
Vi at any point. Good, near-photographic: read something, anything, five years, ten years later she can just come up and spew it back, and I cannot understand that. That is an awesome trait to have; it's also sometimes a little bit of a challenge. It's different, because she can, right, eye-glazing detail. Yeah, I just thought the one that doesn't have... that dog might be smarter than me too. She definitely knows exactly, to the second, when dinner time is, and in the morning her face will be right here, waiting, waiting, waiting for me to wake up. But here was the thing with that: she knew what to do if it was out of the book, if there's something that's outside. And I talked about those knots. We were doing a hike on the GDT a few years ago; we were in the tent and it was like 2 in the morning and a porcupine came in and immediately went for the 20y part of being St, right, and in two seconds had chewed through this thing. She was lost, no idea at all what to do, because they didn't have a knot for porcupine-chewed straps on backpacks two days away from FR country. There was no page on that, ever, so she had a problem. But I can't understand it; we do think totally differently. I don't think about details. Like, so for today, she was like, well, do thing this morning; I'm going to look it up now and I'll show up there on time, but I don't need to know that ahead of time. So I'm a lot about the process and how things work.

We have sort of what we describe as an above-the-belt job and a below-the-belt job. So if something is broken, I'm the guy that fixes that; money, anything to do with money, ever, she's the one that works with that. And honestly, we are going to talk about Wireshark eventually, but kind of the point of this is that I think it's quite critical to think about this in terms of security and in terms of IT. So, my background: I'm a pretty fierce troubleshooter. If something doesn't work, dog with a bone, I don't stop. A lot of it has to do with kind of this different f..., and so Wireshark is a great tool for
this. I teach at SAIT, in the networking program there, or what used to be the networking program, and it's a fantastic tool for teaching students, so we use it all the time. It really shows me what's going on; it never lies. I did a contract once for a company and we couldn't figure out why certain policies weren't getting pushed out, and we realized, after doing a ton of digging and slapping Wireshark on the domain controllers, that in fact when you have more than 25s it stops by default, and you never would know, right? So that's fantastic using this tool. This won't be super high, and I was kind of also tripped up by the way that they're doing the live streaming. I had originally thought I was going to do a lot of demos on how to do different things in Wireshark, but I guess the way that we're doing the live streaming for all the people that are watching online is that they're rolling the slides as I'm rolling them so that we can present it. So I've got a lot of snips of Wireshark; I want to talk about Wireshark, but we're not going to be doing that.

Yeah, so I've been doing it for a long time. I recognize a few people here; being an IT nerd I'm not necessarily always the best at names. I used to work as a Microsoft Certified Trainer, and I became a ninja at doing certifications, because any course you wanted to teach, you had to pass the exam for, so I'm good with that. I teach at SAIT; I've been there for a really long time. The other thing that I do, and this is kind of more of why I'm here today, is I've been doing WorldSkills for a long time. It's sort of this biannual, that's every other year, right, biannual, every other year, they do this WorldSkills competition. So we do a regional competition every year and then every other year we do a national competition. It was IT networking systems, lots of Linux, lots of Cisco, lots of Windows and mtion, and I did that for a long time, and the top kid in the country goes; we have these international competitions. Now what I'm doing for WorldSkills, I'm the skills competition manager for cyber security, and one of the main reasons I'm here: I want to see their CTF. I would really strongly recommend, if you guys have a chance, they do a great CTF here; if you have a chance to go in and play with it, it is a fantastic learning opportunity. So my job to do with WorldSkills now involves putting on the CTF, which is way above my head technically, but I need to organize it and find sponsors and find people who do things and talk about that. So if you're keen on CTF, look it up.

Okay, Wireshark. Let's actually get down to brass tacks. Probably standing here you can't see. Talk about Wireshark in terms of what it is. So what we call it: it's an analyzer, a network analyzer, a protocol analyzer. It will look at the bits as they stream down the wire, piece by piece, as it comes along.
When I say bit by bit, I mean it is each bit of the stream, not a little bit at any time, and it's very, very clever. It's really interesting to look at once we start to play with it a little bit, and I found it even just trying to put the slides together for this: I started getting some interesting results just playing with some different things; we'll have a look at that. You can run this thing in promiscuous mode, which basically means it will listen to everything that goes by, and you can pick up everything on the wire or wireless medium, whatever the medium is. Great troubleshooting tool, great for people to look at and figure out what is going on with things, really learning and understanding what's happening. So this is getting into that thought process that I was talking about. I think for IT support people or for security professionals or whatever, it's great to memorize the exams for a test and get that certification, you know, power, but what's really critical is that you understand what's happening, so when stuff starts to go wrong you have an idea where to start.

A little bit of history on this thing: it's been around for a really long time, '97 with what I found, and it's kind of gone through a bunch of things. When I first learned it, it was actually Ethereal, sort of the first thing I looked at. Actually, I think the very first tool like this that I looked at, Microsoft used to have one, and maybe they even still do, called Netmon, Network Monitor, a really old one, but all kind of the same. Essentially how they work is they have something called the dissector, and what the dissector will do is analyze the frame as it moves through, and we'll look at this piece of the frame by piece of the frame; I'll tell you what I mean by this in a second. 2006, rebranded; open source, widely available, you can get it. They've now formed this Wireshark Foundation. So a couple of things about it: it is not magic. Like everything in IT, it's not really magic, although it looks like magic sometimes. It is based around standards, and I've got a screenshot later looking at some of the RFC standards and comparing that to the frame, just to give you an idea of how this thing looks. Probably useful to talk about what it isn't, so: this isn't a hacking tool. You wouldn't really use Wireshark on your network to figure
out if somebody's attacking you, or to see what's sort of going on; you don't use it to modify bits in flight, right? There are other tools, other stuff for that, but it is really fantastic for looking at things, and if you grab captures you can go back and start to understand what's happening. So just as a reminder, because we're going to be looking at some of this stuff: as stuff is traveling, wireless, wired, or whatever it is, in this case wet, we have a chunk of data, say it's a DNS query or whatever it is, and then that thing gets encapsulated, right? I'm not sure where everybody's at technically here, so I'm just... as that thing gets chunked up and passed up and down the TCP/IP stack, it'll have different headers that will get added to it. So there'll be a transport header like TCP or UDP, an IP header for addressing if it's going to go off your network, and then depending on what the media is it'll have some kind of a header for this. And as stuff moves across network devices, a router or wired or whatever, it'll rip off parts of these headers and reassemble headers, but the data hopefully stays intact, right? I think for everybody here that's a pretty AR point; I think we kind of do that. So I do have some screenshots we'll have a look at.

One of the things that I see quite a bit, I guess a few things about Wireshark: it's really noisy. I've been doing this for a long time; like, I remember the 10BASE2 days, right, really slow and really unstable. Newer networks move a ton of data, they move very, very quickly. You would be quite astounded, maybe people in this room, at the quantity of the crap that goes off to, oh, I don't know, Microsoft, Google, all of those ad-sourcing places. When you're on the Internet it's just constantly firing stuff all the time, and even if you do nothing else with Wireshark, fire it up and watch that; sometimes it's quite illuminating. So basically you can pick an interface; the trick sometimes is to pick the correct interface. It can be pretty tricky if you've got a multi-homed system, or if you've got multiple, basically, Bluetooth or whatever, wireless, which one you're active on, to make sure you get the right one. And then you can watch it in real time, but what you find is this thing becomes quite unwatchable pretty quick. So my advice would be generally, if you're trying to get a good capture, install Wireshark on whatever system you want to grab the capture on. So if you're trying to grab something like we'll look at here in a bit, a Kerberos login from a client machine, throw it right on that machine, do it there, and then you can see the traffic go through, the requests and what comes back, and it's really clean.

The interface itself: how many people are familiar with it? You guys should be. Pretty straightforward interface, right: toolbar along the top, standard, you know, the View, all that kind of stuff, and the
toolbar underneath with a filter bar, so you can filter different sorts of types of traffic that are inside that. And typically then you'll have three panes. You can choose whatever you have: the packet list, it's a list of the packets in order; packet details, so any packet you highlight it will take up and basically start to use these dissectors to look at that stuff; and then we will have a pane that will show the actual bits, and it does it in hex. So there's a status bar on the bottom for connected, so the whole thing looks like this. So all this stuff up along the top, right, that's that top toolbar, packet list, packet details, and then we can stack this way or this way or whatever, and the actual bits themselves. Pretty standard interface stuff: on the bottom right, File, Edit, View, Go, Capture along the top, so it's kind of got all that usual stuff that you see with every one.

Everybody put their hand up, but how much have you really used it? A little bit, or... Here's kind of what I found doing this; it was really fun actually, it was kind of weird, but it was like... so I'll show you some slides here in a minute. So I was like, okay, so I proposed this, let's... what should we look at? So it's like, okay, so what happens when you do an nmap scan? How does the scan work, what port is it coming from, what order is it searching in? You know what it does, but then when you slap Wireshark on there you can start to get into it and actually see how it goes. And so I started, and I've only scratched the surface; it's because of the way that we're doing this presentation with the rolling slides rather than the demo that there's sort of a lot to see. So this is the packet list, this pane, in a little more detail. So you kind of get a bunch of things that are coming down here, right; these things will come in order, right, always, and you can sort all these things by column, which is pretty awesome. You click on the column, or like, so you highlight an ARP, it will automatically column it, and so you can grab all the ARP packets together, or whatever, DNS queries, so you can grab all that stuff. So these are the sort of standard columns, right: number, time, and you'll notice one thing that always astounds me is how quick that stuff comes through; source and destination, usually by IP, so we can kind of track it, and then again we can click on this, one source, these different things; protocol, size, and usually what they'll have is some kind of breakdown in terms of an English description of what's basically going on inside, which is pretty good.
Yeah, fair enough, thank you. The details pane: so this is where I wanted to break into this a little bit more. That details pane, once you've highlighted a particular packet, it will basically blow that thing up and start to evaluate it in a lot of detail, and so you've got all the different frames. The reason I showed you that earlier one was that, right, you've got the Ethernet frame on the top; in this particular case we've got the IP header there as it comes in; it's UDP in this particular case, what is it, it looks like an ARP frame, or DNS, actually, DNS, yeah, so UDP, UDP and TCP for DNS; and then DNS is the actual data in this particular case, right. And all of these little arrows are drop-downs; you can break them open and it will show you bit by bit exactly what's going on. So just as an example, IPv4: it's showing, in this particular chunk of the header that we've opened up, that the bits are actually 0100 for binary, and header length 0101. So what I did is I grabbed the RFC for this, which, kind of embarrassed, but I think is 796, actually, that number. But I did my master's, I took this course with TCP/IP; I thought it was going to be like an easy walk-through course; the full course was how to write a router program. I have never compiled anything; I spent weeks reading and trying to make it, and we get this big hex dump of stuff. But so here's kind of what we've got, and a dissector: somebody with a big head sits down and looks at these standards and they will write that, figure out okay, well, what is happening with it. So here we've got the version laid out in the first four bits; so this is actually coming in 32-bit words, right, for the header, so four bytes, and the first four bits, right, version, and then it's IHL, which is the Internet Header Length. So it basically does the description of what it is, and in this case makes total sense: this is IPv4, so four; if it was six, six. So in this case the header length is 0101, five in binary, basically saying if you read this, you know... yeah, pretty standard: beginning of data, 32 bits, minimum value header of five, basically 20 bytes. So not that... I guess this is everything you see. So somebody has to sit down if they want to dissect DNS traffic, or any type of traffic at all which is based on a protocol somebody will have developed. So it's pretty interesting that the community has generally developed this stuff over time and we can now use it to open this stuff up. Yeah, the bytes pane, this basically shows the hex dump of this, right. So one of these is, right, so four bits and four bits, so in this particular case this one up here's the CER address; this is actually T of that, but it's kind of neat to see this, and quite often what you'll see here is a lot of clear text; it shows up. It's kind of, see what is actually
The purpose of the talk today really isn't so much to talk about how to do that, but more sort of a discussion around using it as a tool to learn what's happening, more of a mindset. I'm about to tell you the same things; it seems really obvious once you've done it a while, but it isn't so much. And I think probably a lot of people here have had to present like this, so like, I wanted to demo, but I think we'll do this in slides, and I've got some good snips, some kind of fun stuff that I had started to see. So one of the things that I did: I just built a little virtual network and took it off the Internet and set that machine down, and so these guys weren't connected; you see everybody's always clearing and just like I've done. So I started to play. So I talked about nmap: how is our nmap, every... and not confusing; I mean it's really simple, but it's also like it's got... you start to play. So yeah, I just fired this thing up, I installed a couple of services on my server, I ran a scan. Now, how do we, what
order, what does it do when it gets a hit? So, simple, right, so I just thought, yeah, just play with a couple of things. One of the things I was also curious about was the timing templates; I think you guys are familiar with timing templates, so -T, what is it, one is paranoid, I think, where it's super, super slow, and T5 is like fast, I think they call that insane, aggressive or something. So just kind of curious about, well, okay, so what does it do, and here's kind of what I saw. So here was sort of the first thing, here's our timing; like, check how fast that is: so 16.5, it's, yeah, two, three, four, five, six, seven, eight; it's doing about 10 frames every 10,000th of a second, so it's quick, it's very, very, very fast. Down here, I actually took the dog out for a walk and I thought I'd stop the capture, and then I came home, and yeah, so that's why that's 49,000, but it's basically 15 seconds with the T5. And I guess the idea is, if you're trying to avoid detection, right, you can go a lot slower, but that is just sort of, if I want to scan a machine, I want to get in there, I can do that. It gets the same; actually, I didn't even get a result. Now, what's the default, 10,000 ports? Probably more than a thousand, because I'm looking at numbers here like, oh yeah, this is the other port, right. Just to read it off: 5810, then a scan, 1163, and 4899, 2105, 3269, so it's random, all of them coming from port 34919; it's just a random non-well-known port. But we got a hit here, because in this case it came back, right, so it went to 3269 here and we've got a reply back here. The 3269 is, what is that, L... thanks. So this is a domain controller that it's scanning; it hits that machine and eventually it got a reply back on that, so that port is open, 3368, 3369. So I thought that was really interesting; it just randomly does this. And there's a million things you can do with nmap, like every different type of TCP scans, SYN scans, you name it, all sorts of really kind of super... and I found it was pretty fun. I started playing with all kinds of different stuff, and I didn't get cish B it, just because it's too much. But I thought, okay, well, so what happens if we run a script? So you guys know you can use nmap; in the community they've developed the whole NSE, or
the nmap scripting engine, and there's a bunch of scripts that will run to do all kinds of different tasks. So I just grabbed a pretty common one; you know, this is a Windows machine, so SMB enum users should enumerate the users that exist on it. It's going to try, it's going to fail in this case, 2022, so just out of the box, but still, I thought it was interesting to look at what was going on, and really what I found was that it does a really, really standard, you know, it does the scan, but when it goes ahead and runs the script, it basically does this in order: does the scanning first and eventually gets down to doing scripting, and when the scripting starts, what it will do then is, in this case, whoever wrote the script basically used standard utilities, nbtstat, which then... that us to rings and all that kind of stuff you have to worry about. But let me just see, so here it's doing a negotiate protocol request, so it's basically trying to figure out, okay, well, what version of SMB are we going to use, for NetBIOS what are we going to use, and it comes back a couple of times, and it basically runs this membership query, and it's just really, really standard. It's a query against, basically, nbtstat -n is your local and -a would basically be a query against that particular machine, whatever the machine name is, and that's basically exactly what it's done. So I just found that kind of interesting, because I've run lots of scripts before in nmap just to see, you know, whatever the challenge is, just to try to pull information up. But yeah, basically these guys have just written a pretty standard open script; it will run, it'll do the scan first, and then it will basically run whatever it is, nbtstat, that it's trying to do one time. It'll also do those things in
order. Started playing around with this. So one of the cool things about Wireshark and doing nmap: if you download nmap and you want to install it on Windows, no problem, you can do that; it comes with a really awesome interface. Just because we were talking about it, I just thought, you know, and I don't know if you guys have done that or if it's just straight-up command line. I learned on my first computer; I couldn't afford the really expensive Zenith EZ PC that had the 20 meg hard drive in it, so I got the one with the two floppies. So I learned computers from the command line, and so for me that's not bad, but I find a lot of people now have never really worked with it, and they find reading a man page or a help page or whatever, end of the world, lightning is going to strike, we're going to die. When you install nmap on Windows it comes with this utility called Zenmap, familiar with it? I don't know. And it's a really nice interface: you can create these profiles, and what it will do is it will ask what type of scan do you want to do, and it will pull these things out and it will build the text of the scan exactly how you're supposed to do that query and run it. So it's a great way to learn it; if you want to start to learn all the different options and all the different switches and things you can put in there, I would highly recommend it, it's a really useful way to start to do that. And nmap, of course, it's also part... like, one of the things that when run from Windows is this utility called netcat, which I think probably a lot of people have heard of; being a Unix kind of guy, ncat is built into every version of Linux or Unix. When you install Zenmap on Windows you also get ncat on Windows. Now netcat also is part of something
like Kali, and you can then, as part of an attack, load something like netcat. But one of the first things that I ever saw or learned about doing was setting up bind and reverse bind shells; you guys know what I'm talking about? To say that, yes, at least two or three thumbs up, or big head nods. So I thought that'd be kind of cool, let's take a look at that, slap Wireshark on and do a bind shell, like, what do you actually see? So yeah, the idea with this thing is you can use netcat to make essentially a straight socket connection between two computers. That's really all it is, it's just a straight-up connection directly from one computer to the other computer. It's the world's most boring chat: you can type something and it would show up on the other screen, and that's all it does. But there's a lot of other utilities that you can do with it as well. One of the things you can do is you can bind an application on one side or the other side; it is this bind or reverse bind. So if it's like a reverse, and somebody comes in and makes a connection to it, you can bind it to an application like, oh, I don't know, cmd.exe, and effectively what you'll get, when you've connected from Linux or from the other machine, is you will get the command prompt on that machine, and God help them if you happen to be connected to the person who's logged in as administrator, right? I think in, Richard Mitnick, Kevin M..., yeah, Kevin Mitnick, in his book Ghost in the Wires, gave a pretty hilarious account of, he was trying to get in, and he was talking to some woman; he had been fired from this place but he was trying to get in and get access to some files or something, and she was asking him for help because he was the only one that knew. He basically told her to set up this netcat listener and he was able to connect in and build an account for himself. Metasploit does this as well, so you can set up bind, reverse bind, and you get into the Meterpreter shells and things like that inside there. A lot of phishing links use this; I had one just the other day where you connect up to this weird, stupid link, and I would hope most people in here would not have an issue with that, but when you click on it, essentially what it's doing is it's going to create this reverse
bind back to your machine, and then you can s them in, and through your firewall they get access to... But if we do a capture of it, it was kind of interesting. So basically, you know what, pretty handy, I logged into the bu...; we don't have to make these things too hard. But yeah, that was the top command. So that -e option basically is saying I want to open up port 5446; in this particular case I opened up a firewall rule which normally would have blocked it, but of course there's ways that we could have got around it. And basically it just sits there and it listens; it's just waiting for something to make a connection on that port. And so you do that; so I went ahead and I made the connection from the Kali machine, and eventually, yeah, it says, oh yeah, host name lookup failed, but eventually it pops right there and you get that command prompt. And of course, because I really like hacking, I built myself an account, added it to the domain admins, want to show off, no problem. So a good cautionary tale of why you never log in as the administrator, as then you will have the rights of the person on the far side. What does the capture of that look like? So the capture didn't really show me a ton, some stuff. It basically will start off, and it's running, you can see it's doing a SYN-ACK; so any TCP session always will do the SYN-ACK, so we'll try to synchronize, we'll acknowledge that the other side... because computers have no idea if what they're sending got there; you've got to get these acknowledgements going back and forth, and then it will come back for the second acknowledgement, so let's set that up. So even that of itself is kind of interesting: you can see I'm connecting from the first computer to that particular port, the reply comes back, you know, going the opposite direction. The text description there really isn't too enlightening; if you look at the data that starts to come through here it's not that clear exactly what you see. What I thought was pretty interesting: when you look at the data bytes and start to see this, it's not so clear, but once it starts to actually read these characters as ASCII characters, it starts to pop up and you can see that clear as anything. And what you have the ability to do in Wireshark, and I thought this was pretty interesting: if you right-click on it, Follow TCP Stream, it basically pulls all of that information together, puts it in one pane, and you can kind of read all the output through it. And so when I did that, this is exactly what it showed; it showed exactly all the text things that had flown through there and came across the wire, and you could see the actual commands as they were coming across the wire. So that's not super crazy to me; netcat, you can get different versions, Cryptcat I think is one, that can do... I would say that, you know, your standard defense sort of things should hopefully wave a flag if a command like net user /domain comes across; somebody thinking, hey, there's something going on there. But you can actually set up like an SSL connection and then it will encrypt that traffic, and so, oh, we can't get it, which
is also true of all this stuff: if it gets encrypted, the data that you'll see come across you can't really read, right? But when it comes through clear it's pretty good. I fired up Ettercap; I don't know if you're familiar with Ettercap. It's a man-in-the-middle tool, real simple, and you can do different types: you can do it with SSL, without SSL. It's basically the way that a lot of attacks work; it's based on the fact that when the bearded hippie guys that wrote the Internet in California in 1969 or whatever were coming up with these protocols, they had no idea that maybe security might be an issue someday, all this information traveling back and forth. So when they wrote the ARP protocol there's no authentication, there's no encryption, there's no verification of the data, there's no anything. So here we go: you can see we've got a whole whack of ARP replies, and essentially, initially, the attacker, in this case this is my attacker, fbaa, he fires up and he sends a couple of ARP frames out and says, hey, who out there has 1.100, who out there has 1.254? And the reason I pick those two machines is I want to jump in the middle of this conversation; 254 is the gateway. So ideally as an attacker what I want to start to be... I want to tell that client that my MAC address is really the MAC address of the gateway, and vice versa, I want to tell the gateway that my MAC address is the MAC address for this machine, which happens to be the controller. So then what it starts to do is it just starts vomiting out information, and it just basically keeps sending these out, broadcasts, and even though nobody's asked, it just starts firing out and saying, hey, here's my MAC address, here's an ARP frame, here's my MAC address, here's my MAC address, and he replaces the IP address, his IP address, with the target IP addresses, but he keeps throwing out his MAC address. And the way ARP works is it'll just cache it in, because they were really trusting in the 70s, well, 60s, and so these machines will just cache it in; it should make things go faster, right? You don't have to do a broadcast every single time, so it's quicker and easier. What I thought was kind of interesting is, when I did this, after that, the problem's really clear and easy: you can see who the attacker is and who the attacker isn't. But it did actually flag it, which I thought was kind of cool; so it's basically showing that there's a duplicate IP address for that address. So it actually tells you that, but it didn't do anything. I don't think anybody on the LAN here
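The duplicate-IP warning the talk mentions, as an added example that is not from the talk or its slides: a small Python Ethernet/ARP dissector run over a constructed capture (every MAC and the 192.168.1.x addresses are made up), flagging any IP claimed by more than one MAC and counting the unsolicited broadcast replies a poisoning tool sends.

```python
import struct
from collections import defaultdict

# Constructed example, not code from the talk: a minimal Ethernet/ARP dissector
# and the same check behind Wireshark's "duplicate IP address detected" warning.
ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sha, spa, tha, tpa, eth_dst):
    """Assemble an Ethernet II frame carrying one ARP packet (only used to build sample data)."""
    eth = ETH_HDR.pack(mac_bytes(eth_dst), mac_bytes(sha), ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, op, mac_bytes(sha), ip_bytes(spa),
                       mac_bytes(tha), ip_bytes(tpa))
    return eth + arp


def parse_arp(frame):
    """Dissect one frame; return a dict of the ARP fields, or None if it is not ARP."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    eth_dst, _eth_src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    _ht, _pt, _hl, _pl, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    return {
        "op": op,
        "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
        "target_mac": mac_str(tha), "target_ip": ip_str(tpa),
        # A reply addressed to the broadcast MAC answers nobody in particular:
        # the "nobody asked, but here's my MAC" pattern of a poisoning tool.
        "gratuitous": op == ARP_REPLY and eth_dst == BROADCAST,
    }


def find_duplicate_ips(frames):
    """Return {ip: {mac, ...}} for every IP address claimed by more than one MAC.

    Every ARP request or reply asserts "sender_ip is at sender_mac", and hosts
    cache that binding without verification, so two MACs claiming one IP is the
    symptom Wireshark reports as a duplicate IP address.
    """
    claims = defaultdict(set)
    for frame in frames:
        arp = parse_arp(frame)
        if arp is not None:
            claims[arp["sender_ip"]].add(arp["sender_mac"])
    return {addr: macs for addr, macs in claims.items() if len(macs) > 1}


def count_gratuitous_replies(frames):
    """Count unsolicited (broadcast) ARP replies, per sender MAC."""
    counts = defaultdict(int)
    for frame in frames:
        arp = parse_arp(frame)
        if arp is not None and arp["gratuitous"]:
            counts[arp["sender_mac"]] += 1
    return dict(counts)


# Constructed sample capture: a gateway (.254) and a client (.100) answering
# normally, one unrelated IPv4 frame, then an attacker MAC repeatedly claiming
# both addresses to the whole segment.
GATEWAY_MAC, CLIENT_MAC, ATTACKER_MAC = "02:00:00:00:00:01", "02:00:00:00:00:64", "02:00:00:00:00:aa"
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, CLIENT_MAC, "192.168.1.100", "00:00:00:00:00:00", "192.168.1.254", "ff:ff:ff:ff:ff:ff"),
    build_arp(ARP_REPLY, GATEWAY_MAC, "192.168.1.254", CLIENT_MAC, "192.168.1.100", CLIENT_MAC),
    b"\x02" * 12 + b"\x08\x00" + b"\x45" + bytes(41),  # EtherType 0x0800 (IPv4): ignored by the ARP dissector
] + [
    build_arp(ARP_REPLY, ATTACKER_MAC, "192.168.1.254", CLIENT_MAC, "192.168.1.100", "ff:ff:ff:ff:ff:ff"),
    build_arp(ARP_REPLY, ATTACKER_MAC, "192.168.1.100", GATEWAY_MAC, "192.168.1.254", "ff:ff:ff:ff:ff:ff"),
] * 3

if __name__ == "__main__":
    for addr, macs in find_duplicate_ips(SAMPLE_FRAMES).items():
        print(f"duplicate IP {addr} claimed by {sorted(macs)}")
    print("gratuitous replies per MAC:", count_gratuitous_replies(SAMPLE_FRAMES))
```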
That's... you have to give it... So what did, what you... you can pick specific IPs to do it. What it can do is it can do like a broadcast on the network, find all the stuff, and then you can pick targets and you can specify what those targets should be. So yeah, so I kind of thought that was pretty interesting, and that's pretty good. So then what will happen is, when the client is going to the Internet, it'll forward it to the attacker and the attacker forwards it to the gateway, and then the gateway replies back from wherever it is; it goes through again. The same idea can work; it's really, really hard to do now; it used to be pretty easy. But what you can do is you can basically create a self-signed certificate on the attacker; the client will come to you, give you its certificate, then it will pass its certificate off as you and go out. It's much, much harder to do that now than it used to be. So what do we have for time? Just about there; we'll try to do this quick. Here's what I found out about Kerberos: it's like the cloud, nobody knows how it works. Nobody. I talked to people who know a lot about this; nobody had the right answers. Everybody kind of knows, like, can I
and I'm I would put myself solidly here so hopefully I don't go way technically in a wrong spot nobody understands it not exactly so okay so it's tickets used to be um back in the day if I want to authenticated on Microsoft network we use manager and land manager would go out and if I was going to loog in I would say here I am I want to log in server would send me back challenge with this thing called a n which was supposed to randomize it and then I would type in my password and use this nons to encryp it except if somebody's listening on The Wire they would pick it all up challenge and the nons and then
when I replied they could pull that information out it's really easy to get the hash of my password and then you can run against the password cracker so that was really weak especially the way that Microsoft used to do the hashing used the the LM hashing which was terrible um so it was really really easy to pull it so they they basically started to use curos the idea with curos AC director uses it uh we can do curos Realms and Linux same kind of a deal but it's tickets so now we'll have a ticket so instead of ever throwing my password across the netork I will have a ticket and I can use this ticket to go
But the trick is, okay, so how do we authenticate, really? Passwords are never sent on the wire. But here's the deal: part of the ticket is going to be encrypted with my password, and so if the server sends it to me and I want to be able to use it, I need to be able to decrypt it, which means I have to have it. So really it's like a shared secret. Like when you set up a Wi-Fi router: you want to connect to the Wi-Fi, you have to put in the password, you'd also put the password in the router, and if they match you're good. Same idea with Kerberos.

So if you think about the process, when you build a user account in Active Directory, you put in the user, all the stuff, you put in the user's password, maybe click that little box that says password must be changed at first login. And I found this process really interesting. I started to talk to people about, okay, so what happens there? I get that part, no problem, this part's great, so the ticket goes... nobody came up after with the right answer. So essentially what we have in Active Directory: we've got the KDC, it lives on the domain controller. Really there's two things inside there: there's this Authentication Service and there's this Ticket Granting Service. So there's sort of two things that are going to live inside there, so we should be able to see this. And so if we grab a capture of this we should be able to see the request and reply back to the Authentication Service, and we'll have this TGS exchange, and again we should see the request and reply, and we can get that pretty clearly in Wireshark. And then what we'll get is, if I ever want to go out, I will have this ticket, and I want to get access to a resource like a printer or a share or something. I'll then take the ticket that I've been given from this Ticket Granting Service and say, hey, I should be able to get access to this, and I will get another ticket. Tickets all over the place. So my
question was this, that I started to ask people: okay, so great, I get this part, I think, mostly. What happens when we use the change? That's when everybody's eyes just went, wait a second, because surely that password's got to go across the network, right? So how do you get that? We're getting pretty tight on time, so let's just try to rapidly solve this. So when a client logs in we should get an authentication request and reply, they'll get this ticket granting ticket, and then, you know, it'll use this service. But here's kind of what I got, and this was fascinating. I talked to lots of people; nobody could tell me how that password got sent securely. Turns out it depends. This is the right answer. And so I wound up doing a lot of reading. This is kind of the thought process that I wanted to explore a little bit, because once we start to get into it, you start to play with it more and more, and you start to grab more captures, and you start to do it.

So you can see at the very top I've got the request and reply to the Authentication Service. So it needs to authenticate the user; the first thing it's going to have to do is this TGS request, because the user needs to be able to get access to its own computer, like to allow access to it. So it'll get that, and you can see that there's a whole bunch of these TGS requests and replies coming back and forth. One of the things that I kind of wanted to show you was this guy, this Kerberos TGT, this ticket granting ticket. And I kind of had this idea that maybe we could have a look at golden tickets, or what that looks like, but here's what I'm doing, because I think I'm going to run out of time: homework. I do a bit about homework. You can build one of these things pretty easily. It's pretty fascinating to jump on there, and you can grab this. So I've got this Kerberos ticket granting ticket, but that's sort of not enough. If you want to do a golden ticket attack you need just sort of a couple of things: you need the domain name, the SID of the domain, and you need this account. This is the thing that really kind of means it works.
If you actually want to do a password change, so how does the password change? Let's maybe just stick with that; that's all I've got time for. If we're going to do a password change, I have to send my password. I have to go in, Ctrl-Alt-Delete, the option to change password. Clearly that thing has to be sent across the network, and Kerberos isn't supposed to do that. So I talked to lots of people, had all kinds of good answers, good guesses, but it turned out, including me, nobody was right. What it turned out the actual answer was is: it totally depends how you change that user password. If you do it from the command line you do one thing. If you're doing it from the client and you do Ctrl-Alt-Delete, go change password, it does a certain thing. If you do it from the domain controller it actually does something different. So it totally depends which of these processes kind of go there. In our case, because I did it from the client, this is option three, and that isn't too illuminating either; I had to go read up on that. But basically there's this kpasswd, is essentially what it would do, which is a request and a reply. And I just sort of thought this was kind of interesting. I grabbed it just because it did illuminate it. So essentially, in this particular standard, what it will do is it'll actually set up an AES channel between the client and server, 256, so it'll set this thing up, and the hash of the password is the thing that will be sent between the two machines. I had all kinds of answers on that.

So anyway, all right, I think we'll probably be at about time. Fun to try to do Mimikatz or, in Metasploit, you do those golden ticket attacks. But yeah, so I guess really what I was trying to bring across was just having maybe a different attitude about stuff: not to just sort of memorize answers, but to try to get a handle on what's happening. I think that's all I got. [Music]
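The ARP poisoning part of the talk (unsolicited ARP replies, hosts caching whatever they hear, and Wireshark flagging a duplicate IP address) can be checked mechanically. The following is an added example and not code from the talk: a small watcher builds the IP-to-MAC table the way a host's ARP cache would, then reports a reply nobody asked for and an IP that is suddenly claimed by a different MAC, which is the condition behind Wireshark's duplicate-address warning. The hosts, addresses and frames are constructed for the example.

```python
"""Spotting ARP cache poisoning in a stream of ARP frames (added example)."""
from dataclasses import dataclass

ARP_REQUEST = 1
ARP_REPLY = 2


@dataclass(frozen=True)
class ArpFrame:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


class ArpWatcher:
    def __init__(self):
        self.bindings = {}     # ip -> MAC first seen claiming it (the trusted baseline)
        self.pending = set()   # (asker_ip, asked_ip) requests still waiting for a reply
        self.alerts = []

    def observe(self, frame: ArpFrame) -> None:
        if frame.opcode == ARP_REQUEST:
            self.pending.add((frame.sender_ip, frame.target_ip))
        elif frame.opcode == ARP_REPLY:
            # A legitimate reply answers an outstanding request from its target.
            asked = (frame.target_ip, frame.sender_ip)
            if asked in self.pending:
                self.pending.discard(asked)
            else:
                self.alerts.append({"kind": "unsolicited_reply",
                                    "ip": frame.sender_ip, "mac": frame.sender_mac})
        # Requests and replies both carry a sender binding that hosts cache.
        known = self.bindings.get(frame.sender_ip)
        if known is None:
            self.bindings[frame.sender_ip] = frame.sender_mac
        elif known != frame.sender_mac:
            self.alerts.append({"kind": "binding_changed", "ip": frame.sender_ip,
                                "old_mac": known, "new_mac": frame.sender_mac})


def analyze(frames):
    """Run the watcher over a frame list; returns (alerts, final baseline table)."""
    watcher = ArpWatcher()
    for frame in frames:
        watcher.observe(frame)
    return watcher.alerts, watcher.bindings


# Constructed lab: a client, its gateway, and a third host that poisons both.
GATEWAY_MAC, GATEWAY_IP = "aa:bb:cc:00:00:01", "10.0.0.1"
CLIENT_MAC, CLIENT_IP = "aa:bb:cc:00:00:10", "10.0.0.10"
ATTACKER_MAC = "aa:bb:cc:00:00:66"

SAMPLE_FRAMES = [
    ArpFrame(ARP_REQUEST, CLIENT_MAC, CLIENT_IP, "00:00:00:00:00:00", GATEWAY_IP),  # who has gateway?
    ArpFrame(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, CLIENT_MAC, CLIENT_IP),            # gateway answers
    ArpFrame(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, CLIENT_MAC, CLIENT_IP),           # third host: "I am the gateway"
    ArpFrame(ARP_REPLY, ATTACKER_MAC, CLIENT_IP, GATEWAY_MAC, GATEWAY_IP),          # third host: "I am the client"
]

if __name__ == "__main__":
    alerts, table = analyze(SAMPLE_FRAMES)
    for alert in alerts:
        print(alert)
```

The two legitimate frames produce nothing; each poisoning reply produces both an unsolicited-reply and a binding-changed alert. Legitimate gratuitous ARP (a DHCP renewal, a failover address moving between hosts) trips the same checks, so in practice an alert is corroborated against switch port data or DHCP leases before anyone acts on it; the speaker's point that Wireshark detects the duplicate but does nothing about it is exactly where such corroboration belongs.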
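The shared-secret point the speaker makes about Kerberos (the password never crosses the wire, but part of the reply is encrypted with a key only a holder of the password can compute) is easier to see in code. The following is an added example and not code from the talk: a toy KDC stores a key derived from the user's password at account creation, the client re-derives that same key from what the user types, and the client's part of the AS-REP is opened with it. The derivation copies the shape of Kerberos's AES string-to-key (PBKDF2-HMAC-SHA1, 4096 iterations, salt of realm plus username) but omits Kerberos's final AES-based key-derivation step, and the cipher is a stand-in HMAC-SHA256 keystream with a tag rather than AES-CTS, so this models the protocol's logic and is not interoperable with a real KDC. The realm, user and password are constructed.

```python
"""Shared-secret model of a Kerberos AS exchange (added example, not interoperable)."""
import hashlib
import hmac
import json
import os

NONCE_LEN = 16
TAG_LEN = 32


def string2key(password: str, realm: str, user: str) -> bytes:
    """Long-term client key both sides can compute from the password (toy string-to-key)."""
    salt = (realm + user).encode()
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, 4096, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under `key`; returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key (wrong password) fails here, before any decryption."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("cannot decrypt: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


class Kdc:
    """Authentication Service half of a toy KDC (one realm, in-memory accounts)."""

    def __init__(self, realm: str):
        self.realm = realm
        self.client_keys = {}
        self.krbtgt_key = os.urandom(32)   # the key the TGS side would use to open TGTs

    def create_account(self, user: str, password: str) -> None:
        # Keep the derived key, not the password itself.
        self.client_keys[user] = string2key(password, self.realm, user)

    def as_exchange(self, user: str) -> dict:
        """AS-REQ/AS-REP: a TGT for the TGS plus a session key only this user can read."""
        session_key = os.urandom(32)
        tgt = seal(self.krbtgt_key, json.dumps({"user": user, "session_key": session_key.hex()}).encode())
        enc_part = json.dumps({"session_key": session_key.hex(), "tgs": "krbtgt/" + self.realm}).encode()
        return {"ticket": tgt, "enc_part": seal(self.client_keys[user], enc_part)}


def client_login(kdc: Kdc, user: str, password: str):
    """Client side: re-derive the key from the typed password and open enc_part."""
    reply = kdc.as_exchange(user)
    key = string2key(password, kdc.realm, user)
    enc = json.loads(unseal(key, reply["enc_part"]))
    return bytes.fromhex(enc["session_key"]), reply["ticket"]


def tgs_open_ticket(kdc: Kdc, ticket: bytes) -> dict:
    """Ticket Granting Service side: only the KDC's own krbtgt key opens a TGT."""
    return json.loads(unseal(kdc.krbtgt_key, ticket))


if __name__ == "__main__":
    kdc = Kdc("EXAMPLE.COM")
    kdc.create_account("alice", "correct horse battery staple")
    session_key, ticket = client_login(kdc, "alice", "correct horse battery staple")
    print("session key agreed:", tgs_open_ticket(kdc, ticket)["session_key"] == session_key.hex())
    try:
        client_login(kdc, "alice", "wrong password")
    except ValueError as exc:
        print("wrong password:", exc)
```

Nothing password-derived appears in `as_exchange`'s reply except as the key under which `enc_part` is sealed, and the client never sends its key at all. That is also why the speaker's Wi-Fi analogy holds: both ends hold the secret in advance, and the exchange only proves each side has it. The `ValueError` path is what a failed logon looks like in this model, and it is also why the KDC's stored key (and the krbtgt key in particular) is the asset a golden ticket attack needs, which the speaker lists among its prerequisites.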