Zero to Hero: Week 8 - Building an AD Lab, LLMNR Poisoning, and NTLMv2 Cracking with Hashcat

The Cyber Mentor · Beginner · 🔐 Cybersecurity · 7y ago

Key Takeaways

The video walks through building an Active Directory lab (a Windows Server 2016 domain controller and a Windows 10 Enterprise client joined to it), then exploits that lab with LLMNR poisoning and NTLMv2 hash cracking using Hashcat. The speaker uses VMware Workstation Pro to run the VMs and Responder and Hashcat to capture and crack the hashes in the lab environment.

Full Transcript

Kevin's here, I see Matt's here, I see Scott's here, see Eric's here. How's it going everybody? Hey Girl, hey my people, how you doing Matt, how you doing Scott? Hungry, you got to eat before these things, man. What's up cool dad, what's up cool two people. Scott's tired, Scott's old, Scott's always tired. Give it one more minute, let the people trickle in, then we'll roll into this. It's stream time. Hey Reckless, finished project last night, at least the project's done, half glass full on that one. There will be no Bitcoin exploitation attempts, but you can do that and then write a blog on it and see if you go to prison too. Do a hacking course? I don't do hacking courses, come on, who am I? All right guys, no more stalling, let's go ahead and get to the PowerPoint, our favorite part of the day. What's up Brewery. Oh okay, there we go, didn't look like it wanted to work. It's not week seven, it's week eight. You can tell that I definitely didn't put a lot of effort into this PowerPoint, as you'll see there's only three or four slides. Welcome to week eight of Zero to Hero.

So today's agenda: I've got a little bit of housekeeping, very very quick housekeeping, we're gonna build an Active Directory lab, we're gonna do a little bit of AD exploitation tonight, and then we're gonna do our AMA like always. Thank you NotSoPro for the sub, I appreciate that. All right, housekeeping: tomorrow night 8 o'clock Eastern, that's the same time this is starting, your favorite person Joe will be back, Rory will be back, he will be teaching us exploit development part two. So we're gonna be doing more assembly, focusing on system calls, he's gonna be doing hello world in ASM, he's going to be doing some egg hunting and a little bit more. So if you are behind on the series for exploit development, go to the YouTube channel and check that out, do some catch up before tomorrow night. It should be a good stream, you guys liked him last time a lot and he wanted to come back and you guys want him back, so Joe will be here. Other news, and I'm going to repeat this on every stream leading up because you people will forget: no stream on Wednesday May 29th. So the goal right now is to have this course finished maybe by the end of this month. I haven't figured it out; we're gonna spend three weeks on Active Directory, I think, maybe two weeks, and what we're gonna do is on Wednesday the 29th I'm gonna be out of town, so we may do a double stream Monday and Tuesday of that week and wrap up the course. That way we can knock it out by the end of May and then in June we'll start fresh with something new. I don't have everything planned out yet, but hopefully we can get it all done, we can say we went zero to hero and wrap up the course. So that's the goal for now, that may change, but do note again: no stream Wednesday May 29th. We don't need this slide yet, that is for later.

All right, so I sent out homework to you guys. The homework was to just download a couple of ISOs. ISO number one is this Windows Server 2016; I'm gonna copy this and paste this in the chat if you don't already have it, if you're not on the mailing list. Also Windows 10 Enterprise. And all you need to do is, if you're watching this at a later time on a recorded video, come into this area here for Windows Server 2016, it's an evaluation of 180 days, so that's perfect for our lab. Just click ISO, hit continue, and then you enter in some information, first name, last name, company name etc., hit continue. They may or may not send you an email, really doesn't matter, it'll automatically download the ISO, so you can put in fake information if you'd like. Same thing goes for the Windows 10 Enterprise: you're gonna say ISO Enterprise, you're gonna continue on that and download it. So in a perfect world where we already have sent out the homework, we're gonna say that that's already done and we're gonna just get started right away into installing these ISOs. Now I could have had you install these yourselves, but there's a few, I'd say two actually, quirks about this that we need to note in order to get it installed. So let's go ahead and just take a look at that now.

Tonight I'm gonna be using my VMware Pro, and I'm gonna say a couple of caveats about what we're getting into in this course. That is that everything we're doing, we're gonna be running three VMs at once. If you do not have a lot of RAM or you don't have a super-fast computer this is going to be very slow for you, so make sure that you keep the settings at two gigabytes of RAM and just let things run. It's even a little slow for me because I don't want to stream, run three VMs and keep my fingers crossed whether that's gonna work or not. So we're gonna build this out together. It may be hard to follow along if you don't have a super-fast computer; if you don't, just watch the stream, sit back, enjoy yourself and learn, you know, learn some lessons on how you would set up Active Directory, and we're gonna cover the first part of the exploitation tonight with the LLMNR poisoning.

