1 1 00:00:00,517 --> 00:00:01,710 line:15% Introduction to Shellcode. 2 2 00:00:01,710 --> 00:00:02,613 line:15% \\\So in this lecture, we're gonna discuss 3 3 00:00:02,613 --> 00:00:05,452 line:15% what shellcode is and why that's important to us 4 4 00:00:05,452 --> 00:00:08,519 in our Gaining Access phase. 5 5 00:00:08,519 --> 00:00:09,962 So, what is shellcode? 6 6 00:00:09,962 --> 00:00:11,571 Well, shellcode is a small piece of code 7 7 00:00:11,571 --> 00:00:13,584 that's used as a payload in the exploitation 8 8 00:00:13,584 --> 00:00:15,031 of a software vulnerability. 9 9 00:00:15,031 --> 00:00:17,236 So this is that exploit piece we talked about 10 10 00:00:17,236 --> 00:00:19,917 during our gaining access lecture. 11 11 00:00:19,917 --> 00:00:22,436 It's easily reused in other exploits as well, 12 12 00:00:22,436 --> 00:00:24,677 so we can use this over and over and over again. 13 13 00:00:24,677 --> 00:00:26,553 There's lots of different kinds of shellcode, 14 14 00:00:26,553 --> 00:00:28,442 and there's several common ones, 15 15 00:00:28,442 --> 00:00:30,995 such as bind and reverse shells. 16 16 00:00:30,995 --> 00:00:32,734 So what does a shellcode do? 17 17 00:00:32,734 --> 00:00:35,488 Well, it typically is going to start a command shell for us, 18 18 00:00:35,488 --> 00:00:37,098 which is why we call it shellcode. 19 19 00:00:37,098 --> 00:00:38,791 We want that command shell, so in Windows, 20 20 00:00:38,791 --> 00:00:39,948 that would be the Command prompt. 21 21 00:00:39,948 --> 00:00:42,992 In Linux, that would be something like the Terminal. 22 22 00:00:42,992 --> 00:00:44,578 And this is gonna allow the attacker 23 23 00:00:44,578 --> 00:00:46,618 to use interactive command execution on this 24 24 00:00:46,618 --> 00:00:48,981 remote target machine. 25 25 00:00:48,981 --> 00:00:50,192 How do we make shellcode? 26 26 00:00:50,192 --> 00:00:53,085 Well, shellcode is commonly written in machine code, 27 27 00:00:53,085 --> 00:00:55,071 so it's usually written in an assembly language. 28 28 00:00:55,071 --> 00:00:57,012 But any piece of code that performs 29 29 00:00:57,012 --> 00:00:59,325 a similar task can be categorized as shellcode. 30 30 00:00:59,325 --> 00:01:02,187 So it could be written in something like C as well. 31 31 00:01:02,187 --> 00:01:03,813 But most commonly, it's gonna be written in 32 32 00:01:03,813 --> 00:01:05,800 something like assembly or machine code. 33 33 00:01:05,800 --> 00:01:06,956 Now, why is this important? 34 34 00:01:06,956 --> 00:01:10,539 Well, writing in machine code is pretty darn difficult. 35 35 00:01:10,539 --> 00:01:12,032 Now, most of us are not gonna be writing 36 36 00:01:12,032 --> 00:01:13,227 our own shellcode. 37 37 00:01:13,227 --> 00:01:15,511 Now, if you're gonna be a really good hacker 38 38 00:01:15,511 --> 00:01:16,854 and a really good attacker, you're gonna need 39 39 00:01:16,854 --> 00:01:18,213 to learn how to do that. 40 40 00:01:18,213 --> 00:01:19,653 And there's books out there with lots 41 41 00:01:19,653 --> 00:01:21,556 of different examples of shellcode and how to learn 42 42 00:01:21,556 --> 00:01:22,626 how to do the shellcoding. 43 43 00:01:22,626 --> 00:01:24,114 We're not gonna cover that in this class. 44 44 00:01:24,114 --> 00:01:25,558 That's way beyond the scope. 