1 00:00:01,630 --> 00:00:06,740 In this video we are going to enumerate the LDAP using ldapsearch.
2 00:00:07,590 --> 00:00:16,970 So LDAP is a protocol, it's the Lightweight Directory Access Protocol, used to add, fetch and delete the
3 00:00:16,980 --> 00:00:23,820 objects in the Active Directory. Not only in Active Directory, we also have the Linux version of that,
4 00:00:24,720 --> 00:00:25,440 OpenLDAP.
5 00:00:25,710 --> 00:00:28,440 So whenever you see the LDAP port open,
6 00:00:28,440 --> 00:00:33,420 that means you can assume that some directory service is running on that server and it would be set up.
7 00:00:33,420 --> 00:00:38,480 So there you can authenticate and you can fetch the information on the data, etc.
8 00:00:39,060 --> 00:00:41,870 And here I have my Windows Server 2016.
9 00:00:42,740 --> 00:00:48,090 The domain name is technician in that call and I have this test one and test two.
10 00:00:49,470 --> 00:00:53,970 So by default the LDAP service will be running on this Active Directory.
11 00:00:54,420 --> 00:00:59,790 You can also install LDAP using the Server Manager on a different port as well.
12 00:01:01,650 --> 00:01:10,340 We should need the credentials for any of the users who are part of this Active Directory.
13 00:01:10,860 --> 00:01:22,350 So let's assume that you found some credentials and you can go ahead and try to authenticate.
14 00:01:22,860 --> 00:01:28,350 So if you view the help, you can see there are so many options.
15 00:01:34,200 --> 00:01:42,660 So you can use -x, that is simple authentication, and the first one is -H, which is the host, so this is
16 00:01:42,670 --> 00:01:53,040 the LDAP server and this one is the URI, and -p is for port, and there would be another option -D for
17 00:01:53,040 --> 00:01:57,330 bind, and we'll be using -w for the password.
18 00:01:58,110 --> 00:02:10,140 And this is actually the base, you need to specify an object to bind the connection to, and from a connected
19 00:02:10,140 --> 00:02:10,680 object
20 00:02:11,490 --> 00:02:14,490 we can query the subtree from this.
21 00:02:14,850 --> 00:02:17,790 So here you can see there are some computers.
22 00:02:19,800 --> 00:02:24,130 So if you go ahead and bind to this Computers, see?
23 00:02:24,150 --> 00:02:28,560 And so when it goes to Computers and the users, it takes this name.
24 00:02:29,070 --> 00:02:29,480 Control.
25 00:02:30,030 --> 00:02:37,290 Then you can only query from this down, but as well you can't query the other users, etc. So that's
26 00:02:37,290 --> 00:02:44,400 where we are binding to the domain root component, that is the domain dot local.
27 00:02:46,380 --> 00:02:54,840 So let's go ahead and see the remaining commands, and -x for simple authentication.
28 00:02:55,410 --> 00:02:57,120 So there are two types: simple.
29 00:02:57,120 --> 00:03:01,660 And so we will be using the simple authentication.
30 00:03:01,760 --> 00:03:04,710 -H host. So you can also do something like this.
31 00:03:05,820 --> 00:03:06,180 Com
32 00:03:08,820 --> 00:03:16,050 DC name, if you don't know the name of this domain controller, that's no problem.
33 00:03:16,050 --> 00:03:18,030 You can use it with your IP address as well.
34 00:03:18,510 --> 00:03:20,790 So this is my IP address.
35 00:03:20,970 --> 00:03:26,970 And then we need to specify the port, that is 389, and then we need to specify the user name.
36 00:03:28,110 --> 00:03:31,260 So user name is like 69.
37 00:03:31,260 --> 00:03:32,490 So that's test two.
38 00:03:32,850 --> 00:03:34,850 So I have the credentials of the test two.
39 00:03:34,860 --> 00:03:37,620 I can use -w for the password.
40 00:03:43,800 --> 00:03:51,480 So you can also use capital -W and it will prompt for the password, but since we'll be querying many times,
41 00:03:51,510 --> 00:03:53,040 let's put the password here.
42 00:03:53,700 --> 00:03:55,800 And the next option you need to do is
43 00:03:56,220 --> 00:03:57,390 where we want to bind.
44 00:03:57,390 --> 00:04:02,550 And that is this one, our base, that is the domain component.
45 00:04:02,880 --> 00:04:09,930 So DC stands for domain component: DC is the domain, comma, DC is local.
46 00:04:10,080 --> 00:04:12,810 So this is the distinguished name for an object.
