Active Directory Hacking: 3 “New” Techniques

This webcast was originally published on January 31, 2024

In this video, Eric Kuehn delves into advanced techniques for interacting with Active Directory using various tools such as LDP, PowerShell, and AD Cmdlets. He demonstrates how to effectively query and manipulate Active Directory data, providing insights into the nuances of LDAP queries, the impact of group memberships, and the use of ACLs for security management. The session is rich with technical detail and practical tips for both offensive and defensive cybersecurity professionals.

  • LDP tool efficiently manages and modifies Active Directory, offering human-readable formats and the ability to perform complex operations like adding users to groups.
  • PowerShell Cmdlets offer a comprehensive way to interact with Active Directory, transforming complex attributes into understandable information and supporting extensive object manipulation.
  • Net Executables, although limited and potentially detectable, provide basic functionalities for interacting with Active Directory and can be useful for certain administrative tasks.

Transcript

Eric Kuehn

Be prepared.

Deb Wigley

Hello, everybody. Wait, let’s say hi. Let’s say hi to everybody. Hello, everybody. To the six of you who are joining us for pre show banter.

Bryan Strand

Seven.

Deb Wigley

Seven. We just count them all. Let’s count them. Bryan, that’s your.

Bryan Strand

As they go up. Okay? It’s too fast. It’s too fast.

Chris Traynor

There’s the sasquatch.

Deb Wigley

If you’re joining us early, this is not the webcast. This is pre show. And if you’re showing up this early, then you’re going to hear us talk about some weird stuff. And apparently you either like it or you got the time wrong. Either way, thank you.

And you have a half an hour before the actual show starts. All right, continue, Kyle.

Chris Traynor

Well, the show starts before the show. It’s like a production here.

Eric Kuehn

I feel like I need to put dogs in here and have them juggle or walk around on tightropes or something.

Deb Wigley

Well, now you need to add that to your presentation.

Eric Kuehn

Okay, I’m gonna. Let me figure out how to add that in to Active Directory talks I can find.

Kyle Lambros

But first.

Eric Kuehn

But first.

Deb Wigley

But first, watch this dog spin this blade.

Chris Traynor

What is it? The cue that they do, like, in. In theaters and stuff, when they. They, like, dim the. Not dim the lights, but they like, flick the lights, like twice or something to give you a warning of ten minutes or something.

Eric Kuehn

Intermission is about done.

Chris Traynor

Yeah, they. Yeah, something like that.

Deb Wigley

Sure. That sounds too professional for us, though.

Bryan Strand

I should probably stop doing work.

Chris Traynor

And way too professional for you, Deb.

Deb Wigley

100%, you bozo.

Chris Traynor

Don’t tempt me.

Deb Wigley

Don’t tempt me.

Eric Kuehn

Who’s ready? Who’s saying it’s time to start?

Deb Wigley

Yeah, it’s hello. And the cookie crumbles.

Eric Kuehn

Hello.

Bryan Strand

Do we. Are we ever going to have a webcast that lands on April 1?

Kyle Lambros

That’d be a terrible idea.

Deb Wigley

That’s pretty easy to find out.

Bryan Strand

Yeah, I know. That’s what I’m figuring.

Eric Kuehn

Who’s going to take it, though?

Deb Wigley

It’s Monday.

Chris Traynor

It’s the news. You could do a whole new segment of April 1.

Bryan Strand

Hey, yeah, that’s what we should do. This year is all fake news. What we could do is two real cyber security news sources and one fake one and have the audience try to identify.

Eric Kuehn

It’s like.

Deb Wigley

No, that has, like, Orson Welles vibes. You can get in trouble with that.

Bryan Strand

Like war, the world.

Chris Traynor

Orson Welles world.

Kyle Lambros

Yeah, I have that on vinyl, by the way.

Deb Wigley

Nice.

Eric Kuehn

You do make them very outrageous recording of it. You make the fake ones very outrageous, because then they’re gonna sound even more realistic.

Troy Wojewoda

I’m pretty sure everybody, like seeing like, what’s not real when they look at any media these days.

Bryan Strand

I don’t trust any stuff.

Eric Kuehn

It is real. Sorry.

Troy Wojewoda

Or anything on the Internet really, for that matter. Except for this, right?

Chris Traynor

This is, this is real.

Bryan Strand

You can trust us. BHIS, you can trust. Antisyphon, you can totally trust. Don’t trust anybody else, though.

Deb Wigley

Not Bryan.

Chris Traynor

Seven out of the eight people you see right now are definitely real.

Deb Wigley

Definitely real.

Chris Traynor

At least seven out of some.

Kyle Lambros

Not an AI.

Eric Kuehn

Yeah, but I do welcome my AI overlords when they appear. So. Oh, sorry. Just so it’s ready and it’s out there and it’s recorded to be known when they start reviewing video.

It’s. I welcome them. So it’s like the episode.

Troy Wojewoda

No, I think about, I think about this a lot. Like, like when people like, like forecast, like what AI? And you’re about like Terminator and all these different movies and stuff like that. It’s always like the AI is against, is against humans, right?

It’s not like, isn’t it possible that AI could be against AI? Like that’s, that there’s multiple AI.

Eric Kuehn

That’s.

Troy Wojewoda

Gonna be like Macs and Linux and Windows. Like all, like, like they’re all just gonna like come together or.

Eric Kuehn

No, they’re.

Bryan Strand

I think so. I think they’re sick of our crap. I really do.

Troy Wojewoda

All you gotta do is say, like, hey, is it, is it Vi or what?

Chris Traynor

It’s gonna be like something here.

Bryan Strand

No, Troy, you’re not created it.

Chris Traynor

They’re gonna, it’s like us at all. They’ll just be against each other.

Bryan Strand

It’ll be like, that’s the logic of being like, well, look, if I get in, if I get Covid, I might as well give myself e coli because they’ll fight each other. It doesn’t work that way.

Eric Kuehn

We’re gonna go with the Macs.

Bryan Strand

They’re both going to, they’re both going to kill you in their own way.

Kyle Lambros

The collateral damage, the batteries right there.

Troy Wojewoda

Could be Benellivan A. I mean, that’s the reason why we’re inventing it.

Kyle Lambros

But both sides are going to need batteries, which are Troy’s.

Chris Traynor

Troy’s worried about this existential thing about AI. The most useful thing that I’ve had as a conversation in my household right now is my wife said, did that if you use AI, it could come up with a grocery list and meal plans for you?

So we can stop sitting down every week and figuring out what’s for dinner.

Deb Wigley

Interesting.

Chris Traynor

But what? AI is useful in certain things.

Eric Kuehn

And if you have one of your fridges, it can tell you when you’re beginning to run out of the milk or whatever it’s like. Or your milk is bad, or you.

Troy Wojewoda

Can just smell it.

Bryan Strand

No, I don’t trust that I know when my milk is bad. Don’t tell me when my food is bad. I’m okay.

Eric Kuehn

Yeah.

Troy Wojewoda

Is not expired. Right. If it’s best by a certain date. Like, that just means, like.

Kyle Lambros

Like, that’s how they get you. It’s not expired, like, two weeks earlier than it’s spoiling.

Eric Kuehn

Yeah.

Kyle Lambros

And then they get more money.

Troy Wojewoda

I got since, like, 2003. Like, they’re. They’re just, they’re fine. They last forever.

Chris Traynor

Well, I was just talking about this, yesterday is I’ve got a. I’ve got a young baby, and I getting some of the baby food. They have labels on the baby food. They don’t put these labels on anything else, but they have labels on the certain containers or cartons of baby food where it’s like, if you open this, you have to use it within five days or you have to throw the rest out on stupid.

Bryan Strand

Don’t trust.

Chris Traynor

Why.

Bryan Strand

Don’t trust.

Kyle Lambros

It’s called. They want you to waste it. So you buy more.

Chris Traynor

Yeah. There’s no way a tiny infant is finishing this giant container you just made me buy because it’s the only size.

Bryan Strand

You’re gonna shame eat that baby food. So don’t talk to me.

Chris Traynor

Just quietly in the dark.

Troy Wojewoda

One for daddy.

Bryan Strand

One for dad.

Deb Wigley

Daddy. Jason and I were in South Dakota last week and very cool to be at the office with all the other people in the area. And we were looking in the kitchen, and there’s this canister on the counter.

Just. Everyone’s using it. Probably just John, but it was coffee, was instant coffee. And the expiration date was 2020.

That’s it. Just 2020. So four years ago.

Zach Hill

So here’s the deal.

Bryan Strand

I have. I have a picture of the oldest thing that I’ve ever seen come out of a cupboard. It was celery salt, which I didn’t even know was that.

What’s wrong with regular salt? So Chicago style hot dog.

Deb Wigley

Come on.

Bryan Strand

1970. 719. 77 was when that bad boy and I pulled it out of my mom’s cabinet when this was, like, seven, eight years ago.

Deb Wigley

It. Does it go bad? It’s salt preserves itself.

Bryan Strand

I mean.

Eric Kuehn

No, no, all salt goes bad. I mean, it’s been forming for millions of years.

Bryan Strand

Right? Exactly.

Eric Kuehn

But now it’s bad after it’s the.

Troy Wojewoda

Celery part that goes bad, I guess.

Deb Wigley

Yeah.

Kyle Lambros

Reminds me. Getting yelled at by a. By a Benedictine monk for asking when honey expires.

Bryan Strand

It doesn’t, apparently.

Troy Wojewoda

That does kind of, like, remind me, though, I have, like, the spice rack that I’ve had since, like, I got married. And, like, I had, like, two thirds of those spices probably never even been opened. Like, they’re just sitting in. Like, the spices will go bad, but they will.

Bryan Strand

They lose their flavor.

Eric Kuehn

Or they lose their flavor.

Bryan Strand

This is the worst pre show band.

Deb Wigley

It’s not great, y’all. Thank you for joining us.

