00:00:00,270 --> 00:00:40,090
OK. Now let's configure our domain controller. We're going to configure some policies, create some users, and just take a general look at Active Directory. So on your domain controller, go ahead and log in. Remember here that this is the clunky password that we set up: capital P, at sign, two dollar signs, lowercase w-0-r-d, exclamation point (P@$$w0rd!). This should be your administrator password. So from here we are brought again to this Server Manager dashboard. Now let's go ahead and click on Tools up here, and we're going to select Active Directory Users and Computers. So go ahead and select that.

00:00:40,760 --> 00:01:23,960
And if we click into this marvel.local here, you can see we have a few different OUs. These are organizational units. Now we've got Builtin; we've got a bunch of built-in security groups here. We have Computers: if any computers are joined to the domain, they will show up here. We've got our Domain Controllers, which is HYDRA-DC, and we've got other things here: we've got Managed Service Accounts, Foreign Security Principals, any of those. And then Users. So we've got security groups in here. I like to create a new group, and we can just right-click in here and say New and then say Group, or Organizational Unit actually.
00:01:23,960 --> 00:01:46,470
And then we can say Groups, something like this, say OK. And then I like to take all these groups out of Users and kind of drag them over and say yes, that's fine, copy these, drag these over, say yes, that's fine. And now we've got it nice and cleaned out for our Users area.

00:01:46,520 --> 00:02:23,590
Now note this little down arrow next to Guest. You see a down arrow there on the account. That means that the account has been disabled. So from here we have our administrative user. We could double-click on that. We can provide all kinds of little properties, descriptions, etc. We can pick what groups this person is a member of. So you can see that the Administrator is a member of Domain Admins, which means that they are an administrator; Enterprise Admins as well, Schema Admins, and Domain Users. So if you're a domain user, that means you are able to log into the domain.

00:02:23,620 --> 00:02:49,470
So we're going to create a couple of domain users, and we'll create another domain admin as well, or two, and just give an idea of what these accounts are going to look like. So first, let's go ahead and just right-click, and we're going to say New and then we're going to say User, and I'm going to go ahead first and create Frank Castle. So I'm just going to say Frank Castle, and then you're going to want to pick your naming convention here.
00:02:49,470 --> 00:03:16,030
So I'm just going to say fcastle, like this: first initial, last name. Go ahead and hit Next. And then here you're going to pick a password. I'm going to give him Password1 again, just like I did before. And then I'm going to say the password never expires. This is bad. I'm not going to have them change it at the next logon. Not going to say the user can change the password; it should just be like that. Finish, and then you go OK.

00:03:16,060 --> 00:04:05,090
So let's create another user. I'm going to right-click on Administrator and I'm just going to say Copy, and here I'm copying a domain admin. And so what's going to happen? Let's create another user, we'll say Tony Stark. Tony Stark is going to be our domain admin. We'll say tstark, hit Enter for Next, and we can give him a more complex password if you want. So I'm going to give him something like Password2019!@# (password, 2019, exclamation, at symbol, pound sign). It's not great by any means, but it's a little bit better. And then we'll say password never expires, Next, Finish, OK.

00:04:05,110 --> 00:04:23,060
Let's create two more users. So let's create this user here, and we're going to right-click on Frank Castle, we'll say Copy, and on this one we're going to give, we'll say Spider-Man, we'll say Peter Parker, and pparker here, OK.
00:04:23,200 --> 00:05:04,250
And then we can have a different password for Peter. We can say something like Password2, and then Password2 again, OK. Password never expires. Good. Next. Finish. And just to show you what's going on, let's click into Peter Parker. You can see Peter Parker is just a member of Domain Users because we copied that property from Frank Castle. Now if you looked at Tony Stark, you could see that Tony Stark is a member of all the same groups as this Administrator because we copied that from the Administrator. So Tony Stark is a domain administrator, which is exactly what we want right now.

00:05:04,420 --> 00:05:51,180
So we're going to create one more user. Let's go ahead and create a fake SQL account. So we're going to right-click and we're going to copy Tony Stark, and we're going to do a no-no: we're going to make this SQL service account a domain administrator. Now, your service accounts should not be domain administrator accounts, but I would say probably 70 percent of the time that I'm doing a pentest, the service accounts are domain administrators, and I'll show you here in just a few videos why that's bad and what we can do to attack those service accounts that are domain administrators. So from here, let's just call the SQL service something like this, and we'll just call this SQLService, just like that.
00:05:51,290 --> 00:06:40,460
OK. And we'll hit Next, and then on this we're going to give it a password. I'm going to give it a password, something like my password, and we'll just call it one two three pound, MYpassword. Actually, I'm messing this up, so I'm going to give you the syntax: capital M, capital Y, lowercase password, one two three, pound (MYpassword123#). Capital M, Y, lowercase password, one two three, pound. Go ahead, hit Next and Finish. So if you needed that one more time, I'll open up a Notepad, and that is MYpassword123#.

00:06:40,560 --> 00:07:27,070
All right, now I'm going to open up the SQLService user, and in the description let's say that I forgot the password, or just say "Password is" and then we'll just say something like MYpassword123#. Now, you'll see why this is bad later on, but a lot of domain administrators like to put passwords of their service accounts in the description because they think that they are the only ones that can read them. Not true. We'll see how we can read this later on. But for now, we'll just say the password is MYpassword123#. And we've got a few users in here, and we've kind of got this set up. So this is good to go. Let's go ahead and do a couple more things.
00:07:27,080 --> 00:08:17,980
So let's go ahead and set up a file share. So click on this down here, and if I click on that too fast, File and Storage Services under Server Manager, and then we're going to click on Shares right here, and then there's a Tasks up here at the top. Go ahead and just say New Share, and we'll just select SMB Share - Quick. Share location is HYDRA-DC, that's fine, C drive, and we'll just say the share name is going to be hackme, something like that. OK, hit Next, Next, Next, we're just going to use all defaults, Create and Close. So now we have this C:\Shares\hackme share.

