So before we wrap up this initial attack vectors section, I want to talk about the attack strategies that you might use when you're just starting out. Now we know the attacks; how do we piece it together? My thoughts are that we begin the day with mitm6 or Responder, and we sit there. We've talked about this in the previous videos, but we want traffic to be generated, right? We need those users coming in. So 8:00 a.m. is a good time, when users are starting to come in, or even after lunch when they're starting to log back in. You're going to have to run both of these on an assessment, because you're going to have to assess for LLMNR in the network and you have to assess for IPv6 in the network. So either one is fine. If you're looking for a quick win, mitm6 is probably faster nowadays, but I still like to start out with Responder to see how well the network is responding to us. Right? Are they giving us hashes? Are the hashes easy to crack? If so, that's going to tell me that we're probably in for an easy assessment. If I'm not seeing LLMNR enabled, then I might be in trouble here; they might have had a pen test before, or they might, you know, know some of the common attacks and have already prevented against that.
So when you run those, you're going to go ahead and run your scans to generate your traffic. Now chances are that you're going to be running a Nessus scan to do this. You might also be running an Nmap scan of some sort to get quick results as well. But most places run Nessus. Now if your scans are taking too long, if you have a big network, which can happen, what I like to do is just look for websites that are in scope. And this is another thing that we can do if we're trying to be quiet, as opposed to just running scans: if your goal is to be quiet in the network, something that you can do is sweep the entire network for websites. OK. And I look with a tool called http_version. It's just a module that you can search for in Metasploit, and you just say, hey, here's my range, I want to look and see if anything responds to http_version when I send out an HTTP request from my computer. I want to see if anything else responds to that, and that's going to be less likely to get picked up, because you're making traffic on 80 and 443, which is very common. Right? As opposed to port scanning every single device in the network, which is going to get picked up pretty easily by a good SIEM. So from here, what can we do?
Well, we take those websites in scope and we can look at those logins, and we can check those logins for default credentials. Some of the things that we're looking for are like printers. I have gotten domain admin off of a printer more than one time. So if you think about a printer, what does a printer have as a feature? It typically has a scan feature, and in that scan feature is a scan-to-computer feature, right? Well, a lot of times an admin will make that user that has to be able to scan from the printer to the computer via SMB; they'll make that user domain admin, and that's overly permissive. And what we can do is we can go in and dump those credentials in clear text, get what the passwords are for the SMB user, or they might even be using individual user accounts. There's so many different things that they do, and I've seen weird varieties, but printers are a big one, and a lot of people don't secure their printers because they're just like, it's just a printer, why do I need to change the password on it? But it's a really big one to start thinking outside the box on. Jenkins instances: if you have any developers, Jenkins sometimes is wide open, and you can use that to get a shell on their machine as well.
And there's just a lot of different things. So you're going to look through the web logins. If you see some sort of login, go research that page, look up what the default credentials are, look up if there's any known vulnerabilities for what's running, and just enumerate that network. OK. So while we're looking for initial attack vectors, we're looking for hashes with Responder. We're looking to get that loot back from mitm6, or maybe even strike gold and get an account created on the domain controller right away. And if that happens, if you get domain admin in like two hours and you're sitting there for a 40-hour assessment, guess what? Chances are you're probably going to have to go back and try it a different way and find as many paths as possible. So just keep thinking about how you want to do that, but look for Responder, look for mitm6, look around the network and sweep around with your Nmap, and look for any SMB that's open with SMB signing disabled, and start picking out targets for your SMB relay attacks as well. So maybe that's something you might attempt in the afternoon: you try to capture hashes in the morning and then you start relaying hashes in the afternoon, and you could spend just one day doing that and then spend another day focusing on mitm6.
You want to give your client the best comprehensive coverage that you can, and try to find all the low-hanging fruit if it's their first assessment, or try to find those unique ways in if it's not their first assessment. So remember, it's a timed assessment. We only have so much time. If it's a really, really bad environment, then we need to get all the critical findings out of the way. If it's a tougher environment that's been pen tested before, it might take us all 40 hours to find any way in, or we might not even find a way in at all, and that's OK as well. So the last thing I want to say is to start thinking outside the box. So when you have an environment, sometimes you're going to run into weird things. I've run into environments where there was no SMB. I've run into environments where there was no LLMNR, and you just have to start looking around at what's available to you. And one story that I can think about is that I was in this very small medical environment, and there was maybe 20 machines, and there was no SMB in this network, no LLMNR. I could not get leverage anywhere, and then I found, by listening in the middle, I found some clear text coming through on a password. OK.
The password was going for IMAP, and the IMAP was just running in clear text, and I took that password and I started passing that password around, and I got into a phone system. In that phone system I had the ability to change some stuff; I could change, you know, where the phones were redirected and forwarded, and then I started thinking, OK, well, what can I do with a phone system? So I started looking at their Microsoft Outlook, and their Outlook had a password reset functionality. Password reset functionality went to their office phones. Guess who controlled the office phones? I did. So what if I said I want to reset the user, somebody I know that's an admin, I want to reset their password, and with that reset I want to forward that to my phone? And so the office phone is going to... so when it rings up, I say, yeah, I'm the user, here's my code or token or whatever they send you, and go ahead and let's change that password, and you bypass the multi-factor authentication there. So thinking outside the box is a big one. You're going to run into situations where these initial attack vectors might not work for you, and just enumerating and seeing what's out there is the most important. You might not have a situation where Responder works or mitm6 works or SMB relay works. You might have to look at what ports are open on these machines.
You might have to look around and really focus on the websites first. That's my big one: if you're struggling, focus on websites and just see what's out there, and try to get your leverage and start thinking outside the box, and just enumerate, enumerate, enumerate. The more you enumerate (I've been harping on this the entire course), the more you enumerate, the better attacker you're going to be. Don't just focus on the exploit. Focus on as much information as you can gather, and you're going to be super successful. So that's my spiel for this. We're going to go ahead and move into post-compromise enumeration. We're going to talk about using PowerShell, a tool called PowerView, and we're going to talk about BloodHound as well. We'll do a little bit of enumeration and then we'll get into some post-compromise attacks, and that's where a lot of the real fun begins, and we can start leveraging some of the stuff we've done in this section and really utilizing that to move upwards. So far we've kind of just moved laterally. We're going to start moving upward now and really take over that domain, and learn some cool tools and techniques, and then we'll be well on our way in the course. So I'll catch you over in the next section.