Before this tool was commercialized, it was used in a couple of white hat pen tests I was part of, at one Government agency in at least one State.
This tool “sniffs” your “level” or authorization level of access within an Active Directory environment to find someone else related to you by another AD factor who has greater permissions than you do, so they know who to target next for phishing.
I am a white hat pen tester known as “Legit1”. I am, in fact, not legit.
I want to make my life super fucking easy by sending out a few emails, then turning this thing on and letting it find the next victim, so I can send even more phishing emails, so I can get on your network to an account that has enough permission to own all of your systems. All the systems.
I start by sending a phish email to ol’ Betty Lou, who’s been there for 998 years, but will never retire, because she’s the only one who knows how to make Mr. so-and-so’s coffee. Mr. so-and-so doesn’t even like coffee and pounds a Rockstar on the way to work in the Uber. He just keeps her around because she doesn’t know what her information, discretion, and the coerced illegal shit she’s really done really are. The rules were fucking different 958 years ago.
Ofc Betty clicks the email and I get in in about 18 seconds. It took a long time to adjust her lenses and bifocals to see the little link, but it says it’s an invoice, omg, Mr. So-and-so is going to be so pissed if this isn’t paid immediately! Even says so in the email, it’s overdue already, yikes! I rush to grab my credit card, click on another phishing link that brings me to a very convincing page, for a person who is 998 years old, to think it’s legit.
The invoice may or may not be real. If it is real, Betty has now just given a “secure” card number to a criminal who will most definitely not just use it for himself until it’s all gone and then sell it to someone else. In any case, submitting more information in those tiny field boxes, on the website you don’t know is “compromised”, can execute endless amounts of other shit on your computer. It’s called injection, look it up.
The “hacker” has spent about 15 minutes to get onto Betty’s computer “securely” enough that I can get to the rest of everything. Her life, it’s long, 998 years, it picks up around the time photography gets invented though. Takes a real shitty turn about the time Instagram comes around.
Then they use mimikatz to break into the rest of her/Mr. so-and-so’s criminal shit (passwords, “secure” storage, keys, etc.) to hold him hostage over all his bad decisions so they can blackmail him. If they can’t do that, they just hope the cops don’t catch them.
Protect yourself. Learn what phishing emails are all about. Understand the things to look for to identify “real” information. When in doubt, get in touch with the other person from the email in another form of communication, preferably face-to-face, because everyone needs to go touch some fucking grass once in a while. Touch each other, or something.