1
00:00:01,140 --> 00:00:08,610
Okay now that we have vild loaded you can see it show us the main commands that you can use with well.

2
00:00:08,700 --> 00:00:12,200
So the first command is you can do exit to exit.

3
00:00:12,240 --> 00:00:15,950
You can do info to get information about specific to.

4
00:00:16,230 --> 00:00:21,210
You can do list to list the available tools you can do update to update.

5
00:00:21,330 --> 00:00:28,180
And this is very very important because you always want to be up to date when it comes to bypass antivirus

6
00:00:28,200 --> 00:00:29,430
programs.

7
00:00:29,550 --> 00:00:33,950
And then you can do use to use a tool.

8
00:00:33,960 --> 00:00:36,240
Now let's start using evasion.

9
00:00:36,420 --> 00:00:43,280
And as we do it it's going to become so easy and you'll be able to understand this more now.

10
00:00:43,300 --> 00:00:45,570
Will has two main tools.

11
00:00:46,200 --> 00:00:49,240
And if we do list you'll be able to see them.

12
00:00:49,320 --> 00:00:55,230
So we have the first one which is the one that we're interested in which is called evasion and that's

13
00:00:55,230 --> 00:00:59,350
the one that generates undetectible backorders for us.

14
00:00:59,700 --> 00:01:06,450
And then there's the second one which is called ordnance and this tool generates the payloads that's

15
00:01:06,450 --> 00:01:11,320
used by evasion so you can look at this as a helper or a secondary tool.

16
00:01:11,730 --> 00:01:18,930
Now what I mean by a payload is a payload is the part of the code of the back door that does the stuff

17
00:01:18,930 --> 00:01:20,980
that we want that does the evil stuff.

18
00:01:20,990 --> 00:01:25,350
If you say so is the part of the code that give us a reverse connection.

19
00:01:25,490 --> 00:01:29,870
It's the part of the code that download and execute something on the target computer.

20
00:01:29,990 --> 00:01:37,420
It's part of the code that allows us to achieve what we want by executing that file.

21
00:01:38,410 --> 00:01:43,790
And this is going to become more clear as we start using Bill now for now we're interested in to use

22
00:01:43,790 --> 00:01:45,480
in evasion.

23
00:01:45,520 --> 00:01:52,800
So we're going to do use one because that's the first tool that's number one.

24
00:01:52,820 --> 00:01:56,540
And as you can see we have a version loaded now.

25
00:01:56,540 --> 00:02:02,450
And as I said before this used to be a standalone tool that you just download it on its own but now

26
00:02:02,450 --> 00:02:04,970
they have it all combined together.

27
00:02:05,000 --> 00:02:09,920
Now as you can see the first thing that we get when we load the television is the commands that you

28
00:02:09,920 --> 00:02:11,910
can run on this too.

29
00:02:12,410 --> 00:02:18,570
So the first thing that we want to do is we want to list to see all the available payloads.

30
00:02:18,680 --> 00:02:25,640
And as you can see we have 41 different payloads and all of these payloads follow a certain naming pattern

31
00:02:26,240 --> 00:02:31,490
and you can see for example let's take this example right here because that's the payload that I'm going

32
00:02:31,490 --> 00:02:32,360
to be using.

33
00:02:32,420 --> 00:02:35,730
You can see the payload is divided into three parts.

34
00:02:37,080 --> 00:02:43,140
The first part right here refers to the programming language that the payload is going to be wrapped

35
00:02:43,140 --> 00:02:43,820
in.

36
00:02:43,830 --> 00:02:49,590
So we have the evil code and then the evil code is going to be wrapped into a certain programming language

37
00:02:49,680 --> 00:02:51,880
that the target computer understands.

38
00:02:52,320 --> 00:02:56,660
And right here you can see that this payload uses Go programming language.

39
00:02:56,670 --> 00:03:02,670
We can see this one uses See we can see these ones you see as we have python we have power shell and

40
00:03:02,670 --> 00:03:09,670
we have Rubie if we scroll down the second part of the payload is really important.

41
00:03:10,630 --> 00:03:17,680
This is the type of the payload the type of the code that's going to be executed on the target's computer.

42
00:03:19,450 --> 00:03:25,990
In this example we're using Mattel Peter which is a payload designed by meatiest Lloyd meter's Floyd

43
00:03:26,050 --> 00:03:29,730
is a huge framework for hackin and it allows you to do a lot of things.

44
00:03:29,950 --> 00:03:34,530
But in this lecture we're focusing on creating a payload called interpolator.

45
00:03:34,720 --> 00:03:41,230
And what's really cool about Mr. Patel is it runs into memory and it allows us to migrate between system

46
00:03:41,230 --> 00:03:48,580
processes so we can have the payload or the back door running from a normal process like Explorer for

47
00:03:48,580 --> 00:03:49,310
example.

