1
00:00:00,590 --> 00:00:03,200
So we've now seen how to exploit a vulnerability.

2
00:00:04,130 --> 00:00:09,530
Now I'd like to show you how you are going to exploit a system, even though that target system has

3
00:00:09,530 --> 00:00:11,720
no exploitable vulnerability.

4
00:00:11,990 --> 00:00:12,890
You, you're scratching your head.

5
00:00:14,120 --> 00:00:20,300
Pass the hash is a hacking technique that allows an attacker to authenticate to a remote server or service

6
00:00:20,780 --> 00:00:25,550
by using the underlying NTLM or LanMan hash of a user's password,

7
00:00:26,150 --> 00:00:30,680
instead of requiring the associated plaintext password, as is normally the case.

8
00:00:31,610 --> 00:00:33,980
So this is how that mechanism works.

9
00:00:35,270 --> 00:00:43,100
On systems or services using NTLM authentication, users' passwords are never sent in clear text over

10
00:00:43,100 --> 00:00:43,640
the wire.

11
00:00:44,060 --> 00:00:50,240
Instead, they are provided to the requesting system, like a domain controller, as a hash.

12
00:00:51,400 --> 00:00:59,230
Native Windows applications ask users for the clear text password, then call APIs like LsaLogonUser

13
00:00:59,560 --> 00:01:03,220
that convert that password to one or two hash values,

14
00:01:03,550 --> 00:01:11,200
the LM and/or NT hashes, and then send that to the remote server during NTLM authentication.

15
00:01:12,320 --> 00:01:17,780
Analysis of this mechanism has shown that the clear text password is not required to complete network

16
00:01:17,780 --> 00:01:19,190
authentication successfully.

17
00:01:19,820 --> 00:01:21,260
Only the hashes are needed.

18
00:01:22,100 --> 00:01:28,340
So if an attacker has the hashes of a user's password, they do not need to brute force the clear text

19
00:01:28,340 --> 00:01:28,910
password.
20
00:01:29,450 --> 00:01:35,090
They could simply use the hash of an arbitrary user account that they have harvested to authenticate

21
00:01:35,090 --> 00:01:38,690
against a remote system and impersonate that user.

22
00:01:39,690 --> 00:01:45,330
In other words, from an attacker's perspective, hashes are functionally equivalent to the original

23
00:01:45,330 --> 00:01:47,310
passwords that they were generated from.

24
00:01:48,830 --> 00:01:55,580
The psexec module is often used by penetration testers to obtain access to a given system that you

25
00:01:55,580 --> 00:01:57,170
already know the credentials for.

26
00:01:58,370 --> 00:02:02,390
It was written by Winternals and has been integrated within the framework.

27
00:02:02,990 --> 00:02:11,240
Winternals was established in 1996 and acquired by Microsoft in 2006, and the name became Sysinternals.

28
00:02:12,330 --> 00:02:17,910
Now, because we're able to use hash values instead of passwords, Metasploit's psexec module is

29
00:02:17,910 --> 00:02:20,640
used to perform pass-the-hash attacks.

30
00:02:21,910 --> 00:02:27,490
Now, what do we need to use Metasploit psexec? The following.

31
00:02:28,340 --> 00:02:34,820
Target IP; it's also possible to use more than one IP address or an IP address block in the Pro version.

32
00:02:36,050 --> 00:02:38,960
The username of a valid user on the target system.

33
00:02:39,980 --> 00:02:42,680
A password or the password hash of the user.

34
00:02:44,070 --> 00:02:46,230
A share on the target system.

35
00:02:47,160 --> 00:02:52,890
Administrative shares on a private network, such as the network of a company, are always enabled because

36
00:02:52,890 --> 00:02:58,830
the system administrators understandably don't want to visit a computer to manage it, and the output of

37
00:02:58,830 --> 00:03:01,740
the Metasploit psexec will be the Meterpreter session.

38
00:03:02,580 --> 00:03:05,640
Well, the output will be the payload we use.
39
00:03:05,730 --> 00:03:11,430
But if we have a chance to have a Meterpreter session, it's better to take the Meterpreter session.

40
00:03:12,810 --> 00:03:19,260
So check out this scenario: you exploited a system in the scanned network and succeeded in activating a

41
00:03:19,260 --> 00:03:20,220
Meterpreter session.

42
00:03:21,060 --> 00:03:23,700
Not necessarily, but just, you know, work with me here.

43
00:03:24,570 --> 00:03:28,260
So you obtained a valid username and user password hash values.

44
00:03:29,080 --> 00:03:33,820
Computer users are prone to use the same password on different platforms.

45
00:03:34,030 --> 00:03:35,800
I mean, what do you do?

46
00:03:36,300 --> 00:03:42,130
You have different passwords for each of your credentials: Facebook, laptop, Gmail, Instagram, etc.,

47
00:03:42,130 --> 00:03:42,580
etc.

48
00:03:42,850 --> 00:03:48,190
Well, I mean, I can't blame you, because there are a lot of platforms asking for our passwords.

49
00:03:49,070 --> 00:03:53,270
But what if there are other computers which are logged in with the same password?

50
00:03:53,690 --> 00:04:00,080
Remember, we don't need to crack the passwords if LM or NTLM authentication is used on the network.