So sitting in Workstation 15 Pro I'm gonna hit create new machine. If you have just the regular Workstation, the Workstation Player, you're just gonna have to create a new machine, open another Workstation Player, create a new machine again, and have all three running. If you've been doing that already with the previous lessons when we did Kioptrix, you should kind of have a little bit of a hint on how to do this. So we'll create the new machine and it's gonna say what kind of configuration do you want, and we're gonna say typical. And then I've already installed this once before, so it's gonna say hey, where do we want to grab that ISO. I'm grabbing the datacenter ISO first, so we're gonna install Server 2016 first, we're gonna hit next. Now it's gonna ask you for a product key; we're not going to put one in because this is a test ISO, so we're gonna say Windows Server 2016 Standard Core. You can have your name, you don't have to put a password in here, and just hit next. It's gonna say you didn't enter a product key, yes we want to continue. Okay, it's gonna try to put it in my Users\Documents\Virtual Machines. If you've got space... I don't have a ton of space on my SSD, so I've got some other SSDs that I'm gonna put this on to, so I've already made a little directory for it. I'm just gonna copy and paste, put this under WinServer, hit next. Okay, maximum size 60 gigabytes is what I'm selecting; you could select less, I just leave it at default, because what we're gonna do is we're gonna do something called splitting the virtual disk, meaning that we're only going to take up the amount of space that we need to, up to 60 gigabytes. You could also store it as a single file and that will take up the full 60 gigabytes, but this allows for expansion and doesn't take up the full size, I believe. So what we're gonna do is just hit next on this, and then we are going to make sure, by default I believe power on this virtual machine is checked, make sure it is unchecked and hit finish.

All right, so now we're at the screen Windows Server 2016, let's go ahead and just hit edit virtual machine settings. What happens is they use this autoinst floppy file for whatever reason, so it's got this floppy device here using this autoinst; we're gonna remove that because that causes a lot of issues on install, it's looking for a license and we don't have a license because we're just demoing this out. So let's go ahead and remove that and then we'll hit power on this machine, and get your fingers ready because you're gonna have to hit a key to continue, or else it'll go through the boot menu, try to PXE boot, I don't know why that's the default boot method, so make sure that you are booting into this first. So if you've ever installed Windows before this is probably boring for you, I apologize in advance. We're gonna hit next and hit install now and we'll let this run. Okay, we'll do a little bit of multitasking and I'm gonna come out of full screen here. Actually let this go into standard; we're gonna go Standard Evaluation (Desktop Experience) because this gives us a GUI, so make sure you click the Desktop Experience and hit next, and once we get the actual install running we'll go ahead and move over to the Windows 10. Okay, accept your terms, sell your baby, whatever it is that we do. We're gonna select Custom: Install Windows only (advanced), we're gonna hit this little new button down here, it's gonna partition for us, just hit apply, say okay. Thanks for the sub FloodSec, I appreciate that. And we're gonna hit next. Okay, so let's let this install, this will take a few minutes, not too long.

While this is installing we're going to multitask just a little bit, we're going to create another virtual machine. Again we're gonna say typical, and I've got this copied for the other ISO, so select your Windows 10 ISO and it should come up, same thing, Windows 10 Enterprise, hit next, hit enter. Again I have a server for this, or a folder for this I should say, hit next on this guy. Same thing, 60 gigabyte file, I'm gonna hit next again. We're not gonna power on the virtual machine after creation because, same thing here, it tries to install that floppy disk. And you can see things are starting to run a little bit slower and that's okay, we've got time. So let's go ahead and remove this floppy, just again hit OK, and we're also gonna power this guy on, get our fingers ready, hit a key there to get it running, close out of this. Okay, your Windows setup will automatically restart. We're gonna try to multitask to just speed this up a little bit. Tonight I've only got one lesson planned, so if we finish early we finish early, everybody gets to go to bed sooner or stay up and party, whatever your prerogative is. So on the Windows 10 side, gonna go ahead and hit next, install now. MTX was complaining to me earlier that this was going to be boring and he wasn't going to be here to enjoy this, but look, he showed up. The basics are important. You've been up since 4:30 Jeff, you live in that Air Force life my friend. All right, if your Windows setup's ready, accept the license terms, hit next, custom install again, new on the bottom, it's the same concept, it's gonna create additional partitions for us cuz it's nice like that, it's gonna run through the same installation the server did.

All right, so customize settings. It's asking for a password; I'm going to be making my password the insecure password. It has to have some uniqueness to it and I'll type this into the chat in a second, but it's capital P, at, dollar, dollar, lowercase w, zero, r, d, exclamation. Hit enter. So if you want my password, if you want to use that that's fine, if you want to use your own password do whatever, but for this instance we're using P@$$w0rd! as I just sent to chat. All right, send Ctrl+Alt+Delete, we're gonna log in as the administrator. Let's let that build a profile here, it shouldn't take that long. Windows 10 is gonna be the one that's gonna be fun because it restarts and then Cortana starts talking, and we all know how we feel about Cortana. Do we want to be discoverable? Sure, we'll be discoverable. So we're gonna have to reboot most likely, yeah, in order to actually get the full screen on this, that's fine. Okay, this is still installing. All right, so we're gonna rename this server here in a second and do some settings and then we should be good to go. So I right-click on the little Windows icon and I go to System, and we're gonna change the name up here. I'm gonna say change settings and then just rename this computer, change domain/workgroup, click Change; we're just renaming the computer right now. So I came up with a theme for this. The theme I'm gonna be using is the Marvel Universe, so we're gonna be calling the domain controller HYDRA since they're a bunch of evil hacker people etc., and we're gonna try to hack into Hydra and we'll create some fun people along the way. But let's rename this Hydra, let's use it as an excuse to reboot the machine and hopefully get to full screen on this sucker. You can see how slow things are going, that's okay, restart now. Windows 10 is gonna get stuck in getting ready for a while. Cortana will just pop in when she feels like it, pretty much what she does anyway.

