1
00:00:00,180 --> 00:00:03,450
OK, so now we have our BloodHound open.

2
00:00:03,570 --> 00:00:04,650
It's a blank screen.

3
00:00:04,650 --> 00:00:09,630
We've got our file transferred over and we're ready to do some BloodHound reviewing.

4
00:00:09,630 --> 00:00:13,140
So let's go ahead and do Upload Data over here on the right.

5
00:00:13,140 --> 00:00:20,590
It's a little up arrow, and then I have my file.zip in my home folder, so I'm going to go here and

6
00:00:20,590 --> 00:00:22,410
I'm going to go file.zip.

7
00:00:22,420 --> 00:00:24,890
We're just going to upload this.

8
00:00:24,890 --> 00:00:28,590
You can see it's processing all of the JSON files that are coming through.

9
00:00:29,260 --> 00:00:33,670
And in just a second it will have some nodes available for us.

10
00:00:33,670 --> 00:00:40,830
So now let's go ahead and click over here on the little hamburger, and you can see that we've got nine

11
00:00:40,830 --> 00:00:47,610
users, three computers, fifty-two groups, three sessions, 512 access control lists and five hundred ninety-

12
00:00:47,610 --> 00:00:49,970
two relationships.

13
00:00:50,050 --> 00:00:51,700
That's a lot of numbers.

14
00:00:51,700 --> 00:00:56,140
So what we're looking at in yours might be a little different, because it's looking at sessions, so based

15
00:00:56,140 --> 00:01:01,660
on who you have logged in at the time. And mine, you know, I've been just logging in kind of willy-

16
00:01:01,660 --> 00:01:05,500
nilly on either Frank Castle or administrator or wherever.

17
00:01:05,740 --> 00:01:10,840
So the different sessions could be different versus how you've been logging in.

18
00:01:10,840 --> 00:01:14,890
But the groups should be relatively the same, computers should be the same, users should be pretty much the

19
00:01:14,890 --> 00:01:15,740
same.

20
00:01:15,760 --> 00:01:20,440
So we can go over to Queries and they have some pre-built queries for us.

21
00:01:20,470 --> 00:01:27,740
So let's find all domain admins, and we can look here and it says hey, administrator is a domain admin,

22
00:01:28,100 --> 00:01:29,830
tstark is a domain admin.

23
00:01:29,860 --> 00:01:35,840
And if we drag this over just a bit, SQL service is a domain admin, so right away we know all the domain

24
00:01:35,870 --> 00:01:36,730
admins.

25
00:01:36,860 --> 00:01:39,920
Let's find the shortest path to the domain admin.

26
00:01:39,920 --> 00:01:41,960
And it says Domain Admins@MARVEL.local.

27
00:01:41,960 --> 00:01:43:530
Go ahead and select that.

28
00:01:43,670 --> 00:01:52,150
And it says OK, well, if we look at THEPUNISHER.MARVEL.local, well, Administrator@MARVEL.local

29
00:01:52,160 --> 00:01:57,170
has a session here. Well, I was logged in as Administrator, so the session's here.

30
00:01:57,170 --> 00:01:58,970
What does that make you think of?

31
00:01:58,970 --> 00:02:06,330
Well, OK, token impersonation, which we haven't covered yet, but token impersonation is gonna be a big one.

32
00:02:06,530 --> 00:02:12,170
We can leverage attacks against this to try to compromise the administrator accounts with Mimikatz,

33
00:02:12,200 --> 00:02:13,650
but you're going to see as well.

34
00:02:13,650 --> 00:02:21,470
So you want to target boxes where there is a domain admin logged in, and we can leverage this here. We

35
00:02:21,470 --> 00:02:25,990
could say OK, well, I don't want to target Spider-Man, Spider-Man's got nothing going on, but the Punisher.

36
00:02:26,120 --> 00:02:31,430
Now if I can get onto that machine, I get that administrator account and then I'm a domain admin, and that's

37
00:02:31,430 --> 00:02:32,600
the shortest path for me.

