WEBVTT

00:00:01.440 --> 00:00:01.980
Hey there.

00:00:01.990 --> 00:00:04.350
Welcome to the course, Persistence with pwncat.

00:00:04.350 --> 00:00:05.490
In here,

00:00:05.490 --> 00:00:08.380
you'll learn how to create a foothold on your target environment

00:00:08.390 --> 00:00:10.550
so you can access it at any time you want.

00:00:11.640 --> 00:00:12.780
So imagine that.

00:00:12.780 --> 00:00:14.610
Imagine you're in a red team engagement.

00:00:14.610 --> 00:00:16.070
You're working on a server,

00:00:16.070 --> 00:00:20.060
and you finally find a way to exploit the server and get access to the machine.

00:00:21.040 --> 00:00:22.960
Now, since you exploited the server,

00:00:22.970 --> 00:00:25.800
there's a chance that the client might detect your actions and

00:00:25.800 --> 00:00:28.420
might try to patch the vulnerability you exploited.

00:00:28.420 --> 00:00:31.360
As you need access to the server for a long period of time,

00:00:31.360 --> 00:00:34.730
what you need to do now is deploy some kind of implant or tool

00:00:34.730 --> 00:00:37.560
that allows you to access the server at any time,

00:00:37.560 --> 00:00:40.460
which is also called creating persistence on the victim.

00:00:41.540 --> 00:00:43.040
Once you establish persistence,

00:00:43.050 --> 00:00:45.300
even if the client fixes the vulnerability and you

00:00:45.300 --> 00:00:46.920
lose your original point of access,

00:00:46.930 --> 00:00:49.550
you can still access the server using your implant.

00:00:50.440 --> 00:00:51.190
Pretty cool, right?

00:00:51.460 --> 00:00:52.500
And if you do a good job,

00:00:52.500 --> 00:00:55.960
this implant will be there for a long time before the victim notices it.

00:00:57.440 --> 00:00:59.210
There are several ways of creating persistence,

00:00:59.210 --> 00:01:01.160
and although we could do everything manually,

00:01:01.160 --> 00:01:03.940
there are a few tools out there that can help you automate

00:01:03.940 --> 00:01:06.810
the creation of persistence, like pwncat.

00:01:06.810 --> 00:01:10.500
Pwncat is a tool developed by Caleb Stewart and John Hammond.

00:01:10.500 --> 00:01:12.560
Personally, I'm a big fan of those guys.

00:01:13.140 --> 00:01:15.500
Caleb has some really cool projects and tools,

00:01:15.500 --> 00:01:18.520
and also, if you want to learn about security and exploitation,

00:01:18.530 --> 00:01:22.650
John has an amazing YouTube channel with several videos on red team tools.

00:01:22.650 --> 00:01:26.920
So if you don't know them yet, I definitely recommend you follow both of them.

00:01:26.920 --> 00:01:27.250
Anyway,

00:01:27.250 --> 00:01:31.680
pwncat is a post‑exploitation platform that streamlines common red team

00:01:31.680 --> 00:01:34.700
operations while staging code from the attacker machine,

00:01:34.740 --> 00:01:36.360
not the target one.

00:01:36.360 --> 00:01:37.000
Basically,

00:01:37.000 --> 00:01:40.600
this tool receives a connection from a victim computer and is

00:01:40.600 --> 00:01:42.770
able to provide several out‑of‑the‑box features,

00:01:42.770 --> 00:01:43.850
like persistence.

00:01:45.340 --> 00:01:47.970
What I love about pwncat is that it's an open source tool,

00:01:48.190 --> 00:01:50.130
meaning that you can download it from GitHub and

00:01:50.130 --> 00:01:51.660
customize it as much as you want.

00:01:52.040 --> 00:01:54.380
The way they implemented the code makes it really easy to

00:01:54.380 --> 00:01:56.480
create new modules and add new features.

00:01:56.480 --> 00:01:57.990
In a nutshell,

00:01:57.990 --> 00:02:01.710
pwncat provides a stable communication between the attacker and victim machines.

