Windows Pentest Tutorial (Active Directory Game Over!)
Key Takeaways
This video tutorial by David Bombal covers a Windows pentest, focusing on Active Directory and demonstrating various tools and techniques for penetration testing, including Mimikatz, PSExec, and RDP. The tutorial highlights different attack vectors, such as privilege escalation, lateral movement, and credential theft, and discusses the importance of understanding Active Directory and Windows security.
Full Transcript
this is going a little bit quick now but but it's it's just Soul game or for this domain so I mean we can we can play around for ages here because it takes a little bit of time because it needs to to create the profile here in Windows uh but we have a welcome and hopefully we will see a desktop pretty soon as well so with this we also I mean obviously we do men have been we escalator our privileges on clients and and everything right you can go ahead now start C and D we don't even need to start with this admin because we we are essentially domain admin here net user Mighty slash domain part of the domain admits yeah so today we're actually gonna do a pretty much a full scale simulated penetration test and I'm gonna go to the desktop and my pen test folder which I have some files in we have the cherry tree documentation here we have something called mimikats we're going to have a look at that a little bit later we have some enumeration script PS exec for possible lateral movement later and the PS logged on right so this is kind of some of the tools I like to carry around when I do a pen test so we're going to start moving cats and this is how it looks looks awesome right no uh no graphical stuff or anything it's just text so we just run who are my groups there on the domain controller with our golden ticket injected and we are now built-in administrators we have a lot of other things as well but we are also domain admin on Michael we are a group policy Creator owner we are schema adminster and Enterprise admins and this denied ROTC password replication group right High mandatory level we have access to everything just for everyone watching this is a simulated environment it's a lab it's not a real environment never hack networks that you don't own or have permission to attack so Remy that's what we're doing here right it's just a lab that you guys have created correct this is a lab that I created myself so it's running locally so whenever I need permission to attack something I just ask myself hey can can I attack this and yeah sure we can so we have we have no limitations here today which is which is always fun right hey everyone it's David Bumble back with a very special guest Remy welcome thank you thank you so Remy you got to tell us a bit about yourself I'm really excited about this video who are you firstly and what are we going to be covering I'm really looking forward to this so my name is Remy I've been working in offsetna for well I don't know seven years almost I started back in 2016. my background before offsec was mainly sis Administration I've been working in help desk I've been I've been doing a lot of stuff with technology right my whole life has been technology essentially so when I started in offsec I started as a student administrator a work that I worked as that for yeah about two years so I was helping a lot of students with uh mostly the pen 200 course I believed it was called pen testing with Cali or pwk back then right I had a lot of fun with that and went into some lead positions some technical management Etc and then eventually coveted hit right so we we couldn't do live trainings anymore offsec has been doing live trainings for for a long time and we created this virtual program that allowed us to do live trainings online right so I was a part of that and did demos and and had a lot of fun with students and I also did some live trainings in in real person uh on the pen 200 course a lot of fun as well uh meeting some students live that's cool and not only be on the camera that's great yeah it's nice yeah and now I work as a Content developer in avsec and I've been a part of the the pen 200 2023 upgrade that we released a couple of months ago and I also have experience in pen testing right I got my hands a little bit dirty somewhere last year to do some engagements here and there and try to learn some new things that we can incorporate into our courses right so for everyone who's watching there's a lot of content covered in this video so I've put timestamps below as always use the timestamps if you're only interested in certain parts Remy's doing an amazing demo but there's also theoretical parts to the video where you explain certain things uh because if you don't have that understanding it's difficult to follow along but just use the the timestamps to jump so what I'm really excited about is we talking about hacking Windows right and this is similar content to what's in the in the course right yeah so today we're actually going to do a pretty much a full scale simulated penetration test it's based on the pen 200 content it's not the exact same attack vectors uh or anything like that but it's on the same level right we're gonna Focus mainly on Windows and especially active directory because we're gonna pen test a domain right so we're gonna get a little bit of everything we're going to do some enumeration file transfers we're going to do some windows privilege escalation for example which is a kind of a tricky uh concept for for some of our students right and we're going to mainly focus on on active directory and we're going to do some devastating attacks to the organization and we are assimilating here so that's going to be fun offline you were talking about a golden ticket or something and that sounds like it's going to be a lot of fun yeah so so yeah we're going to do a do a golden ticket here and we're gonna do it as nasty as possible that is just nasty essentially we're gonna gain some persistence in this domain that we're pen testing hopefully if everything goes right and yeah it's hopefully it's going to be devastating and I'm glad this is a simulated pen test and uh and not a real one right because that would be not too good so so I've got some great news as well offsec have given me a discount Remy what kind of discount are we giving people for is it for the 200 course it's actually for uh for a product we call learn one okay so it's uh it's for it's potentially for a lot of courses right so the learn one is essentially um a product you can buy which will give you a whole year of access to to a specific course of your choosing it's very flexible to a learner not really any time crunch there I mean you have a year to to do the course and it's also going to give you access to prerequisites such as if you want to do the pen 200 course you're also going to get access to the pen 100 material right so you don't necessarily need to know pen testing whatsoever to get into this and it's also two exam attempts there we do want our Learners to to be certified and we are continuously adding content so you will get access to most of that as well so yeah so it's a it's a 10 discount right uh yeah it's a 10 discount yeah so for everyone watching use the link below if you want to get 10 off big thanks to offsec for sharing that I don't get any affiliate fees I don't get any money so just disclaimer this is just to hopefully help you I get nothing in exchange for this video but Remy we've spoken enough let's start with the demo absolutely all right so we're going to start our simulated penetration test here right now and as you can see I'm I'm sharing my screen we are logged into kala Linux which is the distro I like to use when I'm