
Everything starts with VMware Workstation! Yes, you can use VirtualBox... yes, you can use VMware Fusion... but why would you do that? VMware Workstation is the most stable, mature desktop hypervisor on the planet right now. It's a proven solution for virtualization. I've been using it for years so that's what we'll use in this course. Strapped for cash? Don't worry - just download the trial and you'll be good to go (for a month at least). Let's do this baby!
So you think you know how to set up Kali in VMware Workstation, eh? I STILL bet you'll learn something new in this lecture. I got your back man - let's go!
Commando VM needs Windows to work. Technically, it's only supported on Windows 10 but we're going to make it work on Windows 11. One problem: Windows 11 isn't simple to set up in VMware Workstation. It doesn't even exist in the guest OS drop-down AND you need some abstruse registry tweaks to get past the installer's hardware checks and make the magic happen! But don't worry - your boy Vonnie Hudson has got your back. I'll walk you through the setup process and show you it's not so painful (when you've got an expert holding your hand :)).
Commando VM is the gold standard when it comes to offensive Windows distributions. In this lecture, I'm going to walk you through the complicated and lengthy setup of this awesome attack platform. I'll also help you carefully navigate the rookie mistakes most people make and the common pitfalls to avoid.
Now we're going to set up forwarding on your Kali box so the Hack The Box VPN connection on Kali is shared with your Commando VM Windows box. Then we'll set up routing on the Commando VM (Kali becomes its gateway to the lab network) so we can run Windows tools against the Hack The Box target! It's a pretty cool setup. I've also included the commands in the resource section so you can copy and paste :)
PimpMyKali is the Kali setup that should have shipped with Kali. We'll run the New VM setup option and then watch the magic happen.
tmux is a terminal multiplexer. It's the leet way to manage panes and windows in the terminal. In the past people would use Terminator or just open multiple tabs in the terminal. That is NOT the modern way to hack. You gotta look good doing it, right? So when your boss or girlfriend starts shoulder surfin' you look legit! hahah let's get it baby!
Now I'll show you the CORRECT way to install Docker in modern versions of Kali. Hint: it has nothing to do with "apt install docker". lololz. Yeah - why does stuff have to be so confusing these days??? Don't worry, I got your back. We're also going to install an awesome nmap wrapper known as rustscan. It does the port discovery first and hands the open ports to nmap, so it can speed up your scans several times over... oh and did I mention it has colors!?!?? lol
Seriously?? TWO OF MY FAVORITE TOOLKITS! feroxbuster and almost anything by ProjectDiscovery. These are the best of the best when it comes to MODERN hacking. Out with the old, in with the new. If you want to use modern tools against targets, let me show you just how freggin' legit feroxbuster and the open source ProjectDiscovery attack stack are.
Say goodbye to FoxyProxy and say hi to Burp Browser. Burp's built-in browser is based on Chromium and it's now genuinely good! In this lecture I'll show you how to update Burp (two ways to do it), how to tweak the Burp Suite Community attack proxy and how to install the awesome Wappalyzer extension directly into the Burp Browser! Let's go baby!
Proper recon is critical! In this lecture you're going to learn the modern tmux methodology for doing recon, managing panes and running attacks, all mapped to MITRE ATT&CK tactics, techniques and procedures (TTPs). You'll learn how to identify the target OS from a single ICMP echo request (hint: look at the TTL in the reply), how to use rustscan to scan a target faster than the Flash and Sonic running a race. You'll also learn how to read the scan output, how to freggin' actually understand it. We're going to get into using whatweb, Wappalyzer, Burp Browser, how to manually inspect a web application for vulnerabilities, how to force browse a target using feroxbuster, how to pull usernames out of image files with a bit of digital forensics, and more!! ARE YOU READY!??? LET'S GO!!
Okay, let's get our hands dirty here. We're going to modify the hosts file on your Commando VM pentesting box, then we'll use ldp.exe to connect to the DC over LDAP! Very cool. Next, we'll use ldapsearch, crackmapexec and kerbrute to enumerate users and password spray accounts! I'll also show you how to install Impacket from scratch (even PimpMyKali doesn't get this one right!). We'll wrap things up running smbclient, getTGT and klist; we'll learn about SPNs and use GetUserSPNs to Kerberoast the victim and obtain a TGS hash for crackin'. YES YES YES!! THIS IS WHAT YOU SIGNED UP FOR BABY!! Let's go!
In this lecture I will give you a thorough and careful explanation of how Kerberos works, how Kerberoasting works and why we need these things called Service Principal Names ("SPNs"). We'll also use hashcat to crack our TGS ticket. Then we'll request a TGT with the cracked cleartext credential and pivot laterally to the service account! Yup, we're going to create a Silver Ticket! I'll explain what it is and how to pull it off with getPac and ticketer, and then we'll build the NTLM hash ticketer needs from the plaintext password... from... scratch... crazy, yes. I can't help myself! Let's go!
Now it's time to EXPLOIT the Silver Ticket and make use of it. We'll authenticate to the victim service with the silver ticket, which gives us elevated rights on that service! You're about to see why this is so freggin' dangerous. Next, because of a misconfiguration on the target Microsoft SQL Server service, we'll end up running arbitrary commands on the victim machine, including a reverse shell. We'll manually encode the shell and confirm access.
Let's elevate! We're going to run PEASS-ng (winPEAS) on the victim machine to inspect escalation vectors. We'll also run manual SQL commands on the database and find cleartext credentials. We will try to use PSRemoting and evil-winrm with the credentials; however, we'll hit a bunch of road blocks. You'll learn my troubleshooting methodology for tackling issues like this, which is pure gold. Then we'll use the Impacket release of smbclient (smbclient.py) to gain access to network file shares on the victim machine!
I love discovery. This is our exploration phase. We're going to find two juicy binaries and transfer them over to our Commando VM for static analysis :)
You're going to learn how to think critically and reasonably when it comes to binary disassembly. I LOVE THIS. You'll use CFF Explorer, netcat to probe the service port, debug log analysis to understand the target application, Wireshark to understand the network flows generated by the application, dnSpy to decompile the application and more! It's going to be bonkers guys. I can't WAIT to show you. Let's go!
You are about to understand one of the most difficult security vulnerabilities to understand: Insecure Deserialization. You'll base64 decode serialized payloads, examine the encoded strings in Wireshark, and study the application logs to understand exactly how the target app processes user-controllable serialized input. At the end, we'll piece it all together and use ysoserial.net to get a shell on the target!!! YES!!!
You ready for some potatoes? Nope, this isn't Hot Potato, Juicy Potato, Rotten Potato, Rogue Potato, Lonely Potato, Sweet Potato or Generic Potato: it's JuicyPotatoNG! I'm going to show you what this local privilege escalation exploit is and how to leverage it against our target to obtain SYSTEM rights!
Now we're going to demonstrate impact by establishing persistence on the victim machine! These are the exact behaviors attackers execute on victim machines after gaining a foothold so pay attention! :)
It's time to see the box we attacked. We'll observe the services and study how we were able to pop this box. We'll use netstat to find the process ID listening on port 4411, then pivot on the PID to find the service (and the binary) behind that listener. We'll see it's running as SYSTEM, and that the service account running the MSSQLServer service has an SPN and a Kerberoastable (weak) password! FAIL! Come join me as we take a look at the factors that led to complete compromise!
Let's QUICKLY look at weak passwords (and why they're so bad).
Kerberoasting is hard to detect. Pay attention to TGS requests (Event ID 4769) with RC4 encryption (Ticket Encryption Type 0x17), particularly a surge of them from one account or source address. Also consider setting the msDS-SupportedEncryptionTypes attribute on your service accounts to AES256, which makes the tickets far harder to crack if they are captured. Finally, make sure you are NOT running services with over-permissioned accounts! Then we'll jump into Event ID 4769 and 4770 events.
Silver Tickets! Use strong password hygiene for your service accounts: yes, gMSA (group Managed Service Accounts) is a thing. We'll talk about what that is and why you should consider using it. On the detection side, remember the DC never sees a silver ticket being forged or used, so look at 4624 logon events on the target host and pay attention to the Source Network Address value under Network Information.
It's time to make history. In this lecture I'll show you how there are ZERO detections for JuicyPotatoNG, the new take on the JuicyPotato privilege escalation. Then I'll walk you through the process of building a new detection from scratch. We'll use a careful, methodical approach: recreate the issue in our lab, observe what the existing detection analytics see (and miss), then craft a reasonable observable for this new attack technique. This is my favorite lecture!! Which is why it's an extra. Let's go!
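The two hunts above (the RC4 TGS burst for Kerberoasting, the off-source 4624 logon for a forged service ticket) as an added example, not code from the course: the events are constructed in the shape of the Security log's XML EventData fields (TargetUserName, ServiceName, TicketEncryptionType, IpAddress), the thresholds and the "expected sources" allow-list are assumptions you would tune to your environment, and the analyst's DC/host split is the point: 4769 only exists on the DC, 4624 only on the box that accepted the ticket.

```python
from collections import defaultdict

RC4_HMAC = "0x17"          # Ticket Encryption Type for RC4; 0x12 = AES256, 0x11 = AES128

# Constructed sample events (not real log data). 4769 = TGS requested (DC), 4624 = logon (target host).
SAMPLE_EVENTS = [
    # Normal: a workstation user asks for one AES ticket for a file server's machine account.
    {"EventID": 4769, "TargetUserName": "alice@LAB.LOCAL", "ServiceName": "FS01$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.14.5"},
    # Kerberoasting: one account, one source, RC4 tickets for several SPN-backed user accounts.
    {"EventID": 4769, "TargetUserName": "bob@LAB.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.9"},
    {"EventID": 4769, "TargetUserName": "bob@LAB.LOCAL", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.9"},
    {"EventID": 4769, "TargetUserName": "bob@LAB.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.9"},
    # krbtgt TGS traffic and machine-account tickets are normal even when RC4 shows up; skip them.
    {"EventID": 4769, "TargetUserName": "bob@LAB.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.9"},
    # Target host: the SQL service account logging on over the network from the attacker's box.
    {"EventID": 4624, "TargetUserName": "svc_sql", "LogonType": "3", "IpAddress": "10.10.14.9"},
    # Target host: the same account from the app server it is expected to come from.
    {"EventID": 4624, "TargetUserName": "svc_sql", "LogonType": "3", "IpAddress": "10.10.10.50"},
]

# Assumed allow-list: where each service account is expected to log on from.
EXPECTED_SOURCES = {"svc_sql": {"10.10.10.50", "127.0.0.1"}}


def kerberoast_candidates(events, min_services=3):
    """Group RC4 4769 requests by (requesting account, client IP).

    Returns the pairs that pulled tickets for >= min_services distinct SPN-backed
    user accounts; machine accounts (trailing $) and krbtgt are ignored as noise.
    """
    by_source = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != 4769:
            continue
        if ev.get("TicketEncryptionType", "").lower() != RC4_HMAC:
            continue
        svc = ev.get("ServiceName", "")
        if svc.endswith("$") or svc.lower().startswith("krbtgt"):
            continue
        by_source[(ev["TargetUserName"], ev["IpAddress"])].add(svc)
    return {key: sorted(svcs) for key, svcs in by_source.items() if len(svcs) >= min_services}


def unexpected_service_logons(events, expected_sources):
    """4624 logons for watched service accounts whose Source Network Address is not on the allow-list."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4624:
            continue
        allowed = expected_sources.get(ev.get("TargetUserName", "").lower())
        if allowed is None:
            continue  # not a service account we track
        if ev.get("IpAddress") not in allowed:
            hits.append((ev["TargetUserName"], ev["IpAddress"], ev.get("LogonType")))
    return hits


if __name__ == "__main__":
    for (account, source), services in kerberoast_candidates(SAMPLE_EVENTS).items():
        print(f"[Kerberoast?] {account} from {source} requested RC4 tickets for {services}")
    for account, source, logon_type in unexpected_service_logons(SAMPLE_EVENTS, EXPECTED_SOURCES):
        print(f"[Silver ticket?] {account} logon type {logon_type} from unexpected source {source}")
```

The 4769 filter only fires if "Audit Kerberos Service Ticket Operations" is enabled on the DCs, and once you move your service accounts to AES (msDS-SupportedEncryptionTypes) an RC4 request for them becomes a much stronger signal on its own, because a legitimate client has no reason to downgrade. The 4624 check is deliberately dumb: it cannot tell a forged ticket from a real one, it just surfaces service-account logons from hosts that should never originate them, which is the observable the lecture points at.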
Are you ready to feel the fun of KNOWING how to hack?
In this course you will learn how to build a modern hacking lab.
You'll learn how to master the latest tools and attacker tradecraft for compromising victim environments.
You'll finally feel the pleasure and freedom of knowing what you're talking about.
I had a BLAST creating this course for you guys and I'm so excited to share all the awesome with you.
In this course you will learn:
ping (for recon)
nmap
rustscan
whatweb + Wappalyzer
Burp Browser (why you should say NO to FoxyProxy!)
feroxbuster
kerbrute
ldp
ldapsearch
crackmapexec
smbclient
How to install Impacket from scratch (because you know... it always breaks)
getTGT
GetUserSPNs
What the heck a SPN is anyway! You'll learn that - finally
hashcat
Silver Tickets
ticketer
How to manually convert passwords into NTLM hashes
SQL Commands
How to build a reverse shell in PowerShell
rlwrap
netcat
iconv
xxd
base64
PEASS-ng (winPEAS)
PowerShell Remoting
evil-winrm
Reverse Engineering .NET Binaries
Wireshark
Insecure Deserialization
ysoserial
JuicyPotatoNG
Persistence Mechanisms
Beyond Root: Threat Hunting the Attack
Beyond Root: Mitigations
Seriously! This is the best course I've ever made on hacking. It's the combination of all my experience jam-packed into one tidy little course.
You'll also get:
Hacking links and resources
Complete commands to copy and paste directly into your terminal!
So what are you waiting for?
Why are you still reading?
Enroll now and change your life.
Let's go!