Time
14 hours 43 minutes
Difficulty
Advanced
CEU/CPE
15

Video Transcription

00:00
Hello, everybody, and welcome to episode number nine: Bind and Reverse Shells.
00:07
My name is Alejandro Guinea, and I'll be your instructor for today's session.
00:11
The learning objectives are to understand what bind and reverse shells are, understand how to apply bind and reverse shells in the penetration testing process, and use different programming languages to create bind and reverse shells.
00:25
Let's get started.
00:29
Okay, so first, we can try to show you our Netcat connections.
00:36
Even though Netcat is such a great tool, there's a really important feature missing from Netcat. As I told you in the previous video, Netcat is known as the Swiss Army knife of the TCP protocol, as it can execute and create several things. You can
00:55
perform several tasks
00:57
using only Netcat. But before I tell you what the missing feature is, let me give you an example first. Let's start by
01:08
implementing a chat, as we saw in the previous video. We can simply put a couple of commands in the Windows machine and the Linux machine, and we can type whatever we want. So
01:27
let me just
01:32
I will start the listener. There, I've got a listener here.
01:36
As you can see, this setup is different because I already installed Ncat, which I'll explain later in the video. But if you go back to the previous video, where we actually implemented the chat between two machines,
01:55
we were using Netcat.
01:57
This time I'm using the same alias, nc, but it is calling Ncat instead of Netcat.
02:05
So it's just
02:08
going to connect to my Kali machine from a Windows machine.
02:14
I'm not showing you the Windows machine because we already, you know, did this in the previous video. If you have any questions, you can go back to that video.
02:23
So yeah, we have the connection here. Let me just type in my Windows machine: Hello, Kali.
02:29
And there we have our chat going on. So after this I will open a new
02:38
tab, and I will start a tcpdump command. This will be really simple; it is just an example for this video.
02:49
You can also use Wireshark, which has a nicer interface. I know that, but as you go further in your penetration testing career, you will see that most of the time you end up using the terminal for all the tasks. So maybe getting used to
03:07
a graphical user interface is not the best idea
03:12
for penetration testers. I'm not saying there's something wrong with Wireshark. As a matter of fact, we'll see a really cool application that comes with Wireshark that you can use from the terminal as well. But for now, let me just capture traffic with tcpdump:
03:30
tcp
03:32
dump
03:34
and -X
03:37
-XX. This is just to show the packet payloads,
03:44
with the interface eth0, and just say port
03:50
4444, which is the port that we're using. And there you go. So let me just send
03:58
Hello, Windows.
04:02
And Windows gives... I don't really see it here.
04:06
Hi again.
04:10
And if we go here, you can see the
04:14
text. I can see it right here.
04:16
There's no encryption: "Hi again", "Hello, Windows".
04:20
There's no encryption at all in this connection. And that's the main feature missing from Netcat: Netcat doesn't have encryption. So if you're trying to be stealthier,
04:35
whether the connection is coming back or going forward, I mean, if you're throwing a reverse shell back to your machine or you're actually trying to open a bind shell, but you don't want the IPS or the firewall to actually see what the payload contains,
04:51
maybe using Netcat will not be a great idea, because it is missing the encryption part. Don't get me wrong, I love Netcat, but just this tiny thing, well, maybe not that tiny, but it's missing
05:08
encryption. So this is where Ncat comes into place. I'll just kill the connection. Ncat is more,
05:18
I wouldn't say advanced, but it has a lot of features that Netcat is missing, and one of them is encryption. So let's use Netcat, I'm sorry, Ncat, to see what's the real difference.
05:35
Ncat has several additional features, not just encryption, but for this video we'll see this capability. First, let me just start my
05:47
Ncat, not Netcat but Ncat, listener: ncat
05:55
-lvp, port 4444. This will actually start again
06:04
with zero encryption. So basically you just have the same capabilities as Netcat. Just to show you real quick here: connection, Hello.
06:15
And I see it here. And if I go back here,
06:20
I should see the hello message. There you go, here. So it's the exact same thing as Netcat.
06:28
You see here?
06:30
But
06:31
if you're actually going to need encryption, you can just go and add --ssl. Dash s s, I'm sorry,
06:41
just --ssl.
06:43
So your connection would be encrypted.
06:46
What happens if I try to connect using Netcat from my Windows shell?
06:55
It just stops here.