38
00:02:33,590 --> 00:02:34,030
Right.

39
00:02:34,340 --> 00:02:37,130
So we can look through here now. Domain Trust.

40
00:02:37,130 --> 00:02:40,570
There's nothing for us here, there's no domain trust for us to do.

41
00:02:40,700 --> 00:02:45,430
We could look through unconstrained delegation and try to find information on that.

42
00:02:45,750 --> 00:02:48,250
And there's just a bunch of pre-built queries here.

43
00:02:48,410 --> 00:02:54,700
So we haven't talked about Kerberoasting yet, but we will. Shortest path to Kerberoasting users, or

44
00:02:54,700 --> 00:03:00,710
Kerberoastable users. So there's the krbtgt account, which is a ticket granting ticket account, and the SQL

45
00:03:00,710 --> 00:03:01,870
service that we set up.

46
00:03:01,880 --> 00:03:07,340
Let's just look at SQL service, so we can look through that, and it's telling us hey, you know, the SQL

47
00:03:07,340 --> 00:03:11,240
service is part of domain admins. That's not good, right?

48
00:03:11,240 --> 00:03:17,540
And the Punisher has access, Spider-Man has access, and we'll talk about what Kerberoasting is here in

49
00:03:17,540 --> 00:03:19,390
just a few videos.

50
00:03:19,760 --> 00:03:22,220
So high value targets, we can look at that as well.

51
00:03:23,390 --> 00:03:25,340
And this is insane, right?

52
00:03:25,450 --> 00:03:28,900
But obviously the administrator is a high level target.

53
00:03:28,930 --> 00:03:34,870
So if we can, if we can capture the administrators here, or the actual administrator, that lights up all

54
00:03:34,870 --> 00:03:42,550
the different paths here where it's red, and you could see Frank Castle is AdminTo the Punisher, which

55
00:03:42,550 --> 00:03:48,910
has a session with an administrator who is part of the administrators group, who's part of the Domain

56
00:03:48,910 --> 00:03:51,860
Admins group, is part of the enterprise admins group.

57
00:03:52,030 --> 00:03:57,070
And you can kind of look through here and see all the different memberships and all these unique graphs.

58
00:03:57,100 --> 00:04:01,480
Look at this, look at the complexity that's going on here.

59
00:04:01,480 --> 00:04:02,340
Right.

60
00:04:02,440 --> 00:04:05,870
And this is just nine users, three computers.

61
00:04:06,160 --> 00:04:08,660
Imagine a network and how complex this is.

62
00:04:08,770 --> 00:04:14,740
And imagine having to try to figure this out for yourself, where we can just click a button and we know

63
00:04:14,740 --> 00:04:20,620
all the domain admins, or we can just click a button and see where the domain admin has a session.

64
00:04:20,620 --> 00:04:23,050
This is amazing stuff here.

65
00:04:23,050 --> 00:04:28,120
So when you're doing an assessment and you've got compromised, and you're on a machine, you might as well

66
00:04:28,120 --> 00:04:34,690
run BloodHound and gather as much data as you can out of that machine, out of that network, and see

67
00:04:34,690 --> 00:04:40,300
where your next movement is, and really start to target your paths, especially if you're in a timed assessment

68
00:04:40,330 --> 00:04:43,370
or you don't know your next step or next move.

69
00:04:43,390 --> 00:04:46,900
This is a great tool, really great tool to use.

70
00:04:46,900 --> 00:04:51,880
And again, just like PowerView, this just scratches the surface. There are pre-built queries and custom

71
00:04:51,880 --> 00:04:56,380
queries that you can write and define here and kind of make your own. I'll leave that up to you as

72
00:04:56,380 --> 00:04:58,940
well to do research on those, honestly.

73
00:04:58,990 --> 00:05:04,550
Me, I use pretty much what's in here as the pre-built and that's enough for me.

