What's going on guys, welcome back. In this video today we're doing again a TryHackMe video, and we're going to focus on the Security Engineer track. We have reached Active Directory Hardening and it's going to be the subject of this video. There are some discussed methods, and I say some because there are many methods to harden and secure Active Directory, meaning Windows Server with Active Directory, but here there are some methods that are discussed. We're going to go over these methods and we're going to answer a couple of questions, and I'm going to try to make this as simple as I can. For my members, I released a new note file; it is under the Blue Team track, the Blue Team notes, and the name is Windows Security. You'll be finding this in the Google Drive notes. All right, let's get back to the room.

So we have a machine to spawn; we're going to click on Start Machine. Basically task two is about concepts on Active Directory, so it's not a comprehensive list; it doesn't contain everything about Active Directory, but if you are going through Active Directory hardening you must know what a domain and a domain controller are, and the definition of trees and forests. We're going to talk about this, but there are two questions here. One question: what is the root domain in the THM AD machine? So here, let's see... yeah, the machine is still starting. Here we have tryhackme.loc is the root domain, and za.tryhackme.loc is not the subdomain; it's called the child domain. Both these domains exist under the same tree, and we call this a tree because it contains more than one domain. Now the subject of this video will be on the securing authentication methods and the other tasks, so let's first make sure that the machine is up and running. I'm going to click on Split View.

Okay, so going to task three. In task three we have the LAN Manager hash, SMB signing, LDAP signing, password policies and rotation, and some suggestions on password policies. These are settings that you can configure on your Active Directory to make sure that the authentication process is secure, meaning MITM attacks have little to no chance to succeed, and at the same time you configure a strong password policy for your users.

Simultaneously, in task four they talk about the general security concepts, for example role-based access control, the methods of access control, the principle of least privilege. All of these are general security controls that you can apply to Active Directory, or Windows Server Active Directory, and here there are two questions. "Computers and printers must be added to tier zero." So here it's about the tiered access model. Now, the tiered access model is not discussed in CompTIA Security+, and here I'm preparing for you guys a note file to prepare for CompTIA Security+. In CompTIA Security+ there are certain models for access control. Oh my god, many things about access control, access control methods, models; just too hard to find them. MAC... okay, as you can see guys, in CompTIA Security+ we discuss discretionary access control, role-based, mandatory, and there is rule-based access control as well; if you scroll down you're going to find it, maybe, rule-based access control. All of these access controls are used depending on the scenario or depending on the organization.

So the tiered access model groups your resources based on tiers. For example, as you can see, tier zero includes top-level resources such as admin accounts, domain controllers and groups; tier one, applications and servers; tier two, user devices. The higher it goes, the less sensitive it becomes. As you can see, tier zero is the highest; it contains the most sensitive resources such as admin accounts, domain controllers and groups. So here the question is "computers and printers must be added to tier zero": nope, because computers and printers are endpoints, so we can add them to tier two. "Suppose a vendor arrived at your facility for a two-week duration visit task; being a system administrator, you should create a high privileged account for him": nope, because this goes to role-based access control. In role-based access control we assign people resources and permissions based on their job, and additionally we apply the principle of least privilege. Least privilege means that if they don't need access to a certain resource, we don't grant them the permission to access that resource, depending on your job description and on your need as well.

Okay, so finally the machine started. All right, so we're going to demonstrate task three now. We're going to allow this, and we're going to start with gpedit, the Group Policy Editor. Most of the policies you configure in Active Directory, whether to harden, secure, or even to set certain settings, are done via the Group Policy Editor, so it's good practice if you go over the policies here and understand the purpose of every single one of them. The first thing we're going to do is the LAN Manager hash. Here we're going to make sure that Windows stores the hashes for the user's password in NTLM, not the LM, because the LM is relatively weaker than the NT and it's vulnerable to brute force attacks. So we make sure that the passwords, or the hashes, are stored in NT. What we're going to do here: we're going to go to Computer Configuration, as you can see here, and then we're going to go to Policies, Windows Settings. In Windows Settings I'm going to expand this... the machine is too slow, frustrating. Okay, Security Settings; I can highlight this and expand to Local Policies, and if we expand the Local Policies we go to Security Options, and from Security Options here we have the security policies. As you can see there is one here that's about the LAN Manager; let's see what it is. It starts with "Do not store"... let's see what it is... yeah, this is done, Properties. So "Network security: Do not store LAN Manager hash value on next password change". By default this is enabled, which is good, so make sure on your end this is enabled, because you don't want the password to be stored as an LM hash, because it's going to be susceptible to brute force attacks; it's going to be easily cracked. All right, that's the first thing you can do to secure Active Directory.

The other thing is SMB signing. SMB, as you know, Server Message Block, is the protocol responsible for file and printer sharing, so if you have file sharing and printer sharing enabled, this protocol most probably is enabled. The problem is the communications happen in clear text, so it's vulnerable to MITM attack. In order to prevent this we're going to need to configure some security policies. Again we go back to Windows Settings and then to Security Settings, back to Local Policies, Security Options, and we're going to look for "digitally sign communications". Let's see what it is: "digitally sign secure channel", "Microsoft network"... this is the one, "digitally sign communications", Properties, and it is disabled, so we're going to make sure this is enabled. Go to Explain; you can see more information about this. "Digitally sign communications: this security setting determines whether packet signing is required by the SMB client component." So you want the communications through SMB to be signed and not vulnerable to MITM; therefore you need to enable this.

All right, another thing to secure protocols in Active Directory is the LDAP protocol. LDAP is the main protocol Active Directory is based on; it's the Lightweight Directory Access Protocol. We also want to secure the communications based on that protocol from MITM attacks, so what we're going to do, we're going to need also to enable the signing of these communications. On the same pane here we're going to need to find the Domain Controller section, and then we're going to look for "LDAP server channel binding token requirements"... yeah, "LDAP server signing requirements". "Modifying this setting may affect compatibility with clients." Here it doesn't allow me to enable it for some reason related to this explanation, but usually this needs to be enabled.

And the most important part of this video is the password policies. Password policies can be configured from... we're going to go back to Security Settings and we're going to check on Account Policies. Under Account Policies there is Password Policy, and from here you can configure the minimum and maximum length of the password, the complexity, the age, and so on and so forth. For example, as you can see here, the maximum age of the password is 42 days, which means after 42 days your users will be prompted to change their password; that's the maximum age. And that's the minimum age: minimum age is one, meaning you cannot change your password during the first day of the assignment. And you have minimum password length is seven characters. So these are some settings you can see, and there are some questions to answer. We scroll down... what is the default minimum password length? It was seven, as you can see here; going back, showing it one more time to you guys, so seven characters.

All right, so these are some policies that you can enable to harden your Active Directory, or maybe to secure the authentication. Additionally, in task five there is this nice new tool that I haven't heard of before; it is the Microsoft Security Compliance Toolkit. So this tool... let's go to the relative folder, Scripts, open that. Okay, opening the link of the tool. If you download this tool it will give you recommendations and give you ready templates, so that you download them and configure Active Directory. If you don't know what to do and what policies to configure, you can download this tool and retrieve ready templates to configure. For example, on Group Policy there are already ready-made configurations, for example here Windows Server 2019 Security Baseline, downloaded from the tool itself. To illustrate further, in the figures here, as you can see, when you run this tool it gives you the templates. Now here, Windows Server 2022 Security Baseline.zip: this is a zip file and it was downloaded to this machine, and once downloaded you can see the relative folder. If you open it and go to Local Scripts you can see the PowerShell script that, if you run it, will configure the configurations set on this baseline. The baseline is actually a collection and combination of configurations that makes sure your Windows Server is secure based on a specific baseline, and you can use this as a start if you don't know what to do.

Additionally there is the Policy Analyzer. Again guys, these can be downloaded by running the tool on your machine and then selecting the configuration you want to download; it will be downloaded in a zip file and you can extract and see it this way. Policy Analyzer analyzes the Group Policy settings in your environment. Okay, and as you can see here there are the demonstrations. If you go back here to Policy Analyzer you can see these are the scripts that, if you run, will configure your Group Policy based on the settings. Let's go over one of them. If you go back to Windows Server Security Baseline and check the GPOs, as you can see these GPOs can be directly imported to your Group Policy Editor, based on the machine and the user. If you open this in XML format... hopefully it's going to open... yeah, see guys, these are the configurations. Now the best thing to do is to import them to the Group Policy Editor. LGPO, as you can see, is an executable file.

All right, so on the task here there is: find and open the Baseline-LocalInstall script and find the flag. Let's go here and see where is that script: Local Scripts, and there is Baseline-LocalInstall. Let's open this and see what it does. Okay, so the description says: applies a Windows security configuration baseline to local Group Policy; execute the script with one of the required command line switches to install the corresponding baseline. So here you specify... you execute this either on a domain controller or on a domain-joined machine. Requirements: PowerShell execution policy, domain-joined machine, and this is the flag. As you can see guys, these are a set of configurations that will be applied on any domain or any computer you apply it to, and it will configure the Group Policy based on the configurations mentioned here.

Okay, the other question: find and open the MergePolicyRules script imported from Policy Analyzer in the PowerShell editor. So back to Policy Analyzer; I can check the scripts, MergePolicyRules. Let's take a look at the script here, what it does. "Merge Policy Analyzer policy rules files into one policy rules set written into the pipeline." So one of the things that Policy Analyzer does is that it gets rid of redundant policies configured in GP, and if you scroll down, as you can see, this is the flag.

Other questions we have to answer. These are the common attacks against Active Directory; we have discussed many rooms on Active Directory penetration testing. We can get back to them guys and see how attacks are conducted against these kinds of environments. "Does Kerberoasting utilize an offline attack scheme for cracking encrypted passwords?" We explained previously guys about Kerberoasting; just go through this again, and the answer is yes, it's offline, because at the end you take the ticket and you crack it offline. "As per the generated report, how many users have the same password as Aaron Booth?" For you guys who are asking where is the report: the report is here; if you go to the image here, you click on it and see, this is the report. These are the usernames who have the same password, as you can see, as Aaron Booth; the number of accounts with the same password is 186. And lastly, this is the cheat sheet from TryHackMe; you can download it to take a look at more details on Active Directory hardening. So that was it guys, I hope you enjoyed the video, and definitely I'm going to see you later to complete this track.
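The Group Policy settings walked through above (LM hash storage, SMB signing, LDAP server signing, password policy) are backed by registry values and domain policy objects that can be audited from a shell. The script below is an added example, not code from the video or the TryHackMe room: it reads those values on a domain controller and reports which ones differ from the hardened setting. It assumes an elevated PowerShell session and, for the password-policy part, the ActiveDirectory (RSAT) module; the password thresholds are this example's own assumptions, not the room's answer key.

```powershell
# Added audit script (not from the TryHackMe room or the video). Reads the
# registry values behind the Group Policy settings discussed above and flags
# any that do not match the hardened value. Run elevated on the DC.

function Get-RegDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: policy never applied
    return [int]$item.$Name
}

function Test-AdAuthHardening {
    $checks = @(
        # "Network security: Do not store LAN Manager hash value on next password change"
        @{ Name = 'NoLMHash (do not store LM hash)'
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
           Value = 'NoLMHash'; Expected = 1 },
        # "Microsoft network client: Digitally sign communications (always)"
        @{ Name = 'SMB client signing required'
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
           Value = 'RequireSecuritySignature'; Expected = 1 },
        # "Microsoft network server: Digitally sign communications (always)"
        @{ Name = 'SMB server signing required'
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
           Value = 'RequireSecuritySignature'; Expected = 1 },
        # "Domain controller: LDAP server signing requirements" (2 = Require signing)
        @{ Name = 'LDAP server signing required'
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
           Value = 'LDAPServerIntegrity'; Expected = 2 }
    )

    $results = foreach ($c in $checks) {
        $actual = Get-RegDword -Path $c.Path -Name $c.Value
        [pscustomobject]@{
            Setting  = $c.Name
            Actual   = if ($null -eq $actual) { 'not set' } else { $actual }
            Expected = $c.Expected
            Status   = if ($actual -eq $c.Expected) { 'OK' } else { 'REVIEW' }
        }
    }
    return $results
}

function Test-DomainPasswordPolicy {
    # Thresholds are this example's assumptions; the room's default shows
    # minimum length 7 and maximum age 42 days, which this would flag.
    param([int]$MinLength = 14, [int]$MaxAgeDays = 90)
    Import-Module ActiveDirectory -ErrorAction Stop
    $p = Get-ADDefaultDomainPasswordPolicy
    $maxAge = $p.MaxPasswordAge.Days
    [pscustomobject]@{
        MinPasswordLength  = $p.MinPasswordLength
        LengthOk           = $p.MinPasswordLength -ge $MinLength
        MaxPasswordAgeDays = $maxAge
        MaxAgeOk           = ($maxAge -gt 0) -and ($maxAge -le $MaxAgeDays)
        MinPasswordAgeDays = $p.MinPasswordAge.Days
        ComplexityEnabled  = $p.ComplexityEnabled
        LockoutThreshold   = $p.LockoutThreshold
    }
}

Test-AdAuthHardening | Format-Table -AutoSize
Test-DomainPasswordPolicy | Format-List
```

A value reported as "not set" means the policy has never been applied on that host, which the Group Policy Editor shows as "Not Defined"; the LDAPServerIntegrity check is only meaningful on a domain controller.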