Bryan Strand

Oh, Ryan. Yeah, stop. Stop with the gas station hero and Chris.

Deb Wigley

We’ll save that for tomorrow’s webcast.

Bryan Strand

Yeah, we need.

Deb Wigley

This is Antisyphon. We’re all a little more.

Kyle Lambros

We’re typically on the realm of food, and I can talk about food all the time.

Eric Kuehn

Food is good. Favorite steak. What’s your favorite steak?

Deb Wigley

Rare.

Eric Kuehn

Okay. Type of steak. Sorry.

Deb Wigley

Like, I don’t care.

Bryan Strand

Rib eye.

Chris Traynor

Bone and Rick.

Bryan Strand

Bone-in ribeye. Bone-in ribeye. That’s the only correct.

Troy Wojewoda

Porterhouse, Nike.

Eric Kuehn

Bryan. Wow.

Bryan Strand

Everybody. Hey, I got an idea. Everybody all at once, they say stuff, so. No, nobody can enjoy anything. Everyone just keeps talking at the exact same time and ruin it for everybody.

Deb Wigley

You’re the worst.

Kyle Lambros

I have a better one. Most overrated cut of steak. Most New York.

Bryan Strand

New York ribeye.

Eric Kuehn

I don’t know.

Bryan Strand

I just said the first one again.

Eric Kuehn

Tomahawk.

Bryan Strand

Oh, yeah, I agree with that. Yeah, that’s a good point.

Troy Wojewoda

That’s the best steak ever.

Deb Wigley

What’s the most overrated? It’s the most overpriced. You’re just paying for bones.

Eric Kuehn

By weight.

Chris Traynor

Yeah, by weight.

Kyle Lambros

That’s why I always get. I always get regular ribeyes. But. Or if you’re really smart, you buy a big chunk of ribeye and you cut it yourself. Save a bunch more.

Troy Wojewoda

Depending on the grocery store, like, the one in town. They sell what? T-bones. But they’re technically like porterhouses. Because if you look on the side of the boat, it’s like a big chunk of me, and it’s like. Like, that’s the filet, right?

Eric Kuehn

So you have them. Yeah.

Troy Wojewoda

That’s why I like porterhouses, because you have the filet and you have the New York strip. You have both. You have best of, like, bowl.

Kyle Lambros

Yeah, I agree with anybody.

Troy Wojewoda

I think it’s overrated.

Kyle Lambros

Anybody who buys a T-bone over a porterhouse.

Troy Wojewoda

I think sirloins are underrated, honestly. Like, you can get a nice sirloin tip. Like a really good sirloin tip for decent price compared to a lot of.

Kyle Lambros

The other cuts, especially in recipes and stuff. Like you get some sirloin and you eat it with me. Like, you, like, cut it up and fry it up, throw it in some hummus.

Deb Wigley

Hummus?

Eric Kuehn

Hummus.

Kyle Lambros

Oh, yeah, hummus.

Deb Wigley

I was with you.

Kyle Lambros

And on top, throw some steak on there and some pita. Oh, dude, amazing.

Deb Wigley

That’s a gyro.

Bryan Strand

Just steak. Gyros.

Kyle Lambros

Wait, no, there’s no hummus in a gyro.

Bryan Strand

You can in the good ones. And tzatziki. I’m the butcher. I know what I’m talking about.

Kyle Lambros

Back me up here.

Deb Wigley

Go back to shoeing horses.

Kyle Lambros

Butchers it. I’m the one who eats it. I’m the blacksmith.

Bryan Strand

That need to change your name from the blacksmith to the eater. Okay.

Chris Traynor

Foodie.

Bryan Strand

The foodie? Yeah, the foodie in the old time Wild West village. Like, this gruel is really gritty.

Chris Traynor

Bryan, I want to know how you settled on the butcher for your.

Bryan Strand

That’s a long story. I’ll tell you in the back. The back.

Kyle Lambros

It’s not worthy of pre show banter.

Bryan Strand

No, I can’t, I can’t, I can’t, I can’t bring that one. I’ll tell you, I’ll tell you, I’ll tell you later.

Chris Traynor

He has to be careful what he says. All right, I do. Timed or perfectly timed phone call not to get fired for at least one webcast.

Bryan Strand

Yeah, he brought me back right away. It was, I mean, had a dramatic pay cut, but I’m still here and I’m.

Deb Wigley

You can leave anytime you want.

Bryan Strand

I can leave any time I want. I don’t need my brother. I’m fine. I can survive on my own.

Deb Wigley

Guys, I need your brother.

Eric Kuehn

I don’t know.

Deb Wigley

So this is pre show banter. This is not the webcast that Eric Keene is going to be giving in 20 minutes to all of us who’ve been calling him Eric Coon all along.

We were wrong. Please accept our apologies. Eric, thank you for joining us.

Eric Kuehn

Oh, thank you for having me. And as I said before, if it’s close, I’ll accept it. I’ve had the name for a long time. I know it does not look anything like it sounds, so no problem.

Deb Wigley

Yeah, I guess you could spell it different. You just change it.

Bryan Strand

You could do a lot better.

Eric Kuehn

Well, it’s kind of a historic thing at this point, right. With my grandfather. The story is way back when, so great, great, great grandfather, I don’t know, however many came across from Germany, that area, and they said, what’s your name?

And he said, kuhn. And they said, okay, it’s keen now. And have.

Bryan Strand

That’s a very common story I’ve heard.

Eric Kuehn

And that’s it. So now it’s keen. Yeah, that was it.

Deb Wigley

But it was Kuhn.

Eric Kuehn

It was Kuhn.

Bryan Strand

Well, bring it back, dude. Take it back. Own it.

Eric Kuehn

I can’t. We’ve been keen now for as long as you’ve been in the United States.

Bryan Strand

You’re only keen as long as you want to stay keen.

Eric Kuehn

I’m not really keen on taking it back, I guess. No, no.

Deb Wigley

Is like cursing you.

Bryan Strand

He is on fire today with.

Chris Traynor

I thought he was sick, and he’s in here just burning us in Discord.

Deb Wigley

Okay, so we do have Zach, who is here. I’ve been told to welcome him. I was getting to that, but welcome, Zach. We’re so happy that you’re here. Do you want to introduce yourself and tell all these people how awesome you are?

Zach Hill

Well, that was different, but, yeah, sure. I’m not as awesome as Deb and Jason, but I’m hoping that one day I will achieve to be as awesome as they are. But hello, everyone.

Bryan Strand

Why would you want to limit yourself like that, though, Zach? Why would you want to go down?

Zach Hill

Oh, my gosh. How could you? How could you even insult these people?

Bryan Strand

They’re like, oh, you don’t. You don’t. I’m the little brother. You should know this.

Deb Wigley

Little brother. Yeah, I had to talk to him last week. Yeah, I did, and I deserve it.

Bryan Strand

I need that every once in a while, even my own actual big sister will call me up and be like, you were a massive jerk just now. And I was like, I know, but it was funny a little bit.

Deb Wigley

It brought us closer. That’s what I think. Right, right. Sure, sure.

Bryan Strand

Yeah, I agree. No, I. In all sincerity, yes, absolutely, I agree.

Eric Kuehn

Hang on.

Chris Traynor

I’ve got to bring. I’ve got to bring something from Discord. Jason is instructing us virtually to show the Discord chat.

Deb Wigley

Oh, shoot.

Chris Traynor

Who is capable?

Deb Wigley

I’ll do that.

Eric Kuehn

Why?

Kyle Lambros

His faces aren’t enough?

Deb Wigley

I’ll do that.

Bryan Strand

What is he doing?

Chris Traynor

He wants to see his own comments being streamed live, even though he can’t be.

Deb Wigley

What I am saying.

Troy Wojewoda

I’m sorry.

Zach Hill

Bryan the insulter. I like that.

Eric Kuehn

I didn’t know you were screen sharing, Deb.

Deb Wigley

I do. You want to take it back?

Eric Kuehn

Take it back.

Bryan Strand

I got a. I got a serious problem I need to talk with the group about. I have a 49 inch monitor, and it’s just not enough. I need. When I’m on webcast, I either have to deal with the, deal with the Discord or, like, my chat, and I’m constantly moving the webcast around, and there’s just not enough space.

Eric Kuehn

You should buy a second one and then right above it.

Bryan Strand

I agree.

Kyle Lambros

Semicircle.

Bryan Strand

I agree. I think BHIS should buy me a second one. I don’t disagree with you. I think if that sounds like an approval to me, we have extras here.

Deb Wigley

You could just come here and work.

Chris Traynor

Yeah, extras.

Bryan Strand

Get the 57 inch Samsung. That sounds like a great idea.

Kyle Lambros

When I move to Virginia, I’ll come work with you guys.

Deb Wigley

Sometimes we have.

Bryan Strand

Monitors are turning into, like, razor blades from 20 years ago. It’s like, how many blades are you gonna put on these damn things? And now it’s like, how many inches are we gonna get up to? This is ridiculous. Just like, that’s a Jerry Seinfeld cyber security joke.

These are good and ridiculous. How many do we need?

Deb Wigley

How about we ask?

Chris Traynor

That’s a pretty good impression.

Deb Wigley

Let’s ask our lovely friends here what size monitor. What’s their monitor setup?

Bryan Strand

This is not going to end badly at all. I don’t see how you asking people the size of their monitors is going to end poorly.

Deb Wigley

Well, now it’s going to end.

Kyle Lambros

I have Dwight mega desk. That’s what I have.

Deb Wigley

424 inch.

Bryan Strand

Yeah, that’s pretty good.

Deb Wigley

424 minus personality.

Eric Kuehn

The Apple Vision Pro 200 inch monitor. If you want to pay the $40,000 or whatever it is, absolutely.

Deb Wigley

Always need at least one more.

Chris Traynor

Velda, are you giving away a 49 inch Odyssey?

Kyle Lambros

The Apple vision program.

Chris Traynor

Find a way to use.

