1
00:00:00,090 --> 00:00:07,080
Before we can start the cool exploitation phase, we have to first define a couple of things.

2
00:00:07,170 --> 00:00:11,400
So we're going to quickly define the different shell types we're going to see, and then we're going to define

3
00:00:11,400 --> 00:00:12,600
the different types of payloads

4
00:00:12,600 --> 00:00:13,760
we're gonna see.

5
00:00:13,800 --> 00:00:15,840
So let's first start with the shells.

6
00:00:15,990 --> 00:00:21,440
The most common shell you're going to see is what is called a reverse shell.

7
00:00:21,450 --> 00:00:28,620
Now, in this example it is using a tool called Netcat, which you're going to see here shortly, and a shell,

8
00:00:28,650 --> 00:00:31,730
all a shell is, is access to a machine.

9
00:00:31,740 --> 00:00:35,530
So when we say we pop a shell, that means we get access to a machine.

10
00:00:35,580 --> 00:00:41,040
Now, reverse shell, or a reverse shell, means that a victim connects to us.

11
00:00:41,100 --> 00:00:46,980
Here you see it says "Target connecting to attack box," and you may get asked this question about shells

12
00:00:47,010 --> 00:00:48,100
in an interview:

13
00:00:48,150 --> 00:00:49,170
What is a reverse shell?

14
00:00:49,170 --> 00:00:50,460
What is a bind shell?

15
00:00:50,520 --> 00:00:52,090
So a reverse shell means, again,

16
00:00:52,110 --> 00:00:53,840
a victim connects to us.

17
00:00:53,850 --> 00:00:58,440
You see that it says target is connecting, attack box is listening.

18
00:00:58,440 --> 00:01:03,860
So what's happening here is that on the attack box you can see that we have Netcat.

19
00:01:03,870 --> 00:01:12,230
This is nc, and we're just listening on a port here. -lvp means listen, verbose, port, so we're listening

20
00:01:12,240 --> 00:01:14,280
on port 4444.

21
00:01:14,280 --> 00:01:19,950
That means on our machine we're opening up that port. When we use Netcat on this machine,
22
00:01:20,050 --> 00:01:25,120
it's going to say, "Hey, Netcat, I want to connect to this IP address here.

23
00:01:25,360 --> 00:01:28,730
I want to connect to it on port 4444."

24
00:01:28,840 --> 00:01:35,950
And when I do that, I'm going to establish this /bin/sh here, so I'm going to execute /bin/sh, which is

25
00:01:35,950 --> 00:01:36,910
a Linux machine.

26
00:01:36,910 --> 00:01:40,800
If this was Windows, it would be cmd.exe.

27
00:01:41,080 --> 00:01:45,790
So what we're going to do is we're gonna say, "Hey, let's connect over here," and this is going to connect.

28
00:01:45,910 --> 00:01:51,790
So all we're going to do with a reverse shell is we're going to listen. Now, with the bind shell, it's a little

29
00:01:51,790 --> 00:01:53,200
bit different.

30
00:01:53,320 --> 00:01:57,070
We have our attack box and then our target.

31
00:01:57,100 --> 00:02:03,020
So with the bind shell, we actually open up a port on the machine, then we connect to it.

32
00:02:03,100 --> 00:02:09,580
So we fire off an exploit, that exploit goes in and it opens up a port, and then it's listening for

33
00:02:09,580 --> 00:02:10,260
us to connect.

34
00:02:10,300 --> 00:02:16,330
When we connect on that specific port to that specific machine with Netcat, then we're gonna go ahead

35
00:02:16,360 --> 00:02:17,370
and get that shell.

36
00:02:17,380 --> 00:02:22,480
And on this side it's going to execute for us that /bin/sh.

37
00:02:22,480 --> 00:02:23,410
Now, if we go back,

38
00:02:23,440 --> 00:02:25,100
same thing here.

39
00:02:25,150 --> 00:02:32,230
We're going to send some sort of exploit that's going to talk back and say, "Hey, I want to, when you exploit

40
00:02:32,230 --> 00:02:36,070
this, go ahead and just connect to 4444 on this machine."

41
00:02:36,070 --> 00:02:42,340
Now, this is going to come together very clearly when we get into our exploit development part here in

42
00:02:42,340 --> 00:02:43,500
just a little bit.
43
00:02:43,600 --> 00:02:49,180
But all you need to know right now is that a reverse shell means the target connects to us, a bind

44
00:02:49,180 --> 00:02:51,580
shell means we connect to the target.

45
00:02:51,580 --> 00:02:55,620
Now, a little bit more about reverse shells. You're going to use reverse shells

46
00:02:55,630 --> 00:03:01,980
ninety-five percent of the time. There are instances where you're going to use bind shells. Bind shells

47
00:03:01,980 --> 00:03:05,520
most likely are going to be on an external assessment.

48
00:03:05,610 --> 00:03:11,790
If you think about it, a reverse shell: you're sitting in your home network and you are sitting on a VM,

49
00:03:12,030 --> 00:03:16,040
and that VM is using an internal IP address, is talking out through NAT.

50
00:03:16,200 --> 00:03:19,850
It's going through your public IP address and you're attacking a target.

51
00:03:20,340 --> 00:03:27,870
Well, how are you going to connect that public IP address of the target back to yourself on an internal

52
00:03:27,870 --> 00:03:28,740
IP?

