Part 6 - Establishing the Win Shell

Time: 5 hours 38 minutes
Difficulty: Intermediate
CEU/CPE: 6
Video Description

The final step in the Win7 reverse shell exploit is to get the file onto the victim's system. In this example, the attack vector is a USB thumb drive. Once the victim has been enticed to run the executable on the target, the handler running on the client detects the connection requests and establishes a connection with the target. From there, we have full shell access and can perform a host of potentially malicious actions: examine the process list, run the sysinfo command, migrate the connection to another process in order to keep it running, as well as escalate privileges on the target.
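The chain the description lays out (an executable dropped from a thumb drive, an outbound connection caught by the handler, then migration into a freshly spawned notepad.exe so the session survives if the original program exits) is exactly the sequence an endpoint analyst wants to correlate. The following detection check is an added example and is not code from the course or the video; the event format, field names, removable-drive-letter list and sample telemetry (including the listener address) are constructed assumptions, with PIDs 992 and 1388 taken from the video.

```python
"""Defender-side correlation for the staged reverse-shell chain described above.

Sequence looked for in endpoint telemetry:
  1. a process is started from an image on removable media,
  2. that process opens an outbound network connection (the reverse shell),
  3. it creates a remote thread in a child it spawned itself (the migration
     step, e.g. into a freshly started notepad.exe), so the session survives
     if the original program exits.

All event records and field names below are CONSTRUCTED for this example; they
are not a real EDR or Sysmon schema.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed assumption: drive letters this environment treats as removable.
REMOVABLE_PREFIXES = ("D:\\", "E:\\", "F:\\")


@dataclass
class Event:
    ts: int                 # seconds into the capture (constructed)
    kind: str               # "proc_start" | "net_connect" | "remote_thread"
    pid: int                # acting process
    image: str = ""         # proc_start: image file name
    path: str = ""          # proc_start: full image path
    parent_pid: int = 0     # proc_start: creating process
    remote: str = ""        # net_connect: "ip:port"
    target_pid: int = 0     # remote_thread: process injected into


def from_removable_media(path: str) -> bool:
    """True when the image path sits under one of the removable drive letters."""
    return path.upper().startswith(tuple(p.upper() for p in REMOVABLE_PREFIXES))


def find_migration_chains(events: List[Event]) -> List[Dict[str, object]]:
    """Return one alert per remote-thread event that completes the chain:
    source started from removable media, source already had an outbound
    connection, and the target process is a child the source spawned."""
    procs: Dict[int, Event] = {e.pid: e for e in events if e.kind == "proc_start"}
    connects: Dict[int, List[Event]] = {}
    for e in events:
        if e.kind == "net_connect":
            connects.setdefault(e.pid, []).append(e)

    alerts: List[Dict[str, object]] = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind != "remote_thread":
            continue
        src, dst = procs.get(e.pid), procs.get(e.target_pid)
        if src is None or dst is None:
            continue  # incomplete telemetry; nothing to correlate
        # Only connections made before the injection count as the reverse shell.
        earlier = [c for c in connects.get(e.pid, []) if c.ts <= e.ts]
        if from_removable_media(src.path) and earlier and dst.parent_pid == e.pid:
            alerts.append({
                "ts": e.ts,
                "source_pid": src.pid,
                "source_image": src.image,
                "source_path": src.path,
                "target_pid": dst.pid,
                "target_image": dst.image,
                "remote": earlier[0].remote,
            })
    return alerts


# Constructed sample telemetry: PIDs 992 and 1388 mirror the video's migration.
SAMPLE_EVENTS = [
    Event(0, "proc_start", 1200, image="explorer.exe", path=r"C:\Windows\explorer.exe", parent_pid=4),
    Event(5, "proc_start", 992, image="slideshow.exe", path=r"E:\slideshow.exe", parent_pid=1200),
    Event(6, "net_connect", 992, remote="198.51.100.7:4444"),  # constructed listener address
    Event(9, "proc_start", 1388, image="notepad.exe", path=r"C:\Windows\System32\notepad.exe", parent_pid=992),
    Event(10, "remote_thread", 992, target_pid=1388),  # the migration step
    # Benign noise: a local program spawns a helper and injects, with no network activity.
    Event(12, "proc_start", 2000, image="ide.exe", path=r"C:\Program Files\IDE\ide.exe", parent_pid=1200),
    Event(13, "proc_start", 2001, image="helper.exe", path=r"C:\Program Files\IDE\helper.exe", parent_pid=2000),
    Event(14, "remote_thread", 2000, target_pid=2001),
]


if __name__ == "__main__":
    for a in find_migration_chains(SAMPLE_EVENTS):
        print(f"[{a['ts']}s] {a['source_image']} (pid {a['source_pid']}, {a['source_path']}) "
              f"connected to {a['remote']} then migrated into {a['target_image']} (pid {a['target_pid']})")
```

The ordering check matters: a remote thread created before any outbound connection is a different pattern (local injection by a legitimate tool, for example) and is deliberately not flagged, which keeps the benign IDE-and-helper records in the sample quiet while the removable-media chain still produces one alert.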

Video Transcription

00:02
>> Now on our Windows machine, we will catch that thumb drive [NOISE]. I don't know why it's saying that. Now I can drag this to the desktop. As I said before, the trick is to get this file to the victim. I'm just demonstrating the concept of getting connected. The victim thinks they're going to look at a slide show; they go ahead and run the program.

If we go back to Kali, we see that we have a connection. The handler was listening for this connection. It sent the stage over to the remote host, and it got connected on the port that I expected to. Once I'm connected, there are a lot of things I can do. For instance, I can look at a process list. I could run the sysinfo command; it shows me a lot of information about my remote system, pretty handy.

Then once you're connected, of course you can do other things too, like migrate your process somewhere else. Let's say the program, the payload that we just generated, was part of an application; you bundled it in. If the person quits the application, then the connection may die. What we can do is migrate the connection to another process. It looks like it's spawned a notepad.exe process, and now it's moved to process ID 1388 when it was previously 992. It's pretty obvious what we just did there.

We can also try to escalate our privileges. I'll try to load it. There are other things we can get into, but the concept here is to see how the connection worked. The trick is to get the infected file to the pen testing victim. That's all for this section. See you in the next one. Thank you.