1
00:00:00,090 --> 00:00:03,510
So to begin this attack we need a few things here.

2
00:00:03,570 --> 00:00:08,100
We need mitm6. So we're going to go ahead and just say mitm6, and we're going to

3
00:00:08,100 --> 00:00:11,260
say -d for domain name. My domain here is marvel.local.

4
00:00:11,430 --> 00:00:18,060
So we'll do -d marvel.local, we'll spin that up, and we're going to just start getting replies

5
00:00:18,060 --> 00:00:21,570
coming in from different devices in our network.

6
00:00:22,110 --> 00:00:22,590
OK.

7
00:00:22,590 --> 00:00:27,260
So from here, what we need to do is also set up a relay attack.

8
00:00:27,720 --> 00:00:32,390
So now that relay attack is going to look something like this: ntlmrelayx.py.

9
00:00:32,400 --> 00:00:33,910
This should look familiar.

10
00:00:33,930 --> 00:00:38,480
We're going to do a -6 because we're only going to work with IPv6.

11
00:00:38,550 --> 00:00:44,960
We're going to do a -t for our target, and our target is going to be ldaps://.

12
00:00:44,970 --> 00:00:48,030
This is why we set up that certificate; we could have done all that.

13
00:00:48,060 --> 00:00:52,700
Most environments have that certificate running, so it's important to do all that secure.

14
00:00:52,710 --> 00:00:55,260
And we're just going to point this right at the domain controller.

15
00:00:55,260 --> 00:01:02,010
So whatever your domain controller IP address is, mine is sitting at 144. This -wh switch is going

16
00:01:02,010 --> 00:01:10,290
to use a WPAD, so I'm going to call this fakewpad.marvel.local, and then we're going to do

17
00:01:10,290 --> 00:01:15,780
a -l, and I'm just gonna call this lootme. -l is for loot.

18
00:01:15,810 --> 00:01:22,240
So we set up loot, we can dump out some information that'll be useful to us, and we'll see how that works.

19
00:01:22,280 --> 00:01:28,200
So let's go ahead and just hit enter on this, and this is still getting some spoofed replies, but we're

20
00:01:28,200 --> 00:01:29,370
going to speed this along.

21
00:01:29,370 --> 00:01:33,620
So I'm going to go ahead and go over to my Windows 10 machine.

22
00:01:33,630 --> 00:01:41,300
I'm just gonna reboot this sucker, and this is going to allow us to see this in action.

23
00:01:41,300 --> 00:01:47,960
What's happening is IPv6 is sending out a reply, right?

24
00:01:47,970 --> 00:01:51,930
And it's saying, hey, who's got my DNS?

25
00:01:51,930 --> 00:01:54,660
And it sends it out about every 30 minutes, I believe.

26
00:01:55,050 --> 00:02:00,210
So what we're gonna do is we're just going to speed it up by shutting a computer down and then restarting

27
00:02:00,210 --> 00:02:00,670
it.

28
00:02:00,840 --> 00:02:04,380
It's going to actually go ahead and make this go a little bit faster.

29
00:02:04,740 --> 00:02:10,110
So we're going to try to authenticate. When we restart, it's going to try to authenticate first as the

30
00:02:10,140 --> 00:02:11,190
PUNISHER machine.

31
00:02:11,190 --> 00:02:17,330
You can see this by the PUNISHER$, and you can see that it's enumerating the relayed credentials.

32
00:02:17,340 --> 00:02:20,310
It's going to take a while on large domains; that's fine.

33
00:02:20,970 --> 00:02:23,360
And it's just succeeding right now.

34
00:02:23,370 --> 00:02:26,870
It's trying to see what kind of privileges it has right now.

35
00:02:26,880 --> 00:02:33,120
So it might take a minute, and it's dumping any info into the loot dir.

36
00:02:33,570 --> 00:02:36,890
So if we open this up, let's see if there's anything in here right now.