All the accounts in your SANS course were named after the Marvel characters? That's awesome. I'm not a DC guy, I do like Batman though. If I'm going too fast please, please slow me down, we've got nothing but time tonight. MTX, you're lost bro? You're the one telling me that this was easy stuff, why do we need this lesson. I renamed the domain controller to Hydra, you can rename it whatever you like. We're still not getting the full screen, which is weird. We may have to install VMware Tools, maybe, don't know if it's worth it. It's not worth it for tonight. Let's see, this requires the full reboot, we'll see, we'll do a complete install. Install; you guys didn't see that, there is a VM menu up here and it says install VMware Tools, just do that, reboot the machine. MTX, no more questions. We'll get out of workgroup when we're out of workgroup. Your Windows 10 should still be spinning; you can install Server 2016 faster than you can Windows 10, let that be a life lesson for you. Let's see if this worked. Heyo, good job team. All right, so while we still wait for Windows 10 we are going to start working on our Active Directory. Somebody said their server's just finishing up its install; I will go as slow as possible and drag this out just a tad if I can. Oh, there's Cortana here to help. We can stall just a little bit. "And we'll have your PC ready for all you plan to do, use your voice or the keyboard along the way." Let's mute her. "Like me to stay quiet? Just select the little microphone." There we go. Tick tock, tick tock. All right, start with your region, I'm in the United States, we're gonna start with the United States here. Just keyboard layout, right, yes. Skip the second keyboard layout. I'm unsure how long this part takes; we still have to log in, go through the hello screen, all that fun jazz. Oops, didn't mean to bring that up. All right, so we're gonna go down here and say domain join instead, that's just gonna let us create an account. So I'm just gonna name this one Frank for the account, local account, create a super memorable password. All right, well should we name it Password1? Let's see if it lets us do that. It does, so Password1 with the capital P, nothing insanely complicated, that'll come into play later. We have security questions, that's fun: what's your first pet's name, Bob; where did we grow up, we'll say we grew up in Chicago; and what's your childhood nickname, we'll say our nickname was Bobert, if I could spell it. Do we want Cortana? Hell no, we don't want Cortana, decline. No activity history. Look at all this stuff it wants to just spy on us with, guys, you know, any of this, hit accept, turn that all off and hit accept. Okay, we'll let Cortana do her thing and it's gonna go through this whole screen, so while it's doing that let's, uh, let's install... sorry, I went to my Kali. Go to Server 2016, let's start working on setting up our domain.

So first thing we're gonna do is we're going to say, we're gonna be in the Server Manager that should have popped up on start, you're gonna say Add Roles and Features. It's gonna give you this little wizard, just hit next on this page. We're gonna be doing role-based or feature-based installation, hit next, and it's going to ask you to select a server from the pool, we're gonna be selecting Hydra. All right, now what kind of server roles do we want? Well, we're going to be installing Active Directory Domain Services, so we're gonna check that box and say add features, and that should be it. So make sure again you check this box and hit add features. But this is where if you wanted to add like a DNS server, DHCP, you want to add IIS for example, remote desktop, you can come in here and add these features. Okay, we hit next, it's gonna add your Group Policy Management, some .NET Framework it looks like, we can just hit next on that, next on the domain services, and then we are going to just hit install. So this is going to take a second to install and then we're gonna have to promote the server here in a second. Should name the controller Red Skull and use Hydra for the domain? Yeah, a good idea. We're just gonna use Marvel for the domain. All right, looks like we are done here, we're installed, I'm just gonna hit close. You see we've got a little notice up here, and post-deployment configuration: promote this server to a domain controller. We're gonna click that, right, and then we have some options: add a domain controller to an existing domain, we don't have one; we don't have an existing forest, so what we're gonna do is create a new forest and we're going to call this marvel.local, hit next, might take a second. Okay, Windows Server 2016, perfect. We're gonna have any Directory Services Restore Mode, we're just going to use password again because we're terrible admins, okay, hit next. Leave DNS delegation blank, hit next. It's gonna generate the NetBIOS name, it should be MARVEL. Takes forever. Too fast? I will slow down. Where are you stuck? Morse, help me help you sir. Thank you for the cheer, anonymous cheer. Installed the server earlier per the YouTube video, Windows is just now finishing? That's fine, we're not touching Windows 10 yet, so Windows 10 should be logged in like this, we're just touching Windows 2016, the Server 2016. All right, so with MARVEL here, once it populates in the NetBIOS domain name we're gonna hit next. It's gonna give us the paths for the SYSVOL and stuff here in a second, the NTDS, maybe, okay so leave these on default, just hit next. We're gonna go ahead and just accept all these options, so we're just reviewing the options. This is going to populate, we're just going to hit install, someday. All right, so basically all it does is a prerequisite check to make sure that you can make this a domain; we pass that check, we hit install, it does the installation, this will take a little bit of time, and then we can join our domain controller with our Windows 10 machine. So tonight there's only going to be one lesson in terms of exploitation, we're not going to exploit too much, we're gonna carry on into more exploitation next week.

