1
00:00:03,100 --> 00:00:07,330
Welcome to Hacking Windows, Tim Command and control phase.

2
00:00:07,990 --> 00:00:14,530
Before we get into commanding, controlling or taking over control of Windows 10 machine through the

3
00:00:14,530 --> 00:00:20,530
malware that we created in the previous section, let's do a quick recap of that attack phase, because

4
00:00:20,530 --> 00:00:26,770
that's what we're going to need to do every time we want to create a new virus from a new IP address.

5
00:00:27,280 --> 00:00:35,350
So what we did in the last section was we created an executable file using MSF venom to create a reverse

6
00:00:35,350 --> 00:00:38,110
TCAP Materne critter virus.

7
00:00:38,230 --> 00:00:44,890
So we created what we call a remote access Trojan, a piece of malware that when the person runs it

8
00:00:44,950 --> 00:00:52,510
on their machine because we named it something like some cool name a fortnight, all skins or important

9
00:00:52,510 --> 00:00:54,010
PDAF Daddy XY.

10
00:00:55,030 --> 00:01:02,850
As soon as they run that file on their P.C., they're going to do a reverse TCAP or a call back to my

11
00:01:02,860 --> 00:01:09,400
Kelly Linux box and my Kelly Linux box will be able to take control of a Materne critter, a Metis Boit

12
00:01:09,400 --> 00:01:14,470
interpreter, remote shell that will give me full access to that Windows computer.

13
00:01:15,220 --> 00:01:16,840
So we did that with these four commands.

14
00:01:17,380 --> 00:01:21,370
Go back to the previous section if you need to create this Trojan.

15
00:01:23,010 --> 00:01:29,670
Then on our Kelly Linux box, we needed to listen for the exploit to call back.

16
00:01:30,030 --> 00:01:36,180
So our Windows Mateparae to reverse TCAP needs a handler, a listener running on this Caleigh Linux

17
00:01:36,180 --> 00:01:38,880
box to listen for incoming connections.

18
00:01:39,240 --> 00:01:42,960
And we can use just three or four commands to make that possible.

19
00:01:43,270 --> 00:01:48,720
The use exploit multi handler set the payload and then set the local host to your Caleigh IP address.

20
00:01:48,750 --> 00:01:54,090
You just have to tell it what IP address to listen for and then run the exploit with the command exploit

21
00:01:54,090 --> 00:01:54,870
dash jazy.

22
00:01:55,440 --> 00:01:57,150
So we're going to check in here.

23
00:01:57,600 --> 00:02:00,840
I have let it sit between lessons for just a few minutes.

24
00:02:01,140 --> 00:02:03,060
So my interpreter session closed.

25
00:02:03,090 --> 00:02:06,390
That means my Windows computer is no longer communicating.

26
00:02:06,390 --> 00:02:08,370
And in fact, you can see in my downloads folder.

27
00:02:09,060 --> 00:02:11,040
Windows Defender started back up.

28
00:02:11,400 --> 00:02:17,250
So I'd need to reinfect this machine, but I'm going to run those four steps just so that you can see

29
00:02:17,250 --> 00:02:18,060
them one more time.

30
00:02:18,600 --> 00:02:27,120
So if I press enter and I'll use control l to clear the screen, you can see that I'm already using

31
00:02:27,120 --> 00:02:28,710
the exploit multi handler.

32
00:02:28,800 --> 00:02:36,180
So if I just fuse my up arrow, you can see these four important commands use exploit multi handler

33
00:02:36,450 --> 00:02:36,950
anytime.

34
00:02:37,710 --> 00:02:38,970
This is a great thing to point out.

35
00:02:39,660 --> 00:02:43,380
Anytime we want to reuse this same remote access Trojan.

36
00:02:43,740 --> 00:02:46,980
So I created it in the last section and I'm going to use it right now.

37
00:02:47,520 --> 00:02:52,380
But I'm still might lose a connection with that Windows box every now and then, or I might send it

38
00:02:52,380 --> 00:02:56,880
to a new host machine on the network that I'm doing penetration testing for.

39
00:02:57,330 --> 00:02:59,790
And so I need to run this part.

40
00:02:59,850 --> 00:03:04,560
The the virus itself can stay the same as long as your IP address stays the same on Kalli.

41
00:03:05,070 --> 00:03:10,680
But you need to run these four commands inside Materne Critter inside our midst boy framework.

42
00:03:11,070 --> 00:03:16,230
In fact, let's go ahead and show how we would reconnect if you're coming back to this fresh or if you're

43
00:03:16,530 --> 00:03:18,540
infecting a new machine on your network.

44
00:03:18,900 --> 00:03:21,190
First we run the Metis Play Framework console.

45
00:03:21,210 --> 00:03:22,020
So that's M.

46
00:03:22,050 --> 00:03:23,370
S F console.

47
00:03:23,880 --> 00:03:31,200
Or you can come up to your Kalli box here, come down to exploitation tools and find the midpoint framework.

48
00:03:31,710 --> 00:03:34,980
MSF console takes just a moment to get up and running.

49
00:03:36,400 --> 00:03:44,350
Once Miss Boyd opens up, we just need to say use, exploit, slash, multi slash handler.

50
00:03:47,130 --> 00:03:49,170
And we can put back to our screen here.

