Time
7 hours 47 minutes
Difficulty
Advanced
CEU/CPE
10

Video Description

This lesson focuses on gathering information in the Windows network. Participants learn about the following command:

  • nslookup: used to identify and administrate DNS servers

This lesson also discusses the following net suite tools:

  • Accounts: updates the user accounts database and modifies password and logon requirements
  • Config: displays or changes settings for the Server service
  • Group
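The lesson reads the `net accounts` output field by field (force-logoff, password ages, minimum length, history, lockout threshold). As an added example that is not part of the course material, the script below parses that output and turns the same interpretation into an audit check a defender can run over saved output: each weak setting is reported with the reason the transcript gives for why it matters. The sample output is constructed to match the values discussed in the video; the field labels are the ones `net accounts` prints on Windows, and the thresholds (8 characters, 14 days) are assumptions chosen for illustration.

```python
"""Audit a saved `net accounts` listing for weak password/lockout policy."""

# Constructed sample output, modelled on the values walked through in the video
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
"""

# Values net accounts prints in place of a number
NON_NUMERIC = {"never", "none", "unlimited"}


def parse_net_accounts(text):
    """Turn the text of `net accounts` into a {field: value} dict."""
    policy = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # trailing status line, blank lines
        # The first field label contains a "?" so split on the last colon
        key, _, value = line.rpartition(":")
        policy[key.strip()] = value.strip()
    return policy


def as_int(value):
    """Numeric value of a field, or None for Never/None/Unlimited."""
    if value.lower() in NON_NUMERIC:
        return None
    try:
        return int(value)
    except ValueError:
        return None


def assess_policy(policy, min_length=8, min_rotation_days=14):
    """Return (field, value, reason) tuples for settings worth reporting."""
    findings = []

    def flag(field, reason):
        findings.append((field, policy.get(field, "<missing>"), reason))

    length = as_int(policy.get("Minimum password length", ""))
    if length is None or length < min_length:
        flag("Minimum password length",
             "empty or very short passwords allowed; a small dictionary covers most accounts")

    if policy.get("Lockout threshold", "").lower() == "never":
        flag("Lockout threshold",
             "no lockout, so online guessing is never stopped")

    history = as_int(policy.get("Length of password history maintained", ""))
    if history is None or history < 1:
        flag("Length of password history maintained",
             "old passwords can be reused immediately, so rotation is ineffective")

    max_age = as_int(policy.get("Maximum password age (days)", ""))
    if max_age is None:
        flag("Maximum password age (days)", "passwords never expire")
    elif max_age < min_rotation_days:
        flag("Maximum password age (days)",
             "rotation so frequent that users fall back on predictable patterns")

    if policy.get("Force user logoff how long after time expires?", "").lower() == "never":
        flag("Force user logoff how long after time expires?",
             "an existing logon keeps access after the password expires")

    return findings


def audit(text):
    """Convenience wrapper: parse then assess."""
    return assess_policy(parse_net_accounts(text))


if __name__ == "__main__":
    for field, value, reason in audit(SAMPLE_NET_ACCOUNTS):
        print(f"{field}: {value} -> {reason}")
```

To audit a real host, redirect `net accounts` to a file and pass the file's contents to `audit`; the 42-day maximum age in the sample is within both thresholds and is not reported, while the four "Never"/"None"/"0" settings are.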

Video Transcription

00:04
Hello and welcome to this latest Post Exploitation Hacking: Persistence and Continued Access course. I'm Joseph Perry, and in this video we're going to be discussing gathering information in the Windows network.
00:15
Good news. For those of you who are tired of gathering information, this will be our last gathering information video. So I suppose bad news for those of you who have been enjoying it,
00:24
um, in this video, obviously we're going to discuss some tools on how to snatch data off of Windows, or off of a network using a Windows machine.
00:33
There are gonna be some similarities to Linux, although we won't actually cover sniffing and scanning in this video because, well, we've already done so,
00:41
um,
00:41
one primary difference is that Windows doesn't have many built-in, well, really any built-in tools
00:47
for gathering
00:48
efforts, scanning or sniffing. So if you wanted to do so on a Windows machine, you would actually have to bring those along using TFTP.
00:57
But of the things we're going to do in this video, everything should be
01:02
natively on your Windows build without any special downloading, TFTP, nothing crazy like that. So hopefully you'll be able to run all these commands without trouble,
01:12
and we can go ahead and start.
01:17
So the first command we're gonna use, the first one you can use in Windows, is nslookup.
01:23
It's a really, really simple one. It's only got one slide devoted to it,
01:27
and nslookup is a DNS lookup.
01:30
It actually just goes out and queries your DNS server.
01:34
It could be used for lots of things. It could be used to actually look up
01:38
DNS names. Obviously, here we say that it's used to identify and administrate DNS servers, but you can actually use it to find mail servers
01:47
and things like that. However,
01:49
those aren't especially useful to us right now
01:53
in that a lot of it either has already been covered or
01:59
isn't going to be helpful.
02:00
But it is fair that you should probably check out nslookup. You know, try a few of the commands out, see what it's got. Yeah. We see here the default server that it returned back with: cdns01.comcast.net,
02:15
so you can use that to identify where, well, not necessarily where, but obviously what DNS server they're going through. You know, who's
02:23
who. They're getting their service from that sort of thing.
02:25
Um,
02:28
That's really all nslookup is gonna be used for.
02:31
Next command, well, next suite of commands, will be net. And yes, there really is more net than what I showed you before.
02:38
Like I said, it's a very versatile suite of tools. There's a lot of stuff.
02:43
Um, in this video, we're gonna go over seven of them,
02:47
uh, accounts, config, group, sessions, statistics, view and start.
02:53
They're going to tell us pretty much everything we could ever want to know, and then quite a bit more, about Windows networking.
02:59
So, you know,
03:00
as tiring as it might be to use net over and over again, it is a handy series.
03:07
First, we're going to check out net accounts. From the help: net accounts updates the user accounts database and modifies password and logon requirements for all accounts.
03:16
When used without options, net accounts displays the current settings for password, logon limitations and domain information.
03:24
From this, we can learn a bunch about security practices. We're also gonna get a sense of how long we can actually access a user. So what I mean by that is, if you get a user's password, you find out what the password is, we can use net accounts to find out how long that password is good.
03:43
So if we get a password on, you know, the 12th, and our net accounts query shows, oh,
03:49
well, you know, passwords expire on the 14th.
03:52
we know, you know, we've got to really dig in and get everything done in the next couple of days. We don't have any sort of spare time.
03:57
If, on the other hand, we get, you know,
03:59
password requirements where they never have to change passwords, or only have to change passwords once in a great while,
04:04
first of all, that's something that you're gonna want to report to their security division when you're done with your pen test and say, hey,
04:10
you need to fix your standards. But while you're actually doing the test, it is very nice, because
04:15
if they don't have requirements, users don't just change passwords. Users like all people, are lazy, and you can usually bank on that laziness
04:25
to ah,
04:27
continue working your way through a system.
04:31
So here you see the output for net accounts. First thing, and this is
04:35
pretty much what it's gonna look like. I cleaned it up a little bit, but this is pretty close to identical to the actual output of the command. So: force user logoff how long after time expires? Never. What that means is, if a user is logged on
04:48
and their password expires, they don't get booted. So if I log onto this machine
04:56
and then I never, ever come back to it,
05:00
then you know, there
05:03
the password will remain the same, and the access from that password will remain the same forever. So long as I'm logged on, I'm going to stay that way.
05:13
So that is kind of a handy thing. If you do gain access and you know the password's going to expire, just make sure whatever you're doing doesn't get booted off the system, and you know you'll have full access.
05:24
Ah, here is the minimum password age in days, which is zero.
05:28
What that means is the password could be changed constantly without any input,
05:32
without any restriction. You can change the password every 10 seconds if you want to.
05:38
Ah, that's the minimum password age. Maximum password age is 42 days.
05:43
Ah, that's just exactly what it sounds like. The maximum password age is how long the password remains. Obviously, it's kind of tricky.
05:49
Um, if you hop on the system and you see the maximum password age is 90 days,
05:56
ah, you know, the law of probability says you've probably got some time. If you hop on and it says 12 days, first of all, you need to talk to their security guys, because that's way too short.
06:05
Um,
06:06
but second of all, you should probably work quickly because you're coming up on it one way or another.
06:12
Ah, it may surprise people to hear me say that
06:15
you know,
06:15
any degree of security for passwords is too secure,
06:18
but it should be understood that password management, password rules, can be too restrictive. If you require that users have eight special characters, four capitals, four lower case and three numbers, and have to change their password every three days,
06:32
the passwords are going to be actually much, much weaker,
06:35
because now they've got to basically come up with some tricks, some mnemonic,
06:41
um, some programmatic way of picking their new password. That's where you get things like keyboard walks and home row passwords and things like that,
06:50
which are very, very easy, trivially easy,
06:54
for a hacker to guess. So if I were to look at this information and see that the password age is really short,
06:59
ah, the password length was really long,
07:01
all of this other stuff, then I'm going to know that the passwords are gonna be ridiculous, and I can start looking for
07:08
specific patterns that are commonly used in creating passwords,
07:12
and it will actually serve to weaken your system overall.
07:15
Um, speaking of which, we see here the minimum password length is zero. So you can have password-free accounts. You can also have an account whose password is the letter A.
07:25
If I see that, then again,
07:28
I'm going to revert to super common words. You know, the 1,000 most common passwords make up roughly
07:34
80% of all passwords used. The 10,000 most common passwords make up 98 point something percent of all passwords used,
07:43
so you're pretty well safe. If you see that there's a minimum password length of zero, and their restrictions are very heavy,
07:48
then you're pretty much safe just using a 10,000-word
07:53
uh, dictionary attack, and you're probably going to get at least one of them.
07:59
There's no password history maintained, which means that they can reuse passwords immediately,
08:03
and again, as soon as a user finds that out, their password will never change. So if it's got a maximum password age of two days, but the password history maintained is none,
08:16
your password will probably stay good for a very long time, just because most users are going to say, oh, well, gotta write a new password. Nope.
08:24
Then they'll just keep the same one. Lockout threshold is never, which means you can keep trying over and over and over again to get the password. It's never gonna lock you out. It's never going to stop you from trying a new password.
08:37
If it did, if they changed that, you would see, you know, the lockout duration here, 30 minutes, would take effect, the lockout observation window, et cetera.
08:46
But since they don't lock out, you don't really care about those extra fields. They don't matter to you.
08:50
And then the last thing we see here is the computer's role, which is workstation.
08:54
That's handy, obviously, because it's a quick way to indicate, okay, I hopped onto a workstation, I hopped onto a server. I know what the
09:03
role is, what this computer is for,
09:05
and it can kind of give you a sense of how much time you really want to dedicate to it. Because if you're trying to take down their server and you see workstation, yeah, you mess with it long enough to drop a backdoor so you can pivot through it later. But you're not gonna exfil every bit of data from, you know, what may be a thin client machine or what have you. You're not going to spend too much time,
09:24
so it's a good way to move quickly and get quick information. Net config server.
09:30
Ah, this is obviously the next net command we're gonna be running. This is from the help pages: it displays or changes settings for the Server service, which is just one of my favorite names for anything, the Server service.
09:41
Uh, what it really is, it's the command line property page for your computer. When you open, like, System and you right click on Computer, Properties, that's what this is. It shows your name, operating system,
09:54
a bunch of info like that which will help you to identify
09:58
the computer and oftentimes give you information about the network at large.
10:03
So here we see the output. Server name is \\Perry-PC, which is what we've been seeing.
10:09
Um, obviously, if you saw this and you were on a corporate machine, you might know, okay, this machine belongs to a specific person. That's probably an important person. Most machines don't get named for an individual
10:22
unless the system is, unless the whole network is done like this, in which case
10:28
it's weird. But, you know, however they want to set it up, so they want to set up.
10:31
Server comment:
10:33
Perry.
10:35
So that's probably, that's usually gonna be a name,
10:37
um, or some bit of information about the machine.
10:41
Software version: Windows 7 Ultimate.
10:45
So, in this case,
10:46
you know,
10:48
you can use the software version.
10:50
I kind of know what sort of exploits or what sort of tricks you have that might work. Obviously, if you're already on the system, you've probably exploited your way in. It's always worth knowing what your surface area is for future attacks. It's not uncommon for people to lock down exploits that have been stable for very, very long. You know, things like Shellshock. Shellshock was a vulnerability in
11:11
Linux for decades, and then it suddenly got locked down, and I'm sure that someone, somewhere was very upset to see that their favorite exploit got patched.
11:20
So it's good to know things like version, even though it might seem obvious, because it may be helpful in the future.
11:26
We see that the Server service is active on these five locations. The Server service is exactly what it sounds like. It's a Windows service. So Windows,
11:35
ah, a higher level, so to speak, Windows program,
11:39
which is accepting input or accepting connections and dealing with those connections in various ways.
11:46
We see here NetBIOS, SMB.
11:48
Most of this is going to be related to NetBIOS in one capacity or another.
11:54
For watching this video, you don't really need to know what NetBIOS is, but it is worth a Google if you're curious. It's a very important Windows protocol that does a lot of useful stuff. Server hidden? No. That means that anyone from across the network can see this server if they
12:11
look for it, if they take any effort to look. We see 20 maximum logged on users from across the network.
12:18
This is actually kind of a useful trick for DoSing or for degrading network service, if you want to distract a sysadmin.
12:24
Ah, if you have, okay, maybe for an actual server it's probably closer to 1,000 or 10,000 or whatever.
12:33
But you know the maximum number of logged on users, and you see that there are people using this
12:37
for various reasons and there will be on a server.
12:41
What you can actually do is drop a quick script that will connect to all these ports that you see here a whole bunch of times and fill up its logons.
12:50
That way it's going to start kicking people. It's gonna start refusing connections, and you're gonna really upset the sysadmin,
12:56
which can be useful if you want to distract them and have them looking
13:00
at this server while you go to do something on another server, or what have you.
13:03
Also we see here the maximum open files per session, 16,384, but it's not really worth worrying about. Idle session time, 15 minutes. So this, combined with the max logged on users, is a good trick.
13:16
Like I said, if you log on, then anyone who's idle for 15 minutes is going to get booted, and when they go and try and reconnect later on, it will refuse them.
13:24
And bam, you just
13:26
not necessarily DoSed the network, but certainly upset it.


Instructed By

Joe Perry
Senior Technical Instructor at FireEye, Inc