1
00:00:00,470 --> 00:00:06,830
So another important thing to remember is it's vital to remove the backdoor once you put a backdoor

2
00:00:06,830 --> 00:00:07,520
on a system.

3
00:00:07,610 --> 00:00:10,460
Anyone can use that backdoor to compromise the system.

4
00:00:11,410 --> 00:00:16,090
Of course, there are some methods to prevent unintended usages of a backdoor, but still.

5
00:00:17,290 --> 00:00:19,900
You have to remove the backdoor when you finish with it.

6
00:00:21,560 --> 00:00:27,110
There are two plus one steps to remove the backdoor we put in the previous lecture.

7
00:00:29,320 --> 00:00:33,220
Now, in the first step, we're going to remove the backdoor with a Meterpreter session.

8
00:00:34,390 --> 00:00:40,510
Now, as you know, there are different file system commands in Meterpreter that you can use on the

9
00:00:40,510 --> 00:00:41,410
remote host.

10
00:00:41,800 --> 00:00:46,960
And one of them is rm, which is used to remove the specified file.

11
00:00:48,900 --> 00:00:57,570
Now, the rm command needs the full file name, so let's scroll up to find the installed file path

12
00:00:57,570 --> 00:00:58,380
and the name.

13
00:00:59,730 --> 00:01:02,340
Here are the messages of the persistence command.

14
00:01:02,910 --> 00:01:05,640
And here is the file and the full path.

15
00:01:06,890 --> 00:01:13,100
So as you imagine, the path is different from the previous lecture, because this is another backdoor

16
00:01:13,100 --> 00:01:14,570
that I created off the record.

17
00:01:15,080 --> 00:01:19,490
So no matter what, just find the backdoor file and its location.

18
00:01:20,640 --> 00:01:28,350
Now, let me find the file in the victim machine: Documents and Settings, Administrator dot seal to, Local

19
00:01:28,350 --> 00:01:28,890
Settings,

20
00:01:29,340 --> 00:01:29,760
Temp.

21
00:01:31,520 --> 00:01:32,390
This is the file.

22
00:01:34,310 --> 00:01:37,250
So I'll copy the full file path.

23
00:01:38,620 --> 00:01:42,220
And give it as the parameter of the rm command.

24
00:01:43,000 --> 00:01:49,360
Now don't forget to duplicate the backslashes, as I mentioned before. The first backslash is the

25
00:01:49,360 --> 00:01:50,920
indicator of a special character.

26
00:01:51,130 --> 00:01:54,010
And the second one is that special character.

27
00:01:55,050 --> 00:01:56,820
Now it says that the access is denied.

28
00:01:57,060 --> 00:02:04,350
So maybe I don't have the necessary rights, so I'll want to use the getsystem Meterpreter command to gain

29
00:02:04,350 --> 00:02:05,730
the SYSTEM privileges.

30
00:02:06,390 --> 00:02:07,320
So I got the system.

31
00:02:08,270 --> 00:02:10,040
Now, try to delete the file again.

32
00:02:11,660 --> 00:02:12,350
My mistake?

33
00:02:12,830 --> 00:02:15,350
I put the path, but didn't put the file name.

34
00:02:16,740 --> 00:02:20,240
So now I copy the file name and paste it at the end of the path.

35
00:02:24,650 --> 00:02:25,040
OK.

36
00:02:25,670 --> 00:02:27,260
The file is now deleted.

37
00:02:28,600 --> 00:02:32,800
So the first step is pretty much enough to destroy the backdoor.

38
00:02:33,220 --> 00:02:35,690
But, you know, it's better to be safe than sorry.

39
00:02:35,710 --> 00:02:38,260
So let's just clean the system.

40
00:02:39,330 --> 00:02:44,250
So I'd like to delete the registry key that is created by the persistence method.

41
00:02:45,170 --> 00:02:45,500
Again.

42
00:02:46,410 --> 00:02:48,900
Scroll up to find the created registry key.

43
00:02:49,830 --> 00:02:52,350
Here, I'll copy the full path and name.

44
00:02:53,160 --> 00:02:59,850
So we're going to use the reg command to delete the registry key. When we type reg and hit enter,

45
00:03:00,760 --> 00:03:02,740
we reach the help page of the command.

46
00:03:04,820 --> 00:03:08,120
Well, I made millions of unsuccessful attempts.

47
00:03:08,570 --> 00:03:13,610
I don't want to delete these attempts, just to show you that you shouldn't give up easily to succeed.

48
00:03:21,920 --> 00:03:27,440
OK, so here's the correct reg command to delete a key: it's reg

49
00:03:28,470 --> 00:03:34,950
deleteval, -k, the full path of the key, -v, the name of the key.

50
00:03:39,170 --> 00:03:41,330
I think we finally deleted the registry key.

51
00:03:42,380 --> 00:03:46,310
So let's go to the victim system and just check to make sure it's deleted.

52
00:03:47,090 --> 00:03:51,380
Refresh the registry editor and yeah, the key has gone.

53
00:03:52,520 --> 00:03:56,090
So the next step is not related to the victim machine.

54
00:03:56,420 --> 00:03:59,030
I just wanted to clean up my own system, Kali.

55
00:04:00,710 --> 00:04:06,710
So when I run the persistence method, a folder is created to keep the logs of that persistence session,

56
00:04:07,100 --> 00:04:09,530
so let's delete the folder for perfect cleaning.

57
00:04:11,060 --> 00:04:12,680
I now open a new terminal screen.

58
00:04:13,310 --> 00:04:16,130
I'm in the home folder of the current user, root.

59
00:04:17,320 --> 00:04:21,820
ls -la to see all the files and folders, including the hidden ones.

60
00:04:22,900 --> 00:04:29,110
Now there is a folder named .msf4. Use the cd command to go inside that folder.

61
00:04:30,410 --> 00:04:32,300
Now go to the logs folder.

62
00:04:33,170 --> 00:04:35,540
There is a folder called persistence in it.

63
00:04:36,020 --> 00:04:37,190
Go to that folder as well.

64
00:04:38,140 --> 00:04:40,180
As you see, there is a folder here.

65
00:04:40,750 --> 00:04:44,620
The first part of the folder is the domain name of our victim machine.

66
00:04:44,920 --> 00:04:50,380
And the rest is the date and time of the first usage of the persistence method.

67
00:04:51,710 --> 00:04:58,340
So here you can use the rm command with -rf as the parameter to delete any non-empty folder.

68
00:04:59,000 --> 00:04:59,810
And that's all.