1
00:00:00,960 --> 00:00:07,140
OK, let's persist our Metasploit Framework session. In the first example we'll see how to persist

2
00:00:07,140 --> 00:00:08,280
a Meterpreter session.

3
00:00:10,600 --> 00:00:15,610
OK, I'm in Kali, so first I checked the IP address, it's two two two.

4
00:00:17,580 --> 00:00:24,830
Now, this is the first victim, a Windows XP system, so I'll check its IP address as well, it's

5
00:00:24,840 --> 00:00:25,710
two zero seven.

6
00:00:27,420 --> 00:00:34,050
So now back to Kali, let's get a Meterpreter session on the victim's system. First start the MSF

7
00:00:34,050 --> 00:00:38,520
console. Since we've already seen all this before, I'll try and keep it as fast as I can.

8
00:00:38,520 --> 00:00:42,000
But remember, the more practice you get, the more you are able to learn.

9
00:00:44,110 --> 00:00:51,010
From the previous lectures, we know that the system has the MS08-067 vulnerability, so let's search for it

10
00:00:51,010 --> 00:00:51,340
now.

11
00:00:54,460 --> 00:00:56,860
And here's the exploit, so let's use it.

12
00:00:58,440 --> 00:01:00,900
I set the reverse TCP Meterpreter payload.

13
00:01:05,760 --> 00:01:06,870
Show the options.

14
00:01:07,930 --> 00:01:10,060
Set the options: remote host,

15
00:01:11,320 --> 00:01:12,070
listen host.

16
00:01:15,690 --> 00:01:19,130
We have the ports with the default values, and run the exploit.

17
00:01:19,700 --> 00:01:22,030
OK, so now we have a Meterpreter session.

18
00:01:22,040 --> 00:01:25,490
Now sysinfo, to check the connection and the target.

19
00:01:26,590 --> 00:01:27,580
Everything seems OK.

20
00:01:28,770 --> 00:01:31,170
Meterpreter has a persistence method.

21
00:01:32,280 --> 00:01:37,680
So let's look at the help menu of the method first, using the help parameter.

22
00:01:39,000 --> 00:01:45,150
Now, at the beginning of the help page, it says the method is deprecated and it suggests that we use

23
00:01:45,150 --> 00:01:51,060
the persistence_exe post module, so we'll use that module as well.

24
00:01:51,070 --> 00:01:57,810
But first, I want to show you how to persist a Meterpreter session using the persistence Meterpreter

25
00:01:57,810 --> 00:02:06,570
method, because the persistence_exe post module requires a malicious executable, whereas the persistence

26
00:02:06,570 --> 00:02:09,160
method creates the malware itself.

27
00:02:10,020 --> 00:02:12,870
So let's create a backdoor with the persistence method.

28
00:02:14,570 --> 00:02:20,480
First, we need to have a handler to be able to reply to the connection requests that will be sent

29
00:02:20,480 --> 00:02:21,620
by the victim systems.

30
00:02:22,650 --> 00:02:28,140
Well, at this point, I guess I'd better explain what the handler is. In a backdoor, you use a payload with

31
00:02:28,290 --> 00:02:33,630
a reverse connection to let the victim connect to your system when the backdoor binary is executed.

32
00:02:34,440 --> 00:02:40,530
If you use a payload with a reverse connection, also known as a connect-back, you, the attacker,

33
00:02:40,710 --> 00:02:42,200
have to set up a handler.

34
00:02:42,810 --> 00:02:46,950
We can also use the word listener. First, it's on your box.

35
00:02:47,730 --> 00:02:52,140
The victim or target machine acts as a client connecting to that listener.

36
00:02:52,440 --> 00:02:54,480
And then finally, you receive the session.

37
00:02:55,600 --> 00:03:01,480
So in the persistence module, we can start a listener automatically using the -A parameter.

38
00:03:02,650 --> 00:03:07,990
The -L parameter is to define the location in the victim system to put the backdoor binary file.

39
00:03:08,500 --> 00:03:12,420
It's the temp folder by default, which is OK by me.

40
00:03:13,830 --> 00:03:20,400
-P sets the payload that will be used to connect to the victim; it's Meterpreter's reverse TCP by

41
00:03:20,400 --> 00:03:25,650
default, which is the same as the payload we used while creating the Meterpreter session, so we can

42
00:03:25,650 --> 00:03:29,430
leave it as is, or let's just set it in this example.

43
00:03:30,740 --> 00:03:34,160
-X is to start the agent automatically when the target system is booted.

44
00:03:35,400 --> 00:03:41,400
-i is to set the interval of the retries in seconds between the connection attempts. I don't actually

45
00:03:41,400 --> 00:03:42,200
know the default.

46
00:03:42,210 --> 00:03:44,850
So let's set it, for example, 10 seconds.

47
00:03:46,240 --> 00:03:51,700
Now, these are the most important parameters of the method. -p is to set the listen port, set it to five

48
00:03:51,700 --> 00:03:58,930
five five five, and -r is to set the listen host, which is running Metasploit and ready to

49
00:03:58,930 --> 00:04:00,850
listen for the connection requests.

50
00:04:00,850 --> 00:04:02,350
And that's my Kali, two

51
00:04:02,350 --> 00:04:02,770
two two.

52
00:04:03,880 --> 00:04:07,600
Now we are ready to run the persistence method, so hit enter.

53
00:04:13,030 --> 00:04:16,340
And that's finished, so let's look at the messages to see what happened.

54
00:04:16,900 --> 00:04:22,030
So this method looks like it put the backdoor under the Windows temp folder of the victim's system.