47 00:04:13,440 --> 00:04:21,330 Whenever you go here and go to the properties and to the Attribute Editor, you can see that distinguished name,
48 00:04:21,360 --> 00:04:25,800 so you can see this distinguished name starts from the end.
49 00:04:25,800 --> 00:04:34,890 Now the Active Directory is the root, and you can see that CN goes to test two, and this is in
50 00:04:34,890 --> 00:04:44,870 the CN Users; this is not an organizational unit, so this is the normal Users, and this user is in that position.
51 00:04:53,890 --> 00:04:55,390 So that is the distinguished name.
52 00:04:58,430 --> 00:05:00,590 So it's under this distinguished name.
53 00:05:11,130 --> 00:05:19,050 Now when you hit enter and run with all of these objects, there is so much information, everything you
54 00:05:19,050 --> 00:05:21,510 can query.
55 00:05:21,720 --> 00:05:23,110 You can see there are so many.
56 00:05:23,320 --> 00:05:25,560 Now we are going to filter this.
57 00:05:28,280 --> 00:05:35,690 So we are going to apply the filter, so these objects can be treated as object classes.
58 00:05:36,080 --> 00:05:45,200 So there are some object classes like users, computers, groups, etc. So like that you can see the
59 00:05:45,200 --> 00:05:48,230 objectClass is user.
60 00:05:48,680 --> 00:05:50,750 So this is case insensitive, still you can
61 00:05:53,570 --> 00:06:00,280 type normal or capital C as well, and you can see there is so much information about all this.
62 00:06:00,620 --> 00:06:03,240 And we're going to see some of the information about that.
63 00:06:03,620 --> 00:06:08,090 User objectClasses: top, person, organizationalPerson and user.
64 00:06:08,600 --> 00:06:11,870 So this is like a hierarchy, I guess.
65 00:06:12,590 --> 00:06:18,110 And you can see all of the information, memberOf Remote Desktop Users.
66 00:06:18,290 --> 00:06:27,140 objectGUID, you can get that, and objectSid as well.
67 00:06:27,560 --> 00:06:28,580 And userPrincipalName.
68 00:06:28,580 --> 00:06:31,750 Now this is the big idea.
69 00:06:31,760 --> 00:06:34,640 And sAMAccountName is the logon name.
70 00:06:35,930 --> 00:06:40,280 So we can also get the attributes as well.
71 00:06:40,340 --> 00:06:48,320 So you can say sAMAccountName and here you can see you get Administrator, Guest, DefaultAccount,
72 00:06:48,320 --> 00:06:49,220 Windows, krbtgt.
73 00:06:49,610 --> 00:06:52,580 So this dollar is the computer account.
74 00:06:52,820 --> 00:06:53,810 So you can see the dollar.
75 00:06:53,810 --> 00:06:59,090 And that means the computer account; by default, computer accounts are also treated as user accounts.
76 00:07:00,800 --> 00:07:03,620 So there are two computers, Windows 2016 and the other one.
77 00:07:03,620 --> 00:07:10,580 And this is part of the Domain Controllers, and the KBC computer is part of this OU Computers.
78 00:07:12,750 --> 00:07:21,010 So you can put the space and you can go for distinguishedName, you can set it in, and obviously you get the
79 00:07:21,330 --> 00:07:26,500 distinguished name, so you can also get objectSid.
80 00:07:28,990 --> 00:07:32,440 And again, querying for userPrincipalName.
81 00:07:39,110 --> 00:07:42,710 We are also querying for the computers, only the computers.
82 00:07:46,440 --> 00:07:46,820 Hit enter.
83 00:07:46,920 --> 00:07:48,900 sAMAccountName.
84 00:07:52,070 --> 00:07:54,200 So these are the only two computers.
85 00:07:54,710 --> 00:07:58,550 Now, what we can do is we can also perform some operations.
86 00:07:58,580 --> 00:08:05,180 There are some operators you can do: and, or, greater than or equal to, less than or equal to, and not.
87 00:08:06,740 --> 00:08:11,000 So here you need to specify the operator, that is and.
88 00:08:12,410 --> 00:08:15,770 And the first condition is objectClass equals to user.
89 00:08:17,540 --> 00:08:24,440 And the next one is you can specify objectClass is equal to computer.
90 00:08:24,890 --> 00:08:32,090 So what we're doing is we're getting every object that is user and computer. Now hit enter.
91 00:08:39,300 --> 00:08:40,680 User and computer.
92 00:08:40,920 --> 00:08:42,720 So okay, user.
93 00:08:43,350 --> 00:08:47,970 Normally these are not computers, but these computers are also users.
