1
00:00:00,440 --> 00:00:06,860
So another important thing to remember is that it's vital to remove the backdoor. Once you put a backdoor

2
00:00:06,860 --> 00:00:10,520
on a system, anyone can use that backdoor to compromise the system.

3
00:00:11,410 --> 00:00:16,120
Of course, there are some methods to prevent unintended use of a backdoor, but still.

4
00:00:17,290 --> 00:00:19,930
You have to remove the backdoor when you finish with it.

5
00:00:21,530 --> 00:00:27,170
There are two plus one steps to remove the backdoor we put in the previous lecture.

6
00:00:29,290 --> 00:00:33,220
Now, in the first step, we're going to remove the backdoor within the Meterpreter session.

7
00:00:34,390 --> 00:00:40,900
Now, as you know, there are different filesystem commands in Meterpreter that you can use on the remote

8
00:00:40,900 --> 00:00:46,960
host, and one of them is rm, which is used to remove the specified file.

9
00:00:48,900 --> 00:00:57,960
Now, the rm command needs the full file name, so let's scroll up to find the installed file path and

10
00:00:57,960 --> 00:00:58,380
the name.

11
00:00:59,730 --> 00:01:05,670
Here are the messages of the persistence command, and here is the file and the full path.

12
00:01:06,860 --> 00:01:13,130
So as you imagine, the path is different from the previous lecture, because this is another backdoor

13
00:01:13,130 --> 00:01:14,580
that I created off the record.

14
00:01:15,080 --> 00:01:16,780
So no matter what.

15
00:01:16,820 --> 00:01:19,490
Just find the backdoor file and its location.

16
00:01:20,610 --> 00:01:27,450
Now, let me find the file in the victim machine: Documents and Settings, Administrator, then

17
00:01:27,990 --> 00:01:29,790
Local Settings, Temp.

18
00:01:31,520 --> 00:01:32,390
This is the file.

19
00:01:34,310 --> 00:01:37,310
So I'll copy the full file path.

20
00:01:38,590 --> 00:01:42,230
And give it as the parameter of the rm command.

21
00:01:43,000 --> 00:01:45,750
Now, don't forget to duplicate the backslashes.

22
00:01:46,510 --> 00:01:51,940
As I mentioned before, the first backslash is the indicator of a special character, and the second

23
00:01:51,940 --> 00:01:54,010
one is that special character.

24
00:01:55,020 --> 00:01:56,860
Now it says that the access is denied.

25
00:01:57,030 --> 00:02:04,380
So maybe I don't have the necessary rights, so I'll use the getsystem Meterpreter command to gain

26
00:02:04,380 --> 00:02:05,760
system privileges.

27
00:02:06,360 --> 00:02:07,350
So I got SYSTEM.

28
00:02:08,270 --> 00:02:10,070
Now, try to delete the file again.

29
00:02:11,030 --> 00:02:12,350
Oh, my mistake.

30
00:02:12,800 --> 00:02:15,380
I put the path but didn't put the file name.

31
00:02:16,710 --> 00:02:20,260
So now I copy the file name and paste it at the end of the path.

32
00:02:24,620 --> 00:02:27,290
OK, the file is now deleted.

33
00:02:28,570 --> 00:02:34,660
So the first step is pretty much enough to destroy the backdoor, but, you know, it's better to be

34
00:02:34,660 --> 00:02:38,290
safe than sorry, so let's just clean the system.

35
00:02:39,300 --> 00:02:44,280
So I'd like to delete the registry key that is created by the persistence method.

36
00:02:46,410 --> 00:02:48,900
Scroll up to find the created registry key.

37
00:02:49,800 --> 00:02:56,370
Here, I'll copy the full path and name. So we're going to use the reg command to delete the registry

38
00:02:56,380 --> 00:02:59,850
key. When we type reg and hit enter,

39
00:03:00,790 --> 00:03:02,770
we reach the help page of the command.

40
00:03:04,850 --> 00:03:08,160
Well, I made millions of unsuccessful attempts.

41
00:03:08,540 --> 00:03:13,640
I didn't want to delete these attempts, just to show you that you shouldn't give up easily to succeed.

42
00:03:21,890 --> 00:03:27,470
OK, so here's the correct reg command. To delete a key, it is reg

43
00:03:28,500 --> 00:03:34,950
deleteval -k, the full path of the key, -v, the name of the key.

44
00:03:39,110 --> 00:03:41,330
I think we finally deleted the registry key.

45
00:03:42,350 --> 00:03:48,140
So let's go to the victim's system and just check to make sure it's deleted. Refresh the Registry

46
00:03:48,140 --> 00:03:51,410
Editor, and yeah, the key has gone.

47
00:03:52,520 --> 00:03:56,090
So the next step is not related to the victim machine.

48
00:03:56,390 --> 00:03:59,030
I just wanted to clean up my own system, Kali.

49
00:04:00,680 --> 00:04:06,710
So when I run the persistence method, a folder is created to keep the logs of that persistent session,

50
00:04:07,100 --> 00:04:09,530
so let's delete the folder for perfect cleaning.

51
00:04:10,940 --> 00:04:16,190
I now open a new terminal screen. I'm in the home folder of the current user, root.

52
00:04:17,820 --> 00:04:21,880
ls -al to see all the files and folders, including the hidden ones.

53
00:04:22,870 --> 00:04:29,140
Now, there is a folder named .msf4. Use the cd command to go inside that folder.

54
00:04:30,410 --> 00:04:37,210
Now go to the logs folder. There is a folder called persistence in it; go to that folder as well.

55
00:04:38,110 --> 00:04:44,650
As you see, there's a folder here. The first part of the folder is the domain name of our victim machine,

56
00:04:44,890 --> 00:04:50,400
and the rest is the date and time of the first usage of the persistence method.

57
00:04:51,680 --> 00:04:59,660
So here you can use the rm command with -rf as the parameter to delete any non-empty folder, and that's

58
00:04:59,660 --> 00:04:59,810
a.