45 45 00:01:25,558 --> 00:01:26,718 So for us though, we just want to be able 46 46 00:01:26,718 --> 00:01:28,164 to talk about shellcode and understand what it is 47 47 00:01:28,164 --> 00:01:30,262 and how it works, and we're gonna show you 48 48 00:01:30,262 --> 00:01:32,316 some examples of that. 49 49 00:01:32,316 --> 00:01:34,210 So there's two examples of shellcode, 50 50 00:01:34,210 --> 00:01:35,786 bind shell and reverse shell. 51 51 00:01:35,786 --> 00:01:36,746 We're gonna talk about these two. 52 52 00:01:36,746 --> 00:01:38,946 In our lab, we're gonna use a reverse shell, 53 53 00:01:38,946 --> 00:01:40,175 and the reason why is because we want that 54 54 00:01:40,175 --> 00:01:42,742 interactive command prompt, we want it to go ahead, 55 55 00:01:42,742 --> 00:01:44,168 we're gonna run the attack and then 56 56 00:01:44,168 --> 00:01:47,404 get ourself back a C prompt when we're attacking Windows, 57 57 00:01:47,404 --> 00:01:51,469 or a terminal prompt in Linux for us to attack with. 58 58 00:01:51,469 --> 00:01:53,948 So let's talk about bind works first. 59 59 00:01:53,948 --> 00:01:56,052 So with bind, the attacker sends an exploit 60 60 00:01:56,052 --> 00:01:57,576 to a vulnerable service. 61 61 00:01:57,576 --> 00:01:59,527 So let's say you're running something vulnerable, 62 62 00:01:59,527 --> 00:02:00,627 like VSFTP. 63 63 00:02:00,627 --> 00:02:02,613 And if you're running that, the attacker sends 64 64 00:02:02,613 --> 00:02:03,879 the exploit to the vulnerable service, 65 65 00:02:03,879 --> 00:02:06,060 the shellcode is gonna bind itself to that port, 66 66 00:02:06,060 --> 00:02:08,520 that port 21 for FTP, and then the attacker 67 67 00:02:08,520 --> 00:02:09,931 will be able to make a connection, 68 68 00:02:09,931 --> 00:02:12,257 a separate connection, to port 21. 69 69 00:02:12,257 --> 00:02:14,779 That's how bind works, it binds itself to a port. 70 70 00:02:14,779 --> 00:02:17,149 Now, the problem with this is that you have to have 71 71 00:02:17,149 --> 00:02:19,866 those ports open in the firewall for this to work. 72 72 00:02:19,866 --> 00:02:22,384 So, if we are the attacker, we're now requiring 73 73 00:02:22,384 --> 00:02:24,888 that the firewall is running FTP and 74 74 00:02:24,888 --> 00:02:26,208 that those ports are open. 75 75 00:02:26,208 --> 00:02:28,188 Now if we're running an FTP service that's vulnerable, 76 76 00:02:28,188 --> 00:02:30,416 there's a high likelihood that that will be open. 77 77 00:02:30,416 --> 00:02:31,611 But if we're trying to attack something 78 78 00:02:31,611 --> 00:02:33,712 like a web server and you're running something 79 79 00:02:33,712 --> 00:02:36,232 like a Windows desktop, the chances are, 80 80 00:02:36,232 --> 00:02:38,625 you're not running port 80 or port 443 81 81 00:02:38,625 --> 00:02:39,947 on your Windows desktop. 82 82 00:02:39,947 --> 00:02:41,388 You're gonna use that for outbound ports, 83 83 00:02:41,388 --> 00:02:42,461 not for inbound ports. 84 84 00:02:42,461 --> 00:02:44,936 So that's why bind shells don't work all the time, 85 85 00:02:44,936 --> 00:02:47,240 but they do work well in a lot of cases. 86 86 00:02:47,240 --> 00:02:48,812 Now, let's talk about how a revere shell works, 87 87 00:02:48,812 --> 00:02:49,844 on the other hand. 88 88 00:02:49,844 --> 00:02:51,372 So, a reverse shell is still gonna send 89 89 00:02:51,372 --> 00:02:53,062 that exploit to the service. 