1
00:00:06,660 --> 00:00:08,540
- [Narrator] All versions of Windows

2
00:00:08,540 --> 00:00:11,010
store passwords as hashes.

3
00:00:11,010 --> 00:00:14,390
And basically they do that in a file called

4
00:00:14,390 --> 00:00:17,690
the Security Accounts Manager or the SAM file.

5
00:00:17,690 --> 00:00:19,660
The operating system does not know

6
00:00:19,660 --> 00:00:21,780
what the actual passwords are because basically

7
00:00:21,780 --> 00:00:25,420
it stores only a hash of the password.

8
00:00:25,420 --> 00:00:28,620
So instead of using a well-known hashing algorithm,

9
00:00:28,620 --> 00:00:31,260
Microsoft created their own implementation

10
00:00:31,260 --> 00:00:33,670
that they actually have developed over the years.

11
00:00:33,670 --> 00:00:36,240
Now in the legacy implementations,

12
00:00:36,240 --> 00:00:39,020
Microsoft had a suite of security protocols

13
00:00:39,020 --> 00:00:43,270
called NTLM or the NT LAN Manager,

14
00:00:43,270 --> 00:00:46,243
and basically they had two versions, NTLM v1 and NTLM v2.

15
00:00:48,100 --> 00:00:51,720
Since Windows 2000, basically Microsoft shifted

16
00:00:51,720 --> 00:00:55,500
to Kerberos for Windows

17
00:00:55,500 --> 00:00:58,210
domain authentication.

18
00:00:58,210 --> 00:01:01,380
Now, however, NTLM may still be used whenever

19
00:01:01,380 --> 00:01:03,230
the client is actually authenticating to a server

20
00:01:03,230 --> 00:01:05,700
via an IP address or if actually

21
00:01:05,700 --> 00:01:08,810
the client is authenticating to a server

22
00:01:08,810 --> 00:01:11,480
in a different Active Directory forest,

23
00:01:11,480 --> 00:01:16,480
configured for NTLM instead of actually doing a transitive,

24
00:01:16,540 --> 00:01:20,590
inter-forest trust using Kerberos.
25
00:01:20,590 --> 00:01:23,320
In addition, NTLM may also be used

26
00:01:23,320 --> 00:01:25,020
if the client is actually authenticating

27
00:01:25,020 --> 00:01:28,570
to a server that doesn't belong to a domain

28
00:01:28,570 --> 00:01:30,250
or if the Kerberos communication

29
00:01:30,250 --> 00:01:32,910
is actually blocked by a firewall.

30
00:01:32,910 --> 00:01:36,020
Now, you may ask, so what is the Pass-the-hash attack?

31
00:01:36,020 --> 00:01:40,140
So basically, because password hashes cannot be reversed,

32
00:01:40,140 --> 00:01:41,680
instead of actually trying to figure out

33
00:01:41,680 --> 00:01:44,980
what is actually the user's password,

34
00:01:44,980 --> 00:01:48,160
the attacker can just use the hash

35
00:01:48,160 --> 00:01:50,610
that you can actually collect from a compromised system

36
00:01:50,610 --> 00:01:51,880
and then use the same hash

37
00:01:51,880 --> 00:01:55,200
to log in to another client or another system.

38
00:01:55,200 --> 00:01:58,220
So in short, basically the Windows operating system

39
00:01:58,220 --> 00:02:01,400
and Windows applications ask users

40
00:02:01,400 --> 00:02:04,210
to enter their passwords whenever they log in,

41
00:02:04,210 --> 00:02:08,260
then the system converts the password into hashes

42
00:02:08,260 --> 00:02:11,110
and in most cases uses an actual API call,

43
00:02:11,110 --> 00:02:13,600
LsaLogonUser.

44
00:02:13,600 --> 00:02:16,010
And then a Pass-the-hash attack, you know,

45
00:02:16,010 --> 00:02:17,930
goes around this process and just sends

46
00:02:17,930 --> 00:02:21,270
the hash to the system to authenticate.
47
00:02:21,270 --> 00:02:23,660
Now in the past, many of these attackers

48
00:02:23,660 --> 00:02:26,720
have used a tool called mimikatz

49
00:02:26,720 --> 00:02:29,040
and even malware actually has used the tool

50
00:02:29,040 --> 00:02:30,560
for quite some time,

51
00:02:30,560 --> 00:02:32,930
and basically, what the tool is useful for

52
00:02:32,930 --> 00:02:36,730
is to retrieve password hashes from memory

53
00:02:36,730 --> 00:02:38,630
and that is actually very useful

54
00:02:38,630 --> 00:02:41,270
in a post-exploitation activity.

