﻿1
00:00:00,510 --> 00:00:05,310
‫Let's try to create malware which cannot be detected by the security systems.

2
00:00:06,210 --> 00:00:10,350
‫I'd like to try to create a back door with the MSF venom first.

3
00:00:13,830 --> 00:00:17,300
‫Go to the fat rat folder and run fat rat script.

4
00:00:18,410 --> 00:00:25,490
‫If you let the tool add a shortcut to the system, you don't need to go to the fat rat folder, you

5
00:00:25,490 --> 00:00:26,840
‫can run it from anywhere.

6
00:00:28,520 --> 00:00:33,680
‫It checks all dependent applications in conditions such as Internet connection at the beginning.

7
00:00:39,870 --> 00:00:42,630
‫Don't upload to virus total warning.

8
00:00:47,500 --> 00:00:53,530
‫OK, there are several different methods to create back doors using the fat rat, you can create back

9
00:00:53,530 --> 00:01:00,460
‫doors here using MSF Venom food when avoid Puan winds, etc..

10
00:01:01,000 --> 00:01:06,490
‫In addition, you can add back doors into the original Android apk packages.

11
00:01:07,270 --> 00:01:14,500
‫Let's create a malware with a backdoor using the MSF venom in this example type one and hit enter into

12
00:01:14,500 --> 00:01:15,280
‫the main menu.

13
00:01:16,700 --> 00:01:19,490
‫MSF Venom creator, Modu Menu Appears.

14
00:01:20,810 --> 00:01:26,570
‫Now, since our victim's machines operating system is windows, I chose here, the second option in

15
00:01:26,570 --> 00:01:33,830
‫this menu, it first gives me the IP information of my local machine, then asks for the listener IP

16
00:01:33,830 --> 00:01:34,350
‫address.

17
00:01:34,820 --> 00:01:36,080
Thanks for the kindness.

18
00:01:37,530 --> 00:01:44,790
Since I use this machine as the listener, I enter its IP address. Asked for the listener port, I'll

19
00:01:44,790 --> 00:01:47,670
choose double five, double five for this time.

20
00:01:48,840 --> 00:01:55,650
Now it wants me to enter the base name for the output files that the tool is going to generate. While

21
00:01:55,650 --> 00:02:01,200
trying to find the correct payload and malware, you may need to try a lot of different options.

22
00:02:01,650 --> 00:02:07,890
So to be able to recognize which file I generated this time, I use the day of the month and the

23
00:02:07,890 --> 00:02:09,450
time in the file names.

24
00:02:10,260 --> 00:02:19,050
For this example, since today is the first day of the month and it's 22:55, I use 01-22-

25
00:02:19,050 --> 00:02:21,480
55 as the file name base.

26
00:02:22,530 --> 00:02:29,610
The next step is to choose the payload. Let's choose

27
00:02:29,610 --> 00:02:30,410
windows/meterpreter/reverse_tcp.

28
00:02:30,510 --> 00:02:34,980
Number three. It uses almost all facilities of msfvenom.

29
00:02:39,160 --> 00:02:46,480
It encodes the payload with 10 iterations of the shikata_ga_nai encoding

30
00:02:46,480 --> 00:02:55,510
method first, then encodes with another method eight times, and three other encodings follow. The malicious

31
00:02:55,510 --> 00:02:57,060
executable was created.

32
00:02:57,430 --> 00:03:00,910
It's in the output folder under the TheFatRat folder.

33
00:03:01,940 --> 00:03:09,200
Now let's go to the victim machine and transfer the file using WinSCP. Connect to your Kali machine.

34
00:03:09,630 --> 00:03:16,430
Remember, the SCP protocol uses SSH, so be sure that SSH is running in Kali.

35
00:03:18,280 --> 00:03:23,170
My Kali SSH is serving from 443, don't ask why.

36
00:03:26,470 --> 00:03:35,830
OK, we connected. Go to the folder where our file is: root, TheFatRat, output. And here it is.