Is this only possible with Windows 10 Enterprise? No, this is possible with Windows 10 Pro as well. I just don't think Windows 10 Home you can join the domain, so whichever ones you can join a domain with, I believe Pro and above. Okay, you're gonna get signed out, it's gonna restart the machine. Congrats, although, you got your cert in a week, that's pretty impressive. I enjoyed the eWPT, that's a good one. I have to take the eWPTX exam in one week, I'm just thinking I'm gonna delay it because I don't have time. Somebody said Education can join a domain, that sounds believable, I'll take it as I believe it. So let it apply the settings and you guys can ask me questions while we're waiting, we don't have to have dead air. If you've got AMAs, or I'll start picking AMAs. All right, I've got AMAs from the Cyber Sec Lounge that I can pull from. So you guys didn't hear the news: the Cyber Sec Lounge, Devi has stepped away to focus on family, so he handed over server ownership to me a couple days ago. I'm running that server in a mentor capacity, really it's run by the mods over there. Prior to his stepping down we were going to be doing an AMA tonight and that did not happen because it would be weird to AMA me coming in as an owner, so instead I'm going to take some of the questions and turn them into a video, but I'm also going to pick some of these questions tonight if we've got a little downtime while we wait and just answer some of those. Somebody just asked why are we doing Server 2016 instead of 2019. There's no real reason, Server 2016 is just more common right now, so we absolutely could do the same things on 2019. I don't know what the little differences or nuances are between 2019, I've got to play with it yet. So 2016 is more common; it's even really more common to see like 2012 still in a lot of environments, so it's better to use an outdated server when we're teaching this stuff. At least for the next three or four years you're going to be seeing way more of 2016 than you are 2019, that's just how it works. So when we spun up Server 2016 and made a domain controller, it didn't install Active Directory services by default? That is correct. Well, we didn't make it a domain controller; we made a domain controller when we turned on Active Directory services, so up until that point it wasn't a domain controller, we promoted it to one. Windows Server 2016 is bare-bones by default, yeah, you have to configure it how you want to configure it.

Terminal asked am I going to DEF CON this year. I am NOT going to DEF CON, with one caveat: I applied to speak at BSides Las Vegas. If I get into BSides Las Vegas I will stay through the weekend and hang out, do LobbyCon at DEF CON and just chill, because I know a lot of people I know are gonna be there, so I'd like to definitely meet up with some friends and just have a good time. So if I get into BSides Las Vegas as a speaker then I will absolutely come out, if not then it is what it is. All right, somebody asked, Discount Bin Laden asked, where do you get your news from. I mainly get my news from Twitter or any of the communities that I'm in, so really like being a part of quite a few Discord channels, or being a part of that sec, just joining those kind of channels that have categories for news. But Twitter is a really big one, even news outlets are really big for cyber news, Ars Technica is not a bad place to get your news at as well. So it just depends, but mainly it's Twitter and communities. Have I ever been to DEF CON? Yes, I have been to DEF CON, I've been there one time. I am open to going back one more time for somebody to change my opinion on how I felt. It could have been the company that I was with, but as far as it was, I didn't enjoy myself that much. I'll answer a couple more questions. Any tips for a security analyst interview? I will get you that after the fact, ask me that again, I've got links for that and then we'll talk. And then somebody said eWPT to eCPPT to OSCP, is that a good path? Yeah, that's fine, however you want to do it. Solo, I think all those certs would be a really good way to break into the industry. Yeah, you can PM me if we're friends, if not just add me, add me Eric, and we'll go from there, I've got links for you.

All right, so we are back into this, so let's Ctrl+Alt+Delete with our little three buttons up here. Now you see that we are MARVEL\Administrator, we are on the domain. I left my caps lock on. After you promoted the domain controller you did something, what did you do? So when I hit promote, you are going to name your root domain. You're gonna hit add a new forest, name your root domain, you're gonna add a password after that where it says to add the DSRM, and then you're pretty much gonna just next, next, next through all of that and hit install. All right, so now we should be on our domain, so we can come into Tools in here and we can say Active Directory Users and Computers. Click on this; if we click on the forest of marvel.local and you say Domain Controllers, you can see that Hydra is now acting as our domain controller. We also have Users down here, so we've got an Administrator, looks like a default account has been disabled, Guest account has been disabled, you can tell by the little logo next to them. So what we'll do is we will, at least I think it's disabled, what we'll do is we're gonna right-click on this Users group here, we're gonna say New and we're gonna say User. So you guys should know what Marvel character I'm a fan of, that is my man Frank Castle, and what we're gonna do is we're gonna say fcastle, first initial last name, hit next. We have to set a password for him, let's make it something kind of basic, let's also make this Password1, P-a-s-s-w-o-r-d-1, if it lets us do that, capital P, rest is lowercase and then a one. We'll say password never expires because we're bad admins. Finish. Technobro, hey Technobro, how are you doing man. All right, so we've got Frank Castle.

