
Hacking 101: An introductory course in hacking!

BSides Calgary · 2021 · 1:07:44 · 51 views · Published 2021-12 · Watch on YouTube ↗
About this talk
An introductory hacking course covering the fundamentals of offensive security. The instructor walks through open-source intelligence gathering, DNS reconnaissance, network scanning, and Active Directory enumeration using tools like nmap and ldapsearch, with hands-on lab exercises demonstrating credential discovery and domain controller identification.
Transcript [en]

All righty. So what I'm going to do, because you guys are the inaugural class for this new approach, and what that means, besides "yay" or "guinea pigs" (thanks, man), is we literally built part of the platform for you guys 15 minutes ago. Now, we have tested it, so it should work out; I'm not too concerned. But let's kick this off. Who, maybe, I'm not sure we can do the show-of-hands thing on this app, I don't know, who's never done anything with computer hacking at all? Unfortunately there is no show-of-hands option in this particular platform. That's okay, so maybe a chat, maybe a chat, and Marcia can keep an eye on the chat, so

just kind of get an idea of kind of where we're at. So, and then what I'm going to do, I'm going to keep a running list and I'm going to share out a screen here, but I'm trying to watch the chat and the stuff at the same time, so if I appear to be distracted and moving around, it's just because I'm doing a lot of stuff; it's not because you guys have not got my full attention, because you totally do. I'm a great believer in this kind of work, so I'm completely open to that. Okay, so that's disturbing how far back that can go, so I'm going to minimize that and we're going to go for another

thing. Oops, how about that. There we are. I can look at somebody who's having trouble with some email. Okay, good. Now, because we're going to build these, they're not even slides, they're kind of the steps, and I actually have everything written down, so trust me, we have done this before, it's just not visible. Okay, so, but I am going to try and keep my eye on the chat. There's just three people in the chat who've identified as new so far. Doug, okay, that's cool. So you know what I can do, I can move this guy down here and then I can keep an eye on the chat too. Okay, so thank you for helping us figure out how

to navigate this in the middle of an ad hoc conference call. I think we showed everybody what we got going on here earlier; it's definitely crazy. So we're going to start with the very first thing that an adversary does if they're coming at you or your organization, and that is they are looking for what we're calling OSINT, or open source intelligence gathering. So in this line of work people tend to use abbreviations and stuff like that, and we're going to start with the early, early, early steps. In some testing engagements that I've had in the past, we have had scenarios where all we got was a domain name, and that's it.

Cool, now I can see the chat too, so I'm with you. Oh, and I can see my screen. This is wicked. Okay, um, crazy. "Haven't you done this before? Why are you so impressed by technology?" If that's too small, let me know, we can pump up the font a little bit. But what we're going to do is we're going to start with the requirements. Marcy, can I get you to just go underneath? And then, there we are, that's a little better, because I could just hear a couple other people, because we've got, Marcy's doing two jobs right now, so she's right in the group that's also dealing with all the other support calls

and stuff, and we've still got support going on VPN if you need. So we're getting there. So, first thing I want you guys to do, we're going to start out with the DNS issue that we need you to solve. So here's your first question, I want you to go out and figure this out: when was Hacking 101 created? And on the internet, you have to register a domain name, you have to give somebody, you know, I usually say 20 bucks, but sometimes they put it on sale for a couple bucks first, but it'll be there, right? So, go figure that out. So you notice it's h-a-k-n-101, and it's actually hakn101.com

because maybe somebody snagged .net, because I didn't spend the extra two bucks. So just looking for it in the chat. Okay, Thursday, all right, so we got a couple. Now, what was the company that registered it?

First Fire Productions. Okay, yeah, so that's my company. Long time ago I used to be in the rock and roll business, but yep, that's not my thing anymore. But the company is a legal entity and that's my trade name, so I tend to still do that. But why would we want to do that? Why would we want to know kind of what that company is? Well, sometimes it's a support company or something like that. So the CTF this year is talking about the whole idea of compromising vendors in your supply chain. Now, does everybody know how we came up with that number and that name?

I'm hoping, like, I'd be very surprised if... whois, right, exactly. Yeah, so if anybody doesn't know what whois is and they're too scared to say something, that's okay. There was a time I didn't know any of this stuff, and there are days when I still feel like I don't. So whois: there's a number of companies that do it, that register domains, but in order to keep track of it they actually have to go look stuff up, and so everybody puts these whois servers out there, and that tends to be the name. So, yeah, you would go look that up. Now I gave you the link to that particular one,

DomainTools. I'm not affiliated with them, I have no opinion on who's better or worse or whatever, but that's kind of that first step, is to get to the bottom of it. Now the next thing is, now that you've figured out that there's a company relationship and you know that it was started a while back, how do you actually, sort of, how would you break in? Well, most people these days, especially if they only started in 2020, they're going to need some kind of remote access, right? Because nobody's going into work for the longest time. So again, let's maybe put it in the chat or something like that, but what would be some names of ways that

people could get into work? So they would have some sort of a portal, or a remote desktop, or a VPN, or something like that, and those names are going to be, you know, published in DNS, and you'll be able to go query and look that up. So, what's the question here: what would be an IP address of a remote access portal for this company? That's what I'm trying to say; I'm trying to navigate the screens. So the best way to do this is think of some names that are plausible names for remote access. So throw them in the chat or shout them out and we'll answer for that, because your hacker doesn't know anything about it.

Okay, so Jonathan put in employees.hakn101. All right, so let's just call this "plausible names".

Okay, and I don't know how to spell, we already know that. So "employees", and we're going to put them down like this just because it's kind of an easier way to do that. Don't worry about the .hakn101, because they're all going to end in that. So what other names would be good? "remote", am I liking that? Yeah, that sounds good. "login" and "portal", okay, we're starting to get some hints here. Anything else?

"support", I like that. Okay, and "admin", oh, Jonathan's already going for the big guns, hoping for a login redirect. "ra" for remote access, yeah, okay, so you guys are getting the idea. Oh, Addy, how's it going, man? Good to see you. Yeah, and "sodium", okay, somebody's peeking ahead. But there's some other ways to do that, so now there's scripts and you can mechanize and things like that. So yeah, "find a list of all subdomains", so that one that Tyler's already put in is great. So there are tools on the internet, you don't even need to go look this up by hand, but I like that: pentest tools, and just go gather that

stuff. All right, so if you look some of those up, do any of them have a similar IP address? Because lots of times they're going to have multiple names, because people can't remember. So if you ran a few of those, would we be coming up with a name, or a plausible name? Let me get back to my chat here. Okay, yeah, Tyler, you've got those, so you came up with "remote", "portal", and "webaccess". Cool. All right, what's the IP address for any of those? Because obviously you're going to have to know that, and you might want to look at that first before... Hey, Kelly, this is the same Kelly Madsen from Bell Canada days, correct? The mundo,

yeah, looking good. Well, still breathing, eh? Yeah, good to see you, man. Excellent. So, and show you how long it's been, I forget myself. So let's just take a look, let's bring up another Chrome browser.

Okay, so Jason's got it in here.

I'm liking this. So he's put it in the text, so I'm sharing it on the screen if you're not watching. Just for laughs, can somebody run... let's try some other names. Let's try, oops, that's not the one, let's try "desktop", just for laughs.

So here's another one. I like these guys just because there's no ads, so it's just a creature-of-habit kind of thing. But if we were to do, let's see here, was it "desktop"?

Look it up. What are you telling me here? 40, and it also says it's sodium, right? Okay, so that's all looking good. So at this point I'm thinking we're comfortable thinking that's probably the asset. Okay, so now how do you know what that is? That's kind of that next thing. So the adversary, they found you, so to speak; they know you're living at 40.69.102, but now you actually got to go figure out what that is. Now, because you haven't got onto the... there's another tool that you'd be using to do this, and we're in that chicken-and-egg situation, so I'm not going to endanger

our time together with that. So I'm going to put the URL in there. It's an http. It says, "we found it," and this should work too, so "portal" should work. Let's strike for it, because that's when you guys found, honestly,

the fact that there's no "desktop" tells me that pentest tools doesn't have a very fulsome word list, because "desktop" should be in there. But you'll notice this one, if you look in the chat, is actually on port 8080. So what happens when you type that URL into your browser? What do you get?

I'm trying to look at the camera and go, "this computer, just a little bit." "Not secure." Well, it's a hacking class, what did you expect? No, "not secure" just means that you're not using HTTPS. And yeah, it is there, so this login portal, right? So let's bring our other browser up, our other Chrome, just so we can see it. I need the empty Chrome. Where is it? It's here somewhere. Really? Let's just do this, new window. Give me a new window, thank you. A nice clean new window without all the stuff in there. All right, so let's just grab it. Oh, and "default creds don't work." Okay, did you notice I didn't say, "hey, try some

lousy creds and see if that helps"? Like, that's the hacker mindset: "I don't know, I'm here, let me try something." That's Hacking 101 right there. "Did you have permission for this?" No, but in this case you do indeed have permission. All right, so it's not secure, and yeah, we got that, and it says it's a login screen, so we've sort of figured that out. That makes sense that it's "portal". And yeah, let's try, what's a good default username and password pair? So "admin" and "password". You can try this all day; you're going to be there all day. Okay, thanks, Kelly, we'll talk to you soon. Empty password, yeah, try it. But yeah, this is exactly what they do, so

what we want to do instead: you guys have found the desktop, so good for you. That was really that first user log... let's see if we get out. Okay, so the good news is it's nothing that hard. All right, so I want you guys to each call out a number between, let's see here, 3 and 20, and say "I'm number three," "I'm number four," and you watch in the chat. Okay, 19, 17, okay, good. Yeah, no robots.txt. Hey, somebody was peeking ahead. Now, you can't all be 19. That's 2, 19. Okay, so right there you can see it, it's hakr0, so h-a-k-r-0, so you would be hakr7,

Jason, you would be hakr13, and a 19.5, sorry, and so forth. So once you do the hakr0 thing, in my case, you're going to log in, and your password is the deceptively simple "okay to log in". And sorry, I skipped one step, so let me log out, just hang on, humor me for one sec. This was the other thing you were supposed to do, my bad. So log out. Come on, log out, you can do it. It's thinking. And then log in. Thank you. Okay, right here, if we refresh, right here you're going to see that little green bowl up there in the top corner, and if you want to know what's going on,

about what is this thing? Is this a Citrix front end? Is this a NetScaler front end? Is it a Microsoft Azure Virtual Desktop, that sort of thing? Why would you want to know that? Well, because you're going to need to attack it differently each time. So one of the things you want to do, this is a real easy thing, comes free with every browser: View Page Source. And now you can look in here. Most of these apps, even these front-end apps, have little tool marks that say what they are, and nobody ever goes in and cleans all this stuff up because they think, "oh, it's a login page," but that can really help out an

adversary. So what you're looking for here is funny things that are sort of unusual. So look at that one: "block notification dot get status", "guac" is not a common thing. But remember that green bowl up at the top. Okay, some of this other stuff, that Angular, well, that's just a normal web framework kind of thing. But this is, like, deceptively easy, and it works so well so many times: just grab that little code and throw that into Google, and can you tell who's actually made this thing?

So Jonathan's picked up correctly that there's an nginx proxy in front of it, but that's just a web server. The app that's running on that web server is actually what it is. So right here, look at this: "bootstrap guacamole 1914 guacamole client". So now I'm just looking for hacks for Guacamole, and not how to make guacamole, which I happen to love. But this is the platform that she would be doing. So that's kind of where we're at. We're not going to go into "here's how you would find an exploit and write one" and blah blah blah, because this takes a long time, guys, it really does. But what you're doing here, what we've just done,

is, in just less than 20 minutes, you took a domain you knew nothing about and you figured out stuff. So we figured out the software that they're running: nginx, and they're running Guacamole. We figured out who actually owns it, we know their addresses, we might even know something if we were to Google First Fire Productions. Right now you're going to find that website's down, because it's on the pile of things that I haven't done that need to get done again. But yeah, you guys have gone through whois and all the rest, but I am actually pulling this from MITRE ATT&CK, so these are the recon steps that they have observed time in,

day in and day out, from organized crime, nation-state actors, all that kind of stuff. You guys are doing the exact same steps. So, so far, was there anything here that you didn't think you could handle? Did anybody think that was too hard? I don't see... yeah, "I got this," or "no, this is still above my head." Picking it up, yeah, cool. "Picking a number between 4 and 19 was the hardest part we've had so far." Exactly. So step by step is how this goes about, and the reason MITRE has put this in a framework, and I'm happy to go on about MITRE for an hour, I'm a big fan, we're not going to, but

hit me up offline or just Google it, there's tons of free stuff. But they literally walk through how people hack stuff, and these are the things you got to look for. But you know, folks, in just 15, 20 minutes we did this. Now, what you're not picking up right now is, when it's truly a nation-state adversary, they're going to find out who works there, where they like to go shopping, who their Facebook friends are. They'll friend them on LinkedIn, they'll do all that kind of stuff to start moving that pretext. How do they know who to talk to? How do they know how to target? Great, well, right now I can maybe join a Guacamole

users group and look for people that work at Hacking 101 and become their friend in the users group. There's lots of angles in, because you know something about them and they don't know that you know. So we've got there. So now let's go back to getting onto our desktop itself. Yeah, and so we figured out Guacamole, there's me, and now you can guess the password all day, or you can look in the chat and you'll see that it's all lowercase, "okay to login", and that is going to bring you into this Kali instance. Now, I really want to thank the guys at Bow Valley, and the gals of Bow Valley, that did this.

They are not only sponsoring this, they paid for this, so the meter's running on this. This is running in Azure cloud, and there's a reason that Microsoft is the second richest company in the world right now, behind Amazon: cloud costs money, and the meter's running. They're paying the meter, so it's all good. So this is just part of what they're doing to give back to the community. But I really like this platform, because, you know, we've spent all morning trying to get some people's VPNs and their Kali instance in, and here you just logged in. It was great. And if you like this, you could maybe turn it on for your home hacking machine. It

would work fine. But this is a Kali instance. How many people don't know what Kali is?

Okay, Kylie, no problem. So Kali started out way back when as sort of a hang-together Linux, and the, you know, guide hackers would sort of add stuff, and it was pretty flaky. It's moved into this very organized, rigorous thing. And TJ gets the prize, because BackTrack was the original thing, and when I saw it back then, "yeah, I'm going to build my own machine," and back then I used to try and maintain them, but it's been years since I went down that. I think the last time I was at DEF CON I got excited about trying to do something on something like Parrot Linux or whatever, because some guy was talking, "oh, everybody's just, Kali sucks." Yeah, no

way, just, I use it now. And this Offensive Security company, they actually are a legitimate company. They provide training, they do all this stuff, they maintain this instance. So it's an actual operating system with all kinds of security and forensic tools, and for the most part the stuff just works, like it used to be when I was doing this. kali.org, yes, exactly. And although it's hacking and dangerous and all this, it's really not. When you pull down one of those ISOs and build it yourself on a virtual machine, it's the real thing, it's trustworthy, it doesn't contain malware. Right now we're on it; you can debug malware on it, but it doesn't have malware on its own.

It is a testing tool by a professional organization that literally sells classes on how to use this. If this stuff floats your boat, great, they've got all kinds of free stuff. As a tester, as an auditor, if you're not using a tool like this, you have a big gap in your security knowledge. And that's kind of what started this: I had some guys and gals that I worked with, and I was joking around, it's like, "yeah, it's not like they haven't run nmap before," and somebody put up their hand that "I've never done that; does that mean I'm not a real security person?" No, that's not it. So yeah, that's not what we're doing. So

we got in. Now, what we've done right now, let's pretend for a second: how did I get that credential? What's a common way that people lose their credentials? And I'm watching the chat while I'm trying to copy and paste something. What's the normal way people lose their credentials? Sorry if I'm going backwards here. "Gets leaked," yep. So phishing, phishing number one, yes. "Get the fire truck out, there's fishing." "Jinx," yeah, sometimes it's just bad luck. But yeah, definitely. So you have your account on one company and their stuff gets breached, and you happen to use the same username and password, or a similar username and password, so they just guessed

and off they went. So yeah, accidentally typing the username in the password field, oh yeah, I've done that one, and it goes in a log somewhere and somebody's on the bathroom total... So somehow, some way, they lose their creds. Now, you guys got lucky, you just looked down in that bottom right-hand corner and somebody was kind enough to do that for you. But if we're looking at the MITRE, and I'm not allowed to use the words "kill chain" because that's trademarked by Lockheed Martin, so we're unsaying that and we're going to call it the attack cycle, this is just a pattern that they're doing. So in the attack cycle, we successfully figured out

what it is, and we are now getting past, and we got into the remote access service. So yeah, you guys got it. All right, and Addy and Jennifer will recognize the original author of this quote, because we all used to work together doing risk management. We had a boss, we talked about risk and likelihood, and you would always quote this one from Fight Club: "on a long enough timeline, everyone's luck runs out." So I think it was Kylie that said "jinx." He's like, yep, somebody just got lucky and guessed. They found you on Facebook; I wonder if their password's, you know, "sebastianrocks," because you named your, yeah, your dog's name is Sebastian

Bach, because you're a big Skid Row fan. How's that for an obscure musical reference? Do I get points for that or what? I think that's pretty cool, pulled that one off the top of my head. Plus 10. All right, now, Rod, maybe you can share your symbol picture for the class. To me that's like all rock. Maybe another one. Don't get me started. This thing's like, this is why he's not allowed to teach school; we'd never get past the first day, we'd just be having fun making jokes. But here's what's going on in that attack, what did we call it? Not kill chain, the attack life cycle. So here's what's happening: we're spear phishing, we're dumping creds from somewhere

else, we're trying stuff. Oddtimes they don't even change the account, you know, like first guys on, we're trying "admin/admin". True story: I was doing this, and I don't think anybody from that company's on this call, but I'm not using the names just in case. I'm in there typing, and we're doing this PCI assessment, and it's going pretty good. I said, "yeah, I just got to check your routers," yeah, and I logged on, and the guy, he's a buddy of mine, he's standing behind me, he's like, "yeah, here we go." It's like, yet scanned and found all the front ends, the logging, because that was sort of the thing: if you're on a network,

normally you shouldn't be able to get to the management of those wireless routers, but a small company, you do what you can, and so the management interface was local. And it's like, seriously, admin/admin, and I got in. And I turned around and looked at him and I said, you know, he goes, "yeah, that shouldn't work, I'm really sorry, I could have changed it right away." I, you know, it's like, identified it as a finding. I don't unsee, because I've got a CISSP, I have to maintain my ethics. Because it validated that it was already mitigated, so it's not fine... but yeah, default creds. Totally, you'll get it somehow, somewhere, you get in.

Now I'm on remote access. So you guys are there, you are now inside this organization and you've got an attack tool. And I've got to get this, come on, don't be a jerk here. On the other side, maybe. Okay, let's just save that. No, let's not say that right now, that'll jinx it. We've got enough live demo gods already waiting and just pounds. You guys know about the demo gods, right? You've seen that? This is live demo gods on steroids. Okay, so back to our thing: you're inside the organization. Anybody who doesn't have a Kali instance up and running, uh, yeah, don't do that. Yes, please do not hack the machines themselves, because there's two more

classes. So you're on, or no, you're not playing, you're just here to keep me honest. "I do not have Kali running," okay. So let's put that back in the chat again. And Faith, are we out of, are we out of...

Okay, I will need to check that in a second. Let me just see here. Let's go home. All right, so it looks like somebody could use number 10, so hakn10, so h-a-k-n number 10 is free to use, and "okay to login", and it looks like 14 and 15 are open, and so is number 20. So we've got one, two, three, four free desktops. Okay, so let's try that, let's see how this works. Somebody snag number 14. Not quite yet, okay. All right, so excellent. All right, and so if we're out of desktops, that's fine, we can wind this back, and there's two more classes, and it's going to be up

all over the weekend, or the two-day conference. So I mean, consider we only built these 20 minutes ago, that's actually pretty cool for the cloud, so yay, cloud. Well, it's good for stuff. Okay, so you're inside the organization, so that's kind of it. And assuming this did, right back to DNS. Now, first question: who am I here? Okay, so God bless you, Zinji. So Zinji from Bow Valley College was our gear man. So in my day job, Rod is my right-hand man when it comes to keeping our color purple nice and bright purple. He's a wizard with everything when it comes to logs and equipment management, so don't hire him away right yet, but if

you're looking for a skilled guy, he's your guy, but he's really expensive and he's worth every penny. So, "hire," God says, shut up. What if Hagel's watching this later? No, Rod didn't tell me he's looking for a job, I was just saying he's a great guy. And Zinji is from Bow Valley, he did a bunch of this work. This is not simple to do. But you notice what I did here: so I do this "nslookup hakn101.com". Now, just to be fair, let's play this on the outside. Let's go to cloth again: who does hakn101 show up there? hakn101.com. I'm going to tell you why this matters in a second. You notice that address is

74.208.236.194. What's the address on the inside here? No, I do not want to pass you off; you're going to take me with you.

So what's the difference between the answers to that?

Anybody? Do we know about the difference between inside addresses and outside addresses? Internal DNS, right on. So what we're talking about here is, on the outside of the internet there are, I don't know, 205-ish large networks, and then they broke it up into things, so millions and millions and millions of addresses. Supposedly we've run out, but everybody still seems to be able to get on the internet, so something's working. But on the inside they carved out these three spaces they called RFC 1918. I'll just throw that in the chat. But that's a little trivia, and you'll hear the network guys always talk about this, because they think if they use acronyms enough you'll think they're smarter than

they really are. It's too bad Kelly's on here, I'd tell my telephone joke about the stuff. But anyway, that's useful because we now know for sure we're on the inside. So the next thing we want to do, now that we know we're on the inside, we want to figure out what can I see. So if we're looking here in our attack cycle, you want to sort of figure out kind of where you're at. Okay, so we know what the domain name is, so you want to know what the LDAP server is and stuff like that. So how would one do that? So these are nmap NSE scripts.

You gotta go, "I thought nmap was just a thing." So who has never run nmap before?

Okay, all right, "I have not nmapped." All right, so this is your inaugural nmap session. So right in your Kali window I want you to type just this,

and that is awesome. It's about to get more awesome, especially NSE. Okay, you stole my thunder. So once you see the NSE scripts, you'll never go back and go, "I didn't know that came with it." So this, and this is why I rag on the network guys, because they think they got this. Okay, so here's my thing: 10.

What do we got here? 10.50, where we got 0 to 50, 0/24. Okay, so there we are. So I'm just going to quickly walk you through what you can do here with this. So copy that and paste. Really, come on, paste. Nope, okay, let's type it out again, Doug. You guys can read it in the chat. And "a TCP scan," yeah, so this is literally nmap 101. But no, you're wrong, TJ, not quite. The reason, so I'm adding this other thing, so you look at this one: --top-ports, and I give it 50, and 10.50.0.0/24. Now what that's saying is go try every IP address in this 10.50.0.0/24

and what I want you to do is only look for the most common 50 things. Minus one point for TJ. Yes, we're going to take that off as CTS.

All right, notice how fast that came back; it's just crushing it. Now what nmap does under the covers is it says, "I'm just going through my list, let me connect out to that port," and the way TCP/IP works is, as you're running these services, it actually has these tools, or these ports, that are running, and they're sitting there listening, and if somebody connects it says, "yes, can I help you?" Think of them like an open window. Now, if you have a large house and there's only two windows open, you've got to be pretty darn accurate with that baseball to get it through the window and not break the glass, because, because, because this is

kind of the world Rod and I live in: if you break enough windows, somebody's going to come looking for you and shut you down.

Oh, nmap, actually I wouldn't mind sitting in on that. I love talking about nmap and learning new things. So, but this is the hacking side of it now, so not just how to do the tools. But yes, this is part of the community stuff I'm talking about. Jeremy just put in a link, or a note, about it, and yeah, feel free to throw the link in there too, Jeremy, and we can throw it on the BSides chapter as well. So good. Yeah, so we're set up, and you want to just be strategic on where you're looking, and what this --top-ports does is it says just look for the real common stuff,

because even if you've got something weird and esoteric on your network, odds are pretty good it's going to have an RDP interface, an SSH interface, or an HTTPS interface, or an HTTP one, because "who needs to encrypt it, it's internal." So yeah, that top ten you can sweep pretty quickly. You'll be in and gone before Rod knows, "hey, something went off," and we try and shut you down, and you're not going to break too many windows, so you might not set off an alert in their network monitoring. So this is a great way. So what do we got here? That --top-ports, so that's your number one takeaway out here: --top-ports. Now TJ was right: if you don't

give it this --top-ports, it's going to try a thousand, which is going to take longer, it's going to be noisier, but you just want to see who's out there and are they alive. Real uncommon for something to answer on a couple of these ports and not be alive. But what do we got here? I got a 10.50.7, I got something running on .36, I got something on .35. Oh, so the good news is we found ourselves. These .30s and .35s, I think that's us, so that's probably good. How would you know that, you ask? Okay, Ctrl-C. You can just look at your own address and kind of make a guess. Yeah, I'm at, uh,

oh, it thinks I'm a .7. So, all right, I don't pretend to have this entire Guacamole environment figured out, but I can tell you right now, those ones that are 3389 and 22, those are the Kali boxes, so those are not the ones you're interested in. But there are others in here that are pretty useful. So right there, so somebody had mentioned "sodium" way back when, so sodium, that's actually the inside of this Guacamole box, so please don't hack at that. But what do we think this guy is here, "oxygen", what is he?

and there should be one more here probably a domain controller yeah because it's got 445 listening so that's a normal windows port and it's also running 53 which is yep yeah so jonathan had also pointed out yeah they're all in dot 50 so that means these are all local machines and that makes sense because we're hacking from inside in this environment but you'll notice right here that that domain service and i got a what this means this mswtb server on 3389 that's just rdp exactly faith that's what it is but it's got a little more formal name in the protocol so that's what nmap is reporting in back ads now you say well how did you know that doug well you do

this enough, you look at enough nmap scans, it actually starts to make sense. You can tell by looking at it what it is. It's like, yeah, does anybody think this is a Linux box? No, it's definitely a Windows box because it's running all these things, or it's somebody who's gone insanely crazy trying to make it look like a Windows box. But now it's like, okay, I know where the domain controller is now, so that's very useful. And so what we've done here is kind of that first step when you get in, to say what is the, what's the domain name and what's the LDAP server. You're kind of, you're working around these recon steps, you're now looking inside. So

now TJ had mentioned the NSE scripts, so this is the other one, and I don't expect anybody to ever remember any of this, so literally you want to Google and see something like that. Yeah, so SNMP enums, remains, like all of these things here. So these NSE scripts, there's 600 and change of these, and they measure all kinds of crazy stuff. Now if one was playing the CTF you might find this stuff kind of useful, and it's not because it's always the best thing; in many cases there's a better tool that's specifically for this. But nmap, the reason that they're teaching this at the infosec is it's very useful from a networker's perspective. I don't know

any guy running firewalls and network switches and stuff that isn't, isn't up on nmap, but they didn't know about these NSE scripts. And when I started, when I started using these there's about a hundred, and I even knew some of the guys that had written them, and now it's like every, like look at this, like what kind of language does Apache speak? So you found something that says it's an Apache server and it's going to try and guess that for you. You want to look at, you know, what's going on on a Samba share, it's in here and you literally run it. So the nice thing about it is you don't have to memorize all the tools. What you'll find

is, because it's good at a lot of stuff, it's not the fastest at any of them. So you know, you kind of take it, but if somebody's running nmap in your environment for a long time, it's, it's probably a thing, you know, what are they up to. But yeah, so there's an ldap-rootdse, I think that's the one, and I will probably stop at this one for the NSEs because I feel those demo gods just chattering in my left ear, and because I'm not hearing anybody talking, so, other than Jen who said hi. So but right here, okay, so this is a discovery thing, it says it's safe. Safe-ish, okay, um, usually yes. And yeah, totally TJ, and

Metasploit, so that's, that's maybe Hacking 201, uh, check back with us next year. Metasploit is another tool like this where a lot of the plumbing and the hard work is done for you, and you can bring up a framework and run this, but you can run your nmap scans however you want and then you can import them into Metasploit to start trying to break into the various things. Okay, so right here, so right here, this one, and it's pretty scrunchy little syntax, so I'm going to throw it in the thing here, copy, and then they're going to have brackets, and where they say host, that doesn't mean you type the host, that means you type

the IP address of the machine you're going after. So you'll notice here that we're not running 3389 or 389, I'm pretty sure it's there, I'd be real surprised if it isn't. So how we would do this, maybe somebody wants to volunteer how they would type this into their Kali machine? It's like, you not only

Yeah, hacking, yes. So that's like the, you're stealing my last three minutes of my class, hang on. We're probably going to go over because we're a little delayed, but so if you're gonna go to the tabletop, the tabletop workshop on incident response, I have never actually done that even though I am a contributor, and if you go see it you may just, you may see where I contributed to that. But it's a fantastic class, I've heard nothing but great reviews. So yes, so Faith, close, so zero is the whole network, actually change that to be... Yes, that's the one AJ's running, yeah, that's definitely worth checking out, he's gamified the whole thing, and uh

he's an interesting personality for sure, but the, the, the whole gaming approach is well worth doing. But yeah, you would want to run this. Oh yeah, you did it, it is a great time, so thanks for the plug. Yep, I'm sure you've welcomed me back, I'm not sure what their seating capacity is, but since it's virtual it's probably pretty easy. Run that, let's try that with the .8, let's just see if that's even working. So if we tried that, so .8 we think is our domain controller, unless Xinji added a domain controller when I wasn't looking, um, and I'm copying your notes here, Faith, either, I'm just changing that last thing. Was it --script

ldap-rootdse 10.0.50, let's try 8, if my typing is okay. Oh yeah, go baby. So here we are, look at this, I'm inside, it's telling me stuff about the domain itself. These are actually artifacts; if you were to use Microsoft's Active Directory Users and Computers tool against the domain controller it will tell you things like the name of the default site, and it'll tell you a bunch of different items. Now a lot of these numbers mean something to that environment, um, but it definitely tells me that there's a domain controller named Oxygen101, and right here this Default-First-Site-Name, blah blah blah, that tells me that's one lazy sysadmin

that didn't bother doing anything other than just turn it on and get it going. But you found the domain controller, okay. So one of the reasons that you want that is because if you can break into that as an adversary... oh, and it was even kind enough to tell us the MAC address, which might tell us what kind of equipment it's running on. It says it's Windows, well yeah, that all sounds good, it looks legit, it's not somebody faking us out with a different kind of, uh, domain controller or something. So what you've got here now is you're looking around, and if we were to go back to our MITRE ATT&CK steps and where we are in the attack cycle,

you're doing things now, you are discovering stuff about the network. So you've done some network scanning, and there's some network shares that might be useful, um, file and directory, it's always good to know where people are leaving their files around. But look at what we've covered, you know, we understood about how they would use remote services, how they might be able to gain access through different types of credentials. Now there's a whole trippy thing on nmap alone in Kerberos, using admin, you don't know anything, you don't have any creds at all, but you need some user names. You can start to use nmap and use a little trick in Kerberos to say is there a user there or not,

which is what we did last year, and maybe we'll dig that up, so there might be some follow-up notes.
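The two identification steps walked through above, telling a host's role from its open ports and reading the DC name, domain and AD site out of ldap-rootdse output, as an added Python example that is not the talk's own code. The scan text, the 10.0.50.x addresses, oxygen101.lab.local and the lab.local domain are constructed samples, not the lab's real values.

```python
# Added example (not the talk's code): host roles from nmap -oG open ports, then DC facts from ldap-rootdse.
import re

# Constructed sample of nmap -oG (grepable) output; IPs and services are made up.
SAMPLE_GNMAP = """\
Host: 10.0.50.7 ()\tPorts: 22/open/tcp//ssh///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (998)
Host: 10.0.50.8 ()\tPorts: 53/open/tcp//domain///, 88/open/tcp//kerberos-sec///, 389/open/tcp//ldap///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (995)
Host: 10.0.50.35 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (998)
"""

# Constructed excerpt shaped like the ldap-rootdse script's output (names are made up).
SAMPLE_ROOTDSE = """\
| ldap-rootdse:
|   <ROOT>
|       dnsHostName: oxygen101.lab.local
|       defaultNamingContext: DC=lab,DC=local
|       serverName: CN=OXYGEN101,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=lab,DC=local
"""

OPEN_TCP = re.compile(r"(\d+)/open/tcp")

def parse_gnmap(text):
    """Map each host IP to its set of open TCP ports (only -oG lines carrying a Ports: field)."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        ports = {int(p) for p in OPEN_TCP.findall(line.split("Ports:", 1)[1])}
        hosts.setdefault(ip, set()).update(ports)
    return hosts

def classify(ports):
    """Heuristic role, in the order the talk reasons: DNS+LDAP+SMB is a DC, SMB alone is Windows."""
    if {53, 389, 445} <= ports:
        return "domain controller"
    if 445 in ports:
        return "windows host"
    if 22 in ports:        # e.g. the lab's Kali boxes, which expose SSH and RDP
        return "ssh host"
    return "unknown"

def rootdse_facts(text):
    """Pull out the DC name, the domain and the AD site, as the talk reads them off the DC."""
    attrs = dict(re.findall(r"^\|\s+(\w+): (.+)$", text, re.M))
    domain = ".".join(re.findall(r"DC=([^,]+)", attrs.get("defaultNamingContext", "")))
    site = re.search(r"CN=Servers,CN=([^,]+)", attrs.get("serverName", ""))
    return {"dc": attrs.get("dnsHostName"), "domain": domain, "site": site.group(1) if site else None}
```

A Default-First-Site-Name site on a real domain is the same "nobody configured this" signal the talk points at; on your own network, a host that classifies as a DC but is not in your inventory is worth a look.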

Yeah, because we can leave this there, I just wrote that down, um, because that's, that's it. I, I really just wanted to be an hour, and I want to be mindful of the other presenters and their work as well. Now we're running two more sessions, I believe, of this, so uh, I'm, and I'm gonna hang out on the channel, on the CTF channel, and keep an eye on things there, but we can definitely, uh, keep going there. So yep, oh, and Kyrie's, uh, helping us out, so we're looking good. All right, so, uh, there were a couple of resources that came in, uh, that people mentioned. Yeah, well, thanks to you guys for showing up, it's really tough to teach a class

when there's nobody here, um, but have you started to appreciate how this is just a methodology that you learn, just like anything else? Okay, so, and Addy asked a great question: as the hacker, is there a good way to know if you're actually in a test environment? Why, no, there's not, until you get skilled enough to identify some of these artifacts, and technically this whole CTF is a test environment, so look around, you might see a few telltale signs. But yeah, there are companies that go out of their way to make test environments look exactly like the real ones, so that the adversary doesn't know they're bouncing around here and they're already cordoned off. So

yeah, and yeah, TJ, if his two red flags should be going off, I don't know. As a guy who works on detection engineering for a very large oil and gas company, and my running mate, it's really easy to miss stuff, so it's got to be a pretty big explosion in some cases. So okay, and yes, Sarah, is this a guide you were following, that going off is too easy, so great one that I want to plug since we're all doing this, uh, it's called the Red Team Field Manual, and I know that the guy is having a thing because that acronyms to this, so, and that F stands for "fine," yes it does, pinky swear.

But yeah, there are classes, so the guys alluded to a couple of these, there's a blue team, there's a purple team, there's a few of them. So there are people out there that write books on these methodologies. There is a really great book by a gal named Georgia Weidman from Lightbulb Security on hacking, and there's an earlier version written by Dave Kennedy and the guys from Offensive Security. I don't know how many copies there are of all of the signatures of the original authors on it, I own one, so when I die the people in my will might sell that for five bucks or something. But yes, all of these are available, great resources, and the takeaway here is this Kali

platform that you're working on is, tends to be the way it goes, lot of these tools recognize this, and they, why? Because it just works and it's safe to use and you can get some reliable stuff. So yeah, yeah, for sure, the, the book's dated but the methodology isn't, and I think that's what I want to get everybody's head around: there will always be a new exploit and a new thing, but how they go about it doesn't really change. These are defensive activities and offensive activities that have been going on since Sun Tzu wrote it down. So yeah, so book links, so I think that's a good, we're gonna take that away, Kari, we've got that, there's a thing,

we're gonna get some links out, and uh, yeah, that's cool. Um, I'm happy to chat all day about this, but I know people have stuff to do, so technically that's it for the class, but that is not it for us learning, and these, these environments aren't going down. So if you wanted to play, there's actually a whole bunch more material I never even got to, which is kind of how I do all my classes, so feel free to look around in this area, and yeah, the recording should be available and there's lots more to find. So seriously, dig around, and if you want to just go back in the CTF channel, "hey, Hacking 101, is this a

thing that I just found?" I'm happy to share freely about that all day in that channel, because it's not giving away hints, because this isn't for points. Now next year maybe we can do this, but there is a small token of appreciation for those that participated, and I want the name of the one other author besides Dave Kennedy from Dave Kennedy's pen testing with, uh, Metasploit, for the prize. First one up, we're going to nominate you for a door prize.

There's, it's like a real door prize, I'm not kidding, we're giving one away each time. So what was the question? Who was one other author besides Dave Kennedy on the Metasploit pen testing book that Dave Kennedy was the lead author on? And the other three all work for Offensive Security, so that might be another tip that works. Okay, Jeremy got it, Devon Kearns. All right, yeah, Dave Kennedy doesn't count, Rod, because no, but yes, Dave Kennedy R, Dave Kennedy, no, that's not the same Dave Kennedy. But the Dave Kennedy there, he's, he came to our first BSides, so he flew all the way from Cincinnati, Ohio to Calgary, Alberta, did the talk and then flew back, and if you look

you will see that, um, that intro, that the intro to Dave Kennedy's talk on the very first BSides that we have is this, and HD Moore did not participate in that, but yes, HD is a friend of ours and a great... So yes, Devon is the guy and Jeremy got it first, so fastest on the Google wins. Uh, next year we'll have a little CTF mini in there, but seriously there are actual CTF type things in here, hack away all day if you guys want, it's, it's totally cool. And Maddie is there, so he goes by the name of Mutts Online, and yeah, the true story of the, the intro at BSides, and as I was getting dressed this

morning I thought about it and go, I need to change my jacket, because if I'm in the same, you know, I know this is going to be recorded, then go, isn't that the same jacket he was wearing? I have the jacket and I was reaching for it, was like, no, where are the other ones? So spelling doesn't count, Jeremy, you still win, so you get a door prize coming to you. Yeah, I'm not that hard-ass, I'm really like Mister, I'm the easiest teacher of all. Okay, so hack all the things, uh, [Laughter] yeah, you still bounce off and break your leg, exactly. Uh, yeah, Kennedy's book is good, I really like it because it is, uh,

you know, kind of literally step by step, again even earlier than Georgia's book, but he has, it's very focused on how to use Metasploit and just use that framework to do the stuff, and because he is the original author of the Social-Engineer Toolkit, the thing called SET, which is again a little long in the tooth now but it still works, just saying. Uh, and part of that intro at BSides is him, him building that, so you definitely got to go back and check out his talk because it's great, and they did a great job of merging the two video things. So if you go to BSides Calgary or whatever, bsidescalgary.org, you're going to see the links to all the

previous talks and everything over the years. So Dave Kennedy, the Dave Kennedy, he's there, he taught, and we had, uh, Chris Nickerson who spoke at that one, unfortunately the ghosts in the machine ate his video, and we've got Jack, Jack Daniel as well, we're there. So we had two of the original BSides founders were part of the original Calgary BSides, and the founder of DerbyCon was here as well. So