Welcome back. Let's get back to our payload creation. So in the previous video, we saw how we can create a simple Trojan using msfvenom. We only used the basic options, where we only set LHOST and LPORT. Now let's check out some other options that we have available. If I go and open up my terminal and run the command msfvenom -h, we will get our help menu, and the purpose of all of these other options that we can see right here will usually be to either bypass an antivirus or to make your payload smaller in size, or something similar to that. Basically, it is used for creating a payload for your own needs. For example, in the previous video, we created a payload that was a Windows Meterpreter reverse shell as an .exe file. But we can create other file types if we want. To check out what other file types we can create, we can run the command msfvenom --list formats. And it tells us that right here, under the -f option, we can use --list formats to list all of the available formats. So let's do that real quick: --list and then formats. This will take a few seconds to execute, and this will be really useful. Why? Well, imagine you were sending a payload to a Linux machine; an .exe file wouldn't be of much use then, right?

However, a Python file could be of use in that case. Well, msfvenom allows us to create any file type that we want. So let's check out all of the available file types. So up here, we can see that we can create asp, exe and some other file types as well. We can go down here. We can see different programming languages such as C and C#; we can create in Perl, in PowerShell, in Python. We can also do Ruby, sh and many other file formats if we want. And what I also want to show you besides this is different options that are also useful, whether it is for bypassing antivirus or changing the size of your payload. Let us check them out. So let's create a couple of payloads right now and compare them. Let me clear the screen first. And to compare them, we're going to use a site called VirusTotal. And to do that and to visit the site, we must open Firefox. What VirusTotal is, is a website where you upload your viruses and they will tell you how many antivirus vendors are able to detect it as a malicious program. So if I open VirusTotal by typing "virustotal" right here, go to the first link, which is this one, virustotal.com, and one thing to keep in mind is that every file you upload to this website is sent to the antivirus vendors.

So something that might be undetectable today, after uploading it to this website, will for sure become detectable in a few days or a week. Are there other websites that don't send your files to antivirus vendors? Yes, but they are not as good as VirusTotal. And we already know that an undetectable virus is a game of cat and mouse: today it's undetectable, tomorrow it isn't. So this isn't really something to worry about right now. Let's create two payloads real fast. So the first one that we are going to create is going to be the one from the previous video. So let's do it real fast. We already know how to do that. It will be a 64-bit payload, windows/x64/meterpreter/reverse_tcp. LHOST will be equal to the IP address. So let's check it out real quick. That one ends in .12, and if I specify it right here, LPORT can be 5555. It doesn't really matter. The format will be exe and the output we can save as shell1.exe. And as soon as this finishes, we are going to upload this payload to VirusTotal to see how many antiviruses detect it as a malicious program. So it has finished. Let us go to the VirusTotal website, click "Choose file", navigate to the Desktop directory and select shell1.exe. I will double-click it.

I will confirm the upload, and it will upload this shell for me. Now, this scan will take a minute or two. So while that is running, what we can do is create our second payload, and to create the second payload, we're going to use some additional options. So I'll clear the screen right here and I will type msfvenom -h right here, so we have the help menu available. Then I will go right here and run the command msfvenom. We will use the same payload, which is windows/x64/meterpreter/reverse_tcp. We will set LHOST to the same IP address ending in .12, and LPORT will be 5555. After this, we can use the -a option to select the payload architecture. As we can see right here, -a stands for the architecture to use for the payload. So let's go and select x64, because in my case I'm attacking a Windows 10 64-bit machine. If your Windows machine is 32-bit, you can proceed with x86, OK? The next thing that we are going to use is a very interesting thing, and that is an encoder. And what is an encoder? Well, let's go right here and find the -e option, which says right here "the encoder". And what we need to specify after it is the encoder that we want to use, and it can help us bypass some of the antiviruses. To list all of the encoders that we have, we can use --list encoders.

So let's do that first. So msfvenom --list and then encoders. And here they are: we get a bunch of encoders for x86, or 32-bit architecture; we get some for x64, or 64-bit architecture; and we get some other encoders up here as well. Now, the ones that we're interested in at the moment are these x64 ones. So we're going to go with this one, x64/zutto_dekiru. So let's copy its name right here and paste it after the -e. Now, if we go back to the help menu and go back to the encoder, another option that is closely linked to the encoder is this -i option, and it is the number of iterations, as it says in the description. This is the number of times to encode the payload. So if I go right here, after selecting the encoder, we want to select -i and specify the number of iterations that we want to encode our payload with. Now, the more iterations, the bigger the payload will be in size. But it also might mean that it will be less detectable to the antivirus vendors. So let's specify -i and then let's perform 15 iterations, for example. After it, we're going to specify the platform on which the payload will run, which is Windows, and after that we are going to use the -n option and select 500. Now, to see what this -n option is,

we can go right here, and under -n we can see it is the NOP sled. It will prepend a NOP sled of the given length onto the payload. Remember what a NOP is. A NOP is an instruction for the processor to not do anything. And here we are simply telling it how many NOPs we want to add to our payload. Once we select a bunch of these options, we can add at the end -f to be exe and -o to be shell2.exe. So this is our second shell. Let's run it and wait for msfvenom to create our payload. And while it is creating the payload, let's go to VirusTotal and see how many detections we got with the regular Meterpreter shell. So out of 68 antiviruses, 43 detected this as a malicious program, and here we can see which ones detected it as a malicious program and which ones didn't. Hmm, let's see if we get any better result using the second shell. So we can see right here, it has been created successfully: added a NOP sled of size 500 from x64/simple. The final size of the file is eight thousand bytes. So let's go to VirusTotal and remember this number, 43 out of 68, and let's see whether we can at least bypass a little bit more antivirus than in this first scan. Let's select the file and confirm the upload.

Now, while this is happening, let me tell you something real quick about the msfvenom options: don't expect to get much better results once applying some additional options or something like that. As I already mentioned, msfvenom is a really well-known tool and everyone uses these options to generate payloads. So they are very well known to all the antivirus vendors. Here we can see our second shell is scanning, and let's see whether we get a lower number than 43.