1
00:00:00,480 --> 00:00:05,250
Let's try to create malware which cannot be detected by the security systems.

2
00:00:06,180 --> 00:00:10,290
I'd like to try to create a backdoor with msfvenom first.

3
00:00:13,780 --> 00:00:17,230
Go to the TheFatRat folder and run the fatrat script.

4
00:00:18,360 --> 00:00:24,900
If you let the tool add a shortcut to the system, you don't need to go to the TheFatRat folder.

5
00:00:25,230 --> 00:00:26,810
You can run it from anywhere.

6
00:00:28,510 --> 00:00:33,640
It checks all dependent applications and conditions, such as the internet connection, at the beginning.

7
00:00:39,840 --> 00:00:42,600
A "Don't upload to VirusTotal" warning.

8
00:00:47,490 --> 00:00:53,880
OK, there are several different methods to create backdoors using TheFatRat. You can create backdoors

9
00:00:53,880 --> 00:01:00,380
here using msfvenom, Fudwin, Avoid, Pwnwinds, et cetera.

10
00:01:01,020 --> 00:01:06,420
In addition, you can add backdoors into original Android APK packages.

11
00:01:07,230 --> 00:01:14,220
Let's create malware with a backdoor using msfvenom in this example. Type one and hit Enter

12
00:01:14,220 --> 00:01:15,240
in the main menu.

13
00:01:16,700 --> 00:01:19,430
The msfvenom creator module menu appears.

14
00:01:20,790 --> 00:01:26,700
Now, since our victim machine's operating system is Windows, I chose the second option in this

15
00:01:26,700 --> 00:01:27,120
menu.

16
00:01:27,840 --> 00:01:34,320
It first gives me the IP information of my local machine, then asks for the listener IP address.

17
00:01:34,800 --> 00:01:36,030
Thanks for the kindness.

18
00:01:37,520 --> 00:01:44,750
Since I use this machine as the listener, I enter its IP address. It asks for the listener port; I'll

19
00:01:44,750 --> 00:01:47,630
choose 5555 for this time.
20
00:01:48,790 --> 00:01:55,600
Now it wants me to enter the base name for the output files that the tool is going to generate. While

21
00:01:55,600 --> 00:01:58,750
trying to find the correct payload and malware,

22
00:01:58,960 --> 00:02:01,150
you may need to try a lot of different options.

23
00:02:01,630 --> 00:02:07,870
So to be able to recognize which file I generated this time, I use the day of the month and the

24
00:02:07,870 --> 00:02:09,400
time in the file names.

25
00:02:10,210 --> 00:02:15,250
For this example, since today is the first day of the month and it's 22:55,

26
00:02:15,520 --> 00:02:21,430
I use 01-22-55 as the file name base.

27
00:02:22,520 --> 00:02:24,320
The next step is to choose the payload.

28
00:02:25,010 --> 00:02:31,190
Let's choose windows/meterpreter/reverse_tcp, number three.

29
00:02:31,940 --> 00:02:34,910
It uses almost all facilities of msfvenom.

30
00:02:39,140 --> 00:02:46,430
It encodes the payload with 10 iterations of the shikata_ga_nai encoding

31
00:02:46,430 --> 00:02:54,080
method first, then encodes with another method eight times, and three other encodings follow.

32
00:02:54,860 --> 00:02:57,020
The malicious executable was created.

33
00:02:57,440 --> 00:03:00,890
It's in the output folder under the TheFatRat folder.

34
00:03:01,940 --> 00:03:09,140
Now, let's go to the victim machine and transfer the file using WinSCP. Connect to your Kali machine.

35
00:03:09,620 --> 00:03:16,370
Remember, the SCP protocol uses SSH, so be sure that SSH is running on Kali.

36
00:03:18,230 --> 00:03:21,740
My Kali's SSH is serving on port 443.

37
00:03:22,100 --> 00:03:23,150
Don't ask why.

38
00:03:26,500 --> 00:03:27,190
OK.

39
00:03:27,310 --> 00:03:28,270
We connected.

40
00:03:28,720 --> 00:03:34,480
Go to the folder where our file is: root/fatrat/output.

41
00:03:34,840 --> 00:03:35,770
And here it is.
42
00:03:36,730 --> 00:03:40,270
Drag it and drop it onto the desktop of the Windows system.