55
00:02:41,270 --> 00:02:43,320
I'm actually even including the link

56
00:02:43,320 --> 00:02:45,510
where you can actually download the mimikatz tool

57
00:02:45,510 --> 00:02:49,530
from the GitHub repository that I'm actually showing here.

58
00:02:49,530 --> 00:02:52,637
Now, Metasploit also uses mimikatz

59
00:02:52,637 --> 00:02:55,270
as a Meterpreter script to facilitate exploitation,

60
00:02:55,270 --> 00:02:58,900
without the need for you to upload any files

61
00:02:58,900 --> 00:03:01,830
to the compromised host as well.

62
00:03:01,830 --> 00:03:03,770
So you can actually also obtain

63
00:03:03,770 --> 00:03:05,530
more information about mimikatz

64
00:03:05,530 --> 00:03:07,520
and the Metasploit integration

65
00:03:07,520 --> 00:03:09,770
from the link that I'm showing on the screen.

66
00:03:10,780 --> 00:03:13,630
Now, as I mentioned to you before,

67
00:03:13,630 --> 00:03:16,860
modern Windows systems use Kerberos

68
00:03:16,860 --> 00:03:19,750
and LDAP for authentication.

69
00:03:19,750 --> 00:03:21,400
And to define Kerberos,

70
00:03:21,400 --> 00:03:23,710
Kerberos is an authentication protocol

71
00:03:23,710 --> 00:03:27,700
that is defined in RFC 4120.
72
00:03:27,700 --> 00:03:31,500
And that actually has been used by Windows for many years

73
00:03:31,500 --> 00:03:34,700
and it's also actually used in many different applications

74
00:03:34,700 --> 00:03:37,310
and other operating systems as well.

75
00:03:37,310 --> 00:03:38,970
Now talking about implementation,

76
00:03:38,970 --> 00:03:43,270
the Kerberos implementation contains three basic elements:

77
00:03:43,270 --> 00:03:45,380
the client, the server

78
00:03:45,380 --> 00:03:49,800
and the Key Distribution Center or KDC.

79
00:03:49,800 --> 00:03:52,780
And that actually includes the authentication server,

80
00:03:52,780 --> 00:03:56,790
and another server called the Ticket Granting Server.

81
00:03:56,790 --> 00:03:58,690
And here I'm showing the steps

82
00:03:58,690 --> 00:04:01,200
in the Kerberos authentication.

83
00:04:01,200 --> 00:04:03,160
The first step is actually that the client sends

84
00:04:03,160 --> 00:04:08,160
a request to the authentication server within the KDC,

85
00:04:08,240 --> 00:04:09,900
then the authentication server sends

86
00:04:09,900 --> 00:04:13,720
a session key and a Ticket Granting Ticket,

87
00:04:13,720 --> 00:04:18,720
or TGT, that is actually used to verify the client's identity.

88
00:04:18,790 --> 00:04:21,710
Then the third step is that the client actually sends

89
00:04:21,710 --> 00:04:24,850
the TGT to the Ticket Granting Server,

90
00:04:24,850 --> 00:04:27,830
then the Ticket Granting Server generates

91
00:04:27,830 --> 00:04:31,145
and sends a ticket to the client.

92
00:04:31,145 --> 00:04:33,490
Then the client presents the ticket to the server,

93
00:04:33,490 --> 00:04:36,193
and the server grants access to the client.

94
00:04:37,130 --> 00:04:41,260
Now Active Directory uses LDAP as the access protocol

95
00:04:41,260 --> 00:04:42,770
and by the way, LDAP stands

96
00:04:42,770 --> 00:04:45,653
for Lightweight Directory Access Protocol.
97
00:04:46,510 --> 00:04:49,810
The Windows LDAP implementation supports Kerberos

98
00:04:49,810 --> 00:04:53,040
authentication and also LDAP uses

99
00:04:53,040 --> 00:04:56,520
an inverted tree hierarchical structure

100
00:04:56,520 --> 00:05:00,483
called the Directory Information Tree or DIT.

