1 00:00:00,210 --> 00:00:03,480 Welcome to Part Twelve of this module.
2 00:00:03,480 --> 00:00:09,210 In this lesson we're going to be looking at how to achieve persistent access against a Windows machine
3 00:00:09,210 --> 00:00:10,320 with Meterpreter.
4 00:00:10,320 --> 00:00:15,750 We're going to be picking up right where we left off in the last video so as to avoid any unnecessary
5 00:00:15,750 --> 00:00:16,730 repetition.
6 00:00:16,770 --> 00:00:20,580 That means we're starting off with Meterpreter open right off the bat.
7 00:00:20,730 --> 00:00:26,910 I realize in the past I've spoken somewhat glibly about possible ways of achieving persistent access
8 00:00:27,060 --> 00:00:31,470 to an infected machine, and that is what we're going to be covering here today.
9 00:00:31,470 --> 00:00:37,140 There are many ways of doing this, and before we even begin you need to be aware that this is not an
10 00:00:37,200 --> 00:00:41,310 easy thing to do over the long term, for many reasons.
11 00:00:41,430 --> 00:00:47,670 Gaining and keeping a foothold on a system indefinitely is the sort of thing that nation states devote
12 00:00:47,670 --> 00:00:51,160 considerable resources to being able to accomplish.
13 00:00:51,180 --> 00:00:57,430 That being said, there is a method built right into Meterpreter that will work for our purposes.
14 00:00:57,480 --> 00:01:02,070 It's quick and dirty and very likely to be detected over time.
15 00:01:02,100 --> 00:01:08,880 But if you just need to ensure future access and you aren't too worried about making it last a lifetime,
16 00:01:08,910 --> 00:01:11,660 then this technique should work well enough for you.
17 00:01:11,700 --> 00:01:17,640 I should add that the Meterpreter session we are using here does in fact have escalated privileges.
18 00:01:17,730 --> 00:01:23,850 It is recommended that you escalate your privileges before attempting to gain persistence, to avoid both
19 00:01:23,910 --> 00:01:28,730 errors and any prompts asking for authentication from the user,
20 00:01:28,830 --> 00:01:35,010 that is to say, prompts to the user of the target computer that might alert them that something is up. It isn't
21 00:01:35,010 --> 00:01:41,640 absolutely necessary in all cases, but for the method used in this example it is the best way to go.
22 00:01:41,760 --> 00:01:48,600 Our target is still going to be our Windows 10 64-bit Professional virtual machine.
23 00:01:48,630 --> 00:01:52,560 This is a virgin installation with no updates.
24 00:01:52,590 --> 00:01:59,160 Now we're going to get persistence. As you have no doubt realized by now, the biggest weakness of getting
25 00:01:59,160 --> 00:02:05,070 a Meterpreter session is that as soon as the target computer goes offline for any reason, the session
26 00:02:05,070 --> 00:02:09,230 closes down and the target has to be reinfected to get a new session.
27 00:02:09,240 --> 00:02:15,630 You do all this work and the stars line up and you have your admin access, and the user decides to turn
28 00:02:15,630 --> 00:02:17,030 off the computer.
29 00:02:17,040 --> 00:02:20,400 I know, it's frustrating, and it's happened to all of us.
30 00:02:20,430 --> 00:02:23,660 So here is an easy built-in way to deal with that.
31 00:02:23,670 --> 00:02:37,710 So if we type run persistence -h for help, we're greeted with this thoroughly unhelpful output. In
32 00:02:37,710 --> 00:02:40,260 the old pre-Kali days of BackTrack,
33 00:02:40,260 --> 00:02:44,730 this was a helpful menu detailing all of the persistence options.
34 00:02:44,730 --> 00:02:46,380 Why did they change this?
35 00:02:46,470 --> 00:02:48,780 I really couldn't begin to guess.
36 00:02:48,960 --> 00:02:53,050 This is the help menu that we were supposed to be greeted with.
37 00:02:53,070 --> 00:02:57,780 Maybe they hid it somewhere else when they made the switch to Kali and I'm just missing a really obvious
38 00:02:57,780 --> 00:02:59,110 command-line switch.
39 00:02:59,370 --> 00:03:06,240 But heck if I can find it. Regardless, let's go over these options now. In the simplest form you can just
40 00:03:06,240 --> 00:03:12,480 type run persistence without any switches, and this will write a script into the target's local temp
41 00:03:12,480 --> 00:03:14,010 folder in Windows.
42 00:03:14,010 --> 00:03:16,910 And in theory that will work just fine.
