1
00:00:00,910 --> 00:00:09,460
Let's see how we can create a basic malicious Windows executable using the msfvenom tool. 64-bit Windows

2
00:00:09,460 --> 00:00:11,080
8 is the victim system.

3
00:00:11,920 --> 00:00:14,830
Choose an executable to use as a template.

4
00:00:15,400 --> 00:00:17,890
The output malware will be the same size

5
00:00:17,890 --> 00:00:22,970
with this template file. I'm going to use the putty.exe file as the template.

6
00:00:23,650 --> 00:00:26,380
Let's copy putty.exe actually to work on it.

7
00:00:26,950 --> 00:00:30,970
First, look at the IP address of the target machine here.

8
00:00:31,330 --> 00:00:31,810
Kali.

9
00:00:33,410 --> 00:00:41,930
You can use WinSCP as a tool to transfer a file from a Windows system to a Linux system. SCP, secure copy,

10
00:00:42,110 --> 00:00:48,080
is a means of securely transferring computer files between a local host and a remote host, or between

11
00:00:48,080 --> 00:00:49,220
two remote hosts.

12
00:00:49,460 --> 00:00:53,370
It's based on the SSH, Secure Shell, protocol.

13
00:00:54,020 --> 00:01:00,920
Now, since WinSCP uses the SSH protocol, you should be sure the SSH service is running on Kali.

14
00:01:01,640 --> 00:01:06,740
Check the status of the SSH service using the service ssh status command.

15
00:01:08,810 --> 00:01:10,850
It's already active on my Kali.

16
00:01:11,750 --> 00:01:18,560
If it's not running, use service ssh start to start the SSH service in your Kali machine.

17
00:01:27,450 --> 00:01:32,880
If you try to log in with WinSCP using the root user, you may see the access denied message.

18
00:01:33,750 --> 00:01:38,960
That means using the SSH server with the root user is denied in your Kali machine's

19
00:01:38,970 --> 00:01:47,100
SSH server configuration. Either change the SSH server config to be able to connect with the root user

20
00:01:47,340 --> 00:01:50,850
or create a new user to use SSH connections.
21
00:01:52,060 --> 00:01:54,400
I choose to create a new user.

22
00:01:54,880 --> 00:02:02,860
You can use the adduser or useradd commands on the terminal screen or the Users interface to add a new user.

23
00:02:03,490 --> 00:02:07,780
I've already added a user before, the SSH user, for this purpose.

24
00:02:08,200 --> 00:02:10,600
You can add a similar user to your system.

25
00:02:17,310 --> 00:02:21,000
Connect with WinSCP using the SSH user's credentials.

26
00:02:40,790 --> 00:02:47,390
Find the exe file on the Windows side. In this example, it's on the desktop of the current user.

27
00:02:47,840 --> 00:02:57,590
Copy it to the Kali machine, in here to the home folder of the SSH user in Kali. Use the ls command in the terminal

28
00:02:57,590 --> 00:03:00,350
screen to see if the file is transferred successfully.

29
00:03:09,660 --> 00:03:14,940
Now we're ready to create a malicious executable using the putty.exe file as a template.

30
00:03:18,630 --> 00:03:26,670
Prepare the appropriate msfvenom command. The first parameter is -p, which specifies the payload

31
00:03:26,670 --> 00:03:27,150
used.

32
00:03:27,810 --> 00:03:30,990
You have to find the correct payload according to your target.

33
00:03:31,590 --> 00:03:38,130
Don't forget to choose a payload with the correct platform, correct architecture, correct connection

34
00:03:38,130 --> 00:03:39,570
method, etc.

35
00:03:40,850 --> 00:03:44,560
You can see the available payloads using the msfvenom

36
00:03:44,570 --> 00:03:45,890
-l payloads command.

37
00:03:49,490 --> 00:03:51,350
There are a lot of payloads available.

38
00:03:51,740 --> 00:03:58,010
And since the target machine is 64-bit, we can filter the results using the grep command with a pipe.

39
00:04:09,260 --> 00:04:17,810
We use the windows/x64/meterpreter/reverse_tcp payload for this example.

