00:00:00,060 --> 00:01:33,460
All right, so welcome back, everyone. This session is about launching BeEF. Let's get started. OK, so let's go to our Kali machine, because that's where all the magic happens. We'll have to launch the terminal first. Let's get access as root. Oh, sorry. That's bad. All right, wonderful. So we got the access, and now the first thing that you need to do is install BeEF on your system. To do that, you can straight away make use of the apt package manager and install beef right away. In my case, it's already installed, so it should show me that beef is already at the newest version, and I should be good enough with it. Another way is you can clone the package from the GitHub site itself, so you can go to GitHub, search for beef, and that's where you get it. I mean, basically you get the files; you can make use of the git clone command, and that package will be installed. All right, so this is pretty quick. Now let's go. Once you do this, because we are in root, the package goes directly into root. So the package is supposed to be in root itself.
00:01:33,480 --> 00:03:13,970
And this is what the package really looks like, the beef directory. Now we have to get into this. I'm sorry, we have to get into this directory, and you see, once you get this, you have to install it; you have to initiate the installation of it. For the installation to be initiated, we have to make use of a script, which is this one, the install script. You can do this like this. And the moment you do that, it will get started; now, because in my case it's already done, it just gets auto completed. You don't have to do anything with it, because in my case I have already completed it. I can say No and go. Now, once the installation is complete, you have to launch the dashboard, right? But BeEF won't allow you to access it. So let me show you. Once it is done, I have to be in the same directory. And if I show you, in the same directory, as we made use of install, in order to launch we have to make use of beef as well. So I make use of ./beef, which is again a script. Once I hit Enter, BeEF will be initiated, will be launched as well. Now, if it's the first time you are doing this, you would be getting an error saying to change the default password.
00:03:14,690 --> 00:04:43,160
I mean, if you don't do that, BeEF won't be initiated. How can you change the password then? What you can do is you can go to the config script. This is the file where all the settings really reside. So you can do nano config.yaml. And once you go and do it, this is where the credentials are defined. Usually it's beef; I have changed it. You can come out, and that's easy. That's what it is. Once you do that, then you can again make use of that ./beef, and BeEF will be initiated. The beef tool will take some time to load the package, and then only it will get started with it. All right. Oh, we have some error here. Look at this. This might occur in many situations, and not just in the case of BeEF, in many other cases as well. So it seems like there is some process running, or I might have tried earlier as well, and because of that there is still the same process or some service running on the same port. So what you can do is you can search for what exactly the process ID is. OK, if there is any duplicate process already on the same port, which I haven't really done so far, we have to kill the process. So how do we identify which process already has the port?
00:04:43,400 --> 00:06:15,130
So, to be very honest, you won't find this problem regularly. You'll find it when you make use of it very often. OK, so what you can do is you can simply go and get the idea about what the number for it is, so you can make use of lsof and then make use of -t -i, and you can define the port, which gives the process identifier. In our case we have trouble with 3000, so we can mention the 3000 port number. This will give us the process ID on 3000. Oh, we have some trouble. OK, sorry, it has to be -i. Wonderful. So this is the process. Once you get the process ID, we have to kill this process. OK, so once we kill this, we can initiate the session. So in order to do this, we can make use of the command kill and then -9; that's the option for killing the process, and then define what the process ID is. Once you hit Enter, now this process has been killed. And now you can try making use of the beef command again. And it worked this time. BeEF is loading. Wait a few seconds. Lovely. It worked, all right. Huh.
00:06:15,590 --> 00:07:43,040
So now you can see BeEF is giving some information about it, right? There are 305 modules, 8 extensions enabled: events, proxy, admin UI. This is what we are looking for, to control everything, everything about the user activity or post-exploitation activity and everything. So we need to have the admin UI. There are some social engineering packages as well, cross-site scripting, XSS. Many of the stuff. There's one more thing which is needed: the malicious script. We need to have the script that we can make use of and give to the victim machine. If you remember the example, we made an email, a phishing e-mail, which was getting the JavaScript code into it. Now, this is something that we will be building up with the BeEF tool. And this is what it is: it is basically the hook URL. So this is what we'll be hooking to the user. It will be injecting this JavaScript to the user. And this is the dashboard we need to get access to, right? So unless you change the password, if you remember, you won't be getting access to the UI at http. It's not actually https yet.
00:07:43,690 --> 00:09:27,970
And then you define, oh, in this case, because we are on the local system itself, you can make use of 127.0.0.1 and the 3000 port. And then we have /ui, and then /ui/panel. Let's say you can make use of the same password. Lovely. You could see the dashboard is open and it is full of information. You can see the logs, zombies and everything, right? These are some of the offline devices, devices which are no longer associated. Once you have the JavaScript code being used, you could see all the devices online, you know, that made use of them. So this is the malicious script. If somebody clicks on this link, they get compromised; I'll show you how exactly. So even if somebody tried to click on this link directly, I should be getting their access, right? Let me go back and let me open up the machine. This is not the real attack at this point, because we'll have to make it more realistic. I'm just giving you an example. So even if somebody tried to, let's say, access the http address, because this is the, we have to make use of the network IP address in this case; the reason is this has to be network discoverable.
00:09:27,970 --> 00:10:55,240
If somebody is trying to access any site being in the local system, the localhost 127.0.0.1 would be helpful; if somebody accesses from another host, the real IP address, the network IP address, is needed, and that's the real network IP address you can see over here. And then we can define hook.js, right? Once you hit Enter, this would probably be injected into the system. And this is the way the attacker's JavaScript gets inserted into the platform itself. And if you could see, although it says there's an error and everything, this is what we'll be inserting into the real system itself. OK, so what we made use of is this hook.js file. And once we tried doing it directly on the browser, it didn't work. You see this? Do you want to save this file? Because this is considered as a file in that case. So that's why I will be making use of it on a site. That's why we need a vulnerable site to be accessed. Because if you see, if the user is directly getting the JavaScript file and putting it on the URL, it's not really going to work, because this would be taken as a file.
00:10:55,950 --> 00:11:54,900
What is really needed, if you remember the example, we need the real vulnerable site which takes the data and gives it back as it is, throws it back as it is, reflected XSS. That's why I will be making use of DVWA. In our case, we will be throwing the same JavaScript code to the website, to our vulnerable site, so that it will reflect back to the machine, and that's how the system gets compromised. So I hope you got the idea that this is not the way we'll be inserting the code directly into the browser. You got the idea. And this is not the way we'll be directly inserting into the browser; rather, we'll be inserting it onto the infected site by the machine directly, and we'll see what response comes back. All right. So let's get started with our lab in the next session and really capture this. Thank you.