the credentials of a user called Alice in the domain Corp, with the password Slavi123, and we can try to authenticate against a remote machine. In this case, the IP address is denoting our domain controller. If we just execute this command, we'll see that we successfully get a Windows prompt, and we are running in this, sorry, if I type it correctly, hostname, we're successfully running on DC1 by connecting over WMI. Very simple. I just want to demonstrate that there's life outside RDP as well, right? The same thing can actually happen if you don't necessarily have the plaintext password but you have the password hashes of this user account. We can execute exactly the same command by using the password hash, if we have obtained this password hash somehow of the user. Now if I copy-paste the command again, I get exactly the same result. You can see that I have this Windows prompt, and if I run commands, it will tell me that I'm running on DC1, DC1 being our domain controller. So credentials is not just passwords; it can be hashes, it can be certificates as well. Certificates is something we have not yet discussed, but they're going to come as a separate module in the future as well.

John, as you know, back in the days, back in the good old days, Responder was a very, very popular tool, and it seems that things have really started changing. Are you familiar with Responder? Have you used it yourself?

I'm not sure how much I have. Yeah, I have used Responder. I think probably for the maybe limited, or not to say, I don't know, I guess the cookie-cutter use case that we all tend to know, but it's like, oh, let me backslash-backslash, type in the SMB share that I want to hit, to see if we could get the connection. But I don't want to steal your thunder, I'd let you.

Right, so Responder is actually one of the tools that we are bringing up in the course, and we're going to be using it for many different purposes. The one so far...

Before we get too far down the rabbit hole, I'm sorry, would you mind amping up the text size just a smidge more? I think folks are, think, worried, oh, it might be just a little bit blurry, so the bigger we can get, the better, truth be told.

Is this better?

Maybe two more, if you're willing, and then I think we're okay. Heck yeah, thank you. I hate to be that annoying, like, I hope the letters don't jump out of my screen. I look so silly when I have ginormous icons and a terminal way too zoomed in, but it's, I hope, good.

Great. So what I was going to tell you about Responder is that, Responder, one of the main things we would use it for is to catch credentials on the network. If you have network access alone, without having username and password, you are in a great position to capture credentials that are flying on the network. Somebody might ask, why the hell would credentials be flying on the network? Well, I'm glad you asked that question, because you see, like I said, Windows by default is not designed to be secure; it's designed to work in every possible case you can imagine. Microsoft doesn't want their users to spend days configuring the Windows machine, so it starts working by default. It has many features and services enabled. Some of these features are legacy protocols called NetBIOS and LLMNR, multicast, which are broadcasting protocols trying to resolve names on your local network, local one. See, these are protocols which were designed before DNS was a stable protocol, and they used to be really useful back in the days. They're not so useful these days, because DNS should be taking care of all of that, and when was the last time we heard about DNS failing, really? I know there are some issues here and there, but it's not really DNS issues, it's from network engineers breaking something. But what Responder is going to do is it's going to listen on the wire to capture these broadcasting protocols, and it's important to capture these protocols, or these packets coming in, because they normally carry authentication information with them. In most cases that is going to be username and user's password hash.

I want to demonstrate to you how Responder works. It's nothing new, but the interesting part about Responder in 2025 is that there's a new protocol which is becoming very popular, which is working in exactly the same fashion as those NetBIOS back in the days, and that protocol is mDNS. It is widely used, from what I can see, in big organizations, because mDNS is being used to connect remotely to, for example, whiteboards which are remotely accessible. Your machine in the environment is going to start broadcasting itself, it's going to try to find Chromecast or other casting devices by using that protocol, and the casting between them, and that is actually enabled in many organizations. So Responder is becoming more and more famous again. It's resurfacing, and I really like that, because I love this tool. It has helped me to escalate my privileges over the years so many times.

So if I may regurgitate, if that's okay, just for my own understanding: I have always used, I think, just the default way of using Responder, SMB UNC path, whatever, but it sounds like there is a heck of a lot more to be able to do with it, and even one that's, like, more reliable now more than ever, 2025, compared to the easy stuff back in the day. Is that right?

It's actually exactly the same.

Okay.

Exactly the same. There's no difference. It's just an extra protocol which carries credentials. So if we go back five, six, seven years ago, I would go to my customers and I would ask them to disable NetBIOS and LLMNR as a finding, and they did so. But now, in '25, mDNS is enabled by default on Windows 11, so if their images have not updated since then, there's a good chance that this would still work, because there's a new protocol which supports the same thing. So I'll just start Responder quickly on the interface where my Kali is listening on, or running, to listen for commands. For those who haven't seen Responder, we have a whole module on it in the course. You get familiar with everything that you see on the screen; it's not necessarily important at the moment. The most important things is the first three listeners, or poisoners, is that Responder is going to try to poison these requests to try to capture credentials. We have LLMNR, NetBIOS and the protocol that we just discussed, mDNS. We're not going to see any events, because my environment is empty; there's no users connecting to anything. So we have to simulate that activity to see that something's happening. So I'll actually move into one of my Windows machines to simulate a user activity, so that we can see that Responder is going to capture it. I'll just simulate that I'm trying to access some share; it doesn't matter which one. And if I go back to my Linux machine, we're going to see that some activity is coming in and there's a lot of poisoning happening. We can see mDNS, LLMNR are constantly coming up with some data, and here we're going to see that we actually successfully captured the hash of a user, Alice. So if you go into Responder logs, at this moment we have an NTLM hash of this user. Depending on the version of the NTLM hash, we have different options what we can use it for. If it's an NTLM normal hash, which is the same as the password storage hash, we can use it for pass-the-hash attacks. If it's NTLM version two, we have different options. We can either try to crack the hash using hashcat or other tools, which we're doing in the course, by the way, so we demonstrate how to crack passwords, we also explain in detail what is a password hash, how to generate it, caveats with it and so on. Or the other option that we can use for the version two hashes is to relay this hash, and relaying is something we actually discussed together. We can have Responder listening and then ntlmrelayx relay the hash to give us access to another resource in Active Directory. The hash itself is not important. The important thing is that we have multiple protocols now surfacing again after so many years that can carry these password hashes as well. So, very important, if you're on an engagement you want to run Responder back again.

Is this something, is Responder something that you just kind of have up and running at all times when you're doing a test? It's just like, okay, first instinct, knee-jerk reaction, first thing on the checklist is make sure Responder is going, and then just let it go?

I actually do. I have a separate machine only for Responder.

Oh, wow.

On an engagement, I hook up that machine to the customer environment only to try to capture these hashes, and in many cases, okay, many, actually I can think of three cases, the customer told me Responder is pointless in our environment because we have disabled both NetBIOS and LLMNR, and then I come up with mDNS carrying those credentials, and gotcha moments, right?

That's great to hear. Very cool. Good.

We have very limited time, so if you don't mind, I'll move ahead with something else as well. I wanted to move into a Windows environment and demonstrate something which is super cool but also, at the same time, super scary, and I want to demonstrate the same thing across multiple versions of Windows, because at some point Microsoft actually managed to fix this, and I want to also discuss how do we bypass newer versions of Windows as well. Can you see my screen? It should be showing a Windows image. Just before I start clicking stuff, I want to make sure that everything is visible.

Yes, I can see your screen. And if I may, I did see one cool question come through: hey, is this going to be uploaded to YouTube, or do we need strictly the course to get the info? The stream, the live stream and its VOD will be accessible on YouTube. We'll make sure that, hey, we'll have that kind of accessible and available for anyone, but if you'd like more of the fun in-depth stuff and be able to play with some more of this yourself, would totally recommend the course. I think that's, hopefully, fun. Sorry, anyway, I think we might now end up having issues with the visuals. If you're able to right-click the toolbar of PowerShell, does that let you amp up the text and the properties? It should. I know it's a little bit of, yeah, clunky, but that way you'll have, maybe not that big, I don't know, whatever you [Laughter] need.

Cool, should be better. So what I want to demonstrate in here is that we're running on a system, Server1, and we are the user Alice in the organization, or the domain, Corp. Alice is one of our domain admins, so Alice is connected to a server called Server1. Now what I want to outline is that in many organizations that I go to, I would see that it's very common practice to assign local admin permissions to consultants or to a few of your employees, because what is the impact to have access to only one server, that test server that nobody's using? What is the issue of having one developer having local admin rights only on that one server? Like, there shouldn't be any issues, right? I'll actually carry out this connection with RDP instead, so we can demonstrate the issue. Sign out, repeat it from a Windows machine instead.

I'm very interested in the RDP angle here, because I feel like that often gets overlooked, and like we know, again, the classic use case, vanilla, oh, use it to RDP, but can you do other weird shenanigans and strange stuff with it?

So we want to demonstrate how RDP can be abused here as well, right? So I'm going to use Alice. I'm connecting to this Server1 machine. I'll just turn it again so we can see that I'm connected. I RDP to Server1, nothing fancy. I'm a domain admin. And then at the same time, one of our users has been given local admin rights to this machine. To showcase an even better case, I'll just authenticate as the local administrator of this machine, not even a domain user, right? I'll just log in with the account Administrator, which is only administrator of this machine; it has no rights in our domain at all. From this account, if we go to Task Manager, we will see that Alice and Administrator are connected to this machine, and they both have an active session. If the session were disconnected, we'd see that the status in here is disconnected, but both users are connected to the same machine. Administrator is a local user only on Server1, and Alice is a domain admin in our environment. So how can we, from a local user with administrative rights on this machine, escalate and become domain admin in that domain? We can actually hijack this session, which is mind-blowing. How can a local user compromise a domain admin? That should never be possible, be the case, right? In Task Manager, by default, Microsoft, so nice. Of course there's many ways: you can steal the password, the files and so on, techniques that we're discussing in the course, but we're
only demonstrating one of them in this live stream Microsoft by default has this building connect Con connectability in the task manager if you try to connect from one user to another user it will ask you to authenticate as that user before the connection is successful which makes sense you should not be able to change your context but actually if you're running as the system user on this machine you can connect to any hanging RP session without having to provide password so what I'm going to do now is since I'm running as this user administrator I'm going to escalate my privileges system and switch to Alice by hijacking the graphical interface so we can visually see that we hijack the RDP session right I didn't know you could do that over RDP or at least like using that as the vessel that in my mind I feel like I parallel it to like the Su command in Linux like on the Linux end once you become root okay cool I'll switch to whatever user I want uh but system on Windows through RDP is kind of cool it is pretty mad because without having the password or the credentials we're not dumping Els we're not touching anything crazy in this machine we can hijack that user get the graph graphical interface and we can execute and do anything we want as that user so if you look into my command prompt at the moment you will see that I'm running as user administrator and I will execute PS exac as a mean to escalate my privileges to the system user by specifying the flag - s and - I for interactive session that I want to spawn a new command prompt as this user once it starts and I who am I again I will see that now I'm running as NTI Authority system so now I'm I'm no longer the administrator of this machine I am running as the system user on the machine I'll start Task Manager now from this command prompt running as system user which means that the process task manager will also start as the user system and in this case if I go to Alice and I click connect my session just changes 
now I I'm hijacking that session right I actually just became Alice I can run anything I want I can add myself to the main I can do anything uh in the case and somebody just wrote a comment uh Le Frank thank you for the comment will we will you kick somebody from the RP session when you do this hijack um yes they'll lose connection if there's somebody actively running in here they'll lose the connection but in nearly 99% of organizations worldwide most people are just disconnected right the session continues to execute because they don't want their Windows to uh to be closed next time they login um so what they do is they normally click the X and the session doesn't end of course they don't have the RDP application running but all the processes and the session in the back end is still running so they can connect to it and see all the everything that is there um in most cases I would only use this on a disconnected session I don't want to alert users of course that we're compromising the right but if you go to an organization which has multiple it admins the likelihood of seeing a running session which is disconnected is nearly certain so this is uh this was exciting this is one of my favorite tys I just hide I just changed my context from one user who had only one local admin right into becoming basically domain admin so what is the impact of giving local admins to one server well this is the impact an attacker can actually escalate and escalating active directory almost certainly means that you're going to be run somewhere heav true enough yeah so well this is really cool I think you're blowing a couple people's mind here uh some questions was like wait a second this is I was this patch some time ago I thought this was patch this still tends to work does this work over other I guess non-native RDP clients because it's still their session it's still their login but like if someone were to use xree RDP or our desktop uh you're still gonna have a Windows log in are 
you not no you're not the reason why this works is because ring as the system user on the server and then you can essentially hijack any of the sessions that exist under RDP with uh with Windows 2019 servers Microsoft somehow silently managed to fix this so even if you're ring as a system user unless you're coming from a local console you will actually be prompted to enter the pass disc account and while they fixed this they actually introduced a new capability called RDP shadowing which is amazing which is basically doing the same thing you can again hijack the session by using RDP Shing and if you want we can go ahead demonstrate that yeah please this is fun we are demonstrating this in the class as well because if you end up in an older version of Windows sure enough you can carry this you can hijack the account but if you're a newer version like in this case where our domain controller for example is rning Windows 20 22 server I just want to make sure it's 22 or 25 uh it is running Windows 22 so it will be fixed if we try to carry out this attack we can also just actually try it so we can show how yeah please it reacts but it's not going to work in the same way as it does I also need to connect another user so I can hijack try to hijack the session I will just start a PSD administrator as well so we have another session that we could potentially hijack administrator of the domain Corp just for quick context chat I'm sorry I know we're moving quick to be able to kind of experiment and play and Tinker so I don't know if we're going to have everything super big and zoomed in yet but I hope you can make enough sense out of oh the RDP client or a terminal here in there um but if you need us yeah if you need us to amp up the tech size please please please don't hesitate to say the word so what I want to show you here is if I look at task management on domain control at the moment I have the domain administrator administrator the default account active directory and 
Alice both connected and we're discussing earlier disconnected sessions I can just show you what disconnected session looks like if I click you see that I'm connected dc1 as the administrator account if I exit this session uh now it's going to be shown as disconnected but a user can reconnect and all the windows everything will still be opened they don't have to reopen everything if the session has still existed and I guarantee you in every organization by default by default in directory sessions don't expire so if it admin clicks X and not sign out the session will be active and you can you can hijack it um so this is what we can see when nobody is connected the session is disconnected and we are currently running as the user Al so our session is still connected there's no status on it now if I escalate my privileges again with PS exac to become a system and run task I'll just close on run task manager this new Windows Server I go to users try to hijack the administrator account that actually worked and I know why it worked because I was I was connecting from a local session that was bad example if I was connecting from an RTP session as well this will pop up with enter the administrator password so it it's not going to work in that in that case okay I can actually yeah I can demonstrate by doing two RP sessions but uh to save time I think I want to show something else instead cool yeah this will be a presentation of um yeah enter your password so I said uh there's a new feature which is RDP shadowing and if you have used one of these remote control uh programs like team view log me in you know they're very popular actually with Windows one Microsoft release their own as well which is built-in that can be used if you have used one of these team viewer sessions you actually able to control this the screen and you can view it and what Microsoft uh enhanced RDP with is giving you the ability to control an RDP session so I can hook up to any active session and then 
control it so instead of um hijacking the session itself what we're going to do is we're going to modify the operating system to allow control of sessions and then just hook up to an existing session and uh we can actually demonstrate that so uh we'll first perform some RDP connections so we have something to hijack from our workstation one I will connect to domain controller once with the administrator and once is Alice just I want to make sure that we have sessions running and it doesn't matter which one do we use to hijack the other really I just want you to be prepared we have a lot of really awesome some questions coming in the queue uh every like this is so cool how do you do what about in this so this will be fun I love it so what I want to show you is instead of looking at task manager which users are connected we can also do query user in command promp uh maybe I can make it a bit bigger so if a query user I'm going to see that there's two users connected Alice and administrator they're both on RDP sessions and they're both active now for shadowing RDP to work the session has to be active um but if the session is active then it's a little bit too easy so I want to show you how we can get this working even with an inactive session so what I'm going to do is I'll actually disconnect the session of the user administrator I'll just keep it running there you go so if I run this Square user again and we're going to see that the state of this administrator session now is uh disconnected now I am the user Alice I'm connect to this machine I'm local admin how can I hijack the administrator account um the way that you can do it I'll just show you that it doesn't work by default so I'll use my Windows machine which is Windows 10 to try to RTP hijack the session it will fail just so we can confirm afterwards that it actually work works so if you run the mstsc um RDP client and what we want to do is we want to Shadow a session and while we are shadowing we don't want 
to consent prompt so the user doesn't need to click yes I allow the shadowing and we're going to get control over the session and the session is running on the device in our case on dc1 would you mind amping up the text super quick because I I think a ton of people would be super interested in that command uh it looks like SL Shadow and then yeah I will hopefully it's better now yeah so we need to Shadow a session and the session that we're going to Shadow is a number that we need to provide and that number we get from our um query user from the domain controller with our RDP the one that we want to hijack is session id2 where the administrator is running so if I provide two this will fail for many reasons uh so to get this working what we need to do is modify the back end of This Server we want to allow RDP shattering because by default this is not allowed but if you're local administrator on the machine you can add a register key where this is actually going to be allowed so I said there's two reasons why this uh failed the first one is because the registry key itself is not there so we need to add it and the second reason why the command failed is because the session is disconnected if you heard me just a couple minutes ago I said this only works with active sessions so I'll add this register key I need to B admin to be able to execute it so the key is deleted it create I know we got small text for a moment so just quick uh air cover uh this is a regge ad command so old school cmd.exe utility to be able to just tweak the registry same way you would do with regge edit in the goey uh it is modifying hklm HQ local machine so you will need admin privileges because that does need to be systemwide which is why I had to open up another Powershell exactly and R the command the command execut successfully we're setting creating a new Rec dword setting it to the value two and the volue in this case means that the server is going to allow RDP shadowing without consent and 
it allows you to control the session as well so if we try again now it's still going to fail because if you look at our sessions the session is still disconnected so we actually we need to force this administrator account to have an active session and the crazy thing about this is that again if you're system on this machine you can force the session to become active so if we do the same exercise with PS exac to escalate our permissions to system so hang on after an RDP session has disconnected you could still tell it to reactivate even what yes that is crazy right um maybe people knew this and I just didn't I'm totally okay to be a fool here but can anyone clue me in is did anyone else know that zombie RDP session in fact that that is what it is actually if the session is disconnected you can hijack it you can control it you can do many things with it um so if I run who am I now I'm going to bring as user system and what I'm going to do is I'll execute a command where we're going to change the session if you remember the session I'll just do it here query user so we can see the sessions the session number two is disconnected so what we can do is we can execute TS con with the number of the session and send this to destination console which will force this session to actually be console enabled and if I do query user again now the session is actually active all right G to write that one down so now we have configured the backend server to accept RDP shadowing and we have enabled the session itself to be active so from any other machine now I can try to hijack this second early possession as you can see there we go this is the actual domain controller we hijacked I did not even have to provide anybody's credentials now that's wild no administrator know all is nothing I just say if the server allows Shing you just specify which uh um session you want to hijack and then Microsoft gives you the ability to basically control that session which is mind-blowing so even 
though they fixed the previous issue they intr

Original Description

Slavi Parpulev teaches all about the inner-workings of Active Directory -- and how it can be taken advantage of by attackers! Learn more from Slavi at: https://justhacking.com


This video teaches the basics of Active Directory security, including credential capture, privilege escalation, and RDP session hijacking, and provides practical steps for exploiting and defending against these vulnerabilities.

Key Takeaways
  1. Bring up the basics of Active Directory
  2. Hardening Active Directory
  3. Demonstrate privilege escalation in Active Directory
  4. Showcase remote code execution through other protocols in Active Directory
  5. Use Responder to catch credentials on the network
  6. Simulate user activity to capture credentials
  7. Use the captured NTLM hash for pass the hash attacks or relay the hash to gain access to another resource in Active Directory
💡 Active Directory's default settings and legacy protocols can be exploited by attackers to capture credentials and escalate privileges, highlighting the importance of hardening Active Directory and implementing secure password policies.
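A host-side audit of the settings the stream turns on or relies on, added here as an example; it is not code from the stream or from the Just Hacking Training course. It is read-only PowerShell meant to be run in an elevated prompt on a server you administer. The registry locations are the standard Group Policy values for LLMNR (EnableMulticast), mDNS (EnableMDNS), RDP shadowing (Shadow, whose value 2 is the setting added with reg add in the stream) and disconnected-session time limits (MaxDisconnectionTime); the stream does not spell those paths out, so treat them as this example's assumptions and compare them against your own policy baseline.

```powershell
# Added audit example (not the stream's or the course's code). Read-only:
# it reports, and changes nothing. Run elevated on the server to audit.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, i.e. the Windows default applies.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$findings = @()

# 1. LLMNR: policy value 0 disables it; absent means enabled (default).
$llmnr = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
if ($llmnr -ne 0) {
    $findings += 'LLMNR is enabled (EnableMulticast is not 0): Responder can poison it.'
}

# 2. mDNS: EnableMDNS = 0 on the DNS client service disables it; absent means enabled.
$mdns = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters' 'EnableMDNS'
if ($mdns -ne 0) {
    $findings += 'mDNS is enabled (EnableMDNS is not 0): disabling LLMNR/NetBIOS alone is not enough.'
}

# 3. NetBIOS over TCP/IP, per adapter: TcpipNetbiosOptions 2 = disabled.
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    if ($_.TcpipNetbiosOptions -ne 2) {
        $findings += "NetBIOS over TCP/IP is not disabled on adapter '$($_.Description)'."
    }
}

# 4. RDP shadowing policy. 2 = full control without the user's consent (the value set in
#    the stream); 4 = view without consent. Absent or 0 means shadowing is not allowed.
$tsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$shadow = Get-RegValue $tsPolicy 'Shadow'
switch ($shadow) {
    2 { $findings += 'RDP shadowing allows full control WITHOUT consent (Shadow = 2).' }
    4 { $findings += 'RDP shadowing allows viewing WITHOUT consent (Shadow = 4).' }
}

# 5. Disconnected-session time limit in milliseconds; 0 or absent means sessions never expire,
#    which is what leaves the "zombie" sessions from the stream around to be hijacked.
$maxDisc = Get-RegValue $tsPolicy 'MaxDisconnectionTime'
if (-not $maxDisc) {
    $findings += 'Disconnected RDP sessions never time out (MaxDisconnectionTime unset or 0).'
}

# 6. Live view: sessions currently in the Disc state, straight from `query user`.
$sessions = @()
try { $sessions = & query user 2>$null } catch { }
$disconnected = $sessions | Select-Object -Skip 1 | Where-Object { $_ -match '\sDisc\s' }
foreach ($line in $disconnected) {
    $findings += "Disconnected session present: $(($line.Trim()) -replace '\s+', ' ')"
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "[!] $_" } }
```

Items 1 to 3 cover the name-resolution side the Responder demo relies on; items 4 to 6 cover the RDP side. A host that reports nothing for items 4 and 5 still has sessions for a SYSTEM-level process to reconnect on older servers, so pair the check with a session time limit rather than treating a clean Shadow value as sufficient.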
