WEBVTT

00:00.000 --> 00:01.980
>> Hey guys, welcome back

00:01.980 --> 00:04.215
to the cyber kill chain
course on Cybrary.

00:04.215 --> 00:06.120
This is Abdulrahman
A. Alnaim and

00:06.120 --> 00:09.855
today we're covering
command and control.

00:09.855 --> 00:12.315
We went through the
cyber kill chain,

00:12.315 --> 00:13.830
we did our reconnaissance,

00:13.830 --> 00:16.395
we gathered as much
information as possible.

00:16.395 --> 00:19.020
We moved on to
weaponization where we

00:19.020 --> 00:21.570
created our payload
using MSFVenom,

00:21.570 --> 00:24.150
and then we moved on to
delivery where we created

00:24.150 --> 00:25.350
a social engineering attack

00:25.350 --> 00:28.440
using the social
engineering toolkit.

00:28.440 --> 00:32.510
Then we exploited the human
weakness in our systems.

00:32.510 --> 00:35.300
Every company, every entity,

00:35.300 --> 00:40.205
every organization has
the human weakness,

00:40.205 --> 00:42.470
vulnerability, so
we exploited that,

00:42.470 --> 00:44.480
and then we moved on
to installation and we

00:44.480 --> 00:47.645
installed our payload on
the victim's machine.

00:47.645 --> 00:50.120
Now that the payload
is installed

00:50.120 --> 00:51.289
on the victim machine,

00:51.289 --> 00:53.660
we need to start
communicating with that.

00:53.660 --> 00:57.020
That's when command and
control came into the picture.

00:57.020 --> 01:00.080
What we're trying to do is
we're trying to continue

01:00.080 --> 01:01.760
our target attack and

01:01.760 --> 01:04.855
communicate with the payload
to get more information.

01:04.855 --> 01:09.140
Now my payload is inside
the victim's machine

01:09.140 --> 01:11.314
or zoomed the victim machine.

01:11.314 --> 01:15.140
You can imagine
this as an extension

01:15.140 --> 01:18.515
of the victim's keyboard
on the attacker's side.

01:18.515 --> 01:23.930
I can command as I like,
I can scan the network,

01:23.930 --> 01:27.730
I can scan the
victim's workstation,

01:27.730 --> 01:29.540
and that's the whole
purpose of command and

01:29.540 --> 01:32.680
control: continue my operations.

01:32.680 --> 01:35.315
There's a number of
ways to do that.

01:35.315 --> 01:38.150
Remote administration
tool is one of them, RAT.

01:38.150 --> 01:39.380
There's a tool called

01:39.380 --> 01:41.315
RAT and it's one of
the most popular.

01:41.315 --> 01:44.180
The one we're using, the Metasploit

01:44.180 --> 01:48.050
console and Meterpreter,
is a very popular one.

01:48.050 --> 01:51.605
Another popular example, however,

01:51.605 --> 01:54.590
and for a lot of companies,
going through

01:54.590 --> 01:56.855
this option is
extremely difficult

01:56.855 --> 01:59.405
because they have
good protection tools

01:59.405 --> 02:02.535
and good security on their side.

02:02.535 --> 02:04.460
So hackers have to be creative.

02:04.460 --> 02:06.920
They came up with an
idea to use IRC protocol

02:06.920 --> 02:11.660
and kind of chat with
their basically payload

02:11.660 --> 02:14.255
or that asset
inside the network.

02:14.255 --> 02:16.760
So what they're doing is they're

02:16.760 --> 02:21.710
using the protocol to chat
with the payload and send

02:21.710 --> 02:24.290
the commands to it for
the payload to run.

02:24.290 --> 02:26.165
However, not a lot of companies

02:26.165 --> 02:28.880
and organizations
use IRC protocols,

02:28.880 --> 02:32.095
it's not that popular
in the corporate world.

02:32.095 --> 02:37.295
So if a company has a good
security operations center,

02:37.295 --> 02:39.680
they will easily
discover something or

02:39.680 --> 02:41.330
communication going out of

02:41.330 --> 02:43.505
the environment
using IRC protocol.

02:43.505 --> 02:45.050
However, if there's
something that

02:45.050 --> 02:48.800
is not really detected, or
even if it was detected,

02:48.800 --> 02:50.090
a lot of people would
assume it would

02:50.090 --> 02:53.630
be a legitimate connectivity,

02:53.630 --> 02:56.300
and that's social media.

02:56.300 --> 02:58.640
If a machine within

02:58.640 --> 03:01.100
an environment is
communicating with Twitter,

03:01.100 --> 03:03.920
a lot of people would
not assume that it is

03:03.920 --> 03:07.970
communicating with an
adversary or an attacker,

03:07.970 --> 03:10.790
and that's exactly
what hackers did.

03:10.790 --> 03:14.330
They created a Twitter
account that would publish

03:14.330 --> 03:17.420
or tweet commands that are

03:17.420 --> 03:21.890
then read by the payload and run

03:21.890 --> 03:23.220
within the victim's environment.

03:23.220 --> 03:26.460
The connectivity is
through Twitter.

03:26.460 --> 03:29.550
So even if the payload wants
to return something, it

03:29.550 --> 03:34.380
will tweet it on Twitter.

03:34.380 --> 03:37.865
This is one of the
more creative ways

03:37.865 --> 03:39.755
of doing command and controls.

