Exploring Windows Post Exploitation

Windows Post Exploitation - Dumping & Cracking NTLM Hashes

    Summary

    In this video, HackerSploit dives into the realm of Windows post-exploitation, specifically focusing on dumping and cracking NTLM hashes. This advanced technique, generally executed after privilege escalation, involves extracting password hashes from the SAM database using utilities like mimikatz or creddump. The video demonstrates how to use these tools effectively, showcasing an entire process from hash extraction to cracking the hashes with tools like hashcat and John the Ripper. It also touches upon the use of pass-the-hash attacks and emphasizes the important roles of these methods in both red teaming and forensic analysis.

      Highlights

      • The SAM database holds crucial password hashes for Windows user accounts.
      • Creddump and mimikatz are key tools for extracting NTLM hashes.
      • Hashcat and John the Ripper are effective for cracking NTLM hashes.
      • Pass-the-hash allows for authentication using hashes instead of passwords.
      • These techniques are vital for both penetration testing and forensic investigations.

      Key Takeaways

      • Understand the importance and sensitivity of the SAM database in Windows security.
      • Gain knowledge about NTLM hash extraction using creddump and mimikatz.
      • Learn about cracking NTLM hashes with Hashcat and John the Ripper.
      • Explore pass-the-hash attacks as a method of authentication without cleartext passwords.
      • Insight into the practical applications of these techniques in red teaming and forensic analysis.

      Overview

      In the exciting world of penetration testing, post-exploitation techniques are essential for a comprehensive analysis of system vulnerabilities. In this video, HackerSploit dives deep into one such technique - dumping and cracking NTLM hashes on Windows systems. This method is typically performed after achieving administrative privileges and involves pulling sensitive password hashes from the SAM database, a highly protected area in Windows security architecture.

        The video provides a step-by-step guide to extracting these hashes using popular tools like creddump and mimikatz, revealing behind-the-scenes operations of these utilities. Not stopping at extraction, the tutorial ventures into the realm of cracking the hashes using powerful tools like Hashcat and John the Ripper, showcasing how one can convert these hashes into actual passwords, an essential skill for ethical hacking and penetration testing.

          Beyond cracking, the video delves into the fascinating topic of pass-the-hash attacks, a method allowing hackers to authenticate using just the hash, bypassing the need for a cleartext password altogether. This video is a must-watch for anyone interested in the nuances of cybersecurity, providing practical insights and techniques pivotal for red teaming and forensic analysis tasks.

            Chapters

            • 00:00 - 00:30: Introduction The chapter titled 'Introduction' marks the beginning of the penetration testing boot camp, specifically focusing on the Windows privilege escalation section. In the previous video, the focus was on identifying stored credentials within the Credential Manager and the registry. The current chapter builds on that knowledge as it delves deeper into the nuances of Windows privilege escalation.
            • 00:30 - 02:00: Extracting NTLM Hashes from the SAM Database The chapter discusses the task of extracting NTLM hashes from the SAM (Security Account Manager) database, emphasizing that this technique is usually performed after privilege escalation. The use of tools like Mimikatz is mentioned, highlighting that dumping credentials, specifically NTLM hashes, is not typically part of the initial privilege escalation process.
            • 02:00 - 05:00: SAM Database Explanation and Forensic Techniques The chapter discusses the SAM (Security Account Manager) database and its significance within Windows operating systems. It emphasizes the necessity for administrative privileges to dump NTLM (NT LAN Manager) hashes securely. The process of accessing these hashes typically involves extracting them from the LSASS (Local Security Authority Subsystem Service) process cache. In situations where there is an available copy of the SAM database, tools like pwdump can be used to extract these NTLM hashes. The chapter is focused on explaining forensic techniques related to the SAM database.
            • 05:00 - 07:00: Insecure Storage of SAM and System Files This chapter discusses the security risks related to the insecure storage of Security Account Manager (SAM) and system files in Windows. Typically, having a copy of the SAM database is unusual because it represents a significant security risk. Anyone with access to it can extract NTLM hashes, compromising system security. Windows mitigates this risk by implementing protective measures in its kernel when the system is running.
            • 07:00 - 08:30: Using CredDump for NTLM Hash Extraction The chapter covers the use of CredDump for extracting NTLM hashes from the SAM database file in a Windows system. It begins by discussing the challenges associated with making a copy of the SAM database file, which stores password hashes for Windows user accounts. Highlighting its significance for both defensive (blue team) and offensive (red team) security operations, the discussion positions the SAM file as a critical resource in cybersecurity contexts.
            • 08:30 - 13:00: Password Cracking with John the Ripper and Hashcat This chapter discusses the use of password cracking tools like John the Ripper and Hashcat within the context of cybersecurity, focusing on forensic techniques often used by blue teams. It explains how, in the event of a compromised system, a forensic analyst can extract the hard drive, mount it onto a forensic machine, and make a copy of the necessary files like the SAM file for analysis.
            • 13:00 - 15:30: Pass the Hash Attack Explanation The chapter titled 'Pass the Hash Attack Explanation' discusses potential system issues following an improper shutdown. It highlights that parts of the Windows registry might be corrupted due to these issues. Additionally, the chapter notes that copies of the SAM database and system hive can often be found under the repair directory, which can be valuable for analysis. These backups may assist in understanding and resolving the problems caused by the system's incorrect shutdown.
            • 15:30 - 18:00: Using PsExec for Pass the Hash The chapter 'Using PsExec for Pass the Hash' focuses on the use of the sam and system files to extract user password hashes. It highlights the insecurity of storing these files, especially since it has been a known issue since 2011. The text emphasizes that one should never create and store local copies of these files as it poses a security risk. It notes that the virtual machine in question has insecurely stored backups of these files in the repair directory, which can be transferred.
            • 18:00 - 25:00: Metasploit and Mimikatz Usage The chapter discusses the usage of Metasploit and Mimikatz. It guides users on setting up their Kali virtual machine and suggests cloning a custom creddump repository. However, it notes that Kali Linux already includes creddump7, which comes with a script named pwdump.py. The chapter encourages readers to learn more about creddump by visiting the official GitHub repository to understand its functionality, particularly in dumping LM hashes.
            • 25:00 - 27:00: Conclusion The chapter titled 'Conclusion' discusses the use of system documentation and specific tools for system operations. The speaker mentions referencing documentation within a particular context and recommends cloning a repository created by Tiberius. However, the speaker prefers using 'creddump,' a tool available in the Kali Linux distribution, which they update regularly to ensure it functions correctly. The focus is on ensuring that the latest version of 'creddump' works seamlessly with the latest Kali updates. This provides a practical solution for the task at hand.
            • 27:00 - 28:00: Credits and Thank You In the chapter titled 'Credits and Thank You', the content focuses on a technical walkthrough involving security and password cracking techniques. It discusses the process of copying SAM and SYSTEM files onto a local system, dumping NTLM hashes using the pwdump Python script, and then using Hashcat to crack the NTLM hash. The chapter mentions specifying a rockyou wordlist for cracking. Additionally, the chapter indicates that Mimikatz will be used after obtaining the NTLM hashes and performing a 'pass the hash' technique.
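
The chapters above describe SAM and SYSTEM backups left in the repair directory, which is everything an offline tool needs to recover the account hashes. As an added example (not from the video or from the creddump project), this Python script audits a mounted Windows volume for registry hive copies outside `Windows\System32\config`; the function names and the sample directory tree are constructed for illustration.

```python
"""Audit a mounted Windows volume for copies of credential-bearing registry hives."""
import os
import tempfile
from pathlib import Path

HIVE_MAGIC = b"regf"                          # registry hive files begin with this signature
SENSITIVE = {"sam", "system", "security"}     # hive base names worth reporting
LIVE_DIR = ("windows", "system32", "config")  # where the in-use hives belong


def is_hive(path):
    """True if the file starts with the registry hive signature."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == HIVE_MAGIC
    except OSError:
        return False


def find_stray_hives(root):
    """Return [(relative_dir, [hive names], severity)] for hive copies outside LIVE_DIR."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel = Path(dirpath).relative_to(root)
        if tuple(part.lower() for part in rel.parts) == LIVE_DIR:
            continue  # the live hives are expected here
        hits = set()
        for name in files:
            base = name.lower().split(".")[0]  # matches SAM, SAM.bak, system.old, ...
            if base in SENSITIVE and is_hive(Path(dirpath) / name):
                hits.add(base.upper())
        if hits:
            # The key that protects the SAM hashes is derived from the SYSTEM hive,
            # so a directory holding both copies is the worst case.
            severity = "high" if {"SAM", "SYSTEM"} <= hits else "medium"
            findings.append((rel.as_posix(), sorted(hits), severity))
    return sorted(findings)


def build_sample_volume(root):
    """Constructed test tree; the fake hives are only the signature plus padding."""
    fake_hive = HIVE_MAGIC + b"\x00" * 60
    layout = {
        "Windows/System32/config/SAM": fake_hive,
        "Windows/System32/config/SYSTEM": fake_hive,
        "Windows/Repair/SAM": fake_hive,
        "Windows/Repair/SYSTEM": fake_hive,
        "Temp/SAM.bak": fake_hive,
        "Users/Public/system.txt": b"not a hive",
    }
    for rel, data in layout.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def demo():
    """Run the audit over the constructed tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_volume(tmp)
        return find_stray_hives(tmp)


if __name__ == "__main__":
    for directory, hives, severity in demo():
        print(f"[{severity}] {directory}: {', '.join(hives)}")
```

Any finding should be treated as a credential exposure: remove the copy and reset the passwords of the local accounts it covers.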

            Windows Post Exploitation - Dumping & Cracking NTLM Hashes Transcription

            • 00:00 - 00:30 [Music] hey guys hackersploit here back again with another video welcome back to the penetration testing boot camp uh more specifically the windows privilege escalation section of this particular boot camp uh as we explored in the previous video we've taken a look at how to identify uh you know stored credentials uh we know within the credential manager as well as the registry etc etc and now we're moving on
            • 00:30 - 01:00 to the next task which essentially involves extracting ntlm hashes from the actual sam database right and again as i mentioned in the previous video this really isn't a technique that you would typically include within privilege escalation as dumping credentials ntlm hashes to be specific you know whether you're using mimikatz or using this particular technique usually comes after privilege escalation
            • 01:00 - 01:30 the reason for that is you require in most cases administrative uh you know administrative privileges in order to uh to dump ntlm hashes and that's i'm typically referring to uh or specifically referring to you know dumping ntlm hashes from the lsass process cache right so in this particular scenario if there is a copy of the sam database then you can actually utilize a tool like pwdump to essentially extract the ntlm hashes
            • 01:30 - 02:00 now as i said this is quite an unorthodox situation in that you'll typically um never find that you have uh you know a copy of the sam database made right and the reason for that is because anyone who has access to the sam database can pretty much extract the ntlm hashes and as part of a security feature within windows or nt rather the actual kernel uh when a windows system is running you
            • 02:00 - 02:30 typically cannot or you really cannot make a copy of the system file right or sorry the the sam database uh and again now that you know you have an understanding of that let me just explain what the sam database file is uh the sam database file is essentially where all you know windows user account uh password hashes are stored and as a result you you can already tell it's a really important resource when it comes down to both the blue team and the red team and you know in the context of you know
            • 02:30 - 03:00 just uh you know cyber security in general this technique is typically a you know forensic technique whereby uh you know uh it it will typically fall under the blue team the reason for that is uh whenever you're performing a blue team and you have a compromised system uh you know you can essentially you know take out the drive of a particular system or server and uh essentially mount it onto your forensic system and you know make a copy of the sam uh file when this operating
            • 03:00 - 03:30 system is turned off and then you know analyze whatever you need to analyze and as i said in some scenarios you may find that there is a copy of the sam database as well as the system hive made and in this case it looks like it's under the repair directory so it looks like this system had a few issues that could have been caused by an incorrect shutdown all we know is that parts of the windows registry might have been corrupted irregardless of all of that it looks like there are copies available
            • 03:30 - 04:00 so let's take a look at the documentation here so it says that that the sam and system files can be used to extract user password hashes this vm as insecurely and it's good that they state that is because it really this is a no no especially in 2022 or rather since 2011 this is like you should never make a copy of this file and store it locally all right so this vm has insecurely stored backups of the sam and system files in the repair directory right so you can transfer these copies
            • 04:00 - 04:30 uh you know onto your kali vm and then it actually recommends that you clone a custom creddump repository uh we already have uh kali linux already comes with creddump7 and as part of that you have pwdump.py uh if you want to learn more about creddump you can take a look at the official github repository here and take a look at how it works it essentially allows you to essentially you know dump ntlm hashes uh from the
            • 04:30 - 05:00 you know system or from the system and the sam hives so uh you know you can go through that documentation there as for the documentation within this particular room uh it recommends you know cloning the repository uh created by tiberius however i have used creddump as i said i use kali on a daily basis the latest version if you update your you know your repositories and your packages the latest version of creddump that comes pre-packaged with kali will work without any issues right so this particular task
            • 05:00 - 05:30 involves copying the sam and system files onto your local system uh dumping the ntlm hashes using pwdump the pwdump python script and then using hashcat to crack uh the ntlm hash and of course specifying the rockyou word list there now i'm also going to be taking a look at mimikatz however that will only happen after i've obtained the ntlm hashes and after i've performed the pass the hash technique here which we will
            • 05:30 - 06:00 actually perform so i'm not going to be following this to the word the reason for that will become obvious and i'm going to be showing you the typical scenario that you typically find right now one thing that i want to mention is that you cannot typically for example with a tool like mimikatz that you know will uh you know will try and interact with the lsass process you cannot interact with the lsass process without nt authority system privileges or an elevated uh you know an elevated session
            • 06:00 - 06:30 um so as i said this step usually comes after privilege escalation and again this is just a scenario that has been set up to demonstrate this technique so i've already made a copy of the sam or i've downloaded the sam file and the system file from windows repair and it's stored within my current directory here so uh ls you can see i have it there we have sam and system and uh you know kali already comes pre-packaged with creddump so that's already done as i said if you're using
            • 06:30 - 07:00 meterpreter you can easily just download it so just download sam download system and that's pretty much it right so we can run uh you know pwdump.py and specify the system and sam hives there okay and that'll dump it in just a couple of seconds right so you know the creddump on kali is stored under user share creddump so what we can do is we can say python 3 and user share creddump7
            • 07:00 - 07:30 and then pwdump.py and then because we're working within the current directory we can say system and sam hit enter and we get the ntlm hashes all right pretty cool right now we really don't have to go through the process of cracking these hashes i know a lot of you think that cracking password is like something a hacker would do but uh you can pretty much use psexec to authenticate and perform a pass the hash attack so i'll take you through how to crack these
            • 07:30 - 08:00 passwords or these hashes so you can utilize hashcat if you want or you can utilize john the ripper in any case let me save this under i'll just call it hashes.txt and the the hash that i want to crack is uh not the user account uh but that might be useful if especially if you don't know that so um i'll delete that default account guest um sorry about that let me undo that there guest we don't want the utility account
            • 08:00 - 08:30 we can crack admin but i don't want to do that let's crack the administrator the administrator account right so you can write and quit if you're doing it with john you say john and then format is this is ntlm so format equals nt and then hashes.txt this will use the default word list that john will create you can also specify your own word list let's just hit enter and let's see whether this is able to get the password with the you know the
            • 08:30 - 09:00 word list user share john password.list so we'll give this a couple of seconds and then of course we'll take a look at how to use hashcat hashcat is much more comprehensive and it's really an easier tool to understand once you you've actually started using it so i'll take you through that as well if you want to specify a word list with uh with john the ripper let me just terminate that there you can say you know word list and that is going to be equal to user share word lists um is that under user share word lists
            • 09:00 - 09:30 yeah rockyou.txt hit enter there we are so uh that's weird it uh tell me that administrator that's the password yeah all right so there we are we get the password for the administrator account when we specify the correct word list so uh you can utilize queue whatever you know you want to use as i said in a real scenario this is going to be a little bit tricky given the fact that the password might be uh quite strong
            • 09:30 - 10:00 and it might be lengthy so uh again at this point um or at that point you pretty much want to utilize hashcat now let me explain something about how hashcat works here so when i say hashcat help whenever you're specifying the mode or the type of algorithm that you'd like to crack or the type of hash that you'd like to crack these are specified right over here so you can see these all your modes so if we're saying mode 1000 as specified by the documentation that is obviously
            • 10:00 - 10:30 going to be ntlm so let's see if i can find 1000 it's not sorted numerically and this is going to be a headache as i already knew that it would but it should be or somewhere around here because 1000 is ntlm that is quite frequently utilized especially during a penetration test uh no that's you can see for example 900 is md4 0 is md5 etc so it's very very uh you know very very helpful tool and the documentation is fantastic so you can
            • 10:30 - 11:00 pretty much get uh you know the actual um the actual hash mode uh based on the type of hash you're trying to crack um so let me see if i can find 1000 because i just want to prove to you that that is the case oh boy this uh probably need to you know utilize a tool like grep here but i can't seem to find it really weird let me just get back to you when i do after long after a long long time i
            • 11:00 - 11:30 did find them so you know you have lm here which is 3000 and then of course ntlm 1000 so i just wanted to make sure that i highlight that so uh the instructions provided are pretty straightforward um you know you specify the hash mode which is ntlm and then force specify the hash that you'd like to crack and then the word list right so what we can do here is say hashcat and then mode is 1000 and then we can specify force now you
            • 11:30 - 12:00 can also specify the file that contains the hash so you know if i say you know for example force and then hashes.txt it only contains one and then you can specify any word list in this case you can see it is user share wordlists rockyou.txt so user share wordlists rockyou.txt hit enter we'll give this a couple of seconds oh boy you guys are going to see what system i'm running on don't judge me man this is just my recording uh workstation
            • 12:00 - 12:30 so uh yeah pretty not a bad cpu at all i can tell you that the base clock 2.8 gigs 3.9 with turbo boost although i do have a ryzen workstation in the build uh this is not what i use for cracking so again i'm just going to give this a couple of seconds to actually begin all right so hash cat just took a couple of seconds longer and that's because it was preparing uh the back end and you can see right
            • 12:30 - 13:00 over here it cracked the hash and we get the password so let me just save this because i've not been saving my output which is uh something i don't recommend um so let me just save that make sure we have that there this is for the administrator user and that's pretty much the price uh the objective here we want the administrator account right so now that we have the password we can pretty much just log in via rdp you know um and we can also utilize the psexec module which
            • 13:00 - 13:30 involves performing a pass the hash attack so this is done right so it's going to ask us for the ntlm hash of the admin user here to complete this that's very nice of them so ntlm hash let's just copy that there unless it also wants the lm hash that's uh i'm pretty sure this is just it here oh yeah so okay so it wants the lm hash the complete thing ntlm uh
            • 13:30 - 14:00 oh boy oh boy where's uh well i actually have it within hashes.txt right okay so that's the hash there and paste that in there submit uh oh what is the ndlms oh that's the admin user ah my bad man i can't even i can't even read this this is just this is just too much now let's let's dump them again from the actual system and sam file so that's admin
            • 14:00 - 14:30 does it want lm or ntlm i'm really confused here because it really doesn't tell you the character limit there so let's get rid of that there submit yep that's correct okay that's done so we've dumped the hashes although not through a conventional technique uh but you know still you know we've been able to get that and we've been able to crack the actual passwords now when it comes down to pass the hash attacks what is a pass the hash attack well pass the hash attack essentially
            • 14:30 - 15:00 involves authenticating with a windows system typically using either the hash the ntlm hash or the clear text password right and the objective here being to actually uh you know obtain a meterpreter session or a command shell session if you will or alternatively you can also utilize the pass the hash technique to essentially execute native windows commands and there's multiple tools that you can use to do this one of the tools that i like using
            • 15:00 - 15:30 is psexec right and i believe i have the python script or the uh python implementation of psexec because psexec is a windows binary or executable that is part of our windows sysinternals or the sysinternals suite i apologize for that notification i should have muted my phone there but what can you do all right so i have the script here you can download it really easily so if i say you know psexec.py um and you know that's actually going to
            • 15:30 - 16:00 cause a few issues let me just say psexec there dot py now uh there we are so developed by um you can see you can get some information about how this script works so there we are it allows you to interact with uh you know it has the reference for smb there it also works with uh winrm um so uh it works very very similar to the windows binary except uh you know in this case we can simply just say
            • 16:00 - 16:30 i'll just launch the script here so you know psexec.py and then we say administrator uh we can log in like ssh we specify the target ip so let me just get let me just copy that there and we have the password right so let me make sure that is noted there we can actually copy that i don't want to type that in because i'm lazy at this point in time paste that in there and it looks like
            • 16:30 - 17:00 that administrator account is disabled oh they got us man they actually got us oh man but we have we have actually got the administrator or the admin user password previously so you know we can pretty much just go through the process of cracking again with john the ripper however we need to add the admin account there instead of the administrator account so before i do that vm hashes.txt delete that paste that in there
            • 17:00 - 17:30 administrator account has been disabled that's weird it actually didn't look like it was disabled we actually can but we would need elevated privileges in any case we've obtained uh the actual um the actual clear text password so what we can do now is again just utilize the john command that i used previously and i'm doing that because john is just much faster let me specify the rockyou word list as well we ran the john command with where the rockyou word list there we are we get the password password one two three so no issue there i'll go through the
            • 17:30 - 18:00 process of using ps exec again so this is admin paste that in there okay now i'd want to save that so we can say ps exec and this time we will change this to admin all right so we can say admin and that is password one two three hit enter give that a couple of seconds there we are it's gonna upload find shares upload the executable
            • 18:00 - 18:30 create the service we should get a command shell session hopefully hopefully let's see if this works because this module the metasploit module should work as well there we are so uh you know whoami should be nt authority yep there we go nt authority system so that's one of the advantages of you know pass the hash attacks as opposed to a traditional um you know as opposed to some of the other techniques that you typically utilize like login via rdp
            • 18:30 - 19:00 uh and of course that's something that's valid as well but we get nt authority system here you can also utilize the metasploit module which i have covered before one thing i want to check which is really bugging me i thought the admin i thought the administrator the administrator password or the administrator account was actually enabled so let's test this out i actually want to run an experiment live on air here and i'm just going to search for the module so psexec
            • 19:00 - 19:30 this is obviously authentication is performed via smb so we're looking for exploit windows smb and that is authenticated user code execution so we need actual credentials to use it so we'll say use for the default payload we will set this to windows x64 meterpreter reverse tcp and then we can show the options here i'm going to set the l host to panel
            • 19:30 - 20:00 zero oh boy oh boy hit typing that in before i do that let me set l port to one two three four and set smb user to administrator we can also use the hash to authenticate so smb pass i'll use the password in this case and then um ifconfig let me just get my ip address here this is the
            • 20:00 - 20:30 uh try hack me vpn ip so set lhost to the ip there and let's try and see what happens here huh oh yeah forgot to specify the target ip how foolish of me i thought it was a post exploitation module so set rhosts because that's typically what i you know would typically run administrator oh yeah okay so it looks like that account has been disabled so
            • 20:30 - 21:00 this would still work we would be able to get a meterpreter session with you know the admin account so you know i can say admin and then set uh smb password to password one two three one two three there we are and uh exploit now let's see whether my hypothesis will actually be validated here should i have specified a different target i'm not really sure um let's see how this works
            • 21:00 - 21:30 because within this room of actually within this video we've actually completed two of the tasks and we'll do one extra one just for you guys uh just to see or just to test and see whether this works um so we still have a privilege session there via psexec um so this is done as well what i wanted to cover is uh mimikatz right and i've covered mimikatz before that's not really something you guys are not familiar with uh this doesn't look
            • 21:30 - 22:00 like it worked huh interesting that's weird eh um so set target uh this is using yeah let's use native upload that usually fixes the issue or we can also try command exploit this module needs a bit of tweaking in order for it to work so it's smb version one that's a bad thing especially on windows server 2016 but hey this has been configured to
            • 22:00 - 22:30 demonstrate these techniques um so yeah let's see whether that actually is able to upload the payload if it isn't then we'll use the command target or we'll set the target to the command or to command rather so let me just wait for this to complete in the meantime the next task that we'll be taking a look at in the next video is going to be schedule tasks and then of course insecure gui apps startup apps i'm not really sure why we need to go through that now but hey
            • 22:30 - 23:00 uh yeah so we're almost done with this particular room all right so it looks like it sent the stage so that worked modifying the target actually worked and let's see whether the sorry yeah modifying the target works it sends the stage and the stage should be executed and we should get a meterpreter session one thing that i'm curious and it's not something i ever noticed before is whether or not it'll provide it should provide us with
            • 23:00 - 23:30 nt authority system privileges so i'm just going to wait for this to actually complete here not really sure why it's that slow um let's see all right so we get the meterpreter session so getuid and nt authority system all right so psexec is pretty much the best thing that you can do in terms of authenticated code execution uh in the previous some of the previous videos we got access to the um we got access to the actual admin
            • 23:30 - 24:00 account or we got access to a meterpreter session with the admin account but not nt authority system privileges so you know we say getprivs now you'll see we get the entire gamut of privileges that you typically associate with the highest level of privileges on a windows system right so now that we've obtained a uh an elevated session we can now move on to what you know you typically or the stage that would typically involve dumping credentials which is post exploitation
            • 24:00 - 24:30 which i don't think i'll you know i'll cover in depth because uh that's something i'll cover during active directory pen testing but for now uh you can utilize the mimikatz executable which comes pre-packaged with kali as i've mentioned many times before or you can just load kiwi right so load kiwi and you can also use the hashdump utility so you know if i say hashdump as well there we are only gets the admin hash there and we looks like we get an error for some of the other hashes which is
            • 24:30 - 25:00 perfectly fine if we say lsa dump i believe it's lsa dump sam yeah we hit enter there we are so we get the hashes ntlm hashes or rather the nt hashes for all the user accounts on the system um let's see there we are so you get them right over there administrator and of course let's see if we can find the admin user there we are and is that the admin user
            • 25:00 - 25:30 no that's the standard user and uh we should have the admin user there we are fantastic so you can use mimikatz to do that as well uh lsa dump secrets so we can also dump secrets and this we got the syskey there the sam syskey which is quite helpful in certain scenarios i'll not be getting into that uh in this video but uh yeah so you know the process of dumping hashes is fairly easy and as i said you really don't need to move on to cracking
            • 25:30 - 26:00 um to actually cracking the hashes until you reach a stage or a point during a penetration test where you need the clear text credentials primarily for password reuse so you know many employees that work in companies will typically reuse their passwords for other accounts and that's typically when you need a clear text password uh but for lateral movement and or you know remote uh authenticated code execution you can utilize the hash no problem uh
            • 26:00 - 26:30 even with the psexec metasploit module and uh you know psexec.py uh you can also utilize the psexec portable executable with wine it works almost flawlessly i believe i did cover that in the red team series yeah i believe i did so you know you can use that as well as i said it's fairly simple to perform and we've been able to complete two tasks in one video so we're now almost done uh pretty much the most important
            • 26:30 - 27:00 one is going to be uh the ones that list is important to me is of course token impersonation and the last task really isn't pertinent here we've taken a look at winpeas there are a few others like powerup i will be making an independent video on powerup because it's quite important and i wanted to only focus on one tool uh in this particular section of the penetration testing boot camp um so yeah that's gonna be it for this video guys thank you very much for watching if you have any comments uh suggestions or feedback
            • 27:00 - 27:30 please leave them in the comment section if you'd like to reach out to me you can do so via twitter or you can join the discord server there are really awesome people in there and if you want to support this channel you can do so via patreon the link to our patreon is in the description section as always thank you very much for watching thank you very much for supporting the channel and i'll be seeing you guys in the next video peace a huge thank you to all of our patreons
            • 27:30 - 28:00 your support is greatly appreciated and this is a formal thank you so thank you shamir douglas ryan carr sandor michael busby sits up doozy defean barry dustin on press and michael hubbard your support is greatly appreciated and you keep us making even more high quality content for you guys so thank you [Music]