Time
5 hours 38 minutes
Difficulty
Intermediate
CEU/CPE
6

Video Transcription

00:04
Okay, so now we've installed a persistent backdoor on our victim's system, and I showed you how to connect to it using Netcat. Another option that you can use is to just simply telnet
00:15
to that victim's system on the specified port.
00:21
It's for 45. And so there we go again. I am
00:27
connected as an administrator on this system.
00:31
Telnet is a little bit easier to use than Netcat. Perhaps we may be more familiar with it, but you have two options.
00:37
You could do Netcat dash v or simply just do telnet.
00:42
Okay, uh, what I'm gonna do now is just a review of
00:47
getting to the system level account
00:49
because we've done a bunch of modules since that happened. And you may have
00:53
been disconnected, or you had to stop your work and reboot the system, and so on. So I'll just go through this process again so that you can
01:03
see one more time how that was done.
01:06
All right,
01:07
go back into your Metasploit console.
01:15
First thing we need to do is
01:19
start up our handler, so we'll do a use multi.
01:23
Sorry, I'm remembering myself. Use multi
01:30
handler.
01:33
My options should still be in here from last time,
01:36
and so my local host is 129, on port 4444.
01:41
So I can just run exploit,
01:45
then on the victim's system.
01:48
They have to run the secret photos binary, which we moved to their system. As I mentioned before, you probably would want to put this into a startup folder or some other location, maybe in a registry key, like we did with the Netcat listener,
02:02
so that it'll always be running
02:05
and just waiting for a connection. It's better to have the listener running first before starting the program. It seems to be more reliable that way. It probably will still connect, but it's not as predictable.
02:16
So go ahead and start that,
02:20
switch back to Kali, and we see that I've got my Meterpreter shell.
02:23
And as you'd expect, I am administrator. But I'm not a system
02:29
level account, so
02:30
I need to put this process into the background
02:37
and I'll do a search for bypass UAC.
02:42
That's the one we want,
02:52
and my options are set as before.
02:55
Let's make sure my session number is still set. Session number one. You have to make sure of that, because you do have to bind this to the correct session. If you've got multiple sessions open,
03:05
you need to double check
03:07
your setting so that you
03:10
connect
03:13
this exploit to the session that you want.
03:15
All right, so, otherwise, make sure you specify your local host. Make sure you pick a different port
03:22
just to keep the sessions separate. A different port's better.
03:25
Uh, I've picked 5555, but choose whatever you like.
03:30
And now I can run exploit,
03:36
and the bypass user account control is running. I get a second
03:39
Meterpreter shell,
03:42
so it's open as session number two.
03:45
I'm still
03:46
an administrator,
03:49
but now I can run getsystem.
03:53
And once that happens, now I am the system level account. OK, so that's our starting point for the last several modules, and just a refresher to make sure we're all on the same page here.
04:05
All right, so for our next task, since we know we've got the
04:09
Netcat backdoor, why not try to get remote desktop
04:13
running? Wouldn't that be something nice?
04:15
Hopefully
04:17
there is a command called getgui, which is part of the Meterpreter shell,
04:26
and we can specify username and password
04:30
or just turn that remote desktop on
04:33
and forward the connection.
04:35
But the beautiful thing is that I can literally create a username and password to log into the system with, which is pretty powerful stuff, if you think about it.
04:44
So I'm gonna go ahead and
04:46
use run getgui.
04:48
For the username, I'll call this one victim2, password password2.
04:59
And we can see that it added a user with this password,
05:03
hidden from the Windows login screen. It added me to the group Remote Desktop Users.
05:09
And victim2 was also a part of the Administrators group,
05:13
because I'm a system level,
05:15
uh, shell access right now, I'm allowed to make those changes to the victim's system.
05:20
Also, it specifies a cleanup script.
05:24
This cleanup script, at least the last portion here, will get generated
05:29
each time you run getgui, so make sure you copy and paste this exact
05:34
text when you want to do your cleanup.
05:39
All right, so in the meantime,
05:42
what I want to do is,
05:43
uh, open
05:46
a new command shell:
05:47
Shift Control T.
05:49
And from here, I can run rdesktop, which is the built-in Kali Linux tool for
05:57
remote desktop connections.
05:59
Username is victim2.
06:00
Password is password2.
06:03
And then I specify the IP address.
06:13
So one thing to be aware of: this is a Windows 7 client. So that means that I can only connect a single user to the console at one time. If I was running a server OS, like Server 2008 or 2012 perhaps,
06:28
then I would be able to get multiple connections. So it's gonna give me a message saying, if I continue, I will disconnect that user
06:38
from the system.
06:39
So let's go ahead and do that
06:49
now, on the victim's system,
06:51
this is kind of tricky, right? Are you going to allow someone to connect to your machine with an unexpected
07:00
session? Maybe, maybe not. Maybe someone's just
07:03
just sees something pop up and just clicks OK absent-mindedly. So this part of it could be a little bit tricky. You probably would have to combine this with some social engineering
07:13
to convince the, uh
07:15
the person that you're trying to connect to, rather, to convince the victim that the person who's trying to connect is
07:23
help desk or tech support.
07:26
And there we go. There is my
07:29
remote desktop on the victim's system.
07:33
It's giving me a message about Sysinternals,
07:38
but this is the same system I was just launched into.
07:44
Pretty cool.
07:46
And as we can see, if I run,
07:49
a command shell,
07:53
I am indeed, uh,
07:56
victim2,
07:57
and as we saw before, that victim2 identity, or that login, is part of the Administrators group.
08:05
All right, I'm gonna go ahead and log off.
08:13
Now, back on my
08:16
Meterpreter shell, you notice I'm still connected. Everything's fine. Nothing's changed there,
08:20
because this is using a different port, not using the same port that remote desktop would use. So it's completely separate.
08:26
But if you want to be careful about covering your tracks, as I've mentioned several times before, we really should run
08:33
the cleanup script.
08:37
You may get an error message when you run this,
08:39
uh, cannot find the file specified. I think it's, uh, probably a problem with this registry key, the way it's detailed in the script,
08:50
but I'm pretty sure it's still helping to clean up some tracks.
08:54
In fact, what we could do
08:58
is log in and just do a search for victim2,
09:01
and see if it's, ah,
09:05
if it's in the registry still.
09:07
that would be a good
09:09
test.
09:13
So run, run regedit,
09:16
Registry Editor,
09:18
and I can just do a Control F.
09:20
Here's the registry key that we put in for the Netcat listener;
09:26
that was doing a search for Netcat to make sure that worked.
09:30
And I will do a search for victim2.
09:35
Okay, looks like it did not do the cleanup properly. So that cleanup script may have a bug in it,
09:39
or it's possible that it's got some compatibility issues with Windows 7 32-bit.
09:46
Either way,
09:48
that is there. That doesn't leave behind a little bit of evidence, if you were trying to cover your tracks,
09:54
but still a pretty powerful technique, regardless, because having a remote desktop allows you to interact completely with that victim system as if you were sitting right in front of it.
10:05
All right, that's it for this section. We'll see you in the next one. Thank you.

Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor