1
00:00:00,910 --> 00:00:09,520
Let's see how we can create a basic malicious Windows executable using the msfvenom tool. 64-bit Windows

2
00:00:09,520 --> 00:00:11,130
8 is the victim's system.

3
00:00:11,980 --> 00:00:14,920
Choose an executable to use as a template.

4
00:00:15,460 --> 00:00:17,950
The output malware will be the same size

5
00:00:17,950 --> 00:00:23,020
as this template file. I'm going to use the putty.exe file as the template.

6
00:00:23,680 --> 00:00:26,430
Let's copy putty.exe to Kali to work on it.

7
00:00:27,010 --> 00:00:31,840
First, look at the IP address of the target machine, here Kali.

8
00:00:33,440 --> 00:00:41,510
You can use the WinSCP tool to transfer a file from a Windows system to a Linux system. SCP (secure

9
00:00:41,510 --> 00:00:48,140
copy) is a means of securely transferring computer files between a local host and a remote host or between

10
00:00:48,140 --> 00:00:49,280
two remote hosts.

11
00:00:49,460 --> 00:00:53,420
It's based on the SSH (Secure Shell) protocol.

12
00:00:54,050 --> 00:01:00,980
Now, since WinSCP uses the SSH protocol, be sure the SSH service is running on Kali.

13
00:01:01,670 --> 00:01:06,770
Check the status of the SSH service using the service ssh status command.

14
00:01:08,850 --> 00:01:17,280
It's already active on my Kali. If it's not running, use service ssh start to start the SSH service

15
00:01:17,280 --> 00:01:18,600
in your Kali machine.

16
00:01:27,470 --> 00:01:34,490
If you try to log in with WinSCP using the root user, you may see the access denied message. That means

17
00:01:34,490 --> 00:01:39,020
using the SSH service with the root user is denied in your Kali machine's

18
00:01:39,020 --> 00:01:47,150
SSH service configuration. Either change the SSH service config to be able to connect with the root user,

19
00:01:47,360 --> 00:01:50,930
or create a new user to use for SSH connections.

20
00:01:52,090 --> 00:02:00,310
I choose to create a new user. You can use the adduser or useradd commands on the terminal screen or

21
00:02:00,400 --> 00:02:02,900
the Users interface to add a new user.

22
00:02:03,460 --> 00:02:06,850
I've already added a user before, SSH user,

23
00:02:06,850 --> 00:02:10,660
for this purpose. You can add a similar user to your system.

24
00:02:17,370 --> 00:02:21,090
Connect with WinSCP using the SSH user's credentials.

25
00:02:40,770 --> 00:02:48,390
Find the .exe file on the Windows side. In this example, it's on the desktop of the current user. Copy

26
00:02:48,390 --> 00:02:57,630
it to the Kali machine, here to the home folder of the SSH user in Kali. Use the ls command in the terminal

27
00:02:57,630 --> 00:03:00,390
screen to see if the file is transferred successfully.

28
00:03:09,710 --> 00:03:14,990
Now we're ready to create a malicious executable using the putty.exe file as a template.

29
00:03:18,660 --> 00:03:26,730
Prepare the appropriate msfvenom command. The first parameter is -p, which specifies the payload

30
00:03:26,730 --> 00:03:31,040
used. You have to find the correct payload according to your target.

31
00:03:31,650 --> 00:03:38,160
Don't forget to choose a payload with the correct platform, correct architecture, correct connection

32
00:03:38,160 --> 00:03:39,630
method, etc.

33
00:03:40,900 --> 00:03:45,970
You can see the available payloads using the msfvenom -l payloads command.

34
00:03:49,460 --> 00:03:56,150
There are a lot of payloads available, and since the target machine is 64-bit, we can filter the results

35
00:03:56,150 --> 00:03:58,070
using the grep command with a pipe.

36
00:04:09,300 --> 00:04:17,850
We use the windows/x64/meterpreter/reverse_tcp payload for this example.

37
00:04:21,020 --> 00:04:25,460
Let's have a pause here and have a small introduction to the world of Metasploit.

