[00:00:00] OK. Let's persist our Metasploit Framework session. In the first example we'll see how to persist a Meterpreter session.

[00:00:10] OK, I'm in Kali. So first, I check the IP address; it's .222. Now, this is the first victim, a Windows XP system, so check its IP address as well. It's .207.

[00:00:27] So now back to Kali. Let's get a Meterpreter session on the victim's system. First start msfconsole. Since we've already seen all this before, I'll try and keep it as fast as I can. But remember, the more practice you get, the more you're able to learn.

[00:00:44] From the previous lectures, we know that the system has the MS08-067 vulnerability, so we'll search for it now. And here's the exploit, so let's use it. I set the reverse TCP Meterpreter payload. Show the options. Set the options: remote host, listen host. Leave the ports with the default values and run the exploit.

[00:01:19] OK, so now we have a Meterpreter session. Now, sysinfo to check the connection and the target. Everything seems OK. Meterpreter has a persistence method. So let's look at the help menu of the method first, using the -h parameter.
[00:01:39] Now, at the beginning of the help page, it says the method is deprecated, and it suggests to us to use the persistence_exe post module, so we'll use that module as well. But first, I want to show you how to persist a Meterpreter session using the persistence Meterpreter method, because the persistence_exe post module requires a malicious executable, whereas the persistence method creates the malware itself.

[00:02:10] So let's create a backdoor with the persistence method. First, we need to have a handler to be able to reply to the connection requests that will be made by the victim's system.

[00:02:22] Well, at this point, I guess I'd better explain what the handler is. In a backdoor, use a payload with a reverse connection to let the victim connect to your system when the backdoor binary is executed. If you use a payload with a reverse connection, also known as a connect-back, you, the attacker, have to set up a handler. We can also use the word listener: first it runs on your box, the victim or target machine acts as a client connecting to that listener, and then finally you receive the session.

[00:02:55] So in the persistence module, we can start a listener automatically using a parameter. The -L parameter is to define the location in the victim's system to put the backdoor binary file. It's the Temp folder by default, which is OK by me.
[00:03:13] -P is to set the payload that will be used to connect to the victim. It's Meterpreter's reverse TCP by default, which is the same as the payload we used while creating the Meterpreter session, so we can leave it as is, or let's just set it in this example. -X sets the agent to start automatically when the target system is booted. -i is to set the interval in seconds between the connection attempts. I don't actually know the default, so let's set it; for example, 10 seconds.

[00:03:46] Now, these are the most important parameters of the method. -p is to set the listen port; I'll set it to 5555. And -r is to set the listen host, which is running Metasploit and ready to listen for the connection requests. And that's my Kali, .222.

[00:04:03] Now we are ready to run the persistence method, so hit Enter. And that's finished. So let's look at the messages to see what happened. So this method looks like it put the backdoor under the Windows\Temp folder of the victim's system. Let's go to the victim's system and look at the Temp folder: open Windows Explorer and go to the folder Windows\Temp. And here is the backdoor; it's a Visual Basic Script file. Now, I turn back to Kali to continue looking at the messages.
[00:04:43] Now, the method has started the handler, which is required to listen for the requests of the victim. And lastly, it's installed a key into the registry, which will be used to autorun the backdoor when the system boots.

[00:04:57] So now go to the victim's system and look at the registry to check if the autorun key is installed. Now, from the Start menu, click Run, type regedit and hit Enter. So now we're in the Registry Editor. I'll follow the path written in the message: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. And here it is; here's the installed key, and its value points to the installed backdoor file.

[00:05:34] And finally, the last message says that the method has created another Meterpreter session. So I'll go back to the msfconsole interface using the background function, list the sessions and jump into the session that's created by the persistence method.

[00:05:54] So let's just say that, as the user of the victim machine, I decided to restart the computer. Without the persistence step, we would lose the Meterpreter session forever, and we would have to exploit the system all over again. But now we have run the persistence. Let's see what happens when the victim system reboots. The victim's system is shutting down.
[00:06:23] Now, let's look at our Meterpreter session. Send a command, sysinfo for instance, and as expected, it doesn't respond. And yeah, there it is. It says the session died. Ctrl+C back to the msfconsole. Now look at the active sessions using sessions -l. Session 1 seems active, but it's not. So try to interact with the session using the sessions -i command and run a command such as sysinfo. Now look at that. You see that the session is already dead. So use Ctrl+Z to drop back to the msfconsole interface. So we have no session at the moment.

[00:07:07] So go to the victim machine and log in. Well, do you know how to press Ctrl+Alt+Delete in a virtual machine? In most cases, one of these buttons has a special meaning in the virtual environment, so you cannot simply press the buttons. Instead, you can find a menu item to send Ctrl+Alt+Delete to the VM. In VMware Fusion, in the main menu, go to Virtual Machine and select Ctrl-Alt-Delete.

[00:07:43] So back to Kali. As you see, a new Meterpreter session is opened as soon as the victim is logged into the system. So now sessions -l, and here is the new Meterpreter session. Use sessions -i to interact with the session and send a command to check the connection.
[00:08:02] And look at that, we now have a backdoor on the victim machine. So let's try to log off and log on again, just to test the persistence. So log off the victim. And the Meterpreter session dies. Log in again. Yet another session is created. And if the system is in use and is attached to the network, we have a Meterpreter session on it.

[00:08:38] So I'd like to remind you once again that persistence might be out of the scope of your penetration test. Read the conditions of the agreement carefully and do not attempt to persist on any system unless you're allowed to. Very important to remember that.
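As an added example, not part of the lecture and not Metasploit's own code, here is the check a defender (or the tester cleaning up afterwards) would run on the victim for exactly the artefacts the lecture shows: a .vbs dropped under Windows\Temp and a value under HKLM\...\CurrentVersion\Run that launches it. The script enumerates the Run and RunOnce keys with the standard-library winreg module when it runs on Windows, and otherwise scans a constructed set of sample entries; the random-name heuristic, the two-signal flagging rule and the sample data are my assumptions, chosen so that an ordinary OneDrive or SecurityHealth autorun is not reported.

```python
"""Flag Run/RunOnce autorun values that look like a script backdoor dropped in a
temp directory (the pattern left by Meterpreter's persistence script).
Added example; heuristics and sample entries are assumptions, not Metasploit output."""
import re
from collections import namedtuple

RunEntry = namedtuple("RunEntry", "key name command")

RUN_KEYS = (
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
)

# Script hosts and script extensions an autorun entry rarely needs legitimately.
SCRIPT_HOSTS = ("wscript", "cscript", "mshta", "powershell")
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd")
# Locations the persistence script (and many other droppers) write to; matched lower-case.
TEMP_DIRS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\", "%temp%", "%tmp%")

_LETTERS_ONLY = re.compile(r"^[A-Za-z]{8,}$")


def looks_random(name):
    """Heuristic (assumption): long, letters only, with case flipping at least every
    other character, like the generated names the persistence script uses."""
    if not _LETTERS_ONLY.match(name):
        return False
    flips = sum(1 for a, b in zip(name, name[1:]) if a.isupper() != b.isupper())
    return flips >= len(name) // 2


def classify_run_value(name, command):
    """Return the set of signals an autorun value shows (empty set == nothing found)."""
    cmd = command.lower()
    tags = set()
    if any(d in cmd for d in TEMP_DIRS):
        tags.add("temp_dir")
    tokens = cmd.replace('"', " ").split()          # drop quoting around paths
    if tokens:
        host = tokens[0].rsplit("\\", 1)[-1]       # basename of the launched program
        if host.startswith(SCRIPT_HOSTS):
            tags.add("script_host")
        if any(t.endswith(SCRIPT_EXTS) for t in tokens):
            tags.add("script_file")
    if looks_random(name):
        tags.add("random_name")
    return tags


def scan(entries):
    """Report entries that run a script (directly or via a script host) AND either
    live in a temp directory or carry a random-looking value name. One signal
    alone (a .cmd under C:\\Tools, say) is not enough to be reported."""
    hits = []
    for e in entries:
        tags = classify_run_value(e.name, e.command)
        if tags & {"script_host", "script_file"} and tags & {"temp_dir", "random_name"}:
            hits.append((e, sorted(tags)))
    return hits


def read_run_entries():
    """Enumerate the real Run/RunOnce keys via winreg; returns [] off Windows."""
    try:
        import winreg
    except ImportError:
        return []
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    entries = []
    for hive, path in RUN_KEYS:
        try:
            key = winreg.OpenKey(hives[hive], path)
        except OSError:
            continue
        with key:
            i = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, i)
                except OSError:           # no more values under this key
                    break
                entries.append(RunEntry(hive + "\\" + path, name, str(value)))
                i += 1
    return entries


# Constructed sample data: one value like the lecture's (bare path to a .vbs under
# Windows\Temp with a generated name), one wscript launcher in a user temp dir,
# and three benign-looking entries.
SAMPLE_ENTRIES = [
    RunEntry("HKLM\\...\\Run", "UlWXyWqRFrjzAnO", r"C:\WINDOWS\TEMP\rHbJcrAyfm.vbs"),
    RunEntry("HKLM\\...\\Run", "SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    RunEntry("HKCU\\...\\Run", "OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    RunEntry("HKCU\\...\\Run", "Updater", r'wscript.exe //B "C:\Users\alice\AppData\Local\Temp\upd.vbs"'),
    RunEntry("HKCU\\...\\Run", "Backup", r"C:\Tools\backup.cmd"),
]

if __name__ == "__main__":
    entries = read_run_entries() or SAMPLE_ENTRIES
    for entry, tags in scan(entries):
        print("%s  %s = %s  [%s]" % (entry.key, entry.name, entry.command, ", ".join(tags)))
```

On the XP victim from the lecture the first sample line is what a hit looks like: a bare path to a .vbs under Windows\Temp with a generated value name. Removing the value and the file is the cleanup, and the same two-signal rule works as a cheap autorun audit on any host after an engagement that was allowed to persist.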