101
00:05:01,730 --> 00:05:04,050
Now one of the most common attacks

102
00:05:04,050 --> 00:05:06,810
is the Kerberos Golden Ticket attack.

103
00:05:06,810 --> 00:05:10,000
An attacker can manipulate Kerberos tickets

104
00:05:10,000 --> 00:05:13,260
based on available hashes by actually compromising

105
00:05:13,260 --> 00:05:15,910
a vulnerable system and obtaining

106
00:05:15,910 --> 00:05:18,980
the local user credentials and some password hashes.

107
00:05:18,980 --> 00:05:22,030
Now, if the system is actually connected to a domain,

108
00:05:22,030 --> 00:05:26,750
the attacker can identify the Kerberos TGT

109
00:05:26,750 --> 00:05:30,800
or KRBTGT password hash

110
00:05:30,800 --> 00:05:33,470
to get the golden ticket.

111
00:05:33,470 --> 00:05:35,160
Now, there's a very popular tool

112
00:05:35,160 --> 00:05:39,050
that can be used to perform the golden ticket attack

113
00:05:39,050 --> 00:05:41,270
and many other types of attacks

114
00:05:41,270 --> 00:05:44,470
and it's actually used in post-exploitation activities

115
00:05:44,470 --> 00:05:48,800
and that tool or framework is called Empire.

116
00:05:48,800 --> 00:05:52,200
Empire is basically a post-exploitation framework

117
00:05:52,200 --> 00:05:54,930
that includes a pure PowerShell

118
00:05:54,930 --> 00:05:57,710
Windows agent and a Python agent.

119
00:05:57,710 --> 00:05:59,330
And basically it's a whole bunch of

120
00:05:59,330 --> 00:06:01,120
different PowerShell scripts

121
00:06:01,120 --> 00:06:04,036
that you can launch against a system

122
00:06:04,036 --> 00:06:06,690
to perform many of the post-exploitation activities.
123
00:06:06,690 --> 00:06:08,730
Of course, golden ticket is one of them

124
00:06:08,730 --> 00:06:10,620
but there are many other activities

125
00:06:10,620 --> 00:06:12,630
and many other things that you can actually

126
00:06:12,630 --> 00:06:14,720
do within a compromised system

127
00:06:14,720 --> 00:06:18,670
to maintain persistence, to compromise other systems,

128
00:06:18,670 --> 00:06:21,376
to move laterally and to potentially

129
00:06:21,376 --> 00:06:25,870
provide a way to do exfiltration of data.

130
00:06:25,870 --> 00:06:29,620
Now, we mentioned the golden ticket attack.

131
00:06:29,620 --> 00:06:31,460
However, there's a similar attack

132
00:06:31,460 --> 00:06:33,240
that you're probably going to guess

133
00:06:33,240 --> 00:06:35,050
is called the Silver Ticket attack,

134
00:06:35,050 --> 00:06:39,000
and silver tickets are actually forged service tickets

135
00:06:39,000 --> 00:06:42,210
for a given service on a particular server.

136
00:06:42,210 --> 00:06:46,520
The Windows Common Internet File System or CIFS

137
00:06:46,520 --> 00:06:48,845
basically allows you to access files

138
00:06:48,845 --> 00:06:53,130
on a particular server and the HOST service

139
00:06:53,130 --> 00:06:56,200
allows you to execute scheduled tasks

140
00:06:56,200 --> 00:07:00,420
or schtasks.exe.

141
00:07:00,420 --> 00:07:02,460
It also can allow you to execute

142
00:07:02,460 --> 00:07:05,090
the Windows Management Instrumentation

143
00:07:05,090 --> 00:07:09,620
or WMI on basically any given server.

144
00:07:09,620 --> 00:07:12,880
Now in order to create a silver ticket,

145
00:07:12,880 --> 00:07:15,220
you need the system account,

146
00:07:15,220 --> 00:07:19,410
which is actually the one that is ending in a $ sign.