38
00:04:26,430 --> 00:04:31,110
The Metasploit Project is the most used penetration testing framework in the world.

39
00:04:31,560 --> 00:04:38,450
It can be used to test the vulnerability of computer systems or to break into remote systems.

40
00:04:38,490 --> 00:04:44,670
Metasploit was created by HD Moore in 2003 using Perl. By 2007,

41
00:04:44,820 --> 00:04:50,860
the Metasploit Framework had been completely rewritten in Ruby. In 2009,

42
00:04:51,060 --> 00:04:53,690
the project was acquired by Rapid7.

43
00:04:54,300 --> 00:05:00,570
Now they have a free and open source version, Metasploit Framework, and a commercial version,

44
00:05:00,870 --> 00:05:02,370
Metasploit Pro.

45
00:05:03,350 --> 00:05:11,090
Its best-known sub-project is the open source Metasploit Framework, a tool for developing and executing

46
00:05:11,090 --> 00:05:14,740
exploit code against a remote target machine.

47
00:05:15,840 --> 00:05:24,420
The msfconsole is probably the most popular interface to the Metasploit Framework (MSF). It provides

48
00:05:24,420 --> 00:05:31,770
an all-in-one centralized console and allows you efficient access to virtually all of the options available

49
00:05:31,770 --> 00:05:32,820
in the MSF.

50
00:05:33,600 --> 00:05:40,560
msfconsole may seem intimidating at first, but once you learn the syntax of the commands, you will

51
00:05:40,560 --> 00:05:44,130
learn to appreciate the power of utilizing this interface.

52
00:05:45,530 --> 00:05:51,970
Meterpreter, short for Meta-Interpreter, is an advanced payload that is included in the Metasploit

53
00:05:51,970 --> 00:05:52,670
Framework.

54
00:05:53,540 --> 00:05:59,840
Its purpose is to provide complex and advanced features that would otherwise be tedious to implement

55
00:05:59,960 --> 00:06:01,120
purely in assembly.

56
00:06:02,000 --> 00:06:07,370
The way that it accomplishes this is by allowing developers to write their own extensions in the form

57
00:06:07,370 --> 00:06:15,500
of shared object (DLL) files that can be uploaded and injected into a running process on a target computer

58
00:06:15,800 --> 00:06:17,960
after exploitation has occurred.

59
00:06:18,800 --> 00:06:26,540
Meterpreter and all of the extensions that it loads are executed entirely from memory and never touch

60
00:06:26,540 --> 00:06:27,170
the disk.

61
00:06:29,110 --> 00:06:34,010
Let's continue to create a malicious executable using the msfvenom tool.

62
00:06:34,690 --> 00:06:36,700
Now, the first parameter was the payload.

63
00:06:37,150 --> 00:06:44,170
We can choose the platform here, Windows, but since we chose a Windows payload, the tool will already

64
00:06:44,170 --> 00:06:47,410
understand the platform. Same as with the platform,

65
00:06:47,410 --> 00:06:56,730
we can set the architecture to x64 using the --arch parameter, but because we use a payload for the x64 architecture,

66
00:06:57,100 --> 00:07:03,520
the tool already understands the architecture, so we don't need to use the arch and platform parameters in

67
00:07:03,520 --> 00:07:04,270
this example.

68
00:07:05,340 --> 00:07:10,500
The next parameter is -f, to determine the format of the output file.

69
00:07:11,110 --> 00:07:16,410
You can use msfvenom --help-formats to see the available formats.

70
00:07:25,000 --> 00:07:27,910
We only use exe in this example.

71
00:07:34,290 --> 00:07:39,060
Then specify the template file using the -x parameter with the template file.

72
00:07:46,340 --> 00:07:49,760
Name the output file with the -o parameter.

73
00:08:00,480 --> 00:08:07,110
Now is the time to define the options of the payload. To see the options of the payload, you can use

74
00:08:07,110 --> 00:08:10,140
the --payload-options parameter with the payload.

75
00:08:16,230 --> 00:08:21,090
We have to decide the LHOST and LPORT options of the payload here.