37
00:02:37,320 --> 00:02:42,900
We can go ahead and just say yes, and there's this lootme folder, so we can see in the lootme.

38
00:02:42,900 --> 00:02:44,610
And this is so exciting.

39
00:02:44,670 --> 00:02:52,590
So look at all this here: domain computers, domain computers by operating system, just domain computers,

40
00:02:52,590 --> 00:02:58,260
domain groups, domain policies, domain trusts, domain users by group.

41
00:02:58,290 --> 00:03:04,860
Now I love this, because we can come in and we could say something like Firefox, I want to see the domain

42
00:03:04,920 --> 00:03:12,090
users by group, and we can just look at the domain users by group, and I'm right after the domain admins

43
00:03:12,750 --> 00:03:14,350
on top of that.

44
00:03:14,610 --> 00:03:20,580
You know, when you have a crappy kind of admin going on.

45
00:03:20,580 --> 00:03:22,800
What about the SQL service that we set up?

46
00:03:22,950 --> 00:03:28,590
And remember when we put in the description that the password is my password 1 2 3 0.

47
00:03:28,950 --> 00:03:34,470
You know, people think that these descriptions aren't visible.

48
00:03:34,470 --> 00:03:38,090
And look, it's visible to us, and we barely did anything, right?

49
00:03:38,100 --> 00:03:41,770
We just succeeded with an account; we succeeded with a computer.

50
00:03:41,770 --> 00:03:49,260
The computer was capable of accessing this domain controller via LDAPS, logging into it, and dumping

51
00:03:49,260 --> 00:03:51,090
out any useful information to us.

52
00:03:51,570 --> 00:03:52,770
That's scary, right?

53
00:03:52,770 --> 00:03:54,850
We have all this information in our hands now.

54
00:03:54,870 --> 00:03:57,000
We can see who the domain administrators are.

55
00:03:57,210 --> 00:04:04,680
And the enterprise admins, who the users are, who we need to attack in this environment for this

56
00:04:04,680 --> 00:04:06,750
to work in our favor.

57
00:04:06,750 --> 00:04:08,180
Now let's do one more thing.

58
00:04:08,190 --> 00:04:17,130
Let's go ahead and go into our Windows 10 machine, and we're just going to say password exclamation like

59
00:04:17,130 --> 00:04:22,080
this, and you're going to see what's going to happen.

60
00:04:22,140 --> 00:04:29,130
So let's go ahead, and my mouse will come back to me, we'll go ahead over here, and here shortly it should

61
00:04:29,130 --> 00:04:33,330
attempt to log in as this user, and we'll see if it works.

62
00:04:33,390 --> 00:04:34,140
And there it did.

63
00:04:34,140 --> 00:04:38,840
And it's so fast, it just blazed through. Let me go ahead and Ctrl+C.

64
00:04:38,940 --> 00:04:43,930
So what just happened here? An admin logged into a computer.

65
00:04:43,940 --> 00:04:44,690
That's what happened.

66
00:04:44,690 --> 00:04:46,000
That's it.

67
00:04:46,010 --> 00:04:49,010
And you can see the administrator logged in somewhere on this network.

68
00:04:49,070 --> 00:04:50,960
It succeeded.

69
00:04:51,080 --> 00:04:52,340
It targeted all that.

70
00:04:52,670 --> 00:04:53,480
OK.

71
00:04:53,480 --> 00:04:59,240
And then it comes through and it tries to make a new user for us. First it sets up an access control

72
00:04:59,240 --> 00:05:00,620
list for us.

73
00:05:00,620 --> 00:05:02,300
And that's awesome.

74
00:05:02,300 --> 00:05:08,180
And then it tries to create a new user, and then it says, hey, adding new user, and here's a username and

75
00:05:08,180 --> 00:05:09,140
here's a password.

76
00:05:09,920 --> 00:05:11,200
OK.

