1
00:00:00,220 --> 00:00:00,590
OK.

2
00:00:00,600 --> 00:00:04,040
Now we're on to user enumeration; we're back on our machine.

3
00:00:04,050 --> 00:00:11,130
Let's just go ahead and type in shell on this, and we can look at the different types of users. First,

4
00:00:11,130 --> 00:00:12,170
let's start with ourselves.

5
00:00:12,180 --> 00:00:19,260
We could say something like whoami, and you could see on this machine we are iis apppool.

6
00:00:19,370 --> 00:00:22,310
So this means that we are not the system level user.

7
00:00:22,310 --> 00:00:23,450
That's OK.

8
00:00:23,540 --> 00:00:29,510
We can also look at our privileges: say whoami /priv, and this will provide some information,

9
00:00:29,540 --> 00:00:31,970
and all of this might not make any sense right now.

10
00:00:31,970 --> 00:00:37,730
This will come back into play later when we talk about token impersonation and how we can utilize that

11
00:00:38,390 --> 00:00:45,440
from different perspectives: one from what we call potato attacks, either Juicy Potato, Rotten Potato, etc.,

12
00:00:45,800 --> 00:00:47,960
or even just standard token impersonation.

13
00:00:47,960 --> 00:00:50,810
We'll talk about that in privileges and how they work.

14
00:00:50,810 --> 00:00:54,080
So it's very interesting but we'll dive into it later.

15
00:00:54,080 --> 00:00:55,270
Just know this whoami

16
00:00:55,270 --> 00:01:00,530
/priv command exists and that it allows us to look at different privileges that we have available to

17
00:01:00,530 --> 00:01:01,400
us.

18
00:01:01,430 --> 00:01:03,170
So, lastly, we can do

19
00:01:03,200 --> 00:01:03,950
whoami

20
00:01:03,950 --> 00:01:11,220
/groups. We can look at what groups we're involved in, so you can tell that this user is not part

21
00:01:11,220 --> 00:01:13,810
of any sort of administrative group.

22
00:01:13,890 --> 00:01:17,150
We just look to be part of standard users.

23
00:01:17,160 --> 00:01:18,320
Nothing going on here.

24
00:01:18,330 --> 00:01:19,530
That's exciting for us.

25
00:01:19,560 --> 00:01:24,300
But you never know, we might be part of an administrative group and we might have rights, and even though

26
00:01:24,300 --> 00:01:28,920
we say iis apppool, maybe it was misconfigured and we actually have added rights to begin with.

27
00:01:28,950 --> 00:01:32,530
So it's always good to look at the groups that we're belonging to.

28
00:01:32,670 --> 00:01:36,030
Now we could type in something like net user,

29
00:01:36,030 --> 00:01:39,320
and that will show us the users on this machine.

30
00:01:39,750 --> 00:01:42,630
So you could see that there are actually really just two users.

31
00:01:42,630 --> 00:01:48,690
They have a guest account, but we have administrator and then this Travis user, while the IIS service

32
00:01:48,690 --> 00:01:50,160
is what we actually landed on.

33
00:01:50,190 --> 00:01:51,830
So we're not on a real user account.

34
00:01:51,830 --> 00:01:56,190
We just happen to be a part of a service that's running, which is the IIS service.

35
00:01:56,190 --> 00:02:01,590
So what's happening here is we're taking over a service, but there are these user accounts, so maybe we

36
00:02:01,590 --> 00:02:06,720
can move laterally into a user account and then escalate into administrator, or maybe we can just escalate

37
00:02:06,720 --> 00:02:08,850
directly into an administrator account.

38
00:02:08,910 --> 00:02:14,190
We don't know quite yet, but it's good to know what's out there and how we can take advantage of it, possibly.

39
00:02:14,190 --> 00:02:20,250
We could also look at specific users, like we want to say net user Travis, and we can see information

40
00:02:20,250 --> 00:02:25,270
about Travis; we can see when their password was last set, when it expires.

41
00:02:25,350 --> 00:02:27,480
All of this is just extra information.

42
00:02:27,480 --> 00:02:28,200
Right.

43
00:02:28,290 --> 00:02:30,510
And you could see what group memberships they have.

44
00:02:30,510 --> 00:02:34,300
Same thing with net user administrator.

45
00:02:34,410 --> 00:02:38,040
We can take a look at this, and you can see what group memberships they have.

46
00:02:38,040 --> 00:02:42,930
Well, look, they're part of the administrators, whereas this Travis user is just part of the users group.

47
00:02:42,960 --> 00:02:47,610
So if we were to take over this Travis user, it still wouldn't matter, because we wouldn't be escalated

48
00:02:47,610 --> 00:02:51,940
fully; we would just be at the same level of user that we're at.

49
00:02:51,960 --> 00:02:56,640
There might be more information; maybe there's a password stored to a file or something on that user that

50
00:02:56,640 --> 00:02:58,840
we didn't have access to as the current user.

51
00:02:58,950 --> 00:03:05,160
But for now it's not an admin user. We can identify what admin user we could possibly take over just by

52
00:03:05,160 --> 00:03:08,480
doing quick user enumeration like this.

53
00:03:08,520 --> 00:03:14,880
So the other thing that we can look at is the local groups, so we could try net localgroup. Sometimes

54
00:03:14,880 --> 00:03:17,040
it works, sometimes it doesn't.

55
00:03:17,040 --> 00:03:19,980
You could see here we don't have a logon session that actually exists.

56
00:03:20,010 --> 00:03:26,110
So it's not going to work for us, but maybe we know a local group that does exist, like administrators, that

57
00:03:26,130 --> 00:03:30,360
we can say, hey, I want to look at the administrators group. Maybe there are a bunch of users and we just

58
00:03:30,360 --> 00:03:32,700
want to see who's part of that group.

59
00:03:32,760 --> 00:03:35,560
Well we could find out the membership quite easily.

60
00:03:35,640 --> 00:03:39,600
Here we see it's administrator, and that's all we have to focus on.

61
00:03:39,690 --> 00:03:41,670
So that's really it for now.

62
00:03:41,670 --> 00:03:46,230
Again, a lot of these are going to come back into play later on. I'm just trying to get you introduced to the

63
00:03:46,230 --> 00:03:53,400
basics and kind of get you introduced into what you should be looking for: system related, user related.

64
00:03:53,400 --> 00:03:58,530
And next we're going to focus on network related, so we're going to dig into some network enumeration

65
00:03:58,650 --> 00:04:00,000
and move on from there.

66
00:04:00,000 --> 00:04:02,010
So I'll catch you over in the next video.
