1
00:00:00,420 --> 00:00:06,360
Throughout the section, you're going to learn about Meterpreter and examine what it's capable of

2
00:00:06,360 --> 00:00:08,970
to reach your post-exploitation goals.

3
00:00:10,170 --> 00:00:16,440
So Meterpreter is a custom, dynamically extensible payload that is developed for MSF.

4
00:00:17,840 --> 00:00:23,090
Comparing that to other payload types, it's the most used and feature-rich one.

5
00:00:24,350 --> 00:00:30,950
Generally speaking, with most other payloads, you're pretty much limited to executing one command at

6
00:00:30,950 --> 00:00:34,090
a certain time simply to interact with the system.

7
00:00:35,280 --> 00:00:42,270
If you want to execute some others, such as add a user, download or upload a file, jump into another

8
00:00:42,270 --> 00:00:48,650
network, you will see how difficult it is because of exploiting the target again and again and again.

9
00:00:50,040 --> 00:00:58,920
So, additionally, normal payloads are not generally stealthy, and this is also undesirable for

10
00:00:58,920 --> 00:01:01,440
any pentester, on the other hand.

11
00:01:02,370 --> 00:01:10,560
Luckily, you have Meterpreter, so it's loaded directly into the memory of an exploited process using a technique

12
00:01:10,560 --> 00:01:13,680
called reflective DLL injection.

13
00:01:15,580 --> 00:01:21,880
It's uploaded into the heap of the compromised process on the target and writes nothing to the disk.

14
00:01:23,270 --> 00:01:29,780
Now, because it works completely within memory, it doesn't touch the filesystem directly if it's

15
00:01:29,780 --> 00:01:33,500
not necessary, and it remains generally undetectable.

16
00:01:34,490 --> 00:01:39,260
Not going to say it's guaranteed stealthy, but it's pretty much always stealthy.

17
00:01:40,550 --> 00:01:49,430
And yeah, so as I was saying before, it works in memory and injects into a pre-run process, but usually

18
00:01:49,940 --> 00:01:54,320
something else like adding a user is probably going to send up an alarm, who knows?

19
00:01:55,820 --> 00:02:02,900
Meterpreter doesn't need to start a new process that might be noticed by an intrusion prevention or detection

20
00:02:02,900 --> 00:02:03,290
system.

21
00:02:04,410 --> 00:02:10,380
And because of that capability, generally, most intrusion detection systems can't detect it.

22
00:02:11,920 --> 00:02:18,660
Now, moreover, the process to which Meterpreter is attached can be changed at any time.

23
00:02:19,560 --> 00:02:22,250
And actually, this makes tracking it very hard.

24
00:02:23,270 --> 00:02:30,470
Another important thing about Meterpreter is that it communicates with Metasploit using Transport

25
00:02:30,470 --> 00:02:32,120
Layer Security encryption.

26
00:02:33,400 --> 00:02:40,150
So it communicates over the stager's socket and provides a comprehensive client-side Ruby API.

27
00:02:41,410 --> 00:02:49,600
And to me, the best of the best: Meterpreter allows for multitasking by creating multiple sessions.

28
00:02:50,690 --> 00:02:58,010
And it also provides a bash-style shell and has features such as command history, tab completion,

29
00:02:58,010 --> 00:02:59,810
channels and many more.