Post Exploitation (part 4) Setting Up a Domain Controller

Video Activity

This lesson covers using the smbexec tool to set up a domain controller. Participants get step-by-step instructions on how to access admin passwords on a system and then create a new domain admin. Participants also learn how to obtain hashes from the domain controller, which can be used to crack passwords and perform password-strength testing.


Time: 14 hours 26 minutes
Difficulty: Advanced
CEU/CPE: 15

Video Transcription
00:04
All right. I gave you an option to set up a domain controller on Windows 2008 and attach it to a Windows 7. So that was optional. If you didn't do it, you can just watch.
00:15
And
00:16
you're gonna run into a lot of domains, so it is worth knowing how to do this sort of stuff. Getting domain admin is really a goal. So I use a tool called smbexec, which I showed you how to install in the setup instructions. So, smbexec.
00:34
And go to 1, System Enumeration. And then we do 7, Remote Login Validation.
00:43
So I'm just going to give it a Windows 7, which, I'm not entirely sure what Windows 7's IP address is,
00:51
75.
00:55
All right, so
00:57
you can give it a long list. Of course, as I mentioned previously, if you've got, like, one local admin, you can try it
01:03
probably on a lot of other systems in the network. So just give it a list here, a file,
01:10
and username georgia2, just some non-domain-admin user from the domain. You can give it a hash as well; we can do that, pass the hash.
01:22
Well, as we did with, like, Mimikatz or something, we could have plain text as well. There's a tool called Responder you can use; I didn't show it in this class.
01:30
So, listen. Well, Responder's not gonna work with this unless it's plain text, because it's gonna be NetNTLM.
01:37
But, I mean, there are different ways to get password hashes besides what we've looked at in this class,
01:44
and as you continue your pentesting education, you'll run into different tools and techniques that you may like.
01:49
But georgia2's password, I think both sick one
01:56
and the domain is gonna be bulbs. georgia2 is not
02:00
a domain admin, but she is able to log in.
02:06
Do you want to look for domain admin processes? So this is gonna look for logged-in administrators. So it looks like it worked: remote access is identified,
02:17
so we will be able to log in.
02:20
However,
02:22
if I come back over to
02:23
Windows 7 and switch users
02:34
and tell it I want bulbs\administrator,
02:39
um, whatever you set your password to
02:45
for your domain.
02:46
Log in.
02:53
Now, if I do this again, now with the domain admin, and run it again,
02:58
You see the same? Yes.
03:02
And it did find Administrator logged in.
03:07
So now we can go back to the main menu, choose Obtain Hashes. So we know that a domain admin is logged in. We should be able to get the domain admin hashes,
03:17
not just hashes, but hopefully plain text passwords.
03:21
Workstation and server hashes.
03:24
I can give it that same
03:28
credentials.
03:31
I'm not totally sure georgia2 has enough privileges, but yeah, it worked: the local hashes, four cached hashes for the last four domain users. So they'll be in MS Cache format. We could do that with medicinally as well; we can ask it for its MS Cache.
03:51
Generally I tell my clients to either turn that off or keep the number that it saves as low as possible. Those by default save 10 of the last
04:00
users who logged in; there probably aren't ten domain users. And it also says it has three passwords in memory, so logged-in users. Awesome. It says those are located at logs, smbexec, and hashes.
04:16
So I'll go back to the main menu and exit. Like, log
04:34
on DDE.
04:36
That host is my host. So we've got our local hashes just from a hashdump.
04:44
We've got some cached ones. Again, these are gonna be MS Cache format. So,
04:48
um,
04:51
your hash crackers will know how to deal with them. You always have to give them, like, with hashcat, you have to do the -m.
04:59
And from memory, we were able to get
05:01
well, Password123, and like my local one, and then georgia2. But georgia2 is not a domain admin.
05:13
So from there we can
05:16
feed this into psexec
05:19
and become a local admin. Or if we had a session on there, we could do our incognito,
05:28
right,
05:29
sessions. There's 6, and we do load incognito,
05:38
list
05:40
tokens, -u.
05:43
We're currently not SYSTEM.
05:47
Well, I would have to get through all that bypass UAC stuff, but we could
05:53