77
00:05:11,330 --> 00:05:18,260
Now we own this domain, because what it's going to do is it's going to try to go in and it's going to

78
00:05:18,260 --> 00:05:21,910
try to grab all this information for us.

79
00:05:21,940 --> 00:05:24,280
And it's amazing what we can do.

80
00:05:24,380 --> 00:05:28,940
So let's see this information and just see how it works.

81
00:05:28,940 --> 00:05:30,080
Another thing.

82
00:05:30,230 --> 00:05:30,860
Look at this.

83
00:05:30,860 --> 00:05:33,710
Let's go ahead and go to our domain controller.

84
00:05:33,770 --> 00:05:38,750
If we go to our domain controller here and we go to our users and groups, let's refresh it.

85
00:05:38,750 --> 00:05:40,390
This is before the attack.

86
00:05:40,430 --> 00:05:46,550
Let's go ahead and do a refresh really quick, if I can find the refresh button, or I'll just refresh from

87
00:05:46,550 --> 00:05:47,240
here.

88
00:05:47,690 --> 00:05:55,250
And now look, the NFSMG, whatever this user is, is now in here, and they're a domain user, but they set up

89
00:05:55,250 --> 00:06:00,680
a policy for us to have exclusive privileges with that access control.

90
00:06:00,680 --> 00:06:07,880
And what happens is, if we actually Ctrl+C and we just cd .. and ls, it puts this aclpwn

91
00:06:07,880 --> 00:06:12,500
restore here, so we can actually restore the ACL to what it was before.

92
00:06:12,740 --> 00:06:19,160
But as of right now it's allowing this user through, and a special ACL that was created with

93
00:06:19,160 --> 00:06:20,440
this attack here.

94
00:06:20,450 --> 00:06:25,680
So this is a fantastic attack, and this isn't the only thing that it can do.

95
00:06:25,730 --> 00:06:27,290
It does so much stuff.

96
00:06:27,290 --> 00:06:30,330
I'm going to actually link down below

97
00:06:30,380 --> 00:06:32,560
some amazing things that you can do with this.

98
00:06:32,590 --> 00:06:36,290
And I want you to read up on this, because it's so fantastic.

99
00:06:36,410 --> 00:06:37,910
So I'm going to put this in here.

100
00:06:37,910 --> 00:06:44,630
Paste this real quick and just scroll down a little bit and show you this blog post, and this is one

101
00:06:44,630 --> 00:06:50,210
of the ones I use all the time, so you can run this mitm6 with what is called the delegate

102
00:06:50,210 --> 00:06:58,460
access, and say for example that you can't get an administrator to work; maybe this computer succeeds.

103
00:06:58,460 --> 00:06:58,790
Look at this.

104
00:06:58,790 --> 00:07:01,670
I caught W10$, succeeds.

105
00:07:01,730 --> 00:07:08,450
You can still add a new computer, not just a user, a new computer with the username and password, and

106
00:07:08,450 --> 00:07:12,640
you can utilize that to attack the computer that authenticated you.

107
00:07:12,820 --> 00:07:16,910
You can impersonate users on that computer that you used to set that up with.

108
00:07:17,390 --> 00:07:18,530
It's an awesome attack.

109
00:07:18,530 --> 00:07:24,860
It's called delegate impersonation or delegate access, and it's amazing.

110
00:07:24,860 --> 00:07:29,210
So I do recommend checking this out. Again, I'll put this down in the resources below.

111
00:07:29,210 --> 00:07:30,370
Great blog.

112
00:07:30,410 --> 00:07:32,990
So that is it for this attack, and in the next video

113
00:07:32,990 --> 00:07:37,100
we're going to cover how to actually defend against this attack and what you can do.

114
00:07:37,130 --> 00:07:39,460
It's fairly simple, but we'll still cover it.

115
00:07:39,500 --> 00:07:40,760
So that's it.

116
00:07:40,760 --> 00:07:42,460
I'll catch you over in the next video.