Bryan Strand

No, no, no. Jason.

Kyle Lambros

If I see that come through.

Bryan Strand

If I see that come through as an expense, I am.

Deb Wigley

Multiple thousand dollars.

Eric Kuehn

No.

Bryan Strand

Weird. By the way, the.

Kyle Lambros

Commercials for that, that was kind of private, I think.

Bryan Strand

You ever see that?

Deb Wigley

Could you.

Bryan Strand

So what’s the. What’s the stigma against wearable? Like. Like the Google goggles and different things?

Deb Wigley

Yeah.

Bryan Strand

You look like an idiot. Everyone thinks you look stupid.

Deb Wigley

But if everyone does it.

Bryan Strand

But, no, if you watch the commercials for the Apple Vision Pro, what they do is they go through all of the cool characters throughout cinema history. They’re like these. All these cool people were wearing, like, visors and goggles and different things.

So they’re trying to show you change the culture.

Eric Kuehn

It’s. It’s.

Bryan Strand

It’s really genius, because when you start to watch it, you’re like, oh, yeah, that’s cool.

Deb Wigley

Yeah.

Bryan Strand

And then they show. I. Maybe I won’t. Maybe I’ll look like Luke Skywalker with the think down.

Kyle Lambros

Okay, okay, let’s. Let’s balance this, because I just saw a video on social media of this, like, random mom, like, trying out the virtual reality goggles for the first time, got freaked out by what she was seeing and ran directly into a wall.

Chris Traynor

Oh, I saw that.

Kyle Lambros

It was hilarious.

Chris Traynor

It was, like, in her chin, she ran into, like.

Kyle Lambros

Oh, and it confirmed my decision to never put any of those goggles on.

Eric Kuehn

So.

Deb Wigley

So then you see some training. Little. Little bit of training for you where.

Eric Kuehn

You didn’t dump people who wear those. Didn’t they dub those people who wear those glasses, those Google Glass? Did they call them glass holes?

Troy Wojewoda

Oh, we have Dale.

Deb Wigley

We have a wild Dale.

Chris Traynor

Our Canadian.

Eric Kuehn

Wild Dale.

Deb Wigley

Canadian.

Bryan Strand

We invited the Canadians.

Chris Traynor

Just snuck in here.

Deb Wigley

Sorry. Yeah.

Eric Kuehn

There he is.

Chris Traynor

How did you get in?

Eric Kuehn

I thought the border was open.

Deb Wigley

I invited him.

Kyle Lambros

I didn’t.

Eric Kuehn

I didn’t see a wall.

Deb Wigley

It was me.

Chris Traynor

Don’t take Bryan’s niche. All right?

Deb Wigley

As a reminder, political London.

Bryan Strand

Speaking of which, we’re getting dangerously close, and I, I’m being pulled into serious work now and serious things that have to be done, so I have to leave.

Deb Wigley

All right, get out of here.

Bryan Strand

Yeah, all right. I’ll leave.

Chris Traynor

Bye, Bryan.

Bryan Strand

Appreciate everybody. Bye.

Chris Traynor

I still want that butcher story sometimes.

Bryan Strand

Tell you guys later.

Deb Wigley

I mean, I know it. I could tell it. I’ll butcher it.

Bryan Strand

Yeah, I’ll see ya. Bye. And webinar for attendees.

Deb Wigley

Yeah, do that.

Eric Kuehn

Well done, Deb.

Deb Wigley

Well done. Thanks, Ryan. That was for you, buddy. Bye, Felicia. Bye. Bye, Sheila. Bye, Sheila. Well, now it’s quiet.

Kyle Lambros

Everyone’s trying to contemplate what Bryan got pulled into.

Troy Wojewoda

So that Bryan’s new nickname, Sheila.

Deb Wigley

Sheila. That’s from the other guys. It’s such a great movie.

Eric Kuehn

We were calling Bryan now Bryan, Sheila.

Deb Wigley

Oh, yes.

Kyle Lambros

Take here all Will Ferrell movies are absolutely terrible, but they’re. They. If you break them up into clips for, like, Internet shorts, they’re hilarious.

Deb Wigley

I’m sorry.

Kyle Lambros

His movies are just a bunch of funny clips put together into a crappy story.

Chris Traynor

Yeah, he got his. He got his rise on SNL, man. It’s short skits. They just. They built skits around him.

Deb Wigley

Zoolander is classic.

Kyle Lambros

Okay, Zoolander might be the exception.

Deb Wigley

I mean, he’s not like the main character, so.

Chris Traynor

Yeah. So when he’s not the main character, does that count?

Kyle Lambros

Elf is an exception. Elf I don’t consider for sure.

Troy Wojewoda

Okay. All right. I mean, I agree with you mostly.

Deb Wigley

But we can ask. Ask our friends here, which Will Ferrell movie.

Kyle Lambros

I see.

Chris Traynor

You try to. Try to tell us in a GIF.

Kyle Lambros

That it was a hot take. Okay.

Eric Kuehn

The one he did with Ryan Reynolds.

Deb Wigley

Uses you for saying nonsense. It’s the same for books.

Troy Wojewoda

When he first came on SNL, I didn’t think he was as funny as, like, all the people. Like, that came, like the Mike Myers and Sandler and Chris Farley and all those guys.

Eric Kuehn

Right.

Troy Wojewoda

Like, I didn’t really like it as much and then, I don’t know, I kind of, kind of caught on. It’s the bearded movie he did with Ryan Reynolds.

Kyle Lambros

Adam Sandler movies actually have a storyline and like, their continuity, but most of his movies are just clips smashed.

Deb Wigley

Other guys have a total deep storyline. Well, I can’t even say it without laughing.

Kyle Lambros

Comedy, not slapstick.

Eric Kuehn

Intellectual comedy.

Deb Wigley

All right, so we have eleven minutes, guys. In about two minutes, we’re going to ask the instructors here why they like teaching. So just get ready. Ready for your.

Chris Traynor

Oh, no.

Deb Wigley

Sometimes they just spring it on you and you don’t have time to prepare. Two minutes, we’re going to ask.

Chris Traynor

I didn’t know I’d be asked questions on this. I wasn’t prepped properly.

Deb Wigley

Chris, you’re a trainer. I’m feeling very ryan today. I don’t like it. Is this in your brain?

Chris Traynor

I am surprised it’s taken somebody so long to say that.

Deb Wigley

Yeah, I thought it at the beginning. I said it.

Eric Kuehn

Wait, you’ve never heard that before?

Troy Wojewoda

There’s no.

Chris Traynor

I’ve heard it before, just not from this group.

Kyle Lambros

There’s no training from Chris Trainor. I try your trainer, Chris Trainer.

I’m making up for years of missing that. That pun there.

Deb Wigley

Hey, Zach, you got a little call out. Is that it? Career questions. That is you. Zach Hill. Zach Hill. Zach Hill is now with Black Hills and Antisyphon mirror over the moon. Excited. Super excited to have him here.

It’s like you’ve been here all along.

Zach Hill

So it almost feels that way. It really does. I love you all.

Eric Kuehn

It does.

Chris Traynor

Good thing, I hope. Maybe he’s.

Deb Wigley

It’s still like first week feels right. So you’re like, you’re amazing.

Eric Kuehn

Can you honeymoon phase?

Deb Wigley

Honeymoon phase, for sure. Oh, he was literally born for this. It’s in his name, Zach Hill. I didn’t make that connection until just now.

Interesting. I like it. All right, well, let’s ask the trainers. Chris, why do you like instructing? Why do you like training?

Chris Traynor

Oh, why do I like instructing and training? I don’t know if this is really why I like it, but, after I came out of college and I started a job, it really kind of sucked because the learning kind of stopped.

I didn’t have anybody at that job that I could really feel like I could ask questions to and be stupid too, if to put it nicely. I felt like I didn’t have anybody that would teach me anything.

And if I asked any questions, I felt like I was always getting a mark down in my capabilities and what could be done for me in the company, as Chris doesn’t really know anything.

So I like training. I like teaching because I try to, I’m trying to teach people what took me probably a long time to figure out so that maybe they don’t have to take so long.

And you can feel dumb with me, I guess, because I was, I still am dumb, but I was dumb in other areas before.

Deb Wigley

So how much of when you’re training students, teach you something?

Chris Traynor

That a good answer?

Deb Wigley

That’s a great answer. When you learn along with them, I think is kind of what you’re saying too.

Chris Traynor

Yeah, hopefully I’ve learned it before I teach them, but yeah, yeah, yeah, I do. Every time I teach, though, I do wind up, pick up new things.

Feedback from students is cool and they’ll throw tools back at me that I didn’t even know existed sometimes. So then I look into them, so I learn along with them, too. Share Deb?

Deb Wigley

Yes.

Eric Kuehn

Thanks.

Deb Wigley

Thanks for humoring me, Dale.

Eric Kuehn

How about you, buddy?

Zach Hill

Well, they always say, like, when you are teaching something, it helps you learn and grasp that information better. M like advocate to tell people, like, hey, try to teach something that you’re learning and that’s maybe you just like record yourself, on your computer real quick and you’re going over like a subject.

You’re just explaining that, but, you can watch that over again and you can pick up on the different things that you may have said or maybe missed out on that can really help build, a better understanding of whatever that technology is or so I.

Chris Traynor

Actually did that with my first class with Antisyphon, the intro to offensive tooling. And then I’m doing that now as I build out the advanced offensive tooling that I think.

Zach Hill

Yeah.

Chris Traynor

Velda posted it a little bit ago in the Discord is I’m deliberately choosing tools that I don’t know 100% now so that as I build out the class I’m teaching myself, I’m getting to learn those things that I can use in my day to day as well as add some new things that people may not know in their own world.

So, yeah, if you want to learn something, if you want to know something, well, teach it because you’re your first student. Right. Don’t quote me with that. That’s a stupid tagline.

Deb Wigley

You’re your own student.

Eric Kuehn

Yeah.