become the, well, I'll do it. Why not?
05:57
Use exploit, windows, local.
06:01
You know, she
06:18
it really still isn't gonna work because it
06:21
already uploaded it once, which is really silly, and somebody should fix it.
06:32
You know, whatever reason is not a writer,
06:39
So
06:45
All right, let's see, psexec. Then use,
06:49
well, kind of do the same thing. I mean, it would make more sense to do it like that. But whatever.
06:55
exploit, windows, SMB,
06:58
psexec. Always good to have more than one way to do things. If you've noticed from watching, I bumble around through this class and make things fail all the time and then fix them. So we show our options, and I set SMBUser to Administrator,
07:15
SMBPass to Password123 and SMBDomain.
07:25
Oh, and set RHOST, too.
07:38
So now we are domain admin. We are still on the Windows 7 box. We could have done this on the domain controller as well,
07:46
um, and then we could do,
07:48
what I typically like to use if you want to create a new domain admin, which you certainly don't have to at this point, since we have domain admin credentials. But if you were to use the token,
08:01
this is another way. Like, the domain admin token is on there. Another thing you could do is impersonate the token and then add a user: net user georgia3 Password
08:13
123
08:16
Ah,
08:22
access is denied,
08:24
but I'm logged in; it's determined I'm system, right?
08:31
All right. Does that make me system?
08:35
LPs? Exactly. Do. It was, like, now actually needs He wasn't in abba.
08:41
So I really need to be able to bypass UAC.
08:45
Domain, tell me there,
08:46
I'm system now. All right, so incognito,
08:50
you know,
08:54
on and again here.
09:03
Impersonate
09:03
again.
09:05
Oh, thanks.
09:15
You ready
09:16
and if I drop into a shell, do it again. If you already have the password, which we do, this isn't necessary. Or even the hash for pass the hash; we'd pass the hash into the domain controller.
09:31
But you do have the option now that you are domain admin. Or if you did it, there's something like this, and you didn't do
09:37
your smbexec; you instead just found the token. You could add a new one.
09:43
net user georgia3
09:46
Password123
09:50
/add /domain,
09:54
net group.
10:01
Great.
10:03
Uh,
10:09
so then georgia3 is now a domain admin as well. So you just need the privileges of a domain administrator, and you can, if you like, create a new one.
10:20
I'm not entirely sure what the
10:24
76. That's on both networks. Originally, I was gonna pitch it to it, but that's a bit much really. Exit. Let's just go back into smbexec
10:41
and do Obtain Hashes
10:43
from the domain controller,
10:48
76, and
10:52
username administrator,
10:56
123.
11:00
Domain is bulbs.
11:03
And I see this a lot: people actually move the,
11:09
I know that we can just leave,
11:11
um, but they'll actually move stuff around. So this one right here, the ntds.dit, that I said they move it to other drives.
11:24
You could honestly just, like,
11:26
try different drives, if you want to be lazy about it,
11:31
um,
11:33
you could also probably psexec to it and find it,
11:39
so this will actually pull the domain passwords, well, password hashes. So this will give me more
11:46
hashes to potentially crack. If you're doing any, like, password strength
11:50
testing, this would be the way you would get them,
11:56
so we could get all the password hashes for our domain.
12:01
And, of course, we actually now have domain administrator access. So we can, they have
12:09
remote desktop? Certainly log into the domain controller with psexec into the domain controller at this point. And we have access to every system in the domain
12:20
as administrator. So I mean, I typically, like, in
12:24
classes like this, don't show
12:26
because it's really hard to set up. The domain controller is not really hard, but it's hard to hand out domain controllers, I guess. You know, I hand out virtual machines if I'm on site and then bring, like,
12:37
my
12:39
big machine that has the capture-the-flag network on it, then we can do it. But
12:43
just, like, online classes,
12:46
really difficult to hand out domain controllers. You never know what IP addresses they have to have, and they have to be set up static. So a lot of times people miss this in online classes, so you don't see it.
12:58
So if you did set up your domain controller, you could get a feel for how to do the domain stuff,
13:05
which is definitely gonna be relevant. Most people are gonna have domains.