00:02:01.710 --> 00:02:05.460
And with that, we can perform several post‑exploitation activities.

00:02:05.460 --> 00:02:09.780
For example, pwncat has out‑of‑the‑box modules for enumeration,

00:02:09.789 --> 00:02:11.930
privilege escalation, and persistence.

00:02:11.930 --> 00:02:15.560
As you can see, pwncat does much more than just persistence.

00:02:15.560 --> 00:02:18.150
It's a complete framework for post exploitation.

00:02:19.840 --> 00:02:21.890
If you're familiar with the Kill Chain methodology,

00:02:21.900 --> 00:02:24.680
we can use pwncat from after the exploitation phase,

00:02:24.680 --> 00:02:28.360
all the way to the action phase, meaning that after exploiting a machine,

00:02:28.360 --> 00:02:31.910
we can use the pwncat framework to do pretty much all the other steps,

00:02:31.910 --> 00:02:34.660
including escalating privileges, enumerating internal information,

00:02:34.660 --> 00:02:36.250
and creating persistence.

00:02:37.840 --> 00:02:40.340
Also, if you're familiar with the MITRE ATT&CK framework,

00:02:40.350 --> 00:02:44.650
we can map this course to two phases, persistence and discovery.

00:02:45.940 --> 00:02:47.960
The main technique that I'll be covering here is

00:02:47.960 --> 00:02:51.470
the T1078 called Valid Accounts.

00:02:51.470 --> 00:02:55.100
And more specifically, we'll be doing the sub-technique 003,

00:02:55.100 --> 00:02:57.250
which is more about local accounts.

00:02:58.340 --> 00:03:01.350
Also, as a bonus, we'll be covering a discovery technique,

00:03:01.350 --> 00:03:04.990
which is the T1087, or Account Discovery,

00:03:04.990 --> 00:03:07.720
in which you would use pwncat to list out the local

00:03:07.720 --> 00:03:09.260
accounts on your victim machine.

00:03:09.940 --> 00:03:11.760
A lot of interesting stuff in this course, right?

00:03:11.840 --> 00:03:14.070
So, let's talk about the demo.

00:03:14.070 --> 00:03:18.610
In our demo, we'll cover one of the most common ways of establishing persistence,

00:03:18.610 --> 00:03:21.060
which is using SSH authentication keys.

00:03:21.940 --> 00:03:22.320
So,

00:03:22.320 --> 00:03:24.340
imagine you already compromised the server and you have

00:03:24.340 --> 00:03:25.910
some kind of access to the machine.

00:03:25.910 --> 00:03:30.410
With pwncat, we'll deploy an SSH authentication key in a hidden location,

00:03:30.410 --> 00:03:33.180
so even if the author of the server patches the original vulnerability,

00:03:33.640 --> 00:03:36.270
we can use the SSH key to access the server remotely.

00:03:38.240 --> 00:03:42.100
If you want to follow this demo in your own environment, you need two things.

00:03:42.100 --> 00:03:44.240
First, you need an attacker machine.

00:03:44.240 --> 00:03:47.450
In here, I'm using Kali Linux version 2021.4,

00:03:47.450 --> 00:03:49.950
because it comes with pretty much everything we need,

00:03:49.950 --> 00:03:50.650
pre‑installed.

00:03:50.650 --> 00:03:54.140
But in theory, you can use any Linux version you want.

00:03:54.140 --> 00:03:56.520
Also, you need a victim machine.

00:03:56.520 --> 00:03:59.120
In here, I'm using another Kali Linux machine,

00:03:59.120 --> 00:04:02.570
but again, you can use any Linux distribution you want.

00:04:02.570 --> 00:04:04.880
And that's it, that's all you need for this demo.

00:04:05.040 --> 00:04:06.370
So enough of theory.

00:04:06.460 --> 00:04:09.560
Let's go to our lab environment and see how this technique is done in real life.
