PowerShell is an excellent tool for post-exploitation and lateral movement through the network. If you're able to run commands on the machine, PowerShell is your friend. The previous lessons showed various ways of getting on the machine through capturing credentials, web attacks, buffer overflows, and more. You often find yourself with limited access to a machine, and the need to elevate privileges or search for sensitive information on the network. We're gonna spend some time talking about Empire. Empire is a PowerShell and Python exploitation framework. You can use it to run an incredible number of exploitation modules on Windows machines, and other machines running PowerShell or Python, and it really is an amazing tool to use for any of your post-exploitation activities. Let's take a quick look at some of the breakdown of the different details within Empire before we jump into a demo. First you have listeners. An Empire listener is basically a service that's listening on your computer for victims to connect to it.
So once you're able to run the PowerShell command on your victim machines, they'll connect back to your listener, and you're gonna be able to take full control over their systems. Next are stagers. Stagers are various macros, DLLs, and scripts that you can actually run to make the initial connection to the victim. So, a stager may be USB capabilities: some information on USB drives to actually plug into a machine and autorun on the victim machine to actually connect back to you. Or it might just be a command that you run on the system, or maybe it's macros that you can put within a Word document to execute your PowerShell commands, so the victim connects back to your system. And then there are the agents. The agents are basically all of your victim machines that you have full control over.
The modules are all of the different scripts and commands that you run on the victim machine, so they vary from taking screenshots of the victim's desktop, to turning on their webcam, to capturing their passwords from memory and capturing their passwords on their computers, to uploading and downloading files from their computer. So there's an incredible number of modules within Empire. There are over 200 modules that you can use to run various scripts on that computer and the networks that that computer is connected to. And then there's the scripts section. The scripts section is basically for you to create your own scripts to bring into the Empire framework. Okay, let's take a look at PowerShell Empire, the fully functional PowerShell exploitation framework. So we can download that straight from GitHub. Completely free. You can see it's PowerShell and Python now. We're gonna concentrate on the PowerShell side, and we're gonna run through the installation process. So here's how you download the tool. And here's a quick description of what it is.
But we just talked about the different parts of it, so let's run right through the installation. So, all we have to do is use the git clone command, and we start downloading the whole framework. And now we're gonna go into the directory. And there is a setup file within this that we can use to finish up the setup process. So, install.sh is what we're gonna run. We're gonna spend some time on PowerShell Empire, just because this is the way attacks are going: using tools that are already built into the operating system, so they won't set off any alerts. Now that we've run through the installation, we're gonna back up a directory and run PowerShell Empire. Or as they call it, just Empire now. After the intro graphic, you can see that it shows there are 267 different types of attack modules that you can use within this one framework. Half of those are PowerShell, the other half are Python. If you just type the question mark, there is a list of commands that you can do.
So anytime you get stuck and you wanna know what to do, you can just type in the question mark, and it'll tell you exactly what commands you can run. It's basically like the Metasploit framework look and feel to the command line interface. We also talked about Recon-ng in the reconnaissance lesson, where it has a similar look and feel to the actual command line. So you can see we can go to the agents menu, the listeners menu, which we discussed what they were. And there are different modules that you can run as well. The very first thing that we need to do is set up a listener. So, we can see, we type in listeners, and it brings us to the listeners menu. It also mentions there are no listeners currently active. So we're gonna create our listener for our victim machines to connect back to, so we can control those various options. We're gonna kick off the uselistener command. And you see there are various types of listeners we can create. We're gonna create the HTTP listener. So it's basically gonna do this over the web.
If you type in info at any section, it'll give more details about what you can do here. So, on the HTTP listener, we typed info, and here are the different command options we can set. So we set a name for the listener, called testListener. The Port is really important here, because if you're already running a web server on your computer, probably over port 80 or 443, we're gonna wanna set a different port value here, so the two tools do not override each other. So, here we're setting it to port 8080 instead of 80, since we do have a web server running. Any option that you wanna change, you use a set command. So, we're gonna set the name to listenertest, and that changes the name. You can see here, listenertest is now the name. We can switch the name right back to testlistener. This is just for our own purposes, for keeping track of the different listeners we have on the system. You can see the full value of the URL that we're serving up is http://, our IP address, :8080, which is the port. There's also the KillDate.
This one's interesting here, because basically we're setting up a listener on the network to listen for any of our zombie machines that we take over to connect back to us, but the KillDate basically says we can set a date where, on this date, we're gonna basically release all the victim machines and stop our listeners. The WorkingHours are the same. If you want to try to avoid any administrators finding out that you're taking over their machines, you can set working hours for your exploits. So, you can say it only runs during the day, or maybe you only want it running at night, depending on what type of work you're doing. The CertPath that you have there: if you wanna have an HTTPS listener, you will have to set a certificate path. And the Launcher, you can see it's gonna use some type of PowerShell command. So if we hit the question mark, we can see here are the options that we can run. We're gonna type execute, so we can kick off our listener. And so now we see, Listener successfully started.