43
00:03:41,110 --> 00:03:48,390
But first, let's start Windows Defender and see if our malware is able to avoid it or not.

44
00:03:50,580 --> 00:03:50,950
OK.

45
00:03:50,970 --> 00:03:51,990
It's already running.

46
00:03:52,900 --> 00:03:56,040
Now let's transfer the malware into the Windows system.

47
00:03:57,380 --> 00:03:57,800
Oops!

48
00:03:58,520 --> 00:04:01,490
Our malware is detected by Windows Defender.

49
00:04:03,730 --> 00:04:05,770
And deleted in a few seconds.

50
00:04:06,730 --> 00:04:11,140
Anyway, there are always some computers which do not have any security protection.

51
00:04:11,710 --> 00:04:14,440
Let's check that our malware works on them.

52
00:04:15,100 --> 00:04:22,540
Go to the Settings > Administrator pane and uncheck the "Turn on this app" checkbox to disable Windows Defender,

53
00:04:23,290 --> 00:04:25,300
and press Save changes.

54
00:04:26,600 --> 00:04:29,720
Now drag the malware again and drop it onto the desktop.

55
00:04:30,650 --> 00:04:35,660
Before running the application on the victim machine, let's think about the hacker's side.

56
00:04:36,370 --> 00:04:37,790
Are we ready as a hacker?

57
00:04:38,510 --> 00:04:42,350
What do we need to connect to the backdoor if the malware succeeds?

58
00:04:44,520 --> 00:04:46,320
Sure, we don't have a listener at the moment.

59
00:04:46,890 --> 00:04:48,930
Go to the Kali machine to start a listener.

60
00:04:50,250 --> 00:04:54,360
Start the Metasploit Framework console using the msfconsole command.

61
00:04:55,930 --> 00:04:59,950
While Metasploit Framework is starting, I look at the information of the backdoor in the terminal

62
00:04:59,950 --> 00:05:03,520
where I created it, to make sure the payload is the one I used.

63
00:05:03,910 --> 00:05:04,450
Why?

64
00:05:04,720 --> 00:05:09,250
Because I have to use the exact same payload while creating the listener.
65
00:05:10,540 --> 00:05:15,520
MSF started. Type use exploit/multi/handler first.

66
00:05:19,590 --> 00:05:22,620
And then set the payload that we used in the malware.

67
00:05:26,480 --> 00:05:33,020
Look at the options using the show options command. Set the LHOST; again, I use the information

68
00:05:33,020 --> 00:05:33,680
of the malware.

69
00:05:40,760 --> 00:05:44,720
Set the port, which was 5555 in my malware.

70
00:05:49,180 --> 00:05:51,460
Now, type exploit to start the handler.

71
00:05:53,350 --> 00:05:55,000
Go to the victim machine now.

72
00:05:55,950 --> 00:06:00,550
And run the malware we copied a few minutes ago. Turn back to Kali.

73
00:06:00,570 --> 00:06:05,670
You see that a Meterpreter session is opened. Once again, the victory is ours.

74
00:06:07,840 --> 00:06:08,620
But wait a second.

75
00:06:09,670 --> 00:06:13,000
Windows Defender on Windows 8 has detected our malware.

76
00:06:14,180 --> 00:06:18,140
We should find another way to create an undetectable malware.

77
00:06:19,250 --> 00:06:25,370
This time, I'd like to create malware using Pwnwinds, option six. We are now in the main

78
00:06:25,370 --> 00:06:32,490
menu of TheFatRat. Type six and hit Enter to use Pwnwinds to create the malware this time.

79
00:06:33,490 --> 00:06:35,470
The Pwnwinds module menu appears.

80
00:06:35,770 --> 00:06:40,030
There are different options here to create an exe, batch or PDF file.

81
00:06:41,020 --> 00:06:44,770
I'd like to use the second option to create an executable malware.

82
00:06:45,860 --> 00:06:51,980
Now, when I type two and hit Enter, it gives the IP information of my system and asks for the listener

83
00:06:51,980 --> 00:06:52,340
host.

84
00:06:53,410 --> 00:07:00,700
Enter the LHOST, the IP of your Kali, and the LPORT; this time I use 6666.