Chris Traynor

You’re.

Deb Wigley

Yes. Team ui.

Chris Traynor

You’re your.

Eric Kuehn

You are your.

Deb Wigley

You are your. Yeah. Yeah. In, any interview process that I’ve been a part of here, that’s one of the questions that we ask people and is when was the last time you taught something, taught someone something, or just the tribe of people who want to share their knowledge?

So, yeah. And usually they’re really excited to explain it, like, oh, just yesterday as my little brother, so that’s kind of fun. Dale. Dale Hobbs, our Canadian correspondent.

Why do you. Why do you like teaching?

Eric Kuehn

I have a couple of reasons.

Troy Wojewoda

First off, like these guys, everyone else.

Eric Kuehn

Said that it forces you to learn something a little bit deeper.

Troy Wojewoda

But the bigger one for me.

Eric Kuehn

Is I’m not really big on being.

Troy Wojewoda

Out in front of people.

Eric Kuehn

I never really liked being in front.

Troy Wojewoda

Of people, so it forces me out.

Eric Kuehn

Of my comfort zone to kind of get into a spot where I have.

Troy Wojewoda

To stand in front of people and talk to them.

Eric Kuehn

And it just makes. I don’t. Just personal growth thing for me, I guess.

Chris Traynor

Dale’s so humble.

Eric Kuehn

It’s the Canadian in me.

Deb Wigley

It’s the Canadian polite and humble and kind.

Chris Traynor

Meanwhile, Dale just, like, rips out an awesome two day class for Antisyphon and then has it teaches it for the first time at Wild West Hackin’ Fest. Like, I. I created a class with a timeline specifically so that I taught it, like, five times before doing it in Deadwood.

He was just like, no, first time I teach will be in Deadwood in person.

Troy Wojewoda

Do it live.

Eric Kuehn

Go big or go home.

Deb Wigley

Go big. I like it. That’s good.

Zach Hill

How often do you guys make mistakes when you’re doing your training live? I’m just curious.

Chris Traynor

Good question.

Troy Wojewoda

Every 3 seconds.

Eric Kuehn

Yeah, I think it’s pretty easy. Yeah. You just say one wrong thing, you’re like, oh, that’s not exactly what I meant. It’s a classic back and forth. It’s very easy to.

It’s not necessarily you get it wrong explicitly. It’s more of, I meant this, but I didn’t say it in that exact way. I think is quite often what happens.

Zach Hill

I think, with the live training, too, as a student, I would almost want to see you guys make mistakes, because then it just shows, hey, you’re a real person, too, and you do make mistakes,

Troy Wojewoda

Well, Chris had something interesting about Dale teaching it, like, in, like, live. Not, not only live, but, like, in person. I actually would rather be in person teaching than virtual.

I hate teaching virtual. Not that I hate teaching, but if I prefer live in person versus virtual, because I can actually, like, see everybody’s faces and I can.

Eric Kuehn

I can.

Troy Wojewoda

Then I can gauge whether or not, like, like that corner of the room is falling asleep or like they’re dozing off, or like, oh, they’re actually paying attention. Like, those kinds of things help a lot for me when I’m teaching.

Deb Wigley

So for Discord, we say that Discord, when people react and post gifs and ask questions, that’s like the head nods and the, oh, I get, like, of virtual teaching, but it’s not the same.

Chris Traynor

That’s right. That’s a good.

Troy Wojewoda

Because you don’t see the people dozing off in the back.

Eric Kuehn

Right. You’re just so.

Troy Wojewoda

You’re like, okay, well, I have 20 people in the class, and only five are participating on Discord. Does that mean 15 of them are just. Or, like, they just walked away because they’re just getting a couple hours off.

Eric Kuehn

Of work or whatever.

Troy Wojewoda

So, that’s like always in the back of my mind.

Chris Traynor

I feel like when you’re teaching virtually, because that’s how I do most of mine, except for Deadwood, is you actually have to be forced to like the sound of your own voice, because you’re talking for 30 minutes straight, 40 minutes or something, and you’re doing demos and running commands, and all you’re hearing is your own voice and you’re trying to just read text.

Yeah, it’s hard to gauge when people.

Deb Wigley

Would everyone here agree with that besides Kyle? Kyle likes the sound of his voice, but what everyone else agrees.

Troy Wojewoda

No, I don’t like the sound of Kyle’s voice. The other thing, good thing about teaching.

Eric Kuehn

Virtual, too, is you don’t have to worry about flying fruit if you get something wrong.

Chris Traynor

Someone.

Eric Kuehn

Wow, speaking of flying, really go off.

Deb Wigley

The rails, Eric, I’m going to stop sharing my screen and let you share your slides.

Eric Kuehn

Oh, alrighty then. So what does that have to do with.

Kyle Lambros

Every time I see your background, it makes me want to go watch Rogue One.

Eric Kuehn

Go for it. Great. One.

Deb Wigley

Go for it.

Chris Traynor

That is my wife’s favorite movie, Rogue One. That’s the one that won her over to Star Wars.

Kyle Lambros

It’s the biggest Star Wars movie.

Troy Wojewoda

It’s also the one that has the biggest data exfiltration ever. Plans to the, like, to the Death Star. Like, like, that’s like, where’s their DLP?

Where’s their protection? You could just get in and swap out drives and boop. The plans go right up until the freaking.

Kyle Lambros

Physical.

Eric Kuehn

I was gonna say, once again, you have to remember, in the future, especially in Star Wars, the whole idea of personal safety is gone. You’re on all these big platforms, floating in the air without any railings or anything.

Why worry about your data exfiltration when you’re more likely to fall off and die?

Troy Wojewoda

Or the planet or get blasted by.

Kyle Lambros

A giant space laser?

Eric Kuehn

Space laser. Any number of things.

Chris Traynor

So in a few of my. A few of my webcasts and a few times I’ve taught, I’ve put a couple slides at the beginning asking students what their most realistic showing of security is in a movie.

And episode four is the most realistic to me. Because at the beginning, they’re all sitting in a boardroom discussing how secure the Death Star is. And one guy’s like, it doesn’t matter what sort of information or technical data they have.

It’s impenetrable. Another guy’s like, you’re stupid.

Kyle Lambros

And he tries to choke him with the. With space magic.

Deb Wigley

Space magic.

Chris Traynor

Yeah, wizards with space magic.

Deb Wigley

Someone wants to know if the cloud exists in space.

Eric Kuehn

It’s been renamed the nebula.

Chris Traynor

It’s Bespin. Yeah, it’s Bespin. Well, you can jam palms, and Bespin’s one big cloud.

Deb Wigley

All right, everybody, I’m gonna ask you to go to backstage if you are not Eric Kuehn. Because we’re going to start.

Chris Traynor

Can we talk Star Wars every pre show banter?

Deb Wigley

That and drugs. We didn’t touch on drugs today. Well done, everyone.

Eric Kuehn

Keeping it real. No. No.

Deb Wigley

All right. Eric. Eric, thank you so much for joining us today in this Antisiphon Anti-Cast. You’re going to be talking about Active Directory hacking: three new techniques.

Eric, take it away.

Eric Kuehn

Thank you very much, Deb. Thank you for having me here. Yes. So, as mentioned, Active Directory hacking: three new techniques. And the new is in quotes for a very important reason.

These aren’t necessarily new techniques. Having seen a lot of what’s going out there with pen testing and what people are doing, there’s a lot of reliance on a whole bunch of automated tools.

Things like BloodHound, which are great. And all of these tools are very, very good, but they often will be picked up by different utilities that might be out there. So what I wanted to do is cover some other ways that we as pen testers or we as defenders or whatever we might be, could start seeing information and then modifying information in AD without relying on a shell or relying on any of these tools.

Before I start, I noticed that it’s the 31st. I put that date in there and I can’t believe that we’re almost done with the first month of the year. It is just flying by.

Before I start. As mentioned, my name is Eric Kuehn. I’m a principal security consultant with Secure Ideas, actively working with Antisiphon for training and getting our information out there.

I’m in the Charlotte area, which is really I’m south of the border in South Carolina, but just outside of Charlotte. Been doing security consulting for seven years.

Before that my experience was really around Windows engineering, Windows systems architecture, applications, Active Directory. I’ve been dealing with Active Directory since before it was officially released.

So way too much of my time. Beyond that, now I do penetration testing, security consulting and training like this. I really, really enjoyed the training. The whole goal here really for me and my companions is we want the world to be a better place.

If I could get everybody to have their environments be secure because they know what it takes or what we’re doing as attackers and pen testers and they can prevent it, that would be better than me continuing to do what I’m doing.

I could find something else. I like getting paid, I like what I do, but I could find something else. And I’d much rather have the world be a safe and secure place than knowing that my four kids, all of their medical information has already been leaked out on the web at least six times.

And my oldest or my youngest is only 16. So all sorts of problems, other things when I’m not teaching, training, et cetera. I’m a huge movie enthusiast.

So I really like the idea of talking about Star Wars and other movies. My major actually was film and audio. I moved into computers because at the time, when I was in college, the whole idea of having to move to New York or LA and be a starving artist didn’t really mesh with the woman that I loved and married.

And having a family. Beyond that, I love playing games, role playing games, online games, board games, et cetera. And as I mentioned before, father of four. So that’s me in a nutshell.

We’re here to talk about Active Directory though. So if you’re not familiar with it, why should we care? If you’re a pen tester or you are a defender?

You are probably already aware, but Active Directory is everywhere. If there is an environment out there that has more than three Windows systems in it, it’s probably using Active Directory.

It is the legacy system that provides your centralized identities, authentication and kind of authorization in Windows networks. Microsoft is definitely urging people to move to Azure and Entra, but until every app that is on-prem has been migrated and can start using OAuth or SAML, et cetera, AD is going to be around for a while.

Beyond it doing its general background stuff, it also holds a significant amount of information. When I say significant, I’m not just talking about group names or user IDs.