doing penetration tests the demo today is gonna be a mix between Technical and not so technical I'm gonna try to explain in a detailed way what we're doing but having a little bit of experience with Windows especially and have a high level overview of what active directories is is going to be a plus for this one because we're gonna do a pen test on a domain right are you running that in on in virtualbox or in VMware or something you said it's running locally right yeah so this is running locally on my computer now currently I'm using hyper-v in Windows so the whole environment we're going to pen test today is actually running in hyper-v so it's a virtual machine yeah so that that gives me the ability to to Really mess my Cali up and just revert it right that happens exactly a little bit too often so yeah but what I think is nice though is I mean what you're demonstrating is this whole infrastructure running on is it on a laptop and um people can replicate it yeah this is on a pretty pretty uh you know fully expect laptop yeah it's uh we're gonna see how many machines we are running in a cup player when we go into the enumeration currently I think it's running like seven machines plus the host itself so it's taking up a lot of resources but yeah it works pretty well and you don't necessarily need six machines or anything like that to to build this yourself either to to get started with active directory especially you need a server and a client you need a domain controller and just a normal client and and off you go right how much remember you got on that laptop uh 32 gigs I believe if it's not 64 I don't even remember now based on how well it runs now I actually think it's 64. yeah so you need a decent amount of ram but it's amazing what you can do but um again I keep distracting you go for it man as I mentioned before we are running a lot of vmc you don't necessarily need to run that many VMS to to get into this right yeah but we wanted to set up a cool scenario and I I think we did right so we're gonna dive into the demo and today we are not really gonna fall Focus too much too much on the enumeration perspective of the penetration test because that can eventually get a little bit dull to watch we're going to focus mostly on attacks yeah the attacks are always funny right enumeration is where you just discover what's out there is is that is that right yeah correct actually I have to say that my favorite part when it comes to penetration testing is in fact in uh information gathering believe it or not I really really enjoy it because you you kind of get to be this detective right okay I need to pull all of this together and we can do certain stuff with it but of course attacks you know that's that's really the cool part right so today we're going to focus on active directory as I mentioned before uh we're gonna find out what to do when we have some credentials uh the goal for the penetration test today is going to be to obtain domain admin in this domain I have running locally here we are going to take somewhat a targeted approach here because if we're going to do all the enumeration everything you do in a normal pen test we will probably be sitting here for a week or you know two weeks right uh Apprentice might even last for months so we need to condense this a little bit so it's going to be it's gonna feel a little bit more targeted but it's still going to be the same attack vectors as you can find in the real world right I have some really simple documentation written up here uh this is just used in Cherry Tree in Cali I wrote it up for this demo demonstration and we're going to do a penetration test a simulated one I just want to highlight that again on a corrupt.com domain and this is the same domain name you will see in the pen 200 Labs if you take the pen 200 course but it's not the same domain right this is running locally on my end and I have been been engineering some cool attack vectors that we're going to use specifically for this demonstration we're going to start in something that we call an assumed breach and assumed rate can be a lot of things right in many penetration tests when you start you might you know you go to the client and the client may give you a laptop and possible a username and a password as well that allows you to log into their system and they will they will hire you to do this internal penetration test right and this is known as a gray box penetration test they give you some sort of access they obviously they don't give you the password for the domain admin or anything like that that's up to you to find us a pen tester but that's really an assumed breach now in the demo we're going to do today we actually take this a little bit step further and I would say that we are towards the latter parts of the penetration test today so in this assumed reach we can say that we have compromised the user in the Corp domain whether you listen and Michael as you can see on my my screen here we have his password as well so we can log into the domain with this user and just for sure we can say that the attack Vector we use terrible social engineering right we tricked Michael here into giving us his username and password or maybe we found it on on some some you know paper he wrote it down on it could literally be everything right but the main part here is that it's an assumed breach but it's not a this is not a powerful user right it's just like a normal user this user is pretty pretty standard yeah it has no admin privileges nowhere in the domain and cherry tree is just like some kind of logging software or what is it yeah so so this is a kind of a you can use it for documentation it's the reason I use it in color now is because it's the live like installed by default but I like to keep my notes there I also use tool such as obsidian for example or OneNote I have also been kind of a sucker for notepad which can become a little bit tricky from time to time you'll just you just dump everything you find into notepad right and you know eventually especially when you Pinterest are a large organization you're gonna get a lot of information as well right so you want to find a tool that works for you but I like to to be able to like in here for example I've added notes so we have computer users and groups and sessions and that kind of stuff so in this case I'm gonna I'm just gonna go through what I personally like to start with when I'm in an engagement where I'm gonna enumerate a domain right I'm not saying this is the correct way I'm not saying this is what you have to do whatsoever you can do what you want as a pen tester it's important to find a methodology that works for you right there is no right or wrong answer here in this case we have enumerated the uh the machines in the domain and we can see we have a total of six machines so the domain is not like it's not huge the first machiner is a domain controller uh absolutely Central piece of the domain that is very important we have a file server web server we have a management server and we have two clients in the middle I have resolved the the IP addresses from their from their host name in case we want to do some scanning with nmap for example from Cali in case we are not able to resolve DNS here then we can Target them with a direct IP address maybe we will have to do that eventually I don't know we'll see and we also have four Windows Server 2022 machines there so four servers two clients and the clients are running Windows 11. I'm glad to see you using like latest version of software not some old thing yeah so when you enormate computers in the domain you might actually end up finding really really old artifacts that were created or or built when when the dinosaurs