43 00:03:16,920 --> 00:03:23,310 We can do a little better than that though. So -A will automatically start a matching exploit/multi/handler
44 00:03:23,310 --> 00:03:25,800 to connect to the agent.
45 00:03:25,800 --> 00:03:29,940 Pretty self-explanatory. -L is a good one to remember.
46 00:03:29,970 --> 00:03:35,280 It allows you to write the payload to something a bit more subtle than the Windows temp folder.
47 00:03:35,280 --> 00:03:41,370 Keep in mind every antivirus worth the name knows to check the temp folder, and it's also going to be
48 00:03:41,370 --> 00:03:45,620 one of the first places that a system administrator is going to look for trouble.
49 00:03:45,710 --> 00:03:53,370 -P lets you set the payload. In our case it will of course be Meterpreter, but it doesn't have
50 00:03:53,370 --> 00:03:54,020 to be.
51 00:03:54,060 --> 00:04:00,840 Maybe you want to use a payload that simply runs at a certain time and all it does is add a second user
52 00:04:00,840 --> 00:04:03,690 with admin privileges on the Windows system.
53 00:04:03,690 --> 00:04:05,640 So why would you want to do something like that?
54 00:04:05,640 --> 00:04:12,000 Well, there is a high probability in an office environment that a Meterpreter or a reverse shell of
55 00:04:12,000 --> 00:04:16,950 any kind, or any kind of strange connection, is going to be noticed sooner or later.
56 00:04:16,950 --> 00:04:24,290 Maybe you just want to get access to the target computer for a few seconds, drop a payload on a timer
57 00:04:24,300 --> 00:04:31,680 that creates a second admin account, say, 15 minutes after everyone else goes home, and then walk over
58 00:04:31,680 --> 00:04:32,660 to the computer.
59 00:04:32,670 --> 00:04:38,400 You now have an account and can access it, remembering to delete the account and the payload when you're
60 00:04:38,400 --> 00:04:40,470 done. A bit James Bond,
61 00:04:40,470 --> 00:04:46,680 I know, but my point is there are a lot of exploits, and it may not always be your objective to gain a
62 00:04:46,680 --> 00:04:49,260 constant recurring connection.
63 00:04:49,260 --> 00:04:55,350 This class focuses on the mainline stuff that most people care about, but that doesn't mean you shouldn't
64 00:04:55,350 --> 00:04:59,510 explore the subtle, unorthodox uses of Metasploit
65 00:04:59,520 --> 00:05:06,480 once you master the basics. The -S option will toggle whether or not the agent is going to start on
66 00:05:06,480 --> 00:05:08,570 boot with SYSTEM privileges.
67 00:05:08,580 --> 00:05:10,580 Now, be careful with this.
68 00:05:10,590 --> 00:05:17,040 This is very likely to stand out to any system administrator who does a routine check, and it is certainly
69 00:05:17,160 --> 00:05:21,190 more likely to be picked up by antivirus or malware detection.
70 00:05:21,210 --> 00:05:28,470 Any user who uses a common program like CCleaner and notices a file that is just a weird string of
71 00:05:28,470 --> 00:05:32,560 letters and numbers in their system boot list is going to raise an eyebrow.
72 00:05:32,670 --> 00:05:36,720 -T lets you use a different executable template.
73 00:05:36,780 --> 00:05:40,130 Not really within the scope of this tutorial, but the option is there.
74 00:05:40,140 --> 00:05:45,930 Nevertheless, -U starts the agent when the user actually logs on.
75 00:05:45,930 --> 00:05:52,200 This does differ significantly from -S because it doesn't leave a glaringly obvious fingerprint in
76 00:05:52,200 --> 00:05:53,100 the boot order.
77 00:05:53,100 --> 00:05:55,360 Given a choice between -S and -U,
78 00:05:55,410 --> 00:05:58,800 I personally prefer the latter, but it is your option.
79 00:05:58,800 --> 00:06:06,270 If you run persistence without any switches I do believe it defaults to -S. The -X switch is
80 00:06:06,270 --> 00:06:14,100 basically -S except the agent isn't going to have admin privileges, so the user isn't going to get
81 00:06:14,100 --> 00:06:17,760 prompted and in theory it's a bit more quiet.
82 00:06:17,970 --> 00:06:21,960 But then again, your session will automatically have Authority\SYSTEM.
83 00:06:22,050 --> 00:06:27,720 It's still going to show up as something funny in the boot list though, so it's really no less likely
84 00:06:27,870 --> 00:06:32,050 that it will be detected if somebody goes in and eyeballs the boot sequence.
