In this lecture we'll see how we can get a reverse connection from our Weevely shell. So at the moment we uploaded Weevely and we're connecting to it directly using this URL. So when we hit enter we're actually just doing a direct connection, and it's as if we're just interacting with a normal PHP script uploaded on that directory. So what we want to do is, maybe in some cases you can't really run commands like this. So right now I can run whatever command I want, whatever Linux command. We also saw how we can use the shell_sh function that comes with Weevely to try and bypass it if we can't run commands. If none of that works, or if you wanted just an actual direct reverse connection from the target web server to our machine, then you can follow what I'm going to do in this lecture. It can be really handy because you'll have a direct connection and you'll be able to bypass a lot of security measurements. So we're going to do help first to see the options that we have, and the function that I want to use today is the reverse one, which is backdoor_reverse_tcp, and it basically just gives you a reverse TCP shell. So it won't be executed through PHP; it will be a reverse shell or reverse connection coming from the target server towards your computer. And because of that it'll bypass firewalls, because the connection is coming out of the web server, not going to the web server.
So the first thing we're gonna do is, as usual, we're just going to run backdoor_reverse_tcp, and I'm going to put minus h to see the options that we can get with this function. And you can see the way to use it is: the first thing you need to specify is the name of the function, followed by the type of shell, so we're going to leave that the same. You can tell it not to auto connect, but we don't want that; we actually want it to automatically connect. And then you can specify the vector, and again the vector is very important and it specifies the way the reverse connection will be spawned. So you can use netcat. It can be done through netcat, it can be done through Python, it can be done through Perl, Ruby. These are all programming languages. So if the target server doesn't have netcat installed, or if it has certain security or permissions that prevent you from using netcat, then you can try to get your shell through Python. If Python is not installed, or if it has some sort of measurements that prevent Python from connecting back to you, then you can do it through Perl. And again, if Perl is configured in a way that it's not allowed to spawn reverse connections, you can do it through Ruby. And again, you can use any of these vectors until one of them works for you.
And once one of them works for you, chances are you're going to be able to bypass a lot of security measurements. Definitely you'll be able to run bash commands on the target server. So if you can't run bash commands normally, and if you tried the shell_sh function that we've seen in an earlier video and it still didn't work for you, then you should come and try this method. If it works, then you'll be able to run any shell commands you want on the target server. So let's try it in action. So we're going to type in backdoor_reverse_tcp. We're going to give it the vector, and I'm going to want to use netcat, and then we're going to give it, depending on this as you can see, so we did that and we gave it the vector, then we need to give it our localhost, so the IP address of our current computer, followed by the port that we want the connection to be done through. So to get the IP address of my computer I'm just going to run ifconfig, and you can see that my IP address is 10.20.14.213, so I'm going to close this. And then we're going to give it the port, and I'm going to set the port to 8080. So the command is very simple: after backdoor_reverse_tcp comes the vector, which is going to be netcat, and then we put our current IP address followed by the port that we want the connection to be done through.
I'm going to hit enter, and now the connection is established. So now we can run any commands we want, and keep in mind that these commands will be executed through netcat. So the connection is coming back now from the server to us, and now we're communicating with it through a completely different port. It's not going to go through Weevely; it's actually going to go through netcat. So if there was some sort of security that didn't allow us to run commands through Weevely, then we'll be able to bypass them now. So now we can use it. We're going to do pwd for example, and we have to add a semicolon after it. You can see where we are. We can do whoami... Seems like we've lost our connection, so I'm just going to do it back. So again we can do whoami. We can pretty much do any commands we want. Now again, if this didn't really work for you, you can go ahead and try a different vector. You can try the Python, you can try the Perl. After each of these vectors try to see whoami, and see the current permissions or the current user that you're running as, because you might actually be running under a different user. One thing to keep in mind here is your IP, because the connection is a reverse connection, so it's coming back from the target web server to your computer.
Therefore at the moment I'm actually using a private IP within my current network, but it works because the website is on the same network. If I was doing this against a real website this won't work, because my private IP is not accessible publicly, because it's hidden behind the router. So if you want to receive reverse connections from an actual web server, and if you're not on the same network as that web server, then you need to either set up your Kali machine as a DMZ host, or you need to enable IP forwarding to enable the port that you're using here, so 8080 in this case, to be forwarded to your private IP. You can do both of these things from the control panel of your router. Your router is usually located at the first IP. So my IP now is 10.20.14.213; the router is usually at the first IP, so it will be at the one, so you can access that through the browser. Look for the option called DMZ and set the Kali machine as the DMZ host. Another option is to go to port forwarding, and there you'll be able to forward port 8080 to the IP of the Kali machine. And also make sure the Kali machine is connected to your actual network and it's not set up on a virtual network like this. So make sure you have a wireless card connected to your home network, and from there you will have an actual IP in your network instead of a private virtual IP like we have here.