Zero to Hero: Episode 10 - MS17-010/EternalBlue, GPP/cPasswords, and Kerberoasting

The Cyber Mentor · Beginner · 🔐 Cybersecurity · 7y ago

Key Takeaways

The video covers cybersecurity topics including MS17-010/EternalBlue, GPP/cPasswords, and Kerberoasting, using tools like nmap, Metasploit, and smbclient.

Full Transcript

what's up everybody so tonight we had some technical difficulties with hack the box we're having some issues getting you know pings coming back and in connection to the boxes when we do get connection to the boxes we had just just connects happening we eventually had a change VPN connections a couple times so what you're gonna see is a couple of hard cuts in videos I I did my best tonight to edit the video down to where it made the most logical sense as well as took out all the technical difficulties that we encountered so if you were a part of the livestream and you watched it live thanks for sticking with me you guys are awesome if you're catching it on the recording hopefully I did a good enough job to patch things up and you don't really notice the difficulties but if you do see some hard cuts just understand that we were having a lot of issues getting connection to hack the box so without further ado here is episode 10 part 3 of Active Directory exploitation all right it is 802 I am done stalling you guys don't have a lot of PowerPoint got a whole three slides for you press my handy-dandy new button boom alright so week 10 we are in the penultimate week next week is the last week so we've got some quick housekeeping tonight ad exploitation part 3 and QA AMA so I will talk about the ad exploitation real quick because I didn't really put it into what we're doing on the housekeeping we are gonna be covering tonight MMS 1701 0 very very popular exploit we're gonna be talking about Kerberos ting and we're also going to be talking about GPP and C passwords so I'll also cover a little bit of Metasploit will reinforce a lot of concepts that you've seen the last couple weeks and you're gonna just see more of the mindset of what I would do in a real internal penetration test so some housekeeping you saw behind me let me change the screen here I have Hugh lights in the background we're doing a test run this week subs only if you are a subscriber there are some special 
commands for you behind me that will allow you to change the color of my background now there is a two-minute timer on it but there is red blue green purple pink baby is baby blue and you can see the police is going off in the background for the subscriber but you can also do the police and the RGB as well so thanks for thanks deadly for the the sub I appreciate that so yeah I keep that in mind if you guys want to play at the colors while I'm talking you're more than welcome to play at the colors other than that let me take this off so there is no stream next Wednesday May 29th I will not be here again I will not be here so last stream the last stream is May 28th we're gonna be covering file transfers maintaining access pivoting and cleanup and then the second half of the night we're gonna be talking about the boring stuff which is legal documents you can need to know about and reporting will cover what a pen test report looks like and what what are some good resource for resources for building a pen test report so the important stuff to know other than that tonight's lesson is going to take probably an hour we don't have a lot on our plates so just sit back and relax and enjoy this final ad lesson and then we'll take it easy tonight and then next week if you guys want to come up for something next week I don't know what I'm thinking yet but maybe we could do some kind of drinking game or something fun that we can talk about in the discord but if you come up with something fun I'll I'll play along with you guys since it's the last week well we'll do something fun other than that let's go ahead and just dive right in so I am on hack the box right here I am on the tab if you go over the left side I clicked on retired and now you can see that last week I asked you to vote for blue which you did thank you and I asked you to vote for active which you did thank you I've gone ahead and just recently reset both machines on my network if you are on VIP you're gonna be able 
to follow along if you're not you're just gonna have to watch so with VIP there are different segments of the VPN so hopefully my resetting of the box is on a different segment of yours but you can see i reset active 12 minutes ago and blue is reset 17 minutes ago so for time-saving purpose is what we're gonna do is we're going to scan both of these and then we're gonna work on blue first and then work on active second so let's go ahead and just get our scans kicked off I'm gonna open up two new tabs here and get these blown up and then we are just gonna end map these suckers and blue sits at 1010 10.40 and active is at 100 ah IP is down nice so I've been having issues with active today being consistently up or down and it looks like looks like blue is down as well so we may have to give it a second may have to toggle connection hopefully you're having a little bit better luck than I'm having let me toggle my connection here alright so if you recall last time we said I gave you this link I've been giving this link throughout the course right and it's been the top five ways I got domain admin on your internal network before lunch we've talked about LLM in our poisoning and NetBIOS poisoning we talked about relay attacks we keep scrolling okay ms 1701 zero that's what we're gonna be talking about next this is what blue is about if you see it deals with eternal blue eternal champion turtle romance etc this was the shadow brokers exploit that was stolen from the NSA I believe and turned in to things like the wanna cry exploit the ransomware basically it's just a very very you know nasty exploit that transverses your system and this is one of those those things that sit out there unpatched on a lot of networks a mostly internal right if you see this on the external and it hasn't been exploited yet very unlikely but internal networks leave this all the time think about a machine that's running some sort of legacy software that can't be updated off of you know certain 
Windows version people are just lazy on their patching for whatever the reason this is still sitting out there and a lot of networks so let's see we're at ninety nine point nine nine so we're gonna review the scan and see not only not only what we're going to be X flooding but we'll talk about what we would see just from a pentester point of view what is interesting to us with this scan if you want to pull up I've also got the security bulletins here for ms 1701 zero if you scroll through it you know talks about that it's an SMB exploit talks about all the operating systems that are vulnerable it's pretty much most of them the initial exploit thing that came through or for like Windows 7 in Windows 2012 there's certain service packs that are exploitable like service pack 1 and you you start you know looking through these and you see oh windows 7 service pack 1 that is you know that's interesting maybe I should see if eternal blue or MS 1701 zeros on that right and use same thing with like Windows 8 or Windows 2012 I think it's r2 you you look through these and you say yeah see r2 on here and you just want to know you know what you can exploit so I'll show you how to confirm before we actually run an exploit that it might be vulnerable and what steps we're gonna need to take as well this thing really likes to sit at 99 let's see we're at over here as well 17 percent somebody asks how does it get infected if it's not exposed internally so the big way that the ransomware gets in is typically through fishing so if we're talking like wanna cry I've experienced wanna cry firsthand as a as a helpdesk person that was fun so I mean you you basically anybody who opens a malicious file that file is gonna download on the computer and then it's gonna start searching through the network right it's gonna look for SMB open if SMP is open it's gonna try to navigate to other computers through the network and exploit as many as it can it'll start encrypting the files and you know 