40
00:04:20,960 --> 00:04:25,400
Let's have a pause here and have a small introduction to the world of Metasploit.
41
00:04:26,430 --> 00:04:31,050
Metasploit Project is the most used penetration testing framework in the world.

42
00:04:31,530 --> 00:04:37,140
It can be used to test the vulnerability of computer systems or to break into remote systems.

43
00:04:37,890 --> 00:04:44,610
Metasploit was created by H.D. Moore in 2003, using Perl. By 2007,

44
00:04:44,820 --> 00:04:48,690
the Metasploit Framework had been completely rewritten in Ruby.

45
00:04:49,500 --> 00:04:53,670
In 2009, the project was acquired by Rapid7.

46
00:04:54,270 --> 00:05:00,510
Now they have a free and open source version, Metasploit Framework, and a commercial version,

47
00:05:00,840 --> 00:05:02,310
Metasploit Pro.

48
00:05:03,340 --> 00:05:11,050
Its best known sub-project is the open source Metasploit Framework, a tool for developing and executing

49
00:05:11,050 --> 00:05:14,710
exploit code against a remote target machine.

50
00:05:15,780 --> 00:05:22,830
The msfconsole is probably the most popular interface to the Metasploit Framework, MSF.

51
00:05:23,610 --> 00:05:30,630
It provides an all-in-one centralized console and allows you efficient access to virtually all of the

52
00:05:30,630 --> 00:05:32,730
options available in the MSF.

53
00:05:33,600 --> 00:05:40,500
msfconsole may seem intimidating at first, but once you learn the syntax of the commands, you will

54
00:05:40,500 --> 00:05:44,070
learn to appreciate the power of utilizing this interface.

55
00:05:45,510 --> 00:05:52,140
Meterpreter, short for the Meta-Interpreter, is an advanced payload that is included in the Metasploit

56
00:05:52,140 --> 00:05:52,680
Framework.

57
00:05:53,520 --> 00:05:59,760
Its purpose is to provide complex and advanced features that would otherwise be tedious to implement

58
00:05:59,910 --> 00:06:01,080
purely in assembly.
59
00:06:01,980 --> 00:06:07,350
The way that it accomplishes this is by allowing developers to write their own extensions in the form

60
00:06:07,350 --> 00:06:15,450
of shared object (DLL) files that can be uploaded and injected into a running process on a target computer

61
00:06:15,780 --> 00:06:17,880
after exploitation has occurred.

62
00:06:18,750 --> 00:06:26,130
Meterpreter and all of the extensions that it loads are executed entirely from memory and never

63
00:06:26,130 --> 00:06:27,120
touch the disk.

64
00:06:29,090 --> 00:06:34,010
Let's continue to create a malicious executable using the msfvenom tool.

65
00:06:34,730 --> 00:06:36,640
Now, the first parameter was the payload.

66
00:06:37,100 --> 00:06:39,860
We can choose the platform here, Windows.

67
00:06:40,070 --> 00:06:45,530
But since we chose a Windows payload, the tool already understands the platform.

68
00:06:46,220 --> 00:06:47,360
Same as the platform,

69
00:06:47,360 --> 00:06:56,690
we can set the architecture, x64, using the -a parameter, because we use a payload for the x64 architecture.

70
00:06:57,050 --> 00:07:03,470
The tool already understands the architecture, so we don't need to use the arch and platform parameters in

71
00:07:03,470 --> 00:07:04,220
this example.

72
00:07:05,310 --> 00:07:10,500
The next parameter is -f, to determine the format of the output file.

73
00:07:11,070 --> 00:07:16,380
You can use msfvenom --help-formats to see the available formats.

74
00:07:24,970 --> 00:07:27,880
We only use the exe in this example.

75
00:07:34,290 --> 00:07:39,030
Then specify the template file using the -x parameter with the template file.

76
00:07:46,330 --> 00:07:49,720
Name the output file with the -o parameter.

77
00:08:00,480 --> 00:08:07,050
Now is the time to define the options of the payload. To see the options of the payload, you can use

78
00:08:07,050 --> 00:08:10,080
the --payload-options parameter with the payload.
79
00:08:16,170 --> 00:08:20,940
We have to assign the LHOST and the LPORT options of the payload here.