06:57
And if I type something, Hello,
07:00
it will, of course, fail, because you're not using encryption. It's like trying to connect over HTTP to an HTTPS server. It doesn't have encryption, so I have to transfer
07:15
Ncat to my Windows machine. I can just use the scp command again, which is, again, transferring data through the SSH protocol. I already have the Ncat zip file here. I downloaded it from this page;
07:34
Ncat is provided
07:35
by the same guys who created Nmap. So you can download it from the page and send it over to Windows, or you can just download it directly to your machine. That's okay.
07:46
So I will just copy-paste the command here,
07:55
and basically just send this file to the Windows server. I want it to go to the desktop,
08:07
and it's okay, I have it here.
08:11
and let me just
08:16
okay,
08:28
okay. So I just wanted to show you that.
08:35
Thank you.
08:37
We're here
08:39
and here so you can see
08:43
both at the same time. So,
08:46
as you can see, I downloaded ncat here,
08:48
the zip,
08:50
and I already extracted it: ncat.exe, I'm sorry, the .exe file, so you can run encrypted connections. So
09:03
Oh,
09:03
sorry about that.
09:11
I go to this other tab
09:13
and I'll start again:
09:16
this,
09:18
start the listener, and again the tcpdump, and start the ncat command again.
09:33
And now I just type on this side, we're in the Windows machine, I just type,
09:41
I want to connect to that machine:
09:43
ncat.exe
09:54
and the connection failed. It says unsupported protocol. That's probably because the Ncat version for Kali is way more up to date than the Ncat version for Windows. There are missing things,
10:09
or maybe it's just a version thing. But it can be
10:13
fixed really easily. First, I will see what protocol is being supported by the OpenSSL configuration file.
10:24
Just type this here.
10:26
And that's the problem. The minimum protocol to use is TLS version 1.2, which is the latest one. 1.3 is in the making, but that's the latest for now.
10:37
So I'll have to change that. So
10:43
go to our
10:46
favorite text editor, go to the very end
10:50
of the page, and I change that to TLS version 1,
10:54
and I save it. And
10:58
I restart the connection right here, just to see clear data,
11:09
and
11:09
start the listener, execute the same command in Windows,
11:15
and there you go, the handshake worked. And now I have an encrypted connection. Hello.
11:22
And the chat.
11:22
Hi.
11:24
Hi again.
11:26
If I go here, let me just make it
11:28
a little bit bigger.
11:31
If I go here, I can see a lot of information, but
11:35
none of it is in clear text. I don't see the hello message.
11:39
I don't see anything; you will just see a handshake, a TLS version 1 handshake.
11:48
So this is a really cool feature that was introduced by Ncat, and I highly recommend it. The important thing here is that you can actually throw your reverse shell
12:03
using Ncat as well, and as you can imagine, we'll just set that up here.
12:09
As you can imagine, it will encrypt any command, any payload you want to upload. Remember that we said we can actually upload files with Netcat? Well, you can do the same with Ncat, but this time you can encrypt the connection, so the firewall or the IDS will not notice
12:26
what you're actually sending over, whether it is a message or an executable file, or, I'm sorry,
12:33
a payload or whatever you're trying to transfer. It will be encrypted. So that's a cool feature. So right now,
12:41
let me just send a shell back to the Windows machine, so the Windows machine can take control over the Kali machine. So
12:52
at this point, I just add
12:54
-e to execute, the same thing as in Netcat.
12:58
And I say, okay, I want to execute /bin/
13:03
bash
13:03
with -e.
13:07
And if I connect here from the Windows machine, it's the exact same command as before.
13:15
Oh.
13:18
There you go. whoami.
13:22
You can see the connection is being encrypted here.
13:26
ifconfig.
13:28
I have it here.
13:31
So this is, again, a really cool feature of Netcat, I'm sorry, Ncat, because
13:37
you're getting a reverse shell, but encrypted. But Ncat and Netcat are not the only things you can use to send back reverse shells. You can do that by using programming languages like PHP, Perl and Python, for example. Let's start by checking PHP. By default,
13:56
Kali has these so-called web shells
13:58
in the following directory. I'll just
14:03
grab it here and put it here.
14:07
This directory,
14:13
as you can see, contains ASPX for Windows, JSP, Perl, PHP. Let's start with PHP.
14:22
We have several backdoors here. PHP is a language that is actually executed on the server side. We will use that for the example.