51
00:03:49,600 --> 00:03:50,790
There we go.

52
00:03:51,270 --> 00:03:52,760
We can say use, exploit, multi handler.

53
00:03:52,770 --> 00:03:59,340
We need to set the payload to match that maternal or reverse TCAP Trojan that we have on our other machine.

54
00:03:59,370 --> 00:04:00,540
I'll control L.

55
00:04:01,560 --> 00:04:03,600
So we did the use exploit multi handler.

56
00:04:04,770 --> 00:04:07,560
It remembers our last few commands from the last time we logged in.

57
00:04:07,570 --> 00:04:11,940
So that's a really nice thing to be able to just scroll back through those, set the payload to windows,

58
00:04:11,940 --> 00:04:14,400
slash mature operator slash reverse TCAP.

59
00:04:16,170 --> 00:04:27,870
And then we need to set the L host the local host parameter so I can double check with IPA that my address

60
00:04:27,870 --> 00:04:30,780
is still tendo dot nine dot seven on this Caleigh box.

61
00:04:30,800 --> 00:04:33,060
You need to make sure you set your local host to the correct one.

62
00:04:33,570 --> 00:04:35,820
And the last command that we need is just exploit.

63
00:04:36,060 --> 00:04:39,120
So you can run, exploit, dash J, dash Z, exploit X.

64
00:04:39,900 --> 00:04:42,600
Those are options to background multiple sessions.

65
00:04:42,600 --> 00:04:46,950
If we want to we can just say exploit and we are listening.

66
00:04:47,010 --> 00:04:50,130
At that point actively for connections from windows.

67
00:04:50,670 --> 00:04:55,380
So over here on our Windows box, we probably want to do two quick things will turn off that virus protection.

68
00:04:55,410 --> 00:04:56,660
I'm sure it started back up.

69
00:04:58,050 --> 00:05:03,280
Virus and threat protection settings, we can open that every now and then it will automatically start

70
00:05:03,280 --> 00:05:03,880
back up.

71
00:05:04,780 --> 00:05:06,190
Go to our Manege settings.

72
00:05:06,850 --> 00:05:08,980
We'll make sure that Real-Time protection is turned off.

73
00:05:09,640 --> 00:05:12,790
And we might want to add an exclusion.

74
00:05:13,570 --> 00:05:15,310
And I've added our documents folder.

75
00:05:15,310 --> 00:05:20,500
So this time when I get into that Windows machine, I'm actually going to upload another copy of this

76
00:05:20,500 --> 00:05:22,600
virus to that documents folder.

77
00:05:23,110 --> 00:05:25,750
And Windows shouldn't close it out.

78
00:05:26,140 --> 00:05:29,450
And I'm going to double check here that my Windows firewall is off.

79
00:05:29,470 --> 00:05:31,540
This command net S.H. Advance firewall set.

80
00:05:31,540 --> 00:05:32,770
All profiles stayed off.

81
00:05:33,990 --> 00:05:39,810
Now, there are ways that we can get around antivirus using a veil of Asian or some of the other tools

82
00:05:39,810 --> 00:05:42,600
to encode our exploit.

83
00:05:43,680 --> 00:05:50,880
And there are ways that you can mess with the Windows firewall or get packets out using a commonly open

84
00:05:50,880 --> 00:05:52,080
port like secure shell.

85
00:05:52,410 --> 00:05:55,530
So it makes it look like you're just surfing for a Web page.

86
00:05:55,890 --> 00:06:00,180
But what we're doing right now is just to make it a little easier for this first command and control

87
00:06:00,180 --> 00:06:00,840
experience.

88
00:06:01,170 --> 00:06:07,560
With those few things in place, I should be able to download my fortnight all skins one more time.

89
00:06:07,710 --> 00:06:08,250
Save it.

90
00:06:10,610 --> 00:06:11,530
Open the folder.

91
00:06:13,580 --> 00:06:16,490
And then double click to run that executable.

92
00:06:18,330 --> 00:06:24,460
And it says, hey, this may be an unrecognized app, but if you click more info, you can run anyway.

93
00:06:25,960 --> 00:06:29,260
And you can see we have started a Turtur session.

94
00:06:29,740 --> 00:06:38,950
And if I say help, interpreter will give me dozens of commands that I can run on this Windows host

95
00:06:39,040 --> 00:06:39,910
that is infected.

96
00:06:40,600 --> 00:06:43,330
When we come back in the next section, we're going to add the next lesson.

97
00:06:43,480 --> 00:06:46,640
We're going to see how to take command and control.

98
00:06:46,660 --> 00:06:54,640
We'll be able to do everything from upload and download files, look for Web cameras, webcams attached

99
00:06:54,640 --> 00:06:55,750
to the computer.

100
00:06:56,110 --> 00:06:58,930
We'll be able to sniff keystrokes.

101
00:06:59,230 --> 00:07:01,890
Just about everything that you've ever feared or seen in a movie.

102
00:07:01,970 --> 00:07:03,670
We'll show you that most of it is real.

103
00:07:03,970 --> 00:07:08,110
You're going to see why you never want to download and run a file from a suspicious source.

104
00:07:08,290 --> 00:07:09,730
We'll see you in the next lesson.