[00:00:00] Hello everybody and welcome back. In the previous video we actually tested out our reverse shell in order to see if all the current functions and all the current responsibilities of our reverse shell work on our Windows 10 machine. So we managed to compile it successfully with our PyInstaller to an .exe in our Kali Linux and we ran it on our Windows 10 machine. Now there are a few things that you might have noticed that actually didn't work. For example, let me just go to my directory with the reverse shell and let me enlarge this a little bit. So we will zoom in and open nano on the reverse shell. You will see that we didn't code anywhere, for example, that the reverse shell should try to connect back to us every 30 seconds, for example. So let's say we were a little bit late with our listener. So we didn't set up a listener at the right time. And let's say the target clicked the virus, or our reverse shell or backdoor, however you want to call it, before we actually set up a listener. That would make us not be able to connect to them, or them to connect to us, since we didn't listen on our local host on our local port. So we want to actually change that.
[00:01:21] We do not want the target to actually run the code and run our backdoor, and for them to not continue to connect back to our server just because we didn't set up the listener right now. So let's say our function right here, we will put it right here. So let's add a little bit of space and let's call it connection. This function will not take any arguments, so just type here def connection and empty brackets, and what we want to do right now is basically try to perform the connection every 20 or 30 seconds, or for example however long you want it to be. Or for example at any period of time you want to make it. So first of all let us go to the part where we actually perform the connection for now, which is this part right here. So the first thing that our code does is basically it sets up a socket with the IPv4 and TCP and then it performs the connection. After it performs the connection it prints "connection established to server". Now the first thing we want to do is we want to delete the "connection established to server" since we are running this on a target and there really shouldn't be anything to be printed out on the target system, so let's delete this print connection to server.
[00:02:41] And if you notice right here, right after we connect we go into our shell function, which is a while True loop which basically performs actions forever until we specify q, and then we actually break out of the while loop and break out of our program. So we can actually try to make something similar for our connection, just without the breaking part. So what we want to do is basically as soon as the target double clicks our code we want to make it try to connect to our server every 30 seconds, for example. So what we want to do is this function right here, which is sock.connect, we want to paste it in our connection function. So we want to delete this. And basically what we want to do right here is hit the tab button, so we added a tab. And so it actually belongs to the connection function, and then we want to type while True, which means the same as in the shell function, where this will perform forever. And while True we want to actually use a try and except rule. So we will just type here try and except, and in the try we will try to perform the connection, so sock.connect. We want to connect to our IP address, which I need to check what it is. So let me just open up another terminal. Now I could just type here ifconfig and we can see my IP address is the one ending in .9.
[00:04:16] Good. So we will try to perform the connection on our 192.168.1.9, which is our Kali Linux machine. We need to put this under double quotes and we need to specify a port, the same port from our server as well, the same port we're listening on. So 54321. We close the double brackets and this is basically it for the connection we want to type in the try and except block. And after that, for the except, what we want to do is we basically want to call our connection function inside the connection function. Now I will explain what this means. Basically if I just type here connection, this will mean that once the function is called down here it will go through this code, it will go to the while True loop, it will try to connect, and if it can't connect it will call itself. Then it will go back to the connection, it will try to connect, and it will go back, it will try to connect, and it will perform the connection function forever until we are able to connect back to our server. So what we want to do is not actually perform this right away; we want to add a timeout for the connection function, so we will just import a library called time. So just type here:
[00:05:42] import time. And time allows us to basically pause our program, or put our program to sleep, for a certain amount of time. In our case we will specify that time to be, for example, 20 seconds. So let's go to our connection, after the while True loop. We want to type here, before the try and except. Let's type here time.sleep, which is basically referring to this library, and .sleep is a function that is specified in the time library, and all we have to do is specify in the open brackets the time that we want to put our program to sleep. If you just specify like this, 20, this will mean our program or our backdoor will sleep for 20 seconds and then it will perform the next step of the program. So one more thing we want to do is, what happens if we manage to connect? So if this manages to connect we want to perform the shell function. So we want to enter shell(). And this means two things. One of them is that we want to delete the shell function right here and we want to specify, instead of the shell function, the connection function. So I believe this should be it. I believe this will work. So let's see what actually will happen. So we create our socket. We call the connection function, which will go to this code right here.
[00:07:13] It will enter the while True loop. It will sleep for 20 seconds, then it will try to connect to our server. If it manages to connect it will call the shell function, which will enter us in our command execution part, which is right here. If it doesn't connect it will call the function again and it will go back to the beginning, and it will again sleep 20 seconds, try to connect, and if it can't connect at that time as well, it will call the function again. So this will perform forever until the target manages to connect back to our server. So we want to save this. So Ctrl+O. I believe this will work. We will test it out right now. So everything is good. We call the connection function and we call the shell function from the connection. Okay, so once again Ctrl+X to exit. Now let us actually try to compile this and see if this works. So what we will do is we will compile it. Then we will actually run our reverse shell first, instead of the listener, and then after, for example, 20 to 30 seconds we will run our listener to see if this works. So let's see. Let's first compile the program. So what we want to do is type here wine /root.
[00:08:38] Now we perform the same compilation as in the previous video. So drive_c, Python27. And then what we want to use is the Scripts directory and pyinstaller.exe. After that we want to specify the name of our file, which is reverse.py, and we want to also specify it to be one file and without console. We do that with these two options, which are --onefile and --noconsole. Then we press enter and let this compile. This will perform the compilation with our PyInstaller and then we will be able to transfer it to our target with our USB drive, or however you want. So I will just plug in my USB drive, and right now what I will do is, first of all, I will put it to be on our virtual machine, so Kingston DataTraveler. Now it is black, so I will copy the file to our USB drive. So first of all we go to this directory, as in the previous video, the dist, and we move the reverse shell .exe to /media/root and then onto my USB drive. Once we move it I can now eject the USB drive right here.
[00:10:07] And I can call my function from here, or pardon me, my backdoor, so I'll paste it on my desktop and I will double click it so it will run. Once it runs I will wait for a few seconds and then I will actually try to run my server and see if it will connect back to us after we actually run it on the target system. So first of all, while we do that, let us delete the unnecessary directory, which is the dist; we do not need it anymore. The build and the reverse shell .spec, we can delete all of those, and right now we check if everything is okay with the server. So we didn't change anything. It listens on the correct IP address and on the correct port. And now if we try to run the server, we run it. It says "listening for incoming connections" and we can see our target has connected, even after we ran it on the target PC. If we type here whoami we can see we get the account; if we type here dir we get all the files on our desktop. So now we got a way that we can actually connect to our target whenever we want. If they ran the backdoor, for example, three hours ago and we run our listener three hours later, we will still be able to connect to the target system since they are constantly performing the connection function from the socket library every 20 seconds. So that will be about it for this video.
[00:11:46] What we will do in the next video is we will see how we can also make this program run even after the target reboots their system. So right now, for example, we can connect at any point after the target runs the program, but if they shut down the PC and restart it, the program will not be running anymore. So if they reboot the PC we will not be able to connect anymore to the target until they run the program once again. So we want to bypass that as well, and we will do that in the next video. So I hope you enjoyed this one and I hope I see you in the next one. Bye.