Let's go over to our Windows 10 machine and let's install our VMware Tools while we're at it to make this nice and pretty. And I think it's a little different, you can't just right-click on System to change the... but I guess you can here, so we can rename the PC. So I'm gonna name this, well he's the Punisher right, we'll just call it the Punisher for his PC name, and we'll reboot everything when we have the opportunity to here in a second. Do a complete install on the VMware Tools setup, we'll restart later on this one, close out. Thank you Techno, I appreciate it. Okay, finish and we're going to reboot, should give us a new view on things and a new computer name. Thought my computer just froze there, it was the mouse stuck on the screen, it wasn't going anywhere, we were stuck in the VM but the mouse wasn't moving, so that was fun. All right, let's go ahead and type in Frank's insecure password, Password1, okay. And now we're gonna join a domain, which is a little different. I just type in domain, it says access work or school, I click on that and then we hit connect here, and I don't think this is gonna work, join this device to a local Active Directory domain, I don't believe this is gonna work, we're gonna try it though. So we'll say marvel.local, hit next, it's not gonna find it. Okay, so we got to do one other thing in here, so let's go into the Server 2016, do command prompt, and we're gonna say ipconfig. Now my address is .202.133, whatever your address is, just copy this. We're gonna go right-click on the little internet icon, open your network and internet settings, and that's gonna get in the way, we may have to just cancel this. I never know how to get there; let's say change connection properties and then I think I hit back and it just takes me, yeah, that's how I know it. It used to be an easy right-click, go to the adapter settings, change adapter options right here, and then you come to this Ethernet0, you right-click, you say properties, go to IPv4, double-click on it, and we're going to use a DNS server. Again, IP address is .202.133 for me. Well, I'll do the old 8.8.8.8 on here, hit okay, okay. It may or may not work, we may have to flush the DNS. Close out of that. Actually let's see if we can fullscreen, there we go. And we're gonna say domain again, access work or school, hit connect, join this device to a local Active Directory domain, let's try this one more time. There you go, so now we get the pop-up. So our user is fcastle, our domain is... or our password is Password1, okay. So he's gonna be a standard user, and next, and we're gonna restart. Somebody said 1.1.1.1, true. Somebody said `control netconnections` from command as a shortcut, I've never used that one, I'll have to try that. So this should start rebooting if it's nice, let's just give it a nudge, and when we come back we should have MARVEL and Frank Castle, meaning that we have officially joined the domain, we are on our Active Directory environment and now we can start doing some malicious things. Let's make sure that that is true. I'll give you guys a minute to catch up as well. Okay, again MARVEL\fcastle, let's go ahead and login. Good ol' Frank's logging in, he's gonna have his profile built for the first time, we've all seen this screen too many times in our lives I'm sure.

All right, while this is going let's go ahead and go back over to Windows Server 2016, and what we're gonna do is we're gonna create our first scenario. And this is going to be one of the things we focus on a lot in this lesson over the next coming weeks: we're gonna be focusing on SMB, because SMB is one of the most exploitable things that we're gonna have. Now for LLMNR poisoning it doesn't have to be SMB, we're gonna get into what exactly it is here in a second, and we'll talk about some techniques that I've used on pen tests that are kind of outside the box, something to think about. So let's close out of this, close out of this. So in your Server Manager you're gonna come over to File and Storage Services over here, we're gonna say Shares, and what we're gonna do is we're gonna open up a new folder here. Let's go to This PC, let's go to the C drive, and we're gonna right-click and make a new folder, we're just gonna call this folder hackme. Okay, so we're gonna create a task up here under Shares, we're just going to say New Share, it's going to be an SMB share, quick. We're gonna select the share location under custom path and we're gonna select that hackme folder, hit next. Share name is hackme; \\HYDRA\hackme will be the path to the share. Allow access-based enumeration displays only the files and folders that a user has permission to access, so if the user doesn't have permission... let's go ahead and set that. We're not gonna encrypt it, just gonna hit next, hit next. You can see that it's doing the... if we go to customize permissions you can see that it has Administrators and MARVEL\Users have read and execute status, so we'll hit OK, hit next, and we're gonna hit create, and it created it just like that. So we go back over to our Windows machine, we're gonna add that share, so just go to our folder, if you go into... where's the button, maybe I need to be in This PC, there we go, we click on This PC, you say map a network drive, we'll just call it the Z drive, you can put it on whatever drive you want, say Hydra. Cool, you can do it either way. Okay, reconnect it, sign in, hit finish, and now we have access to this Hydra hackme folder. Our lab setup is complete. Give me one second, I'm gonna drink some water and then we're gonna go on to a little bit of exploitation and then wrap it up for the night.

All right, so what we're gonna be talking about tonight is LLMNR poisoning, also known as NBT-NS poisoning. So your LLMNR, that's your Link-Local Multicast Name Resolution; your NBT-NS is a little bit older but that is your NetBIOS Name Service. So basically what they're used to do is they are used to identify hosts when DNS fails, and a big flaw of LLMNR and NBT-NS is that both of the services utilize a user's username and their hash, their Windows password hash, typically NTLMv2, sometimes NTLMv1. So when it gets responded to it sends over a hash, and we're gonna take a look at what that might look like in a man-in-the-middle situation here in a second, I've got a nice little infographic. But also it's just a way to, you know, connect to like a share just like we're doing now, using this name resolution. So what we do as an attacker, and let me pull this up... somebody said Repeater? You're close, it's Responder. But what we do as an attacker, it's got this nice little graphic here. So this is a classic man-in-the-middle attack. What's going on is across the network there's all this traffic back and forth, and these hashes are flying back and forth, and sometimes there is a mistake or something that generates or triggers this action, right. So what happens is when these hashes go out, typically they're going out to a known share or known device; sometimes however they don't know where to go or there's a mistake that happens, and if you're sitting in the middle you can say hey, you send it to me when there's a broadcast message. And let's take a look at how this looks. So for example there's a share out there, right, that we say, oh it's gonna be hackme, right, and we just created hackme, but this says hey, can you connect me to hackem. We typed in the wrong share name. Well, the server's not gonna know what the share name is, right, it's never heard of hackem before, it's heard of hackme. So if it doesn't know what the heck you're talking about, the victim's gonna say okay, well if the server doesn't know then does anybody know? So now we're gonna send out a broadcast message with our hash, well not with our hash yet, sorry, we're gonna send my broadcast message, [ __ ], does anybody know how to connect to this hackem? And me as a hacker sitting in the middle is gonna say I do. I don't know what hackem is, but I'm gonna lie to you and I'm gonna say I know what it is, just send me your hash and I will connect you to that hackem folder. And the victim's computer is just gonna say okay, here's my hash. So this becomes dangerous, right.