48
00:03:49,450 --> 00:03:53,890
And this payload will allow us to gain full control over the target computer.

49
00:03:53,890 --> 00:03:59,260
So we'll be able to navigate through the file system download upload files turn on the mike turn on

50
00:03:59,260 --> 00:04:05,350
the webcam even use that computer to hack other computers install a key log or you can literally do

51
00:04:05,410 --> 00:04:06,770
anything you can think of.

52
00:04:07,030 --> 00:04:11,440
And all of this will be running from the memory from a normal process on the system.

53
00:04:11,560 --> 00:04:13,080
So it's very hard to detect.

54
00:04:13,180 --> 00:04:15,700
And it doesn't leave a lot of footprints.

55
00:04:15,850 --> 00:04:19,420
That's why it's a really really cool payload and we'll be using it a lot.

56
00:04:21,260 --> 00:04:26,590
The third part of the name is the method that's going to be used to establish that connection.

57
00:04:26,630 --> 00:04:31,050
So in here we can see that this is called Drive Hastey CPS.

58
00:04:31,130 --> 00:04:38,120
So register stands for reverse and hasty T.P. as is the protocol that's going to be used to establish

59
00:04:38,120 --> 00:04:45,470
the connection so we can see that this payload will create or reverse hasty CPS connection.

60
00:04:45,600 --> 00:04:52,140
You can see this one right here for example it creates a reverse ETP connection and we have this one

61
00:04:52,140 --> 00:04:56,690
in here that creates a reverse TCAP connection.

62
00:04:56,700 --> 00:05:04,440
Now what I mean by reverse is the connection is going to come from the target computer to my own computer.

63
00:05:04,470 --> 00:05:08,190
So I want to be connected to the computer that I want to hike.

64
00:05:08,190 --> 00:05:13,500
What's going to happen is once the person double clicks the back door the back door will connect back

65
00:05:13,500 --> 00:05:15,650
to me from the target computer.

66
00:05:17,290 --> 00:05:23,840
What's cool about this is I'll be able to bypass antivirus programs because the connection is not going

67
00:05:23,840 --> 00:05:26,670
to the target computer is coming back to my computer.

68
00:05:26,770 --> 00:05:30,980
So it's literally as if the target person is just connecting to a normal website.

69
00:05:31,060 --> 00:05:34,790
I'm going to use aport that sites use which is 80 or 88.

70
00:05:34,960 --> 00:05:40,230
So again if the person analyzes the connection it will look as if they're literally just connecting

71
00:05:40,240 --> 00:05:41,960
to a normal web.

72
00:05:42,010 --> 00:05:46,540
Also if the target's computer is hidden behind a router or behind a network.

73
00:05:46,660 --> 00:05:52,660
Again this is going to work because the connection is coming from the target computer to me instead

74
00:05:52,660 --> 00:05:55,000
of me connecting to the target computer.

75
00:05:55,330 --> 00:05:58,630
So using a reverse connection is really really handy.

76
00:05:58,630 --> 00:06:04,270
And I think this is really the only practical way of gaining access to a computer because there is a

77
00:06:04,270 --> 00:06:09,650
lot of things that can stop you from connecting to a certain computer.

78
00:06:09,650 --> 00:06:12,350
Now this is the general naming pattern.

79
00:06:12,350 --> 00:06:17,850
You'll see some payloads like this one right here which doesn't follow that general naming pattern.

80
00:06:18,020 --> 00:06:24,190
And basically what these payloads do for example we can see this one is called shellcode inject.

81
00:06:24,320 --> 00:06:30,170
So what is going to do is it's going to create a payload that injects your other payload.

82
00:06:30,170 --> 00:06:36,560
So it's going to create a normal payload and that normal payload injects interpretor payload for example.

83
00:06:36,560 --> 00:06:39,590
Now what does this to try to bypass more security.

84
00:06:39,590 --> 00:06:45,350
But usually they want bypass more things than the normal payloads would bypass.

85
00:06:45,470 --> 00:06:50,870
So that's why I usually just use one of the normal payloads in here.

86
00:06:50,900 --> 00:06:51,710
So this is it.

87
00:06:51,740 --> 00:06:54,450
This is all about the payloads.

88
00:06:54,450 --> 00:06:59,160
So I took a bit of time but I wanted to make sure that you guys understand the naming pattern.

89
00:06:59,210 --> 00:07:04,640
I wanted you to understand what a payload is and the difference between a reverse and a bind and a TCAP

90
00:07:04,640 --> 00:07:05,810
payload.

91
00:07:05,810 --> 00:07:11,030
This way the rest of the cars will become more clear to you and I can just use the payload that I want

92
00:07:11,030 --> 00:07:13,250
without explaining what it is.

93
00:07:13,250 --> 00:07:18,170
Now in the next picture we're going to be generating a payload and we'll be testing it against antivirus

94
00:07:18,170 --> 00:07:18,910
programs.