If we type in the listeners command now, we can see that we have our testlistener, which is an HTTP listener. You can see the exact location of it. We don't have a KillDate set, so it'll listen as long as we have it active, until we kill it manually. So if we type in the question mark here, it gives us various options. We want to create a launcher for this listener. Basically what we need to do now is, when we create the launcher, it's gonna create a PowerShell command that we need to run on the victim machine in order for it to connect back to our Empire setup here. And so we'll take full control over the machine. So we type in launcher, and then, one nice thing about Empire is it has tab autocomplete, so you can type launcher, then you hit tab, and it brings up either powershell or python as options. We're of course using PowerShell, so we're gonna pick powershell. And then tab autocomplete. It picks the listener. And up pops the PowerShell command that we're gonna run on the other host.
So if you run that command on the host, that machine's gonna connect back to our PowerShell Empire framework. So you may ask, how would we get another machine to run that command? Well, there are various ways. We can send them a phishing email and try to get them to click on a link. We can give them a USB drive, or a malicious CD. Or we can create a malicious Word document to send to them. Once they open up the Word document, it'll launch this PowerShell command within macros, if they enable macros. But for demo purposes, we're just gonna serve up a website that has the command, and allow them to manually run the command on the system, just so you can see how a victim machine will connect back and we can take full control over their machine. So we're gonna serve up a web server over here on our local machine. And we're gonna create this file called empire.txt. And we're just gonna put that PowerShell command in there. If we look and see the file contents here, you can see it is our actual full command.
And now we're gonna start the Apache service on our computer. So now we have a web server running. And you can see the empire.txt is there. Now let's go to our victim Windows 7 machine. We're gonna type in that website, and you can see, here's the PowerShell command. Now, during penetration tests, I had the opportunity to run these commands on machines through various ways. We've talked about the phishing method. There are also times where you might be able to partially break into a machine, and you can run commands on the machine, but you cannot take full control completely yet. But if you can run certain commands, you can send it a PowerShell command to run, so it can actually connect back to you. So, in here, just for demo purposes, we are going to just manually run the PowerShell command. I'm just gonna open up a command line window. Run the PowerShell command.
You can see the PowerShell command is set to specifically remove the window, so once it runs, it's not gonna keep the window on the screen, because that would be suspicious, to see a command window appear on the desktop. It's set to automatically remove that. The actual PowerShell command is Base64 encoded, so you cannot see exactly what it's running. And now we go back to our PowerShell Empire, and we can see that the listener and agent actually connected. So, that Windows 7 machine, we ran the PowerShell command on it, and it connected to our Empire system. So now, even though the Windows 7 machine doesn't know, we have taken full control over that computer. So you can see if we type in back, you can see we have one listener and one agent currently active. One of the great things about this tool is that it's running completely in memory, so it's not tripping any type of antivirus. They don't even know that we have control over their computer. We're just completely running in the background.
So, we have full control over this machine, and we wanna look and see what type of agents we have. So if you just type in agents, you can see that it has a PowerShell agent. It sets a random name for it, and you can see the IP address, the machine name, the username (it gets kind of cut off because we don't have enough room on the screen), and you can see exactly when it connected. We probably want to rename this system, because that name doesn't make any sense to us, so we'll just call it our victim test machine. And so now you can see we renamed the system to victimTest, which makes a little bit more sense. And we have full control over this computer. You can see that we're running on that machine, on the Windows machine, using the PowerShell process, and the process ID is 3316. So, if the individual looks and sees what types of processes are running on their machine, all they're gonna see is that PowerShell's running. They're gonna see the process ID. They're not gonna know that this is actually a malicious PowerShell instance.
And the great thing about PowerShell is that it's built into Windows, so it's not really that suspicious that it would be running on the Windows machine. So, if you use the interact command, you can interact with an agent and run various commands on the agent. So we're gonna interact with victimTest, which is what we named it. And there are various things that you can run on the system. Now that we have full control over the system, we can do a variety of tasks. So you can see we can have the victim machine download a file. We can see what types of processes are running on the machine, or we can completely kill certain processes. So, a malicious individual may try killing some important processes. Of course, you'd never do that in any scenario where we're actually trying to find the other vulnerabilities. Mimikatz is one we're gonna concentrate on. Mimikatz is basically where it takes the passwords and pulls them from memory on Windows 7 and earlier versions of Microsoft Windows.
When somebody's logged into the machine, it stores their passwords in memory, so you can use it for logging into various other systems on the network using that same password. It won't keep prompting you for that same password. So, now that we're on the machine, we can just look in memory and see what passwords are sitting around. You can see we can also take screenshots. So if we type in the sysinfo command, it's telling us exact information on this system. And we can also just type in the info command, and it'll tell you all sorts of additional information relating to our PowerShell instance on this machine. So, we can also run different types of shell commands, so any command you can run on the command line on that Windows 7 machine, we can run straight from our PowerShell Empire screen. So if we just type shell and then a shell command, it runs. So we just typed in the hostname command. It showed us the name of the machine. We type ipconfig to look at the network configuration, and up pops the network configuration from the Windows 7 machine.
How about we look at the local administrators group? Sometimes it takes a second, but you can see that it pops up all the administrators that are on that machine. Somebody named administrator, sectraining, and there's a zorro user on the machine.