94 00:08:49,260 --> 00:08:53,130 Now, what I will do is I will put an operator that is not.
95 00:08:58,200 --> 00:09:03,810 Now here we are trying to fetch all the users but not computers, and hit enter.
96 00:09:05,040 --> 00:09:09,420 And you can see we did not get Windows 2016 and KBC here.
97 00:09:09,570 --> 00:09:11,700 We are getting only the usernames.
98 00:09:12,240 --> 00:09:13,950 So user accounts.
99 00:09:20,160 --> 00:09:22,970 You can also change this to or.
100 00:09:22,980 --> 00:09:29,280 So we are getting users or not computers, so let's see what the information is.
101 00:09:41,430 --> 00:09:46,290 So we get all the information that is either user or not computer.
102 00:09:47,550 --> 00:09:48,930 We can remove this one.
103 00:09:50,910 --> 00:09:53,280 We are getting either users or computers.
104 00:09:53,970 --> 00:09:55,170 So we are getting both.
105 00:10:01,330 --> 00:10:07,660 You can go ahead and go back to the Active Directory and you can see the.
106 00:10:10,670 --> 00:10:18,710 There are some important attributes, so you can try to get them as well.
107 00:10:20,380 --> 00:10:23,240 Well, let's go and see the groups.
108 00:10:24,050 --> 00:10:26,780 So objectClass is equal to group.
109 00:10:28,520 --> 00:10:30,680 And here you can see there are so many groups.
110 00:10:32,450 --> 00:10:41,180 So particularly we are interested in admins, we're only interested in admins.
111 00:10:41,570 --> 00:10:42,060 Right.
112 00:10:42,080 --> 00:10:47,210 So I'm going to add another filter, that is.
113 00:10:49,900 --> 00:10:52,960 We can also use the wildcard, the asterisk.
114 00:10:53,830 --> 00:10:58,310 So that's name equals to star admin.
115 00:11:01,240 --> 00:11:07,870 When you hit enter, you get only the groups that have the name admin. So you're going to see
116 00:11:07,990 --> 00:11:09,520 only the administrators.
117 00:11:11,890 --> 00:11:20,950 Now what I want to do is I want to get the users for the particular group, that is Schema Admins.
118 00:11:21,070 --> 00:11:25,360 So you need to copy the distinguished name of this Schema Admins.
119 00:11:29,900 --> 00:11:30,140 Now?
120 00:11:30,250 --> 00:11:31,130 No, this one.
121 00:11:31,490 --> 00:11:40,070 Now, what we're going to do is we are going to change this: objectClass is equal to user, and the next
122 00:11:40,070 --> 00:11:47,060 one is that the user should be memberOf, and paste the distinguished name here.
123 00:11:57,940 --> 00:12:01,420 And hit enter, and there are no users under the Schema Admins.
124 00:12:02,110 --> 00:12:09,130 You can go and change this to Domain Admins.
125 00:12:14,150 --> 00:12:15,440 So Domain Admins.
126 00:12:25,210 --> 00:12:27,850 And here you can see the Administrator.
127 00:12:28,990 --> 00:12:33,250 You can also query for Remote Desktop Users as well.
128 00:13:10,870 --> 00:13:11,110 Okay.
129 00:13:11,170 --> 00:13:13,150 They are in the Builtin one.
130 00:13:21,210 --> 00:13:23,620 And you're going to see that these two users are there.
131 00:13:24,440 --> 00:13:24,720 There.
132 00:13:24,720 --> 00:13:29,710 But if you've got the credentials, you can probably RDP into them.
133 00:13:33,230 --> 00:13:41,840 So in order to get to the juicy part, let's first right click on this.
134 00:13:47,160 --> 00:13:55,890 If you go to ADSI Edit and search for userAccountControl, you will get the attributes of that
135 00:13:56,160 --> 00:14:03,490 object, and you can see there is a hexadecimal number when you are looking in this, and in ldapsearch
136 00:14:03,540 --> 00:14:05,000 we get the integer.
137 00:14:05,370 --> 00:14:10,110 So I will show you how to decode that as well.
138 00:14:10,830 --> 00:14:14,640 First, let's focus on this NORMAL_ACCOUNT and DONT_EXPIRE_PASSWORD.
139 00:14:14,670 --> 00:14:19,110 And here you can see "Do not require Kerberos preauthentication".
140 00:14:19,500 --> 00:14:28,680 So you want to go and find the accounts that have this Kerberos preauthentication option set, and then you can perform the
141 00:14:29,100 --> 00:14:30,120 AS-REP roasting.
142 00:14:31,650 --> 00:14:34,200 So first, let's fetch this userAccountControl.