that's how you get ransomware so it can self a navigate through a network and that's in terms of infection that's one way of doing it if we're talking an internal penetration test as long as you're on the network regardless of how we got on so we've been assuming internal network access for three weeks now so regardless of how you're in the network these are one of the easiest machines to to drop let's see what it came back with this really didn't do a good job your scan is likely gonna look way different than my skin is typically when I've scanned this before and run this before it gives us quite a bit of information on on what's behind not only port 139 in port 45 but it'll say what service type we're running it'll say you know it even tells us to think the name yeah like Harris PC you would see more than that for some reason it's picking up that like there's a for de NAT firewall I don't know what's going on with a hack the Box tonight but this is all this is probably not gonna happen to you I'm just getting unlucky so typically we have some script results down here that'll tell us a little bit more also the information that it picks up it should be picking up some sort of Windows information in terms of OS the SMB is gonna tell that out so really that's we're going to look at there's another thing on here - where SMB was unsigned if you see that that's obviously a finding because you can do relay attacks like we talked about last week unfortunately it's not it's not working out for us so what we're gonna do is we're going to pretend that we saw the scan and the scan came back with some information and we have deduced that there may be a potential exploit here so one of the things you should do and if you're running nessus neces this is going to do this for you but you should always do this anyway just as a backup check is if you see SMB open on a network you should be checking to see if is exploitable or at least potentially vulnerable to MS 1701 zero this is 
like I said one of the most common and easiest attacks in order to get system okay so here is the script we ran and map - P n 4 4 4 5 here's script and then it spits out hey looks like it's vulnerable to this remote code execution right and if we were to rescan we would probably see more of the in map this time around and we do we get it back our hey we actually got back our scan for active as well cool so we've got this scan here saying it's vulnerable so at this point if we're a pen tester we've got a couple options depending on what the what the client has told us right if the client says hey you have free rein go ahead do whatever you want or if the client says hey you know what before you run any crazy exploits please let me know because an exploit like this may actually take down a system it may mess things up depending on what the systems doing at the system some sort of critical infrastructure where it can't go down you might not want to run the exploit right so it's important to know on these these rce exploits that you're probably better off being safe than sorry and you don't want to take something down that's critical and have a client pissed off at you so you call the client up the client says ok fire away and that's kind of where we're at here with this exploit so if we come in and we say let's go back into medicine lake and I don't think I'm thinking guys this stream is not gonna make it to the live cut so what we're gonna do I'm probably just going to piece together a couple of my old streams did I have on these topics and throw them in as a as they you should have been there for the live [ __ ] show and we'll we'll just call this a special night so we've got MSF five all right let's say search ms 17 zero and zero and we are looking for exploit windows SMB MS 17 0 1 0 eternal blue right here so you just copy this bad boy and paste it we're gonna set the our host to 10 10 10 dot 40 and then we are gonna run this now a couple things to note first 
thing note is this might not work on the first try or the second try it might take a few tries to actually work you know this is very very tricky exploit to get running of course it runs on the first time gets us win next thing to note it puts us right into a command shell so if you are a meterpreter fanboy like I am this is not the best situation we can approve upon this right so this is just a generic payload we can say Who am I and it puts us in as authority system which is great but let's control C out of this and just say yes and let's say options again this time we can see the payload option says generic shell reverse TCP and we're just gonna say how about we say show payloads and see what's available to us we've got 43 payloads but I'm gonna use a windows 64-bit meterpreter so let's just say set payload windows 64 meterpreter and then let's just double tab just our options reverse TCP is probably the best bet here always good to double-check our options as well once we set the payload we want to make sure that our l host is still holding true our L port is also still holding true sometimes it resets these down to nothing or if you've got an exploit running which is sometimes the case already on a port it might default to this 4 4 4 4 and you might want to set it to something else all right so now let's go ahead and run this again let's see if we get lucky twice in a row on the first fire and sometimes we can crash the machine especially there's a bunch of us in the same network doing this fingers crossed that we don't do that and we may fail our first one here so we failed the first one that's okay it's gonna try again with different groom allocations and see if it works is there still an ama there's still an ama all right we got a session so this is a two-point concept prove both of my points don't worry if it fails you might even get it failing three times through you might need to rerun it again so rerun it a couple of times to make sure that it's a false 
positive and is failing and also second point here is we can always improve our shellcode on these 64-bit machines so now we've gotten retur pradesh l we say sis info on this alright we've got the 64-bit meterpreter we've got the 64-bit architecture perfect and now we can also look around one of my favorite things to do is to say hash dump okay we just dumped the hashes for the administrator and the harris account so like we talked about last week I would take these hashes and try to pass them around right we can use crack map exec we can try with PS exec in the network to see if we can get in anywhere so definitely definitely critical one of the you know first experiences I had on a pen test with with eternal blue was getting a hash dump like this and then passing the administrator hash and getting access to pretty much every machine because they were cloning machines so it's always worth trying crack map exec and passing the hashes around like we did last week to see where you have access to of course we can shell into this and we can look around the file system you know we could say we could CD to whoever users and then Seder and see who's in here okay administrators in here who does administrator what do they have on their folders right we'd say they're okay with maybe go to the documents you know you'll come up with with ways to search for sensitive files and have keywords and stuff like that but these are the things you're looking for like what can I find on the system what kind of access do I have you want to see you know who it's talking to what the ARP table looks like of course there's not going to be another one in this network that's chained to but you want to see that through the art you want to say route print and see what the routing table looks like Nets that's another good one to look at so if we go that's that - you know we can look at all the connections that are coming in and going out right so we talked about it a little bit last week about 
dual homed two machines for example if this PC for some reason had two Nicks and one NIC was sitting on a 10.10 dot ten network and the other one was sitting on 10th and 11th for example we might be able to see that the 10.10 data Levin is talking into a whole different network that we had no access to and we're gonna talk about that in more depth next week when we talk about pivoting so that's a pivoting situation where we want to go into a you know a different network how do we investigate these higher ports so these higher ports if you look at what we're doing like the four four four four here those are established from us connecting so we opened a portal there and these other ones who's to say what they are we'd have to see you see a lot of high ports like this going out of like four four three and other you know like Internet address is these could be other people shells for all we know they may have just put in like other you know it's hard to say without being able to to go into the machine so we want to look at those things of course control see we can load some extra modules as well we can load incognito which is my favorite and we just say list tokens - you for user okay and if we're on a domain network we may catch a domain administrator who had logged into this account remember we talked about the tokens and how they worked last week obviously there's no domain account here to login to because we're not doing that but something to look for if we're using 64-bit architecture we can load Kiwi Kiwis awesome one of the best commands is creds all again we talked about this last week no creds here but we type in help there's more than just the creds all we can talk creds Kerberos golden ticket attacks come through this we could do Wi-Fi list that there was Wi-Fi profiles so there's a lot of things that we can we can get just off of Kiwi so these are some things to look for things we've talked about it should all be coming together right this is just a very 