00:08:18,150 --> 00:08:54,720
Why did we just do that? Because most domain controllers have file shares, and we've talked about this before, but we wanted to open up 139 or 445 so that we have SMB enabled on this domain controller. So if we were to scan against it, we would see that there is 139 or 445, and we can leverage some attacks against this, and we're going to enable that on our machines as well when we're searching for or having file shares on our personal user computers as well. So for now, this is good. And we're going to do a couple more things.

00:08:54,720 --> 00:09:11,490
So let's go ahead and let's open up a command prompt. So go ahead and just type in cmd and run that as an administrator, and we're going to create what is called an SPN, service principal name.
00:09:11,630 --> 00:09:36,920
And don't worry too much about what we're doing right now. We're going to talk about this way more when it comes time, and we're going to talk about the attack related to this. We're setting up an attack for Kerberoasting, and that is an attack that attacks services. OK, so we set up the SQL service. We're going to attack the SQL service, but we have to set up a service principal name, which we'll cover a bit later on in the course.

00:09:36,920 --> 00:10:47,550
So first, let's go ahead and get that set up. So we're going to say setspn, and then we're going to do a -a. And we're going to say HYDRA-DC, or whatever you named your domain controller. And then we're going to say SQLService, whatever you named your SQL service, it should be the same as mine, .marvel.local like this, and then we'll pick a port. I'm picking 60111, and then we're going to say marvel like this, and then we'll say SQLService. So again: setspn -a HYDRA-DC/SQLService.marvel.local:60111 marvel\SQLService. HYDRA-DC, which is the computer name, SQLService.marvel.local, port of 60111, and then marvel\SQLService. Hit Enter, and then it's going to say checking it, registering it, and updated that object. Perfect. Now let's make sure that it is set. So we're going to say setspn -T.
00:10:47,920 --> 00:11:22,550
And we're going to say marvel.local like this, -Q, and then a wildcard, forward slash, wildcard: setspn -T marvel.local -Q */*. Hit Enter, and down at the bottom you can see that the SQL service has been set: HYDRA-DC/SQLService.marvel.local:60111. Perfect. Okay. So now we have set up our users, we have set up our Kerberoasting attack, we have set up our SMB shares. There's one last thing we need to do. Let's close that.

00:11:22,650 --> 00:11:57,200
Let's come in here and let's start typing in Group Policy. So we've got Group Policy Management here, right-click and Run as administrator, and you can see that we've got the forest here of marvel.local. Go ahead and drill down into Domains and you see marvel.local here. I'm going to go ahead and right-click and say Create a GPO in this domain, and Link it here, and this GPO is going to be called Disable Windows Defender. All right.

00:11:57,770 --> 00:12:28,500
Now hit Enter, and I realize that some of you are going to be wondering why we're disabling Windows Defender. So let's talk about this. There are many courses out there that show you antivirus evasion and bypassing, and I think it's great, and it is important to know those topics. The reason why we're not going into that in this course is because it changes so significantly, so quickly.
00:12:28,650 --> 00:13:32,850
A lot of these attacks are still going to work regardless of the antivirus that you have. Most of these attacks are going to work. So what is important is to know the fundamentals of the attacks. If I show you AV evasion today, within two to three months it's going to be obsolete, and I hate to have that in a course and then have people get upset or frustrated that it's getting detected, because it's always changing. So I'd rather show you the foundations and the fundamentals and then let you learn the AV bypassing as the techniques come up, as the times change. Remember, being a good penetration tester is about sticking with the times and staying up to date. As long as you're staying up to date, you're going to be fine. Knowing the foundations and the basics is way more important at this stage than any AV evasion or crazy fun technique like that. So please bear with me. We're going to get through this and we're going to disable Defender. We're going to work on all these attacks, learn the basics, and then you can improve upon that from there.

00:13:32,850 --> 00:13:44,670
So go ahead and right-click on this Disable Windows Defender here and select Edit, and then we're going to navigate in this Computer Configuration right here.
00:13:44,770 --> 00:14:29,990
We're going to click on Computer Configuration, and we're going to go into Policies, and we're going to go into Administrative Templates, and we're going to select Windows Components down here, and then if you scroll all the way down there's going to be a Windows Defender, and we've got Windows Defender Antivirus right here, and we're going to click on that, and then we're going to Turn off Windows Defender Antivirus. Double-click, and we're going to select Enabled here, OK. And then we are going to Apply and select OK.

00:14:30,020 --> 00:15:02,360
Now let's also go into Windows Defender Exploit Guard and see if there's any protections that we need. There's not. Windows Defender SmartScreen, no protections that we need either. So as of right now we are good. We've got Defender turned off. We have the policy enabled. So once we actually join our domain PCs to the domain, we will have no Windows Defender enabled on them, which is perfect. That's how we want to attack this.

00:15:02,360 --> 00:15:24,200
So now let's go ahead and close this, and we have successfully configured this part of our course. What we're going to do next is we're going to finish setting up our PCs, our user PCs; we're going to join them to the domain, and we're going to enable some file shares on those, and then we're ready to start attacking those, so I'm very, very excited. Once this lab is built, we're going to be ready to roll.
00:15:24,200 --> 00:15:27,500
So I'll see you over in the next video when we join our PCs to the domain.