OK. Let's talk about our first attack. So this is called LLMNR poisoning. Now, what is LLMNR? So LLMNR is what is known as Link-Local Multicast Name Resolution. And when you say that, all we have to do is think about it as basically DNS. So it's used to identify hosts when DNS fails to do so. And this was previously known as NBT-NS, which was NetBIOS Name Service. And the key flaw here is that when we respond to this service, it actually responds back to us with a username and a password hash, and it's really bad. OK.

So we're going to take a quick overview and look at what it looks like. We're going to see how the attack is run and talk through some of the strategies, and then we're going to go ahead and actually do a live demo in the next video so you can follow along.

So let's take a look first at an overview. So let's say we have a victim up here in the corner. You see the victim machine, and it reaches out to the server and it says, hey, I want to connect to this HACKEM server. Well, really the server name was HACKME, but the user just happened to type in something wrong, which is causing a DNS issue. And that DNS issue goes out, we can't resolve it in DNS, and the server says, hey, I have no idea really what you're talking about here. And so we go out and we say, hey, broadcast a message.
I'm going to send this out to everybody. Does anybody know what this HACKEM is, or where I can go to connect to it? And us listening in the middle, this is the man-in-the-middle attack. We're going to say, hey, I know exactly where that computer is residing, and we're going to say, just send me over your hash and I'm going to get you connected. And the victim is just going to say, here you go, here's my hash.

So that's really what LLMNR poisoning is: we're sitting in the middle listening for these requests, and when that happens we're just waiting to get a response to us. We're going to run a tool called Responder, and we'll talk about that here in a second. So Responder is part of the Impacket toolkit. Now, we've run Impacket with several things in this course already. We installed it way earlier, and we even used it in some of the box walkthroughs when we used the smbclient and the psexec and the wmiexec. That's all part of Impacket. And we're gonna be using Impacket for some other attacks as well as we go through some of these common Active Directory attacks. So we're going to run a tool called Responder. It does exactly what we just described. It responds to these requests, and we just run this tool and we load it up and we're just sitting there, we're listening.
Now, my strategy is that I run this tool first thing in the morning. So if my assessment starts at 8:00, I'm running this first thing. The best time to run this is first thing in the morning or right after lunch, because people are coming back from lunch and you need a lot of traffic. So I will actually start this up before I start up any Nmap scans, any Nessus scans, anything at all. This is one of the first things that goes up. Why do I do that? Because the Nmap scan and the Nessus scan are going to generate some traffic as well, and then it might actually get some traffic talking back to you from other machines. So we're just waiting for those responses and trying to capture hashes.

So let's say here that we run Responder, and then while running Responder an event occurs. Now here, all I'm doing is I am pointing this at our attacker machine IP address. Not to worry about that too much, but just think of this as somebody typed in the wrong network drive. And this is just one example, by the way; a wrong network drive is just something failing to do DNS right. So we're trying to access this network drive and can't access it. We're just sitting here listening in the middle. For the ease of the demo we're going to point this at ourselves, but that does not always have to be true. Once that happens, an event occurs. OK, the event occurs, and it says listening for events.
Look what comes through. We get here an NTLMv2 hash right here, and we get the IP address of who we captured and the user who we captured. So you see here MARVEL\fcastle; this is our Frank Castle user, and this is their password hash. Now, there's a lot of things that we can do with this hash, and we're going to run a couple different attacks with it, but the first attack we're going to talk about is just taking this hash and trying to crack it. So we can take this hash and we're gonna run it through a tool called Hashcat, and you can see here that we actually crack the password to be Password1, which is what we set it to when we first set up the lab.

So that's really it. All we're doing here is we're listening in the man-in-the-middle situation, and this is very, very common. So what happens here is, if passwords are weak and guessable, well, then we're going to be able to crack these passwords with any sort of decent password cracking rig. And for example, I'm using a 2080 Ti, which is pretty latest and greatest, pretty powerful right now. There are some rigs out there that will stack like four to six of these 2080 Tis or even better, but you don't necessarily need that.
When I was first starting out I was using a 970 graphics card, and it was doing just fine for cracking. The better the graphics card, the better your cracking speed will be. You don't have to have the latest and greatest to perform a lot of these tasks right now, and chances are when you go work for somebody they're gonna have a cracking rig anyway. So it's not something you have to worry about too, too much. But to understand this attack: the less complex the password, the better off we are, because we're gonna be able to crack these passwords, and then once we have a cracked password account there's a lot of cool things that we can do to leverage that to actually get on to a machine. So we're going to cover that as well as we get into this and get deeper as to what we can do to get access once we have a password and how we can leverage that.

So from here, just your big takeaway is we're doing man-in-the-middle listening. We're listening for any sort of event where we can take over in place of DNS, and we're going to respond to these with the tool called Responder. We're going to pull down these hashes, take them offline and try to crack them if the passwords are weak. And when I say weak, I mean like less than 14 characters. The longest password that I've ever cracked is 19 characters, and that was a Bible verse.
So I always tell clients that just because your password is long does not mean that it's good. Your password should be non-common words or long sentences or something greater than 14 characters, but also complex. So the longer and the more complex, the better. But honestly, I will take a 40-character sentence without any complexity at all over a 14-character password that has some complexity, capital letter, exclamation point, etc., because we could still crack these, and you're gonna see that later on, us cracking a pretty lengthy password but still a guessable password. So those are the takeaways from this. Let's go ahead and move on to the next video, where we're going to actually talk about performing this. We're going to perform this live and see how to do it, and then we'll talk about the defenses as well. Let's go ahead and jump over there.