[00:00:00] Hello everybody and welcome back. In the previous video we fixed some of the code bugs that we had, and we also added some functions in order to perform the action of receiving and sending packets a little bit more efficiently. So right now, as we saw in the previous video, we can send out packets of any size and we can receive packets of any size. So right now, since we finished the first part of our beginner shell, basically we just finished the executing commands part, we can actually try to test out the shell itself on the target system. If all works well, that means we can continue to add our different types of functions to our shell, and we can add some of the things such as running at system boot, for example putting the file in a registry key, self-copying the file, and basically screenshotting the target, running keyloggers and so on and so on. But before we do all of that, we actually have to make sure that our shell works properly. So let me enlarge this terminal so you can zoom in. Now let's go to the Python directory, to my reverse directory where we have our reverse shell. So if we nano it, we can see everything that we did. Now we have these two functions for receiving and sending, we have the shell function, which for now only basically quits the main function or the program itself.
[00:01:28] This is once we specify q as a message or as a command. In any other case, it will try to execute the command on the target system. If the command can't be executed, it will send this string: can't execute that command. So right now what we want to do is actually run this program on our Windows machine, but we all know that in order for a program to be an executable and to be able to run it on the Windows machine, we have to make the .exe file of this reverse shell. For that we will use Wine and the PyInstaller that we installed in the system hacking section. If you didn't go over that section, make sure to check out the Wine installation video; there I showed how we can install the Wine program, which allows us to use Windows programs on Linux systems. There we installed the Python 2.7 version and there we also installed PyInstaller, which we will use to compile this program into a .exe version. But before we do all of that, we need to change a few things right here. So you might notice that basically we cannot connect to 127.0.0.1. Once we run this on a target system, we actually have to specify the IP address of our Kali Linux machine. So let us close this and check out our IP address. So it is the one ending in .1.9. We take this IP address right here. We can copy it.
[00:02:54] And right now we need to go to our reverse shell and find the connect function. So here it is, connect, and instead of the localhost IP address we specify our own IP address. This is because the reverse shell will run on the target system, so we need to specify which IP address the reverse shell should connect to. We specify the IP address of the Linux machine, so our target will connect to our Kali Linux machine. Now keep in mind that this IP address will only work on the local network. So if you were to run this attack over the Internet, you would need to either port forward this port on your router, or to use for example ngrok in order to run the attack over the Internet. Here you would specify the IP address of ngrok, and here you would specify the port that ngrok has given to you. Now we will do all of that later on. But for now, doing the attack on the local network, I will leave the port to be 54321. Also, another thing to make sure of is that the port isn't in use on your Kali Linux system. So keep that in mind as well. And this should be good to go. Now we need to change these things also in our server. So nano server.py; in our server we can see we have similar functions.
[00:04:15] So for sending and receiving data, the shell function, which sends the commands to the target system, and the server function, which actually performs the connection, or basically performs the listening part of our server. Here we can see that we bind to the IP address of localhost on 54321. We need to change localhost to the IP address of our Kali Linux machine, so just copy-paste it right here. Now if you don't have any programming knowledge, you might be asking why we are pasting the same IP address in both of our programs. Well, basically the server program is the program that we will run as a listener on our Kali Linux machine. So that is the program that we don't send to anyone; we run it ourselves. And the reverse shell program that we saw previously is the program that we send to the target and that the target executes. And basically that program will perform a connection back to our server. So we need to specify on our server the IP address and local port on which to listen, which is our IP address and the local port that we choose. And on the target we need to specify the connect function with the IP address of our Kali Linux machine, which is the same as here, and the same local port that we chose. So that should be it. We need to save this as well.
