[Instructor] So we saw how PowerShell Empire can be used to exploit individual machines, but once you exploit an individual machine you wanna gain as much information about the network as possible. So you'd like to actually find out other hosts on the machine that are good targets. You wanna eventually gain sensitive information on the domain. So let's look at some tools that you can use within PowerShell Empire to actually gain important information from the network.

So there is the get computer command, which queries the domain for certain computer objects. One great thing about this is that you can set an operating system. So you can say search for all Windows 7 machines. So you can see we're typing in set operating system star seven star, and that's basically searching for any Windows 7 machine on the network. You'll probably wanna search the network for Windows XP, Windows 2000, 2003 server. So here you can see here's the XP command to search for XP machines. So let's search for Windows 7 machines on the network. You type in execute. It takes a second like all these commands. It's running all in memory and in PowerShell, so it takes a second. And you can see it popped up; here is a Windows 7 machine on the network. An individual would probably wanna use this for finding outdated machines that are not patched, such as Windows 2000, XP and 2003 server.

Let's look at more commands that you can use. So still within this PowerView section we can look at get user, and what does this do? This queries information for a given user on a domain. So you see we typed in set username incorrectly; you actually have to have the correct capitalization. So we're executing this command on the particular user; this individual probably has some higher level access. We wanna find out more information about this person. And you can see that it pulled out that this person is the display name, you can see they're a member of the domain admins user group, and enterprise admin, so you know this is an important person on the network. So, that member of is really key in there.

Usually once you find the individual you probably wanna find out what systems they're actually logged into. And that's another neat thing about this tool. It has PowerShell commands that you can use to actually find out where exactly this person is logged into the network. We're using the user hunter command, which actually searches the network for that particular person. Now that we know the person's a domain admin, we wanna know what computer they're logged into. If we can compromise that computer, then we can hopefully pull his password from memory. So it takes a second. And we can see the person is logged into this machine on the network. So now we have a machine that we're gonna wanna target in order to pull this individual's password from memory.

So we can also use a command domain controller to find out where the domain controllers are. And you can see, here is the domain controller in the network. So you can see we're looking for domain admins. We're using this command, get group members. And you can see that we found that J King individual is a member of the domain admins group, and you can also see the administrator user is a member of the domain admins group. So, we saw previously that J King was a member of the domain admins, but here's another way you can get a list of all the domain admins by just looking at get group membership, so that you can also find this out using the tool for Linux or pulling a null session, but this is another great way to find out the domain admins that are on a network. You see J King in administrators.