1
00:00:01,140 --> 00:00:08,610
Okay, now that we have Veil loaded, you can see it shows us the main commands that you can use with Veil.

2
00:00:08,700 --> 00:00:12,200
So the first command is you can do exit to exit.

3
00:00:12,240 --> 00:00:15,950
You can do info to get information about a specific tool.

4
00:00:16,230 --> 00:00:21,210
You can do list to list the available tools. You can do update to update.

5
00:00:21,330 --> 00:00:28,180
And this is very, very important because you always want to be up to date when it comes to bypassing antivirus

6
00:00:28,200 --> 00:00:29,430
programs.

7
00:00:29,550 --> 00:00:33,950
And then you can do use to use a tool.

8
00:00:33,960 --> 00:00:36,240
Now let's start using Evasion.

9
00:00:36,420 --> 00:00:43,280
And as we do it, it's going to become so easy and you'll be able to understand this more now.

10
00:00:43,300 --> 00:00:45,570
Veil has two main tools.

11
00:00:46,200 --> 00:00:49,240
And if we do list you'll be able to see them.

12
00:00:49,320 --> 00:00:55,230
So we have the first one, which is the one that we're interested in, which is called Evasion, and that's

13
00:00:55,230 --> 00:00:59,350
the one that generates undetectable backdoors for us.

14
00:00:59,700 --> 00:01:06,450
And then there's the second one, which is called Ordnance, and this tool generates the payloads that are

15
00:01:06,450 --> 00:01:11,320
used by Evasion, so you can look at this as a helper or a secondary tool.

16
00:01:11,730 --> 00:01:18,930
Now what I mean by a payload is: a payload is the part of the code of the backdoor that does the stuff

17
00:01:18,930 --> 00:01:20,980
that we want, that does the evil stuff.

18
00:01:20,990 --> 00:01:25,350
So, if you like, it's the part of the code that gives us a reverse connection.

19
00:01:25,490 --> 00:01:29,870
It's the part of the code that downloads and executes something on the target computer.

20
00:01:29,990 --> 00:01:37,420
It's the part of the code that allows us to achieve what we want by executing that file.

21
00:01:38,410 --> 00:01:43,790
And this is going to become more clear as we start using Veil. Now, for now we're interested in using

22
00:01:43,790 --> 00:01:45,480
Evasion.

23
00:01:45,520 --> 00:01:52,800
So we're going to do use 1 because that's the first tool; that's number one.

24
00:01:52,820 --> 00:01:56,540
And as you can see we have Evasion loaded now.

25
00:01:56,540 --> 00:02:02,450
And as I said before, this used to be a standalone tool that you just downloaded on its own, but now

26
00:02:02,450 --> 00:02:04,970
they have it all combined together.

27
00:02:05,000 --> 00:02:09,920
Now as you can see, the first thing that we get when we load Evasion is the commands that you

28
00:02:09,920 --> 00:02:11,910
can run on this tool.

29
00:02:12,410 --> 00:02:18,570
So the first thing that we want to do is we want to list to see all the available payloads.

30
00:02:18,680 --> 00:02:25,640
And as you can see we have 41 different payloads, and all of these payloads follow a certain naming pattern,

31
00:02:26,240 --> 00:02:31,490
and you can see, for example, let's take this example right here because that's the payload that I'm going

32
00:02:31,490 --> 00:02:32,360
to be using.

33
00:02:32,420 --> 00:02:35,730
You can see the payload is divided into three parts.

34
00:02:37,080 --> 00:02:43,140
The first part right here refers to the programming language that the payload is going to be wrapped

35
00:02:43,140 --> 00:02:43,820
in.

36
00:02:43,830 --> 00:02:49,590
So we have the evil code, and then the evil code is going to be wrapped into a certain programming language

37
00:02:49,680 --> 00:02:51,880
that the target computer understands.

38
00:02:52,320 --> 00:02:56,660
And right here you can see that this payload uses the Go programming language.

39
00:02:56,670 --> 00:03:02,670
We can see this one uses C. We can see these ones use C#. We have Python, we have PowerShell, and

40
00:03:02,670 --> 00:03:09,670
we have Ruby. If we scroll down, the second part of the payload is really important.

41
00:03:10,630 --> 00:03:17,680
This is the type of the payload, the type of the code that's going to be executed on the target's computer.

42
00:03:19,450 --> 00:03:25,990
In this example we're using Meterpreter, which is a payload designed by Metasploit. Metasploit

43
00:03:26,050 --> 00:03:29,730
is a huge framework for hacking and it allows you to do a lot of things.

44
00:03:29,950 --> 00:03:34,530
But in this lecture we're focusing on creating a payload called Meterpreter.

45
00:03:34,720 --> 00:03:41,230
And what's really cool about Meterpreter is it runs in memory and it allows us to migrate between system

46
00:03:41,230 --> 00:03:48,580
processes, so we can have the payload or the backdoor running from a normal process like Explorer, for

47
00:03:48,580 --> 00:03:49,310
example.

