1
00:00:00,150 --> 00:00:00,470
All right.

2
00:00:00,480 --> 00:00:06,960
Picking up right where we left off, so we now have our targets.txt, screen cap, targets.txt,

3
00:00:07,440 --> 00:00:12,760
and we've got the Spider-Man computer sitting here at 142.

4
00:00:12,780 --> 00:00:16,240
And remember our other computer is sitting at 141.

5
00:00:16,440 --> 00:00:23,490
And we're going to relay our credentials from Responder from 141 to 142 and hopefully

6
00:00:23,490 --> 00:00:25,050
get something good back.

7
00:00:25,110 --> 00:00:32,100
So we need to set up Responder, so let's go ahead and gedit, and we're gonna go edit the /etc/

8
00:00:32,400 --> 00:00:36,270
responder/Responder.conf file.

9
00:00:36,330 --> 00:00:38,110
This is the config file.

10
00:00:38,310 --> 00:00:48,260
And remember we need to turn off SMB and we need to turn off HTTP here, so your settings should look

11
00:00:48,260 --> 00:00:49,450
like this.

12
00:00:49,520 --> 00:00:55,090
Go ahead and save that, and then we're going to run Responder just like we did before.

13
00:00:55,090 --> 00:01:03,040
So we're going to say responder -I, like this, eth0, and then -rdwv, just like that,

14
00:01:03,940 --> 00:01:04,750
then hit enter.

15
00:01:04,750 --> 00:01:11,500
Once you're ready, and if we scroll up just a tad, it should look just like the picture did before, where

16
00:01:11,500 --> 00:01:14,710
we have a few more reds mixed in with these greens here.

17
00:01:14,740 --> 00:01:20,140
SMB server is off, HTTP server is off.

18
00:01:20,250 --> 00:01:22,110
So now we're listening for events.

19
00:01:22,110 --> 00:01:23,500
Now we're going to set the relay.

20
00:01:23,520 --> 00:01:25,680
So let's go ahead and open up a new tab.

21
00:01:25,680 --> 00:01:27,230
I'll make this a little bit bigger.

22
00:01:27,930 --> 00:01:32,090
And we're gonna use ntlmrelayx.py.
23
00:01:32,220 --> 00:01:37,830
We're gonna set that target file with the -tf, and that is targets.txt, and then we're just

24
00:01:37,830 --> 00:01:46,090
going to say -smb2support, and so it looks just like that. Hit enter, and now the server has been started.

25
00:01:46,120 --> 00:01:48,270
We are waiting for a connection to happen.

26
00:01:48,370 --> 00:01:50,800
So let's go ahead and trigger that connection.

27
00:01:50,890 --> 00:01:57,080
So I'm going to open up my Punisher machine, and I've already got it signed in.

28
00:01:57,090 --> 00:02:02,580
So Punisher is online here. Make sure your Punisher is online and your Spider-Man machine's online.

29
00:02:02,850 --> 00:02:06,660
And I'm going to just go ahead and point this right at my attacker machine again.

30
00:02:06,690 --> 00:02:10,310
So 192.168.57.139.

31
00:02:10,470 --> 00:02:13,410
This is the same thing we've been doing with Responder, just this time

32
00:02:13,410 --> 00:02:16,020
it's going to relay instead of capture the hash.

33
00:02:16,380 --> 00:02:17,760
So go ahead and hit enter here.

34
00:02:17,760 --> 00:02:21,930
It's gonna say there's an error, but look at what's happening here.

35
00:02:21,960 --> 00:02:22,680
Beautiful.

36
00:02:22,740 --> 00:02:23,630
OK.

37
00:02:23,730 --> 00:02:27,760
So we come in here and you can see it's connected a couple of times.

38
00:02:27,780 --> 00:02:30,250
Let's make this bigger. You see?

39
00:02:30,310 --> 00:02:30,700
OK.

40
00:02:30,700 --> 00:02:31,410
It comes in.

