00:03
>> Now we're going to use the msfvenom command.
We can see what options this command takes.
As we can see, this is our standalone payload generator.
It replaces msfpayload and msfencode.
They bundle the other functionality into this one tool.
We can specify which payload we want to use.
We can look at different output formats,
choose the architecture.
We can also eliminate characters to
avoid, which we do have to do
>> for this particular example.
>> The command is lengthy to type in.
Let me make my window a little bit bigger.
It's going to wrap around anyway,
but I'll explain the options
that we need as we go through this.
... to tell it that my architecture is x86.
The platform is Linux and I will specify my payload.
It's a Linux payload
and I've already looked up this path,
so I know this is here,
but you might have to go into
your payloads and do
some searches to find the right payload to use.
This should work on a Debian Linux system,
as long as it's x86 architecture.
If it was AMD architecture,
I'd have to specify a different architecture for -a,
as well as the payload would be different.
Now I'm going to specify my local host.
00:03
That is 192.168.26.129.
00:03
Then I'm going to specify
00:03
the local port and I'm going to use 443.
00:03
That way it doesn't look like a suspicious port when
00:03
the victim system is connected to this website.
00:03
I'm going to exclude hex 0.
00:03
This example needs this a technical discussion
00:03
to why we need to exclude that
00:03
but sometimes when you're encoding a payload,
00:03
certain characters cause problems with compatibility.
00:03
In this one I know I need to exclude this.
00:03
your own research and a little bit of trial and
00:03
error to get your encoding process to work correctly.
00:03
My output format is going to be
00:03
F. We'll look at the help for formats,
00:03
look at the list after I generate the payload,
00:03
and then my output file.
00:03
Root, backdir, workdir.
00:03
Then I want user games, xbomb_scores.
00:03
That's part of the package I'm replacing it with
00:03
my file that has this payload bundled into it.
00:03
Running the command this takes a few seconds.
00:03
It tells me that it was able to
00:03
encode with the shikata_ga_nai encoder.
00:03
Their popular encoder works quite often.
00:03
Here it tells me that it was 98 bytes and
00:03
the work or create the payload.
00:03
I'll look at the formats real quick.
00:03
There's executable formats
00:03
and then transformation formats.
00:03
Executable formats, I've got
00:03
a lot of different options here.
00:03
F just happens to be the one that
00:03
works correctly for this example.
00:03
You have to trust me on that.
00:03
Now what I need to do is start
00:03
my web server because I want to make sure that I've
00:03
got the webpage in place or
00:03
>> rather available when I want
00:03
>> to get the victim
00:03
to click a link which helps them to visit the website.
00:03
My next step is to create a handler.
00:03
The victim system is going to be,
00:03
when they install the package,
00:03
they will generate a reverse shell
00:03
back to the attack machine.
00:03
So I need to have a handler
00:03
to listen for this connection.
00:03
I can do this from another command line option using
00:03
msfconsole to help for this real quick.
00:03
We see for msfconsole,
00:03
I can specify a lots of different options
00:03
to run commands from
00:03
the command line without having to get into
00:03
the console framework itself.
00:03
We're going to tell it, for instance,
00:03
that we want it to be in
00:03
quiet mode so we don't see the star of
00:03
banner and then I'll
00:03
specify the command I want to execute.
00:03
I'll close that [inaudible] quote,
00:03
so it runs as a complete grant.
00:03
Quiet mode and I'm going to say
00:03
use exploit multi handler.
00:03
If I separate my commands with a semicolon,
00:03
I can run several commands on one line effectively.
00:03
do a lot of work with one simple command.
00:03
Of course, if you were doing this work regularly,
00:03
you would save these commands
00:03
in a file which you could say you
00:03
can just copy and paste them
00:03
or you could find them on your shell history as well.
00:03
Now I want to set the payload.
00:03
Helps if you spell right.
00:03
[LAUGHTER] Payload is going
00:03
to be Linux because we know it's a Linux machine.
00:03
The shell if you recall,
00:03
was an X86 shell, reverse TCP.
00:03
This has to match the pillow that I encoded so that
00:03
the shell will connect to
00:03
the proper handler then the connection should work.
00:03
I need to set my local host and
00:03
that's going to be 192.168.26.129.
00:03
That's the attacker system. Another semicolon.
00:03
I need to set my local port
00:03
and that's going to be 443 as we previously seen.
00:03
Then I'm going to run the exploit itself
00:03
>> I will exit with a -y so that it doesn't prompt
00:03
me for a connection.
00:03
When this finishes running,
00:03
it should tell me that it's
00:03
binding to my current address.
00:03
My local host is 129 port 443.
00:03
I see which [inaudible] I've
00:03
got my local host, my local port,
00:03
and now the handler is running on
00:03
that website because I
00:03
started up my default apache service on port 443.
00:03
Now what I need to do is go to
00:03
my victim system and startup my web browser.
00:03
I'll go ahead and launch ISE Weasel.
00:03
I can verify that the web server is there
00:03
by typing in it's address.
00:03
There's my default page that you get
00:03
when debit installs Apache.
00:03
I know the website is reachable.
00:03
As I mentioned before,
00:03
through social engineering techniques,
00:03
you would send an email to the victim say,
00:03
"Hey, try this new mind sweeper game
00:03
that I created xbomb."
00:03
As a lot of fun maybe show some screenshots,
00:03
make it look interesting.
00:03
What we're going to do is
00:03
get the file directly by using the wget command.
00:03
I'm going to specify my address.
00:03
This could be in the link, of course,
00:03
that you would send to your victim.
00:03
I have to make sure I get this exactly right.
00:03
2.2a-1_i386.deb. Double check that.
00:03
On the victim machine, they click the link.
00:03
It's not what I was expecting.