were still walking the Earth right they might still be logged into the domain and obviously if find such a certain artifact that kind of sales up to be a possible attack Vector right looking at this I don't necessarily see any you know any interesting attack vectors just yet because this is all updated those machines actually have the latest patches and everything so we are probably looking for possible misconfigurations in this domain right that's the computers we can go to users and groups as well as I mentioned it's a very small domain we have the users here a total flow I think seven three of those are default the three you see on top here we have the built-in administrator for the domain the most powerful account and if we are able to get access to this one during our pentas we can do you know really cool stuff not very realistic maybe to get access to this particular account but you know who knows I've I've seen many weird things out there doing penetration tests so we have a guest account we don't necessarily care about that one for now but we have an interesting area this is also a default account care be tdt and this is a very very important account in the domain that is used during the Kerberos authentication process it's used to sign tdt tickets I'm talking a little bit more technical here now right but the care bgt account is very important for the authentication mechanism and we're going to have a look more specifically at what this account is doing eventually whatever you do as a CS admin make sure that no attackers get access to this account because at that point it's it's just game over like literally it's game over so we're gonna we're hopefully gonna see that game over eventually today right okay so we also have four non-default users in the domain here we have Michael Mary Emma and Jeff yeah we have access to Michael this is our starting point today and we'll see if we can get access to the rest as well at some point right a little bit further down here I did some really light group enumeration and those are by far those are not all the groups in ad by the way if this is just for them just a really partial view but I found them a little bit interesting right the reason here is enterprise admin is the most powerful group in the active directory and we can see that the administrator account is is a is a membrane and this is default I'm gonna get to why this group is such a powerful one in a couple of seconds here right looking at domain admins we see something interesting Jeff my name is Jeff he's a member there so just by looking at this our goal is to get domain admin in domain Jeff is a member of the domain admins group so if we at some point are able to get access to Jeff we would essentially be domain admin if we can impersonate him or log in as Jeff that that would literally just be kind of game over for the domain and the end of our engagement right the reason I said that Enterprise admins is more powerful is that in a domain right or in active directory you might have one domain or you might have several domains right so in this case corp.com we can refer to corp.com as kind of the root domain right and in this case it's really the only domain we don't have any other domains here so we don't necessarily care too much about whether we get access to this group or the domain admins group but if you have more domains let's say for example you have a subdomain called sales.corp.com and you have another subdomain called development.corp.com for example right so we have you have three domains you have the root Main and the two subdomains then the Enterprise admin will have full access to all the domains including the subdomains right so that's really powerful if you get access to let's say for example domain admin in sales.corp.com that does not necessarily mean that you are a domain admin in development.corp.com as well or the root domain so there is a domain admins for each domain but there is one Enterprise admins for the whole Forest essentially which gives you access to everything in the pwk course do you teach a bit of the theory of the stuff yeah okay we do correct we are mostly focusing on the domain admins there because we we don't want to over complicate too much here I just wanted to explain the the difference here right now right but the goal in pwk is mostly to get domain admin but you you essentially follow kind of the same methodology if if you target Enterprise admins for example right it's gonna be the same thing but if you are in a multi a multi-domain you know Forest you need to keep this in mind and we discussed already you you've done the hard work of discovering all of this stuff before this and before this video basically um and now you're just going to show how to leverage that information yeah so I'm going through this just to give some context to the attacks we're gonna do right because otherwise the attacks are just gonna be okay how did Remy do this why is it so so just a little bit of content no it's great I mean I think people would have the question how did you find this stuff but we'll cover that in perhaps a different video yeah I mean yeah I mean essentially you have a lot of different tools you can use to enumerate ID but yeah we can discuss that a little bit later I'm just presenting the information for now so we have also two non-standard groups here right we have something called local ADM FS which sounds really interesting and Mary is actually a member of that group right if we look at the naming convention there local ADM most likely has something to do with local admin privileges right and looking at the suffixer fs this corresponds pretty well with a file server that we have in the domain so we can do an educated guess now and say that okay if we are able to impersonate Mary at some point we might have local admin access to the file server in a domain there are many ways or more enumeration we could do where we could look at the description for the group for example we could enumerate something called group policies but those are out of scope for pen 200 so I didn't want to add more you know confusion stuff in there right now so Remy the a question that people may have is what's the difference between a local administrator or local admin versus a domain admin sorry so a local admin is an admin on that given machine only right so so let's for example we can go back to our computers here a domain admin would essentially be also an administrator all those machines yeah right yeah so you you can log in here with your domain admin account I really really don't recommend doing that by the way never do that just just don't now I want to write a login is root and administrator yeah we're going to see more that's a bad idea later right but essentially a domain admin has access to pretty much everything in the domain but the local admin may have access to like for example client of one here if I add the user Mary to the local administrators group on this particular machine only on cliento one then Mary's only going to be a local admin on that particular machine she's not going to be a local admin on management or webo to your right we're actually going to see a little bit more clear difference between a domain login and a local login when we start the attacks today so so hopefully that's going to make a lot more sense then the last group here RDP web uh Michael is a member there and taking an educated guess here we can probably say that Michael should be able to log in Via RDP to the web server right and again we can do more enumeration on this but this seems to be the Michael user seems to be rather interesting after all right lastly in the enumeration we have a tiny bit here we run