1
00:00:00,920 --> 00:00:03,950
So now is it time to persist on the Windows 8 system?

2
00:00:05,110 --> 00:00:11,500
As we've seen before, the persistence method of Meterpreter suggests to us to use the post/windows/manage/

3
00:00:11,500 --> 00:00:13,240
persistence_exe module.

4
00:00:14,230 --> 00:00:21,070
Now we can use the module directly with the run command, as seen in the example. In this regard, we

5
00:00:21,070 --> 00:00:23,160
have to set the options in the command line.

6
00:00:24,530 --> 00:00:31,040
So I prefer using the module with the use command to be able to interrogate the options in detail.

7
00:00:32,060 --> 00:00:39,290
So I'll use the background command to drop back to my MSF console interface.

8
00:00:40,250 --> 00:00:43,370
And I use the use command to use the module.

9
00:00:44,650 --> 00:00:46,240
Now, let's look at the options.

10
00:00:48,300 --> 00:00:54,840
REXEPATH is the option where we set the executable file, which will be used as the backdoor.

11
00:00:55,590 --> 00:00:59,880
My pretty backdoor was under the output folder of TheFatRat.

12
00:01:00,940 --> 00:01:03,820
So we need a session and we have one.

13
00:01:04,660 --> 00:01:07,360
Let's list the sessions to see the ID number.

14
00:01:08,350 --> 00:01:10,120
The ID number of our session is one.

15
00:01:11,840 --> 00:01:15,950
STARTUP option asks when to trigger the backdoor.

16
00:01:16,400 --> 00:01:20,810
It can be triggered when the user, system or service is started.

17
00:01:22,270 --> 00:01:28,060
And as you see in the session details, our session runs with the SYSTEM privileges, so we'd better

18
00:01:28,060 --> 00:01:30,490
use SYSTEM for the STARTUP option.

19
00:01:31,540 --> 00:01:38,260
Now, let's look at the options once again, just to double check that we have them properly. Backdoor's

20
00:01:38,260 --> 00:01:38,890
OK.

21
00:01:40,400 --> 00:01:46,250
Session is one. REXENAME is the name of our backdoor in the victim system.

22
00:01:46,940 --> 00:01:54,050
I left it as default, but you can change it any way you want. And STARTUP is SYSTEM. Great.

23
00:01:54,950 --> 00:01:56,330
We are ready to run the module.

24
00:01:58,370 --> 00:01:59,750
OK, let's see what happened.

25
00:02:01,140 --> 00:02:06,630
So it says the backdoor's been written as default.exe under the temp folder.

26
00:02:07,510 --> 00:02:10,870
So now I go to the victim to verify it, open the Windows Explorer.

27
00:02:11,740 --> 00:02:14,200
Go to the temp folder under the Windows folder.

28
00:02:14,560 --> 00:02:17,560
default.exe file is right here as expected.

29
00:02:18,990 --> 00:02:25,050
OK, so now is it time to examine whether we are able to persist on the victim's system or not?

30
00:02:26,100 --> 00:02:33,390
So I'll use the sessions -i command to interact with it. Meterpreter sysinfo to check the connection

31
00:02:33,390 --> 00:02:34,170
and the system.

32
00:02:35,230 --> 00:02:39,550
Now, let's reboot the victim's system using Meterpreter's reboot command.

33
00:02:40,390 --> 00:02:41,890
Now look at the Windows 8 VM.

34
00:02:42,340 --> 00:02:43,960
Yep, that's restart.

35
00:02:44,890 --> 00:02:49,000
So now we're going to lose the Meterpreter session in a second.

36
00:02:49,990 --> 00:02:54,250
But remember, from the first method, the backdoor will try to connect back to us.

37
00:02:54,580 --> 00:03:00,310
So we need a listener, also known as a handler, to listen to the connect-back requests.

38
00:03:01,090 --> 00:03:07,870
So I'll drop back to the MSF console interface using the background command to create a handler.

39
00:03:08,930 --> 00:03:11,840
So use exploit/multi/handler.

40
00:03:13,160 --> 00:03:19,250
Payload has to be the same as the payload used in the backdoor, and remember, that is windows/meterpreter/

41
00:03:19,250 --> 00:03:21,030
reverse_tcp.

42
00:03:23,500 --> 00:03:24,760
OK, let's look at the options.

43
00:03:25,800 --> 00:03:27,600
Set LHOST as Kali.

44
00:03:28,780 --> 00:03:32,440
LPORT was 4321 in our backdoor.

45
00:03:32,680 --> 00:03:36,970
Remember, the LPORT has to be the same as you used in the backdoor.

46
00:03:38,430 --> 00:03:41,550
So I start the handler using the exploit command.

47
00:03:41,850 --> 00:03:42,330
OK.

48
00:03:42,840 --> 00:03:44,430
So go back to Windows 8.

49
00:03:45,150 --> 00:03:49,500
Yup, it's restarted and we're ready to log in now.

50
00:03:49,710 --> 00:03:51,150
I log in to this system.

51
00:03:55,660 --> 00:03:56,920
And back to Kali.

52
00:03:58,380 --> 00:04:01,630
So we're supposed to have a session in a second.

53
00:04:01,650 --> 00:04:03,140
So wait for it.

54
00:04:13,400 --> 00:04:19,790
Yes, the Meterpreter session opened. Well, four sessions are open.

55
00:04:20,210 --> 00:04:23,420
So double check, triple check, quadruple check.

56
00:04:24,200 --> 00:04:25,520
Then, now we've got the answer.

57
00:04:26,480 --> 00:04:30,350
We have a persistent backdoor on the Windows 8 victim.