80
00:08:26,080 --> 00:08:29,620
Complete the command again: output file format,

81
00:08:34,050 --> 00:08:34,920
template file,

82
00:08:41,010 --> 00:08:42,600
and output file name.

83
00:08:58,270 --> 00:09:05,470
Now assign the LHOST and LPORT options of the payload. LHOST is the IP address of the listener machine,

84
00:09:05,830 --> 00:09:12,160
in this example our Kali machine. LPORT is the port which will be open to listen for the sessions.

85
00:09:16,360 --> 00:09:18,220
Hit enter to create the malware.

86
00:09:27,250 --> 00:09:35,770
As you see, no arch is selected; the tool selected x64 from the payload. And no platform is selected;

87
00:09:36,040 --> 00:09:43,420
the tool automatically selected Windows from the payload. Again, to be sure, go to the folder and see

88
00:09:43,420 --> 00:09:44,680
the created malware.

89
00:09:46,700 --> 00:09:50,660
The attacker should find a way to make the victim accept and run the malware.

90
00:09:51,170 --> 00:09:56,780
Let's just copy the malware to the victim's machine at the moment and suppose that we sent it as an

91
00:09:56,780 --> 00:09:58,610
attachment to a phishing email.

92
00:09:59,730 --> 00:10:04,320
First, let's try to copy the file to the Windows machine while Windows Defender is running.

93
00:10:16,160 --> 00:10:19,970
As you can see, Windows Defender recognized the malware

94
00:10:38,380 --> 00:10:40,120
and deleted it in seconds.

95
00:10:41,340 --> 00:10:42,390
Can you guess why?

96
00:10:43,140 --> 00:10:49,560
Because we used a standard Metasploit payload, which is very well known, and Windows Defender recognized

97
00:10:49,560 --> 00:10:50,220
it easily.

98
00:10:51,520 --> 00:10:58,480
To see the payload in action, let's turn Windows Defender off and send the malware again.
99
00:11:14,640 --> 00:11:20,670
As an attacker, we need to listen to capture the sessions of the victims who run the malware.

100
00:11:22,150 --> 00:11:23,950
Start msfconsole.

101
00:11:27,940 --> 00:11:29,920
You'll have a Metasploit Framework shell.

102
00:11:31,550 --> 00:11:32,930
Search for the handlers.

103
00:11:38,990 --> 00:11:43,160
Use exploit/multi/handler for this example.

104
00:11:50,900 --> 00:11:55,130
In the handler, we have to use the same payload that we used in the malware.

105
00:12:06,360 --> 00:12:09,240
List the options with the show options command.

106
00:12:10,570 --> 00:12:12,460
Set the listener address and port.

107
00:12:17,320 --> 00:12:24,100
Since the default port is the same as the port we assigned in the malware, we can leave it as is.

108
00:12:25,070 --> 00:12:26,390
And run the handler.

109
00:12:26,780 --> 00:12:29,060
It starts to listen at that moment.

110
00:12:30,300 --> 00:12:33,630
Now, go back to the victim machine and run the malware.

111
00:12:38,580 --> 00:12:42,210
Voila, we got the session from the victim machine.

112
00:12:43,140 --> 00:12:46,920
Look at the system info using the sysinfo Meterpreter command.

113
00:12:47,640 --> 00:12:49,980
It's a 64-bit Windows machine.

114
00:12:50,700 --> 00:12:51,960
Look at the user ID.

115
00:12:52,800 --> 00:12:57,360
Meterpreter has a lot of excellent commands to compromise the victim's machine.

116
00:12:58,170 --> 00:13:00,570
Use the help command to see some of them.

117
00:13:10,860 --> 00:13:13,740
Let's take a screenshot of the victim machine.

118
00:13:32,360 --> 00:13:38,600
When we list the currently running processes using the tasklist command in the victim machine, we see

119
00:13:38,600 --> 00:13:39,740
the malware running.

120
00:13:40,490 --> 00:13:46,490
You can kill it using the taskkill command with the /PID parameter.

121
00:13:52,870 --> 00:13:56,230
Use the /F parameter to force it to be killed.
122
00:14:01,430 --> 00:14:07,130
As soon as the malware process is killed, the Meterpreter session dies as well.