Hello and welcome to this course, in which we're talking about finding credentials. We're going to start out this course with this video, called Introduction to Credential Access. And we're going to have two sections in this video. We're going to start out with an introduction to credential access, talking about why we're spending time talking about credentials. And then in the second section of the video we're going to talk about how we can use Python to help us access user credentials.

So, let's start by talking about the why of credential access. There are a lot of different things that we can try to achieve while performing an ethical hacking engagement, and we're spending a course on credential access. Why? The reason why is that user credentials can be invaluable during an ethical hacking engagement, because we can apply them to so many different objectives.

One way that you can use credentials that are stolen or found is privilege escalation, or elevation. So, say you've got user-level access on a system, or maybe access as part of an application account. If you can gain access to the user credentials of some other account on the system, there's a potential that might raise your privileges. Maybe you'll move from traditional Windows user access to administrator level. Or you might even find a way to elevate from administrator on the system by taking advantage of those user credentials. Alternatively, if you're working in the context of an application with limited privileges, but you grab some other user credentials there, you might actually gain actual user account access on the system.

Another application of credential access is lateral movement. Some credentials on a system are for that particular system, while others might be domain level, which gives you access to other machines with the same username and password. Alternatively, there might be credentials that are not intended to be domain level, but someone uses the same password on every system.
And so if we can find additional passwords on the system, that might give us access to more machines and allow us to expand our foothold on the targeted network.

A third use of compromised credentials is achieving persistence on the system. So say that you gained access to the system by exploiting a vulnerability, and your access did not go unnoticed. When that exploit is detected, they might clean up the foothold that they found through that exploit on the system, and also patch the exploited vulnerabilities, so you can't get back in the same way. However, it's possible that while you were on the system, you might have identified the credentials for another user account. And if so, you might be able to use a different way in. So, say, exploiting SSH or RDP by logging in with that compromised user account.

And then also there's the potential that once you gain access to a system, you might be able to start moving to online accounts. This could include things like social media, of course, but also email and other cloud-based systems. And increasingly, as organizations are making that move to cloud infrastructure, a lot of useful data and functionality is moving to that cloud as well. And so if you get high-level credentials on the AWS deployment for the organization, that's a lot more valuable in many cases than access to a single system.

And so we're talking about credential access in this course because we can do all of these things with the credentials if we find any. Once we're on a system, prioritizing credential access only makes sense.

And so we know that we want credentials, but where can we find them? Well, it turns out that credentials are kind of scattered or cached all throughout a computer. And so one rich set of credentials is web browsers.
So, a lot of times if you're using the web, if you're doing it properly, you're not memorizing all of your passwords, because if you managed to memorize them, they're probably not that good. They're either weak or they're repeated. And so you're probably using some sort of password storage system to keep track of all of your online accounts. And that password storage system is stored somewhere.

Sometimes you can find credentials or other useful information in the Windows registry, which is designed to be a configuration file for the Windows OS and a lot of the applications running on it. And so there are definitely credentials in the registry if you know how to access them.

And then thirdly, there's the potential that user credentials will be stored on the file system. You know that there's a good chance there's at least one user here who has a passwords.txt file somewhere that says this account has this password. And if we can find that passwords.txt file, or whatever it's called, then we might be able to extract some useful information from it.

And so these are some examples of where you can find credentials cached on a computer, and we're going to use Python to help us look at them. And then beyond that, we're going to take what we get from that and start using it to further our attacks.

So here at the bottom we have our diagram of how all the various pieces we're going to talk about here fit together, starting at the top left with browser caches. I mentioned that if you're doing things right, then you're having your credentials stored for you. And that's useful, because that means that you have unique, hopefully strong, random passwords for every user account. However, there are various levels of storing that information in the browser. You could be using a dedicated password manager, something like Bitwarden, LastPass, 1Password, etc. Or you could have clicked on that button that shows up in the modern browser that says, do you want me to remember this for you for later?
In that second case you might have a bit of a problem. And so we're going to use Python and demonstrate, for one browser, how we can, with access to a system, gain access to all those cached credentials. And that provides us access to any online accounts that were used with that browser and had the browser store the password.

Another potential source of data is the registry. The registry definitely has credentials in it, but there is that question of whether you can access them and whether they're useful. I say definitely because the SAM file on Windows is where user credentials are stored, but accessing the SAM file is a little bit difficult. So, we're not going to talk about that here, but I recommend you look into tools; they definitely exist. However, the SAM might not be the only place where credentials or credential-like information is recorded in the registry. Applications also use the registry, and some of them might put things there that shouldn't be there. Also, there is the potential that you might have information in the registry that's perfectly legitimate, but also helps us as an ethical hacker achieve our goals. For example, if you have a pointer to the private key that's used for PuTTY, WinSCP, etc., it's a lot easier to find that file and grab it, and then gain access to whatever remote computer it provides access to. And so we'll use Python to help us look for those sorts of things.

And then thirdly, we have the file system. Ideally, the file system should have nothing of value from a credential standpoint on it, unless that data is encrypted. In reality, there's a decent chance you'll find something good in there. And so in our file analysis we'll do searches through the file system and use a few different heuristics to try to help us find things that might be of use. This includes credentials, but we can also tweak it to look for other types of valuable data as well.
And so, based off of the approach that we use and what we find, we could get two types of output from these stages. We could get passwords themselves, which is great. Or we could get password hashes, which is how password data should be stored. And so if we get password hashes, we need to work on trying to crack those hashes. And so we'll have a section on cracking hashes. In this case we'll look at the Linux operating system and how it does password hashing. And we'll discuss how some of the password dictionaries and such that we created in an earlier course can also be applied here to potentially turn some weak password hashes into the passwords themselves.

And so at the end of hash cracking and our other attempts at credential access, we have a list of passwords, which is great, because that provides us with access to any of the accounts that are using those passwords. But it's possible we could do more. If we've gotten passwords at this point, it's because something went wrong, because it shouldn't be this easy. And so, if something went wrong, there is the potential that other things have gone wrong as well. So for example, you might have weak passwords, or passwords that are reused across multiple systems, or someone might have just stored one password in the browser. But there's a chance that those weaknesses, or some features of those passwords, might help us to determine passwords for other accounts that we haven't found. For example, say you have someone that uses an algorithm where they've got a nice, solid, strong root, and then they append some information about the site that they're accessing. So maybe super strong password_FB for Facebook. Then if we've learned that strong root, we can easily generate their passwords for any other user account. And so in addition to trying to find passwords, we're going to use a password analysis script to try to look for any indications of those commonalities, weaknesses, etc. that might help us determine other passwords for other accounts on the system, accounts on other systems, or online accounts.

And so at the end we've got our list of passwords that we've discovered, which is great, and then potentially some suggestions for, well, you might want to try this as well. And so this is invaluable to us for our ability to use passwords and credentials for privilege escalation, expanding our footprint, etc.

And so in this video, we've been talking about what credential access is and why we can use it. And finally, we talked about how we can use Python to further our goals of accessing user credentials. In the rest of the videos in this course, we'll look at the script that we've referenced here and see how Python can help us achieve our goals. Thank you.