90 90 00:02:53,062 --> 00:02:55,654 But when it gets to that target, the shell code itself 91 91 00:02:55,654 --> 00:02:58,838 spawns a connection and calls back to the attacker. 92 92 00:02:58,838 --> 00:03:00,197 You're gonna see that in our lab. 93 93 00:03:00,197 --> 00:03:03,132 We're gonna set up a listening port on our 94 94 00:03:03,132 --> 00:03:04,664 Kali Linux machine so that when we 95 95 00:03:04,664 --> 00:03:05,943 attack the Windows machine, 96 96 00:03:05,943 --> 00:03:07,679 it will call back to our Linux machine 97 97 00:03:07,679 --> 00:03:09,453 and say hey, I'm ready to talk to you. 98 98 00:03:09,453 --> 00:03:11,147 And the great thing about this is 99 99 00:03:11,147 --> 00:03:12,471 you don't have to pre-open 100 100 00:03:12,471 --> 00:03:13,874 those ports in the firewall. 101 101 00:03:13,874 --> 00:03:15,897 Firewalls are designed so that 102 102 00:03:15,897 --> 00:03:17,176 things from the inside the network 103 103 00:03:17,176 --> 00:03:18,781 can reach out and call out, 104 104 00:03:18,781 --> 00:03:19,896 because, for instance when you 105 105 00:03:19,896 --> 00:03:22,087 go to a web server, you call out on port 80, 106 106 00:03:22,087 --> 00:03:24,952 but you also open a port to come back in 107 107 00:03:24,952 --> 00:03:26,860 on a higher-numbered random port. 108 108 00:03:26,860 --> 00:03:28,387 Now we're going to do the same thing here 109 109 00:03:28,387 --> 00:03:29,580 to try to hide in traffic. 110 110 00:03:29,580 --> 00:03:31,762 Now once we do this, the attacker machine, 111 111 00:03:31,762 --> 00:03:33,622 our Kali box, is going to listen 112 112 00:03:33,622 --> 00:03:34,696 for that call-back, 113 113 00:03:34,696 --> 00:03:35,812 and once it receives that call-back 114 114 00:03:35,812 --> 00:03:38,046 we get that two-way communication. 115 115 00:03:38,046 --> 00:03:39,843 And that's when we can start doing this 116 116 00:03:39,843 --> 00:03:42,665 executable reverse shell that gives us 117 117 00:03:42,665 --> 00:03:45,429 full interactive communication. 118 118 00:03:45,429 --> 00:03:47,039 Now, there's another type of payload out there 119 119 00:03:47,039 --> 00:03:48,565 that we talk about that's called 120 120 00:03:48,565 --> 00:03:49,963 a staged payload. 121 121 00:03:49,963 --> 00:03:51,938 Now what this is usually it's going to be 122 122 00:03:51,938 --> 00:03:54,497 the shellcode itself is too large to pass 123 123 00:03:54,497 --> 00:03:56,093 fully through a single stage. 124 124 00:03:56,093 --> 00:03:57,669 It would be caught too easily. 125 125 00:03:57,669 --> 00:03:58,861 So instead what we do is we break 126 126 00:03:58,861 --> 00:04:01,223 up that shellcode into many smaller stages, 127 127 00:04:01,223 --> 00:04:03,575 sometimes one or two or three, or even four. 128 128 00:04:03,575 --> 00:04:04,842 And what happens, this happens 129 129 00:04:04,842 --> 00:04:06,534 to make the attack quieter. 130 130 00:04:06,534 --> 00:04:09,615 So what happens is I can launch the exploit. 131 131 00:04:09,615 --> 00:04:11,643 The original stage one payload goes 132 132 00:04:11,643 --> 00:04:13,550 and gets loaded on the victim machine. 133 133 00:04:13,550 --> 00:04:15,815 It then reaches out and gets stage two's payload. 