PS logged on on the servers and we found on web O2 here which is a domain server that Corp Mary is actually logged in based on our enumeration marriage should be a local administrator on the file so too right enumerating computers users and groups and sessions usually are an eye-opener for what you can potentially do right and I wrote up this highly theoretical by the way we need to prove if this is going to work or not I have an attack path here so the goal now is to start with Michael we're gonna try to RDP into webo 2 as Michael if we are successful in doing that that would actually count as a lateral movement attack in the in the in the domain it doesn't have to be some super fancy you know the PSI sick or you know evil winner or that kind of stuff to do lateral movement if RDP is open and you can use it boom lateral movement right lateral movement is just where you're moving from one machine to another right essentially yeah you obtain credentials and you just move around like like a madman where you can right you want to get access to as much as possible essentially so my plan here if we are admin we don't know that yet right if we or if Michael is an admin on fi on web or two we're gonna try to steal the credentials from Mary which is logged in on on Weber 2 right if we are not local admin we will have to escalate our privileges after escalating the Privileges we can try to steal marriage credentials again because in order to steal those credentials we need a local well it doesn't necessarily need to be a local admin we need to be an administrator or we need to be system on the machine because we need to tap into a specific process in order to steal those credentials right so we may have to do some escalation here with Mary if you know the Stars line and everything is fine and we should be able to access file sub 2 as local administrator and then who knows what happens right we we cannot we we cannot possibly tell right now and I wish I could see into the future but I can so I don't know if any of this is gonna work uh but this is a highly Theory uh theoretical attack path now and something I kind of cooked up in my head just based on the information we have gathered but I love that you've given us sort of like you've logged the details of what you've discovered and then you've come up with an attack paths which is great yeah yeah that's great yeah so that's it for the enumeration part for now right we we just went through you know some documentation and now it's time to to finally do some some hacking right so I'm gonna minimize uh my cherry tree here now and I'm gonna open a terminal in Cali and I have some long commands today which I have documented so for everyone watching I put the commands below to a GitHub link where you can you know just copy the commands so don't worry about trying to like copy them while we while you're watching the video so Remy thanks so much for sharing the command center and it'll obviously make the video quicker so again use the link below sorry Remy to interrupt carry on no problem at all no problem I also need to do some explanation here on what we're actually doing in order to to connect to this machine right so we're using a built-in Tool uh RDP client called X3 RDP in this case which is installed in Cali you don't necessarily need to use this you can use your own personal preference like you know our desktop there are so many clients out there but you should be able to connect with most of them right so what's more important here is that we are using the username Michael which we you know we found this password and username right so username Michael the password is my lead password is a very very nice password right yeah uh so so Michael is probably very leader and and this is downfall yeah yeah yeah we're gonna prove him wrong right yeah so the main the main important part here is the Slash dcorp.com and this kind of goes a little bit back to where we talked about local admin versus domain admin and that kind of stuff because Michael he probably does not have a local user account on the machine we're connecting to this is the IP for webo 2 by the way so if we don't specify the domain here Michael will not be able to log in we need to specify the domain name uh the rest there this is just me doing some funding and resizing to to make this look good so this is not necessarily something you need to you know connect the RDP to a machine those parts are the most important models and we're going to use those many times today so let me go ahead and click or hit enter here and hopefully we will be authenticated somewhere and it seems that we are all right so we're logged into this Windows machine right and I don't necessarily like graphical user interfaces too much so I'm going to go ahead and just start command prompt here as a true hacker right I was going to say what what is this what's a GUI come on yeah well what is it like who knows right we are in command prompt now and we can start looking at some some commands right we can type hostname for example this shows that we are indeed logged in on the Machine level 2. so we are logged in on web or two here and who are we who am I right simple commands we are Michael so we can see that here what's important to note is that we have this prefix here called Corp this tells us that we are connected to thecorp.com domain we are not logged in locally on a wemble 2 machine if it's set available to you here we would be a local account on the machine but we're not we are in the domain right and so what this this is the lateral movement thing where you were able to jump from one machine to another and log in with this user which you know someone fished these details or we found it online or something right yeah so once I actually did RDP here that would count as lateral movement technique in active directory uh because we are not connecting to the laptop we were given to the client anymore we are we are connecting somewhere else with some credentials we found and anytime you move from one machine to the other a it kind of counts as a lateral movement and if all the haters that might say well this is dumb because it's too easy but this is the stuff that happens right people's credentials are leaked this has happened or yeah this happens trust me and I'm gonna have to agree that this was a really simple attack right now but we are going to get more complex down the line right so we start light and we we end I'm not gonna say nightmare but it's going to be a little bit more tricky we're not just gonna RDP it's like what Jeremy said in the last interview it just gets better and better right so yeah yeah that's the goal here right okay so yeah as as a recap we are logged in November 2 as Michael I'm doing a lot of CLS by the way just to clear my screen so like this and just to show the user accounts on the local machine if I do net user for example we can see that there is no Michael user here and this further illustrates that we are not plugged in with a local account this administrator account is the local administrator for the Bible 2 machine this is not the same administrator account as the domain admin right there are many many many administrators in this in this network and who knows maybe this one is is interesting for us I mean I don't know we'll have to we'll have to see right I know that there can be a little bit of confusion about okay am I local or or or am I in a domain right the best way to figure it out who am I and you will see the the domain here if you see the hostname for the machine you are logged in locally so clearing the screen again and our goal now if we go back to the territory documentation and look at the attack paths we have RDP into