14:33
So let's copy the php-reverse-shell to the Apache web root.
14:39
So I just
14:41
copy it here.
14:43
Sorry,
14:46
okay,
14:46
the command is just a simple copy command. I will copy from this location to this location,
14:54
and now modify it with the text editor, so I can actually put the IP and the port that will be listening.
15:05
I'm sorry,
15:11
and I just change the IP.
15:15
As you can imagine, let me just use Windows for this example, so we can spice things up a little bit. So that's
15:24
the IP of the Windows machine, and it will be listening on port 1224. That's okay.
15:30
So
15:31
So
15:33
I copy that to our web root.
15:35
Actually, however, this will throw a reverse shell. We have to put an IP and a port, as I did, and listen; once the victim hits the web page, we can say that link in this case,
15:48
this link, I'm sorry, is for another exercise. You can say you send this link
15:54
to...
15:58
but let's put the link.
16:02
You can send this link to your victim through a phishing email or whatever. We now hit that URL, and as you can see, it gives a fatal error, failed to connect. That is because I don't have any actual listener on the Windows side. So let me just start
16:22
the listener here,
16:23
on my Windows machine,
16:26
without encryption, of course.
16:30
Oh,
16:33
sorry about that.
16:33
Let's just use Netcat.
16:45
And there you have it, a reverse shell
16:48
with... not root, I'm sorry, since we're accessing through Apache, it is www-data. Then we will have to escalate privileges to get root. But at this point we really have remote control on our Windows machine from our Kali machine. So that's really cool,
17:07
and that's how you get a PHP reverse shell.
17:10
That's PHP, but you can also use
17:17
others. Web shells are really quite simple to implement, but how about other programming languages? As I told you, you can actually use other programming languages to throw reverse shells back to you. For example, we can even use bash commands. I'll just
17:36
start the listener here again, and you can just type
17:38
this simple yet effective command
17:42
right
17:44
here.
17:45
So I will just throw a reverse shell, and look:
17:49
whoami,
17:52
root, ifconfig. Remember, this is a Windows machine, so I'm throwing this reverse shell back to the Windows machine. So a simple bash command can actually throw your shell as well.
18:04
And what about Perl? Perl has a little bit more complicated command,
18:10
but
18:11
all of them I just copy-pasted from a really cool reference I will give you at the end of this video.
18:18
So again, just the IP and port, which is basically what I changed in this command,
18:25
and
18:26
just hit enter.
18:27
Enter. Oh,
18:30
it seems that I have an exception here.
18:34
Sorry about that, I copy-pasted the wrong command.
18:41
Let me just
18:45
and there you have it.
18:47
ifconfig again, whoami, and again a reverse shell, as simple as that.
18:52
I'm just killing the command here,
18:56
and Python. You can do the exact same thing with Python.
19:02
I can just copy-paste the command from the really cool reference I will give you,
19:07
and
19:08
execute the listener,
19:11
execute the command. And again,
19:15
yes,
19:25
I can see and can do a lot of things from the Windows side, since I have a reverse shell.
19:34
Well, what is the difference between reverse and bind shells? Basically, it's just how they are executed. A reverse shell is when you're waiting for the connection, and a bind shell is when you connect to the server, or to the victim in this case. In this video, we saw reverse shells because those are
19:55
what we use most of the time. But there are occasions when the traffic is blocked in one direction, so you can just use bind shells. So these bind shells will open a port on the victim's machine, so that you can actually connect to that port.
20:14
Can you actually use PHP to take remote control of the machine? Well, we saw that, and yes, you can.
20:18
What is the difference between Ncat and Netcat? Well, Ncat has more features than Netcat. One of them is encryption.
20:29
We saw several techniques to execute reverse and bind shells. We executed commands in different programming languages to send back a reverse shell. We saw one of the main differences between Netcat and Ncat,
20:42
and supplementary materials: the PentestMonkey reverse shell cheat sheet. There's no other way to go here. This page is really cool; it contains all the commands that I showed you and way more commands than that. So I highly recommend you go to that webpage.
20:59
And looking forward: in the next video, we'll cover some basic knowledge of tcpdump, Wireshark and Tshark.
21:04
Well, that's it for today, folks. I hope you enjoyed the video, and talk to you soon.


Instructed By

Alejandro Guinea
CERT Regional Director
Instructor