147
00:07:19,410 --> 00:07:24,320
Now the Security Identifier for the domain is also needed,

148
00:07:24,320 --> 00:07:28,770
so the SID or the Security Identifier for that domain.
149
00:07:28,770 --> 00:07:31,730
You also need the fully qualified domain name

150
00:07:31,730 --> 00:07:34,590
and the given access service, for example,

151
00:07:34,590 --> 00:07:37,283
you know, CIFS, HOST and so on.

152
00:07:38,440 --> 00:07:40,850
Now let's shift gears and let's actually

153
00:07:40,850 --> 00:07:43,023
go over what Man-in-the-middle attacks are.

154
00:07:43,950 --> 00:07:45,590
Basically in a Man-in-the-middle attack,

155
00:07:45,590 --> 00:07:49,750
an attacker places himself or herself

156
00:07:49,750 --> 00:07:54,310
in line between two devices or two individuals

157
00:07:54,310 --> 00:07:56,120
that are communicating with each other

158
00:07:56,120 --> 00:07:59,700
and basically does that to eavesdrop or manipulate

159
00:07:59,700 --> 00:08:02,733
the data that is being transferred.

160
00:08:03,610 --> 00:08:04,930
Now a Man-in-the-middle attack

161
00:08:04,930 --> 00:08:08,850
can happen at layer 2 or at layer 3.

162
00:08:08,850 --> 00:08:11,440
Now attackers can actually perform

163
00:08:11,440 --> 00:08:14,700
Man-in-the-middle attacks by using techniques

164
00:08:14,700 --> 00:08:18,460
like ARP spoofing and ARP cache poisoning.

165
00:08:18,460 --> 00:08:20,740
And basically that's the same thing, right?

166
00:08:20,740 --> 00:08:23,970
So ARP cache poisoning, also known as ARP spoofing,

167
00:08:23,970 --> 00:08:25,780
is an example of an attack

168
00:08:25,780 --> 00:08:28,470
that actually can lead to a Man-in-the-middle scenario.
169
00:08:28,470 --> 00:08:31,790
Now an ARP spoofing attack can target hosts,

170
00:08:31,790 --> 00:08:34,410
can target switches, can target routers

171
00:08:34,410 --> 00:08:37,400
that are connected to a layer 2 network

172
00:08:37,400 --> 00:08:41,170
by actually poisoning the ARP caches of the systems

173
00:08:41,170 --> 00:08:43,680
that are connected to the subnet

174
00:08:43,680 --> 00:08:46,460
and then intercepting traffic

175
00:08:46,460 --> 00:08:51,360
that is actually intended for other hosts on that subnet.

176
00:08:51,360 --> 00:08:54,200
Now in this example, the attacker

177
00:08:54,200 --> 00:08:57,540
is actually spoofing a layer 2 MAC address

178
00:08:57,540 --> 00:09:00,309
to make the victim believe that the layer 2 address

179
00:09:00,309 --> 00:09:03,630
of the attacker is the layer 2 address

180
00:09:03,630 --> 00:09:05,980
of its default gateway.

181
00:09:05,980 --> 00:09:08,850
Now the packets that are actually supposed to go

182
00:09:08,850 --> 00:09:10,830
to the default gateway are actually forwarded

183
00:09:10,830 --> 00:09:13,100
by the switch to the layer 2 address

184
00:09:13,100 --> 00:09:17,540
or the MAC address of the attacker on the same network.

185
00:09:17,540 --> 00:09:21,471
And then of course, intercept packets, or, you know,

186
00:09:21,471 --> 00:09:24,600
look at packets that are in the clear.

187
00:09:24,600 --> 00:09:26,680
You can also potentially modify,

188
00:09:26,680 --> 00:09:29,600
you know, some of the transactions as well.

189
00:09:29,600 --> 00:09:33,070
Now, a common mitigation for ARP cache poisoning attacks

190
00:09:33,070 --> 00:09:35,470
that have been going on for many years

191
00:09:35,470 --> 00:09:39,060
is actually to use Dynamic ARP Inspection.
192
00:09:39,060 --> 00:09:40,840
And that's actually a feature

193
00:09:40,840 --> 00:09:44,250
that can be enabled in many different switches

194
00:09:44,250 --> 00:09:47,963
to prevent spoofing of the layer 2 addresses.