53
00:03:28,800 --> 00:03:34,800
You're going to have to set up a port forward or port trigger on your firewall to talk into that specific

54
00:03:34,800 --> 00:03:36,030
machine.

55
00:03:36,060 --> 00:03:40,290
It's a little bit of extra work; you're opening some stuff up on your side.

56
00:03:40,290 --> 00:03:47,790
The other idea is to say, "Hey, bind shell, why don't I just go ahead and open a port up on that target,

57
00:03:47,790 --> 00:03:51,860
all the way through my public IP address, and I'll just connect to that port."

58
00:03:52,020 --> 00:03:55,950
It doesn't care what IP address you're coming from; it's just listening.

59
00:03:56,010 --> 00:04:00,060
So we can come from any IP address and connect to that port on that machine.
60
00:04:00,060 --> 00:04:04,950
So this is where bind shells are useful, when we have to bypass some sort of firewall, or it just makes

61
00:04:04,950 --> 00:04:08,400
sense. Sometimes a reverse shell just doesn't work,

62
00:04:08,400 --> 00:04:10,620
and we have to use a bind shell anyway.

63
00:04:10,620 --> 00:04:14,120
So we have to think about the connection and how it's getting to and from us.

64
00:04:14,250 --> 00:04:18,930
Most of the time, especially because you're going to practice a lot in labs and you're going to do internal

65
00:04:18,930 --> 00:04:20,580
assessments as well,

66
00:04:20,670 --> 00:04:26,100
most of your shells are going to come in the form of a reverse shell. However, bind shells do exist and

67
00:04:26,100 --> 00:04:27,850
you should know what they are as well.

68
00:04:27,870 --> 00:04:30,840
And again, for an interview, you should know the difference.

69
00:04:30,840 --> 00:04:37,320
So before we finish here, let's go ahead and take a look at what these look like, and I'm going to log

70
00:04:37,320 --> 00:04:44,060
back into my machine. And I've got two things open here. I've got one into.

71
00:04:44,070 --> 00:04:50,130
We're going to play victim and we're going to play target, right, or attacker.

72
00:04:50,130 --> 00:04:56,010
So on the attacker, if we have a reverse shell, we're going to say, "Netcat, I want to listen," and I like

73
00:04:56,010 --> 00:04:59,980
to do -nvlp, but you can do -lvp as well.

74
00:04:59,980 --> 00:05:01,280
The -lp, it doesn't matter what order.

75
00:05:01,290 --> 00:05:04,460
I just do the -nvlp and all fours.

76
00:05:04,470 --> 00:05:08,720
So now we're listening on any, on all fours, right.

77
00:05:09,620 --> 00:05:16,430
So here we're gonna say, on the victim's screen, we're gonna say, "Hey, Netcat, I want to connect," and this

78
00:05:16,430 --> 00:05:20,200
is a self connection, but still, I want to connect to the victim machine.
79
00:05:20,420 --> 00:05:26,240
I want to connect to my attacker from the victim machine, and our attacker's IP address is 139,

80
00:05:26,240 --> 00:05:32,030
they've got 4444 open. Let's establish that connection, and we're going to offer them

81
00:05:32,030 --> 00:05:36,820
/bin/bash, only do, and here's that connection.

82
00:05:36,920 --> 00:05:38,170
So this is a reverse shell.

83
00:05:38,210 --> 00:05:42,940
We were listening as the attacker, and then the victim connected to us, and then we could say something

84
00:05:42,940 --> 00:05:43,940
like whoami.

85
00:05:43,940 --> 00:05:50,600
And you could see root, and then hostname kali, and we have a connection and we offered up that

86
00:05:50,600 --> 00:05:51,710
/bin/bash here.

87
00:05:51,740 --> 00:05:53,070
So that works.

88
00:05:53,090 --> 00:05:57,150
So that is an example of a reverse shell.

89
00:05:57,170 --> 00:05:59,530
So I'll Control-C this connection, kill it.

90
00:05:59,570 --> 00:06:01,400
It dies over here.

91
00:06:01,400 --> 00:06:04,790
Now let's say we wanted to flip the script. Do we want a bind shell?

92
00:06:05,150 --> 00:06:08,190
Well, now guess who needs to be listening?

93
00:06:08,480 --> 00:06:15,590
Now, in this instance we're gonna be listening and we're going to be offering up the /bin/bash because

94
00:06:15,590 --> 00:06:16,510
we are the victim.

95
00:06:17,350 --> 00:06:17,770
OK.

96
00:06:17,780 --> 00:06:22,870
So we still have to offer up whatever command line we are going to have here.

97
00:06:22,940 --> 00:06:29,270
Now all we have to do as the attacker is connect to our victim,

98
00:06:32,060 --> 00:06:33,230
and we have the same connection.

99
00:06:33,230 --> 00:06:39,280
You see the connection happens here: whoami, root, hostname kali.
100
00:06:39,470 --> 00:06:46,430
So that is the difference between a bind shell and a reverse shell. Remember, reverse shells are most

101
00:06:46,430 --> 00:06:48,770
commonly used, but bind shells are important.

102
00:06:48,770 --> 00:06:54,200
Again, just to hammer home: reverse shell means the victim connects to us, bind shell means we connect

103
00:06:54,200 --> 00:06:55,340
to a victim.

104
00:06:55,340 --> 00:06:59,420
So I'll catch you over in the next video when we talk about staged versus non-staged payloads.