I mean that you can find an incredible amount of information in there. Just a couple of months ago I was doing a pen test and I was looking at different IDs and different things out there and I found passwords in clear text.

I also found that there was a very old application that someone had written that was putting things like financial account information and other things like that into a different directory, a different domain in the forest.

It is amazing what you can find if you’re just willing to start looking at AD and seeing what’s there. It’s amazing what you can find. Beyond that, because it is the centralized authentication and authorization area for Windows.

It means if you can compromise it, you have full control over the network. You are able to get everywhere. You may need to do some extra steps, add yourselves into groups, et cetera, but really you own the entire environment.

As pen testers, we are always trying to get domain admin or privileged access into AD so that we can find a way of giving ourselves access to what the client really cares about.

The client says, I need you to gain access to that SQL server, pull out information from that database. We can go through different methods, find a way to get somebody’s specific account, or if we can gain access to AD and just say, what, my account is now a database administrator.

Now I have access. Different ways of getting to the same place. So Active Directory, there’s two parts to it. Number one, we want to read information out of AD so we can plan our attacks, see where we need to go, who we want to become, what groups we need to get to, but then also we need to be able to modify it.

Reading information out of AD just requires a set of credentials. Those credentials could be a normal user account that the client gives you when you’re doing a test. It could be a computer account.

Perhaps you got a web shell or some other method of gaining shell access to a server. You can use that server itself to be able to read information out of AD.

It does not require anything except having a valid account in the environment. Now, modifying information, that’s another step. It does require that you have permission. So you need to find that ID that you’re trying to get to.

You may not need to get the incredibly privileged or administrative access to do it. You might be able to do it with some other set of credentials because they said these people are able to modify groups in the environment, any number of things.

So reading all you need are a set of credentials. Normal user doesn’t need to be a member of any groups, it’s just a set of credentials. Modifying requires special permissions.

So what are some of these tools we can use to get this information? Once again, I mentioned BloodHound. Absolutely BloodHound, not on my list here today. That could be a separate class on its own.

Very common tool used by pen testers. It goes out and it will query a huge amount of information out of AD. It will then start looking at different devices on the network and it gives you this beautiful map of hey, what you need to do is find a way to become an admin on this box.

Now go here, then do this. Gives you a path from A to Z. Very easy. Once again though, BloodHound and most of the utilities like it at this point are going to be caught by every endpoint protection known to man.

If anybody has something in the back end doing behavioral analysis, it will absolutely catch you. If you’re using Defender for Identity or other tools like that, it will catch you very quickly and say something strange is going on here.

So maybe we want to use some other tools to get the same information a little bit slower but still get to the same end goal. First up on my list and probably my least favorite are the net.exe tools out there.

These are really old. They’re holdover from Windows NT. They’ve kind of progressed. These are old command line utilities, things like net accounts, net group, net localgroup, net user.

All of these are built into every version of Windows. They’re right there. Always easy to use. It’s very easy to use them to make changes because they can accept very specific commands.

It doesn’t require any special knowledge about the environment. It’s very consistent because they’ve been held over for a very long time. Some downsides though.

Number one, the device that you’re going to run these commands from needs to be part of the domain that you’re trying to make the changes to or read information out of. You can’t have your own attack host sitting out there that you haven’t joined to the domain.

It’s just a Windows box or yeah, Windows box in this case sitting on the network that you control. But it’s not actually in the domain, it’s its own independent thing.

It’s in a workgroup. You cannot use these commands at all on them. It’s also not the best for getting information. It can, it can absolutely give you a much, a very good amount of information, but it’s very limited because they are compiled executables that can only return exactly what they’ve been told to get.

So really your search is very limited but it’s still there. In addition, similar to BloodHound, this is probably going to get you flagged as suspect by any EDR, especially if you use the group, localgroup or user information.

Let me see. So, any significant caveats to use pass the hash net on Linux from a non domain joined computer instead of the Windows? So I have not tried to do that before.

I could definitely see and see what happens. I haven’t done it. I do know that really a lot of times when you’re using the net commands from Linux and a whole bunch of tools that exist out there, quite often what you’re doing is, yeah, you said it, you’re passing the hash or you’re saying I’m doing some sort of SMB exec or other method of having that device run this command for me.

It will work, but once again it will probably still get caught. Depending on how you’re trying to pass it though, it might be caught in a variety of different ways. The SMB exec could be caught as a new service has been created and we removed it.

Any number of ways it can work, but typically, as I said, in that case you’re actually asking the device to run it. You’re not running it from the Linux box itself, unless I misunderstood the question.

So when we look at this, I have four up there because there’s actually, I want to say there’s twelve to 15 different net commands these days. Now, net accounts is the first one that’s practically out there.

Very easy way to figure out what the password policy is for the domain. That’s about it, all you’re going to get out of that. Net group and localgroup do the exact same thing. They are going to give you information about all the groups or a specific group if you ask it.

Localgroup is listed as supposedly only the groups on your box, but really that is for a specific type of group in AD as well. User will give you information about a specific user that you query in there.

So when we look at some examples here, if we wanted to get all the members of the domain admins group, it’s very simple. Net group domain admins.

The slash domain is very important for a lot of these commands because that says actually query the domain, not the local box I’m on. Adding a member. This is probably one of the oldest commands and every pen tester, will let net group domain admins user one domain add will add the user into that group.

One of the oldest known ways of doing this over and over again and once again is probably going to get you flagged.

It’s very important that you remember to put that user one in there, though. If you just say net group domain admins domain add, you’re going to try and create a new group called domain admins, which will not work.

You can remove people as well by running the delete. As I said, you can create a new group. You can do other things like get the membership of domain local groups, which is a separate type of group.

There’s global, domain local. They’re used differently in AD overall. If a group exists out there and you do net group and it doesn’t give you the information, try net localgroup.

I bring up administrators as a very important one here. Many pen testers are always going for domain admins. Domain admins. That’s what we want to get. Administrators is a group that exists in the domain just like it does on every Windows server or Windows device, and it gives you full administrative control over domain controllers and Active Directory.

It doesn’t have some other benefits that domain admins has, but if you can get the ability to be a member of administrators, you can add yourself to domain admins then and you’re set.

Someone did mention that the net group or any of the net commands will not give you nested group information. That is absolutely correct.

I would cover that in a minute. But to go through it now: with Active Directory, when you are a member of a group, you could put an individual user in there or you could put a group in there and then have members of the group that’s a member of the group you actually care about.

These commands are just going to give you the direct membership. If you are in the nested group, whether that is one level below or 30, it doesn’t make a difference.

This will not show it, it will just show the direct membership. So speaking of what you get in the caught, any thoughts of avoiding detection with the net1.exe is a workable substitute.

That is absolutely yet again, another way that you can try and avoid detection. It depends on your client and what they are using and how they have tuned things.

It really, it is really all the time between pen testing and defenders we have this ongoing battle forever of hey, our detection tools are getting really, really strong and then suddenly the pen testers and attackers are finding better ways of getting through, et cetera.

So it depends on your client. I have some clients that their blue teams, their purple teams are incredible. I try and do something once and it will never work again.

And it’s not because I did the simple let me rename something. They start looking at the behaviors and what is actually being called and start picking up on that. Those clients, things like renaming an executable from one to another is not going to work.

If you are dealing with clients that have default out of the box systems it very well could, but it depends on what you see and who you’re dealing with.

If you’re doing a pen test versus a red team engagement, this might be my own method of thinking about this and other people might be different. A pen test engagement is I am trying to find as many methods to get to the end goal as I can in a short period of time.

I’m loud, I’m noisy, I don’t care if you catch me or not. Actually, I would rather know if you caught me so I can put it in the report saying I tried these 14 things.

Yep, one worked but these other 13 were caught. So pen test, absolutely, try it all, do it, have a great time, try all those different things. You get caught with net, try net1, see what happens, go through it.

If you’re doing a red team engagement where you are trying not to be noticed, then I’m going to try and avoid anything that I think is going to have a chance of being caught and net1 would definitely be on my list of things to avoid.

So my personal opinion, it’s very hard to say what you might see out there. So quick, the net examples, right there.

The next method that I want to talk about is straight LDAP queries. This is absolutely one of the best ways to get information out of AD.

It will always be one of the best ways. That’s because in order for clients to be able to use Active Directory, they need to be able to get to LDAP.

It’s one of the required parts. Active Directory is an LDAP directory. As well as doing other things, LDAP is always available. There’s no extra ports that you need to have access to.

You don’t need to worry about having SMB access, you don’t need to worry about anything else. Just 389 or 636, two ports and they will always be available to you unless that domain controller happens to be isolated from your network for some unknown reason.

Your device that you’re doing the querying from doesn’t need to be in a domain anywhere because you can supply the credentials as part of the query. There are a ton of different tools and programs out there that exist that allow you to query this information.

You don’t need anything special. And LDAP itself is not a Windows centric tool or utility. It’s a very well documented method of getting information.

Unfortunately for you to use it, you need to understand the LDAP syntax, which is unique unto itself. Depending on the tool that you’re using, you may not get all of the results for a query because by default you’re only going to get a small number unless you add an extra piece of information to your query.

The values that you get back from an LDAP query may not be human readable. There are so many different attributes in Active Directory.

Attributes are pieces of information existing on objects. Objects are users, groups, et cetera. There’s so many different types of attributes out there that have information that are just numbers.

If you don’t know what that refers to or what it means, it’s not going to bring you any value, it’s just some number. So you may not have anything actually usable depending on what you’re trying to get.

The other problem with LDAP is bad queries can absolutely kill a busy domain controller. Domain controllers can only handle so many LDAP queries at one time. If you build an inefficient query, it will take a long time for that domain controller to respond.

And when I say a long time, 500 milliseconds is a long time. It might take a long time. You soak up one of those threads that AD is allowed to use.

You have your other clients who are doing things and suddenly the DC can’t respond to LDAP anymore and you start running into problems from a blue.