very simple exploit but the post exploitation is really the most important like we we own this machine in two seconds and there's a reason it's on the top five lists like I said it's on most major networks since we owned it so fast we need to be able to make sure we enumerate around everywhere right we're looking for sensitive files those hashes work in those hashes lead us can't we impersonate a domain admin what kind of net commands can we get access to etc so every little computer has a piece to play in the final picture it's just seeing how that piece fits into the puzzle what's the difference between me me cats and Kiwi Kiwi is a 32-bit right so if we say load or sorry me me cats is 32-bit me me cats it's gonna say hey you're loading on to newer architecture right OS so we want to actually use it on some older architecture kiwis the newer and better me me cats alright so we're gonna call this one a day this one was just gonna be a 20 minute box that's turned into 45 minutes again I'm very sorry guys even I struggle you know so let's go ahead and kill this one and let's go ahead and talk about the results from this machine here called active now active is one of the favorite boxes I have encountered in the hack the box labs because it is realistic it's very realistic so if we look at it there are some signs that what we are up against is likely a domain controller you can see that it's running DNS it's got Kerberos which is an authentication system we've got 139 open we've got LDAP up and for Active Directory right that should be a pretty big sign that we're running a domain and the domain here is active htb we can go through all the ports here it's very very similar that like I said up a domain controller so when we see this we look down here SMB and common to domain controllers SMB signing is enabled and required most of the SMB relay or the ntlm relay is done other than domain controllers sometimes you're lucky and it's turned off but Microsoft got smart and 
enabled that for Windows Server I don't even know what versions on word but it's as of late been running this just fine so this looks like 2008 so god knows how long it's been doing that and other things that we could look at right if we we can maybe dump LDAP information that's a little bit more advanced and outside of the scope I've seen that done and some hack the box without credentials but typically you're not going to have access to that without credentials but that's something to think about and to study like if you get this box back on an assessment and say for example it's the only box you're gonna want to look through each single one of these ports and say what's interesting to me right the first thing that's always interesting and in my behalf is always 4 4 5 and 139 because the more time you spend in pen testing the more time you have to realize that SMB is behind a ton of exploits so do note that looks like they may have some sort of HTTP API going on I would investigate everything that says it's open and probably not TCP wrapped so definitely worth looking into so here first thing we're gonna look into is going to be 4 4 5 so we're gonna do is I'm going to go in and use a tool called SMB client so it's gonna look something like this we're just gonna say SMB client we're gonna do - el I think it stands for list don't ask me what it stands for I don't really know and we're gonna list out the contents of the directory it's gonna ask for a password we're gonna try hitting Enter and it says anonymous log and successful this is a finding so this finding is that we shouldn't have an animus login right you shouldn't know what sort of SMB shares are out there so we've got these these shares here we're able to see those we would absolutely list this on our report now what we can do with these shares depends on how critical you know this finding becomes right now it's just a low finding close up the anonymous login so from here we'd want to see what folders we 
can actually connect to now the juiciest folders might be something like the C share or the remote admin we can see if we can connect to those folders so they're connect to a folder are we just say SMB client we do the character escaping just like I'm doing here and we'll just say something like admin dollar sign and try to connect hit enter and then says access denied even though we have anonymous logging successful so imma cheat a little bit and tell you that the one that works here is the replication folder we hit enter enter again we are successful okay so we have an SMB login here we are in this replication folder now if we type help we can see a full list of commands of what we can do it's very very similar to Linux we can say LS and see what's in here okay it looks like there's a folder called active htb we could say CD active HT v LS again okay policies scripts DFS are private and it's called replication so it looks like it's probably a backup of something right and a backup of what who knows but we can figure that out for ourselves let's CD back a share instead of digging through all these files there's an easier way to do this so let's just say we want to download all the files and folders that are here what we're gonna want to do that with something called M get but before we just do an M get we're gonna say recurse on because we want to download all the folders recursively and to save some time we're just going to turn off prompts so we're just gonna say prompt off and now all we have to say is M get with an asterisks like this and it's gonna start downloading stuff okay and we only grabbed like 8 files here if we look through the files that were grabbing looks like we grabbed GPT 2 ini GPE 2i and I a dot INF file and then I see ok I see this groups XML this is something that is really well known to me and this is something that is likely going be paydirt for us so let's explore what's in the group's XML and then we'll talk about why it's so relevant so 
I'm just gonna say by ok I guess there's no by here just ctrl C if we LS in this folder or we say CD I think should just be active it should have the same folder structure so we say active policies actually this would probably better to just do in a GUI form documents downloads active and we say it was policies policies 3 1b machine preferences groups and then we open up this group's that XML okay so it might be a little hard to see so let's talk about what this GPP is this groups XML is so groups dot XML is related to something called GPP it's also group policy preferences is what it stands for an easy way to remember this on a pen test if you ever listen to rap there's a song called are you down with OPP well just think to yourself are you download GPP and make sure that you search for GPP right so you've got this group policy preferences and what it did was it allowed domain admins to create domain policies using embedded credentials right so the credentials are right here in this file you see username active htb and then we've got services TGS here just take a granting service and we'll talk about the ticket granting services here in a second and then you see this thing called the C password this is what we're after and there's actually a great article by rapid7 that I've got up here it's called pen testing the real-world Group Policy pwnage it talks a little bit about GPP and what it does probably better than words I can put it in two but basically you were able to store the username pass when you created it right for for an account to do some sort of action and say file-sharing or whatever it is through group policy this was up until a few years ago so these key is just stored in the sysvol folder right and what you can do is there is actually a Metasploit module which i want to show you we won't use it tonight because we have no need we've already got the file but I run this on every single internal assessment and you would not believe how many times the C 
