1
00:00:02,650 --> 00:00:07,620
This lecture We'll see how we can get a reverse connection from our weekly show.

2
00:00:07,930 --> 00:00:14,600
So at the moment we upload it weekly and we're connecting to it directly using this you are Elb.

3
00:00:14,640 --> 00:00:17,920
So when we hit enter we're actually just doing a direct connection.

4
00:00:17,970 --> 00:00:24,890
And it's as if we're just interacting with a normal ph script uploaded on that directory.

5
00:00:24,900 --> 00:00:30,510
So what we want to do is maybe in some cases you can't really run commands like this so right now I

6
00:00:30,510 --> 00:00:37,230
can run whatever command I want whatever Linux command we also seen how we can use the shell SH function

7
00:00:37,470 --> 00:00:41,770
that comes with weekly to try and bypass if we can't run commands.

8
00:00:42,000 --> 00:00:48,150
If none of that works or if you wanted just an actual direct reverse connection from the target web

9
00:00:48,150 --> 00:00:52,980
server to our machine then you can follow what I'm going to do in the structure.

10
00:00:52,980 --> 00:00:58,140
It can be really handy because you'll have a direct connection and you'll be able to bypass a lot of

11
00:00:58,140 --> 00:01:01,780
security measurements.

12
00:01:01,810 --> 00:01:08,740
So we're going to do help first to see the options that we have and the function that I want to use

13
00:01:08,740 --> 00:01:17,030
today is the reverse whereas it's back to reverse TCAP and it basically just gives you a very TCAP shell

14
00:01:17,040 --> 00:01:23,100
so it won't be executed throw a PSP it will be a reverse shell or reverse connection come in from the

15
00:01:23,700 --> 00:01:26,280
target server towards your computer.

16
00:01:26,280 --> 00:01:32,940
And because of that it'll bypass firewalls because the connection is coming out of these web server

17
00:01:33,030 --> 00:01:34,570
not to the web server.

18
00:01:34,860 --> 00:01:41,650
So the first thing we gonna do is as usual we're just going to run back reverse TCAP.

19
00:01:41,970 --> 00:01:47,550
And I'm going to put mine on stage to see the options that we can get with this function.

20
00:01:47,820 --> 00:01:54,570
And you can see the way to use it is the first thing you need to specify the name of the function followed

21
00:01:54,570 --> 00:01:57,480
by the type of shell so we're going to leave that the same.

22
00:01:57,480 --> 00:02:00,270
You can tell it not to auto connect but we don't want that.

23
00:02:00,270 --> 00:02:05,940
We actually want it to automatically connect and then you can specify the vector and again the vector

24
00:02:05,940 --> 00:02:11,540
is very important and it specifies the way the reverse connection will be spawned.

25
00:02:11,730 --> 00:02:13,970
So you can use netcat.

26
00:02:14,070 --> 00:02:17,740
It can be done through netcat it can be done through python.

27
00:02:17,740 --> 00:02:19,950
It can be done through perl ruby.

28
00:02:20,010 --> 00:02:22,020
These are all programming languages.

29
00:02:22,290 --> 00:02:29,010
So if the connection doesn't if the target server doesn't have netcat installed or if it has certain

30
00:02:29,190 --> 00:02:35,370
security or permissions that prevent you from using netcat then you can try to get your shell through

31
00:02:35,370 --> 00:02:36,090
python.

32
00:02:36,390 --> 00:02:42,480
If Python is not installed or if it has some sort of measurements that prevent Python from connecting

33
00:02:42,480 --> 00:02:45,480
back to you then you can do it through Perl.

34
00:02:45,750 --> 00:02:51,450
And again if Perl is configured in a way that it's not allowed to spawn reverse connections you can

35
00:02:51,450 --> 00:02:52,530
do it through Ruby.

36
00:02:52,770 --> 00:02:56,960
And again you can use any of these vectors until one of them works for you.

37
00:02:57,210 --> 00:03:03,190
And once one of them works for you chances are you're going to be able to bypass a lot of security measurements.

38
00:03:03,270 --> 00:03:07,060
Definitely you'll be able to run bash commands on the target server.

39
00:03:07,110 --> 00:03:13,680
So if you can't run bash commands normally and if you tried the shell SH function that we seen in an

40
00:03:13,710 --> 00:03:19,390
earlier video and still didn't work for you then you should come to this try this method.

41
00:03:19,470 --> 00:03:23,770
If it works then you'll be able to run any shell commands you want on the target server.

42
00:03:24,150 --> 00:03:26,070
So let's try it in action.

43
00:03:26,070 --> 00:03:32,750
So we're going to type in backdoor reverse TCAP.