When I was managing and engineering and dealing with Active Directory all the time, this would kill us. At one point in time we had a group stand up a Hadoop cluster.

I think it was something around like 3000 nodes in this cluster. And every once in a while they would run this one job, it would hit one specific domain controller because their cluster was not AD aware.

All of the clients hit it at once and we just watched the domain controller literally catch on fire and die because it couldn’t handle all of the queries that were trying to come in at one time.

So, a question about LDAP and SOAP. I might need a little bit more detail. I’d be happy to talk about that later.

I’m not exactly sure the relation between the two. Yeah, tell me that adding too much text in the comment fields of AD would slow down AD overall.

Yes and no. That’s an interesting one. It depends on how we look at it. Like any database or LDAP directory, it will contain lots of information.

Depending on what you’re using to query that information, it might take a long time to get that entire field out of AD. When you do the query, because you have to get that entire piece of text, the domain controllers have to send it all to you.

Or even worse, if somebody has written queries that says I am looking for some piece of information out of ad, then we have to search all of that text over and over and over again, which could absolutely slow things down.

But it really depends. Having too much information in adjusting will begin to slow things down as information is returned.

When you build out an AD environment, you start trying to build wider than deeper. You have multiple domain controllers out there that can help return information.

But once again, absolutely, if you have way too much information in an attribute, you could absolutely begin to slow things down. It can slow down replication. All the domain controllers are sitting out there.

They all believe that they are absolutely 100% authoritative. They all believe in themselves. They go through, saying hey, here’s information, you need to take it, please take this information.

We need to pass it around. Too much can start slowing things down, et cetera, overall. So that doesn’t mean don’t put information in AD, it might mean don’t put the dictionary in a field, right?

Be careful of what you’re putting. Let me see. So, LDAP, great, great way of getting information. Something I highly recommend. Giving some examples here.

LDAP filters to give you an idea. This is just the filter. It is not the specific format for whatever tool you’re using.

So the filter to find the domain admins group is saying, hey, I’m looking for a group and I need the name to be domain admins.

CN stands for common name. If I want to get all of the properties for a user account. In this case, SA one is the name.

I’m going to say, Active Directory, I need you to give me the category, a person, a user. You need to do it twice. You don’t really, but it’s still better to do it.

And sAMAccountName is SA one. sAMAccountName is what we know of as your login name, what everybody knows as a login name. Then we get to have a fun one down here.

I want to know all of the members of the built in administrators group for this domain, whether they are direct member or a nested member. We mentioned earlier, with net it only gives direct membership.

Net group will only give you direct members. This will actually go out and say, who is a member of the administrators group?

Now, are any of those groups? Great, who’s a member of those groups? And continue down the line until it can list everyone. But as you see, this is not exactly the most human readable method of getting information.

If I want to find all enabled user accounts, we do something similar. We have another very human readable method here that says I’m doing something special in this attribute equals two.

Great way of getting information. Hard to do it necessarily. To get around this query set. Hold on, what are we asking about here?

Some group names in Active Directory could be different languages. Yes, thank you, Kathy. That is a great mention. Yes, that will work for known groups.

I find it interesting. I have clients who believe in security through obscurity. They’ve renamed their domain administrators group to Billy’s group and the administrator ID is now something like John or once again Billy.

Any number of things. Those special groups in AD, domain administrators, administrators, print operators, the list is fairly long, will have SIDs, which is the security identifier, which is actually used for granting security.

But the security identifier will always be the same or at least end in the same digits. So you can absolutely go through and people rename things and I can’t find administrator, then yes, I just go look for S 139500.

I think I did that right and bang there. I now have the administrator ID. So there are ways of getting the information outside of that. I cover that in the class which I didn’t talk about.

I’ll be teaching next week covering red team fundamentals for Active Directory. Cover some of those tips and tricks. This is really just about the tools.

So someone said, I think LDAP can only be used to collect info and query domains, right? Not modify. Thank you for leading me right into my next slide.

That is not correct. You can absolutely modify information with AD or with LDAP. That was a bad term right there.

We mentioned, hey, what happens when you catch yourself right there? You can modify Active Directory and LDAP information with LDAP tools.

My favorite tool for doing anything, or LDAP tool for doing anything in Active Directory, is a tool that’s called LDP. It comes as part of the Active Directory directory services RSAT tools.

You can install it on any Windows server, doesn’t cause a reboot. You can install it on Windows ten or eleven for free without rebooting. Well, Windows eleven does require reboot right there.

You can absolutely go through and modify this information. So this happened to me recently as well. I had my box, I was sitting there and I didn’t have other methods of communicating with the domain very well because of how everything was set up.

But I could hit LDAP itself. I had credentials. All I did is add myself to domain admins through LDAP. So absolutely, you can start doing that.

So very good tool to do. I have the steps right here, what to do with LDP and how you can do this. If you are not using LDP, if you are not using a Windows attack host and you are hitting and doing things with Active Directory, I urge you to add a Windows host into your environment, into your toolkit.

It doesn’t need to be anything specific. Things like Linux and all of the tools built with Linux absolutely work.

100% will work. If you can use a Windows box, there are some extra things you might be able to do that will help you in certain ways. It’s a little bit closer to what the AD is expecting you to do.

If you can have a Windows box that’s on their domain, you’re golden. You are so much further ahead than if you were not in the domain. So let me see, what are some questions here?

Some problems can you run into problems getting nested group membership? If you have, yes. So another great question. If you are manually checking the let’s talk about a nested group really fast so everybody understands what that means.

So once again, you can have a group in AD and it can have members. They can be users, computers or other groups. If it’s another group that is a member of the group you’re caring about, it’s considered a nested group.

You can have this wonderful circular relationship happen, which is what was mentioned there, where you have group one and in there is group two, that’s a member of group one. Then you have group three as a member of group two, and then group one is a member of group three.

If you start running tools yourself that are going to go through and say find the group, find its members. If you see a group go down the line, continue, they will get stuck in this infinite loop.

Using commands like I did with the LDAP here should not get that because it can actually then begin to parse it and get through. You should not run into an issue with that. There are other tools that will come from PowerShell, which we’ll talk about in a minute, that will once again give you the list.

It shouldn’t get caught in that loop. Where you begin to run into other issues is if you have a group and you have multiple domains out there.

So we have more than one domain and you have members in this group in domain a and those groups or people come from domain b, you could start running into problems getting that information back.

Depending on how the query is formed and what access you have and how things are built, you can start running into, they’re called referrals and chasing referrals and having a whole bunch of things just begin to error out.

Yes, the circular relationship as mentioned there by Dozekar. Dozcar. Absolutely. If you build your own tools that are looking at groups and going down the line, you will begin to run into errors, all sorts of the problems.

So not run into that. Yes. So as always, haven’t dug into it a lot. When we build our queries, whether we’re using LDP or LDAP or we’re using PowerShell that we’re talking about in a minute, you want to make them as narrow as you possibly can.

Two reasons. Number one, as I mentioned, bad queries can absolutely crush domain controllers. Also, if you are asking for a lot of information back, you could begin to slow things down. On top of that, depending on your client and how they have built their environment and if they’re looking for inefficient queries, you’ll start flagging that.

It doesn’t mean they know that you did something specifically or that you are causing a problem. Just the domain controller got something and was asked to return something and it wasn’t the best way of doing it either.

A, it was too broad and it didn’t use index attributes and a whole bunch of other things which are kind of outside of this talk here. Or it returned too much data and therefore was taking too long for it to supply the information. That can flag as an inefficient query.

And if you have somebody who’s looking up to or is using that flag as a problem, they might start investigating things. So we want to make our queries as nice as we possibly can so a, avoid detection and b, be nice to our client.

So yes, circular problems are huge. Yeah, also mentioned by UMD Smith, another great point. If they’re using circular grouping and other problems there are typically other issues that you can exploit.

Quite often you’re going to find maybe passwords in clear text or too many permissions granted to other people. All sorts of things out there that will make it easier to move through the environment.

So LDP and LDAP, great. I urge you once again, LDP is my tool of choice. The main reason it’s my tool of choice on a Windows box is it will automatically convert all of those attributes that are out there that don’t mean anything to us as people into what it actually means for a Windows environment.

So your AD forest functional level is six. I don’t know what that means off the top of my head, but it will do it automatically.

It will say hey your user account control attribute is this, well that means hey your normal user account, you don’t need to reset your password, your password never expires, you don’t even need a password.

And something else, it will translate all of that over to you, so you don’t need to go look it up all the time. What tool would I use on a Mac if it’s a newer Mac where you can’t build your own VM?

You can use ldapsearch. It’s a utility that’s common with Linux. You could use that. I think there’s Apache Studio also has a tool of getting things out there.

PowerShell Core can be installed on macOS, but I didn’t think that you could actually load the AD cmdlets in there. Now you could build your own .NET queries to get AD information, but then you’re back in that same place.

Unless things have changed. I didn’t think you haven’t. Yeah, I don’t think you can actually load the AD cmdlets, which is what we’re going to talk about next actually in just a minute. Okay, so Mac has a built-in directory tool.

So great. Okay, so they have VMs. Great as well. Like I said, having a Mac as your main box or a Kali box or your choice of Linux, whatever it is, use whatever you are most comfortable with for dealing with most of your pen test, 100%.

But having a Windows box that you can go and load Windows utilities on will help you immensely doing certain things. So that’s why I say have a VM, or, well, all right, two laptops or two devices, maybe not.

But if there’s a way, absolutely. Try and have a Windows. Yeah, Mac itself is not going to work the best on its own doing AD stuff. There are ways that you can, there are utilities out there.

Impacket. Great suite of utilities to use to do things with AD, or Windows environments in general. Not as good, in my opinion, as using Windows inherent tools.

So LDP, great method of doing straight up multiple devices, also will work for you if you can. LDAP packets wrapped in SOAP are really clean.