There's a couple of different attacks and we're only going to talk about one attack today; we'll talk about the second attack at the beginning of next week. So attack number one is we take that hash, we run Hashcat against it and we try to crack the password. If the password is not complex or long then we're probably cracking it pretty fast, we're using that to navigate around the network and see what sticks, and we'll talk about those techniques as well. Tonight what we're gonna be doing is learning how to capture the password and also how to crack the password, so we'll be doing that. Another idea though, instead of taking that hash and cracking it offline, another thought is you can take that and do something called relaying and try to send it to a server, and use the hash to authenticate to a server via SMB without ever knowing what the password of that account is. So that's called NTLM relay and we'll cover that next week. So in order to do what we're gonna be doing, we're going to set up a man-in-the-middle listener with a tool called Responder. Now if you have been following me since week one, in week one we uninstalled Impacket and installed our own version of Impacket, so if you're all caught up this should work just fine. If you are not caught up this might not work, you may have to purge Impacket. We're not gonna go back that way; if you just go watch the week 1 video and catch back up, please do so. So let's go ahead and minimize this and we're gonna go into our Kali machine. I'm going to show you how to set this up and I'm going to talk about strategy here too. So let's just open up a terminal, let's make this bigger for you guys, and we're gonna say `locate Responder.py`, capital R on this. Okay, so it should be in your /usr/share/responder folder, let's just cd to that.