44
00:03:32,930 --> 00:03:37,370
We're going to give it the vector and I'm going to want to use netcat

45
00:03:40,730 --> 00:03:46,430
and then we're going to give it dependent on this as you can see so we did that and we gave it the vector

46
00:03:46,730 --> 00:03:52,700
then we need to give it our localhost So the IP address of our current computer followed by the port

47
00:03:52,850 --> 00:03:55,410
that we want the connection to be done through.

48
00:03:55,430 --> 00:03:59,110
So to get the IP address of my computer I'm just going to run if config

49
00:04:02,370 --> 00:04:13,540
and you can see that my IP address is 10 20 14 to 13 so I'm going to close this.

50
00:04:13,770 --> 00:04:20,380
And then we're going to give it forward and I'm going to set the port to 80 80 so the command is very

51
00:04:20,380 --> 00:04:21,610
simple.

52
00:04:21,630 --> 00:04:28,990
After the first ECP vector which is going to be netcat and then we put our current IP address followed

53
00:04:28,990 --> 00:04:29,750
by the port.

54
00:04:29,750 --> 00:04:32,170
So we want the connection to be done through.

55
00:04:32,470 --> 00:04:33,230
I'm going to head into

56
00:04:36,830 --> 00:04:42,580
and now the connection established So now we can run any commands we want and keep in mind that these

57
00:04:42,580 --> 00:04:45,880
commands will be executed through netcat.

58
00:04:45,880 --> 00:04:52,510
So the connection is coming back now from the server to us and now we're communicating with it through

59
00:04:52,510 --> 00:04:54,150
a completely different port.

60
00:04:54,160 --> 00:04:58,340
It's not going to go through really it's actually going to go through and that's cut.

61
00:04:58,360 --> 00:05:03,880
So if there was some sort of security that didn't allow us to run commands through weekly then we'll

62
00:05:03,880 --> 00:05:05,600
be able to bypass them now.

63
00:05:05,860 --> 00:05:07,120
So now we can use it.

64
00:05:07,120 --> 00:05:12,310
We're going to do W.D. for example and we have to add a semicolon after it.

65
00:05:12,310 --> 00:05:14,650
You can see that where we are we can do all my

66
00:05:20,190 --> 00:05:25,160
Seems like we've lost our connection so I'm just going to do it back.

67
00:05:25,170 --> 00:05:26,450
So again we can do.

68
00:05:26,470 --> 00:05:27,340
Who are.

69
00:05:31,280 --> 00:05:34,150
We can pretty much do any commands we want.

70
00:05:34,160 --> 00:05:39,160
Now again if this didn't really work for you you can go ahead and try a different vector.

71
00:05:39,160 --> 00:05:40,420
You can try the python.

72
00:05:40,490 --> 00:05:47,560
You can try the Prawle after each of these vectors try to see who are my and see the current permissions

73
00:05:47,560 --> 00:05:54,190
or the current user that you're ionised because you might actually be Arayan under a different user.

74
00:05:54,190 --> 00:06:00,320
One thing to keep in mind here is your IP because the connection is is a reverse connection.

75
00:06:00,320 --> 00:06:05,420
So it's coming back from the target web server to your computer.

76
00:06:05,420 --> 00:06:11,420
Therefore at the moment I'm actually using a private IP within my county network but it works because

77
00:06:11,420 --> 00:06:13,960
the website is on the same network.

78
00:06:14,030 --> 00:06:20,240
If I was doing this against a real Web site this won't work because my private IP is not accessible

79
00:06:20,240 --> 00:06:23,620
publicly because it's hidden behind the router.

80
00:06:23,690 --> 00:06:30,830
So if you want to receive connections if you receive reverse connections from an actual web server and

81
00:06:30,830 --> 00:06:37,070
if you're not on the same network as that web server then you need to either set up your Cali machine

82
00:06:37,100 --> 00:06:43,850
as a DMZ host or you need to enable IP forwarding to enable the poor at the port that you're using here.

83
00:06:43,850 --> 00:06:53,060
So 88 in this case to be forwarded to your private IP you can do both of these things from the Control

84
00:06:53,060 --> 00:06:58,790
Panel of your router your router is usually located at the first IP.

85
00:06:58,790 --> 00:07:05,270
So my IP now is Dan 20:14 and 2:13.

86
00:07:05,490 --> 00:07:12,040
The router is usually at the first IP so it will be at the one so he can access that through the browser.

87
00:07:12,490 --> 00:07:20,830
Look for the option called DMZ and said the Callimachi in the DMZ host another option is to go to Port

88
00:07:20,830 --> 00:07:29,460
forwarding other will to forward port 80 80 to the IP of the Callimachi and also make sure the IP the

89
00:07:29,460 --> 00:07:35,280
Kalli machine is connected to your actual network and it's not set up as a network like this.

90
00:07:35,290 --> 00:07:40,360
So make sure you have a wireless card connected to your home network and from there you will have an

91
00:07:40,360 --> 00:07:45,110
actual IP in your network instead of a private virtual IP like we have here.