password or the GP P it just shows right up so if you search GP p does the groups that XML file exists on an active domain it exists on some active domains this is for all their domains but sometimes even when they migrate they leave that file in there and we're gonna talk about that too so if you see the post windows gather credentials so as long as we have some sort of access on a session we could say use post windows gather credentials GPP look at the options so we need a session right it could be a PS exec whatever session we get once we have a session we can run this we may be able to get the domain administrator password just from this so very very important to try to run this on any any internal assessment that you can so another thing to note though we have set this up in the past for clients as what's called a canary account basically what we're doing is we put in an account that has a GP PE or C password and it's never been used but it is sitting there as a honeypot right so when an attackers in your network and they're looking for this low-hanging fruit because GPP is low-hanging fruit we say okay they find the file they see the username credentials and as soon as those username credentials get activated then we know an attackers on the network right so just because this is low-hanging fruit your competition might be using it as bait so always think about that as well but typically on pen test it's something that we'd grab right away okay so let's talk about how we can exploit what we just found so let's open up this file we've got the C password here I want you guys if you're following along to copy the C password and what we're gonna do is say GPP decrypt it's built into Kali and then we should just be able to paste this password here we get a warning but don't worry about it the cipher is deprecated so what we're gonna do is we're just gonna copy this and we are going to let's just paste it somewhere that we can have it right okay so what this means 
now is we have a account we've got this domain here active htb we've got this service ticket granting service account here so what can we do with this well we can use again crack map exec try to push it around right see see what we can do with it we can try to go back into the SMB client try to log in with this account and see if we can get into admin folder you know I could use PS exec on this machine that was the first thing I tried when I did active was to say okay does this have access to to the share folder and administrative privilege so I try PS exact PS exec doesn't work either but be thinking about the same process for everything you're doing so PS exec you know crack map exec etc whatever we can do with these credentials we're gonna try to get in anywhere and everywhere that we can well we're in a one box network right now so another tactic that we're gonna talk about and tactic number four on this list is Kerberos sting so we are going to talk over roasting let me minimize everything and bring out my handy-dandy pen so I can explain this as best as I can there's probably going to be somebody out there who is a domain guru and going to correct me on this because you people like to correct me all the time when I say something wrong so sorry in advanced if I if I miss misquote this right so let's talk about my best interpretation of what Kerberos thing is and before we can do that let's talk about Kerberos so Kerberos is just an authentication protocol right it uses tickets so it's using tickets as a form of communication and authentication so let's assume a situation and this is how it typically is that is a huge [ __ ] thing all right let's clear that let's try that again all right we've got this machine here this is our server our server is also considered a KDC right it's a key distribution center because we're giving out keys all right we also have another computer here we'll just call that the client right so we've got the client in the server well 
let's say the server or the client wants to authenticate right so it's gonna come to the server and it's gonna say hey server you got those tickets can I get a ticket it's gonna ask for a TGT a ticket granting ticket now the server is gonna check the credentials and if the credentials are good it's gonna send back over encryption which is called TGS ticket granting service is going to encrypt a secret key remember key distribution center it's going to send back a secret key that gets stored on the client so this client has the ticket stored here until the ticket expires now let's add a pawn to this story let's say that there is a service that we want to connect to right come down here we'll just call this service and the service can be whatever we want can be sequel can be anti virus you name it but let's just call this a sequel service ok services have what we call SPNs these are service principle names so to connect as a client we need to ask for permission to connect to the service we need to know we say hey ESPN I've got my ticket I'm going to take this and can I can I please connect to this sequel service and we get a session key back from the server if we have the credentials right or the ticket at least to connect so the thing to know about Kerberos tting is that with any valid ticket or TGT we can request for a TGS ticket for this SPN so lots of acronyms right if you're military former military you're probably following along just fine but there is a lot of little letters here just know that if we have a valid ticket we can request via the SPN here at least to attempt to get a TGS right so we're gonna see what that looks like there's actually a tool that does that for us how did I do you domain people did I do okay all right let's pull this back up and this is part of the impact it the impact right the whole thing we've been using this entire time what we installed in the beginning I told you would be important this toolkit so impact it is awesome so let's 
go ahead and locate what we're gonna be running. It's called GetUserSPNs. You see we have a few; the one we installed when getting the course was the /opt impacket, I'm gonna use that one. So I'm gonna cd to /opt/impacket/examples. All right, so now we ls, there's a bunch of stuff in here, but we're going to be using that GetUserSPNs.py. We're just gonna say python GetUserSPNs.py. All right, first things first we need the account. The account was active.htb and it was service ticket granting service, right? Next we need to say -dc-ip, we need to know the IP of the domain controller, well lucky for us this is the domain controller. And last we need to request the ticket, so we're gonna request the ticket. Ah, we need a password, so we come back in here, we copy this guy, we paste, and we get this wonderful thing back here. So we see that we have captured something here for the administrator, right? We've got this long hash and it's a krb5tgs. So what can we do with this? Well, we can take this offline and try to crack it and see what happens, and we're gonna do just that. So have your handy-dandy hashcats ready, I'm going to load mine up now, give me one second as I am NOT as prepared as you guys are. Okay, so then I run hashcat, we're gonna say --help, we are looking for krb5, which is 13100 if I am not mistaken. Here you go, it's under network protocols, 13100, Kerberos 5 TGS. Okay, so we know our module is 13100. If you've been following along week to week you should know how to run hashcat now, right? hashcat64, we're gonna do a module of 13100, I named this file kerberos.txt and all I did was copy this entire line all the way down to the end and put it into a file. I'm gonna run this through rockyou. I've got a brand new 2080 Ti that we're gonna push this through, I haven't actually run any hash cracking on it yet, so let's just hit enter and see what happens. And it took us not that long at all, so we went through, where is it, 77% of the list, rockyou's 14