143 00:14:43,390 --> 00:14:55,980 The objectClass is equals to user, and sAMAccountName and userAccountControl.
144 00:14:59,310 --> 00:15:01,770 So you can see this is the decimal number.
145 00:15:04,420 --> 00:15:05,650 Now for the user
146 00:15:05,660 --> 00:15:06,840 account control.
147 00:15:07,330 --> 00:15:08,260 Now you can.
148 00:15:15,710 --> 00:15:16,940 You can search for this.
149 00:15:17,420 --> 00:15:22,490 By default, every user will have 512, and here you can see the 514.
150 00:15:22,490 --> 00:15:25,160 So there is a table for this.
151 00:15:49,550 --> 00:15:56,570 So if you go to this website, you can see the chart here.
152 00:15:57,650 --> 00:15:59,820 So these are the
153 00:16:01,840 --> 00:16:03,850 values for this.
154 00:16:03,850 --> 00:16:12,430 Below, the flags and their values, and the second user has the 514. So that means
155 00:16:14,650 --> 00:16:23,590 it should have the NORMAL_ACCOUNT, and 512 plus 2 gives 514, that is ACCOUNTDISABLE.
156 00:16:23,920 --> 00:16:29,860 So we know we can break it into the categories, so that this has the value 514, which is the combination
157 00:16:29,860 --> 00:16:32,800 of NORMAL_ACCOUNT and ACCOUNTDISABLE.
158 00:16:34,120 --> 00:16:43,660 So in that way, if you want to convert any flag like so, let's take the example for this.
159 00:16:44,290 --> 00:16:49,480 We know that the user has this flag set.
160 00:16:50,020 --> 00:16:57,080 So we are going to copy this one, which is 4260352.
161 00:16:57,400 --> 00:17:09,820 Now if you go to this 4260352 and see what is nearest to this, which is less than that, 4260352, that's
162 00:17:09,820 --> 00:17:10,780 4194304.
163 00:17:11,080 --> 00:17:12,610 So that means you can.
164 00:17:16,330 --> 00:17:23,190 Or you can assume that this flag is set, and if you subtract this 4194304 from this 4260352, you
165 00:17:23,190 --> 00:17:27,630 get some value, and you can go and search for the remaining numbers.
166 00:17:28,020 --> 00:17:33,080 And it is below that one, and this one is below that one.
167 00:17:33,090 --> 00:17:35,970 And you can assume that flag might be set.
168 00:17:38,880 --> 00:17:45,420 So this is an interesting one, the domain controller, we have 532480.
169 00:17:45,900 --> 00:17:47,670 That is TRUSTED_FOR_DELEGATION.
170 00:17:48,030 --> 00:17:49,800 So you can see a delegation.
171 00:17:55,800 --> 00:18:00,030 So you can also use the PowerShell for this, but when I use this,
172 00:18:00,030 --> 00:18:01,050 I do not get anything.
173 00:18:03,930 --> 00:18:08,250 I have this flags value.
174 00:18:08,580 --> 00:18:12,060 Flags in the strings.
175 00:18:18,840 --> 00:18:21,720 I have only one script, and this one.
176 00:18:22,080 --> 00:18:33,570 So the script will take the integer as a parameter and tries to convert this one again to its bits.
177 00:18:34,020 --> 00:18:47,250 And for each of the bits, it is trying to divide the number by two and compare with a particular value, if
178 00:18:47,250 --> 00:18:48,500 it's one.
179 00:18:48,510 --> 00:18:54,480 So it will try and assume that this flag is set.
180 00:18:56,640 --> 00:19:04,440 So it's basically like dividing the number by two and taking the flags, checking the corresponding
181 00:19:04,440 --> 00:19:04,830 flags.
182 00:19:05,100 --> 00:19:06,330 So let's start with this one.
183 00:19:07,440 --> 00:19:13,980 I already copied the code, and so in my decode, you will see that B is one.
184 00:19:16,420 --> 00:19:25,300 So it's a PowerShell execution policy bypass, and we run UAC, and you need to pass the number, and
185 00:19:25,300 --> 00:19:31,900 here you can see it, it will go and do the operation and it will show the flags for us.
186 00:19:32,110 --> 00:19:36,670 NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD and DONT_REQ_PREAUTH.
187 00:19:37,300 --> 00:19:44,830 So you can see we got the user account with this, and so you can go and do the Kerberos
188 00:19:45,310 --> 00:19:45,560 yes,
189 00:19:45,580 --> 00:19:52,300 AS-REP roasting. Now to find this user account, you can just query for the value.