[00:05:31] And all we have to do right now is make sure that we have the root .wine directory right here. If you cd there, you should make sure to have drive_c as well. In drive_c, if we go there, you should go to the Python27 directory, and in Python27 you will see a directory called Scripts. That directory is where we installed our PyInstaller, the .exe, so change our directory to Scripts, ls, and here we should be able to find pyinstaller, which is right here. So if you do not have this Python right here, as I said previously, make sure to check out the Wine installation video that I did in the system hacking section. But right now, since we have it, we can compile our program with no problem. So let's go back to our reverse shell directory. So root, Python files, reverse, and all we have to do is compile our reverse_shell.py. We do not need to compile the server.py, since the server is something that will run on our Kali Linux machine and it is already an executable file as it is; we only need to make an .exe version of this shell right here in order to run it on Windows systems. So how do we do that? We need to specify wine right here, since as we said before, Wine is the program that we use to run Windows programs on Linux.
[00:06:56] So we need to specify wine, since we will be running the Python for Windows that we downloaded into our Wine folder, and we need to specify the path to PyInstaller, which we will use to compile the program. So the path is /root/.wine/drive_c/Python27/Scripts/ and then pyinstaller.exe. You need to specify this path. It should be the same for you; if it is not, and you actually installed the program into some other directory, make sure to find the directory that has all of this in there. So have Python27 installed, and under it Scripts, and make sure to specify that directory. Now after that we want to specify the name of the file that we want to compile, which in our case is reverse_shell.py. And basically this could be it. But we want to specify a few other options that we will use in order to make our program more appropriate for this task. So for example, if you were to run this as is, it would give you a folder full of files and libraries that need to be used in order to run the .exe version of our reverse shell. But we only want to make the entire program one file. So we need to compile the reverse shell into one file and not a bunch of files. So we will specify the option right here, so we specify dash dash and then onefile, --onefile; just typing it here would work.
[00:08:23] So --onefile, and also when we run the program we want to not be able to see the console. Now the console is basically the command prompt. So sometimes when you open programs, the command prompt pops up, waiting for some task to finish. We do not want to prompt the user with this window right here, since that would be suspicious. What we want is basically for the user to double-click the file and to think that nothing happens. So nothing will be opened once the user runs our reverse shell. So that's what we want to achieve, and in order to achieve that we need to specify --noconsole, so that the console doesn't pop up. And this should be good, and right now if you press enter, this should start compiling our reverse_shell.py into reverse_shell.exe. So this will take a few seconds. All should be done well. And you might notice that at the end of this compile our program will be significantly bigger. That is because this adds a bunch of other programs to it as well, a bunch of other libraries and all the things it needs in order to make this an executable. And right now we see that our compiling has finished, so it says right here: Building EXE completed successfully. So let us just ls once again, and you will see we get a bunch of different things added to our directory.
[00:09:47] We get a directory called build, a directory called dist, and also something called reverse_shell.spec. Now where we want to go is the dist directory, so change our directory to dist. Let's just clear our screen a little bit and type here ls, and in our dist directory we have our compiled program. This is what we have to deliver to our target. So what you want to do right now is deliver this however you want. I will use my USB drive. So I will just plug it in right here and go to Devices, USB, and your USB drive will be right here; in my case this is the Kingston DataTraveler, and I will plug it in. Then it should pop up right here that the USB drive has been plugged in. That's good. So we have the USB drive, and I will copy the file with my terminal. So we have the USB drive called Kali Live; let's close the window that is open, and I will just copy it, or I can actually move it; I do not need two copies, since I do not need the reverse_shell.exe on my system. Move it to /media/root/ and then Kali Live. Now if you do not know how to copy this to the drive, or you do not know the name of your USB drive,
[00:11:07] most likely, if you just type /media/root/ and press tab, it will prompt you with the available options for the ending of that command. Now I just pressed tab, and since I only have one USB drive plugged in, it basically found it by itself, and its name is Kali Live. So if I move it right here, I move the program there, and now my reverse_shell.exe should be on my USB drive. So now, if I type ls here, there is nothing in this directory. Now you can remove all of these things that the compiler has made, so we can remove build with rm -r, we can remove dist with rm -r. Now remember to use -r for the directories, and the reverse_shell.spec we can remove without the -r. So just make sure to delete the right one; don't delete the reverse_shell.py, delete the reverse_shell.spec. And now we should be left with both the programs that we had before the compiling of our reverse_shell.py. So right now what we want to do is unplug our USB drive and run the file on our Windows machine. So, continue without scanning, and we have my reverse shell right here, pasted on my desktop. We can see it is an .exe. The size of that file is a little bit large. So if I go right here, you can see that the size of the file is 3.45 megabytes, which is kind of large, not too much, but it's still something.