37
00:03:36,760 --> 00:03:40,320
Drag it and drop it onto the desktop of the Windows system.

38
00:03:41,110 --> 00:03:48,420
But first, let's start Windows Defender and see if our malware is able to avoid it or not.

39
00:03:50,550 --> 00:03:56,070
OK, it's already running. Now let's transfer the malware into the Windows system.

40
00:03:57,410 --> 00:04:01,520
Oops, our malware is detected by Windows Defender.

41
00:04:03,770 --> 00:04:10,640
And deleted in a few seconds. Anyway, there are always some computers which do not have any security

42
00:04:10,640 --> 00:04:11,190
protection.

43
00:04:11,690 --> 00:04:19,220
Let's examine how our malware works on them. Go to Settings, Administrator pane, and uncheck the "Turn

44
00:04:19,220 --> 00:04:25,370
on this app" checkbox to disable Windows Defender, and press Save changes.

45
00:04:26,650 --> 00:04:29,770
Now, drag the malware again and drop it onto the desktop.

46
00:04:30,670 --> 00:04:35,740
Before running the application in the victim machine, let's think about the hacker side.

47
00:04:36,340 --> 00:04:42,400
Are we ready as a hacker? What do we need to connect to the backdoor if the malware succeeds?

48
00:04:44,550 --> 00:04:48,960
Sure, we don't have a listener at the moment. Go to the Kali machine to start a listener.

49
00:04:50,300 --> 00:04:54,410
Start the Metasploit Framework console using the msfconsole command.

50
00:04:55,960 --> 00:05:00,190
While the Metasploit Framework is starting, look at the information of the backdoor in the terminal where

51
00:05:00,190 --> 00:05:04,510
I created it to make sure the payload is the one I used. Why?

52
00:05:04,690 --> 00:05:09,310
Because I have to use the exact same payload while creating the listener.

53
00:05:10,530 --> 00:05:15,600
MSF started. Type use exploit/multi/handler first.

54
00:05:19,560 --> 00:05:22,650
And then set the payload that we used in the malware.

55
00:05:26,490 --> 00:05:33,210
Look at the options using the show options command. Set the host; again, I use the information of the

56
00:05:33,210 --> 00:05:33,720
malware.

57
00:05:40,780 --> 00:05:44,740
Set the port, which was five five five five on my malware.

58
00:05:49,210 --> 00:05:51,520
Now, type exploit to start the handler.

59
00:05:53,380 --> 00:05:55,060
Go to the victim's machine now.

60
00:05:55,970 --> 00:06:02,030
And run the malware we copied a few minutes ago. Turn back to Kali; you see that a Meterpreter

61
00:06:02,030 --> 00:06:05,750
session is opened. Once again, the victory is ours.

62
00:06:09,720 --> 00:06:13,020
Windows Defender on Windows 8 has detected our malware.

63
00:06:14,200 --> 00:06:18,160
We should find another way to create an undetectable malware.

64
00:06:19,320 --> 00:06:25,710
This time, I'd like to create a malware using Pwnwinds, option six. We are now in the main menu

65
00:06:25,710 --> 00:06:32,550
of TheFatRat. Type six and hit enter to use Pwnwinds to create the malware this time.

66
00:06:33,520 --> 00:06:40,080
The Pwnwinds module menu appears. There are different options here to create an exe, batch, or PDF file.

67
00:06:41,040 --> 00:06:44,820
I'd like to use the second option to create an executable malware.

68
00:06:45,850 --> 00:06:52,030
Now, when I type two and hit enter, it gives the IP information of my system and asks for the listener

69
00:06:52,030 --> 00:06:52,390
host.

70
00:06:53,390 --> 00:07:02,030
Enter the LHOST, the IP of your Kali, and the LPORT. This time I use double six, double six; use whatever

71
00:07:02,030 --> 00:07:05,090
you want. Base name for the output files:

72
00:07:05,270 --> 00:07:09,470
I use the same format, 01-23-02.

