WEBVTT

00:00:01.340 --> 00:00:03.650
Alright, welcome back to our Kali Linux environment.

00:00:04.140 --> 00:00:07.650
Now, let's deploy a persistence implant into our victim machine.

00:00:08.240 --> 00:00:12.360
Remember, we have here, my attacker machine, and here, my victim machine.

00:00:13.340 --> 00:00:16.360
So let's get started by receiving a shell from our victim.

00:00:16.940 --> 00:00:19.350
Again, you can use any exploitation method you want,

00:00:19.350 --> 00:00:22.160
but in here, I will use a simple listener on my attacker machine,

00:00:22.940 --> 00:00:24.450
go to my victim computer,

00:00:24.450 --> 00:00:28.660
and then use the netcat on my victim to connect back to my attacker.

00:00:31.140 --> 00:00:31.620
Done.

00:00:31.620 --> 00:00:34.900
Now I have a fully interactive pwncat shell here.

00:00:34.900 --> 00:00:35.410
First,

00:00:35.410 --> 00:00:39.070
let's take a look at the persistence techniques that we can execute with pwncat.

00:00:39.940 --> 00:00:43.870
If you use the command search implant, and then .*,

00:00:43.870 --> 00:00:48.920
then we can see all the potential persistence implants that pwncat supports.

00:00:48.920 --> 00:00:53.450
Personally, I like to use the first one, which is the authorized keys.

00:00:53.450 --> 00:00:55.890
The other two methods are not that reliable,

00:00:55.890 --> 00:00:57.660
sometimes they work and sometimes they don't.

00:00:58.440 --> 00:01:01.040
The idea of the authorized key implant is that it will

00:01:01.040 --> 00:01:03.610
put on your victim computer an SSH key.

00:01:03.610 --> 00:01:05.830
So we can later access the victim via SSH,

00:01:05.830 --> 00:01:09.840
and this is usually more stealthy than creating a new backdoor user,

00:01:09.840 --> 00:01:13.060
since almost no one checks the SSH key files on the computer.

00:01:13.640 --> 00:01:18.500
So to deploy this implant, first, we need to create an SSH key pair to use,

00:01:18.500 --> 00:01:20.390
and it's really simple to do that.

00:01:20.610 --> 00:01:26.280
I will just use the command ssh-keygen -t and then rsa.

00:01:26.280 --> 00:01:26.990
Basically,

00:01:26.990 --> 00:01:32.350
what I'm doing here is creating an RSA type of key using the keygen tool.

00:01:32.350 --> 00:01:35.060
Once I press Enter, it'll ask me the name of the key pair.

00:01:35.540 --> 00:01:37.250
I will use anything, like mykey.

00:01:38.840 --> 00:01:41.500
Also, if I wanted, I could add a password for this key,

00:01:41.500 --> 00:01:44.070
but in my case, I will just leave it blank.

00:01:44.070 --> 00:01:46.860
And that's it. The key now is created.

00:01:47.240 --> 00:01:49.500
And now if you take a look at the contents of this folder,

00:01:49.500 --> 00:01:53.860
we will note two new files here, the mykey and mykey.pub.

00:01:53.860 --> 00:01:57.320
Also, we should take a note of the path of this folder,

00:01:57.320 --> 00:01:58.960
since we'll be using this key soon.

00:01:59.540 --> 00:02:00.110
Perfect.

00:02:00.120 --> 00:02:04.130
Now that we have the SSH keys that we want to use, let's deploy our implant.

00:02:04.130 --> 00:02:06.060
For that, it's pretty simple.

00:02:06.190 --> 00:02:10.550
I'll use the command run implant.authorized_key.

00:02:11.240 --> 00:02:11.980
And after that,

00:02:11.980 --> 00:02:14.930
I'll tell pwncat the location of my key by using the

00:02:14.930 --> 00:02:17.150
key= and the path of the key.

00:02:18.740 --> 00:02:19.340
Perfect.

00:02:19.350 --> 00:02:20.450
Now let's run this.

00:02:21.740 --> 00:02:22.320
Amazing.

00:02:22.320 --> 00:02:22.870
Take a look.

00:02:22.880 --> 00:02:25.960
Pwncat is telling us that the implant was successfully deployed.

00:02:27.040 --> 00:02:31.770
If you want to confirm, we can even use the command run implant list.

00:02:31.770 --> 00:02:35.150
And here, we can see that we have one implant deployed in this server.

00:02:36.240 --> 00:02:39.740
Now, let's go to the victim machine and see what pwncat did there.

00:02:39.740 --> 00:02:42.840
To switch between the pwncat terminal and the victim terminal,

00:02:42.840 --> 00:02:44.550
I will just press Ctrl+D.

00:02:45.640 --> 00:02:46.200
Perfect.

00:02:46.210 --> 00:02:49.250
In this user folder, if we list the contents of this directory,

00:02:49.250 --> 00:02:52.850
we'll see that pwncat created a .ssh directory,

00:02:52.850 --> 00:02:55.530
and this is where pwncat put our public key,

00:02:55.530 --> 00:02:57.250
so we can connect back later.

00:02:58.140 --> 00:03:02.960
However, in some cases like mine here, the SSH folder is over-permissive,

00:03:02.960 --> 00:03:05.220
so we might have trouble connecting later,

00:03:05.220 --> 00:03:07.410
but to fix that, it's really simple.

00:03:07.500 --> 00:03:14.580
We just have to use chmod 700, and then the name of the folder, which is .ssh.

00:03:14.580 --> 00:03:16.030
Perfect.

00:03:16.040 --> 00:03:17.550
Now that permissions are fixed,

00:03:17.610 --> 00:03:20.560
we can return to the pwncat shell by using Ctrl+D.

00:03:21.340 --> 00:03:23.650
And we can even disconnect from the session if we want.

00:03:24.340 --> 00:03:28.180
Since we created the persistence, we can access the server at any time now.

00:03:28.180 --> 00:03:31.140
We don't even need to re-exploit the vulnerability that we used.

00:03:31.170 --> 00:03:35.060
We can just use the pwncat to connect back to our backdoor SSH key.

00:03:35.640 --> 00:03:36.950
And for that, it's really easy.

00:03:37.020 --> 00:03:42.900
I will use pwncat, then -i to specify the location of my SSH key,

00:03:42.900 --> 00:03:46.760
and then the user and the IP of the server that I'm connecting to.

00:03:48.840 --> 00:03:49.440
We'll also press Enter.

00:03:49.440 --> 00:03:54.560
Pwncat will connect to our victim machine using the SSH key that we generated.

00:03:54.560 --> 00:03:56.030
And here we go.

00:03:56.200 --> 00:03:57.020
Pretty cool, right?

00:03:57.540 --> 00:03:59.910
We can even see here that I have one session created,

00:03:59.910 --> 00:04:03.060
and I can use Ctrl+D to interact with the victim machine.