48
00:03:49,450 --> 00:03:53,890
And this payload will allow us to gain full control over the target computer.

49
00:03:53,890 --> 00:03:59,260
So we'll be able to navigate through the file system, download and upload files, turn on the mic, turn on

50
00:03:59,260 --> 00:04:05,350
the webcam, even use that computer to hack other computers, install a keylogger, or you can literally do

51
00:04:05,410 --> 00:04:06,770
anything you can think of.

52
00:04:07,030 --> 00:04:11,440
And all of this will be running from memory, from a normal process on the system.

53
00:04:11,560 --> 00:04:13,080
So it's very hard to detect.

54
00:04:13,180 --> 00:04:15,700
And it doesn't leave a lot of footprints.

55
00:04:15,850 --> 00:04:19,420
That's why it's a really, really cool payload and we'll be using it a lot.

56
00:04:21,260 --> 00:04:26,590
The third part of the name is the method that's going to be used to establish that connection.

57
00:04:26,630 --> 00:04:31,050
So in here we can see that this is called rev_https.

58
00:04:31,130 --> 00:04:38,120
So rev stands for reverse, and HTTPS is the protocol that's going to be used to establish

59
00:04:38,120 --> 00:04:45,470
the connection, so we can see that this payload will create a reverse HTTPS connection.

60
00:04:45,600 --> 00:04:52,140
You can see this one right here, for example, creates a reverse HTTP connection, and we have this one

61
00:04:52,140 --> 00:04:56,690
in here that creates a reverse TCP connection.

62
00:04:56,700 --> 00:05:04,440
Now what I mean by reverse is the connection is going to come from the target computer to my own computer.

63
00:05:04,470 --> 00:05:08,190
So I won't be connecting to the computer that I want to hack.

64
00:05:08,190 --> 00:05:13,500
What's going to happen is once the person double-clicks the backdoor, the backdoor will connect back

65
00:05:13,500 --> 00:05:15,650
to me from the target computer.

66
00:05:17,290 --> 00:05:23,840
What's cool about this is I'll be able to bypass antivirus programs, because the connection is not going

67
00:05:23,840 --> 00:05:26,670
to the target computer; it is coming back to my computer.

68
00:05:26,770 --> 00:05:30,980
So it's literally as if the target person is just connecting to a normal website.

69
00:05:31,060 --> 00:05:34,790
I'm going to use a port that sites use, which is 80 or 88.

70
00:05:34,960 --> 00:05:40,230
So again, if the person analyzes the connection it will look as if they're literally just connecting

71
00:05:40,240 --> 00:05:41,960
to a normal website.

72
00:05:42,010 --> 00:05:46,540
Also, if the target's computer is hidden behind a router or behind a network,

73
00:05:46,660 --> 00:05:52,660
again this is going to work because the connection is coming from the target computer to me instead

74
00:05:52,660 --> 00:05:55,000
of me connecting to the target computer.

75
00:05:55,330 --> 00:05:58,630
So using a reverse connection is really, really handy.

76
00:05:58,630 --> 00:06:04,270
And I think this is really the only practical way of gaining access to a computer, because there are a

77
00:06:04,270 --> 00:06:09,650
lot of things that can stop you from connecting to a certain computer.

78
00:06:09,650 --> 00:06:12,350
Now this is the general naming pattern.

79
00:06:12,350 --> 00:06:17,850
You'll see some payloads, like this one right here, which don't follow that general naming pattern.

80
00:06:18,020 --> 00:06:24,190
And basically what these payloads do, for example, we can see this one is called shellcode_inject.

81
00:06:24,320 --> 00:06:30,170
So what it's going to do is it's going to create a payload that injects your other payload.

82
00:06:30,170 --> 00:06:36,560
So it's going to create a normal payload, and that normal payload injects a Meterpreter payload, for example.

83
00:06:36,560 --> 00:06:39,590
Now, it does this to try to bypass more security.

84
00:06:39,590 --> 00:06:45,350
But usually they won't bypass more things than the normal payloads would bypass.

85
00:06:45,470 --> 00:06:50,870
So that's why I usually just use one of the normal payloads in here.

86
00:06:50,900 --> 00:06:51,710
So this is it.

87
00:06:51,740 --> 00:06:54,450
This is all about the payloads.

88
00:06:54,450 --> 00:06:59,160
So it took a bit of time, but I wanted to make sure that you guys understand the naming pattern.

89
00:06:59,210 --> 00:07:04,640
I wanted you to understand what a payload is and the difference between a reverse and a bind and a TCP

90
00:07:04,640 --> 00:07:05,810
payload.

91
00:07:05,810 --> 00:07:11,030
This way the rest of the course will become more clear to you and I can just use the payload that I want

92
00:07:11,030 --> 00:07:13,250
without explaining what it is.

93
00:07:13,250 --> 00:07:18,170
Now in the next lecture we're going to be generating a payload and we'll be testing it against antivirus

94
00:07:18,170 --> 00:07:18,910
programs.