
The Insider - Users

BSides London · 2018 · 40:27 · 498 views · Published 2018-06
About this talk
What can your internal users do? Over the years I have come to the conclusion that in most typical environments any domain user, if they desired, could gain full admin access and change or delete any data or machine. And would this be hard to accomplish? No. Typically it takes around 30 minutes to four hours, and worryingly sometimes even less time, to gain full admin rights over a typical internal network domain. So now consider your employees at work, or students at a typical university, college or school: they are already halfway there with regards to the process required to exploit it all, and why? Because they have been issued with a standard domain account. Without the constraints of time, what could they achieve? Have they already compromised accounts that belong to the domain administrative group? And to those who hold accounts belonging to administrative groups: are you still in charge, or was your account compromised years ago? Now, this talk I will be presenting, I can guarantee you, will not be dull. If you love hacking, this will be for you. I'm going to present how any user can compromise a typical network at any time they choose and then gain access to anything they wish internally. It will reveal commonly used techniques that I have personally used over the years; often these are simple techniques that could be used by anyone with a domain account, or even without one. What can disgruntled or malicious employees achieve? The answer to this will be detailed in full during the presentation. I will be honest, this talk will worry some; it's going to reveal how simple it can be to go from a standard user account to owning everything in the domain in a very short time. What are your users doing?
Transcript [en]

Hello everyone, thank you for joining me. Previously on The Insider, recorded live from BSides Scotland on the 20th of April 2008: a lunch target was a global business headquarters. Recon showed turnstiles in reception; the back door also had turnstiles. I hate turnstiles. A friend told me how he'd bypass turnstiles; I liked the idea, so I tried it. Midway through the lunch hour I walked in off the street, walked up to the turnstiles, then turned to the security operative and said, "Crap, I left my pass on the desk when I nipped out for lunch, can you let me in?" People started forming a queue behind me. The security guard didn't look sure. Apply pressure: "Come on, will you let me in? I'll be late for a meeting, I need to get in." The turnstile opened. I walked in.

Chapter one. Typically, after walking into an office, I'll find a place to plug my laptop in and hope I get an IP address. Then I'll fire up Responder, and typically you get a hash or two. Here we have an example of what you get, with the extract of the hash at the bottom: the username and the domain name. To reverse the hash I've always typically used hashcat, and here we have an extract from hashcat showing that the NTLMv2 hash that's been collected has been cracked, and there's the super strong password at the bottom there. Now identify if the user has any local admin rights on any domain machine. For that I've started using CME. Here's an example of CME where we've been passing in the username and the password, and it's found, you can see the word there, that user1 against the IP address has access to local admin. From that I've dumped the local hashes, and there's an extract of the local hashes from the box. From that I will pass the hash to all machines, and here's an extract from CME again, and you can see the multiple IP addresses which we now access using those local admin hashes. This is because people generally do a default build of a machine and then copy it over and over again. Microsoft doesn't salt the password hashes, as we all know, so the password hashes can be used: where it's found on one box, if that machine has been copied and cloned and cloned, you can use it on the other boxes, and so on and so on. Following on from this I hunt the DA, but this story is not about my hunts, it's about what your employees

can do. My name's Neil Lines, I work for Avian. OK, let's start. So picture a typical office: default domain machines. So what do you normally have in a default domain machine? Generally you'll find that users are, in most places, given access to CMD, and they're given access to PowerShell. Now I know a lot of you will be thinking, OK... Who here is part of a blue team? Brilliant, this is good. I'm going to throw it out to the audience: who thinks they're logging PowerShell use correctly? I've got like two hands. OK, so at the moment in the industry, the community, call it what you like, a lot of people are saying that, and I think we've still got a few years to go. I mean, we get MS08-067 still occasionally, so I think we'll still use PowerShell. In theory it's very, very, very easy to log and spot, which is why people are saying this. So what can a standard user do? OK, any user with access to CMD or PowerShell can start a program. There you go, you can start mspaint. Or it can also grab a DA, or domain admin, account.

Back in 2014 Tim Medin did a talk called Attacking Microsoft Kerberos, and from that Kerberoasting was launched. Any domain user can request a service ticket for all service accounts; Active Directory will return an encrypted ticket which contains an NTLM hash, and service accounts are typically in the domain admin group. Originally this was really quite a complex exploit to do, and a lot of people thought, I just can't be bothered to do it. But then harmj0y released... well, it was included in PowerView, and I want to give you a quick walkthrough of it for those who haven't seen it or don't know how easy it is to do. So here's the basics of the commands: you're requesting PowerShell, you're basically asking it to download and execute, well, to download PowerView and execute this command, the function Invoke-Kerberoast, and you ask it to output the format as a hashcat hash file. So only to show you a video so you can see how quick it is to do. Is that playing? There we go. Right, so this is a one-liner. So in essence any one of your users could go off to the internet and download this one-liner, copy and paste it into the machine and hit go, and we'll see what happens. Part of the reason for these videos as well is I like people to see how long it actually takes to do this. So presently now this is communicating with the domain controller, and it's going, please send me your service hashes, your service usernames and their correlating password hashes, and any standard user can do this, so it could be of concern to some people. And there we go, we got it. So they've got the username and we've got the correlating password hash. Now, to make it easier, because that's not easy to see, that's what was returned: the username, domain name, followed by an extract of the hash. Now I looked up the user, and it was user1, and it's part of the domain admins group. Service accounts are generally, not all the time, but if you get, say, like five or six service accounts, we can probably guarantee that two or three of them are in the domain administrative group. And people don't want to be changing the passwords all the time on service accounts, it could be a pain in the butt, so they generally set the password once and they don't set it to expire in 90 days. So you can guarantee there's a chance, well, we can reverse it anyway, so we're winning.

Not quite that easy: we still need to reverse the hash. Now this is something that I think is interesting. When you brute-force accounts you can obviously lock things out. When you rip Kerberos tickets back and you've got it on your desk, it's in a text file or whatever you've saved it as, so it's offline. You can spend as long as you like; you can take it home and spend a month trying to reverse it if you want. The reality is a lot of service accounts I've come across are generally, arguably, quite weak, and I've seen password1, all lowercase, as a service account in the domain administrative group. It took all of four minutes to rip out: someone plugging a laptop in, Kerberoast, ding, done. So here we have an extract from hashcat, and you can see the type of hash identified (you have to identify it), and so there's the password and a slight extract of the hash at the bottom. So now your everyday user theoretically, potentially, is part of the domain administrative group. So what are DA rights? Members of the DA group, I apologise to some of you, but not everyone knows, have full control of

the domain. By default the domain admin group is part of the administrators group, which I'll get onto later, which is really interesting. They have access to all domain controllers, workstations and servers, and all the data contained on these devices. So think HR directories, which might be restricted to four or five people: the domain admin may not be allowed access to it, but they can probably change the account of someone who can access it.

Chapter two. OK, "don't stress, they don't have the skills", which to me is the same as saying it's OK to leave your front door key under the mat because no one's going to look. I've released a blog yesterday. I didn't advertise it on Twitter or anything, but it includes all the one-liners, including loads of other one-liners from PowerShell I found really interesting. I'm just one of the millions of people who release this stuff; anyone can do this, you can just copy-paste it and drop it in. And now for some more quick PowerShell tricks, again using PowerView, created by harmj0y: Invoke-CheckLocalAdminAccess. This was an interesting discovery. It finds whether you are a local admin on a box. What you could do is say, I'm Dave, and test it with another PowerShell one-liner, so it responds by saying no. You can then start to... I was interested: could we use this to access other devices? And yes, surprise surprise, harmj0y's created it so you can. So you can point it at other devices to find out if you're local admin on those: true, which is great. It's stealthy, it's one machine after one after one, but it's quite time-consuming. So let's say you want to do it quickly, here you go: Find-LocalAdminAccess. That sprays out across the domain, it checks every single device and it finds out which devices you are local admin on, and you can see there are two machines. OK, by the way, for any local group, simply by opening PowerShell and pasting the following, that's what we can see, so to see if you're a local admin on any machine, that's all you have to do.

Now if you belong to the local admin group you can laterally move. This is what I was saying earlier about RDP, and you might think, OK, we're not going to RDP, we're probably going to PsExec or WMI, but RDP is a nice old-school feature and we will use it for lateral movement if we have to. And by default you've probably got an RDP group and only those members of it can access it. Unfortunately, so can your local admins and your domain admins, because it overrides that original group. So look in there and you can see that user5 was a member of the local admin group, so it could RDP, and it can PsExec, and it can do WMI. OK, once you can move off a box it's time to hunt for the DA, and for that again you can use PowerView. You have the classic Invoke-UserHunter; you could obviously use BloodHound as well, but I find UserHunter's quite interesting. Here's a result from it: so it's discovered that user1, which is a domain admin, is on that IP address. So hunt for the DA and see if the account belongs to a local machine you have access to: so Invoke-UserHunter includes -CheckAccess, so the response shows that there's the local admin, but unfortunately we're not allowed to log in on that machine.

PowerShell is dangerous. Now I was doing a lot of labbing, and blasts, for the year on this, and the last three or four months I've been really gearing up and doing loads and loads and loads more. I discovered that UserHunter was giving me inconsistent results. Let me give you a back story. Right, hunting out users on a domain: it's tricky to do. Typically you need local admin or domain admin privileges, and if you can't get that you're stuck. So I used to use smbexec to hunt out users, and then I progressed to CME, but that also needs local admin rights, and what you need to do is rip out the local admin hash and then just add it, and package that, and the tool will pass that for you and it sprays it out throughout the domain, and it will log you in and see if there's any domain admins on those boxes and tells you which box it's on. But let's say that your employee can't priv-esc: how can they hunt out the DA? So I thought about it, and I spend too much time at home thinking, troubling myself about things like this. Most people would be like, OK, I'll just do it another way, but no, I want to know the answer. So I carried on, so I googled it, and it seems this is actually a really common request of Microsoft admins and pen testers, but I found nothing that would run without admin rights. So Microsoft doesn't have a tool built into Windows to tell you where the other users are. Now there are ways to do it, but it requires local admin access generally, or domain admin, to log into each box, and then it can run the script or whatever you want to retrieve that information. So I messaged my mate. Now I generally turn to my friends after googling; no one wants to hit their friend first, you're going to go to Google and try to figure it out yourself. And he just replied this, it's great. He always, always helps me, never gives me quite the exact answer, but he always gives me something that leads me to the answer. So I've learnt a new trick.

So how does this work? Right, most domains, think of a typical domain, they'll have a centralised share, SharePoint, share server, generally on the DC I find, and admins will commonly map their share drives to all of their employees. So when they first log in, the C drive or S drive or whatever will appear on their desktop or in their My Documents and go to the share. And any domain user, this is an interesting find, any domain user can enumerate the share, the share server, for a list of who's presently logged into it, so you can see the connections. Now to do that you just have to run this; again, you'd copy and paste, drop it in, and it'll give you this as a response. Now what is this? So basically user9, user6. Typically you would have, I don't know, on a normal domain hundreds and hundreds of users, so you might have a list one hundred long, and they're not all pretty and colourful like this; I've done this just so you can hopefully see it better. But you can see there user9 is on the machine ending 192.168.1.11 and user6 is ending on 10. Now if you hit a share directory like this and you enumerate it, there's a good chance you might get a domain admin in there. So that is a way that a standard user can hunt out users without having local admin rights or domain admin rights, resulting in any domain account being able to hunt out most of the users.

Right, chapter three. OK, who places one of these in a locked cage? One, this is good. Who encrypts, not the laptops, the physical machines, who encrypts the hard drives? Good, this is good. Right, well, I'm going to show you here: think about a Windows PC, and you've plugged a USB stick into the front and you're booting off it. Now if anyone doesn't really know why they're dangerous, well, this is why you want to encrypt your hard drive. Basically you can mount a drive and you can rip out files that are of interest to an

attacker. If you're now wondering, would my employee do this? I've been on a lot of on-site social engineering, where I've walked in off the street, I've used Responder, it's not got me anywhere, and I've just thought, forget this, I'm getting nowhere, so pull out a USB stick, walk up to a machine that's not presently being used by someone and rip out what I require this way. So if I can do it as a complete stranger in an organisation that should be spotting people, your employees can definitely do this. Secondly, you could also just rip out the hard drive and mount it that way; multiple ways. I've also done that on an SE job when I didn't have any USB stick with me.

So what we're doing here: I've mounted the C drive. In Windows 10 it's got fast boot, or fast mode or something like that, and you can't just mount the drive automatically; you'd need to have domain credentials then, but standard user credentials. And what you do is you plug a USB stick in and you reboot the machine, and by rebooting it drops out of fast boot mode and it allows you to mount the drive. Right, so we've mounted the drive, and we're in the Windows\System32\config directory, and I'm sure some people have a good idea what I'm going straight for: I'm going for the SAM and the SYSTEM file. Now these two files together store your local administrative accounts, so this is of use to me, like in that pass-the-hash I'm showing afterwards; I'm probably giving away things. Right, so I'm copying the SAM and the SYSTEM file back to the desktop. I first did this, not that anyone's interested, when I was about 12, on my machine at home. It's such an old-school trick, this, but it's still valid today. I'm zooming in, hopefully, so people can see. Right, what I'm going to do is I'm going to reference the two files, and I'm using pwdump to reverse them, not to reverse, I'm sorry, to combine them and create the hashes out of the two files. I should say, for someone who hasn't seen this before, it's interesting how quick it is. Done. So there we go, we've got the local hashes off a Windows box, so it took roughly about two minutes to gain access to the local admin hashes. And so what can you do with them? You can take them home again, it's a file you've now got a copy of, and you can reverse it: spend all night, a week; get yourself a decent graphics card, you'd do it in minutes. There you go, NTLM hashes are very, very easy to reverse: super strong password again.

So we've got local admin access, what can you do? Where can you store these? That'd be the first thing I'd do if I had access to a machine with local admin. It's not stealthy. I'm not here to do a red team, I am a red teamer, so you know, but presently here I'm just seeing how quickly I can compromise a domain. I'd probably fire up VirtualBox, I'd install Kali and I'd use CME and just start spraying out those hashes. OK, if you can't reverse them, you can just simply pass the hash. Now for this I've discovered this script, here it is here: Kevin Robertson's Invoke-TheHash, which is incredible. I was looking at PowerShell for a long time, I kept thinking, I don't want to crack passwords, you can't always do it, I want to pass the hash, and then this was released, and it does exactly, as you can

see there. So you give it a target IP address, you give it the hash, and you give it the username, and here we're going to tell it to add the user called pwn London 2018, add it to the local machine. If it accepts it, you get "command executed with service", and you now have a local account on that machine yourself.

Right, chapter four. I've seen plenty of clients attempt to restrict employees' access to CMD, PowerShell and so on. Most pen testers enjoy breakout testing; I find it frustrating, but we do it. I'm going to quickly show you a few techniques which could be used by employees. Right, CMD is restricted. This is just great: everyone loves Internet Explorer. Straight to Internet Options, and come down to Browsing History, click on Settings and go to View Files. Bingo, we've got access to a directory. From there you just find CMD, and there you go. Now that obviously won't work without restricting... I should actually start saying that that only works when they're strictly restricting your access to find it or be able to just instantly run it. And from CMD you can then type powershell, and there you go, we now have PowerShell. OK, restriction number two. OK, right-click on the desktop, and you go to New Text Document. Some people disable right-click options, really annoying, which probably means it's a good thing if they do that; just go to search, Notepad. People generally don't restrict access to things like mspaint, Notepad, Media Player; these are all things people think of as safe. And so you open up Notepad, and of course you can type in cmd.exe there, or powershell, actually. Save it, it's a .bat file, and save it to wherever you can save it to, often not the desktop in restricted environments, but you generally find somewhere you can write to, and there you go, you've got CMD that way. This is the final one; you all would have seen this before, but it just amuses me. Yeah, right, so you open up mspaint and you create a very, very, very, very, very, very small picture, you go to Edit Colors and you start adding your own custom colours, and then you add these other following colours, and there you go, so you've got yourself a beautiful palette, and there's the wonderful picture that you'd print off and put on your fridge. Now if you save that as a .bat file and then run it, you get CMD. There's millions of ways; these are low-down, sort of, well-known ways, but there's millions of ways to access it, and even if they've stopped access to CMD and PowerShell, there's always other ways around that as well.

Right, chapter five. Let me be blunt: everyday IT admins should not be part of the DA group. What does Microsoft say about the DA group? And no

one can read that, so there you go. An enterprise... that means, blah blah blah, DAs should only really be used for the build at the very, very start of your domain, and disaster recovery. Why? They have complete control over all domain controllers and everything; we've heard all this. Unfortunately it's common to see accounts belonging to the DA group being used every day, and I've regularly, on internals, found people using DA rights, and they've actually elevated their rights to access something like a browser. Why? Because it bypasses the SOCKS proxy restrictions if I run it as an admin. So how do you fix this? Well, firstly you strip out the domain admin rights and you do delegated rights, or delegated permissions, and I've heard it called other things. What does Microsoft say about delegated rights? There's the link if anyone wants to have a look, and this is it, quickly. Basically, by properly delegating rights you can enforce specified roles in the environment, limit the impact and likelihood of administrative error, and apply the principle of least privilege throughout your infrastructure. I thought, wicked, that's great, really, really good. So I tried it.

So here we go: I'm looking at the local group on my machine, I'm not, I'm looking at a domain group here, and you can see I've got domain admins, I've got domain users, I've got help desk. I'm trying to delegate things correctly, and I'm looking at the domain admins that are being assigned domain administrator privileges. I've got far too many there, but generally you'll see most enterprises will have anywhere between two to 100. And I'm going to use UserHunter, and it returns nothing. This is great: delegation of privileges, or rights, has been done correctly, and there's no DAs. Winning, right? So there's no domain admins, the red team goes home, the blue team claps, game over.

But, introducing ACLs. Microsoft says an ACL is... this is really confusing when you read this: an access control list is a list of access control entries. Yep, each ACL is an ACE; that's just confusing. Basically you delegate rights and you're saying who can use what. OK, I'm no expert on ACLs, it's definitely worth noting; I've only really started getting interested in the last probably three or four months. I'm just quite bad; up until then I never had a problem getting to domain admin, but I always think at some point someone's going to delegate rights correctly and I might have a problem, so it's good to know. So they've delegated it correctly, there's no domain admins out there. Right, so let's go back to the domain users. Let's take a look at user6. user6 is just a domain user; there you go, you're a loser, you've got no rights. But wait, let's take a closer look, and using Invoke-ACLScanner, again just copying and pasting this in, it will go off and show you all the users that have got extended rights. So we know that user6, you can see there, does it say user6 anywhere? Yeah, it does, at the bottom: user6, extended right. So we know they've been delegated a right, so we can do something.

And I feel like this has been a long chapter, so I want to conclude this quick, so here goes. Right, user6 works for the IT team; they spend most of their day changing passwords and hating users. But user6 is interesting because it's a standard user account that's been delegated the rights to change passwords, which is better than just being placed in the DA group. So what's the problem? Well, the problem is the account can change passwords, making user6 a desired account. The red team come back and play. So how can you exploit user6? First off you'd have to target and capture the account. Now there's multiple ways to do that, and I've discussed earlier: you can look on a share file and hope that you could spot them somewhere, or you can go up and rip out their local hashes, and, I know, exploit some... excuse me... so that will be the main one, local... Mimikatz. You could also use this, which is Responder for PowerShell, Inveigh, obviously. Right, so here is the one-liner, so Invoke-Inveigh, console output yes, yes, yes. And, hey, user6, just testing the new internal site works, please test it by clicking here. A few seconds later we get that, because people like to help you. So there's user6's name, there's the hash. OK, so you reverse that, and then following that you can enumerate users who have local admin rights, and there we go. So Get-NetLocalGroup, and there's the machine, and you can see there user4 is... false, not disabled, so user4 has rights. So using user6, it gets a bit confusing now, using user6's rights you can change the password of user4. So here I am as user6 changing the password of user4, who does have local admin rights. You can then use user4's account, because you now have control of that, to laterally move. Right, finally, to wrap up: delegation of rights is great, but you still need to respect the account.

Chapter six. OK, this is a very quick chapter. People talk about automation; will it affect the sec world?

I think it will change things. Let's take a look. So a typical internal compromise: Responder, reverse the hashes, look for shares, find out where the domain user is part of the local admin group and use those rights to compromise the machine, grab the local admin hashes, pass the hash, hunt the DA, win. OK, this typical process takes between thirty to fifty minutes to four hours; sometimes very, very quick, you can sometimes just run Responder and get DA immediately anyway. And now you can automate this. So my friend sent me this message, "you'll like this talk", and it comes from this talk, and the quick version is Dan has released a script called icebreaker. Who here's heard of icebreaker? Cool, this is, someone said yes. It automates typical ways to pwn admins. It basically fires up Responder for you, it automates that for you, it comes with a million-word list, it reverses the hash where it can with that, and then it looks to see if it can laterally move. If it can laterally move it fires up Empire, then fires up DeathStar; you see where this is going. It didn't get... so I tried it in my lab, and here we go. It does other things as well; worth watching the talk, it's very, very good.

OK, so it fired up Responder and I made sure I got an SMB connection going, and there you go. So I got user3 and you can see the hash. It then reversed it for me automatically, and there you go, super strong password again. OK, it then killed Responder and moved on, and sort of did ntlmrelayx, then... Empire loaded, followed by DeathStar. Everyone here knows what Empire is? But DeathStar, you're shaking your head. Empire is a C2; think of it as like Metasploit, it's a framework all in PowerShell, and you can use it for reverse connections. So you can send someone an email embedded with a link; when they click on it, it runs the PowerShell command that allows that to communicate back to Empire, and you then control their computer remotely. I apologise, I just said everyone knows Empire; not everyone does, so sorry. OK, DeathStar automates the process of hunting out a domain admin. So if you were to run Empire combined with DeathStar, BloodHound is triggered, it will look at the results of BloodHound, I believe this is how DeathStar works, it will then look for the quickest route to domain admin, and it will see if it has the rights and it will do it for you. Now running icebreaker, which combines Empire and also DeathStar together, it took me around 15 minutes. Now the reason why it took 15 minutes to actually find the domain admin is because it defaults to ten minutes on one of the sections, on the Responder section. Now you can turn that down to as little time as you need or require, but generally the longer you run Responder for, the more hashes you collect, so it increases your chance to compromise. But if I was to show up in this test environment, it could have been done in a minute. So it's gone from just running an automated script to getting domain admin, probably in under a minute. What I would say is I tried it again the next day and it's completely broken, so these things are not simple to use. OK, so to install, though, initially the employee would require a VirtualBox Kali,

which we discussed earlier, ways that they could get on to their machine, and YouTube: watch the videos, that's how I like to work.

Right, chapter seven. I'm coming to the end now, so I apologise to anyone thinking, what is he talking about? Before I start this chapter I need to share a back story. I ignored PowerShell for a long, long time. I found it very, very painful to use; I'd find a sea of red errors, I was just head-butting the screen, it was driving me insane. It dramatically slowed me down on internals, but people kept saying, you've got to try it, you'll love it, you know, you've got to become PowerShell, I'll see you later. I gave up and I started to use it. OK, so I started using it, it's OK, let it go. And what I discovered is that to use it on an internal you have to have domain access; you have to be joined to the domain to get the most out of it, would be the best way to describe it. Most of the scripts require you to be domain joined. So to get sort of domain access, what I used to do is get credentials while on the internal network, and then I would look for RDP, or a way to get access to a physical user's machine, use those credentials, there you go. And then I was told about this by someone: no, you don't have to do that, hey, add yourself, add a domain-joined machine.

Right, so here's a question for this room: who has the rights to add a machine to the domain? Throw it out, anyone? Sorry, you'd hope... anyone, anyone. This is a... it's not an odd one, it is a slightly odd one. The odd one is, to remove a machine from the domain you have to be an admin. Now I get it, I think that's why I think it's odd: to add a machine, by default, you just need to be any standard user. And the reason why I think that's a bit... you wouldn't want people removing machines because that could be really malicious, I suppose, from a service point of view. But what is odd is that you can add machines, because I still think it's malicious. So what I would do is I would spin up a clean VirtualBox image and I would use the credentials I'd gained to add that machine to the domain. I would use a clean image every single time to respect their environment, and you'd look at the naming convention of their present machines and you'd replicate it, so it wouldn't stand out. And then in the report you tell them what you've done, and you'd have a screenshot of it, and you would tell them exactly the machine to go off and delete after the test. But anyone can do it where I've tried that. You would be able to restrict this, but by default any domain user can add a new machine, and that discovery to me was like a light-bulb moment. I love those sorts of moments, when you're thinking, wow, you can do that. So on internals I started, there you go, adding a clean VB and I started to live off the land.

And now back to chapter seven. So I started thinking, knowing that any user can add a machine to the domain, how dangerous could it be for home workers? Who here's a home worker? Brilliant. They provided you, your employer provided you with a laptop, you've got VPN access. Watch on. OK, it's typical home workers have a VPN solution. Now this could be for any SSL VPN vendor out there, I suppose; I'm not going to just attack any one particular vendor here, but I've used this one because it's a popular one, and I've spent quite a long time as a network administrator, so I learned how to configure Cisco ASAs; I saw some PIXes before that. Right, so how would you connect to it? Yeah, a URL, and it connects. This is the best bit: you don't have to use the provided client by default, you can just go into your own browser, you can type it in, and it'll often let you connect that way. Or, as I discovered, on Kali you can use OpenConnect to do it: apt-get install openconnect, and then just put the host, https:// followed by the IP address or domain name, and actually you've connected. You can then use domain credentials to connect. So you, as a standard user, you could install it on your own laptop that you control, and you can now add your own laptop, in essence, connect it to their, their network; let's not say the domain yet, we're not there yet, but you're starting to see where I'm going with it. So if you get access, burn away, yeah. Some people, what I discovered is people don't lock down SSL VPNs by default. I think Check Point do, but I can't confirm that; I need to spin up a virtualised Check Point to figure it out. OK, so it got me thinking: you send your employees home with credentials and a VPN solution, so they could add their VPN client to their own laptop. There you go, sounds dangerous, yeah? It gets even better: could I add a machine that I control, over the VPN, to the domain? I started to get really interested. So I tried using my laptop: I connected it to the VPN, pinged the DC, it works, this is good. I then added the machine to the domain. My laptop then asked me to... when you first add a machine to a domain you have to reboot it, a lot of you will know this

not even will you have to reboot it look promising sorry booted and then identic ated with the domain creds now if anyone can't see that there's currently no logon servers some of you may be laughing now and you're not but you might be inside and saying such things as yeah attempting to add a machine to the domain over a VPN absolutely crazy talk you can't do it so I googled it and it seems the problem is while you can connect to the domain once you reboot your VPN disconnects and you can't login to restart the VPN because can't contact the DC so it's a chicken-and-egg moment and I came up with this it's my professional slides the Microsoft domain

hell loop to authenticate the first time you need to access to DC you access the DC you need a VPN access to start the VPN you need to login you can't log into the DC she can't start the VPN and he just goes on and on and on on up and I do what most people should do give up no I went insane and of course Microsoft had the answer and there it is it's absolutely that it's beautiful can't see what it is that one there brilliant some spider if you click down there it will start up their VPN so then you can then vindicate so Microsoft got an answer which is genius absolutely shaven no one

uses it so someone's about to say I use it but I haven't come across anyone who does so I went insane more I found at my mate again and this time he just laughed at me when I told him what I was trying to do that time to admit defeat I don't hate and he have to give up on a project but then it hit me actually this it's really really really easy to do it's on point meet up at four in the morning it's really trivial I can't believe I hadn't fought this before hours days weeks months later two physical machines built loads and loads loads of virtual machines built I think I've last six months I've probably added

close to three or four thousand machines to a day to Adam a controller a USB cable ordered from China three weeks later that turned up and finally an ASA far wall configured and I was ready to go and of course one and happy wife apparently that is not how a dining room table should look for weeks and the result right so here I am on my desktop of the laptop that I own and I'm connecting to the corporate style VPN and the super secure username and password thankfully you won't be able to see it from where you are and it's authenticated now you might quite quickly realize what the answer was because here I am on a

virtual machine so this virtual machine is connected over NAT to my physical machines connected to the VPN you've got the answer but we're still watch the videos I've got time to kill them almost at the end so here I am I'm adding it to a domain and worth noting again I'm a standard user at this point so I'm not domaine happening

I have spent some of the video up so you're not gonna go for the pain of seeing it completely time out and everything right and there we go it's asking me for the codes so I put in standard user codes

welcome to the domain

yeah yeah now not fan of live demos it goes wrong I'm a video person I apologize but right so we're rebooting now of course this is the bit my machine is still connected over the VPN so we're now rebooting a machine and why is it actually lethal because okay you lose local admin rights of that machine once you've added it to the domain I've discovered but you had local admin rights before and can install anything you like on that virtual machine so I can think of a million things that be malicious that you won't want on your network which you could now be on your network and we hit go and what I did want to show is to

emphasize that only to show you something here that's a bit odd this is members a Windows 7 machine you can't probably see it here but I'm now actually accessing Active Directory tools on a Windows 7 machine and I'm accessing users I can numerate all the domain users visually and all the machines ok so we may be thinking how did he get ad tools on a Windows machine I love loving I do it all the time I don't do a lot of capture the flags and I capture a flag person I'm the sort of person who likes to build things and just do it for a gig or exchange for me as a Friday night it helps me to

discover things and I came across this our SAT has anyone used this brilliant brilliant I'm new to the game new to the party it gives you Active Directory tools on any need more on a Windows 7 machine Windows 8 Windows 7 onwards there you go so recap employee now has a virtual machine the control and your domain remotely they can install anything they like before they add it and then use those tools on your domain right my name is my exploit 2600 on Twitter and any questions
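The talk says any standard domain user can join a machine by default and that this "could be restricted", but does not name the setting. As an added example (not from the talk or the speaker), the following PowerShell audits that default and looks for machines that ordinary users have already joined. It assumes the ActiveDirectory module from RSAT is installed and that you run it as an account that can read the domain; the remediation step at the end needs Domain Admin rights. The attribute names (ms-DS-MachineAccountQuota, mS-DS-CreatorSID) are standard Active Directory schema attributes supplied here by the editor, not identifiers from the talk.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not part of the original talk.
# Audits the default that lets any authenticated user join computers to the domain,
# lists computer objects joined through that default, and (commented out) removes it.

Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# 1. The per-user quota. Default is 10: every authenticated user may create up to
#    ten computer objects. 0 removes that right, leaving only principals with an
#    explicit "Create Child: Computer" permission on an OU able to join machines.
$quotaObj = Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota'
$quota    = $quotaObj.'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota on $($domain.DNSRoot) is $quota"
if ($quota -gt 0) {
    Write-Warning "Any domain user can join up to $quota machines. Set the quota to 0 and delegate joins explicitly."
}

# 2. When a computer is joined via the quota (rather than via delegated rights),
#    AD records the joining user's SID in mS-DS-CreatorSID on the computer object.
#    A standard user's own VM, however closely it copies the naming convention,
#    leaves this trail. Objects created by delegated admins have the attribute empty.
$joinedByUsers = Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' `
    -Properties 'mS-DS-CreatorSID', whenCreated, OperatingSystem, LastLogonDate |
    ForEach-Object {
        # mS-DS-CreatorSID is returned as a byte array; decode it to a SID and
        # try to resolve it to an account (the account may since have been deleted).
        $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
        try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $creator = $sid.Value }
        [pscustomobject]@{
            Computer      = $_.Name
            JoinedBy      = $creator
            Created       = $_.whenCreated
            LastLogon     = $_.LastLogonDate
            OS            = $_.OperatingSystem
        }
    }

if ($joinedByUsers) {
    Write-Host "Computers joined by non-delegated users:"
    $joinedByUsers | Sort-Object Created | Format-Table -AutoSize
} else {
    Write-Host "No computer objects carry mS-DS-CreatorSID."
}

# 3. Remediation: set the quota to 0 so joins require delegated permissions.
#    Run as a Domain Admin; uncomment to apply.
# Set-ADObject -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
```

Lowering the quota does not remove machines already joined, so step 2 is the part to run first: each row is a computer object that some ordinary user account created, which is exactly what a rogue VirtualBox VM joined over the VPN would look like, and the OS and last-logon columns help separate a forgotten test box from an active one.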