85 00:06:32,160 --> 00:06:38,900 Lowercase -h is the useless help menu we just saw, and not this nice one pulled from BackTrack. Lowercase
86 00:06:38,980 --> 00:06:39,620 -i
87 00:06:39,780 --> 00:06:45,510 lets you set the interval between connection attempts. This is recommended, and you'll see it used in
88 00:06:45,510 --> 00:06:51,360 the example. Lowercase -p and lowercase -r are pretty self-explanatory.
89 00:06:51,390 --> 00:06:54,320 They allow you to set your port and IP.
90 00:06:54,420 --> 00:07:00,360 Again, I know it's been said before, but if you're doing this over the Internet and not on a local network
91 00:07:00,420 --> 00:07:03,330 you will need to set up port forwarding.
92 00:07:03,330 --> 00:07:06,030 Please see the video on that for more information.
93 00:07:06,030 --> 00:07:08,860 And remember one more thing about these options.
94 00:07:08,880 --> 00:07:15,690 Whatever IP address you give the payload, that is the IP address the payload is going to be constantly
95 00:07:15,690 --> 00:07:17,490 trying to dial home to.
96 00:07:17,580 --> 00:07:25,230 If it gets discovered, it is a very easy thing to look at outgoing connections and see exactly where
97 00:07:25,230 --> 00:07:27,200 it is trying to connect to.
98 00:07:27,240 --> 00:07:33,760 This is where virtual private servers, proxies, command and control centers and the like come into play.
99 00:07:33,760 --> 00:07:36,010 We will be talking about these more later.
100 00:07:36,010 --> 00:07:38,890 One more thing before we see this in action.
101 00:07:38,930 --> 00:07:44,320 I'm sure that anyone watching these videos is doing so because they are either penetration testers
102 00:07:44,650 --> 00:07:50,980 hoping to hone their craft for legal use or system administrators looking to see how hackers operate.
103 00:07:50,980 --> 00:07:56,770 Remember that even if you're doing a lawful pen test with written permission, that permission may not
104 00:07:56,770 --> 00:07:58,170 extend indefinitely.
105 00:07:58,210 --> 00:08:03,640 It is your responsibility to remove any backdoors you place on a system. Leaving something like this
106 00:08:03,640 --> 00:08:08,730 in place after the test is over may create a legal liability for you.
107 00:08:08,740 --> 00:08:10,110 OK, enough preamble.
108 00:08:10,180 --> 00:08:11,880 Let's see this in action.
109 00:08:11,920 --> 00:08:14,050 I'm going to go ahead and clear the screen
110 00:08:17,260 --> 00:08:27,370 and return to our session, and then we're going to type run persistence -U (uppercase), which specifies
111 00:08:27,370 --> 00:08:37,180 that we want the agent to essentially dial home as soon as the user logs on; -i (lowercase) for
112 00:08:37,180 --> 00:08:43,480 the interval, we're going to set this for five seconds, which means that after the user logs on, every
113 00:08:43,480 --> 00:08:50,200 five seconds the agent will attempt to dial home; -p (lowercase) for port, it's going to remain
114 00:08:50,200 --> 00:08:56,920 4444; -r (lowercase) for our own IP address.
115 00:08:57,100 --> 00:09:04,380 This will be a network IP if you're doing this on a network, which I am, or your public IP
116 00:09:04,390 --> 00:09:08,980 if you're doing it over the Internet, keeping in mind the need to set up port forwarding for non-local
117 00:09:08,980 --> 00:09:11,290 hosts, and then we press enter.
118 00:09:11,290 --> 00:09:13,340 This may require a few moments.
119 00:09:13,390 --> 00:09:13,670 Okay.
120 00:09:13,680 --> 00:09:14,740 And there we go.
121 00:09:14,740 --> 00:09:23,890 This funky-looking .vbs file has just been written to Users\admin\AppData\Local\Temp, and the autorun,
122 00:09:24,100 --> 00:09:28,000 we can see, has been installed right down here to this directory.
123 00:09:30,740 --> 00:09:36,570 So now I'm going to go over here real quick and I'm going to shut down Windows, causing our current Meterpreter
124 00:09:36,570 --> 00:09:39,500 session to die. Before I do that though,
125 00:09:39,500 --> 00:09:41,640 let's just real quick
126 00:09:41,750 --> 00:09:50,210 press the Windows + R key to open up the Run menu, and we'll search for the temp folder, that's
127 00:09:50,210 --> 00:09:52,480 %temp%.
128 00:09:52,670 --> 00:09:54,350 Now inside our temp folder,
129 00:09:54,410 --> 00:10:00,500 notice that we can find this VBScript file. In my case there are three because I've tested this a few
130 00:10:00,500 --> 00:10:02,670 times prior to making this video.