73
00:07:10,490 --> 00:07:15,610
Again, I choose the third payload, reverse_tcp.

74
00:07:25,970 --> 00:07:28,520
The backdoor is saved to the output folder.

75
00:07:29,060 --> 00:07:33,650
Now let's go to the victim machine and transfer the file using WinSCP.

76
00:07:35,100 --> 00:07:36,080
Kali side of WinSCP.

77
00:07:37,050 --> 00:07:42,480
We're in the output folder of the TheFatRat application. Before transferring the new malware into the

78
00:07:42,480 --> 00:07:43,320
victim's machine,

79
00:07:43,980 --> 00:07:46,290
be sure that Windows Defender is running.

80
00:07:47,150 --> 00:07:49,970
I opened the Action Center and turned on Windows Defender.

81
00:07:58,420 --> 00:08:02,500
OK, it's running. I can transfer our new malware now.

82
00:08:07,950 --> 00:08:15,570
No, not again. Defender detected our new malware as well, and we should try another method.

83
00:08:15,570 --> 00:08:20,760
TheFatRat is very powerful and I'm sure we can find a way to bypass Defender.

84
00:08:21,920 --> 00:08:27,170
I'll try another method of Pwnwinds, the sixth option of the main menu.

85
00:08:30,850 --> 00:08:37,330
This time, I choose the fourth option in the Pwnwinds menu. I'll again create a malicious executable

86
00:08:37,660 --> 00:08:39,070
with a different method.

87
00:08:39,700 --> 00:08:40,990
Inputs are all the same.

88
00:08:41,440 --> 00:08:44,200
LHOST first, then LPORT.

89
00:08:44,560 --> 00:08:49,780
I choose double seven, double seven this time, and the base name of the output files.

90
00:08:55,750 --> 00:08:59,770
I chose reverse_tcp as the payload, the third option.

91
00:09:06,150 --> 00:09:14,160
And done, the output file is created. Let's go back to the victim machine, refresh the Kali side of

92
00:09:14,160 --> 00:09:19,830
WinSCP, and drag the newest malware and drop it onto the Windows desktop.

93
00:09:21,300 --> 00:09:27,810
As you see at the lower right-hand corner, Windows Defender is running and it couldn't detect our malware

94
00:09:27,810 --> 00:09:28,360
this time.

95
00:09:28,650 --> 00:09:29,780
Well done.

96
00:09:30,150 --> 00:09:34,730
We overcame the first problem: bypassing the security system.

97
00:09:35,820 --> 00:09:40,120
Now, the main question is, does the malware work?

98
00:09:40,170 --> 00:09:42,380
I mean, do we have the backdoor?

99
00:09:43,110 --> 00:09:48,510
So at this point we go back to Kali and start a listener. Start msfconsole.

100
00:09:56,820 --> 00:10:01,230
Use exploit/multi/handler to use the handler.

101
00:10:02,870 --> 00:10:10,310
Set the payload, the same one we used in the malware. To be sure, I prefer to copy the payload from

102
00:10:10,310 --> 00:10:16,400
the TheFatRat terminal and paste it. Set LHOST, the IP address of Kali.

103
00:10:19,220 --> 00:10:22,190
And LPORT, remember, that was seven seven seven seven.

104
00:10:27,710 --> 00:10:36,530
I want to look at the open ports using the netstat -tnlp Linux command. Double seven, double seven

105
00:10:36,530 --> 00:10:37,830
is not in use at the moment.

106
00:10:38,300 --> 00:10:42,980
Back we go to the msfconsole terminal and type execute to start the handler.

107
00:10:44,260 --> 00:10:47,980
Go to the Windows machine and run the malware by double-clicking on it.

108
00:10:51,870 --> 00:11:00,490
Back to the Kali machine, and a new Meterpreter session is open. Now we can say victory is ours.