74
00:05:04,600 --> 00:05:10,000
But if you want to go more deep here and go into custom queries, you're welcome to do that as well.

75
00:05:10,000 --> 00:05:17,330
But this is a nice overview of what BloodHound is capable of and how you can enumerate with it, so that's

76
00:05:17,360 --> 00:05:18,490
it.

77
00:05:18,590 --> 00:05:21,550
Hopefully this was informative for you.

78
00:05:21,680 --> 00:05:26,990
I just wanted to provide a quick overview of a couple tools that we can use. The enumeration process

79
00:05:26,990 --> 00:05:28,480
never changes, right?

80
00:05:28,520 --> 00:05:34,010
Once we have an account on a network we're going to enumerate, we're going to enumerate before we get

81
00:05:34,010 --> 00:05:34,450
an account.

82
00:05:34,490 --> 00:05:36,640
We're gonna try to find access. Once we get access,

83
00:05:36,650 --> 00:05:39,980
we're going to re-enumerate, we're going to see what information we can learn.

84
00:05:39,980 --> 00:05:46,100
Once we've gathered that account, and then again every time we have access to a new machine, we don't

85
00:05:46,100 --> 00:05:50,060
know what stones that's going to uncover, as you're going to see in the next section.

86
00:05:50,060 --> 00:05:55,940
One machine to the next can be a huge difference based on who's logged in and what information that

87
00:05:55,940 --> 00:05:56,610
has on it.

88
00:05:56,630 --> 00:06:02,690
You don't know if that information on there has maybe a text file with documents or passwords in it,

89
00:06:03,350 --> 00:06:07,700
you don't know if there's an administrator logged into that computer and then we can impersonate that

90
00:06:07,700 --> 00:06:08,680
administrator.

91
00:06:08,690 --> 00:06:12,860
There's so many different things that change from machine to machine. Enumeration is important.

92
00:06:13,130 --> 00:06:17,540
And the tools and techniques all the way through this course that you've learned already, you know,

93
00:06:17,540 --> 00:06:21,670
nmap, digging around, just looking around for information is important.

94
00:06:21,740 --> 00:06:27,590
And then just adding these two tools here to your arsenal is gonna make you significantly better as a pen

95
00:06:27,590 --> 00:06:27,980
tester.

96
00:06:27,980 --> 00:06:32,420
And it'll give you something to talk about in an interview as well. You can say look, I use PowerView

97
00:06:32,480 --> 00:06:40,580
and I use that to look through for users, groups, I look through policies, group policies, computer policies,

98
00:06:41,330 --> 00:06:46,610
you know, and you'd be able to talk to those, and you could say look, I use BloodHound and I look at that

99
00:06:46,610 --> 00:06:51,950
to look at the administrators in the network, what administrators are on what machine, what's my shortest

100
00:06:51,950 --> 00:06:56,390
path to the domain admin, what are my high value targets.

101
00:06:56,480 --> 00:06:59,930
And you could talk through that as well in an interview, and you're gonna sound like you know what you're

102
00:06:59,930 --> 00:07:03,350
talking about, and it's going to make you, it's going to set you apart from other people.

103
00:07:03,380 --> 00:07:04,680
Honestly, it's going to set you apart.

104
00:07:05,030 --> 00:07:10,460
So take these two tools that I'm showing you and play around with them, get better, and you're going to

105
00:07:10,460 --> 00:07:12,200
see a big difference.

106
00:07:12,200 --> 00:07:16,930
So from here we're going to talk about post-exploitation attacks.

107
00:07:16,970 --> 00:07:22,190
So once we have compromised one account, what can we do with that account and how can we leverage that

108
00:07:22,280 --> 00:07:26,720
into other compromises and eventually own this whole network here.

109
00:07:26,720 --> 00:07:31,820
So I'm excited to move forward and cover these next sections, so I'll see you over in the next section

110
00:07:31,820 --> 00:07:33,680
when we start talking about these attacks.