Hey John, really liked this series, followed along with you and it was super duper fun, thank you so much for such great content, and I hope that the series continues. 🙏🏻
Subliminal messages in passwords is a great way to get new subscribers
Pentester here. I see this frequently in AD environments large and small. In a few cases, the user was a domain admin. You can even create custom queries in BH to pull data like this down. :)
As a pentester, how do you look at password managers? Are they secure? Won't they mean I could lose all my stuff in one single very unlucky time?
A user should never be a domain admin, and a domain admin should never log in for anything other than performing domain administrative tasks. Simple as that, right?
We have 0 users with domain admin, and we have an escalation policy: if someone needs to perform domain admin functions like adding new domain controllers, they can temporarily get domain admin for up to 7 days.
@TheXiguazhi couldn't be better
I have always found passwords on yellow sticky pads stuck on the inside of left hand side drawers.
Always excited for your videos
Honestly, you are providing too much info for my brain to keep up with. How do you learn and remember all these techniques you have posted videos about just recently alone?
@BallBustinBandit Yeah, but if you don't refresh what you learned, would you still remember how you solved those boxes? That's what I wonder, and how to overcome such a situation if it exists.
the only thing missing from his thumbnails are laser eyes to show his true power.
Hi John,
I'm from India.
I'm a very big fan of you. You're uploading very useful security information videos. I'm impressed by your way of explanation in the videos.
I'm interested in learning penetration testing. If you don't mind, please guide me on how I can start from scratch. I want to become your student.
John, Sharphound (-CollectionMethod All) does indeed include the description field.
At one point Rogue Valley Youth Correctional Facility in Grants Pass, OR used Windows Active Directory to store passwords alongside the usernames in a comment.
They fixed it after I logged into someone's account and he switched on me for leaving a blank text document titled "hi"
Thank you for all.
No, Chuck Norris is the John Hammond of pentesting
Serious question: How do you use a password manager for AD logins? Surely it only works once you've logged in to the PC.
This is something where something like Windows Hello for Business would come in. You'd set up a PIN, fingerprint, or facial recognition and let WHB broker the login to the local workstation. Generally, something like a PIN is going to be weaker than a strong password, but you need to have interactive control of the computer to use it, and if you fail the challenge a few times it will force a password challenge. Generally if you are in a situation where the attacker can get interactive access to the computer to even attempt to get through something like the PIN, you're already owned.
So for day to day login to the station, you would use a fingerprint reader for example. Then when logged in you would have your password manager available. The time when you want to use the password would be for any kind of remote access, which is generally when an attacker will want to know your password too. In this case you're likely in a session locally with access to your password manager.
There will be times when you will not have access to the autofill options from your password manager, like first login to OOBE on new hardware or if you have failed the WHB challenge on login. In this case generally password managers will have phone apps where you can view your password and type it in manually. Generally you probably don't want a 60 character password for just the pain it would be to type it in, but you can certainly have a secure password that doesn't need to be easy to remember.
Multi factor authentication
I've seen passwords and usernames clearly in JavaScript (just view the page source).
One place I worked at back in the early 90's (non-internet machine) had the passwords stored in a pass.txt file which included the end-user password as well as install/config passwords. A quick "dir" command made it easy to find.
"I know someone" who found a scam centre where the password was the username. So 124, 124; 125, 125. It made it super easy to log on to their system and pretend to be a scammer or just disconnect calls.
You can also look at the "info" attribute, or the "Notes" field in the GUI; I've already seen passwords there in the past.
I guess you can also see the description of users in the Active Directory search functionality.
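Putting the three comments above together (custom BloodHound queries, SharpHound collecting the description field with -CollectionMethod All, and the info/Notes attribute), here is one way to hunt both attributes offline. This is an added example, not code from the video or from the BloodHound project: it reads a SharpHound-style users.json, the sample JSON is constructed, and the "info" key is an assumption (SharpHound's user properties do include description; info is shown so the same check also works on a separate LDAP dump that carries it). The BLOODHOUND_QUERY string is the equivalent Cypher for the raw query bar.

```python
"""Hunt for passwords parked in AD free-text attributes, offline, from a
SharpHound-style users.json.  Added example; the JSON is constructed and
the "info" key (LDAP attribute behind the Notes box in ADUC) is an
assumption, not something SharpHound is guaranteed to collect."""
import json
import re

# Free-text attributes admins use as scratch pads.
TEXT_ATTRS = ("description", "info")

# Credential keyword, optional separator, then the token that follows it.
PASSWORD_HINT = re.compile(
    r"\b(?:pass(?:word|wd|phrase)?|pwd|cred(?:ential)?s?|pin)\b"
    r"\s*[:=\-]?\s*(?P<token>\S+)",
    re.IGNORECASE,
)

# Same hunt as a BloodHound Cypher query for the raw query bar.
BLOODHOUND_QUERY = (
    "MATCH (u:User) WHERE u.description =~ '(?i).*(pass|pwd|cred).*' "
    "RETURN u.name, u.description, u.enabled"
)

# Constructed sample in the shape SharpHound writes for users.
SAMPLE_USERS_JSON = json.dumps({
    "data": [
        {"ObjectIdentifier": "S-1-5-21-1111-2222-3333-1105",
         "Properties": {"name": "JDOE@CORP.LOCAL", "enabled": True,
                        "description": "Helpdesk, passes tickets to tier 2"}},
        {"ObjectIdentifier": "S-1-5-21-1111-2222-3333-1106",
         "Properties": {"name": "NEWHIRE@CORP.LOCAL", "enabled": True,
                        "description": "Initial password: Welcome2023!"}},
        {"ObjectIdentifier": "S-1-5-21-1111-2222-3333-1107",
         "Properties": {"name": "SVC_BACKUP@CORP.LOCAL", "enabled": True,
                        "description": "Backup job account pwd=B4ckup!2019"}},
        {"ObjectIdentifier": "S-1-5-21-1111-2222-3333-1108",
         "Properties": {"name": "OLDADMIN@CORP.LOCAL", "enabled": False,
                        "description": "Former DA",
                        "info": "PIN 4421 for the server room door"}},
    ],
    "meta": {"type": "users", "count": 4, "version": 5},
})


def find_suspect_users(users_json: str) -> list:
    """Return one record per attribute whose text contains a credential hint."""
    hits = []
    for obj in json.loads(users_json).get("data", []):
        props = obj.get("Properties", {})
        for attr in TEXT_ATTRS:
            value = props.get(attr) or ""
            match = PASSWORD_HINT.search(value)
            if match:
                hits.append({
                    "name": props.get("name"),
                    "enabled": props.get("enabled"),
                    "attribute": attr,
                    "candidate": match.group("token"),
                    "value": value,
                })
    return hits


if __name__ == "__main__":
    for hit in find_suspect_users(SAMPLE_USERS_JSON):
        state = "enabled" if hit["enabled"] else "DISABLED"
        print(f"{hit['name']} ({state}) {hit['attribute']}: {hit['value']}")
    print("Cypher equivalent:", BLOODHOUND_QUERY)
```

The regex is deliberately a hint, not a verdict: "passes tickets" does not trip it, but every flagged value still needs eyeballing. Disabled accounts are kept on purpose; a password left in OLDADMIN's notes is a ready-made spray candidate against every other account in the forest.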
I did an audit on one of our clients. When I saw this I almost flipped...
Great content John as always
but I have to ask..
Where did you get that cool Pacman Whitehat T-shirt?
I need one
Thanks
YES!
I have been using Passbolt since the beta web version. It's great, but the only downside I feel is it needs a CA-signed SSL cert to connect.
Thankfully, they have the guide for SSL using Traefik though.
I want to learn web application penetration testing, can you give me a road map?
Passwords or passphrases? Thoughts?
A password I used for quite a while is on your thumbnail lol
Guru John.
Quick question: How does it work with password managers when you need to login to another computer (like checking your emails on a friend's computer, or when you're travelling and don't have your laptop with you, etc...)?
Is there an easy way to log in? Or do you have to type in the 35 characters of your password?
Thanks :)
John, what about RF?
LastPass was breached so no I won’t be using a password manager
I think an offline password manager like KeePass is reasonably safe, and I buy into the argument that a password manager lets you use more complex passwords that you'd never be able to remember yourself. However, I'd avoid anything with an "online" component, or even browser extensions, which have been exploited to leak passwords. LastPass, 1Password, Passbolt etc., though; no thanks to any of these solutions. Offline storage only, even if it's a little inconvenient.
In the company I worked at, every new user got the same password. After logging in they had to change it; it was mandatory. I don't see a problem with that, to be honest. Placing an initial password in the user description serves no use at all.
I used to work for a very large retailer that used the same password schema for all employees and NEVER prompted anyone to change it. There were people who had worked there for 40 years (managers included) that were still using that initial password. Don't ask me how I know 😉 They finally changed it just 2 years ago, adding some 0's to the passwords, but they're still predictable.
That's exactly how it should be done. New users get the standard password, then are forced to change it when first logging on.
Can you help me, sir?
I remember this guy was earlier advertising for LastPass; after the data breach at LastPass, he started advertising for someone else 😂😂
Great points John.
I have some passwords saved in random lines of code inside of various avatar PNG/JPG files online. I have been working on fortifying my method by not sticking strictly to LSB, but trying out significant bytes as well, without corrupting the image: a tedious process, lol!
At least the file escapes being 'cleaned' by servers that parse image files for EXIF etc. I'm a noob at steg, obfuscation and crypto, but find it rather fascinating.
...loving your devotion...
Knobhead.
Pick the password from a line of the code, then you don't have to tamper with the image.
@zeonos Try typing out non-alphanumeric binary data on a touch screen keyboard.
Brilliant idea!
I still think that until you get a password manager, follow xkcd's password safety philosophy. Just add some numbers and capitals and you're probably fine. Still, if you have the time to migrate all your passwords, then do so.
Which software would you recommend for password migration?
@cyrusparsons9625 I have never used one, so I wouldn't know
Passwords in the description field? W000t
Nice Video... Again XD
2 more posted up for you
NEVER STORE YOUR PASSWORD ONLINE
John, besides the fact I like your content. I'm watching this because half of the passwords in your thumbnail I've seen used at work...smh
I'd love to work for him but I'd also be hella intimidated by him. Like, x1000.
powers hell
It could be interesting to also talk about other locations where you can find clear passwords (it happens so often):
- Configuration file
- Script
- GPO
- Logs
-...
anywhere text is stored
passwords may be found
browsers
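The list above (configuration files, scripts, GPOs, logs) is the same class of finding in different containers. As an added example, not from the video or any tool it mentions, the scanner below runs a few credential patterns over constructed file contents from each of those places, including the Group Policy Preferences cpassword case, and redacts what it finds so the report itself does not become another cleartext copy. File names, contents and the cpassword value are all made up for the example.

```python
"""Scan text from the other usual hiding places (config files, scripts,
GPO preference XML in SYSVOL, logs) for cleartext credentials and report
each hit with the secret redacted.  Added example; every file body below
is constructed."""
import base64
import re

# Most specific patterns first; the first pattern that matches a line wins.
CREDENTIAL_PATTERNS = [
    # Group Policy Preferences (SYSVOL ...\Preferences\Groups\Groups.xml):
    # cpassword is AES-encrypted with a key Microsoft published, so it is
    # as good as cleartext to anyone who can read SYSVOL (every domain user).
    ("gpp_cpassword", re.compile(r'cpassword="(?P<secret>[^"]+)"', re.I)),
    # PowerShell secure string built from a literal inside the script.
    ("powershell_literal", re.compile(
        r'ConvertTo-SecureString\s+["\'](?P<secret>[^"\']+)["\']\s+-AsPlainText', re.I)),
    # HTTP Basic header copied into a debug log: base64, not encryption.
    ("basic_auth_log", re.compile(
        r'Authorization:\s*Basic\s+(?P<secret>[A-Za-z0-9+/=]+)', re.I)),
    # Generic key=value / key: value in configs, connection strings, URLs.
    ("config_password", re.compile(
        r'\b(?:password|passwd|pwd|secret)\s*[=:]\s*"?(?P<secret>[^"\s;&]+)', re.I)),
]

# Values that reference a secret instead of containing one (${VAR}, %VAR%,
# {{ template }}, <placeholder>) are not findings.
PLACEHOLDER = re.compile(r'^(\$\{|\$\w|%\w|\{\{|<)')


def redact(secret: str) -> str:
    """Keep enough to recognise the value in a report, never the whole thing."""
    return secret[:2] + "***"


def describe_basic(token: str) -> str:
    """Decode user:pass from a Basic header; only the password is redacted."""
    try:
        user, _, pwd = base64.b64decode(token).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return redact(token)
    return f"{user}:{redact(pwd)}"


def scan_text(location: str, text: str) -> list:
    """One finding per line at most: location, line number, kind, redacted secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in CREDENTIAL_PATTERNS:
            match = pattern.search(line)
            if not match:
                continue
            secret = match.group("secret")
            if not PLACEHOLDER.match(secret):
                shown = describe_basic(secret) if kind == "basic_auth_log" else redact(secret)
                findings.append({"location": location, "line": lineno,
                                 "kind": kind, "secret": shown})
            break
    return findings


def scan_all(files: dict) -> list:
    out = []
    for location, text in files.items():
        out.extend(scan_text(location, text))
    return out


# Constructed samples: one per hiding place named in the thread.
SAMPLE_FILES = {
    "web.config": (
        '<configuration>\n'
        '  <connectionStrings>\n'
        '    <add name="Db" connectionString="Server=sql01;Database=app;'
        'User Id=svc_app;Password=Summer2021!;" />\n'
        '  </connectionStrings>\n'
        '</configuration>\n'
    ),
    "deploy.ps1": (
        '# password rotation is handled by the vault\n'
        '$pw = ConvertTo-SecureString "Sup3rS3cret!" -AsPlainText -Force\n'
        '$cred = New-Object System.Management.Automation.PSCredential('
        '"CORP\\svc_deploy", $pw)\n'
    ),
    "Groups.xml": (
        '<Groups>\n'
        '  <User name="localadmin">\n'
        '    <Properties action="U" userName="localadmin" '
        'cpassword="AzVJmXh/J9KrU5n0czX1uAUsMR0VxLgABpQ1FnDQwTI" />\n'
        '  </User>\n'
        '</Groups>\n'
    ),
    "app.log": (
        '2024-03-02T10:15:03Z INFO  GET /api/login?user=bob&password=bobpass1 200\n'
        '2024-03-02T10:15:04Z DEBUG headers: Authorization: Basic Ym9iOmJvYnBhc3Mx\n'
        '2024-03-02T10:15:05Z INFO  password: ${DB_PASSWORD} resolved from environment\n'
    ),
}

if __name__ == "__main__":
    for f in scan_all(SAMPLE_FILES):
        print(f"{f['location']}:{f['line']} {f['kind']} {f['secret']}")
```

The placeholder check is what keeps this usable on real repositories: `password: ${DB_PASSWORD}` is the fix, not the finding, and a scanner that flags it trains people to ignore the report. Point `scan_all` at a dict built from `Path.read_text()` over SYSVOL, a scripts share or a log directory and the same five pattern kinds apply.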
If you're putting passwords in the description, you're just a complete idiot and shouldn't be an admin. Period.
Any default password given must be set to change at first login.
If any user is caught with a password on their screen or in an unsecure space, that's a verbal warning and an instant password change.
Passwords need to be changed frequently, every 60-90 days. Your password policy needs to be strong in GPO.
All users (including admins) must not have admin rights. The admins should be assigned admin accounts for each admin that are only used for admin tasks. Admins must never log on to their computers with an admin account (policies will fix that).
Admins should never directly log into domain controllers or other servers. Jump hosts are required.
No users should have local admin rights to their computers. Devs can be a pain with this aspect, and exceptions are made for them only on a case-by-case basis.
Service accounts need to have extremely complex passwords and be locked down to the servers they are running on so they cannot be used anywhere else.
Auditing these accounts is a must, as they usually have very powerful rights.
No scripts should have any passwords in them. If you do script like that, you need to stop and do it correctly.
This is just super basic stuff.
Why would you ever give a service account DA rights?
@JaffaHeckle You wouldn't. That's retarded. However, they do require specific permissions that can really cause havoc. Like a backup service account.
I got my passwords in another language 😼
Until someone writes/leaks a list for your language. If it's a commonly used language, or its speakers are commonly into various cyber security careers, that works less.
123456seven
John on gr8 number. 🥚
pizza123 :)