webbo too if you're our admin we're going to try to steal marriage credentials because she is also logged in on this machine right if not we will have to escalate so so far on this point our theater Theory proves true right we were able to RDP that's good and let's see what we can do do more here now I'm gonna do here my slash groups here so I typed who are my groups here in the command prompt because I want to learn a little bit more about this Michael user right and this will give me an overview over local groups on the machine that I'm a member of and also the domain groups so in this case we see that we are a part of everyone that makes sense right because we are a user actually on the machine now we are a part of the built-in users we are a remote desktop users the the ones you see here are pretty standard right not nothing really special about those permissions and we can see that on the on the right side there as well well-known group right we also have Corp backslash RDP web we already knew that this is a ad group in this case we actually see the security identity fire for the domain itself add the relative ID for this group which is 1607. now this make note may not make a lot of sense right now but this this security identifier is going to play a crucial role eventually when we're going to be a little bit more devastating to the to the organization right but looking at this we do not have any reference to administrator or anything so it really seems like we are not the local admin on this machine based on this because then it would probably say built-in administrators here right we can potentially try to start command prompt as administrator but we are getting a UAC prompt here which asks us for credentials and if we were logged in with a local admin here we would essentially just have to click yes or no on this prompt in this case we need to enter credentials and this tells me okay we are not very likely we are not our local admin on the machine looking back at our attack path we wanted to steal Mary's hash right that's kind of our our goal here but we cannot do that unless we are local admin on the machine in this case when need to do something called privilege escalation and that's essentially you go from one user and you elevate your privileges on the machine right and that can often be a little bit tricky both for Linux and windows it's not necessarily my favorite field of expertise either but as a pen tester you just simply have to do it from time to time that's that's just the way it is often a pen test as well when your hand they handed this laptop you're most likely a low privileged user there and one of the goals from the client might be to escalate the Privileges can you escalate our laptops we need to look into some some ways to escalate our privileges here and for the last couple of years there's been more automation when it comes to this kind of stuff right back in the days when I started as a hacker we we essentially had to write our own scripts to enumerate this and that like okay I want to enumerate all the users I want to enormate services and you you kind of type a script to do that for you and output you know the details right nowadays we have tools such as wind peace for example it's a really really great tool that will essentially go through the machine check for permissions on on different folders check for anomalies right in Windows and point you towards okay hey this might be something worth checking a little bit closer you get that from GitHub or somewhere yeah you can find it on GitHub you also can find pre-built executables for it so win peace exe be careful though you want to make sure that you're downloading the correct file exactly just be careful in general when you're working this kind of field never trust anyone right so but yeah windps is a great tool it's going to iterate through everything on the machine for you and kind of point out the anomalies I'm more of the the manual guy when it comes to this kind of stuff and while I like automated tools I also like to know how to do stuff myself right I don't want to put all my trust in this okay I'm gonna run this tool and hope that it's gonna give me something and if it doesn't I'm gonna just deem that okay this is the this system is secure right I just don't want to go down that path as I mentioned in the beginning here we are doing a simulated test and we I'm not going to enumerate the entire window system right now because that's just going to take too much time but if you are like me you like to do things manually you might browse through the file system look at okay how many users has a profile here what kind of applications are installed right if there is a vulnerable service for example you might be able to find an exploit for it and just boom you can exploit it and possibly elevate your privileges at the same time so in this case we're actually gonna we're gonna do this manually and this is going to be somewhat targeted right I'm gonna start Powershell on the web O2 machine and I'm going to run a rather long command here in this case we are running something called getsim instance and same stands for common information model for enumeration purposes I would really compare this to wmi which is the Windows management instrumentation but Sim is is going to provide you with Crossfire cross-platform the capability and it also has some enhanced remote capabilities for system admins and that kind of stuff right so it's kind of the new hot thing to use we don't necessarily need to use it but I'm trying to stay at least a little bit up to date on the new tools we are using right so in this case we are going to use get net Sim or get SIM instance on the win32 service which is uh which is a wmi class that provides information about services on the machine we're going to ask for the name so we we pipe this into select right we're going to select the name we want to see the state of the service whether it's running or disabled and that kind of stuff the path name which is the the path to word executable for the service is what execute what executable is is being executed when the service starts right and the start name who actually starts the service because this plays a vital role if we want to escalate our privileges in this case we pipe all of this into bear object whereas state is going to be like running because first we're gonna enumerate the running services and yes we should probably know right Disabled Services stop services and that kind of stuff as well because we might be able to to use those for for something evil as well but let's start with running we need to start summer right David so let's hit enter and be amazed on the output we receive here this can be a little bit intimidating especially if you're if you're new to Windows privilege escalation right we have received a lot of information here and by default there is a lot of per or a lot of services running in Windows as well and many of those are default yeah it's it's actually rather insane now I want to give an example right away on why exactly I'm doing this okay why is remember looking at the services what's his goal here right just as an example we can look at the the spooler service here right the name is spooler and we can see that the running executable for this one is spool sv.exe so when a spooler service starts it's gonna run this executable air right this is the path for the executable for for the service looking at the right side this one is being started as local system I'm not saying the spoiler service is vulnerable here right but if we are able to replace this exe file with some malicious code and that txe file is being executed by local system what's going to