03:39.755 --> 03:42.530
But the idea here
is to show you how

03:42.530 --> 03:47.265
creative hackers and
attackers can get.

03:47.265 --> 03:49.500
Let's go back to our example.

03:49.500 --> 03:53.070
We have our session here opened,

03:53.070 --> 03:54.850
and what I want to do

03:54.850 --> 03:58.000
is I want to see the
options that I have.

03:58.000 --> 04:01.355
As I said, there's
a lot of options.

04:01.355 --> 04:04.455
I can record, I can webcam chat,

04:04.455 --> 04:07.200
list the webcams if there's
any webcam available.

04:07.200 --> 04:10.630
I can run a key scan
and see what kind of

04:10.630 --> 04:15.305
things the person is writing.

04:15.305 --> 04:19.660
I can get this info and shut

04:19.660 --> 04:21.460
down the machine,
plant a shell on

04:21.460 --> 04:23.440
the victim's side, and so on.

04:23.440 --> 04:26.295
So there's a lot of things
that I can do here.

04:26.295 --> 04:29.090
Some of them, such as hash dump,

04:29.090 --> 04:31.220
I can get the hash dump

04:31.220 --> 04:33.260
of the contents of the
SAM database and then

04:33.260 --> 04:35.330
start cracking on
my side hoping to

04:35.330 --> 04:38.790
get the local admin password.

04:38.870 --> 04:43.385
Just to ensure connectivity,
let's do sysinfo,

04:43.385 --> 04:47.705
so I do have connectivity
with a Windows 10 machine.

04:47.705 --> 04:50.090
I have the good
information and so on.

04:50.090 --> 04:54.290
But let's do a screenshot
to ensure that I'm

04:54.290 --> 04:57.530
actually running
an actual machine

04:57.530 --> 05:00.665
and not just a honeypot.

05:00.665 --> 05:04.890
So we have the screenshot now.

05:04.890 --> 05:12.670
Let's copy it and display it.

05:14.390 --> 05:18.860
That's a screenshot of
the victim's machine.

05:18.860 --> 05:20.930
As I'm sure you remember,

05:20.930 --> 05:24.085
this was the last
page that we went to.

05:24.085 --> 05:28.730
Okay, so I can run
shell and then I have

05:28.730 --> 05:34.980
connectivity to the
machine shell-code.

05:34.980 --> 05:37.055
So I can run command prompt

05:37.055 --> 05:41.780
from this machine on the
machine on the other side.

05:41.780 --> 05:44.270
Okay, so we're going
to get more into

05:44.270 --> 05:46.910
this in action on objectives.

05:46.910 --> 05:49.040
However, to make sure

05:49.040 --> 05:51.215
that we covered command
and control correctly,

05:51.215 --> 05:54.830
let's go through these
post-assessment questions.

05:54.830 --> 05:56.090
So what is the main purpose

05:56.090 --> 05:57.835
of the command and
control phase?

05:57.835 --> 06:00.255
As I said, the command
and control phase's

06:00.255 --> 06:02.810
main goal or main
purpose is to have

06:02.810 --> 06:05.540
connectivity to my
asset inside

06:05.540 --> 06:06.949
the victim's network.

06:06.949 --> 06:10.880
This would give me the
opportunity to continue

06:10.880 --> 06:12.680
my operations and continue

06:12.680 --> 06:16.820
the attack from my
remote session.

06:16.820 --> 06:20.000
Second question is, why do
I need command and control?

06:20.000 --> 06:23.925
Because if I don't have
command and controls,

06:23.925 --> 06:28.040
I would have to design
my malware in a way

06:28.040 --> 06:29.810
that would go through
everything that I

06:29.810 --> 06:32.030
want and send it
back to education.

06:32.030 --> 06:34.415
I won't have the capability

06:34.415 --> 06:38.105
to explore or extend
my exploitation.

06:38.105 --> 06:40.700
So I can't go and get one
thing out and come back,

06:40.700 --> 06:41.900
and that's one thing.

06:41.900 --> 06:44.150
However, if I can
get more information

06:44.150 --> 06:47.270
as an attacker and
expand my attack,

06:47.270 --> 06:48.980
that would be a lot better

06:48.980 --> 06:51.665
from the attacker's
point of view, obviously.

06:51.665 --> 06:54.920
Finally, direct access is a must

06:54.920 --> 06:58.000
to have a successful
command and control.

06:58.000 --> 07:01.360
As we discussed, this
is not really the case.

07:01.360 --> 07:03.470
Remember the Twitter
account and the

07:03.470 --> 07:07.670
Twitter tweeting the commands

07:07.670 --> 07:10.819
from the command
and control center

07:10.819 --> 07:14.300
to the payload
inside the network.

07:14.300 --> 07:17.300
So connectivity
between the payload

07:17.300 --> 07:22.625
and the attacker is not
necessary at all times.

07:22.625 --> 07:27.665
Hackers are more
creative than just

07:27.665 --> 07:30.680
basically using one way of

07:30.680 --> 07:35.365
communicating with their
assets inside the environment.

07:35.365 --> 07:38.360
Okay, so on today's episode

07:38.360 --> 07:40.740
we covered command and control.

07:40.740 --> 07:42.170
In the next episode,

07:42.170 --> 07:46.850
we move on to the last phase
of the cyber kill chain.

07:46.850 --> 07:52.600
We will cover action on
objectives. See you then.