85
00:07:01,360 --> 00:07:02,530
Use whatever you want.
86
00:07:03,430 --> 00:07:05,050
Base name for output files.

87
00:07:05,230 --> 00:07:06,940
I use the same format:

88
00:07:06,950 --> 00:07:15,570
01-23-02. Again, I choose the third payload, reverse_tcp.

89
00:07:25,920 --> 00:07:28,470
The backdoor is saved to the output folder.

90
00:07:29,040 --> 00:07:33,580
Now let's go to the victim machine and transfer the file using WinSCP.

91
00:07:35,040 --> 00:07:41,340
On the Kali side of WinSCP, we're in the output folder of the TheFatRat application. Before transferring

92
00:07:41,340 --> 00:07:43,290
the new malware into the victim machine,

93
00:07:43,920 --> 00:07:46,230
be sure that Windows Defender is running.

94
00:07:47,160 --> 00:07:49,920
I opened the Action Center and turned on Windows Defender.

95
00:07:58,430 --> 00:07:58,770
OK.

96
00:07:58,790 --> 00:08:02,450
It's running. I can transfer our new malware now.

97
00:08:07,950 --> 00:08:12,480
No, not again, Defender detected our new malware as well.

98
00:08:13,440 --> 00:08:20,130
We should try another method. TheFatRat is very powerful and I'm sure we can find a way to bypass

99
00:08:20,130 --> 00:08:20,700
Defender.

100
00:08:21,900 --> 00:08:27,120
I'll try another method of Pwnwinds, the sixth option of the main menu.

101
00:08:30,830 --> 00:08:34,520
This time, I choose the fourth option in the Pwnwinds menu.

102
00:08:34,970 --> 00:08:39,020
I'll again create a malicious executable with a different method.

103
00:08:39,680 --> 00:08:47,750
Inputs are all the same: LHOST first, then LPORT, for which I choose 7777 this time, and

104
00:08:47,750 --> 00:08:49,700
the base name of the output files.

105
00:08:55,750 --> 00:08:59,710
I chose reverse TCP as the payload, the third option.

106
00:09:06,130 --> 00:09:09,640
And done, the output file is created.

107
00:09:10,450 --> 00:09:12,250
Let's go back to the victim machine.
108
00:09:12,580 --> 00:09:19,780
Refresh the Kali side of WinSCP, drag the newest malware and drop it onto the Windows desktop.

109
00:09:21,250 --> 00:09:27,790
As you see at the lower right-hand corner, Windows Defender is running and it couldn't detect our malware

110
00:09:27,790 --> 00:09:28,330
this time.

111
00:09:28,600 --> 00:09:29,740
Well done.

112
00:09:30,100 --> 00:09:32,440
We overcame the first problem:

113
00:09:32,680 --> 00:09:34,690
bypassing the security system.

114
00:09:35,800 --> 00:09:40,090
Now, the main question is, does the malware work?

115
00:09:40,150 --> 00:09:42,340
I mean, do we have the backdoor?

116
00:09:43,120 --> 00:09:48,460
So at this point, we go back to Kali and start a listener. Start msfconsole.

117
00:09:56,770 --> 00:10:01,210
Use exploit/multi/handler to use the handler.

118
00:10:02,850 --> 00:10:07,710
Set the payload, the same one we used in the malware. To be sure,

119
00:10:08,100 --> 00:10:15,840
I prefer to copy the payload from the TheFatRat terminal and paste it. Set LHOST to the IP address of

120
00:10:15,840 --> 00:10:16,350
Kali.

121
00:10:19,200 --> 00:10:22,140
And LPORT; remember, that was 7777.

122
00:10:27,710 --> 00:10:36,830
I want to look at the open ports using the netstat -nlp Linux command. 7777 is not

123
00:10:36,830 --> 00:10:37,820
in use at the moment.

124
00:10:38,270 --> 00:10:42,920
Back we go to the msfconsole terminal and type exploit to start the handler.

125
00:10:44,240 --> 00:10:47,930
Go to the Windows machine and run the malware by double-clicking on it.

126
00:10:51,970 --> 00:10:58,540
Back to the Kali machine, and a new Meterpreter session is open now. We can say:

127
00:10:58,720 --> 00:11:00,460
Victory is ours.