00:03
>> Hello. Dean Pompilio here for the Metasploit Cyber class.

In this section we're going to be looking at a way to create a reverse connection on a Windows system. We already did that on a Linux system using an infected game called X-bar. In this case, we're just going to be sending a simple executable file to the victim. Obviously, you could bundle this file, this payload with the reverse connection, to some other program like a game. You could basically create a Trojan by wrapping a trusted program around this malicious payload. But for the purposes of our demonstration, we're just going to create the payload and show that it works.
First of all, we need to be on our Kali system. What we're going to do is run some of the Metasploit tools from the command line instead of going into the console. This is a nice evolution to make for the Metasploit practitioner, because you're going to want to work more efficiently and perhaps script some of these things. You have to start thinking ahead as to how you're capturing what work you're doing for possible reuse. We're going to run the MSFvenom command to create a payload. We covered this in the Linux tutorials. Well, we're going to use it again.
Now, I've already saved my command in my command history. That way I don't have to type it all in again. But here it is: the payload, windows/meterpreter/reverse_tcp. Notice I'm not specifying the platform with the architecture. The program will figure out what you want and will make some assumptions. If you don't like the assumption, then you have to adjust it. I'm going to exclude null characters: dash b for bad bytes or bad characters. Specify local host, specify local port. Another thing to start thinking about is the encoder that you use and how many iterations you want to go through to try to evade antivirus. That's a little bit beyond the scope of what we're working at right here. Five iterations of the default encoder, which will probably be Shikata ga nai. Notice I'm specifying a file format of EXE. This is so the binary will run on a Windows 7 system; it should run on plenty of other Windows systems as well. Then I just give it the output, what I want to call the file. Maybe I shouldn't call it something so obvious. Let's call it something a little bit more appealing, secret.photos.exe. Think about social engineering ideas. I didn't specify a platform or an architecture, but it figured it out from the payload. Five iterations of Shikata ga nai, as I mentioned, and we see that our payload has been created. It's good to be organized. Keep all your files in one place if possible.
Now I've got the payload created. My next task is to create a listener. The nice thing about doing these reverse connections, either through Linux or Windows, is the fact that you should be able to evade certain firewalls. All you have to do is use a port that's allowed through the firewall, like 80 or 443. I'm just using 4444 out of force of habit, because that's a port that's not commonly used. It's frequently a default port for a lot of Metasploit payloads, or exploits, I should say. Now what I have to do is set up the handler. Again, I've already typed this in, so I'm going to bring it up from my command history. What we see is I'm putting it in quiet mode again. The dash x executes whatever I put between the double quotes as a series of commands. I tell it to use the multi-handler, which is the most versatile one for these types of connections. I get the same payload that I put into the exploit that I'm going to send to the victim. Then the usual things are here: my local host, my local port, again port 4444. Make sure this all matches the payload that you created. Otherwise, the connection won't work. Then there's a run command, which is basically the same thing as saying exploit. It's a shortcut for exploit; they do the same thing. Then exit dash y. Let's go ahead and run this to create the listener.
It takes a few moments. Okay, there we go. Let's see. I am actually running my VMs in host-only mode.

thumb drive to get the file to the victim. Let's take just a moment here. Let's see, we want to go to the directory root when river show, and there's my secret photos. I'll copy that and move it to the thumb drive. This is a convenient way to move things between VMs if you don't want to enable other security features like copy and paste. Just a little bit of extra work to do the connect and disconnect. Let's now look at our Windows system. That's strange.