happen right we're actually going to have command execution as local system on the machine a local system is the highest privilege you can have you can have on a Windows machine right let's say if we are able to replace this one with for example a reverse shell that connects back to us in a listener we have in Cali we're going to get a system shell and we have full control over the box right so that's the goal there looking for for you know weak permissions essentially so looking at the output here we have a lot of services but we can see that many of those are pointing to C colon Windows system 32 here we have SVC host exe for example we have a lot of default Services here and we we don't necessarily want to try to replace SVC house exe right and we are essentially looking for anomalies here I like to stay away from whatever where I see see colon Windows system 32 and as I mentioned before we need to start somewhere so so let's look for some anomalies here right browsing up a little bit we actually have one here it's it can be a little bit tricky to see but we have a MySQL service running here called xampp well actually the service is called MySQL right but we can see the executable for it this is not the standard service in Windows xamp is something some C submin has installed on the machine at some point and this is kind of is sailing up to be one of those interesting ones right especially if you look on the right side here because this service is also running with local system so again if we are able to replace this exe file with a malicious code it's gonna execute this local system and we can do a whole lot of stuff right so this one is interesting going a little bit further up here on the top we can see Apache 2.4 is also running and we can see the path executable which is also exam so in this case it seems like the the system installed example the machine using it to to to serve some sort of web application with mice database on the back end right and this one is also running as local system now the goal for us we don't know if this is going to work yet by the way but the goal is essentially to replace this exe file but in order to do that we need to have the correct permissions right and we need to find out those permissions so I'm going to go ahead and copy this and I'm going to clear the screen and I'm going to use a user tool which is called I I'm not sure if I pronounced this correctly but I call it eye cackles this stands for integrity Access Control access list it's a very fancy word right for something that does something fairly simple it's installed in Windows by default and it can essentially be used to well the technical correct term would be to enumerate the access control list on a binary or a folder right we can use this to enumerate binaries and folders the permissions there and we're gonna point this to I copy the the folder earlier but I think I might remember it it's gone from my clipboard now but exam Apache been Apache or httpdexe was it right httpd like this so we can point this tool to this particular file and see the permissions so that was a good point for the previous tool was that is that also built into Windows or did you have to install something to run that no that's built that's built into Powershell the getsim instance is is a Powershell Command right so you haven't installed any malicious software yet it's just using the built-in tools at the moment yeah yeah we are leaving of the land as we like to call it yeah so running the tool here we are now specifying an HTTP deexe file and we can see the first occurrence of a user here right NT Authority system we can see an eye here this simply means that the permission that NTA Authority system has is being inherited from the parent folder here right so this is this is probably the same permission of being Apache example and the C drive itself because the entity Authority system is the most privileged account and we can see the affair that means full access and it's the same for administrators no surprise really because an admin would be able to to do modifications on this file but if we were a system or admin we wouldn't even be in this situation right because we didn't we wouldn't necessarily have to escalate our privileges we would be able to to achieve our goals but we are just essentially a built-in user here and the built-in users they also inherit the permissions from the parent folder but in this case we have no full access we have R which means read permissions and X means executable permissions right so we are not able to replace the cxe file with the permissions we have here we can launch the file but what what is that going to do right yeah start the web server I mean it doesn't really it won't help us so we need to look a little bit further I'm going to run the same on the SQL xampp let's see MySQL bin MySQL D file as well like this and here we kind of see something really interesting right away the built-in users which we are a part of has this F right so we have full access there it's actually listed twice here because the C submin did something really strange here trying your dumb dumb and also a little bit strange I will have to to arrest myself here because I set this up right of course but we can blame Jeff the domain admin my name is yeah in in the in the system here so we have two occurrences here we have two built-in users they both have the F so that they have full access the I on this one means that it's inheriting permissions from the parent folders right this one just means that we have full access to this particular file so this tells me that the suicide bin has actually logged into this machine first given full access to well I don't know what's first right but they might have given full access to the MySQL the exe file to the built-in users and then afterwards given full access to the whole structure right I mean I don't know but there are two things going on there and of course we have the NT Authority system and the administrators that they still have full access right and to further further like set this a little bit in stone we can do the who are my groups again right and looking at this as a whole now we we are running here mys Michael we are a part of the built-in users and looking here we have full access to this MySQL deexe file and we can actually replace the file if we want to it's crazy that you as a standard user can get all this information right it is it's actually a little bit scary about the normal users can get also with ad enumeration there are so many things you can you can query the domain controller for Via ldap as long as you're just connected to the domain it's uh it's kind of mind-blowing in this case I mean I'm I'm I've said many times now we're going to replace this file but in an engagement even though this webo 2 server is within the scope I don't think it would be a good idea to just go ahead and replace the MySQL file right because the service is eventually gonna crash if we try to restart this service and it's going to start with a malicious exe file then MySQL server is not going to be available anymore right this might be a critical a piece of component or or a critical component rather for the organization right if they lose access to their database you know we make awesome Mayhem before you do this in a penetration test if you're a serious penetration tester you will contact the client you will lay down this scenario okay this is what we can do what we can see here is that actually prove enough that we are able to to replace this file and we don't necessarily have to go ahead and do the attack itself in order to progress through the pen test a little bit we might have to do that but instead