131 00:10:02,720 --> 00:10:08,590 Again, this will stand out like a sore thumb to anyone who knows what to look for.
132 00:10:08,600 --> 00:10:15,140 If you are a system administrator and you see any sketchy VBScript files sitting in your temp folder,
133 00:10:15,170 --> 00:10:20,660 well, you have a pretty good idea of what has been causing those network anomalies you've been noticing.
134 00:10:20,660 --> 00:10:25,040 This is why writing to better locations is advisable.
135 00:10:25,040 --> 00:10:28,910 But again, this is good enough for demonstration purposes.
136 00:10:28,910 --> 00:10:34,460 It's not really like the average user goes digging through their temp folder looking for scripts that
137 00:10:34,460 --> 00:10:37,240 don't belong there, but it's something to keep in mind.
138 00:10:37,250 --> 00:10:41,090 So now what I'm going to do is I'm going to power off the Windows system.
139 00:10:46,170 --> 00:10:51,750 So here we're shutting down, and if we come back over to Kali we can see that our Meterpreter session has
140 00:10:51,750 --> 00:10:53,640 just died.
141 00:10:53,640 --> 00:10:59,430 So now we've shut down Windows 10 and we've closed out of our Meterpreter session.
142 00:10:59,460 --> 00:11:04,560 So now that we've closed everything down, our Windows 10, our dead Meterpreter, the whole thing, we've
143 00:11:04,560 --> 00:11:14,060 cleared the screen. Now we're going to once again use exploit/multi/handler.
144 00:11:16,490 --> 00:11:29,500 None of the options should have changed. Good. Going to exploit, and our TCP handler is now listening, so
145 00:11:32,650 --> 00:11:34,450 we're going to start up Windows 10 again,
146 00:11:44,840 --> 00:11:46,120 and there we go.
147 00:11:46,520 --> 00:11:53,940 As seen in real time, if we flip over to our session now, I think that took a little longer than five
148 00:11:53,940 --> 00:11:54,480 seconds.
149 00:11:54,480 --> 00:11:59,900 It's supposed to dial home every five seconds, but this is VirtualBox,
150 00:11:59,910 --> 00:12:09,700 so some allowances have to be made, I suppose. Now, in a perfect world, the target user will never run antivirus,
151 00:12:09,730 --> 00:12:15,260 never check their temp folder and never notice any open connections that shouldn't be there,
152 00:12:15,370 --> 00:12:21,700 in which case you can expect to maintain a persistent foothold on the target system over the long term.
153 00:12:22,710 --> 00:12:23,480 As I said,
154 00:12:23,490 --> 00:12:29,430 the reality is sooner or later this method will be discovered and shut down.
155 00:12:29,430 --> 00:12:32,310 Long-term access is a challenge.
156 00:12:32,340 --> 00:12:35,400 Also keep in mind there are other ways to do this.
157 00:12:35,430 --> 00:12:42,240 Once you have a Meterpreter session you could, again in theory, use the upload command to send the target a
158 00:12:42,600 --> 00:12:48,360 better piece of malware, like a rootkit that you've put through multiple crypters or whatever.
159 00:12:48,390 --> 00:12:54,150 Although it is well outside the scope of this tutorial, some pen testers like to use Meterpreter
160 00:12:54,510 --> 00:13:01,530 to set up some extremely well-scripted malware that includes a secure connection like OpenVPN leading
161 00:13:01,530 --> 00:13:05,210 to a command and control center on a virtual private server.
162 00:13:05,220 --> 00:13:08,760 These concepts will be covered in more detail later in this class.
163 00:13:08,760 --> 00:13:15,540 For now it is enough to know that while this is not the best way of getting long-term access, this technique,
164 00:13:15,810 --> 00:13:23,340 which is entirely within Metasploit, can be used to gain a recurring foothold, which should hopefully
165 00:13:23,340 --> 00:13:26,070 be enough for you to be able to leverage.
166 00:13:26,130 --> 00:13:32,580 Just remember to clean up those scripts and payloads when you're done, because they are a dead giveaway
167 00:13:32,760 --> 00:13:39,120 to a system administrator that a pen test is taking place using Metasploit. Of course not to the average
168 00:13:39,120 --> 00:13:44,430 user, but anyone with any skill in cyber forensics will be able to spot it right away.
169 00:13:44,580 --> 00:13:46,860 Thank you for your attention, as always.
170 00:13:46,860 --> 00:13:52,290 Never use anything shown in these videos against any system that you do not have written permission
171 00:13:52,290 --> 00:13:58,200 from the owner to penetration test. Be ethical and lawful at all times, and I'll see you in the next session.