41
00:02:31,420 --> 00:02:35,100
It says, hey, I'm receiving this connection from 141.

42
00:02:35,110 --> 00:02:37,760
Let's go ahead and attack our target of 142.

43
00:02:37,900 --> 00:02:40,170
And it's going to authenticate, it's going to succeed.

44
00:02:40,180 --> 00:02:41,170
Why?

45
00:02:41,170 --> 00:02:44,170
Remember, SMB signing is disabled.

46
00:02:44,170 --> 00:02:45,990
Here it is enabled but not required.
47
00:02:46,000 --> 00:02:49,210
That is considered the same exact thing.

48
00:02:49,210 --> 00:02:49,510
OK.

49
00:02:49,540 --> 00:02:50,370
So it succeeds.

50
00:02:50,530 --> 00:02:59,050
And, most importantly, Frank Castle, fcastle here, is an administrator on this computer. Because this

51
00:02:59,050 --> 00:03:01,380
user is an administrator on this computer,

52
00:03:01,390 --> 00:03:02,030
guess what?

53
00:03:02,050 --> 00:03:03,670
We dump the SAM.

54
00:03:04,090 --> 00:03:11,350
So we've dumped the SAM hashes and now we have these hashes, these wonderful hashes, OK, and we can copy

55
00:03:11,350 --> 00:03:12,640
these hashes.

56
00:03:12,640 --> 00:03:13,690
We could take them offline.

57
00:03:13,690 --> 00:03:18,880
We could try to crack them, and we can try to move laterally with these hashes.

58
00:03:18,880 --> 00:03:25,530
What I want you to do is copy these hashes and we'll save them for later. We'll talk about this again

59
00:03:25,530 --> 00:03:32,950
or revisit Hashcat, work on cracking these. We'll also work on passing these around in a later section.

60
00:03:32,980 --> 00:03:38,890
So for now just know that we have dumped the SAM hashes, which is just like the shadow file on a Linux

61
00:03:38,890 --> 00:03:39,740
machine.

62
00:03:39,880 --> 00:03:42,730
And there are things that we can do with these hashes.

63
00:03:42,730 --> 00:03:48,600
So we're all building up into gaining shells, getting access, doing more cool stuff.

64
00:03:48,730 --> 00:03:51,970
But here we've got some access to this machine.

65
00:03:51,970 --> 00:03:57,960
And now we can start trying to move laterally with the access that we have, or even move vertically.

66
00:03:58,030 --> 00:04:00,430
So from here, that's it.

67
00:04:00,430 --> 00:04:06,580
I just wanted to show you this quick demonstration of how this could be potentially vulnerable.

68
00:04:06,580 --> 00:04:08,740
And this is an easy attack to pull off.
69
00:04:08,920 --> 00:04:12,370
And it's by design. Again, no settings really changed, right?

70
00:04:12,370 --> 00:04:15,640
This is just how default Windows environments are.

71
00:04:15,640 --> 00:04:22,810
So this is a very common occurrence, especially if the environment has a lot of local admins and you

72
00:04:22,810 --> 00:04:28,900
have a lot of local admins on the same machine, or the same user or a local admin on a lot of different

73
00:04:28,900 --> 00:04:30,150
machines.

74
00:04:30,160 --> 00:04:36,880
So from here we're gonna make another video, and the next video is going to cover improving upon this.

75
00:04:36,880 --> 00:04:39,570
Just one example of how we can improve upon this.

76
00:04:39,640 --> 00:04:44,830
We can actually take this and get a shell out of this, so I'm going to show you how to do that and we'll

77
00:04:44,830 --> 00:04:50,440
improve upon it, then we'll talk about how we can prevent this, or talk some defenses, and then we'll move

78
00:04:50,440 --> 00:04:51,420
on to the next attack.

79
00:04:51,460 --> 00:04:53,520
So I'll catch you over in the next video.