of bringing the whole system down maybe you can work with a client and they can give you the admin access instead of you giving yourself the admin access on a web or 2 server Yourself by breaking it right because this is a proof that we can actually conduct this attack I mean that whole point is it's a penetration test you're not hacking you're trying to trying to help the client yeah yeah exactly and you're not really helping the client if you jump on the for on the first vulnerability you find and you just crash the whole system not really yeah that's not the goal right but as I said I'm the creator of this lab and I talk to myself earlier here is it okay if I if I mess it up a little bit hell yeah right so you got snapshots so you're good I have snapshots so I can always just revert back so already saving Remy permission to hack Remy yeah no problem right so we're going to do this attack I'm going to go ahead and clear the screen now because this is a little bit messy I'm also going to minimize the RDP window because we're going to go back to Cali now I'm going to open a new terminal and let's call the previous terminal web O2 RDP right just to keep it a little bit clean here and I'm going to go to the desktop and my pen test folder which I have some files in we have the cherry tree documentation here we have something called mimikats we're going to have a look at that a little bit later we have some enumeration script PS exec for possible lateral movement later and the PS logged on right so this is kind of some of the tools I like to carry around when I do a pen test and I've added it to the pen test folder now because we may have to download them from the from the cal machine later right so I'm gonna create a c code here and hopefully create an executable that we can use in in Windows right now a lot of your viewers now David is probably gonna arrest me but I'm gonna use Nano for this that's okay uh I don't want to spend 30 minutes trying to understand how to enter text into VI right so yeah you're gonna start a war I'm gonna start the war now but yeah so so I arrest me if you want right I I just I do I'm just not capable of using VI I need to use the Nano here so for everyone watching Remy's in the states right yeah right I mean it's a normal country yeah for sure so I'm gonna create a file here called aduser.c which is just gonna be a C file essentially I'm gonna do a copy and paste you now with the source code because I don't want to type this out on the Fly here so essentially this is uh as simple as it gets right we are including a standard Library here we have a main function right we are declaring an integer uh named I and the variable is used to store the return value of system here right so this is you you don't need to know a lot of C to to understand this you you don't necessarily even need to know C at all you can copy this right we're essentially asking the system air to Run net user this is like if we are on a Windows system it's a window system as admin we could type this out in a command prompt right so net user Mighty this is gonna be the username might is my my handle on Discord by the way if you wanna if you want to say hello there and the password in this case we have a super weak password in a penetration test if you're allowed to do this attack pick a stronger password right be a responsible penetration tester and we have the slash ad there so this command is hopefully when it's being run a system as we think it will be it's going to add the user to the to the local local box web or two with this password then once this is run we're gonna run net local group and we're going to try to log or add the user Mighty into the administrator's group right so this is the way you would do it if you were an admin on a b
Original Description
Get your 10% discount here: https://www.offsec.com/review/david-pwk-2023/
Disclaimer: I was NOT paid for this interview. I wanted to make this video because it affects many of you watching and is a major topic on the OSCP exam. However, OffSec did give me access to Learn One for one year so I could see the course content. This has helped me prepare for the interview. Hopefully I'll be able to make more content covering what is in the PEN 200 course in future :)
// GitHub Code //
Commands: https://github.com/davidbombal/Ethical-Hacking/blob/main/Windows%20Pentesting%20with%20OffSec
// Documentation //
Changes: https://www.offsec.com/offsec/pen-200-2023/
Course: https://www.offsec.com/courses/pen-200/
// Offsec //
Twitter: https://twitter.com/offsectraining
Website: https://www.offsec.com/
LinkedIn: https://www.linkedin.com/company/offsec-training/
// Remi's SOCIAL //
LinkedIn: https://no.linkedin.com/in/remi-solberg-8991b910a
// David's SOCIAL //
Discord: https://discord.gg/davidbombal
Twitter: https://www.twitter.com/davidbombal
Instagram: https://www.instagram.com/davidbombal
LinkedIn: https://www.linkedin.com/in/davidbombal
Facebook: https://www.facebook.com/davidbombal.co
TikTok: http://tiktok.com/@davidbombal
// MENU //
00:00 - Coming up
01:31 - Disclaimer
01:57 - Remi Solberg introduction & background
03:37 - Jump to a timestamp (check in description below)
03:57 - Simulated full-scale penetration test demo // Hacking Windows
05:12 - OffSec Learn One discount!
06:22 - Penetration test demo
09:38 - Documentation & enumeration // Prepping for penetration test
23:25 - Penetration test demo // Accessing users
30:10 - Privilege escalation
37:44 - Using ICACLS (Integrity Access Control Access List)
43:59 - Privilege escalation (continued)
52:14 - Getting around obstacles // Social engineering
53:23 - Privilege escalation (continued)
57:19 - Stealing credentials
59:11 - Using Mimikatz tool // Kerberos and NTLM Authentication (theory)
01:07:33 - Mimikatz to
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from David Bombal · David Bombal · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
RYU SDN Controller Part 4: Graphical User Interface (GUI): Practical GNS3 SDN and OpenFlow
David Bombal
HPE Network Protector SDN Application Part 1 - Introduction
David Bombal
HPE Network Protector SDN Application Part 2 : DNS Interception using OpenFlow
David Bombal
HPE Network Protector SDN Application Part 3 - Lab Setup using Physical Switches
David Bombal
HPE Network Protector SDN Application Part 4 - Demo of malicious websites blocked
David Bombal
HPE Network Protector SDN Application Part 5 - Demo OpenFlow table interception flows
David Bombal
HPE Network Protector SDN Application Part 6 - Demo of Physical Switch configuration
David Bombal
HPE Network Protector SDN Application Part 7 - Demo Service Insertion Tunnel / GRE Tunnel
David Bombal
HPE Network Protector SDN Application Part 8 - Demo SDN OpenFlow Reporting
David Bombal
HPE Network Protector SDN Application Part 9 - Demo switches interception of DNS traffic
David Bombal
GNS3 Talks: GNS3 version 1.5.X Appliance Tips
David Bombal
CCNA 200-125 Exam: AAA demo: TACACS+ with GNS3
David Bombal
GNS3 2.0.0 beta 2 install
David Bombal
CCNA #012: Learn SNMP with GNS3, Wireshark and Solarwinds NPM - CCNA 200-125 exam
David Bombal
CCNA #013: Spanning Tree CCNA Exam Questions: Know the answer? CCNA 200-125 exam
David Bombal
GNS3 2.0.0 beta : GNS3 VM integration with GNS3 GUI
David Bombal
CCNA #018: Routing exam questions: Who wins? OSPF, EIGRP or RIP? Sure? CCNA 200-125 exam
David Bombal
CCNA #019: Spanning Tree CCNA Exam Questions: Root Bridge, Root Port and more: CCNA 200-125 exam
David Bombal
GNS3 Download, installation and configuration - GNS3 1.5.3 and Windows 10
David Bombal
CCNA #023 EIGRP Neighbor Troubleshooting (DUAL Issues) for the CCNA 200-125 Exam
David Bombal
GNS3 2.0 Architecture and schema Part 1: What is the GNS3 Controller?