million passwords long, so that's pretty good. All right, so it's cracked, you can see that it's cracked. Ticketmaster1968 is the credential, so we're gonna take that and I'm going to paste it in here. Okay, and now let's load up Metasploit, we actually have it loaded, and what we're gonna do is we're just gonna search for psexec. We're gonna use exploit/windows/smb/psexec, it's number 11 on my screen if you don't see it. Let's talk options. Okay, so we've got SMBDomain, remember that is active.htb, SMBUser is administrator, SMBPass is that Ticketmaster pass. It'd be helpful if I hit the word set in front of that. Let's try running it and see if we get lucky. I'm kind of indifferent on the, I never said it in our house, sorry guys. All right, let's try again, see if we get lucky. Okay, so it's selected PowerShell, let's look at our targets. So we're on automatic, let's try a native upload instead. So we see that we authenticated, we uploaded a payload, it's creating, it's deleting, and it's hanging. Let's try target three, might have to go back to target two and pray. Oh, my LHOST is not good. Good, good job on that one. So as pointed out, thank you very much, the LHOST got pointed to my machine and not the Kali machine or the IP address that's here. So let's set the LHOST, and if yours did that also, set yours. I think mine's 36, oh no, it's 21 now. All right, so set target back to two and run again. There we go, thank you techno bro. All right, so we've got a shell. sysinfo on the shell: 64-bit, meterpreter 64-bit architecture. getuid: we are NT AUTHORITY\SYSTEM, we have full access on this PC. Again, same concept here, right? We would load incognito, list tokens, see what tokens are out there, we would do a hashdump, dump the hashes, pass them around, see what information we can get from that. This is one of the more realistic boxes, like I said, in terms of teaching you two common internal tactics. Kerberoasting is obviously one of the more common that's gonna lead you somewhere, but GPP cPassword is something you
should be checking on pretty much every assessment, because that does lead to easy wins. You would be surprised how many companies have their passwords stored, or even if they've migrated or updated, somewhat, an older password that is similar to what their current password is. So any password that you can get is absolutely relevant. So with that being said, and this stream being all kinds of screwed up, we still finished 11 minutes past schedule, so that's not terrible. I am going to change my screen over to IRL and we can talk shop for as long as you guys want to, probably hard stop at 10, but that is it for Active Directory. I don't think this video is going to be making it on to the YouTubes. So Groups.xml was patched in 2014 I believe, so it depends if it's patched, but 2012 R2, you wouldn't see it in 2016, but you see a lot of 2012, you see a lot of 2008, so GPP is still very common. Was I running Windows command prompt? No, I was running it off my computer, so I run my hashcat, sorry I'm losing my mind, I run my hashcat off of the graphics card. I cannot run it off the VM even with --force, my CPU is too new I guess, it's not even compatible. So yeah, I might cut it off or edit it, I have to figure out what I'm gonna do with it, that was just a mess, absolute mess. Do I still think that the OSCP is the go-to in terms of HR related certs? Sitting the eCPPT, both debating more eLearnSecurity certs. I think that the OSCP is the HR gatekeeper, I think that eLearnSecurity is way more relevant, so if you want to spend the time and the money to get past HR, I think it's probably worth the $1200 investment or whatever it costs. You're gonna learn way more in eLearnSecurity. Your wife says I'm sympathetic, I don't know if I'd go that far, but I appreciate that. What type of credentials are good for entry-level pentesting jobs, the outside world plenty, for a military exit in a couple years? I mean, it's not necessarily credentials, but if you could start
working on certs now, that'll definitely help, just the more knowledge the better. You maybe even talk to Jeff, so cyber dude Jeff is exiting the military here in the next year or two, and he's been, you know, self studying, following along to these sorts of things, working towards internships, etc. So if you're not part of VetSec, check out VetSec at vetsec dot com slash slack. There's a group of us, about five hundred, almost six hundred now, that are all focused on cybersecurity and are ex or current military. So you may have come from there, I don't know, but worth looking into as well. Does Metasploit leave remnants or write to disk on targets? So you saw Metasploit try to clean itself up when we just ran it. It does its best to not leave remnants, or not really remnants I should say, but it's not always a guarantee, right? Let me switch back, so you see here we uploaded the payload, created it, and then it deletes the payload. Sometimes it doesn't delete this payload, sometimes it tries and it fails, and there's always little bits and pieces of you left behind. If you say ps, like you're in here, we exploited something, right, to gain access, so you're tied into one of these system services, you have your parent PID that you're tied to somewhere, but there's always forensics etc. that you leave behind in logs or whatnot. It does its best to clean up but it isn't perfect clean up. If you're getting errors on the GetUserSPNs part of impacket, purge impacket, we talked about it in video 1. If you did do that I have no idea what's going on, but purge the Kali impacket, go download impacket, install it off of GitHub, it's literally pip install period or something like that once you download it, so it's pretty straightforward. OSCP or eJPT for bug bounty hunters? I would say neither for bug bounty hunting, you would be looking at like their WAPT course, web application penetration testing, or the WAPTX, the extreme
version of that. I wouldn't say, I mean, unless you're doing bug bounty on hosts, then that'll be useful, like the eJPT or whatever, to start out with, but you're better off just reading, you know, bug bounty write-ups and studying web app, because that's mostly what bug bounties are. I don't know if there's a way to pass the Kerberos hash, there may be, not that I've come across. Police. So Veta, we clean up as best as we can, we'll talk about cleaning up next week, what we can do to clean up. So you're one week ahead of me, yes. Is it better to start on externals than internals? Absolutely, externals are like what you're gonna see doing Hack The Box or OSCP or any of that stuff, it's all enumeration and then just trying out ways to exploit, thinking outside the box. Internals are more about technique and attack types. So you saw, if you're following along with this course, you saw we didn't spend that much time on externals, we spent it on internal. External, I can only show you so many tools, the rest of it's gonna be on you to do the research, right? So I can say, hey, look at this, you want to dig into this, this, this, and this, but it's up to you to do the googling and researching and trying out the exploitation. But the internal, we've got so many things to look for, so many different techniques, it's way easier to spend a lot more time on. Just play Hacknet and remove the logs, yeah. Guys, we're stuck in police mode right now. Matt, advice if you're working at a Fortune 500 and trying to get on the pentesting team, I'm gonna be here another three years? If you're gonna be doing internals first then start studying internals, learn as much as you can. There's some red team labs out there, we covered last week a bunch of resources for internal pentesting, so go look for that stuff and start studying. Any experience with Rapid7? I haven't encountered a lot of Rapid7, we tried to set it up for just doing like a dummy SOC assessment, but we ended up going a different direction because the company
wasn't using Rapid7 anyway, and they got really annoying with their sales. I agree, purple is the best background color. How many guesses per second? I don't, um, we can see if we could figure that out. So, I mean, hold on, we did what here? It took one second to run through 11 million passwords, that's pretty good if I'm reading that correctly, one second, 8525 kH/s. Hey, it was a business expense, I had to buy it guys, I had to buy it. Honestly though, I was telling you guys last week, I had a 1080 Ti that I bought used and every time I powered on a game or anything it would just shake, the whole system would shake, so I RMA'd it cuz it's still under warranty, but the RMA policy for MSI is twenty to thirty-five business days and they don't pay for shipping, so I spent twenty dollars, had to do my own box, everything, ship it out, and then I'm not gonna see it for probably two more months. So I wasn't gonna run on a 970, I just decided a 2080 is gonna be good for a business expense, need it for a hash cracking rig or something, right? I kept the receipt, let's say that. Have I had to use the FireEye Commando VM on an engagement yet? I haven't, I have switched to using Burp Suite on Windows as opposed to using it in my Kali box. I would not be opposed to trying the Commando, so if you actually wanted to do a video or a livestream on the Commando suite and just see if it's cool or not, maybe that's something we can do here after Zero to Hero, play around with it, because I have not had the chance to touch it yet. Is there a bug bounty for AD or internal? I haven't seen one, so I have seen some programs that, like Synack, will allow you to do pentests on like a contract basis, this is just for, at least as far as I know, the U.S.