55
00:04:22,330 --> 00:04:28,720
And let's go to the victim's system and look at the temp folder. Open Windows Explorer and go to the

56
00:04:28,720 --> 00:04:30,430
folder Windows Temp.

57
00:04:33,490 --> 00:04:37,090
And here is the backdoor, it's a Visual Basic script file.

58
00:04:38,370 --> 00:04:42,420
Now I turn back to Kali to continue to look at the messages.

59
00:04:43,290 --> 00:04:49,230
Now, the method has started the handler, which is required to listen for the requests of the victim.

60
00:04:50,310 --> 00:04:55,830
And lastly, it's installed a key into the registry, which will be used to autorun the backdoor

61
00:04:55,980 --> 00:04:57,110
when the system boots.

62
00:04:57,960 --> 00:05:04,410
So now go into the victim's system and look at the registry to check if the autorun key is installed.

63
00:05:05,920 --> 00:05:11,110
Now, from the Start menu, click Run, type regedit and hit enter.

64
00:05:12,210 --> 00:05:16,930
So now we're in the Registry Editor. I'll follow the path written in the message.

65
00:05:17,440 --> 00:05:23,590
HKEY_LOCAL_MACHINE, Software, Microsoft, Windows, CurrentVersion,

66
00:05:25,320 --> 00:05:25,800
Run.

67
00:05:26,730 --> 00:05:32,670
And here it is, here's the installed key, and its value refers to the installed backdoor file.

68
00:05:34,720 --> 00:05:39,610
And finally, the last message says that the method has created another Meterpreter session.

69
00:05:40,680 --> 00:05:49,410
So I'll go back to the MSF console interface using the background command, list the sessions and jump

70
00:05:49,410 --> 00:05:52,470
into the session that's created by the persistence method.

71
00:05:54,840 --> 00:06:00,450
So let's just say that as the user of the victim machine, I decided to restart the computer.

72
00:06:01,400 --> 00:06:08,660
Without the persistence step, we would lose the Meterpreter session forever and we would have to exploit

73
00:06:08,660 --> 00:06:10,070
the system all over again.

74
00:06:10,980 --> 00:06:19,260
But now we have run the persistence, let's see what happens when the victim system reboots. The victim

75
00:06:19,260 --> 00:06:20,550
system is shutting down.

76
00:06:23,190 --> 00:06:29,640
Now, let's look at our Meterpreter session, a command, sysinfo, for instance, and as expected,

77
00:06:29,640 --> 00:06:30,540
it doesn't respond.

78
00:06:31,320 --> 00:06:32,510
And yeah, there it is.

79
00:06:32,520 --> 00:06:35,310
It says the session died. Control-C,

80
00:06:35,310 --> 00:06:37,950
back to the MSF console.

81
00:06:38,250 --> 00:06:42,390
Now look at the active sessions using sessions -l. Session

82
00:06:42,400 --> 00:06:45,390
one seems active, but it's not.

83
00:06:45,750 --> 00:06:52,260
So try to interact with the session using sessions -i 1 and run a command such as sysinfo.

84
00:06:53,220 --> 00:06:54,090
Now look at that.

85
00:06:54,090 --> 00:06:56,790
You see that the session is already dead.

86
00:06:57,720 --> 00:07:01,830
So use Control-C to drop back to the MSF console interface.

87
00:07:03,020 --> 00:07:04,460
So we have no session at the moment.

88
00:07:07,410 --> 00:07:09,240
So go to the victim machine and log in.

89
00:07:10,570 --> 00:07:15,400
Well, do you know how to press Control-Alt-Delete in a virtual machine?

90
00:07:16,570 --> 00:07:22,420
In most cases, one of these buttons has a special meaning in the virtual environment, so you cannot

91
00:07:22,420 --> 00:07:23,700
simply press the buttons.

92
00:07:24,040 --> 00:07:29,230
Instead, you can find a menu item to send Control-Alt-Delete to the VM.

93
00:07:30,180 --> 00:07:37,980
In VMware Fusion, in the main menu, go to Virtual Machine and select Control-Alt-Delete.

94
00:07:43,680 --> 00:07:50,040
So back to Kali, as you see, a new Meterpreter session is opened as soon as the victim is logged into

95
00:07:50,040 --> 00:07:50,500
the system.

96
00:07:51,330 --> 00:07:52,920
So now sessions -l.

97
00:07:53,160 --> 00:07:56,070
And here is the new Meterpreter session.

98
00:07:56,220 --> 00:07:58,470
Use sessions -i to interact with the session.

99
00:07:59,340 --> 00:08:01,350
Send a command to check the connection.

100
00:08:02,370 --> 00:08:06,390
And look at that, we now have a backdoor on the victim machine.

101
00:08:07,850 --> 00:08:13,760
So let's try to log off and log on again just to test the persistence, so log off the victim.

102
00:08:18,270 --> 00:08:19,920
And the Meterpreter session dies.

103
00:08:21,930 --> 00:08:22,920
Log in again.

104
00:08:29,410 --> 00:08:31,000
Yet another session has been created.

105
00:08:31,900 --> 00:08:37,700
And if the system is in use and is attached to the network, we have a Meterpreter session on it.

106
00:08:38,620 --> 00:08:43,990
So I'd like to remind you once again that persistence might be out of scope in your penetration

107
00:08:43,990 --> 00:08:51,580
test. Read the conditions of the agreement carefully and do not attempt to persist on any system unless

108
00:08:51,580 --> 00:08:52,510
you're allowed to.

109
00:08:53,750 --> 00:08:55,130
Very important to remember that.