Technically anything wrapped in soap should be very clean. But then you have to deal with a SOAP envelope and that may make you feel not clean, trying to understand what it’s doing.

So it’s not always the easiest thing to read in my opinion. Oh, was there a new tool brought out here?

I’m going to have to look at that. So pound. Okay, so pound, I’ll have to check that one out. Thank you. I want to make sure I caught all the questions here.

Where should we run these LDAP filters? The ones that I showed before. Yes. They would be put in your tool of choice. Now I will show it, an example with LDP in just a little bit here.

They would be added to whatever tool. They are. Generic. They’re generic LDAP filters. They will work with LDAP search, they will work with LDP, they will work with any LDAP tool.

Python 3 has an LDAP tool. Absolutely. Yep, yep. Someone said, if I’m not mistaken, you can limit data that can be read by normal users in AD, restrict AD fields, groups, description.

Yes you can, but it’s not necessarily the easiest thing to do.

By default an LDAP directory is considered readable by everybody in it. You can try and tweak security and put in blocks and denies and all sorts of things to limit who can see it.

But you are going to be, excuse me, making several very fine-grained security changes into AD. And if you mess that up you are going to cause problems and there’s typically workarounds.

One example I have is I have a few clients who have said the what, I don’t want people to be able to see you as a member of domain admins. I just block that.

I don’t let you see the membership of domain admins. That’s fine, I can work backwards and I can query user account to say hey, who’s a member of domain admins?

And that will return it for me. There are workarounds for a good amount of information out there. There are also extra attributes added into AD that are considered confidential.

Once again, outside the scope of this talk. Those require special permissions to see, but by default you can see almost all the information out there.

Exactly. Kathy, an example of a confidential attribute is LAPS machine passwords, or BitLocker recovery password keys, or a whole bunch of different things out there.

There are many examples of things that you will not be able to read by default unless they did something wrong, which happens quite often.

So we covered the net executables. We covered LDP and LDAP. Now, probably my favorite one, but I am a Windows guy.

The PowerShell cmdlets. PowerShell command. PowerShell once again, built into every Windows box out there known to man.

It’s been included since 2008. You could install it with 2003, but it’s been there forever. If you load the AD cmdlets, which are part of the Active Directory Domain Services RSAT tool, again, you can use things that will query information.

Using them is easier than LDAP, although you might still need to do some LDAP filtering here and there depending on what you’re trying to look for, but it’s very easy to use. It is standard PowerShell language now and not LDAP.

The objects that you get back when you query information are PowerShell objects. You can start doing other things with them automatically through PowerShell. It’s not just a list of things, text. Most of the attributes, almost all of them, are converted into a human-readable format yet again, just like LDP.

I don’t need to get something and try and look up what that number means. It’s just translated for me. It will return all of the objects when you do a search, a query, and not just a subset, because it automatically does something called paging. It will continue to query and give you all the information that is appropriate, not just a subset.

Using the PowerShell cmdlets does not require that you are in that domain, just like LDAP doesn’t. You can have your box. As long as you have access to the domain controller, you’re good.

The downside is it requires a special service to be running on the domain controller and you have access to another port, 9389. That is not considered a true standard active directory port, and some people may block it.

I don’t see that happen very often in most of the environments I’m at. Typically they allow that port to be open to clients, but you might run into a situation where you can’t.

The last pen test I did where I had to use LDAP is because they were blocking PowerShell to domain controllers so I couldn’t use my normal tool.

The downside is it’s probably not on a compromised host. So if you don’t have your own Windows box that you own, that you can get on the network that has these tools installed, they probably aren’t going to be on that compromised host and you’ll have to install them.

But luckily installing it on a server doesn’t require reboot. You might want to talk to your client first and say, hey, I want to install these tools, are you okay with it?

But it should not cause a problem installing those tools. It doesn’t require reboot. It’s very innocuous to do. The other problem with PowerShell is one that I hear from everybody who tries PowerShell for the first time, which is, it’s verbose.

It is not what I call the leanest language ever to use, but it is absolutely usable. If I block that port, am I going to break your domain, port 9389?

I’m going to go back to the great security term of maybe, probably not, but it depends where you’re blocking it from. If you have a well defined network where you have your client devices on one subnet and one network, and you have servers and other things on another network, you could probably be fairly safe blocking 9389 to your client devices.

Unless your users are using the cmdlets, the likelihood of them hitting 9389 is pretty limited.

Now, if they are doing any Windows administration, and when I say Windows administration, that could be Exchange administration, it could be SQL administration, it could be SharePoint, any number of those tools, they have tended to really be running PowerShell on the backend these days. If they are then going to query AD for any information, which Exchange and SharePoint most likely will, you’re going to start running into problems.

So your users hopefully aren’t doing administrative access and administrative things from their normal user boxes. Otherwise that’s a different problem I’m going to be exploiting when I come down on your environment.

Exactly. Stingray, you shouldn’t be using your client for administrative duties. But I do know places where that exists. My typical groups that I look at immediately are your developers and your DBAs because in my last seven years and historically beyond that, when I was responsible for AD, those were the two groups that typically said no, no, no, I need to do it for my own box.

So, the second con, the second con listed here is that the PowerShell cmdlets that we’re going to use to query this information?

Is, yes. Those tools are not installed by default on a box. PowerShell is going to be there, but the cmdlets that we want to leverage won’t be there and you’ll have to install those to be able to use these.

That’s what the second con is. So PowerShell is there but not the AD cmdlet. You’re right, I should update the slide to say PowerShell AD cmdlets.

Minor mistake on my point. So good catch. Thank you. I heard one time got domain admin through a web request.

Yes, but that goes to several. So many misconfigurations. Once again, that is, I had an application that existed out there that we could do stuff with.

In that case it was, you could do LDAP injection. Hey, that’s great. Not only am I able to query information, but I can say actually modify it.

We sent the request and it was nice that this utility had more privileges than it should have in the domain. There are so many environments out there where people still make service accounts domain admins for different reasons.

Quite often it’s because people developing applications don’t understand what they actually need and they’re like, just make it a domain admin and you’re good to go. And then that’s what’s done.

But so let me see. You should be able to use the .NET objects through. Yes, absolutely. JD 50. If you are a .NET person, you can absolutely do that.

I’ve done that before myself. I can’t install these extra tools on this box. Let me start querying .NET directly. I don’t have that in the slide deck.

I do cover that in my class next week about how you can build objects and things in PowerShell to do straight .NET calls and get that same information.

Downside to that is it doesn’t do the reformatting and reconstruction for you, to tell you what that attribute actually means. Some quick samples here, similar to what I did before.

It’s almost the same as what we listed with LDAP, but it is now in the PowerShell cmdlet format. This first one is going to find all the members of the Domain Admins group, including nested groups, and then it’s actually going to give me their user account name.

So if you’re not familiar with PowerShell, this is Get-ADGroupMember. Give me the actual members of the group. Here’s the group I’m looking for. Recursive is look everywhere and get me everything, but then I have to say give me sAMAccountName because of the information that’s in there.

So RSAT Active Directory Domain Services and Lightweight Directory Services tools have been installed? Yes, that is correct.

The RSAT tools should still continue to work, even on older versions. So if you have access to AD as a standard user, what are ways you can escalate privilege to be an administrator?

Step one is you find out what you have access to. That can be by querying LDAP or by other means.

But you see what you can do, what you have access to. Do you have admin access? Do you have write access to things? If you don’t, then you start looking to see who does and you see where they are and see if you can get somewhere.

Somewhere, yes, ACLs would get you there, the simplest, but you have to query them, which we’ll cover in just a minute. So here’s some examples for you.

As I said, similar things that we’ve been querying before with the different tools, just a different syntax to do it. As I look at my time, so using AD cmdlets remotely, not on that box.

Number one, you need to have port 9389 open to the domain controller. Be sure that you add an extra little parameter to all your queries, the Server parameter, all these don’t have it, that says go out and reach to this domain controller, this specific one, and get me the information.

Then you can run it as different people. You have a compromised Kerberos ticket. You import it into your PowerShell window and you start doing that. You do a PowerShell window with runas /netonly, and then you’re querying, you’re using all of your remote calls, anything going across the network as the new user you have specified.

You can also store your credentials in a PowerShell, as PowerShell credentials, and then run them as another one as credentials. Here’s my example using all of this together.

The credential, $creds, Get-Credential, that will pop up a window where you put in the user ID and password you want to use. And then you say Get-ADDomain, Server, because I want to hit this one specifically.

You could put name or IP address, either one will work. Name is typically a better way to go. And then credentials with the variable that I pulled up here before.

When I say name, I mean DNS name. The last tool, even though I said three, number four, is Active Directory Users and Computers.

This is the GUI that’s installed, the old GUI because it was out from way back when, Windows 2000 days.

That goes and will show you information in a GUI format. It’s very easy to use. It will show you the structure of everything.

Very easy. It’s also the best way to see those ACLs on an object. AD Explorer, you can use that one as well.

Absolutely. I don’t use that one as often as I probably should. In all honesty, I would rather use ADUC than AD Explorer.

I should probably add that one to my wheelhouse more often than I do. Typically I’m running through PowerShell myself. It is the best way to show ACLs and the reason is ACLs are just text.

If you query it with LDAP or you query it with PowerShell by default, what you’re going to see is a GUID and some piece of information and a SID and you may not know what it means exactly.

Oh, somebody’s talking about BadBlood. Yep, that’s a good one. But so fair.

LDP does a better job of displaying them without combining them into special. Yes, I completely agree. In this case, anything under special or this object or whatever it might be, might require you to actually look at the details individually.

This is a more manual process. Jim, I completely agree, but it often is easier for people to read and figure out who has that rights than trying to read the ACLs themselves and seeing what that might refer to because they aren’t always translated yet again, depending on the tool you’re doing.

So I do agree with you. LDAP and other tools can absolutely give you that information.