I don't know if they do it outside the US, but you can for certain projects, they'll say hey, we need somebody in this location or to fly to this location and do a pentest, so that's more of an hourly rate, but they are a bug bounty company. So I haven't seen many internals, typically I see external, I see mostly web app, but there's mobile, so it just depends. Can I talk about becoming an entrepreneur? Oh hey, I missed this one, sorry. Thanks Pete, I appreciate that. Do I ever use PowerShell in assessments? I do not, I'm trying to get better at that because everybody says it's the way to go. So I've got, not the red team lab, the Active Directory labs that have some PowerShell commands in them, I'm running through that, and I'm running through PTX, I've got to finish my web app course though before I can get into that. So for most assessments you don't need it, when you start getting advanced into red team stuff you're definitely gonna need it, because it's more about querying instead of like knocking on the front door, if that makes sense, you're gonna make less noise. So things to think about. Night Jeff. All right, talk about becoming an entrepreneur in cybersec, what do you want to know specifically and I will talk about it, you tell me and we'll talk. Have I done any Bluetooth radio captures for Bluetooth keyboards? I have not. Are you talking like bluejacking? I haven't done any Bluetooth anything, I would actually like to learn that, I like wireless a lot, it'd be pretty cool, maybe we can do a bluejacking video, I can learn how to do it and put it together. How would you go about starting your own consulting product company? Do your research obviously, if we're assuming that you already have the talent, the next step is to, you know, do the research on everything that you're gonna need done. I could bring up my spreadsheet again, we can talk about it. So I don't actually know what half, some of these numbers I wrote down, I don't know what they mean anymore. All right,
so I'll tell you some of my examples, and this is a repeat from last week, so people who watched this last week, I'm sorry. All right, so you need to know how many funds that you have saved up, right, and what your monthly expenses are gonna be. Are you gonna be doing this while working a job, are you not? This is assuming not working a job at all, right? So I have about five months until I go broke without earning any single penny. Before going broke, I do have a couple credit cards, one obviously is better than the other because it has lower interest by a lot, so I've got a $22,000 credit card that if I absolutely needed to cash out on or do whatever, you know, I could use that and push this number up higher. You have to consider some things, like I've got my salary that I get, right, on base, but there's a couple other things I also get. There's a 401k match that I'll be losing money on. Health insurance, this is actually kind of cheap because I anticipated going on my wife's insurance, typically health insurance is about three to four hundred dollars a month, so anywhere from thirty-six hundred to forty-eight hundred dollars a year. Liability insurance, I've got a seven twenty, I don't know if that's actually accurate, it might be a little more, because you want this errors and omissions insurance to cover your ass in case you screw up, probably at least a million dollars is what I've been hearing. I haven't purchased this yet, I'm about to start 1099ing here shortly, so I'm gonna need my own personal liability insurance and I'll need a company liability insurance. I'm gonna be a cheapskate and not buy this until I have a client to actually work on. The other important thing to know is that Social Security, your company likely covers half of your Social Security costs, when that goes away the first, I don't know, a hundred and something thousand dollars is taxed at full rate I believe. Whatever calculation I did here, I'm looking at somewhere around 10 grand extra that my company wasn't paying for, or
was paying for, that I'll have to be paying for on top of that. For a pentester you need a Nessus license, you need Burp Suite, a website, annual cost, email, and this is gonna go up, this is per user, I'm going to at least two users. Utilities, mileage, phone, I include that in my expenses for now, eventually this will have to get broken down into more costs, but they weren't really included in my salary estimate, so I'm not going to include those either. Web design is a sunk cost, I paid for somebody to do the website design. Business registration, legal, that's a sunk cost as well, it's a one-time thing. On top of that, so I've got my salary equivalent, business expenses, sunk cost, it's about 165, it's probably closer to 170 because I don't have hardware included yet, I don't have, yeah, I don't have my hardware that I'm gonna be doing, so laptops or servers that I'm gonna have to buy, you know. So this number is probably closer to 170, especially with the unknown errors and omissions, and you have to think about marketing costs that you have to do as well. So there's that. I think I just bought business cards, I've been putting it into accounting, what else do I have in accounting? I've got filing, I spent 136 bucks on a logo that I haven't put in there, I have Adobe Systems for my PDF whatever that I pay monthly, business cards I do put in here, I spent 50 bucks, I figure I'll spend $50 a year if I hand them out, I got 500. I've still got liability insurance over here at $60 a month, I really do think it's gonna be more than that, so that was personal, I'm sure as a corporate it's gonna be more. To-do, what do I have, this has already answered all this, so I was, needed website branding, did that, insurance, did that. Things I need to know: payment terms, so how are they gonna pay, or is it typically a net 30, that's usually how it is. You typically bill a client as soon as they sign an agreement with you saying you're gonna do the work, you bill them for half the work and then you bill them for the second half of the
work when it's done. You might do something like a 2/10 net 30, so if they pay within 10 days, like it's due within 30 days, but if they pay within 10 days in cash then you'll give them a 2 percent discount on the total price. That's just an incentive to get a company to pay sooner, right? I didn't know at first if I wanted to do an LLC or an S Corp, that's things that you're gonna have to research. You're gonna have to know your pricing structure, what are your competitors pricing, how can you beat them, what's gonna differentiate you from a competitor. I need a bank account, still haven't done that, and then I have all the documents I need to run through. A lot of this is still similar, but there's just like sales documents you need to know, like a nondisclosure agreement. What's your pre-call plan gonna look like when you're talking to somebody? Do you have a master service agreement? Are you gonna have a statement of work? Is there a questionnaire for them to fill out about their infrastructure? Do I have a sample report that I can send them? Recommendation letters. Again, I need a pricing spreadsheet, even if it's for myself. Before I start a pentest or a gig you need like a work breakdown structure that's gonna say, hey, this is the amount of hours I'm gonna allocate to each job, this is my bill rate, this is how much I should earn on this. Of course you need an RoE, this is things we're going to talk about next week, but like an RoE to actually be able to engage the client, so that's important. And then I've got all different types of pentest reports and compliance and all these other things I don't know if I'm gonna do or not, definitely pentesting, I'm not sure on compliance yet. Here's that 2/10 net 30 on the billing, and the invoice, you need to have an invoice as well. So there's a lot that goes into it and there's stuff I'm probably still missing, but you know, you kind of learn as you go and you just keep doing your research. Think about how you're gonna supplement income,
