Joe Sarkisian
Podcast Appearances
So we'll look for default passwords places. We'll look for null sessions on host. Can I access this host without a username or a password? Can I just get in there maybe on a domain controller? We still find this. You're able to quote unquote authenticate to a domain controller as nobody and start enumerating the domain.
Now, if you can do that, you can get a list of users from a domain controller, right? And then take that list of users and start password spraying against that domain controller with that list of users, common passwords, right? And then maybe you get a hit on password 2023 exclamation point, right? Or a company name 2023 exclamation point, right? Crazier things have happened.
Yeah, I mean, to this day, I've been doing this, I don't know, about five years now. To this day, whenever I see that first hash flashing yellow across my screen when I'm on a pen test, I still get a shot of adrenaline, right? It's just like, here we go.
So now we have domain access as that user. So typically what we'll do, we'll look for some basic, you know, privilege escalation opportunities. And at the same time, we're looking for data, right? So let's say we're kind of poking for both of those things, right? We want to prove that risk that this basic user maybe has access to some data that they don't need access to.
And if a bad guy gets access to this account as that person, they also get access to that data. And that's something you need to work on. So as we're rooting through file shares, what does this person have access to? We find this host. And it's like a Windows 10 host. And we have access to a couple of shares on this host. And we're rooting through.
Typically, we're looking for things that are called like password.txt or like SSH, this, that, or the other thing, or SSN, right? We're looking for data that's going to prove a problem for the company. So I'm looking through. And I find this folder called, I believe it's called like MPEGs. So I'm like, that's interesting. I don't typically find something like that.
You know, just like a folder called MPEGs. That's different. I'm just curious what's in here. So I look in. Sure enough, there's a bunch of MPEG files. I'm like, okay, that's interesting. There's like maybe four or five of them. So I download one of the MPEG files. I get it locally, and I'm like, let's watch this file. I open it, and I see a camera feed.
And the camera is just on a desk facing at someone's kind of where they would sit, right, in front of the computer. And I'm like, that's weird. You know, why would anybody put a camera on their desk, right? That's just strange. What are they recording? It doesn't make any sense. So all right, well, maybe there's something else to this.
So I download the second one because they're going in order, one, two, three, four. Download the second one. It is the same camera. It is the same desk. And this time the camera is underneath it. And it was a lady's desk I found out later. The way the camera was angled was, yes, at their, you know, the front bottom half of their body. Let's put it that way.
So I see this, and now I'm like, oh, God. Like, everybody, every pen tester has that, like... feeling that sooner or later, they're going to get this moment that is something like this. You find the proof that somebody's stealing from the company, or you find pictures you shouldn't, or whatever it may be. And this was the first time that I had found something like that.