All right, so what I typically do is first thing I... and this is a scenario we didn't cover, let's talk about the scenario of what we're in with our network right now. The scenario is last week we exploited a machine and we got on to the network, we were inside the network doing internal commands. Well, let's say now that we are continuing on from that point, we're on the network, we're in via VPN, or let's even say that we gained physical access, we've plugged in the machine unknown to anybody else and just walked away. So we have remote access to this machine and we're just sitting on their network, no privilege at all, right, just our own rogue computer. So we're going to take this rogue computer and we're gonna try to escalate privileges in a way that I would in a penetration test. So the very, very, very first thing I do before I run scans, before I do anything, I turn on Responder. And because these scans, Nmap, Nessus, whatever you run, what that does is that starts generating traffic; those scans generate traffic, and you know what Responder's listening for is traffic. So if there's a lot of traffic going across the network the better it is for you, because maybe something screws up, sends a hash your way and you just gain all the hashes, right, that's the end goal. Now the best time to run Responder is typically in the morning when everybody's coming into work, or when everybody's getting back from lunch around one o'clock, so those are your two best target times. You can let it run all day and see what it captures, and typically I do, but definitely if you're doing an internal penetration test you want to get this sucker running as early as possible so you can get all the hashes that you possibly can when people are coming into work and logging in, generating traffic, making noise. Somebody asks what's the name of the attack that I just explained, so it is known as, I'll type it out here, LLMNR or NBT-NS poisoning, like that. Now I can never remember the full command so I'm gonna cheat just a little bit. All right, so we're gonna fire up
responder here and we're gonna treat this just like an internal penetration test so we're gonna say python responder dot pi you're gonna do a dash i for your interface capitalized if i can capitalize you're gonna say e 0 and then switches of our D and W you wouldn't see this responder in the OS sepia all because this isn't an internal technique typically the OSC P is capture-the-flag external technique this is focusing on Active Directory your setting should look very similar to this so if you didn't catch this responder dot PI - I eat zero - RDW and you come in here you should have LM and r mb TNS and it's doing DNS poisoning as well and it's got all these different servers on so we're not just doing SMB we all but we're not just doing SMB we're listening on HTTP HTTP W pad IMAP pop3 you name it we're poisoning it except the auth proxy by default we're not and then we have options if we want but these are off by default that's absolutely fine all right so we're listening for events now you might start see some events come across in my household if I you know if I did things or some something starting to talk there's one right there the punisher just did something the punisher just sent out LM in AR for something or mdns so you just saw an event come through no that's not a hash that's just an event so you'll see a bunch of events and occasionally you'll get a hash so let's look at if we can trigger another event here ah it may have been actually locking itself I have no idea what just caused that my password is incorrect that's not good oh it's administrator I'm locked out on the domain I want to be on sorry I want to be on this guy so if we come into here and we go into our PC and we just try to access this hackney let's see if that generated anything yeah so we just we just try to connect to Hydra and you're gonna see that we sent we send something to Hydra here so you're seeing these events come through and now what we're gonna do is we're gonna push this along 
for proof of concept if you're sitting in a network eventually you're gonna get something coming your way but because we're not sitting in a network we're just gonna we're gonna force it along just a little bit so what I want you to do is go to file new tab make it really big for you guys and just say ifconfig and copy your IP address one 92168 202 dot 1 2 8 copy I don't know this gonna paste over but I'm gonna cross my fingers and say let's do it all right up in the bar here we're going to just put the IP address in and hit enter we're going to try to connect to the share of a our computer instead of our hacker machine and just hit enter it's not gonna be able to to get into it but if we go back there we go it just sent a [ __ ] ton of hashes it skips them once it are you got one and you can see now it says hey we got an ntlm version to hash we've got the username of F Castle and then you can see it's got the username the domain and then this is the hash this is the ntlm be to hash let's copy this bad boy shall we just paste it into a file for now okay let's talk strategy hey Gabe thank you for the sub I appreciate that okay so strategy here strategy time you saw me point this maliciously at myself right we went in there we typed in the IP address it's probably gone now it is because it didn't resolve so we can do this on a pen test we can absolutely do this on a pen test one place that I really love to use this is if you find default credentials say like on a printer or anything that has has configuration abilities thank you burnt toast I appreciate that so if we find this anywhere that has configuration abilities and it allows us to store credentials sometimes you'll see like a printer let's give an example a printer and it has an SMB share now you can't see the username and password for the SMB share it's typically it's hidden right it's a bunch of asterisks or whatever but sometimes it says hey what server or what computer do you want to send this file to and 
you say ok here's the IP address and a lot of times it has this test button if you've ever set it up you can test the SMB share connection before or you can just save it even both of work you put in the IP address of your computer instead of the computer it's set to and guess what the credentials for that SMB share user fly over to you now a lot of times people aren't using lease privilege and those SMB shares have escalated privileges and are giving you instant win the same thing happened not that long ago on another server I don't remember what it was it was some sort of VPN that I was able to log into bad already with default credentials but they had a basically a domain account just sitting on their server that I pointed to myself was able to crack it in the password was like Starbucks something or another so it went down really fast it wasn't uh it wasn't complex at all and we'll get into defenses here in a second but when you're running responder and you're navigating around the network if you're finding things like that those are situations where you just say aha I can point this to myself and capture this hash all right now we have two options we've got the hash let's go back and try to crack it so I'm gonna save this file out actually what I'll do is I'll copy this and this isn't gonna work I'm gonna show you how to potentially get it to work for your system it could take a long time so let's let's do this I'm gonna come in here and let's just go and say we're gonna say G edit hash text I'm gonna paste that in there and say that now if you LS actually let me locate RockYou dot txt all right so something I've done on this computer that you may not have done already and this is I'll talk for a minute so you guys can have time to do this if you type in locate rocky text typically you have a user share wordless rocky xgz it's a zip file open your folder navigate to that list - the zip and unzip it it is a large large password list if you've done any sort of 
basic hacking you've probably seen this if you haven't it comes built in a Kali by default it's not the one that I run I use one of the larger SEC lists I'll have to dig it up but it's like in the billions as opposed to I think this is maybe in the millions of wordless so go ahead and just get that unzipped and then I've got mine sitting in the rock u dot text here but I'm gonna use hash Kat online machine I'm pretty sure unless something's changed so what we're gonna do though is we're gonna say hash cat and then we shoulda say m actually let's do a - - help so I could show you what we're doing so you need a - M it's a basically a code right and these are all your M's if you come into here yeah these are still ends so all of these are the different type of hashes these are modes I guess the M stands for mode all different kinds of hashes if you come down into network protocols ntlm v2 is here it's under the mode of 5600 so we're gonna be using 5600 for this one so please say hash cat - M 5600 and then typically it wants your hash and then it wants a password list so we can say root and then we could say rock you text and hit enter we're gonna run into an issue first issue is if you're running on the VM you're not gonna be able to run this without using a - - force so if you're following along on a machine itself with Kali installed directly good for you you win the Internet so you could try - - force mine will not work I am on a 9000 series i seven and it worked on a 7000 series it does not work on this anymore so if you're on a newer version of a CPU you may run into this issue so the alternative anyway and let's talk about this strategy - I'm on a gaming computer I'm got a 1080 Ti if you try to run this on the VM with the - - force it's gonna take a while to go through rocky a text if you are doing labs or anything any type of type of passer cracking and you have anything of a decent it doesn't have to be anything expensive a decent graphics card it's gonna go 
through this rocky list really fast so something to think about when I was doing the OS CP labs it was taking me hours to run through rock you I had a 970 at the time and it would take literally seconds to run through Rocky Oh so something to think about there so I'm gonna do is I'm gonna copy this hash over and I'm just gonna put it in that same hash file give me one second here and I'll I'll bring up my face you guys have something to look at I know you guys like it get to my hash cap folder paste that almost done can I share the SEC list yeah I'll share it at some point you saucy minx thank you Wow so I'm running hash cat 4.2.1 for Windows you can run whatever you like I know at one point they were saying hash cat 3 was like the best if you wanted to run in on Windows but I haven't had any issues with this so go into command I'm gonna run command as admin and then I'm gonna come back to the screen all right so CD users the desktop hash cat all right hash cat 64 dot X E is what we're gonna be running same thing - m 5,600 if you don't get hash cat running you can also use John John the Ripper will work on ntlm B two hashes as well so n 5,600 got a Hatch's dot txt in here somewhere and then rock you dot Tex okay so it's gonna start firing this off its gonna take a second to load up the device kernels in memory and then it's gonna fire through this and try to attack this hash and that was it it went through 6.4 percent of the list that fast and it also cracked the password which was passed forward one so now we've got the password for the user Frank Castle and we're gonna try to use that at some point as an attacker to navigate around the network now I'm going to leave it here for now I'm gonna leave it here only because I don't want to go further we're gonna talk about all kinds of strategies next week's really gonna focus on on hacking ad somebody asked about thoughts in a DBS for cracking your other hosting services they have hosting services out there that chain 
a bunch of graphics cards together or have that kind of computing power if you want that to just log in and use for a crack box you're more than more than welcome to do that kind of strategy I just have one locally that I like to use let me share my word list hold on let me just get that open you guys can look for it and that way I don't have to google it and find it and everything else give me one second all right the word list I use bring this over it's called real unique UN IQ real UN IQ that's it it's a 15 gigabyte word list and it cracks quite a bit of passwords not the most effective we've got we've got some custom lists that we use internally that I can't share with you guys with custom rule sets and everything and those work even better but if you're looking for like a basic basic list this is a good one to start with all right let's talk one more thing let's talk about defense strategies let me bring up the PowerPoint so I can talk this through with you real quick I so defenses if you want to prevent this you can disable LM an hour poisoning a lot of admins do not like to do this so there are other options as well but if you want to know how to disable LM and are here are the defenses for that also you'll have to disable MBT NS so we will navigate to those files in their proper locations and turn off disable NetBIOS over tcp/ip and disable the dns client and the group policy editor so if you don't want to do that and you are thinking of other defenses then what are our options here well we can require nak we can do network access control so if you can't get on to the network this act tak can't be performed right there's obviously there are bypasses to nak so it's not the latest and greatest but it's one form of prevention the other thought is to require strong passwords greater than twelve characters in strength or in length is what is said here and limit comment word usage honestly the longer the password the better if you've got a 440 character password 
even if it's just a sentence we're not going to we're not gonna be able to crack that really it's hard to crack anything over 12 we have cracked 14 and 15 if you're using some kind of common word usage one that came up recently was a Bible verse so don't think it looked creative like it was a Bible verse had a space in the password I was impressed but it still fell down these very very common words like that they'll fall so the longer the better I think mine's 20-something characters my co-workers in the 40s so just just think of those strategies for defenses so with that being said we are going to hit the break button on this we are gonna be done for tonight maybe we can even go early next week we are going to focus more on the attacks and what we can do we may even build our lab a little more I don't have the lesson plan completely finished we need to scan the network as well that's something we haven't done we haven't run an map but I'd rather wait till next week to actually get a feel for what's out there and then we'll just continue to build upon it there's also some some things that I don't have set up that I don't know if I'm gonna be able to set up so like for example ms 1710 or eternal blue I don't know if I'm gonna be able to like set that up but that's something that you really commonly see in it doesn't necessarily pertain Active Directory environment so it definitely pertains to things you would see in an internal environment all the time all right let me get back on stream start answering some of these questions but ever considered doing a stream on Stack Overflow as we did one last week and we are doing is it is Rory here are we doing a stack overflow tomorrow is that considered stack still I think we're still on stack we have a stream on overflows tomorrow night hey Rory's here yeah we're doing a stack overflow tomorrow night as well so we've officially done two streams tomorrow's gonna be the third on stack overflows so worth looking at the history 
the VOD on on here let me pull it up really really quick