right, where's the money gonna come through when you don't have clients, because like this is gonna take time to build up SEO and get a blog going, get my name out there, get traction with Google advertising or whatever it is. So what am I gonna do in the meantime? It's gonna be bug bounty hunting, 1099 work, you know, etc. So street corner, yeah, street corner is a good suggestion too. So things to think about, hopefully that answered your question. Okay, going back, what does my computer setup look like, do you use multiple computers with different OSes that are connected, or just one? My computer is just one big rig that I run lots of VMs off of, for what it's worth. So mostly, I have a laptop that I run VMs off of too, but I hardly ever boot that anymore, use some of my main work computer, but typically I'm running off of this. The computer is not a laptop at all. Have you done anything sniffing mobile networks or other RFID signals? The only RFID hacking I've done is with a Boscloner. You've never seen a Boscloner? It basically clones an RFID badge and you can use it, straightforward as I can say, you have a mobile app for it, you get close enough to somebody, you clone their badge, and then you're able to go produce one later on and use it. How do you find talent to work along with you in the beginning, do you recommend working for a company X amount of years? So in terms of finding talent to work with you, that just comes with, you know, with industry, so there, I wish that I could have had a partner to come with, you know, it takes some of the risk off your back, it helps, but that doesn't mean to say that you can't have friends who are in the industry that come with you to meetings just as, like, representation. You can pay them to come to meetings, you can pay them to, if you've got a big enough pentest, you can pay them as 1099s or whatever to help you do work. So you can leverage people in other ways even if you don't have
one to leverage for your business. But if you're going to leverage somebody for your business, you should know who they are, can you get along with them, can you get along with them in a business setting, and how do you guys counter each other? If you're both the same person it's not gonna work out, but like if somebody's really, sale, or good at sales and somebody's really good on the technical side, maybe it'll work out, so you need somebody that complements you as well. So in terms of working for X amount of years for a company, I don't think that's important. There's, I've said this before, but there's like this pay-your-dues mentality, and I found a lot of that coming in through, you know, trying to get to pentesting, a lot of people were like, oh, you got to work in networking for this many years or help desk for this many years, and that's just not true. You move up when you're ready. If you're putting in more work than the guy who's been working there for two years, that's you, you know, if you did the work and you've learned what the same guy learned, you know, in two years, that you did in a year, then you did it in a year, everybody's different. So I don't believe in you have to stay somewhere for X amount of years, you stay until you're no longer the dumbest person in the room, and then when you're the dumbest person in the room you move off. So somebody asked if I would go for a cloud certification because it's popular. I mean, the AWS certs are paying a ton of money, but the AWS certs are so dry. I mean, if you are interested in the cloud, if that's your thing, then I mean there's great resources out there, I would always recommend getting a cloud certification because everything's going towards the cloud. I just, I am fighting that as long as I can fight that, but more power to you, because AWS pays a ton of money, so definitely worth thinking about. Recommendations on network versus web pentesting in terms of pay, job opportunity, et cetera? Okay, so let's think about this theoretically,
well maybe not, but in my experience, you need to have network pentesting to be a decent web pentester, in my opinion. You still need the fundamentals, because the enumeration, everything ties into place. You don't have to be one for long, but I feel like the good web pentesters know how to do network pentesting. You don't have to be an expert by any means, but to have those fundamentals and concepts there is really important. Now there are jobs, and things are shifting towards web app pentesting, strictly web app pentesting. Most of the work that I do lately is all web app pentesting. So with that being said, you got to think about it. If you have a client, let's say we've got a client and they want to do an internal/external assessment, okay, you get one internal/external assessment here. Let's say that client makes web apps as well, like they have internal web apps, external. Let's say it's a bank or a hospital, God knows how many different applications they have, you're gonna be testing multiple web applications for just one company. So there's more opportunities, in my opinion, on the web side than there are on the network side of things. There's more money, in my opinion, on the web app side than there is on the network side. The nice thing about the web app work right now is that web app work is, most of the time, I'd say greater than 90 percent of the time that I ever see it, fully remote, like no travel whatsoever, and it's really good money, because I feel like it's a lot more complicated than the network pentesting. But you might find a web app person, as I say, says the same thing about network pentesting, but it's way more in demand, and I think there's a lot of people focusing on it right now as well, so things to think about. In college, computer science versus IT major networking for a career in pentesting? Computer science all the way. Computer science will open so many doors, if you change your mind and don't want to go into pentesting you can go somewhere else, but IT networking
limits you down a very strict path. Do you think the USA is the best country to work in IT security in terms of job opportunities and salaries? I don't know what to compare that to. I don't know, I like, I make a good salary, but like I talked to people in England and they say that the salaries in the US are insane, and England has a high cost of living, so I mean we have a high cost of living too in some areas, in some areas it's not bad at all. So I mean the money's pretty good, pentesting's pretty much six figures all around. Need water. PentesterLab, more web app or network focused? I honestly don't, I've never used PentesterLab, if somebody else can answer that. Everybody's saying web app, there you go. All right, calling hard stop in seven minutes, we're gonna stop at 9:50 I think. Is the Web Application Hacker's Handbook still relevant for web pentesting? Yes it is, the concepts don't change, and web app pentesting doesn't change that drastically over time, everything that it talks about is for the most part still pretty up to date. There's some things in there that you're gonna want to brush up on, some newer concepts that have come around, but still definitely worth it as a starting foundational book. So what kind of gaming router am I running? I'm not running any gaming router, unfortunately. How do I plan on charging for small, mid, large internal pentests? I have no idea, it's all gonna be based on sitting down with companies and determining their size, so based on the amount of work is gonna be the charge. And what they want, right, like do they just want a quick assessment, the lay of the land, or do they want, like, you know, to get down in the weeds? So if they only want to target a few certain machines even though they're a large client, that differs from somebody saying, hey, I want a report on all thousand of these machines, tell me what you find. So Congrats Matt on passing the OSCP, I'll owe you a beer sometime. So I haven't done a lot of phishing assessments, I know that
