
PASSWORDS LEFT OUT IN THE OPEN (Active Directory #10) 

John Hammond
41K views

j-h.io/passbolt Use a FREE password manager to keep all your credentials secure! j-h.io/passbolt
Help the channel grow with a Like, Comment, & Subscribe!
❤️ Support ➡ j-h.io/patreon ↔ j-h.io/paypal ↔ j-h.io/buymeac...
Check out the affiliates below for more free or discounted learning!
🖥️ Zero-Point Security ➡ Certified Red Team Operator j-h.io/crto
💻Zero-Point Security ➡ C2 Development with C# j-h.io/c2dev
🐜Zero2Automated ➡ Ultimate Malware Reverse Engineering j-h.io/zero2auto
🐜Zero2Automated ➡ MISP & Malware Sandbox j-h.io/zero2au...
⛳Point3 ESCALATE ➡ Top-Notch Capture the Flag Training j-h.io/escalate
👨🏻‍💻7aSecurity ➡ Hacking Courses & Pentesting j-h.io/7asecurity
📗Humble Bundle ➡ j-h.io/humbleb...
🐶Snyk ➡ j-h.io/snyk
🤹‍♀️SkillShare ➡ j-h.io/skillshare
🌎Follow me! ➡ j-h.io/discord ↔ j-h.io/twitter ↔ j-h.io/linkedin ↔ j-h.io/instagram ↔ j-h.io/tiktok
📧Contact me! (I may be very slow to respond or completely unable to)
🤝Sponsorship Inquiries ➡ j-h.io/sponsor...
🚩 CTF Hosting Requests ➡ j-h.io/ctf
🎤 Speaking Requests ➡ j-h.io/speaking
💥 Malware Submission ➡ j-h.io/malware
❓ Everything Else ➡ j-h.io/etc

Published: 14 Oct 2024

Comments: 67
@_Sherlock_ed 1 year ago
Hey John, really liked this series, followed along with you and it was super duper fun, thank you so much for such great content, and I hope the series continues. 🙏🏻
@beatsbyLSD 2 years ago
Pentester here. I see this frequently in AD environments large and small. In a few cases, the user was a domain admin. You can even create custom queries in BH to pull data like this down. :)
@micheleromanin7168 2 years ago
As a pentester, how do you look at password managers? Are they secure? Won't they mean I could lose all my stuff in one single very unlucky time?
@boogieman97 2 years ago
Users should never be domain admins, and a domain admin should never log in to anything other than to perform domain administrative tasks. Simple as that, right?
@TheXiguazhi 1 year ago
We have 0 users with domain admin and we have an escalation policy if someone needs to perform domain admin functions like adding new domain controllers where you can temporarily get domain admin for up to 7 days
@boogieman97 1 year ago
@TheXiguazhi couldn't be better
@jayricepillau 2 years ago
Subliminal messages in passwords are a great way to get new subscribers
@ramr9958 1 year ago
Hi John, I'm from India. I'm a very big fan of you. You're uploading very useful security information videos. I'm impressed by your way of explanation in the videos. I'm interested in learning penetration testing. If you don't mind, please guide me on how I can start from scratch. I want to become your student.
@rangelbatista4594 2 years ago
Thank you for all.
@firosiam7786 2 years ago
Honestly, you are providing too much info for my brain to keep up with. How do you learn and remember all these techniques you have posted videos about just recently alone?
@firosiam7786 2 years ago
@BallBustinBandit Yeah, but if you don't refresh what you learned, would you still remember how you solved those boxes? That's what I wonder, and how to overcome such a situation if it exists.
@Exposingscammers 2 years ago
I've seen passwords and usernames clearly in JavaScript (just view the page source). One place I worked at back in the early 90's (non-internet machine) had the passwords stored in a pass.txt file which included the user end password as well as install / config passwords. A quick "dir" command made it easy to find. "I know someone" who found a scam centre where the password was the username.. So 124, 124; 125, 125. It made it super easy to log on to their system and pretend to be a scammer or just disconnect calls.
@davidraymond7420 2 years ago
You can also look at the "info" attribute or the "notes" field in GUI, already seen passwords there in the past
@wrathofainz 2 years ago
At one point Rogue Valley Youth Correctional Facility in Grants Pass, OR used Windows Active Directory to store passwords alongside the user names in (a comment). They fixed it after I logged into someone's account and he switched on me for leaving a blank text document titled "hi"
@ktj6186 2 years ago
I have always found passwords on yellow sticky pads stuck on the inside of left hand side drawers.
@cpmtube 2 years ago
John, Sharphound (-CollectionMethod All) does indeed include the description field.
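The comments from @beatsbyLSD, @davidraymond7420 and @cpmtube all point at the same three user attributes (description, info, comment), which any authenticated domain user can read. Added example, not from the video or from any commenter: a PowerShell audit an AD administrator can run to list accounts whose attributes mention a password, so the attribute can be cleared and the password rotated. It assumes the RSAT ActiveDirectory module and read access to the domain; the keyword regex is a heuristic of my own, not a standard.

```powershell
# Added audit example (not from the video or the comments): find AD user objects whose
# description, info (the "Notes" box in ADUC) or comment attribute mentions a password.
# Assumes the RSAT ActiveDirectory module; the keyword regex is a heuristic, so review hits by hand.
Import-Module ActiveDirectory

# Words that usually precede a pasted credential. -match is case-insensitive by default.
$credentialPattern = '\b(pass(word|wd|phrase)?|pwd|cred(ential)?s?|initial\s+log[io]n)\b'

$findings = foreach ($user in Get-ADUser -Filter * -Properties description, info, comment) {
    foreach ($attr in 'description', 'info', 'comment') {
        $value = $user.$attr
        if ($value -and $value -match $credentialPattern) {
            [pscustomobject]@{
                SamAccountName = $user.SamAccountName
                Enabled        = $user.Enabled
                Attribute      = $attr
                Value          = $value   # may contain the secret itself: keep this output restricted
            }
        }
    }
}

$findings | Sort-Object SamAccountName | Format-Table -AutoSize

# Remediation per finding: clear the attribute and force a password change at next logon,
# because the value has been readable by every authenticated user for as long as it was there.
# Remove -WhatIf once the list has been reviewed.
foreach ($f in $findings) {
    Set-ADUser -Identity $f.SamAccountName -Clear $f.Attribute -WhatIf
    Set-ADUser -Identity $f.SamAccountName -ChangePasswordAtLogon $true -WhatIf
}
```

The same three attributes are what SharpHound collects with the full collection method, so the audit output and a BloodHound query over the same data should agree.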
@CrittingOut 2 years ago
the only thing missing from his thumbnails is laser eyes to show his true power.
@onmc4754 2 years ago
No, Chuck Norris is the John Hammond of pentesting
@mr.seal.gaming_6810 2 years ago
Great content John as always, but I have to ask.. Where did you get that cool Pacman Whitehat T-shirt? I need one. Thanks
@robertwouda 2 years ago
Always excited for your videos
@es1090 2 years ago
Guru John.
@lancemarchetti8673 2 years ago
Great points John. I have some passwords saved in random lines of code inside of various avatar png/jpg files online. I have been working on fortifying my method by not sticking strictly to LSB... but trying out significant bytes as well... without corrupting the image... a tedious process lol! At least the file escapes being 'cleaned' by servers that parse image files for EXIF etc.... I'm a noob at steg and obfus & crypt, but find it rather fascinating. ...loving your devotion...
@rob-890 2 years ago
Knobhead.
@zeonos 2 years ago
Pick the password from a line of the code, then you don't have to tamper with the image.
@unicodefox 2 years ago
@zeonos try typing out non-alphanumeric, binary data on a touch screen keyboard
@lancemarchetti8673 2 years ago
Brilliant idea!
@srikeshmaharaj 2 years ago
YES!
@ksurya4073 2 years ago
I guess you can also see the description of users in the Active Directory search functionality
@AlecegonceTV 2 years ago
I did an audit on one of our clients. When I saw this I almost flipped...
@ducseul 2 years ago
I have been using Passbolt since the beta web version. It's great, but the only downside I feel is it needs a CA-signed SSL cert to connect. Thankfully, they have the guide for SSL using Traefik though.
@gabrote42 2 years ago
I still think that until you get a password manager, follow xkcd's password safety philosophy. Just add some numbers and capitals and you're probably fine. Still, if you have the time to migrate all your passwords, then do so.
@cyrusparsons9625 2 years ago
Which software would you recommend for password migration?
@gabrote42 2 years ago
@cyrusparsons9625 I have never used one, so I wouldn't know
@dom1310df 2 years ago
Serious question: How do you use a password manager for AD logins? Surely it only works once you've logged in to the PC.
@zeidrichthorene 2 years ago
This is something where something like Windows Hello for Business would come in. You'd set up a PIN, fingerprint, or facial recognition and let WHB broker the login to the local workstation. Generally, something like a PIN is going to be weaker than a strong password, but you need to have interactive control of the computer to use it, and if you fail the challenge a few times it will force a password challenge. Generally if you are in a situation where the attacker can get interactive access to the computer to even attempt to get through something like the PIN, you're already owned. So for day to day login to the station, you would use a fingerprint reader for example. Then when logged in you would have your password manager available. The time when you want to use the password would be for any kind of remote access, which is generally when an attacker will want to know your password too. In this case you're likely in a session locally with access to your password manager. There will be times when you will not have access to the autofill options from your password manager, like first login to OOBE on new hardware or if you have failed the WHB challenge on login. In this case generally password managers will have phone apps where you can view your password and type it in manually. Generally you probably don't want a 60 character password for just the pain it would be to type it in, but you can certainly have a secure password that doesn't need to be easy to remember.
@crazysteve8088 2 years ago
Multi factor authentication
@nosheep2655 2 years ago
A password I used for quite a while is on your thumbnail lol
@sebastienbrottes1931 2 years ago
It could be interesting to also talk about other locations where you can find clear passwords (it happens so often): configuration files, scripts, GPOs, logs, ...
@walksanator 2 years ago
anywhere text is stored passwords may be found
@mollthecoder 2 years ago
browsers
@MrBfg586 2 years ago
LastPass was breached so no I won't be using a password manager
@d3c0deFPV 2 years ago
I think an offline password manager like KeePass is reasonably safe, and I buy into the argument that a password manager lets you use more complex passwords that you'd never be able to remember yourself. However, I'd avoid anything with an "online" component, or even browser extensions which have been exploited to leak passwords. LastPass, 1Password, Passbolt etc though; no thanks to any of these solutions. Offline storage only, even if it's a little inconvenient.
@Freeak6 2 years ago
Quick question: How does it work with password managers when you need to log in to another computer (like checking your emails on a friend's computer, or when you're travelling and don't have your laptop with you, etc...)? Is there an easy way to log in? Or do you have to type in the 35 characters of your password? Thanks :)
@oppenheimerplusplus5887 2 years ago
I remember this guy was earlier advertising for LastPass; after the data breach at LastPass, he started advertising for someone else 😂😂
@QuickFixHicks914 2 years ago
John, besides the fact I like your content, I'm watching this because half of the passwords in your thumbnail I've seen used at work... smh
@AnonymousPhucker 2 years ago
NEVER STORE YOUR PASSWORD ONLINE
@jruok 2 years ago
I'd love to work for him but I'd also be hella intimidated by him. Like, x1000.
@48pluto 2 years ago
In the company I worked at, every new user got the same password. After logging in they were required to change it. I don't see a problem with that, to be honest. Placing an initial password in the user description serves no use at all.
@UToobSteak 2 years ago
I used to work for a very large retailer that used the same password schema for all employees and NEVER prompted anyone to change it. There were people who had worked there for 40 years (managers included) that were still using that initial password. Don't ask me how I know 😉 They finally changed it just 2 years ago, adding some 0's to the passwords, but they're still predictable.
@crazysteve8088 2 years ago
That's exactly how it should be done. New users get the standard password, then are forced to change it when first logging on.
@sandra8139 2 years ago
2 more posted up for you
@hossamadel5231 2 years ago
I want to learn web application penetration testing, can you give me a roadmap?
@nixielee 2 years ago
Passwords in the description field? W000t
@UnChiller 1 year ago
powers hell
@ghostmedic2009 1 year ago
passwords or passphrase? thoughts?
@minecraftsteve8784 2 years ago
Nice Video... Again XD
@anshumishra9368 2 years ago
John what about RF
@Reqwuer 2 years ago
I got my passwords in another language 😼
@y.vinitsky6452 2 years ago
Until someone writes/leaks a list for your language. If it's a commonly used language, or its speakers are commonly into various cyber security careers, that works less.
@croken9256 2 years ago
Can you help me sir
@crazysteve8088 2 years ago
If you're putting passwords in the description, you're just a complete idiot and shouldn't be an admin. Period. Any default password given must be set to change at first login. If any user is caught with a password on their screen or in an unsecure space, that's a verbal warning and an instant password change. Passwords need to be changed frequently, every 60-90 days. Your password policy needs to be strong in GPO. All users (including admins) must not have admin rights. The admins should be assigned admin accounts for each admin that are only used for admin tasks. Admins must never log on to their computers with an admin account (policies will fix that). Admins should never directly log into domain controllers or other servers. Jump hosts are required. No users should have local admin rights to their computers. Devs can be a pain with this aspect and exceptions are made for them only on a case by case basis. Service accounts need to have extremely complex passwords and be locked down to the servers they are running on so they cannot be used anywhere else. Auditing these accounts is a must as they usually have very powerful rights. No scripts should have any passwords in them. If you do script like that, you need to stop and do it correctly. This is just super basic stuff.
@JaffaHeckle 2 years ago
Why would you ever give a service account DA rights?
@crazysteve8088 1 year ago
@JaffaHeckle You wouldn't. That's retarded. However, they do require specific permissions that can really cause havoc. Like a backup service account.
@vaklam666 2 years ago
123456seven
@utensilapparatus8692 2 years ago
John on gr8 number. 🥚
@xnexgax2477 2 years ago
pizza123 :)