134 134 00:04:15,815 --> 00:04:17,467 Stage two then gets stage three, 135 135 00:04:17,467 --> 00:04:18,660 and it keeps building until it gets 136 136 00:04:18,660 --> 00:04:21,264 the entire payload we want to make the full 137 137 00:04:21,264 --> 00:04:23,768 connection for us to be able to do our attack. 138 138 00:04:23,768 --> 00:04:25,104 And that's what a staged payload is. 139 139 00:04:25,104 --> 00:04:26,421 You may hear that come up. 140 140 00:04:26,421 --> 00:04:28,439 So how do staged payloads work? 141 141 00:04:28,439 --> 00:04:30,636 Just like we said, stage one is going to happen. 142 142 00:04:30,636 --> 00:04:32,622 The attacker is going to pass a small piece 143 143 00:04:32,622 --> 00:04:34,482 of code to the target, then stage two 144 144 00:04:34,482 --> 00:04:36,613 is going to reach out, grab the larger portion 145 145 00:04:36,613 --> 00:04:38,918 of that payload, and then it will have the full 146 146 00:04:38,918 --> 00:04:41,471 executable two-way communication once 147 147 00:04:41,471 --> 00:04:43,217 the stage two has been loaded. 148 148 00:04:43,217 --> 00:04:44,975 So in our lab, what are we going to do? 149 149 00:04:44,975 --> 00:04:46,047 We're going to use a reverse shell. 150 150 00:04:46,047 --> 00:04:47,689 So we're going to send out that 151 151 00:04:47,689 --> 00:04:49,130 exploit on the service. 152 152 00:04:49,130 --> 00:04:50,215 It's going to spawn the connection 153 153 00:04:50,215 --> 00:04:52,322 back to the attacker on a given port. 154 154 00:04:52,322 --> 00:04:54,053 In our case, we're going to use 4444, 155 155 00:04:54,053 --> 00:04:56,079 which is the default for Kali Lenux. 156 156 00:04:56,079 --> 00:04:57,603 If we wanted to hide, we could try 157 157 00:04:57,603 --> 00:04:59,127 to make it a random high port, 158 158 00:04:59,127 --> 00:05:00,864 or we could do like 443 so it looks like 159 159 00:05:00,864 --> 00:05:02,471 a secure web tunnel. 160 160 00:05:02,471 --> 00:05:03,876 And then the attacker can listen for 161 161 00:05:03,876 --> 00:05:06,557 a connection back on that port. 162 162 00:05:06,557 --> 00:05:10,137 We're going to use Windows/shell/reversetcp. 163 163 00:05:10,137 --> 00:05:11,427 This is a staged payload, 164 164 00:05:11,427 --> 00:05:12,707 it's a two-staged payload. 165 165 00:05:12,707 --> 00:05:13,780 So you're going to see that 166 166 00:05:13,780 --> 00:05:14,731 we're going to send it, 167 167 00:05:14,731 --> 00:05:15,890 it's going to say stage one received, 168 168 00:05:15,890 --> 00:05:17,289 stage two has done, 169 169 00:05:17,289 --> 00:05:18,778 and then once we get stage two 170 170 00:05:18,778 --> 00:05:20,052 we'll have that two-way communication 171 171 00:05:20,052 --> 00:05:22,246 for us to be able to talk. 172 172 00:05:22,246 --> 00:05:23,805 So all this is going to be occurring again. 173 173 00:05:23,805 --> 00:05:24,955 Once again, we're talking in this 174 174 00:05:24,955 --> 00:05:25,987 gaining-access stage. 175 175 00:05:25,987 --> 00:05:27,764 Once we are in and we have the interactive 176 176 00:05:27,764 --> 00:05:28,597 two-way communication, 177 177 00:05:28,597 --> 00:05:30,565 that's when we can then move on to other stages, 178 178 00:05:30,565 --> 00:05:32,012 such as escalating our privileges, 179 179 00:05:32,012 --> 00:05:33,249 maintaining our access, 180 180 00:05:33,249 --> 00:05:35,249 and covering our tracks.