1
00:00:00,060 --> 00:00:19,270
Welcome back, everyone. This is [inaudible] and you are watching the session on reverse shell versus bind shell.
So we will be understanding both of the shells, understand which one to use and which one really works better than the other.
Let's get started.

6
00:00:20,070 --> 00:01:20,310
Let's first understand the bind shell before we jump into the reverse shell, and understand where exactly we are going to use it.
At the moment we select any payload, when you either create a payload through tools like msfvenom, which we will be talking about in the next session, or you are making use of, or you are ready to listen on, the Metasploit framework.
In both the situations, it is important to select the right payload.
OK, if you end up selecting the wrong payload, you might not establish the connection with the target and you might not be able to perform your exploitation as well.
So before you choose, you have to be very cautious about it.
OK, and I'll tell you which one to go with without thinking twice.

17
00:01:21,180 --> 00:01:34,560
Let's get started. Let's first understand the bind shell.
In the bind shell, you have your hacker, who is sitting on the right side, and you have your victim that you're targeting, basically.
Now, what are you going to do?
22
00:01:34,590 --> 00:01:55,690
What you are going to do is, first thing, you would be delivering a malware that would be delivered to your target machine through any medium. Right.
So you have delivered a malware on your target machine through a phishing email, through USB, or maybe [inaudible].
Your job is just to deliver it.

28
00:01:56,190 --> 00:02:23,460
Now, in the bind shell method, it's the job of the malware to open up a listening session on a particular port.
OK, so the moment the malware gets installed, it starts listening on a port, just like a server.
So in case of the bind shell, the victim itself becomes a server, OK, and it starts listening on a port.
So that means anybody can connect, and so do hackers.

33
00:02:24,030 --> 00:03:08,450
So what happens is the hackers start to establish a connection with the victim machine on port 80, because it becomes a client in that case. Right.
So in that case, it sends the connection request and the connection gets accepted by the victim machine, and then the hacker gets the complete access to the machine and achieves the objective accordingly.
But remember this: in case of the bind shell method, the victim itself starts listening on a certain port. All right.
So that's what happens in the bind shell.
Now, what's the downside of it?
42
00:03:08,850 --> 00:03:34,020
The downside is this is never going to work, or mostly will not work, in a situation when the target environment is having a firewall, because usually a firewall by default denies all the incoming traffic. All right.
So being a stateful behavior, whenever the connection is originally generated from outside and comes inside, it's by default blocked.

47
00:03:34,440 --> 00:04:06,870
So that's why you have never noticed, you know, applications like Facebook or Google coming to you proactively and asking, hey, you want to browse on my site, or hey, you want to look at this; it's always you who go out and then the response comes back.
So by default, because that is the purpose of a stateful behavior firewall, by default the connection from inside to outside is allowed as per the policy, and outside to inside is by default blocked.

52
00:04:07,080 --> 00:04:41,430
And that's why this kind of method will not work in the situation of an enterprise network, but it might work in a public network like Web applications, which are open to everyone. Right.
But this will not work in a situation where it's an enterprise network, where the perimeter of the network is protected with the firewall. All right.
Let's learn about the reverse shell.
So I hope you got the idea about where to use the bind shell.
60
00:04:41,430 --> 00:04:55,050
You can use it for the Web applications, which are open for everyone, but it cannot be used for the targets like Windows machines or laptops which are inside the perimeter of the network. Right.

63
00:04:55,680 --> 00:05:42,950
So let's learn about the reverse shell. In the reverse shell you would have, again, a hacker and the victim; again, in the same situation, you deliver a malware to the machine.
OK, this is exactly what we have seen in the situation of the bind shell.
But this one has a very interesting difference: instead of the victim opening up a listening session on a port, in this case the hacker starts that. OK, the hacker machine starts a listening session, and that means the hacker becomes a server in that situation and opens up a port, and the port usually could be 80 because it's well known and normally gets allowed.

71
00:05:44,240 --> 00:06:15,740
So in that situation, the malware or the victim machine sends the request to the hacker.
And you know what? It's mostly going to work, because if you recall earlier what I told about the firewall: in the situation of a firewall, the firewall by default allows a connection from inside to outside.
In our situation, the victim is sitting in the inside network and the hackers are in the outside world. Right.
78
00:06:16,040 --> 00:07:00,480
So in this situation, the connection would be allowed to access the outside world, because it would think, OK, it's a genuine internal user, a trusted user, trying to access a certain Web application, which is by default allowed in most of the situations.
If there's a strict policy about some application, like whitelisting everything, it might be blocked as well.
But in most of the situations, if the hacker is smart enough, making use of a good domain name, whitelisting, and all those good techniques, it might work as well.
So that all depends on the kind of strategies or techniques used by the hacker. And this mostly works.

87
00:07:01,010 --> 00:07:45,290
So this is how the reverse shell works. Instead of the machine opening up the listening session, the hacker opens up the listening session; instead of the hacker sending the connection request, the victim machine sends the connection request. Right.
And that's why it works very well in a situation of an enterprise network, which is pretty widely bounded with the perimeter security.
So for compromising client machines like Windows in the corporate network, or personal home users, or maybe any machines running Mac OS, even mobile phones as well, mobile devices as well, this idea works.
97
00:07:45,290 --> 00:08:20,250
The reverse mechanism works for us, and this reverse session can be of multiple types, where we can make use of different kinds of sessions.
So you see, this kind of session is basically a TCP session, OK, where by default it's going to be a TCP session where the three-way handshake happens: the client sends the SYN request message and the server sends a SYN-ACK message. Finally the client sends the ACK. That's how the SYN, SYN-ACK, ACK three-way handshake gets completed, and after that the actual packet moves on. Right.

106
00:08:20,660 --> 00:08:44,550
So the first option is making use of a reverse TCP session, which we can make use of; the problem is, it is pretty much readable.
Anybody can inspect it; if you have any inspection device or any normal firewall as well, it can read what exactly is going inside of the session.
And if it finds any malicious traffic inside, it can detect it. Right.

112
00:08:45,320 --> 00:09:08,240
Reverse HTTP as well: as most of the organizations are fine with it, that should be a well known port, so you might pass through it.
Your traffic, your malicious traffic or whatever you're talking in the shell, will be going inside the HTTP traffic.
So it might bypass some of the devices in between.
118
00:09:09,170 --> 00:09:56,510
But in a situation of reverse HTTPS, it is found to be a tunnel-based communication which makes use of SSL.
That's why it is pretty much secure enough, so that only the victim and the hacker know what exactly is happening in between.
So even if you have a firewall in between, it will never know what kind of conversation or what kind of traffic is going back and forth across this session.
OK, so most of the time the advanced threats make use of the reverse HTTPS sessions in that situation. All right.

127
00:09:56,780 --> 00:10:10,870
So we'll be making use of reverse HTTPS throughout the course, and we'll see how effectively we can make use of it. All right.
So I hope this was really helpful for you. Will catch you in the next session. Thank you.