[00:12:43] So that could be the only problem with this thing, since it adds size to the file once PyInstaller compiles it to the .exe. That's why the file becomes so big. But that's something we can't change, so let's not think about that. Let's actually now run the server. So make sure, before the target runs this, to set up a listener by running our server.py; as we can see, listening for incoming connections. And right now, if you send this to the target and the target runs it, you can see that nothing really happens right here. There is no window popping up. There is nothing. It basically looks like the program didn't run at all. But if we go to our Kali Linux machine, you can see the target connected, shell from this IP address, which is the IP address of my Windows 10 machine, which I can show you right now. If I open my command prompt and just type here ipconfig, we can see that the IP address of my Windows 10 machine really is 192.168.1.3. This port right here is the port the connection is coming from on the Windows 10 machine; the local port, the destination, was 54321, and this is the port on the Windows 10 machine that is sending the packets to us.
[00:14:03] So right now, if I for example type here dir, you can see that we actually get the list of all the files on my Windows 10 desktop. As we can see, they really are there, so HandBrake, Kali Linux, Master Ethical Hacking, the jpg, this portable one, New Folder, the recorder, and all of these things that really are on my desktop currently. If you were to, for example, run arp -a, you would get all the ARP tables of our Windows 10 machine, which currently only has the router and my Kali Linux machine in there. If you were to type a command to, for example, shut down the PC, it would shut down the Windows 10 PC, including our Kali Linux connection, so we will not do that since there is no point in doing that. So we can see that our shell works perfectly. One thing, though: for example, pwd doesn't work in the Windows environment. Let's just type whoami and we can get the name of the account, so we can see which account we are on. And basically the one thing that doesn't work: so if you notice, if I just type here dir once again, I am currently in this directory. But for example, let's say I wanted to go one directory back, so I would do that with cd .., and you would see, if I type dir once again, that I'm still in the desktop directory.
[00:15:34] Now that is something that we have to fix, since for now we are only able to execute commands in the current directory. We are not able to change the directory to some other folder, or change directory back one folder or two folders, basically go anywhere we want. So we want to make sure to fix that, or not really fix that: there is a command, and we need to import the os library in order to be able to cd, but we will do that in the next videos. For now it is good that we actually know that our shell is good and that it is running on both Windows and Linux, even after compilation. So that will be about it for this video. Now, before we actually end this video, let's see how the target can close this program. So if they go right here and try to delete this, they will get printed: the action can't be completed because the file is open. So they can't delete this file as long as we are on the PC, or basically as long as we are performing the connection; as soon as we close the connection, they will be able to delete this file, and they will delete this file. Now anyone who knows a little bit about computers knows that they can just go to the Task Manager, find the reverse_shell.exe and end the task right there, which basically would terminate our connection right here.
[00:16:54] So what we want to do is basically copy the file itself and make it also persistent, and make a registry key for the file that we copied so it can run every time the target system boots up. So we will be looking at that as well, because right now, if the target knew how to open the Task Manager and found the reverse shell, they would just go to End Task and they would end the reverse shell itself. So that is another thing we have to take a look at, so we can actually have a usable shell and not something that the target can close anytime they want. So if I just type here q, we should be able to see that the target connection and the server connection have been terminated. So right now if we just delete this, we can delete the file since we closed the connection. So we will see how we can fix all of that, and that will be about it for this video. I hope you enjoyed it and I hope I see you in the next one. Bye.