WEBVTT

00:00.000 --> 00:01.620
>> Hey, guys. Welcome back to

00:01.620 --> 00:04.050
the cyber kill chain
course on Cybrary.

00:04.050 --> 00:05.610
This is Abdulrahman Alnaim,

00:05.610 --> 00:08.790
and in today's episode we
cover weaponization.

00:08.790 --> 00:11.520
Weaponization is the second step

00:11.520 --> 00:12.870
of the cyber kill chain,

00:12.870 --> 00:15.705
and in this step, we depend
a lot on reconnaissance.

00:15.705 --> 00:17.880
This is why I was saying spend

00:17.880 --> 00:20.760
as much time as you can
doing reconnaissance

00:20.760 --> 00:22.860
because reconnaissance
will give you

00:22.860 --> 00:24.600
the base that you're going to

00:24.600 --> 00:27.075
build the rest of the attack on.

00:27.075 --> 00:29.220
If I go to weaponization

00:29.220 --> 00:31.319
without doing proper
reconnaissance,

00:31.319 --> 00:34.125
I won't be able to
build a weapon or

00:34.125 --> 00:37.610
a payload that would work
on the target machine,

00:37.610 --> 00:41.010
because I'm guessing what
the target machine is.

00:41.010 --> 00:43.945
From now on, our assumption

00:43.945 --> 00:47.315
is that the target
machine is Windows.

00:47.315 --> 00:49.380
We're going to use localhost.

00:49.380 --> 00:52.520
From now on, all of the
attacks are going to

00:52.520 --> 00:54.460
happen within my
virtual environment.

00:54.460 --> 00:55.970
We're not going to
communicate with

00:55.970 --> 00:58.585
anything on the Internet.

00:58.585 --> 01:02.015
Weaponization is a
fairly passive step.

01:02.015 --> 01:05.780
This step happens on my side
or the attacker side only.

01:05.780 --> 01:08.325
We're not going to
communicate with the victim.

01:08.325 --> 01:11.240
What we're trying to
do here, as I said,

01:11.240 --> 01:13.970
is build a payload that
we're going to use later

01:13.970 --> 01:17.750
on, or deliver in the following
step to the victim,

01:17.750 --> 01:20.210
to be able to install it and

01:20.210 --> 01:23.525
then have control
over the victim side.

01:23.525 --> 01:25.880
There are two tools that
we're going to talk

01:25.880 --> 01:28.855
about today, Metasploit
and Unicorn.

01:28.855 --> 01:32.675
Metasploit comes
built into Kali Linux,

01:32.675 --> 01:34.670
it's an extremely popular tool.

01:34.670 --> 01:36.440
There's a lot of
documentation out there.

01:36.440 --> 01:38.450
I'm going to leave a
couple of links in

01:38.450 --> 01:41.660
the resources page that I
highly recommend going to,

01:41.660 --> 01:45.965
because if you're looking
to go into pen testing,

01:45.965 --> 01:48.770
Metasploit is the tool
you want to learn.

01:48.770 --> 01:50.330
The other tool is Unicorn.

01:50.330 --> 01:53.225
It's a tool that I stumbled
upon a few weeks ago.

01:53.225 --> 01:56.990
It's a Python tool and
it's extremely good

01:56.990 --> 02:02.160
in evading protection tools.
Let's jump right into it.

02:04.280 --> 02:06.440
The first thing
that we're going to

02:06.440 --> 02:07.820
learn today is MSFvenom,

02:07.820 --> 02:12.055
which is an add-on
to Metasploit,

02:12.055 --> 02:17.560
and our payload is going
to be reverse_tcp.

02:18.910 --> 02:25.445
Reverse_tcp is very
popular because it

02:25.445 --> 02:30.710
bypasses or uses
the statefulness

02:30.710 --> 02:33.185
of a firewall to
bypass the control.

02:33.185 --> 02:36.050
A firewall will block
any communication

02:36.050 --> 02:38.850
coming from the
outside to the inside.

02:38.850 --> 02:40.690
However, if the communication in

02:40.690 --> 02:42.025
a [inaudible] firewall is

02:42.025 --> 02:43.960
triggered from
behind the firewall,

02:43.960 --> 02:47.720
the return packet will be
automatically allowed.

02:49.850 --> 02:53.575
As I said before, we're
going to use localhost here,

02:53.575 --> 02:57.115
so it's going to be my local IP.

02:57.115 --> 03:02.380
Let me find it here,
and that's my local IP.

03:02.380 --> 03:05.300
That's the IP that I'm
going to use from now on.

03:07.440 --> 03:12.965
We're going to use port 444,

03:12.965 --> 03:15.670
and that you can pick
whatever port you want.

03:15.670 --> 03:19.340
A lot of people tend
to use the defaults,

03:21.540 --> 03:34.285
so i5, and then we're going to

03:34.285 --> 03:38.560
generate an executable
space here,

03:38.560 --> 03:44.385
and we're going to put
it in root desktop.

03:44.385 --> 03:46.080
We're going to call
it payload.exe.