David Bombal
GNS3 2.0 Architecture and schema Part 2: Emulators and virtualization
David Bombal
CCNA #028 VTP Troubleshooting for the CCNA 200-125 Exam
David Bombal
CCNA #029 VTP & DTP Troubleshooting for the CCNA 200-125 Exam
David Bombal
CCNA #030 VTP Troubleshooting for the CCNA 200-125 Exam
David Bombal
GNS3 : How to download Cisco IOS images and VIRL images. Which is the best? How do you get them?
David Bombal
GNS3 ASA setup: Import and configure Cisco ASAv with GNS3
David Bombal
GNS3 switching setup and options: Cisco and other switching options in GNS3
David Bombal
GNS3 switching setup and options Part 2: GNS3 unmanaged built-in switch
David Bombal
GNS3 switching setup and options Part 3: Router on a sick with GNS3 unmanaged built-in switch
David Bombal
GNS3 switching setup and options Part 4: Etherswitch Router for Cisco Dynamips Part 1
David Bombal
GNS3 switching setup and options Part 5: Etherswitch Router for Cisco Dynamips Part 2
David Bombal
GNS3 switching setup and options Part 6: Etherswitch, Wireshark, 802.1Q, InterVLAN routing
David Bombal
GNS3 Talks: Docker, Open vSwitch, SDN and OpenFlow Part 1: GNS3 Switching Part 7
David Bombal
GNS3 Talks: Docker, Open vSwitch, SDN and OpenFlow Part 2: GNS3 Switching Part 8
David Bombal
GNS3 Talks: Docker, Open vSwitch, SDN and OpenFlow Part 3: GNS3 Switching Part 9
David Bombal
GNS3 Talks: Docker, Open vSwitch, SDN and OpenFlow Part 4: GNS3 Switching Part 10
David Bombal
GNS3 Talks: Docker, Open vSwitch, SDN and OpenFlow Part 5: GNS3 Switching Part 11
David Bombal
GNS3 Nexus (NX-OSv) switch setup and configuration Part 1: GNS3 switching options Part 12
David Bombal
GNS3 Nexus (NX-OSv) switch setup and configuration Part 2: GNS3 switching options Part 13
David Bombal
GNS3 Talks: Docker, Open vSwitch, SDN and OpenFlow Part 6: GNS3 Switching Part 14
David Bombal
GNS3 Talks: Docker, Open vSwitch, SDN and OpenFlow Part 7: GNS3 Switching Part 15
David Bombal
GNS3 Cisco CSR 1000v setup and configuration Part 1: GNS3 NFV
David Bombal
GNS3 Cisco CSR 1000v setup and configuration Part 2: GNS3 NFV
David Bombal
GNS3 Talks: Use the NAT node to connect GNS3 to the Internet easily!
David Bombal
GNS3 Talks: GNS3 2.0 RC1 is now available
David Bombal
GNS3 Talks: GNS3 2.0 Portable Projects - easily export and import GNS3 projects
David Bombal
GNS3 Talks: Multiple clients sharing projects in real time, plus console session shadowing!
David Bombal
CCNA #035 NAT Troubleshooting Scenario 1 - Can you find the issue? CCNA Exam 200-125 troubleshooting
David Bombal
CCNA #036 NAT Troubleshooting Scenario 2 - Can you find the issue? CCNA Exam 200-125 troubleshooting
David Bombal
GNS3 Talks: ESXi, GNS3 VM and KVM support Part 1: leverage servers and the cloud
David Bombal
CCNA #037 OSPF Troubleshooting - can you find the issue? CCNA Exam 200-125 troubleshooting
David Bombal
GNS3 Talks: ESXi, GNS3 VM and KVM support Part 2: leverage servers and the cloud
David Bombal
CCNA #038 NAT Troubleshooting Scenario 3 - Can you find the issue? CCNA Exam 200-125 troubleshooting
David Bombal
CCNA #039 - OSPF DR, BR and DROTHER Election - do you know the answers?
David Bombal
CCNA #040 NAT Troubleshooting Scenario 4 - Can you find the issue? CCNA Exam 200-125 troubleshooting
David Bombal
GNS3 Talks: Arista vEOS GNS3 import and configuration Part 1
David Bombal
CCNA #041 - OSPF DR, BR and DROTHER Election - do you know the answers?
David Bombal
GNS3 Talks: Arista vEOS GNS3 import and configuration Part 2
David Bombal
GNS3 Talks: ipterm: Linux, Docker, Python, SDN and more! Part 1
David Bombal
More on: Security Basics
View skill →Related Reads
📰
📰
📰
📰
New Spirals Ransomware Demonstrates How Fast Modern Cyberattacks Can Escalate
Medium · Cybersecurity
How to Detect Malicious Traffic for Free
Medium · Programming
How to Detect Malicious Traffic for Free
Medium · DevOps
Career Opportunities After Completing a Cyber Security Diploma Course
Medium · Cybersecurity
Chapters (17)
Coming up
1:31
Disclaimer
1:57
Remi Solberg introduction & background
3:37
Jump to a timestamp (check in description below)
3:57
Simulated full-scale penetration test demo // Hacking Windows
5:12
OffSec Learn One discount!
6:22
Penetration test demo
9:38
Documentation & enumeration // Prepping for penetration test
23:25
Penetration test demo // Accessing users
30:10
Privilege escalation
37:44
Using ICACLS (Integrity Access Control Access List)
43:59
Privilege escalation (continued)
52:14
Getting around obstacles // Social engineering
53:23
Privilege escalation (continued)
57:19
Stealing credentials
59:11
Using Mimikatz tool // Kerberos and NTLM Authentication (theory)
1:07:33
Mimikatz to
🎓
Tutor Explanation
DeepCamp AI