1
00:00:00,770 --> 00:00:01,040
All right.

2
00:00:01,050 --> 00:00:06,210
So we come to a little bit of a meaty part of the course where we're gonna do a few videos in a row

3
00:00:06,210 --> 00:00:11,100
that are kind of a little bit of Death by PowerPoint but I really need to get the point across as to

4
00:00:11,310 --> 00:00:16,590
what we're doing and why we're doing it that way you have a better understanding of the following attack

5
00:00:16,620 --> 00:00:18,080
that's about to come.

6
00:00:18,090 --> 00:00:24,600
So this first part of the videos is on token impersonation which if you've done the other Udemy course

7
00:00:24,630 --> 00:00:29,970
you've seen this in the Active Directory portion and this is a very very real thing that we see on assessments

8
00:00:30,000 --> 00:00:33,390
and you're going to see how it comes into play when it comes attack time.

9
00:00:33,420 --> 00:00:37,410
But I'm going to show you a quick overview we'll talk about token impersonation and then we'll start

10
00:00:37,410 --> 00:00:42,930
talking about the different privileges you might see in a machine and the potato attacks.

11
00:00:42,930 --> 00:00:49,470
So token impersonation, what are tokens? So tokens are basically like cookies for your computer.

12
00:00:49,470 --> 00:00:54,810
They are temporary keys that allow you to have access to a system or a network without having to provide

13
00:00:54,840 --> 00:00:57,290
credentials each time you access the file.

14
00:00:57,390 --> 00:01:01,340
So there are two types there's a delegate token and an impersonate token.

15
00:01:01,440 --> 00:01:07,440
Now the delegate tokens are what we're going to see most often, you're looking for somebody logging into

16
00:01:07,440 --> 00:01:10,280
a machine or even remote desktop.

17
00:01:10,350 --> 00:01:15,630
But say you have a situation where you're sitting at a computer and somebody comes over and switches

18
00:01:15,630 --> 00:01:21,030
user and they log in as a user while they're leaving a token behind just as you're leaving a token behind

19
00:01:21,810 --> 00:01:27,360
an impersonate token uses a script more than that interaction.

20
00:01:27,360 --> 00:01:32,430
So like attaching a network drive or domain log on script those are a little bit different you don't

21
00:01:32,430 --> 00:01:33,750
see them as much.

22
00:01:33,750 --> 00:01:38,700
So we see a lot of delegate tokens and you're going to see an example here as to why that's going to

23
00:01:38,700 --> 00:01:39,360
be bad.

24
00:01:39,480 --> 00:01:44,190
But just think of somebody like a domain admin logging in or helpdesk logging into a computer and just

25
00:01:44,190 --> 00:01:47,730
leaving a token behind who knows when that computer's going to get rebooted.

26
00:01:47,760 --> 00:01:49,920
That's the only time these tokens go away.

27
00:01:49,920 --> 00:01:52,470
So let's take a look at why this is bad.

28
00:01:53,250 --> 00:02:00,630
So here is an example from a lab that I had set up where we have a regular user named Frank Castle and

29
00:02:00,690 --> 00:02:02,820
we load this tool called Incognito.

30
00:02:02,820 --> 00:02:06,900
What you're going to see here in just a little bit, and this is part of Meterpreter, we list the

31
00:02:06,900 --> 00:02:14,860
tokens out and we say hey I have Frank Castle here and I want to impersonate Frank Castle.

32
00:02:14,880 --> 00:02:21,180
So we just say impersonate token I'm impersonating Frank Castle you go into a shell you are this user.

33
00:02:21,240 --> 00:02:22,260
So we say whoami.

34
00:02:22,800 --> 00:02:29,340
Frank Castle. OK, well let's try to run Mimikatz and we're going to run Mimikatz which is going to attempt

35
00:02:29,370 --> 00:02:36,870
to dump the LSA off of the domain controller here which is this hydra.marvel.local. All we're

36
00:02:36,870 --> 00:02:41,180
doing is nothing really malicious we're trying to dump all the hashes from the Domain Controller.

37
00:02:41,220 --> 00:02:48,290
Well this person's not a domain admin so we're getting access is denied, however had a domain

38
00:02:48,310 --> 00:02:53,930
admin token been available or an administrator token or a system token, don't think of this just from

39
00:02:53,930 --> 00:02:59,190
an Active Directory even though this is an Active Directory example think of this for

40
00:02:59,390 --> 00:03:05,060
For any sort of escalation here if you see an administrator token when you go list all tokens and you

41
00:03:05,060 --> 00:03:11,000
say hey I want to impersonate this token guess what you can drop into a shell and now you are the administrator

42
00:03:11,690 --> 00:03:16,820
and you own everything from an Active Directory perspective, if you can run Mimikatz remotely you can

43
00:03:16,820 --> 00:03:24,080
dump the LSA and you can get very sensitive hashes including the krbtgt hash which allows you to

44
00:03:24,080 --> 00:03:28,550
create golden tickets and do a lot of the nasty nasty things in the network.

45
00:03:28,550 --> 00:03:35,270
So going back just a little bit here remember we're looking for any sort of token that's available to

46
00:03:35,270 --> 00:03:35,610
us.

47
00:03:35,630 --> 00:03:41,000
So if we see the administrator token and we elevate into that token we are the administrator, we control

48
00:03:41,000 --> 00:03:42,980
that machine it's game over.

49
00:03:43,040 --> 00:03:45,140
So that's what token impersonation is.

50
00:03:45,140 --> 00:03:48,590
And it's really really bad and does show up in the real world.

51
00:03:48,620 --> 00:03:54,470
So in the next video we're gonna look at the getprivs command and whoami /all command and

52
00:03:54,470 --> 00:03:58,790
look at some of the different privileges that you might see on a system and how they can relate to being

53
00:03:58,790 --> 00:04:03,470
bad and then this is all going to tie together in the third video when we talk about potato attacks.

54
00:04:03,470 --> 00:04:05,240
So I will get you over in the next video.