190 00:19:56,490 --> 00:20:00,780 You can go for the userAccountControl which is greater than 4194304.
191 00:20:07,900 --> 00:20:15,700 So you use greater than or equal to, so let's say userAccountControl greater than or equal to.
192 00:20:15,820 --> 00:20:18,160 So by keeping it the same, you must.
193 00:20:19,840 --> 00:20:23,350 Now, what you can do is you can copy this one, which is
194 00:20:26,050 --> 00:20:27,490 DONT_REQ_PREAUTH.
195 00:20:27,490 --> 00:20:28,180 Copy this.
196 00:20:28,810 --> 00:20:34,410 So if this flag is set, then the value should be greater than this, right?
197 00:20:35,620 --> 00:20:41,350 That means if there is any other flag set along with this one, obviously it's going to add to the number,
198 00:20:41,380 --> 00:20:42,460 but not less than this.
199 00:20:43,030 --> 00:20:45,700 So that should be greater than or equal to this flag.
200 00:20:48,390 --> 00:20:49,700 Now hit enter.
201 00:20:49,740 --> 00:20:52,530 And you can see that it's just one and two.
202 00:20:52,770 --> 00:20:59,820 So you can see this query, for the test one account, the "Do not require Kerberos preauthentication".
203 00:21:03,950 --> 00:21:11,240 Now the next thing is we are going to search for service principal names.
204 00:21:12,710 --> 00:21:21,660 So if the service principal name is set to something, that means they might be providing the
205 00:21:21,680 --> 00:21:25,190 services, so the service principal name is not checked for this one.
206 00:21:25,730 --> 00:21:27,680 I think it is set for this one.
207 00:21:30,280 --> 00:21:33,580 So we can see some service principal names.
208 00:21:34,400 --> 00:21:38,350 Now hopefully this one you can just fetch.
209 00:21:42,800 --> 00:21:45,320 Using servicePrincipalName,
210 00:21:48,170 --> 00:21:49,340 so you can query this one.
211 00:22:13,100 --> 00:22:16,700 Then we also got service principal names for the computers as well.
212 00:22:16,820 --> 00:22:18,380 So what we're going to do is.
213 00:22:22,130 --> 00:22:29,660 We are going to say not objectClass equals to computer.
214 00:22:41,080 --> 00:22:43,510 Or what we can do is to get only the users here.
215 00:22:50,040 --> 00:22:54,510 userPrincipalName is equal to star.
216 00:22:54,780 --> 00:22:55,770 There should be something.
217 00:23:02,450 --> 00:23:04,910 So this user has the servicePrincipalName set.
218 00:23:05,210 --> 00:23:11,480 So in front of that, and also I added the servicePrincipalName.
219 00:23:16,350 --> 00:23:16,680 Okay.
220 00:23:16,680 --> 00:23:24,660 We were wondering Gonder and the remaining users, categories and post one.
221 00:23:24,810 --> 00:23:26,460 You can see this one.
222 00:23:26,580 --> 00:23:32,490 You can try to Kerberoast and get the hash for this account.
223 00:23:39,420 --> 00:23:48,360 Now another thing is you can also get the operating system information as well.
224 00:23:48,870 --> 00:23:56,940 objectClass is equal to computer, and get the name and operatingSystem.
225 00:23:57,030 --> 00:24:03,580 So this should give you the idea of what operating system the computers are running.
226 00:24:03,600 --> 00:24:06,940 We can see Windows Server 2016 and the DC is not.
227 00:24:07,020 --> 00:24:08,610 So you can go and try and.
228 00:24:10,470 --> 00:24:14,130 So this is a very, very important one, operating system.
229 00:24:20,000 --> 00:24:25,760 And you can also perform these operators as well.
230 00:24:30,660 --> 00:24:32,790 Like if you have done here.
231 00:24:36,040 --> 00:24:38,020 So we have only one thing.
232 00:24:40,690 --> 00:24:45,700 So we had a real run through the objectClass and also the other attributes as well.
233 00:24:47,140 --> 00:24:48,580 So this is.
234 00:24:52,510 --> 00:24:58,190 And therefore we can do the same on the other one as well.
235 00:25:09,140 --> 00:25:14,300 So I think those are the basics about this enumeration.
236 00:25:15,620 --> 00:25:20,870 So you can also use that to query Active Directory.
237 00:25:22,070 --> 00:25:34,610 So this is similar syntax to the ldapsearch, but you can run this on this box; you should run on
238 00:25:34,610 --> 00:25:44,600 the, like, you can log in with these credentials, with the AD module, and get the PowerShell
239 00:25:44,600 --> 00:25:46,170 running, and then be as quiet as.