﻿1
00:00:00,890 --> 00:00:03,980
So now it is time to persist on the Windows 8 system.

2
00:00:05,080 --> 00:00:11,500
As we've seen before, the persistence method of Meterpreter suggests that we use the post/windows/manage/

3
00:00:11,500 --> 00:00:13,180
persistence_exe module.

4
00:00:14,230 --> 00:00:21,340
Now we can use the module directly with the run command, as seen in the example. In this regard, we have

5
00:00:21,340 --> 00:00:23,200
to set the options on the command line.

6
00:00:24,500 --> 00:00:31,040
So I prefer using the module with the use command, to be able to interrogate the options in detail.

7
00:00:32,030 --> 00:00:39,320
So I'll use the background command to drop back to the msfconsole interface.

8
00:00:40,220 --> 00:00:43,400
And I use the use command to select the module.

9
00:00:44,650 --> 00:00:46,270
Now, let's look at the options.

10
00:00:48,270 --> 00:00:54,850
REXEPATH is the option where we set the executable file which will be used as the backdoor.

11
00:00:55,560 --> 00:00:59,910
My pretty backdoor was under the output folder of TheFatRat.

12
00:01:00,910 --> 00:01:09,010
So we need a session, and we have one. Let's list the sessions to see its ID number. The ID number

13
00:01:09,010 --> 00:01:10,180
of our session is one.

14
00:01:11,810 --> 00:01:15,950
The STARTUP option asks when to trigger the backdoor.

15
00:01:16,370 --> 00:01:20,840
It can be triggered when the user, the system, or a service is started.

16
00:01:22,240 --> 00:01:28,090
And as you see in the session details, our session runs with SYSTEM privileges, so we'd better

17
00:01:28,090 --> 00:01:30,520
use SYSTEM for the STARTUP option.

18
00:01:31,510 --> 00:01:38,270
Now, let's look at the options once again, just to double-check that we have set them properly. Backdoor,

19
00:01:38,290 --> 00:01:38,890
OK.

20
00:01:40,370 --> 00:01:46,280
SESSION is one. REXENAME is the name of our backdoor on the victim system.

21
00:01:46,910 --> 00:01:54,080
I left it as default, but you can change it to anything you want. And STARTUP is SYSTEM. Great.

22
00:01:54,950 --> 00:01:56,360
We are ready to run the module.

23
00:01:58,370 --> 00:01:59,770
OK, let's see what happened.

24
00:02:01,140 --> 00:02:06,660
So it says the backdoor has been written as default.exe under the Temp folder.

25
00:02:07,510 --> 00:02:13,390
So now I go to the victim to verify it. Open Windows Explorer, go to the Temp folder under the

26
00:02:13,390 --> 00:02:14,230
Windows folder.

27
00:02:14,590 --> 00:02:17,620
The default.exe file is right here, as expected.

28
00:02:18,960 --> 00:02:25,070
OK, so now it is time to examine whether we are able to persist on the victim's system or not.

29
00:02:26,070 --> 00:02:33,420
I'll use the sessions -i command to interact with Meterpreter, and sysinfo to check the connection

30
00:02:33,420 --> 00:02:34,200
and the system.

31
00:02:35,200 --> 00:02:39,560
Now, let's reboot the victim system using Meterpreter's reboot command.

32
00:02:40,360 --> 00:02:41,890
Now look at the Windows 8 VM.

33
00:02:42,310 --> 00:02:43,990
Yep, it's restarting.

34
00:02:44,860 --> 00:02:51,490
So now we're going to lose the Meterpreter session in a second, but remember, from the first method,

35
00:02:51,760 --> 00:02:54,270
the backdoor will try to connect back to us.

36
00:02:54,550 --> 00:03:00,340
So we need a listener, also known as a handler, to listen for the connect-back requests.

37
00:03:01,090 --> 00:03:07,870
So I'll drop back to the msfconsole interface using the background command to create a handler.

38
00:03:08,900 --> 00:03:11,870
So, use exploit/multi/handler.

39
00:03:13,080 --> 00:03:16,170
The payload has to be the same as the payload used in the backdoor.

40
00:03:16,190 --> 00:03:20,950
And remember, that is windows/meterpreter/reverse_tcp.

41
00:03:23,470 --> 00:03:24,790
OK, let's look at the options.

42
00:03:25,770 --> 00:03:27,600
Set LHOST to Kali.

43
00:03:28,750 --> 00:03:32,450
LPORT was 4321 in our backdoor.

44
00:03:32,730 --> 00:03:36,970
Remember, the LPORT has to be the same as the one you used in the backdoor.

45
00:03:38,400 --> 00:03:41,570
So I start the handler using the exploit command.

46
00:03:41,790 --> 00:03:44,450
OK, so go back to Windows 8.

47
00:03:45,120 --> 00:03:49,530
Yeah, it's restarted, and we're ready to log in now.

48
00:03:49,680 --> 00:03:51,180
I log into the system.

49
00:03:55,630 --> 00:03:56,950
And back to Kali.

50
00:03:58,350 --> 00:04:03,180
So we're supposed to have a session in seconds, so wait for it.

51
00:04:13,400 --> 00:04:22,910
Yes, the Meterpreter session opened. Well, four sessions are open, so double check, triple check, quadruple

52
00:04:22,910 --> 00:04:24,580
check then.

53
00:04:24,590 --> 00:04:25,520
Now we've got the answer.

54
00:04:26,510 --> 00:04:30,380
We have a persistent backdoor on the Windows 8 victim.