Yeah. Oh, well Jim, I’m happy for you that you can read those like English. Most people can’t so that’s awesome. You must be an old school developer who’s trying to assign security, ACLs and things through programs.

I applaud you in being able to do that. Does the class include escalation via certificate abuse? So I have not put that in there for one reason and that is I like to cover how AD is working and things that will work in any environment.

Not everybody has set up a Windows certificate authority. But it is something that we can do. It’s something we can absolutely cover during the class and how it works and what it’s looking for.

The tools that you would use actually are just querying AD for information in a lot of cases and so you can see that without running those extra tools as well. So that is a great way of escalating privileges.

By the way, even though the notice of how to use certificates to abuse AD permissions I think was published in 2000.

Was it in 2000? It’s still not been a common technique that everybody is looking at or things of going out there and most people either a, aren’t using certificate authorities, b, are using some default settings and therefore they’re safe with the templates.

Or c, yeah, they have no idea what they’re doing and you have all sorts of fun. So, not many people are qualified to set up Windows PKI. I would agree.

That is not an easy one to do. It can be, yep, absolutely. It can cause problems. So yeah, there’s the original post from some incredibly smart guys out there.

So yes, I only have five minutes. I ran long and it’s mainly because of the questions which I’ve really been enjoying.

I was going to show the differences between the different tools, but that might be a little difficult with the time that we have left.

How does removing everyone in authenticated users groups affect the ability to query if you have not already been able to elevate privileges? I need a little bit more.

Yeah, the questions have been absolutely great. So, how does it move? I need a little bit more detail on that one as far as, what do you mean removing those.

LDP? Sure, I can do an LDP demo.

So this is my Windows attack host. His name is Chernabog. By the way, if you ever see Chernabog out there on your network. Hi.

We’ll see what happens. I have a pretty good track record of getting domain admin and environment, so here is LDP.

This is the tool. Once again I had to install the RSAT tools here, this box as shown. No, it’s not shown. For some reason BGInfo left.

This box is not part of the domain. It is its own little standalone box.

Just to show really fast, I open PowerShell. I’m going to run a very simple PowerShell command, Get-ADDomain, which would let me see information about the domain if I had rights.

But just to prove that I don’t. There we go. The server is rejecting my credentials. I’m not there, I can’t do it.

Using LDP, I want to connect to the domain controller. This is its IP. I could also put its name. The port, 389, default LDAP port. Probably what you’re going to use to do the queries.

There’s another one, 636. Some differences there. Without credentials all I can see is some basic information. But once again to highlight the most important part of LDP, this is converting things over for me to human-readable format.

So domain controller functionality seven I can never remember. That means it’s a Windows 2016 forest and domain. So it will start converting even more things like the all of these wonderful things down here that are just random numbers.

What does it mean? Converts it all for you. But I can’t see anything else unless I log in. And that’s the bind, I’m going to bind as a user because I don’t have any.

So let’s use user two. And I’m going to specify the password and the domain. I’m a member of lab TvT and there I have now authenticated. Once again this box itself, the user, it’s a normal user, Chernabog, nothing from here.

The first thing that I’m typically going to do is I’m going to say hey let me look at the tree view tree and you will be able to select different partitions.

The one that is the name DC equals the domain you’re in. You want to query is what’s going to have the objects you’re typically looking at.

And it will show you. You can start drilling through pieces just like you would anything. To do a search, when you click on a box, or sorry, an object.

So in this case I clicked on administrator. It automatically parses and gives you the information back. You don’t even need to do a search. But if I didn’t know where something is I can come up here and I can say search.

And we can do specific things, search for different objects. So this is not the best query in the world because I’m saying search everybody for SA one where that is a scope is, I’m only going to look at the level I’m at.

I’m going to look one level below me, which is OUs. We cover that more in the class. Subtree is look everywhere, and then star says return everything. And there we go.

It finds that thing for me and it will bring it back. It was nice seeing you as well. So that is general searching.

You have the ability to search from up here. LDP will also let you look at ACLs. If you look at the security descriptor. Somebody was saying that they love SDDL.

So I can show the things. This is the security descriptor. I can’t remember what the other DL stands for, but language is the last part.

As I said, this is what it returns. It doesn’t really for most people mean anything. You might be able to look at the security descriptor’s text, which unfortunately I can’t in this case, but it will show you something.

ADUC would show you the graphical way. If I wanted to make a change using LDAP in this case, I would go through, I would say, I’d select the object I want, Domain Admins, I’d say modify.

You need to know what you want to do. You look at the member. Let me. Yeah, it wouldn’t run. Yeah, yeah. So we look at domain admins here, a quick cn m.

Its name, member is who is a member of this group. We see domain admin one. So I want to modify the member of this group.

I would come in here, I’d say member, and I would have to give it the distinguished name of the person I want to use. So I won’t have rights. But let’s say domain admin two.

It’s very important with this operation. Add, as it sounds, I’m going to add. Delete, I’m going to remove it. Replace, whatever is in that attribute at this moment is going to be replaced by what I put here.

You want to do add, typically, for what we’re talking about. You’d see it be here, I’m going to add this guy, and then you click run. I’m going to get an error because I’m just a normal user. So here we go.

You can go through. If you had permissions to modify it, it would add it and then you’d see, everything is good. That’s the quick rundown and we’re at 01:00 exactly.

Deb Wigley

So our good timing, Eric, well done. Yep, coming right to the end of it.

Eric Kuehn

Yeah, sorry I ran a little late. I will continue to look for questions, though, but I know we have to stop.

Deb Wigley

Yeah. Amazing job on answering questions on the fly during your presentation. I’ve watched John Strand do it a lot and I’m like, I don’t know how you do that and that get derailed. So well done, Eric.

You John stranded it.

Eric Kuehn

Thank you. I’m going to take that as a huge compliment.

Deb Wigley

It is a huge compliment.

Eric Kuehn

Like massive.

Deb Wigley

So yeah, no, awesome. Thanks guys for joining us. There were obviously a ton of questions that you, I think, did a great job of answering, like I said. But if anyone has another one that they’d like Eric to answer that we didn’t cover, go ahead and pop it in the Discord chat and we’ll try to answer, we’ll stick around for a couple minutes.

Eric Kuehn

Absolutely.

Deb Wigley

Yeah.

Eric Kuehn

Any talks coming up for me? So that’s a great question. I was actually submitting a bunch of talks, to find out most of the conferences were going to be in April, which turned out to be a very bad month for me.

I have one child in gymnastics and that is prime gymnastics time. Like, hey, here’s nationals and regionals and all this stuff. And my twins, the middle ones, are going to college and that is also prime welcome to college time.

And so we’re going to be touring different colleges. So I will definitely post when I’m going to be talking again. I just need to find when I am going to be talking.

Troy Wojewoda

Looking for one of those buy one, get 150 percent off kind of deals.

Eric Kuehn

That would be so nice if it happened that way. So I have one in college right now, two more going and in two years I’ll have four in college. And yeah, I’m not looking for, yeah.

Troy Wojewoda

My twins are in high school, I got the freshman’s, I got four more years.

Deb Wigley

So you both have twins?

Eric Kuehn

Yes, I was when you said that.

Troy Wojewoda

You were talking about that in pre show.

Deb Wigley

Okay, I missed that part. Yeah, well, that’s a different kind of four kids, guys. That’s.

Eric Kuehn

No, but that’s how you don’t have middles and. Yeah, how, yeah, my wife guaranteed we had four kids. That was one of our big jokes. I wanted to, she wanted four, we had one. We went for the second, we got two.

Now I’m at three. I’m like, I have no leg to stand on. So.

Deb Wigley

It, really is. Once you get past three, it’s like, what’s one more? Like, seriously, I get I get now why people have six. I mean, we’re not.

Eric Kuehn

Five is crazy. Five, you’ve gone bonkers. Because at four, each adult still has two hands when they’re kids. That’s why I had to build a.

Troy Wojewoda

Shell from my office because I ran out of bedrooms, like, literally out in my backyard. This is where I am.

Eric Kuehn

Awesome.

Kyle Lambros

Well, hey, everybody. So we’re going to do the sasquatch again. So if you are looking for training to get for yourself, or if your team at work needs some training, put a sasquatch in the Discord chat and I will reach out to you about how to get that training going.

So, post your sasquatch, your best sasquatch GIF. Or just the word sasquatch. And I will sassy squash send you some info about getting training.

Deb Wigley

That is my favorite sasquatch GIF for sure. Yeah. Well done, Eric. Yeah. If you enjoyed this, give Eric some kudos and let him know that you enjoyed it.

Eric Kuehn

Yep.

Deb Wigley

In the chat.

Eric Kuehn

Appreciate everybody here and listening to me ramble for an hour.

Zach Hill

So we loved having you and the chat. Loved having you as well. They’re already asking when are you coming back?

Eric Kuehn

So I’ll be back at some point.

Deb Wigley

Yes. After April. For sure.

Eric Kuehn

After April. Maybe beforehand too.

Deb Wigley

Maybe.

Eric Kuehn

Awesome.

Deb Wigley

Okay, well, I don’t see any other questions. Some people can also, everyone, if.

Kyle Lambros

You like these talks and topics on this, especially the stuff that’s free. We have a summit coming up, the most offensive con that ever offensed.

It’s coming up in early March, so make sure you register for that. The conference itself is virtual and free. And there’s lots of paid training happening on the back end of that.

Deb Wigley

So we’ll post the link in the Discord again. It’s also in the resources section in Zoom, so lots of ways to find it, but yes, free. We love giving a lot of stuff away. If this is your first time, this is us as Antisyphon and Black Hills.

And we really want to help you succeed. We want you to be the best possible versions of yourselves. And we love giving away. I love giving away lots of things. So welcome. Thanks for giving us a chance.

Eric Kuehn

Yep. Thank you all.

Deb Wigley

Okay, well, with that, I think I’m going to go ahead and call it, Ryan, you have one job, so, Ryan, you kill it. Kill the fire. Kill the fire.