Zero to Hero: Week 9 - NTLM Relay, Token Impersonation, Pass the Hash, PsExec, and more

The Cyber Mentor · Beginner · 🔐 Cybersecurity · 7y ago

Key Takeaways

The video covers various cybersecurity topics including NTLM Relay, Token Impersonation, Pass the Hash, PsExec, and more, using tools like Metasploit, CrackMapExec, and Incognito.

Full Transcript

How's everybody doing today? Hey, you guys can finally see me. How's it going? I see mtx, let's see, Gray, I see Matt, Chloroschoo's here, what's up Floor Shoe, hi Morse, hey thanks Closure, what's up Kev, how's it going my people. Is my mic volume low? It might be. If I'm low I can crank it up; I'm only at half mast here. All right, I'll crank it up. Cheers. Can you hear me, is that better? I have volume issues apparently. What's up everybody, I see people are trickling in. xtc, how's it going, Brent, hey Ion. I don't have a big boy voice. Did I borrow Joe's headset? No, nobody wants to borrow Joe's headset, I don't think.

All right, I'm going to go ahead and get us on to the PowerPoint so we can get onto the fun stuff, if I can find the PowerPoint. All right, welcome to Zero to Hero week nine. You guys have made it through nine weeks. This may be the penultimate week; I have not decided. Hey, Nate Dog's here, I haven't seen Nate Dog in forever, what's up Nate Dog.

All right, so today's agenda: quick housekeeping, then we're going to go into AD topics and resources, and then finally we'll dive into our lab, do some AD exploitation, continue that on, and end with Q&A and AMA. I just thought you got arrested, Nate, that's all.

All right, so housekeeping. First thing on the agenda: new beginnings for The Cyber Mentor. Many of you have already heard, some of you are already talking about it. I put in my notice this week at my job and I am going to be starting my own venture. I don't know what that's going to look like yet, I don't have everything planned out, but I'm trucking it on my own and going to give it a try, so wish me luck. In this venture ahead I'm sure you'll be seeing posts about it coming in the near future, and I also plan on blogging about the experience, so hopefully you guys may learn from my struggles on what it's like to run and operate a small one-person business.

Other than that, let's talk about what's ahead. No stream Wednesday, May 29th. Again, no stream Wednesday, May 29th. I said this last week, I'll say it next week, because somebody will forget and show up. I will be out of town; I will not be here on the 29th. Now we have the opportunity for two different paths: we can either be doing an Active Directory part three next week, or we can go right into maintaining access, pivoting, cleanup, plus the legal stuff. So I'm going to leave it up to you guys, and I won't know until next Monday what we're going to be doing fully; I'll plan for both. We're at a situation where I have more that I could teach you. I could teach you weeks and weeks of Active Directory exploitation; the issue is I don't have a lot of time to build out the labs. So there are a couple of Hack The Box machines that I'm going to ask you to upvote if you have VIP. I've already sent that in the email; we'll talk about that here in a minute. If you upvote those, we'll have a third stream on AD, and we're going to talk about Kerberoasting, we'll talk about GPP cPasswords, we'll talk about EternalBlue, MS17-010. So we have a lot to cover in another stream if we want to go that route next week. Still, maybe the last week; I don't know how much I have to cover on the maintaining access, pivoting, cleanup side of things plus the legal stuff. We may just do a super long stream, or we may do a special stream on like Tuesday, May 28th, and just have some fun with a legal document. We'll do something with it, maybe play a drinking game out of it or something and get me drunk before I go on vacation. So we'll figure out a way to end the course with a bang.

And congratulations to all of you that have made it this far. Big, big hats off to you who've been here every week. I don't know if you realize, but we started with probably, I don't know, 100 viewers on average, and it's sexy in the beginning, and consistently 50 of you have been here in and out every week. I think the mailing list is somewhere around 500, so I know some people can't make it, but the ones who did show up in the first few weeks, you know, they didn't stick it out, they didn't have that mentality to continue, and you guys have continued. So big hats off to you as well for sticking it out.

All right, so let's go ahead and move on. First things first, I am going to give you guys some important readings. I've already sent out some of this, but these are very, very important. The first one here is this AD beginner common tactics: it's the "Top Five Ways I Got Domain Admin on Your Internal Network Before Lunch". It's from 2018; it still holds true fairly well for internal pen testing assessments. Let me pull this up here. This is the article, it's really good. So if you scroll through it: number one, NetBIOS and LLMNR poisoning. What did we do last week? That's exactly what we did. This is the number one method, and it will hold true as the number one method for quite some time. Scrolling through it: relay attacks. You're going to be covering relay attacks today; that's why I asked you to download or install a fourth machine. I know that's very RAM intensive; if you do not have the RAM, you'll just have to watch. So I have a fourth machine that we're going to relay to. And if we keep scrolling through, what else has he got in here? MS17-010. It doesn't necessarily have to be an Active Directory environment, but you're going to find this low-hanging fruit all over the place, so there's not much to show or to teach here, but we do have a box, and I'll cover that in a minute here, that we can cover this with via Hack The Box. This is something that you should be looking for on every assessment; this low-hanging fruit is amazing. Also Kerberoasting. Kerberoasting's a big one, I see it on a lot of assessments, and another box that we can cover via Hack The Box; again, we'll talk about that here in a minute. And I think mitm6; this is the one that I don't use that much, but something worth reading and looking at his tactics. I'm going to give you some extra homework tonight as well when it comes to relaying, and you're going to go on your own and do your own lab after what we've built out, and you can go further with what we do. You're going to get a proof of concept tonight, and then I want you to take that further and explore what you can actually do with relaying. I saw a sub come through, thank you Bammers Brent, I appreciate that.

All right, back to our fun list. So on that list as well we've got advanced Active Directory topics. If you've never been to adsecurity.org or harmj0y's blog, you are missing out; please do check those out as well. We've got non-AD privilege escalations; the Windows version is g0tmi1k, a very, very good guide. I will be posting this and I can submit the links if you need to; please do take a picture if you need to as well, but I will be putting this on with the videos. And Linux privilege escalations as well; these are really, really great blogs. So we can take a quick look at those. Somebody asked why I'm using Edge: I'm only using Edge because I don't want to show you all my fun tabs, bookmarks and plugins that I use with Chrome and Firefox.

So ADSecurity, this is Sean Metcalf's website, full of posts that are above my head if I'm honest, but there's some really, really good stuff in here about learning Active Directory. Anything you want to know about Active Directory attacks and security, this is the website. I think harmj0y is a close second; he does a lot with Active Directory attacks, he's got Kerberoasting in here as well, so worth a read if you want to go into some of this advanced stuff.

Now when we talk about the privilege escalation, we've got the g0tmi1k, and I think I put this backwards. The g0tmi1k is actually the Linux one, and if I put that backwards, I'm sorry, I'm working on three hours of sleep tonight. So I did put it backwards: it's under Windows, but truly it is actually Linux, and switch the Linux for the FuzzySecurity. So this is the god guide, you know, this is the holy grail of Linux guides, and this is the holy grail of Windows guides here from FuzzySecurity. So take a look at these. This is more common in what you're going to see in capture-the-flag environments, the OSCP type stuff; when you talk about doing Hack The Box, any of those types of things, you kind of want to look at these tactics and start understanding, you know, what tools might be out there for these: tools like Sherlock, or there's LinEnum.sh, or privchecker.py is another one for Linux. So some of these common tools can do some of this automatically for you and look for some of these, and we're going to talk about the Meterpreter version of that tonight once we get into it. But also just note both of these blogs, and if you ever pursue or do Hack The Box, keep these in your back pocket as something to have for research.

Right, so we've got a bunch of questions coming through. Let's see: should we domain join the fourth machine? You can if you want to get ahead of me, but I'm going to be showing it. Do I share the presentation? I can't share the presentation; I will be sharing the links in the Discord channel and I will be sharing the links on the YouTube.

So, okay, back to our presentation. Let's look at some common AD attack strategies, most of which you just saw. So we have LLMNR/NBT-NS poisoning. We started that last week: we cracked our hash offline, and now we are going to see what we can do with these hashes, these offline cracked hashes. So we're going to test the credentials against logins. What I mean by that is typically we're going to look for, you know, SMB, and we're going to use psexec for that, or CrackMapExec with that, but, you know, any AD login will work. You check on any web pages that are out there that might be using Active Directory and allow you to log in; you never know what you might find. On top of that, tonight we're going to be talking about relaying hashes. So SMB signing must be disabled for this, and by default in most environments SMB signing is disabled, and a lot of admins don't like to enable it because it causes issues with speed, so you'll find SMB signing turned off most of the time. We're going to go in and make sure that it's turned off in our settings tonight, so you'll get to see where you turn it on and turn it off from a defensive perspective. Some other common attacks: we talked about Kerberoasting, the GPP cPasswords and the MS17-010; all those can be taught next week. We're also going to be covering token impersonation tonight. I've got quite a bit I want to show you guys, depending on our time limit.

And then also some things to look out for is just low-hanging fruit. An example of that is default credentials, and I've told this story before, but I've told it in the Q&A usually: one of my favorite assessments that I've ever had, I got domain administrator off of default credentials on a printer. So you have full potential to find domain admin in the weirdest possible ways. So just because you're sitting there with Responder, you're not cracking any hashes, you're finding that everything's patched, doesn't mean that there's not something out there that is improperly configured or misconfigured and allows you to gain access. So always look for the low-hanging fruit; you never know what you're going to uncover.

And to go into the other common attacks, and the ones that I want to show you, let me go back. We're going to be on Hack The Box a couple of times. So if we come on to Hack The Box here, and you have a VIP membership, come down to Machines, come down to Retired; it may take a second to load. I have full faith that Active is going to get voted in; it's already got a lot of votes, so if you want, please direct your votes towards Blue, because that'll allow us to have a little bit more flexibility. But if you search Active, Active has 14 votes, it's killing it this week. Let's check in on Blue: Blue's got three votes. Blue needs some love. I mean, Blue is going to be a box that takes us probably 15 minutes to go through, and, you know, it's not going to be that exciting, but it's still going to be a lesson for people who are new, to understand the MS17-010 exploit. So I'd love to show you those two, and maybe even get through to the end of the course next week, and we may just do a special capstone. Now that I'm thinking about it, I may give you guys a capstone in the final, final week of May, so on the 28th. What we'll do is we'll just take some of these old boxes and I'll walk you through the process of how I would enumerate it, how I would attack it, and I would try to pick the most realistic things so you can see it from a penetration testing perspective, from an enumeration perspective, and we can kind of start it from start to finish and see how I would attack it from my perspective. So please do upvote these if you can, if you'd like another week. If you don't want another week with me, that's fine as well; we can end early.

So with that being said, let's go back to the slides one more time and let's talk about certifications, courses and training. I'm going to repeat that what you're learning from me is the beginner, the basics. Everything you need to know, I'm not going to be able to teach you; I could do this for weeks. Now there are some great courses that are out there that can teach you some more advanced AD tactics. I've already provided some blogs for you, but if you're a certification, video training, lab kind of person, there's quite a few of those as well. So the first one I'd like to show you is the eLearnSecurity PTX. I've heard mixed reviews about it. I actually have purchased this and I haven't gone through it yet, so I cannot confirm or deny how those reviews are, but I have heard that it goes kind of well with the Hack The Box Pro Labs, which we'll get into here in a second. So if we look at it, hey thanks Scratch, I appreciate that. So if we look at it here, the PTX, Penetration Testing eXtreme, it goes into advanced tactics: it's got social engineering, AD reconnaissance, red teaming Active Directory, red teaming SQL Server, Exchange and WSUS there. So some things to look at, but a good shout-out goes to actually PTP, which is kind of the competitor to the OSCP. A big shout-out here, because if we scroll down into, let's see, if it's sniffing, man in the middle, let's see if the labs are, hold on, I know it's in here somewhere. If you look at lab 9, or actually sorry, lab 11, they do have NBT-NS poisoning, exploitation with Responder, they've got DNS and SMB relay attacks, they've got different types of privilege escalation, bypassing AV, etc. So this here is why I have been so adamant about eLearnSecurity and why I say, you know, PTP is really out there, because if you're seeing the attacks that I'm teaching you, they're really upping their game in terms of being relevant and staying with the times. They update within every three years. This is great, great stuff, so worth checking out. Like I said, I don't know about the PTX, I have not taken it yet, it's on my list to do, but it's definitely worth looking through this, and it even teaches you things like wireless and programming, you know, some web apps. So it's really cool that it goes over all these tactics from a broad perspective, so worth looking into and worth purchasing if you have the funds and the time to study it. Somebody said their interface is nice too; their interface is really nice, very, very nice. Would I recommend taking this after the OSCP? Yeah, I think it would still give you a leg up, because the OSCP doesn't have nearly any of this. Can I send the slides on the Discord? Yes, yes, I've mentioned that I will send the slides on the Discord. Do I recommend SANS stuff? We're going to save the questions for Q&A, guys; Q&A time afterwards.

So all right, let's go into some other resources here. There's two Pentester Academy resources I'm hearing good things about. The Attacking and Defending Active Directory, I actually purchased this and I'm in the labs now; so far so good, I think that it's actually a really good course. The advanced version of that is the Red Team Labs, and I have both of those brought up here. So I would start out with the Attacking and Defending Active Directory and then move on to the Red Team Labs. Now neither of these will give you a certification that is HR-worthy. If you're after it for the HR, you're in it for the wrong reason; same thing with eLearnSecurity. These are for pure knowledge-based learning; these certifications really just don't do it for the HR. So you've got this course here, Attacking and Defending Active Directory, like I said, that's more of the beginner course, and then the Red Team Labs are their more intense course, and it's focused purely on hacking Active Directory.

So the last thing, and I'll just skip the slide and go right to Hack The Box. Hack The Box has two Pro Labs now. These are probably the cheapest solution out of everything that I've shown you, but this is where most of your research time is going to go. If you come on the left side, they've got the RastaLabs and they've got Offshore. Now I have heard very good things about both of these; I've heard the most good things about Offshore. It was made by a guy named Ben, based on an actual pen test that he went through, and I've heard nothing but good reviews about it. So it really emulates what an Active Directory environment is and what a pentest is like for one of these, and, you know, just has some crazy outside-the-box tactics that you really need to learn, and it's got all this checklist in here that you need to go through. So a very, very good environment from everything I've heard, and it will challenge you. So with that being said, these are your options; please do look into them. I'll bring up the slide one more time so you guys can take a picture. As I've stated, I will send these slides out in the Discord channel and I will be posting the links down in the description on the YouTubes. So here is the slide one more time; I'm going to grab a drink.

All right, so that is it for the PowerPoint; now I'm done boring you guys with that. Is RastaLabs made by RastaMouse? It sure is.

All right, so where did we leave off last week? We left off capturing the hash of the Punisher, right? We captured his hash, we went and cracked it, and we realized that his password was Password1 with a capital P; he didn't have the greatest of security. So we're going to run a scenario tonight, something that we see quite often when it comes to pen testing, and that is a situation where we leverage those credentials into getting domain administrator. So we're going to need to do a few things. Again we have our Kali machine, we have our Windows Server here, we're just going to let that sleep, and then we have our Windows 10 machine from last time. Let's just go ahead and power this on if yours already isn't. Let's get logged in here.

Okay, so if we come into the C: drive, I've created a folder here because I was doing testing for this lab, but I'm going to have you guys recreate everything I've already done, and I will stall, chat, do whatever so you guys can catch up. So please do create a scans folder. This is emulating something I have seen in a real-life environment, plus some other situations that we're going to see. Now commonly users have a scans folder located somewhere on their computer; it's got a user scanning to it, or their own account scanning to it. So what we're going to do with that is we need to share that folder out, so that the folder has SMB access and can be accessed by the printer or whoever it is that needs to access this folder. So you're going to right-click, click on Properties, go to Sharing, and you're going to hit Share, and the settings I have for this is I'm just sharing it with the owner, Frank Castle. It should be your MARVEL\fcastle account, or whoever it is that's tied to your domain. So hit Share, Done. Now you may notice that he is a local administrator; for me I've already made him a local administrator, we're going to do that in a second, but you may need to enter credentials in for your administrator; hopefully you remember those from last week. But once you have that shared out, we're going to go ahead and make good old Frank a local administrator for this machine. This is also very, very common in working environments. So let's go ahead and just right-click on the Start menu, and we're going to say Computer Management, we're going to click on Local Users and Groups, and we're going to click on Groups. Now from here we are going to go to Administrators, double-click on that, you're going to say Add, and then all you have to do is type in the name of the person, so fcastle; you can just hit Check Names and it'll pull it in if it's in the Active Directory environment, and then you just hit OK. Now I've already got Frank in here as a local administrator for this computer. Thank you Solely for the sub, I appreciate that.

All right, so we've got Frank in here and we've got him as a local administrator, and we've got a scans share that he can access via SMB. So what we're going to do is we are going to reboot this computer. Let's go ahead and just do that.

Okay, so somebody asked, well, I'm going to answer some questions while we wait. Somebody asked if I think SANS courses are worth it. Like the audience was saying, if you have the funds to pay for it, or if you have work funds to pay for it, then I think it's a good opportunity to go. They also do have the work study program where you go work for a week, and then I believe it's like fifteen hundred dollars or so to actually take the course. So things to consider, but you can spend your money better elsewhere, unless you're working one of those cushy jobs that actually do pay for your SANS courses.

Now you can see that I'm stuck in the restart loop from hell, so it may be a minute. I rebooted this machine earlier and it took its sweet time, so I don't want to force shut it down if I don't have to. Jeff says the military has a free program. While we're doing this, I'm going to bring up the chat so other people can see if they're watching. You can't make a share, why is that? Updates. The Bucks play in two minutes. The Bucks are going to lose? I don't think so; I think the Bucks are going to win the series if I'm being honest. Password incorrect? You forgot your own password, man, come on.

All right, when you get to the login screen, if you worked ahead of me, this is why you are wrong: when you get to the login screen, please do not log in as Frank Castle. We're going to perform two attacks today. Please log in as the administrator, the domain administrator, so MARVEL\administrator, and hopefully you remembered your password from last week. I will give you guys time; I know I also ran into the update as well. Windows forcing updates on us whenever they feel like it feels bad, right? So we're logged in. Make sure when you get logged in you're logged in as an administrator. I'll give it a couple of minutes; if you've got a question, I'll wait for some of you to catch up.

And also I'm going to give some credit to Windows Defender, because Windows Defender has caught me in the last couple of weeks doing exploits that I have never seen it catch me on before. So it's going to be time to start upping my game; I'm honestly really impressed by some of this. So we're going to actually have to turn off Windows Defender for the exploit we're about to run, and this is an exploit that I run all the time in client environments, whether or not they're using Defender; most likely not, probably some form of AV that's not catching this, but Defender is doing a really good job as of late catching these exploits.

All right, so we are logged in as the administrator. I'm going to go ahead and just get it going. I'm going to type in "defender", go to Windows Defender settings, we're going to click on Virus & threat protection, and I never know how to disable this, there we go: go to Manage settings and we're going to turn off Real-time protection. If you didn't see that, I will repeat it: go to Windows Security, click on Virus & threat protection, you're going to Manage settings, and then you're going to turn it off here in the Real-time protection. Knightins is saying don't disable it; he's warning us of the bad things that are going to come. All right, so now we've got that disabled. We can stay logged in, doesn't really matter.

Let's go ahead and hop over; actually, let's get the IP address of this machine to make sure that we are attacking the right machine. Sometimes these things do change. It is .134; earlier it was .138, so that's good to know. Okay, so with your IP address in hand, go into your terminal. We're going to be living in Metasploit. I'm doing a stream next week, don't spread lies; Gray's over here spreading fake news. All right, so we should be at this msf5 screen. I'm going to take my face away so you guys can see everything, and we're going to be using a tool called psexec. So we're going to say use exploit/windows/smb/psexec, just like this. Now what this does is, if we are able to connect to a shared folder as an administrator, or with execute privileges, we can upload malware and gain a reverse shell. This is important. So there are two tools that we're going to actually use. Actually, let's back off, let's back off, this would not be my first step; let's back off just a little bit. So actually let's do this: type apt install and then I want you to type crackmapexec, just like this, and hit enter. Now I've already got it installed, but go ahead and install it; I'll give you another second. You said you heard I was giving away a ThinkPad? You know, nobody has sponsored my stream, so if you call Lenovo up and you get them to sponsor my stream, I will give away that ThinkPad. You can be my marketing outreach, Jeff, that can be your job, since you're going to be doing nothing else in Amsterdam.

All right, let's say that we've got CrackMapExec installed. So I'm going to give you a proof of concept here. We could use the credentials we already have; we're pretty much only going to log into one machine, which would be our machine, so I'm going to give you an example a little bit different. So CrackMapExec, what it does is it does a pass-the-hash, or pass the SMB account, or whatever account you've got, depending on what's built in. I don't know, I only use it for SMB; I think it has more than that. So what we're going to do is we're going to say crackmapexec, and you'll understand more once I type in the syntax here. We're going to say smb and then we're going to type in the targets. So for me, you could type one IP address; I'm actually going to type in 192.168.202.0/24, and what it's going to do is it's going to sweep the entire network with the credentials looking for SMB logins, and it's going to come back and say hey, I found a login, or hey, I didn't. This is a tool by byt3bl33d3r; it is an amazing tool. So we're going to just say -u for username, administrator, -p for password, and make sure you put quotations around it, whatever your domain admin password was, please remember that, and then -d for domain; our domain is MARVEL. And then we're just going to hit enter on this. That's going to go through all the IPs and try to log in, and you can see that it actually pwned multiple machines. So when you're in an environment and you've stolen creds or cracked creds, what you can do is you can take the creds and you can pass them around and see where you have access from an SMB perspective. Every single place where it says that I've got a login, I'm going to go and try to get a psexec shell and use that to see what information is on the computer, and we'll talk about that here in a minute, what we can do once we're on a computer. Now you see the domain administrator has access to all the machines that we have, one being the domain controller, the other one being the Punisher. The Punisher does not have access to the domain controller, which is why I showed you the domain administrator account, so that you can see multiple logins at once. So just know that this tool is one of the best tools you can have on an assessment when you crack credentials, and it also works with hashes, which I'll show you later. I didn't get the pass-the-hash to work; I'm going to show you the techniques, but I wasn't able to actually get it working, but you'll at least get to see how to accomplish it. One second, I've got to sneeze.

All right, so now we passed it around, we figured okay, we're going to try to log in. We'll just pretend that instead of administrator this was Frank Castle. Oh, thank you Matt. And we're going to come back to our screen over here and we've got psexec up. Somebody asked if logging in as domain admin is to remove Windows Defender; that is not the case. There's another reason we're logging in as domain admin and I have not gotten there yet, so just bear with me; the local admin of Frank Castle would be able to remove Windows Defender as well. Okay, so let's type in options and let's set our RHOST. So my RHOST was the Punisher machine, which sits at 192.168.202.134.
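The three things the lab sets up by hand above (SMB signing left off, a user's scans folder shared out, and a domain account in the local Administrators group, which is what turns a cracked password into the "Pwn3d!" marker CrackMapExec prints when it sweeps a subnet) are exactly what a defender should be auditing on every member host. The script below is an added PowerShell example, not code from the stream or from any tool it mentions. It uses the built-in SmbShare and LocalAccounts modules (Windows 10 / Server 2016 and later) and must run elevated; the `-Fix` switch, the "broad access" heuristic for shares and the report layout are my own assumptions, not a documented checklist.

```powershell
# Added example, not part of the stream: audit one Windows host for the three conditions the lab
# sets up by hand (SMB signing, a non-default share, domain users in local Administrators).
# Run elevated on a member workstation or server. Read-only unless -Fix is given.
# Assumptions (mine): the "Broad" share heuristic and what -Fix changes.
param([switch]$Fix)

function Get-RelayAndLateralExposure {
    param([switch]$Fix)

    # 1. SMB signing: NTLM relay only works against a server that does not REQUIRE signing.
    $srv = Get-SmbServerConfiguration
    if ($Fix -and -not $srv.RequireSecuritySignature) {
        Set-SmbServerConfiguration -RequireSecuritySignature $true -EnableSecuritySignature $true -Force
        Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
        $srv = Get-SmbServerConfiguration
    }

    # 2. Non-default shares (the "scans" folder) and who can reach them. Administrative shares
    #    (ADMIN$, C$, IPC$) are expected; every other share gets its ACL listed so it can be justified.
    $shares = Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        $acl = Get-SmbShareAccess -Name $_.Name
        [pscustomobject]@{
            Share  = $_.Name
            Path   = $_.Path
            Access = ($acl | ForEach-Object { "$($_.AccountName):$($_.AccessRight)" }) -join '; '
            # Assumption: Everyone / Authenticated Users with more than Read is the risky shape.
            Broad  = [bool]($acl | Where-Object {
                         $_.AccountName -match 'Everyone|Authenticated Users' -and $_.AccessRight -ne 'Read' })
        }
    }

    # 3. Domain accounts in the local Administrators group: this is what turns a cracked domain
    #    password into code execution on the host (psexec, CrackMapExec "Pwn3d!").
    $domainLocalAdmins = @(Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' } |
        Select-Object -ExpandProperty Name)

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        SmbSigningRequired     = $srv.RequireSecuritySignature
        RelayExposed           = -not $srv.RequireSecuritySignature
        NonAdminShares         = $shares
        DomainLocalAdmins      = $domainLocalAdmins
        LateralMovementExposed = $domainLocalAdmins.Count -gt 0
    }
}

$report = Get-RelayAndLateralExposure -Fix:$Fix
$report | Select-Object ComputerName, SmbSigningRequired, RelayExposed, LateralMovementExposed | Format-List
$report.NonAdminShares | Format-Table -AutoSize
$report.DomainLocalAdmins
```

Two caveats worth knowing when you run this. Domain controllers require SMB signing by default, so the "disabled by default" remark applies to member workstations and servers, not to the DC; the Group Policy equivalent of the `-Fix` change is "Microsoft network server: Digitally sign communications (always)", and it takes effect for new SMB sessions. And a share like the lab's scans folder granted only to its owner will show `Broad = False` but is still listed, because the point of the share review is that someone can say why it exists.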
the share of admin is fine because we need to be able to connect to a uh a admin account to be able to exploit this anyway and now we need to set a few things we need to say set smb domain it's going to be marvel set smb pass and we're going to say password one set smb user fcastl okay and then down here it says exploit target and it gives us automatic um but that just tells us that there's some other targets in there so i like to say show targets and see what possible target options we have so it's got automatic it's got power shell native upload and mof upload i don't have a lot of success with the powershell version i actually have the most success with the native upload but when i'm doing this on an assessment i will run through every single target type but for tonight we're going to go ahead and just set the target to 2 so let's say set target 2 and then we'll say options again to make sure that we have done everything we needed to do um we've hit our required here required here and then we filled out everything we need to fill out here okay so let's go ahead and just say run and looks like we connected uploaded it didn't work we'll try running one more time uh okay let's try setting the target something else see if it runs and that works so here i go talking about powershell never working i bash powershell and then powershell comes through in the clutch uh this is what i mean by trying all your different targets i would stray away from using automatic you can try it um but i like to go through the targets one by one if i can because i don't know what it's picking when it's picking the automatic so now we are in a meterpreter session you can see it says interpreter session one opened we have a shell on this machine we can say get uid and see who we are we actually got a shell as system so typically i was looking for this to execute as a as frank castle and some of the times i run it it does come through for frank castle uh sometimes i run it it comes through 
as system so not sure why that is we could type in sysinfo and see what kind of info we have here [Music] hey thanks mikayla okay so we actually got an x86 meterpreter session and we've got an x64 architecture that's not the best situation to be in so let's actually let's background this type in background and it's going to background the session let's see if we can't upload um another a different payload so let's see if we can say let's look at options it might not show us okay it does show us windows interpreter reverse tcp let's see if we can get it into a 64-bit payload and we might not be able to so we could just say set payload windows interpreter double tab and there's actually not going to be um a 64-bit payload so these are all gonna run in as 32-bit and people are getting ahead of me yes yes yes um so we're here in a 32-bit situation right and it's always important to know what architecture you're on what interpreter shell you have can you improve that shell to get where you need to be uh so we cannot here we can't get any better so what we're gonna have to do is we're gonna go and say sessions okay we've got our session here we can just go back into session one to say sessions one we're back where we need to be now ruri is getting a little ahead of us and saying that we can migrate into a process so if we type in ps and you look through these processes here you can see all the process is running you can see the pid and the parent pid we have to be very very very careful of what we pick here because if we pick the wrong process and sometimes it's a guessing game you want to pick something that's running as system already uh and you want to pick something that's running as x64 and uh sometimes it bombs the it bombs the whole thing so rory is saying service host every single time but i'm not going to mess with it today i'm i'm going to leave it alone because i've got other lessons for you guys but if you're feeling adventurous you could pick one of these 
say example 1076. You could say migrate 1076, hit enter and try to go into it. You may lose your session and have to reboot your machine, so for purposes tonight we're just going to go ahead and skip doing that. I don't want to break the machine, have to reboot, and have to go through the process again. But it is important to know what process you can or at least need to switch into; it's important to know your architecture as well. No balls? Yeah, I've got no balls. All right, so let's type help. Let's see all the fun things we can do with the Meterpreter session. There's quite a bit, right? So you've got your core commands here, you've got file commands. We can actually download a file from the computer, we can upload a file to the computer, we can navigate around, make directories, etc. We've got networking commands; we've got the fun ones. We've got arp, we've got route, we could do port forwarding, which we're going to talk about in a later video on how to pivot and use portfwd. We could see the IP addresses if we need to. There are system commands, kind of what we were just doing: ps. We can reboot it, we can do a shell, which I'll show you here in a second. We can do key scanning, we can basically do keylogging, we can take a screenshot, we can look at the webcam, we can record the microphone, we could take a picture with the webcam, we can watch the video stream from the webcam. So when you have those little webcam covers, this is a big reason why you have those webcam covers. We've got elevate commands here: getsystem. This is one of the first things that I try if I have a low session, and getsystem actually works on this one. If you're brought into a session as the administrator, not SYSTEM, if you just type in getsystem and hit enter, you will actually get SYSTEM. Now hashdump is one of the most important commands that you need to know. It's not going to work for us in this situation. I can show you, as Rory said I have no balls, but hashdump
is not going to work in this situation because I have a 32-bit architecture Meterpreter shell and we are on a 64-bit machine. So until I migrate that session over, none of these things are really going to work that well. So I'm going to show you everything conceptually and we're going to go ahead and just kind of look around. One of the first things that I look for, and what I try to do right away, is load up a tool called Incognito. All you have to do is type load incognito, and if you want to see the Incognito commands you just type help. It brings it down at the bottom; the last loaded module will show you exactly all the commands that it has. So what we're about to do is called token impersonation, so let's talk about token impersonation. You have these things called tokens, and basically they're just a temporary key, right? It allows you to get in and out of systems and networks without having to use your credentials. So what we can do is replay those tokens and try to gain access to an account. There are going to be two types of tokens that we're going to see: delegate tokens and impersonate tokens. The delegate tokens are for the type of logins where you actually physically log in to the machine, like we did with the administrator account, or if you do RDP or something like that. The impersonate tokens are when you're using a network drive or you've got scripts running or something like that. So it's basically hands-on interacting versus not interacting. What we can do here is list the tokens, so we'll do list_tokens, and then it'll want an option here. If you just hit enter it'll ask for an option; we can either do by group name or by username. I like to do by group, or by user, I'm sorry, because by group will throw in quite a bit of information for us. So let's look at user first. However, it is possible to look through the group
information and see if we have a member of Domain Admins, for example, that we can impersonate. If you look through here, we'd be looking for, let's see, from marvel. So marvel Domain Admins does belong to one of these users that's sitting in here; we know it's marvel\administrator. Okay, so again we say getuid and you see right now that we are NT AUTHORITY\SYSTEM. All we say is impersonate_token, you can hit tab, and then we're going to impersonate the token of marvel, and there is escaping, so we have to do two of these slashes here, and then we'll just say administrator. Okay, and it says delegation token available. Remember it's a delegation token because we were logging in as the administrator, and it wasn't an impersonate token because we were not doing something like a network drive or a script. We physically logged in with the administrator; that token is sitting on that computer until the computer is rebooted. So now we have impersonated the administrator. We could say getuid and it thinks we are the administrator. We could type in shell and now we're at a command prompt. We say whoami and it says you're marvel\administrator. So every command that I run from this point on looks like I am marvel\administrator. I am doing impersonation here. Basically this is a path to domain admin; we have accomplished that. We've stolen a domain admin account and we can start getting malicious with it if we want. We can change the password; you wouldn't probably do that on an assessment unless you have the permission to do it. You can try to run net commands and see. Now a good environment, and they're starting to do this now, would prevent net commands that affect the domain from being run outside of a domain controller. So we can try to run something like net group to see all the domain admins, and you can see "this command can only be used on a Windows domain controller". That's a good feature. Sometimes we can sit here and we can just
add a new user to Domain Admins and use that with a password that we know, because at this point we don't know the password for marvel\administrator; we just know that we are marvel\administrator right now. So we can make an account, if the net commands were available, and create a new domain admin account with a password that we know, and then just go log in to the domain controller and plant a flag there as well. So this is a very, very nifty feature to know. Let's take a look at some other things though while we're in Meterpreter; I do want to show you some things. We're going to hit Ctrl+C and terminate this. I need a drink because I've been rambling on. Now there are a couple of other tools that we can load in. Actually, if we type in load and we just hit tab twice, you can see all the other things here that we can load in: we can load in powershell, python, mimikatz, kiwi, and I encourage you to go into a Meterpreter shell, load all these, and figure out what they all do. When we're on a 64-bit architecture we can load kiwi. Now we are not on a 64-bit shell, so you're going to see it says loaded x86 kiwi on x64 architecture, so this is not going to actually work. If we look at it here, we can say help, and one of my favorite commands for kiwi is just to dump the creds. Right here on the top we say creds_all. Running as SYSTEM? Okay, so we're still running as the domain administrator. We could do rev2self and that should get us back to SYSTEM; this reverts back to who we were to begin with. Okay, now we can try creds_all and you're going to see that it doesn't dump anything. It's not going to dump anything because we're not running in the right architecture, but do take a look at what is dumpable in here, right? Kerberos, you've got WDigest, you can do golden ticket attacks, which we're not going to get to in this course, but this is another common one; if there's a top 10, golden tickets are probably in the top ten. We've got Wi-Fi profile list and credentials. The LSA
sometimes has useful information in it, so these are good to look at. Now for a 32-bit system and a 32-bit shell we could load mimikatz, and you can see that it doesn't like that we're running on a newer system; this is typically for older systems. We could say help again, but we can start just typing in things like kerberos. Okay, well, we didn't get anything really useful out of here, and again it plays into the issue that we're having. So now that I've shown you everything, once I get everything shown to you I'll go back in and try to migrate to a process, and if we fail the computer, we fail the computer. Okay, so from here, one thing that we can do that's useful as well is background, right? I showed you that earlier by just doing it on my own. We just type background and background this into a session. If you notice, now it puts us back into a Metasploit area so we can pick modules. That session is still running; if we type in sessions it's still running in the background, and what we can do with it is use that session in other places. One of my favorite things to do on, like, Hack The Box or capture the flag is to use a tool called the local exploit suggester, and that is a post command, meaning we have already exploited, so this is after the fact. We can search for that, but I'll just type it out here: we say use post/multi/recon/local_exploit_suggester, like that. Okay, and then we'll just type in options and you're going to see that it asks for a session, and that's all it needs. Now I don't know if this is actually going to work because of the mismatch we have, but I do want to show it to you. So let's just say set session 1 and I'll run it, and now it's collecting local exploits for x86 Windows. That's really not the case, right, because we have 64-bit Windows, so this may give us some false positives here. But what it does is it collects everything that may be an exploit, and this
leads to an easy win a lot of times, like I said, on capture the flag, or even if you're in a situation where you're not able to escalate to SYSTEM for whatever reason in your environment. What you can do is, it suggested two different situations here, right? So we can try to run this exploit against the session. This one here, it says it thinks it's vulnerable, can't validate it, and this one says it appears to be vulnerable. So we would just say use exploit/windows/... and we'd set the session again and try to run it. Now I'm going to go ahead and take a peek here and see if we can't migrate this session. So sessions 1, and then let's take a ps again. You want to pick a number, Rory? You feeling like you're going to win the lottery here? We've got svchost on 728. I'll let you pick, buddy; this is Rory's choice. Give me a number. 1076? We're picking 1076. All right, here we go, for all the marbles, people. It's either going to make or break our shell. He did it! He did it, guys, look at that. Always trust Rory with your process migrations. Beautiful, beautiful, sir; today you win the internet. All right, sysinfo. Now you see we are on an x64 Meterpreter with an x64 architecture. Now we can do some fun stuff like hashdump. Oh, look what we just did: we dumped all the hashes. So we have a local administrator account that is there by default, right? This comes by default; we actually never set a password or set that up, I don't believe, because we went in and we set up Frank originally. These are all local accounts; these are not tied to Active Directory. But we have hashes here, so we can take these hashes and try to capture them; we can also take these hashes and try to pass them around the network, and we can use something like CrackMapExec to do that, and I'll show you how to do that. But let me tell you a situation where this comes in handy. Now think about an environment, and this has happened to me many times, think about an
environment where they have a lot of computers and they take the same image for every computer and they use it, right? They image all their computers with the same base image. Well, that same base image is going to have the same administrator account, so I don't even have to know an Active Directory account to log into that computer. I'm sitting here logging in as SYSTEM to every computer in that network. It's only going to be a matter of time before I get credentials, or I do token impersonation, or I find something in a file that I shouldn't be seeing, or I get onto an IT account and get all the passwords. So this is a win a lot of the times. There are two different ways that we can do this. Basically, we could use CrackMapExec. Let's go back up here; if we hit tab up we'll delete marvel, and I don't know if this is going to work, so let's try it though. Let's capture this hash here. You'll start from the A's and bring it all the way over, just like that, paste. I'm going to keep the quotes around it; we may need to remove the quotes. It might not recognize it as a hash. It doesn't look like it's recognizing it, and again I wasn't getting these working, but this is the methodology that you would use to try to log in. See, we try to pass this hash around and you don't even need to know the password to do this, right? Hey, thanks Eric, I really appreciate that. So another method, if we background here, is we can actually use psexec as well. What we would do is say use exploit/windows/smb/psexec again, like this. Let's look at our options. Okay, we'll keep the machine because this is the machine we attacked, we'll say admin or whatever here, but let's say unset SMBDomain. And somebody said to use that -H; you are absolutely correct, I completely forgot to do that, so one second. That could be the whole issue entirely. Thank you, Solo. I messed up my syntax. See if it works. Still not getting it. I don't know if this account is active; it would probably be better
to try it with the Frank account. We can try with the Frank account; let's grab Frank instead of administrator and let's actually just point it right at 134. See if it works. Not getting a response. All right, let's try sweeping the network again one more time with it. It's not responding on 134, and that's okay; it could be that it's actually connecting and it's having issues. So let's just kill that. But that's one method right there to pass that hash around. The other method is with psexec. So we're in here, right? I unset the SMBDomain because we're going to take that off. Let's set the SMBUser to frank and then let's set the SMBPass as that hash there, and try running this. Yeah, we're getting host unreachable. We may have lost the connection. That's a rip, just when we were getting our mojo. That's okay, we'll reboot. It may have fallen asleep, and, yeah, it paused itself. These machines, man, I don't have my settings right, so the machine paused itself. All right, let's try it again. See, we lost our shell there as well. Oops, okay, it's back to life. Let's try CrackMapExec one more time against 134. Still got a login failure, and we could try with psexec as well now that it's up. Access denied here; we could try setting the target to something else. So it's connecting, but it's not able to execute. A question was asked: did we disable Windows Defender or anything else? We created a scans folder and made the user domain admin, but I think you're already past that if you're on the Windows Defender. What's up, Sick in the Mind. All right, everybody, so this is just a lesson. I'm going to pause it here because we're already at 9:06.
This is a lesson, and what you need to take away from it is what happens with credentials from LLMNR poisoning: we can do these psexec attacks, we can do token impersonation, we can do pass the hash. We don't even have to have the hash or the account cracked; we can pass the hash of what we gather for local accounts, and we can take the accounts with CrackMapExec as well and pass them around with the cracked password and see where we can log into SMB. The majority of the time, bad passwords along with SMB are going to be the easiest way you're getting around a network and getting your win. If you have long, complex passwords and you don't have SMB in your network, you're going to make it a lot harder on us as pen testers. With that being said, many of you are asking about NTLM relay. That is going to be the next thing we're going to cover, and then we're going to call it a night. So let's go ahead and do that now. We're going to have to do some setup. I've got a 2016 server running, we've got Windows 10 running here, and am I missing a 10 machine? I've got, let's see which one this is. This is marvel\administrator, okay, this is the other one. So, Windows 10 machine, we are logged in, and who are we? Okay, so yes, this is the right one. So we've got another computer here; this is going to be Spider-Man's computer. We've got Peter Parker; I've just created a local account at this point for Peter. What we're going to do is set up a relay attack. A relay attack is where we are capturing the LLMNR hashes and, instead of taking them offline and cracking them, we're actually going to relay them to another machine and try to get information off of it. So here's what we're going to do. First things first, we need to go on to the Windows server, so let's get there. Let's log in as the administrator. I've got all this open; I'm just going to close it out, we're going to redo it all. Okay, so what we're going to do is we're going to
come in here and we're going to start typing gpmc.msc. I'll give you a second to catch up if you need to. Okay, let's click on that. From here you're going to see Default Domain Policy; we're going to right-click on that and select Edit. From here we're going to be under Computer Configuration, and we're going to say Policies, and then we're going to click on Windows Settings. We're going to come down near the bottom and select Security Settings, okay, and then we are going to select Local Settings, Local Policies, I apologize, right up here, and then Security Options. So if you need that again: we are in Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, Security Options. Now you're going to scroll down until you see Microsoft network client, actually, and you're going to see here it says Digitally sign communications (always) and also (if server agrees). I just disabled both of those. So you come into here and you say, hey, sign the communications? No, let's not do that, we're bad admins, right? So we're going to say Disabled and we're going to hit OK. We're going to also do the same for "if server agrees": just say Define this policy setting, Disabled, say OK. You may need to reboot your machines or do a gpupdate to actually push this policy. By default I believe it's actually off; I'm just enabling this here, but for the purpose of keeping up with you guys I'm just going to reboot both my domain controller and the machines that we need to complete the attack. So let's go ahead and just reboot. Thanks guys, I am the best domain admin. We're going to reboot here as well, make sure it picks up the policy. Oh, it wants us to update and restart. Jerks, man, jerks. Let's reboot here. All right, before we reboot this machine we've got a couple things I'd like you to do. What we're going to do is right-click, we're going to go into the system here. I like to rename the PC. What's up, Techno Bro. We're going to name it Spider-Man because it is
Spider-Man's computer. We'll restart later. We're also going to need to join the domain, which, let me pull up the domain server real quick. Log in. His name should be Tom Holland; I don't disagree with you. All right, let's pull the IP off the domain. Okay, it's running at 137. Okay, somebody did message me last week and tell me how to get to the network; I still don't know, so I just type in network, and there's Change adapter options here. Going to right-click on Ethernet0, go to Properties, double-click on IPv4, and we're going to set DNS. So we are going to point it directly at our domain controller, and since all of you homers wanted ones last time and I gave you eights, I'll give you ones this time. All right, now that we've got our DNS set up, we're going to say domain; it's going to say Access work or school. Click on that, click Connect, set up a work or school account. We're going to actually say Join this device to a local Active Directory domain. What's the domain name? Mine is marvel.local. Okay, and, oh, I forgot, I don't have an account for good old Peter here. So let's go into the server; we're going to go to Tools, Active Directory Users and Computers, go to Users. I'm going to right-click on Frank Castle and just say Copy; we're going to take all of his policies. We're just going to call this guy Peter Parker, pparker, first initial last name. ncpa.cpl, thank you, I'll never remember that, but I thank you. Password never expires. We're going to make Peter have the password of Password2.
Finish. Okay, we've got Peter there. Now let's go back here: pparker, Password2, standard account, next, and we're going to go ahead and reboot this computer. Of course, of course we're hit with Windows updates, so let's take this as an opportunity to chat with each other about how awesome Windows is. Somebody said policies included as updates; yeah, that is true. Hey, thanks Anonymous Cheer, happy to see you back. Will I do scammer streams in the future? I don't know what kind of streams I'm going to do in the future, if I'm being honest with you; I don't know where to go from here. All right, we're going to log in as Mr. Parker. Actually, let's just make it easy and log in as the domain administrator; we're going to speed things up a little bit. I actually forgot to put marvel in front of that. It's going to take just a second. If I'm ahead of you guys, let me know. Okay, so for this situation, what we're going to do is make Frank Castle an administrator. We're going to pretend that the account that we're relaying is an administrator, or at least has access to this machine. Now you see that a lot of the times, where there's improper configuration and a user has access. I had this in a recent internal pen test: I cracked a user password and the user happened to have access to, you know, just one server. It was just one server, but that server allowed me to navigate to the domain controller. So you want as limited access as you can, and least privilege, right? What we're going to do though is demonstrate an environment where they're allowing their users to have some administrative privileges on multiple machines, and that's how we're going to be able to do this relay here. So let's go ahead and right-click on this; we're going to go into Computer Management again, and we're going to go into Local Users and Groups. We're going to click on Groups again, double-click Administrators, and we're going to add an administrator here of Frank
Castle, if I can spell it. Okay, and apply that. So now he's part of the local admins. We're going to come in, we're going to go to This PC, we're going to go to the C drive, we're going to right-click and we're going to create a new folder. We're going to call it scans, same thing, no different. We're going to right-click on that, go to Properties, Sharing; we're going to share this sucker. Okay, we've got administrators have read/write, administrators built-in have ownership. Just to make sure we're not missing anything, we're going to give fcastle his own as well, and we're going to give him full read/write, and we're going to share that. So now this is sharing; we should have SMB open on the machine. Do I often see domain admin user accounts separated from IT staff? No. I have seen that one time. It made it a lot more difficult to exploit the environment, but we still ended up doing it. However, they were doing a great job with that. We were able to capture their, like, you know, their base IT accounts, but their domain admin accounts had a really, really long password policy, and it was fantastic to actually see an environment like that, but you don't see that a lot. All right, we're going to go to Kali now and we're going to find Responder again. I think it's in /usr/share/responder; actually, yeah, so mine is in /usr/share/responder. Okay, and we need to make an edit here. What we're going to do is gedit Responder.conf; we're going to edit the configuration here. We need to turn a couple things off. We're not going to be starting an SMB server nor are we going to be starting an HTTP server, so make sure again SMB, oops, SMB is off and HTTP is set to off. Okay, we're going to save that. Now we're going to fire up Responder, and that looks something like python Responder.py -I eth0 -rdw. Okay. The firewall should not need to be off for psexec. So, okay, here we are. Now let's talk about the situation again. We've got the HTTP server off, we've got the SMB server off, we
are sitting here listening for events to happen. Okay, when a hash comes through like it did last time, we're going to use another tool called ntlmrelayx, and we're going to use that to relay the NTLM hash. We never have to crack this hash; we're going to take the hash, pass it to an SMB, and try to gain access that way. This is where SMB signing is important. If you have SMB signing disabled, which is in most environments, this is a killer, right? So what we're going to do here is create a new tab and say locate, and we're just going to find, I don't know where it's at, it's going to be a different folder, ntlmrelayx.py. Okay, it's going to be in the Impacket folder, so we're going to say cd /opt/impacket/examples. Okay, now we're going to fire up ntlmrelayx; we say python ntlmrelayx.py. Actually, I got ahead of myself: we have a target that we need to specify in a text file here. So, ls, I've got a target.txt. If we go in here and we just say cat target.txt, it is 138. I don't know if it's 138, but we're going to have to make a file for it, so give me one second. We say the command ipconfig; it is 138 still. So make sure you have a file with your address for the machine of Peter Parker. Okay, so we're going to say python ntlmrelayx.py -tf target.txt; I like to put in -smb2support. Fire that guy. Now that guy's going to sit there, listen for the NTLM relay, and then it's going to relay it to the machine that you're choosing. Now remember how we did this last week: we're going to fire a hash off to ourselves. Let's go ahead and log in as, actually, Frank, to Frank's machine, and pray that this works. Live demonstrations are always the hardest. Says he can't get to the hackme; that's not good, actually. I wonder if that DNS issue just caused it to relay. It did not; there was poison. Okay, let's try just pointing it, so point it towards your attacker machine. Let's go back to Kali, wherever that is. Am I not on 128? Oh wait, it happened, it did happen
actually in the initial. Okay, so we did relay. We did relay, so if you come in here it takes the connection from 134 and it attacks 138. You can see that MARVEL\fcastle succeeded with authentication; fcastle had access to 138. Now automatically it comes in here and it says, what can we do? Well, it's going to dump the local SAM hashes. Now we have the SAM hash for administrator and for Peter, so we're going to go in and try to log in with this hash on the computer to gain access. We're also going to try to pass these hashes around to see what we can do. We're going to try to take this offline and crack it if we have to, to gain access to the machine. Now this is an example of NTLM relay. My challenge to you, and I said I was going to challenge you to do something: you can take this further. You can actually get a full shell from this doing something called SMB relay, same concept, just a little bit different tool set. So that is my challenge to you: if you're doing this lab and you have successfully relayed, now take it and see if you can get a shell. You're going to have to do some Googling, figure things out, try a little bit harder, you know, whatever the fun lingo is. But that's my challenge now: to try to get a shell off this, either with Meterpreter or with using Empire, and see how far you can get. But this is the proof of concept that we can actually access the machine and dump the local SAM file. So, very, very cool technique to use, especially if you're not getting anywhere with the actual Responder password cracking. So Rory's giving out hints; he says Empire is the thing he uses for this. Yes, Empire is likely the way to go. If you look up most articles on how to do it, Empire is going to be in there; you may find one or two with Meterpreter, but it does not hurt to learn Empire. So that is my challenge, that is it, and this lesson is officially over right at 9:30.
So again, if you guys want to see round three of this, I am happy, happy, happy to do that. Please just upvote on Active and upvote on Blue. We'll do that; it'll probably be half of a week next week, and what we'll do is half of a session and then we'll dive into whatever we're missing. I don't remember what we're missing. We'll probably start into our pivoting lab, where we may cover the legal stuff and do a pivoting lab. Then I've got to figure out how I want to do that. I really do want to do a capstone; we'll see if we can do a capstone, or we'll just do capstone lessons for a couple weeks after the course ends, and that way you guys can get a feel for what my enumeration process is and how I really look through things. So that'll be fun. Somebody's asking, upvote where? You have to have a VIP membership to Hack The Box. I will pull it up one more time. On Hack The Box, if you come into here, you go into Machines and Retired, and then you say find Active. Active is up to 15 votes, thank you guys. Let's check on Blue; Blue is up to nine votes. Look at you guys, you guys are awesome. All right, so it looks like we're going to be doing part three next week. Next week we're going to be covering GPP passwords and cPasswords, next week we'll be covering Kerberoasting, which is super important, and we'll also be talking about MS17-010. So you guys put in the work, I will do it. With that being said, the schedule is going to look something like probably half of the session next week on part three, and if we do a maintaining access, pivoting, cleanup, that's probably only half a session worth of stuff as well. So tentatively we're probably aiming for the 28th being the last stream in the course. If somehow I figure out a way to end it all next week and then we could do a capstone after that, we'll do that as well. And thank you guys for all the kind words coming through, appreciate it. We are in the home stretch. I can retire Blue and Active, Blue and Active. All right, so
your boy is on 30 minutes or three hours of sleep, so I'm going to give you 30 minutes of Q&A tonight. I'm going to cut it a little short, so we'll do a hard stop at 10 o'clock so I can get some sleep. I've got a lot that's been on my mind with this whole new job thing, or new business venture, or everything else, and just really haven't had a lot of time to sleep because I'm just go, go, go lately. So, how entry level does Hack The Box get? It can be fairly entry level for a beginner. If you want my advice, come into the retired boxes first, if you have VIP. If you don't have VIP that's fine, but VIP is worth the 13 bucks, and let me show you. Come into the retired boxes first, because they already have the write-ups, and look for the ones that are rated the easiest, all the greens on the left like this. Granny looks pretty easy; what else, Nibbles looks pretty easy, Poison looks pretty good, it's got some in the middle. But you want to avoid, like, Smasher, right, or Bighead; you want to avoid these ones. But a lot of the times you can click in on something like, let's say, Granny here. Let's click on her, and it does take some time to click through. You get to see some information: how realistic it is, you know, some things about it, if it's more CTF-like as opposed to realistic, how much enumeration you're going to have to do. People give that information out. Now the nice thing is a lot of these boxes come with a PDF write-up. They're not the best write-ups in the world; they're not step-by-step, but they're pretty close. They don't go fully into mindset, but they tell you how to get there. So that's one way of looking at it. You can also, of course, do the IppSec walkthrough, watch those and, you know, take it from there. Another way of seeing how easy a box is, is to check the first blood and see, you know, how long it took somebody to get the root and user accounts. Two and a half hours is not that long; the shorter, if you see the ones that are like five or
six minutes you can guess that's probably a really really easy box uh so the shorter the time frame the the lower the difficulty rating the easier it is okay back to the webcams uh so do you see yourself exploiting windows more than linux when pen testing yes windows 99 of the time so cancel netflix and use the funds for hack the box i don't know if i'd go that far i like my netflix my eyes look bloodshot that's just because i'm high gray that's all i smoked a lot of weed before this that's not true please don't drug test me by using an empire payload i am not using an empire payload you would use an empire payload for uh smb relay or somebody provided the dash e to execute a payload on smb relay x you could in theory set up a meterpreter handler a meta play handler if you know how to do that and run meterpreter exe as well so food for thought but those are the advanced more advanced tactics that i want you to kind of go out and explore for yourself my new job drug testing already i don't have a new job i am my own boss in two weeks hopefully so i won't drug test myself that would just be a waste of funds unless i'm going to charge that to expenses i do need some expenses i was thinking of buying a 2080 ti and just charging it as a business expense you know for for hash cracking purposes not gaming purposes at all hash cracking purposes sugar daddy how was my very first pen test on the job scary man it was scary uh so my very first pen test was an external and that's typically where you start out uh and it's probably the most familiar in terms of methodology for what you're looking for like from uh if you've done the oscp or if you've done a lot of hack the box and externals is where it's uh you know the most like like i said familiar um so you know i had guidance i had somebody to like go and ask questions to but the one thing that i did and i recommend to anybody that's starting out a new job if you have access to them go and read all the previous pen test 
reports that you can and gain information on what people are finding what the common findings are if you have a document that has all the common findings that you've found previously uh that's also very valuable to like just read through and get an idea of some of the things that people are finding and what they're looking for that way when you run your scans and your you know your environment you start navigating around you start seeing things like oh yeah i know that's a finding so the more familiar you are with it the better it is but it really just comes to taking it slow enumerating and also really helps to uh with your first few pen tests if somebody else really is the lead and they do the pen test and then you also do the pen test and you come back and you compare notes uh that's that's another way you can learn because they can say hey let me show you where you missed this or what we're looking for the methodology catching up on questions do you use or send a dropbox to a customer like a pony express uh we send a laptop to customers that phones home to a vpn network as soon as they plug it into their network so we basically just rdp into a cali machine and we have a full cali interface that's sitting on the network so pretty straightforward you have the benchmark on hash cap for that perfect it's 2080 ti this we need this expense what 960 was 500 khs your friend ran in it was 2.9 nice that's dirty that is dirty i've got a 1080 right now and it is it is going to i think it's gonna break i got it um i got it used and i think they knew it was broken like one of the fans is basically anytime i boot a game up that's intense it sounds like it's gonna spin off i've still got the rma which is kind of why i want to go and just buy a 2080 and then when i ship it the rma is like 20 business days so that's a long time without a graphics card because the only other graphics card i have in the house is the 970 and i don't want to back date to that so i'm looking to buy 
it buy the 2080 and just call it a business expense at some point i've ever pen tested citrix environments um one time was it does it affect my methods no i don't think it affected my methods am i quitting uh yeah i'm i'm leaving my job and just starting up my own thing nate you got two [ __ ] cats come on you love those cats don't lie don't lie buddy i don't know what that is a brutalist i should i feel like i should know what that is let's let's google it or send me a link because apparently that's a lot of different things that's cool this tara hash that's actually really cool let me see if i can pull it up doo doo doo thirty two thousand dollars yeah let me just expense that oh okay well the brutalist is only twenty five five i guess that's better yeah fairly reasonable guys i think they're destroying everything at 3am so we're down to one kitten nate and she wakes me up at least five times during the night if not more and it's so hard to be mad at her because like she'll wake me up just to give me love and purr and she's not as destructive but she is uh she's annoying but it's hard when she's just being sweet like she's being as sweet annoying so i don't know how to handle it all she wants to do is cuddle scotch tape on the paws the paws let me grab her hold on hello she was at the door waiting for me she's gotten a lot bigger hi baby hi baby i need pictures nate i know last time you sent me pictures the uh they were looking huge man they were looking really big thanks matt i appreciate that you uh you like my kitty so so was anybody able to follow along with the lab i'm seeing some people say that they uh that they were having issues i just want to see if like if somebody figured out windows defender will re-enable itself that is accurate statement do you offline crack the intum hashes to build word list for future use uh so i'm using the word list already so if i'm cracking them i'm not adding them to the word list so that makes sense because i've already 
got a word list that's finding them unless you're you're talking about storing them yeah that's that's different never mind i misread that that's correct you you store it in your pot file and yeah you would strip out the username so matt if you're getting access denied that's either a incorrect password most likely or a permissions issue how good is hack the box for preparing for oscp um i think the hack the box machines for the most part are harder than the oscp machine so if you're knocking out hack the box at a successful rate you're probably going to destroy the labs in the oscp if you want my opinion you did most of what lab sick in the mind my lab or the oscp or what were we talking about oscp yeah well they've updated the exams because of the the whole cyber sick situation so they're uh probably trying to make it a little tougher which which is good they have a name to uphold right uh but i wish they would improve their labs um a little off topic how did you find the eu opt exam i thought that you upped exam was okay i thought it was semi-challenging it i finished it in two days i had some previous web app experience already so take that into account uh but i the experience was really well like i didn't just find the admin or whatever i needed to do you know right away um the the exploits and everything i need to find took a little bit of time so the fact that i had a hunt for it was really a good thing what will my next adventure be that once i went in your pocket for your followers once zero to heroes over ah i don't know what zero to hero what's after zero hero i need a break so i can definitely stream once a week that's still the goal um but the lesson planning and everything else is killing me because i've got certifications and things that i need to take care of so i've been slacking on that now i can sit here for two or three hours on a wednesday night and cover hack the box or cover topics whatever um pretty much no issue it's it's when i get to 
having to do this lesson plan this lesson plan just for tonight took me like at least 24 hours and that's just working hours so the amount of effort that i'm putting in to this is just that's why i asked you guys to upvote hack the box because hack the box already has a couple of machines that are ready it would literally kill me if i had to do another one like another lab build out for this so uh in terms of in terms of what's next i'm not sure haven't haven't thought that far ahead i'm just trying to trying to get through this one i've not tried wizard labs what's my day job my day job is a penetration tester for the next 13 days i don't know my last day is the next the next uh nine days sorry mtx you asked me the same question three times now we are having a maintaining access pivoting and cleanup lesson do you remember do you remember this lady mtx remember where it says maintaining access pivoting and cleanup plus the legal stuff i'm not skipping anything we are we are ending the course at the end of at the end of may so i will make sure that i finish this out completely through what i what i said i was gonna do it will be done hey thanks paul i appreciate that and thanks mike yeah i i agree it's it's a fine line to teach what i'm what i'm learning um without duplicating the material so that would also go into lesson planning and doing a lot of that it just depends on on the time frame for that so uh somebody asked sorry there's a lot of questions coming through how do i plan on finding contracts or clients so um my first client is going to be my old job because they they need me and i kind of still need them so that's good i'll have work there obviously it's not going to be at the bill rate that i want to bill moving forward but it's going to be some steady income to stay afloat and get revenue under my belt right as a as a llc or actually as a incorporation but um in terms of finding clients it's going to be seo it's going to be you know hopefully using some 
of my name recognition and and driving clients to me there have been recently in the past few weeks clients coming to my company because of me and they want pentest from me so that has been a part of motivating factor as well it's just that like if i'm driving people like that i'm you know my brand's working so i definitely need to just work on a good website which i have in the works get a good blog going good seo and just try to drive clients organically you know referrals word of mouth etc so i've got i've got plans to get clients and it's just gonna be it's a slow grind i'm gonna have to to you know do some things on the side to make extra money uh until i can get that steady steady revenue so i don't expect to break even for some time so american dad or family guy that is a really really tough question so i don't know i i like both i think american dad's more consistent i think family guys kind of tapered off towards the end but american dad's been more watchable lately um i run through the american dab when i go to sleep i pretty much leave it on so uh so i looked at errors and emissions i have not purchased it yet it was as low as 60 bucks i still have to figure out 60 bucks a month i still have to figure out what i want like how much i want um for now i have to you know just decide uh what it's worth but i was gonna wait till i got my first client i didn't expect to have one as soon as i have uh so i don't know i don't know exactly what i'm gonna hold i still got a little bit of research to do that that was one of the things i was procrastinating a tad i do have a spreadsheet of everything where i've mapped out you know what i would need to make to break even and it's it's quite a bit more than what you make now because you don't realize all the extra little benefits that add up and the social security taxes that add up and just these these little details so uh no if you if you want my email for that that's my email the website is not up just just as a for 
a warning if you go to that website right now it's just some some random image i put put on there and it's pretty terrible so i got the logo done the website mockup is done we're really really close uh in terms of in terms of having that up and running so i'm probably one or two days away from having the website fully up so i've got a mutual nda like a a basic basic nda set up i don't have it i haven't passed it through legal yet yeah be cool i appreciate that yeah i've got like generic ideas of what i want to do for for the documents i just haven't gotten as far as writing them all out yet that's really what i i didn't intend to start until until june so i've got a little bit of leeway um really it's just been mapping all these things out and purchasing stuff so get good liability insurance yeah i'm gonna have to ah let's see yeah that sounds good brent i appreciate that so for any of you i will share this i'm going to share this anyway i do plan on making this into a video or something at some point um so if you're if you're considering starting a company you have to take some things into consideration and let me go to screen only so these are some of the finances that i was starting to work through um so basically what funds do you have right uh so i've got you know 81 in the cash in the bank 11 in cash savings uh my monthly expenses are around three grand but i added another grand because you never know um so about four grand in expenses i've got about five months till i'm broke if i earn no nothing else five months time broke if i don't want to go broke i have backup funds of a credit card at 4 interest that's 22k and again a 35k credit card that's at 24 interest uh so if you take a look at some of the things that you have to consider i was making a base salary of 1400 they were also giving me 1500 or 4 140 k they're giving me a tech fee of 1500 a year bring your own device of 1200. 
uh the 401k match was 5600 uh health insurances were another 1440 liability insurance was 720 and then the big whopper is the social security match now this health insurance number is low it was the cost differential here that that is me going on my wife's insurance versus what i was paying already if i was going on my own insurance it would this would be a lot freaking higher um so there's a little bit there i do have the errors and emissions down here as what i need to um add into this situation with insurances i've got liability already but it's probably a little bit more so yearly business expenses i got the nessus license the business license the website cost email my utilities mileage depreciation phone they're actually all in my monthly expenses so i've got those yearlies around 3k for now until i start accounting for those and then sunk cost i paid a grand for my website 276 for registration this is actually increased a little bit because there's some more uh what did i buy i bought a website design court filing i bought email which i have in there a logo i bought uh adobe systems is a monthly fee i bought business cards so it starts adding up that i haven't added in here um and then we've got break even revenue so somewhere around 165 it's probably closer to 170 and then i've got weeks to break even meaning weeks meaning 40 hours of work at my bill rate so if i charge 300 bucks an hour about 14 weeks if i charge 250 an hour about 16 and a half weeks uh so these are the kind of things that you like really need to think about financially and where you're at uh do you have the money to do it are you gonna go broke uh what kind of money do you need to earn just to stay afloat and even though you're making you know like i'm what i'm making doesn't mean it's just stops there it's somewhere really equivalent closer on the 170 side so you have to account your your total overall income um into these things as well so food for thought for those of you looking to get 
into this there's a lot of a lot of things going on behind the scenes hey thanks nabs i appreciate it i am not in california i am in north carolina very very far away i was the side of the country thanks vita i appreciate it i guess another thing i should add in there too as a note like hardware cost i haven't included hardware costs at some point i'm going to have to purchase a laptop that i'm going to be able to send off to clients if i want to do remote work i'm going to have to spin up a vpn does that going to require a server probably how am i going to run that it's probably going to require a firewall as well so i don't have that uh marketing costs i'm gonna have to advertise i'm gonna have to um i'm gonna have to purchase ads like google ad space etc so this number again is definitely probably even closer to 175 so yeah policy as well accounting costs you forget who was an accountant though i was an accountant i got a lot of this a lot of this information down but i absolutely will take it to an accountant so plus there's quarterly filings that i have to do uh there's there's a lot behind the scenes and some places have um some states i haven't checked the policy in north carolina yet some states require you to file a uh a minimum or that you have to pay a minimum tax even if you take a loss so i think like a minimum might be like 800. get off the desk yeah air is in the mission it's basically your cover your ass insurance so ama time is technically actually over my heart stop was at 10. 
you guys got me rambling a little bit and i got kitty pictures that came in what all right nate you can't send me pictures that you've already sent me it doesn't work like that my friend yeah thanks guys any last question i will take one more question if i checked out any other boutiques to reference no i need to um i'm working on putting together my business plan in terms of uh competitors so i got to figure out what their pricing is which is kind of hard to figure out i think but um that's definitely a goal of mine and thank you skyfall and i appreciate the sub yeah i'm tired i'm super tired yeah 250 an hour is pretty reasonable so i will tell you that we charge over 300 in some cases way more than that but in the beginning i don't expect to have a very high bill rate i've never taken spectre ops training sorry man i've heard good things about them nothing but good things about them so but i am seven minutes past my deadline you guys got me on a tangent i really enjoy talking to you but i am so tired so i will catch everybody on the flip side we will have 80 version three next week so look forward to that uh look forward to wrapping up the course by the end of the month we're two weeks out guys so congratulations for making it this far love you too grannies love you too bye guys
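The potfile answer above (keep cracked results in the hashcat potfile, strip the username before reusing them) is the one technical procedure in this Q&A, so here is an added Python example that is not code from the stream, from hashcat, or from Hack The Box. It parses hashcat's `hash:plaintext` record format, handles the NetNTLMv2 (mode 5600) case where the hash field itself contains colons and a `USER::DOMAIN` prefix, and builds a word list that keeps only plaintexts, so the stored list cannot be mapped back to accounts. The sample potfile lines are constructed: the NetNTLMv2 usernames, domain, challenges and responses are invented, while the two bare NTLM hashes are the well-known hashes of the empty string and of `password`.

```python
"""Added example: extract reusable plaintexts from a hashcat potfile without keeping usernames.

Hashcat appends one record per crack as `<hash>:<plaintext>`. For NetNTLMv2 (-m 5600)
the hash field is `USER::DOMAIN:serverchallenge:NTProofStr:blob`, so a naive split on
the first colon would leak the username into any word list built from the file.
"""
from collections import Counter

# Constructed sample potfile. NetNTLMv2 lines are invented (fake users, domain, challenges);
# the two NTLM lines are the public hashes of '' and 'password'.
SAMPLE_POTFILE = """\
fcontreras::MARVEL:1122334455667788:aa11bb22cc33dd44ee55ff6600112233:0101000000000000:Password1!
pparker::MARVEL:8877665544332211:ee55ff66aa77bb88cc99dd00ee11ff22:0101000000000000:Winter2019
31d6cfe0d16ae931b73c59d7e0c089c0:
8846f7eaee8fb117ad06bdd830b7586c:password
fcontreras::MARVEL:99aabbccddeeff00:00112233445566778899aabbccddeeff:0101000000000000:Password1!
"""


def parse_potfile_line(line):
    """Split one potfile record into (hash_field, plaintext).

    The plaintext follows the LAST colon, because NetNTLMv2 hash fields contain colons
    themselves. Returns None for blank or colon-less lines. (Hashcat stores plaintexts
    that themselves contain ':' as $HEX[...]; those pass through here unchanged.)
    """
    line = line.rstrip("\r\n")
    if ":" not in line:
        return None
    hash_field, _, plaintext = line.rpartition(":")
    return hash_field, plaintext


def username_of(hash_field):
    """Username embedded in a NetNTLMv2 hash field ('USER::DOMAIN:...'); None for bare NTLM."""
    if "::" in hash_field:
        return hash_field.split("::", 1)[0]
    return None


def build_wordlist(potfile_text):
    """Unique, non-empty plaintexts, most frequently cracked first.

    Usernames are deliberately dropped so the retained list carries no account mapping.
    """
    counts = Counter()
    for line in potfile_text.splitlines():
        parsed = parse_potfile_line(line)
        if parsed is None:
            continue
        _, plaintext = parsed
        if plaintext:  # the empty-password NTLM hash cracks to '' and adds nothing
            counts[plaintext] += 1
    return [pw for pw, _ in counts.most_common()]


def accounts_seen(potfile_text):
    """Sorted usernames present in the potfile: what build_wordlist() throws away."""
    users = set()
    for line in potfile_text.splitlines():
        parsed = parse_potfile_line(line)
        if parsed:
            user = username_of(parsed[0])
            if user:
                users.add(user)
    return sorted(users)


if __name__ == "__main__":
    print("dropped accounts:", ", ".join(accounts_seen(SAMPLE_POTFILE)))
    for pw in build_wordlist(SAMPLE_POTFILE):
        print(pw)
```

Point it at a real `hashcat.potfile` by reading the file into `build_wordlist()`; the username-free output is what belongs in a reusable word list, while the original potfile stays with the engagement data it came from.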

Original Description

Zero to Hero:
0:00 - Welcome
2:00 - Week overview and additional AD resources
22:52 - Additional lab buildout
32:50 - Loading Metasploit's psexec
34:00 - Sidetrack -- Using CrackMapExec
38:10 - Getting a shell with psexec
41:10 - Fun with Meterpreter pt 1
47:25 - Token Impersonation with Incognito
52:33 - Fun with Meterpreter pt 2
1:01:10 - Pass the hash techniques
1:07:15 - NTLM relay and lab setup

Q&A / AMA:
1:31:47 - How entry level does HTB get?
1:34:00 - Do you see yourself exploiting Windows more than Linux when pentesting?
1:34:57 - Did you use an Empire payload?
1:35:15 - Business adventures
1:36:17 - How was your first pentest on the job?
1:38:04 - Do you send dropboxes to customers?
1:38:30 - Discussing graphics cards
1:39:45 - Citrix pentesting
1:40:40 - Graphics cards part 2
1:42:20 - Discussing cats!
1:45:30 - Do you store cracked passwords for later use?
1:46:40 - How does HTB prepare for the OSCP
1:48:00 - Thoughts on eWPT?
1:49:00 - What's after Zero to Hero?
1:50:25 - What is your day job?
1:50:45 - What's next in the course?
1:52:25 - How do you plan on finding clients?
1:54:10 - Family guy or American Dad?
1:54:40 - Errors and Omissions insurance / business talk
2:07:32 - What do you think of spectreops training?

Readings:
https://medium.com/@adam.toscher/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa
https://adsecurity.org/
https://blog.harmj0y.net/
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
https://www.fuzzysecurity.com/tutorials/16.html

Courses:
https://www.elearnsecurity.com/course/penetration_testing_extreme/
https://www.pentesteracademy.com/course?id=47
https://www.pentesteracademy.com/course?id=44
https://www.hackthebox.eu

ISOs:
https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2016
https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise


This video teaches various cybersecurity techniques and tools, including NTLM Relay, Token Impersonation, and Pass the Hash, using Metasploit and other tools. It's essential for beginners in cybersecurity and pentesting.

Key Takeaways
  1. Load Metasploit's psexec
  2. Use CrackMapExec for pentesting
  3. Get a shell with psexec
  4. Perform Token Impersonation with Incognito
  5. Use Meterpreter for fun
💡 NTLM Relay and Token Impersonation are powerful techniques for exploiting Windows vulnerabilities.