we use GoPhish tied to an AWS server, we used to have somebody running the phishing assessments, but I've read some of our reports and some of the ones that we've done are really cool. The one that I could think of right off the top of my head is they had this one where they mocked like one of their login pages, and they sent, you know, an email that said hey, something is wrong with your Outlook, you can't retrieve this message, you have to look at the online version, or something like that. It looks pretty legitimate, they send the email, they open it up, they go to their Outlook login page, they type in the credentials, the credentials send off to one page, but this page actually redirects and logs in as the user for Outlook, so they have no difference, they think that they logged in to Outlook. So really cool little proof of concept to actually redirect. Short lesson on effective social engineering, guest speaker? Yeah, we can talk about a guest speaker for social engineering, it's a hot topic. Have I set up any C2 type infrastructure for assessments? We did one C2 infrastructure, well, we set it up for Cobalt, but there's one test, like, we have Cobalt available, I just don't ever use it. Any assessments that really stumped me outside of the domain admin on a printer? I mean, not every pentest is a win, well at least on the external side, it's not always a win, so yeah, I mean, I guess there's pentests that stump you, there's just somewhere like, you know, with the scope the way it was, if there's no social engineering and everything's patched, or they give you a limited surface, that's frustrating. Some companies just give you a couple IPs for compliance sake and they say you can't do anything really except scan it and exploit what you find. So in terms of stumping, I don't know, but in terms of frustrating, yeah, there's a bunch, I mean there's definitely ones out there. You always wonder, right, like you always
wonder, it's always in the back of your mind, did I miss something, is there somebody that's going to come through and find something next time that was there? You know, you look at other reports that were done by pentesters before you and you find stuff that they didn't find, and so it's always in the back of your mind. When the middle fans lit it looks like a creepy face on my PC? I don't know what that is. Any Wi-Fi stories? No, my Wi-Fi stories are all boring man, just walking a perimeter and trying to crack Wi-Fi, nothing exciting, unfortunately. You know how companies do that when they pay for it though, cuz they just want to check a box, that's all it is, they don't truly care about the assessment, it's for compliance sake of one way or another. All right, last question, does the blue team actively try to shut you down in assessments? Um, typically no. So if they shut us down, they'll bypass it, they'll like send us an email, or we'll send them an email and say hey, you've blacklisted us, can you please let us through, or, you know, like in those instances. But typically they're aware that it's going on, so sometimes you'll get a manager that's like, I'm not gonna tell anybody, I just want to see, you know, if they notice anything. In those situations, yeah, if they catch us they catch us, but they're still gonna let us through so we can finish the pentest. I'll take one more question. Did I ever crash a server? Short story is yes, it was a QA server, we crashed it pretty much every night, and we were doing like overnight pentesting, web app pentesting, on a QA environment, and we just ran sqlmap. Running sqlmap, Burp Suite was showing that SQL injection was high confidence, and we were testing it with sqlmap, and every time we ran sqlmap we knocked that entire server offline. So, but thankfully it was QA, they weren't mad, they would just turn it back on in the morning, but some servers are fragile, yeah. Thanks guys, yeah, sorry about the connection in the beginning, I don't know what
we're gonna do, we'll, uh, I'll have to edit the video, make it look fancy or something, cut out 30 minutes and just say that there were technical difficulties, but that is it for me. I think I'm gonna get out of here 10 minutes early. I think put up a 30 minute technical difficulty screen, I should, I mean I could put a little note down on the bottom, I always timestamp them now, so I could put a note down at the bottom and just say please don't watch the first 30 minutes unless you've got nothing else going on in your life, but I'll probably just edit it out. But next week, last week, remember Tuesday, not Wednesday, Tuesday the 28th, same time, 8 o'clock, we'll be back, we'll have our last stream, we'll do something fun, give me some drinking ideas or something. So night everybody, thanks for showing up, I appreciate it.

Original Description

Zero to Hero:
0:00 - Welcome
1:17 - Quick housekeeping
4:20 - Scanning our targets
10:46 - Reviewing nmap results for Blue
12:48 - Checking for MS17-010 w/ nmap
14:20 - Exploiting MS17-010 w/ Metasploit and post enumeration
25:15 - Reviewing nmap results for Active
27:50 - Extracting data w/ smbclient
32:20 - GPP/cPassword overview/exploitation
38:17 - Kerberoasting and post enumeration

Q&A / AMA:
52:00 - How old is the GPP exploit?
52:55 - Are you running Windows on VM?
53:37 - Is the OSCP still worth it for HR purposes?
54:14 - What sort of credentials to get into pentesting from military?
55:15 - Does Metasploit leave remnants?
56:40 - Errors on GetUsersSPN?
57:18 - Bug bounty hunting certs?
58:07 - Pass the Kerberos hash?
59:05 - Is it better to start on externals before internals?
1:00:27 - Internal pentest resources?
1:01:00 - Any experience w/ Rapid7?
1:02:05 - How fast is your cracking rig?
1:04:00 - Have you used Commando?
1:04:37 - Bug bounties for internal?
1:05:34 - Powershell on assessments?
1:06:32 - Have you done any Bluetooth attacks?
1:07:05 - How would I go about starting my own consulting company / business advice?
1:15:10 - What is your computer setup like?
1:15:40 - RFID hacking?
1:16:10 - Finding talent to start a company / do you have to work X amount of years before starting a business
1:18:23 - Thoughts on cloud certifications?
1:19:05 - Network vs Web Pentesting in terms of pay, jobs, etc?
1:21:16 - CS or IT major in college to become a pentester?
1:21:39 - Is the US the best country to work in for cybersecurity?
1:23:02 - Is PentesterLab more web app or network focused?
1:23:45 - Is the Web Application Hacker's Handbook still relevant?
1:24:15 - Do you run a gaming router?
1:24:28 - How are you planning to charge companies?
1:25:42 - Phishing tools?
1:27:50 - Any assessments that have stumped you?
1:29:33 - Any wifi stories?
1:29:55 - Does the blue team actively try to stop you in assessments?
1:30:42 - Have you ever crashed a server?


This video teaches viewers how to scan for and exploit vulnerabilities such as MS17-010 using tools like nmap and Metasploit, and how to perform post-exploitation enumeration and Kerberoasting. It also covers various topics related to pentesting and cybersecurity.

Key Takeaways
  1. Scan targets using nmap
  2. Check for the MS17-010 vulnerability
  3. Exploit MS17-010 using Metasploit
  4. Perform post-exploitation enumeration
  5. Extract data using smbclient
  6. Exploit GPP/cPasswords
  7. Perform Kerberoasting
💡 The video highlights the importance of vulnerability scanning and exploitation in pentesting, and demonstrates how to use various tools to achieve this.