Original Description

Zero to Hero:
0:00 - Welcome
2:37 - Lesson overview
5:00 - Downloading our ISOs
6:35 - Installing Windows Server 2016 and Windows 10
16:30 - Renaming Windows Server 2016
19:00 - Installing VMWare Tools on Server 2016
21:15 - Finishing Windows 10 install
24:20 - Installing Active Directory Domain Services / Downtime Q&A
39:20 - Creating our first domain user
40:40 - Installing VMWare Tools on Windows 10 / Renaming Windows 10
43:05 - Joining Windows 10 machine to domain
48:30 - Setting up a SMB share
51:30 - LLMNR/NBT-NS poisoning overview
56:00 - Using Responder to capture NTLMv2 hashes
1:07:00 - Cracking NTLMv2 hashes with Hashcat
1:15:10 - LLMNR poisoning defenses

Q&A / AMA:
1:18:50 - Will you ever do a stream on stack overflows?
1:21:03 - What is the success rate of LLMNR?
1:22:10 - Problems with turning LLMNR off?
1:23:10 - Can you place the mitigation slide back up?
1:23:45 - How much should you spend on a password cracking rig?
1:24:45 - Cobalt vs Metasploit vs Empire - your favorite?
1:26:00 - How do you obfuscate Meterpreter?
1:26:40 - Does Veil still work?
1:28:42 - host-apd or eap hammer?
1:29:40 - Has a customer ever intentionally prevented you from doing your job?
1:30:50 - Favorite podcasts?
1:31:30 - Do you put exploited users in a report? Worried about their firing?
1:32:50 - When is your Many Hats appearance coming out?
1:33:10 - HackerOne? Bug bounties?
1:35:40 - Are you married?
1:35:50 - Bug bounties continued
1:37:50 - New unconstrained delegation exploit?
1:39:40 - OWA spraying and lockout
1:41:20 - Favorite bug bounty?
1:42:44 - Ever crashed anything on a test?
1:43:50 - Funny pentest stories?
1:47:20 - Opinion on the cloud and future pentest demand?
1:49:40 - What are you looking for when you hire a pentester?
1:53:18 - Is pentesting looked down upon?
1:54:10 - I want to be a pentester because it's intense, is that a good reason?
1:55:37 - What is the OSCP good for?
1:56:35 - Thoughts on practical assessments for job hiring?
1:58:10 - SOC or

Key Takeaways
  1. Download and install Windows Server 2016 and Windows 10 Enterprise
  2. Configure Active Directory lab using VMware Pro
  3. Exploit Active Directory with LLMNR poisoning and NTLMv2 cracking using Hashcat and Responder
  4. Configure network security settings and implement defense strategies
💡 LLMNR poisoning and NTLMv2 cracking can be used to capture and crack Windows password hashes; defense strategies such as disabling LLMNR and NBT-NS, network access control, and requiring long passwords can be implemented to prevent these attacks.