76
00:08:26,130 --> 00:08:29,670
Complete the command again: output file format

77
00:08:41,010 --> 00:08:42,660
and output file name.

78
00:08:58,300 --> 00:09:04,930
Now, assign the LHOST and LPORT options of the payload. LHOST is the IP address of the listener

79
00:09:04,930 --> 00:09:05,530
machine,

80
00:09:05,830 --> 00:09:12,250
in this example our Kali machine. LPORT is the port which will be open to listen for the sessions.

81
00:09:16,360 --> 00:09:18,250
Hit Enter to create the malware.

82
00:09:27,320 --> 00:09:35,810
As you see, no arch was selected; the tool selected x64 from the payload. And no platform was selected;

83
00:09:36,080 --> 00:09:39,410
the tool automatically selected Windows from the payload.

84
00:09:39,410 --> 00:09:44,720
Again, to be sure, go to the folder and see the created malware.

85
00:09:46,750 --> 00:09:52,390
Attackers should find a way to make the victim accept and run the malware. Let's just copy the

86
00:09:52,390 --> 00:09:58,210
malware to the victim's machine for the moment and suppose that we sent it as an attachment to a phishing

87
00:09:58,210 --> 00:09:58,660
email.

88
00:09:59,810 --> 00:10:04,370
First, let's try to copy the file to the Windows machine while Windows Defender is running.

89
00:10:16,150 --> 00:10:19,990
As you can see, Windows Defender recognized the malware

90
00:10:38,380 --> 00:10:40,170
and deleted it in seconds.

91
00:10:41,340 --> 00:10:42,430
Can you guess why?

92
00:10:43,170 --> 00:10:49,590
Because we used the standard Meterpreter payload, which is very well known, and Windows Defender recognized

93
00:10:49,590 --> 00:10:50,310
it easily.

94
00:10:51,540 --> 00:10:58,520
To see the payload in action, let's turn Windows Defender off and send the malware again.

95
00:11:14,670 --> 00:11:20,700
As an attacker, we need to listen to capture the sessions of the victims who run the malware.

96
00:11:22,150 --> 00:11:23,980
Start msfconsole.

97
00:11:27,950 --> 00:11:29,990
You'll have a Metasploit Framework shell.

98
00:11:31,540 --> 00:11:32,980
Search for the handlers.

99
00:11:39,010 --> 00:11:43,240
Use exploit/multi/handler for this example.

100
00:11:50,930 --> 00:11:55,160
In the handler, we have to use the same payload that we used in the malware.

101
00:12:06,360 --> 00:12:09,300
List the options with the show options command.

102
00:12:10,590 --> 00:12:12,510
Set the listener address and port.

103
00:12:17,330 --> 00:12:24,140
Since the default port is the same as the port we assigned in the malware, we can leave it as is.

104
00:12:25,100 --> 00:12:29,120
And run the handler; it starts to listen at that moment.

105
00:12:30,300 --> 00:12:33,660
Now go back to the victim machine and run the malware.

106
00:12:38,610 --> 00:12:46,530
Voila, we got the session from the victim machine. Look at the system info using the sysinfo Meterpreter

107
00:12:46,530 --> 00:12:46,970
command.

108
00:12:47,670 --> 00:12:50,030
It's a 64-bit Windows machine.

109
00:12:50,700 --> 00:12:57,410
Look at the user ID. Meterpreter has a lot of excellent commands to compromise the victim's machine;

110
00:12:58,200 --> 00:13:00,630
use the help command to see some of them.

111
00:13:10,820 --> 00:13:13,790
Let's take a screenshot of the victim machine.

112
00:13:32,420 --> 00:13:38,630
When we list the currently running processes using the tasklist command on the victim machine, we see

113
00:13:38,630 --> 00:13:39,800
the malware running.

114
00:13:40,520 --> 00:13:46,550
You can kill it using the taskkill command with the /PID parameter.

115
00:13:52,890 --> 00:13:56,310
Use the /F parameter to force it to be killed.

116
00:14:01,420 --> 00:14:07,150
As soon as the malware process is killed, the Meterpreter session dies as well.