03:46.080 --> 03:52.170
[NOISE] Once this
creates the payload,

03:52.170 --> 03:56.070
you might notice that
the payload.exe

03:56.070 --> 03:59.560
is difficult to send

03:59.560 --> 04:04.380
over email or get
to the victim,

04:04.380 --> 04:06.620
and that's correct because

04:06.620 --> 04:08.690
a lot of antiviruses
and a lot of

04:08.690 --> 04:13.250
email exchange servers will
block any exe from being sent,

04:13.250 --> 04:15.470
and for that, we're going
to use the other tool

04:15.470 --> 04:17.865
that I'm going to
show you, Unicorn.

04:17.865 --> 04:20.010
But before we get into Unicorn,

04:20.010 --> 04:24.945
we're going to show
you the output

04:24.945 --> 04:31.430
of the payload of Metasploit.

04:31.430 --> 04:33.560
There you go, that's
the payload.exe.

04:33.560 --> 04:34.670
Obviously, I cannot run it here

04:34.670 --> 04:37.655
because I'm running
a Linux machine,

04:37.655 --> 04:45.415
but any protection tool
would easily detect a .exe file.

04:45.415 --> 04:47.680
Let's move to Unicorn.

04:47.680 --> 04:52.310
As I said, it's a Python tool.

04:54.920 --> 04:58.830
It's a fairly easy Python tool.

04:58.830 --> 05:03.610
We're going to run this
exact same command that we

05:03.610 --> 05:04.690
ran before with

05:04.690 --> 05:07.795
the exact same payload
that we did before,

05:07.795 --> 05:10.160
the reverse_tcp,

05:10.340 --> 05:14.050
but this time it's going
to be reverse_https,

05:14.750 --> 05:21.510
the same IP 21.

05:21.510 --> 05:25.810
Because it's a reverse_https,
we're going to use 443.

05:27.260 --> 05:30.210
While it's generating,

05:30.210 --> 05:32.250
the payload is going
to generate two files.

05:32.250 --> 05:36.170
The first one is the
text file, which will be

05:36.170 --> 05:39.349
delivered in the next
phase to the victim.

05:39.349 --> 05:43.255
The other one is the rc
file, as you can see here,

05:43.255 --> 05:46.970
and that's going to
configure MSFconsole or

05:46.970 --> 05:49.370
Metasploit to be able to execute

05:49.370 --> 05:51.259
and create the listener.

05:51.259 --> 05:52.730
Let's add that here,

05:52.730 --> 06:00.360
and that's the powershell.text,
and that's unicorn.rc.

06:03.470 --> 06:06.740
We have a number of
true or false questions

06:06.740 --> 06:09.770
for our post-assessment
questions.

06:09.770 --> 06:13.200
The first one is: the
weaponization phase is

06:13.200 --> 06:15.150
independent of
reconnaissance and can

06:15.150 --> 06:18.060
be done in parallel with it,

06:18.060 --> 06:21.075
and the answer here is false.

06:21.075 --> 06:23.480
As I said, reconnaissance

06:23.480 --> 06:25.700
is the most important step.

06:25.700 --> 06:27.710
You cannot go to weaponization.

06:27.710 --> 06:30.095
You won't create
a correct weapon

06:30.095 --> 06:33.295
if you bypass reconnaissance.

06:33.295 --> 06:37.590
The second question is:
in the weaponization phase,

06:37.590 --> 06:39.290
the attacker is actively trying

06:39.290 --> 06:42.090
to access the victim's node.

06:43.070 --> 06:46.215
Again, that's incorrect.

06:46.215 --> 06:50.180
False because weaponization is

06:50.180 --> 06:54.080
a fairly passive
phase and we're not

06:54.080 --> 06:55.880
going to communicate with

06:55.880 --> 06:59.075
the victim during the
weaponization phase.

06:59.075 --> 07:01.250
Finally, Metasploit will

07:01.250 --> 07:03.820
produce a text
file and a .rc file,

07:03.820 --> 07:05.400
and that's also incorrect.

07:05.400 --> 07:08.690
As you saw, Metasploit created

07:08.690 --> 07:10.970
an executable that we are

07:10.970 --> 07:14.075
supposed to get somehow
to the other side.

07:14.075 --> 07:17.240
Obviously, this can
be done if they

07:17.240 --> 07:18.860
have an open FTP port

07:18.860 --> 07:20.885
that has access to
a Windows server;

07:20.885 --> 07:22.670
you might be able
to get it there.

07:22.670 --> 07:27.170
However, any antivirus or

07:27.170 --> 07:31.475
any anti-malware tool, or
IPS, or IDS in the way,

07:31.475 --> 07:35.465
would actually detect
that executable file

07:35.465 --> 07:38.180
and most probably block
it in most cases.

07:38.180 --> 07:41.145
However, in Unicorn,

07:41.145 --> 07:43.310
we created a text
file that we are

07:43.310 --> 07:45.920
going to use to
send to the victim

07:45.920 --> 07:48.470
and a .rc file that
we're going to use to

07:48.470 --> 07:51.415
execute and create the listener.

07:51.415 --> 07:55.490
In today's episode, we covered
the weaponization phase

07:55.490 --> 07:57.530
and we went
through a couple of

07:57.530 --> 08:01.190
examples in
Metasploit and Unicorn.

08:01.190 --> 08:03.830
In the next episode we
will cover delivery.

08:03.830 --> 08:06.180
See you then.

