(Instructor) So, in this lab we're going to go into a couple of techniques to cover your tracks and also to set up callbacks for those backdoors. So, again, the first thing we're going to need to do is exploit the Windows machine to get back on the box.

Now that I'm there, again I'm going to check my SID. I am sitting there as a system level user. Again, I want to switch over to a normal admin user. In our case, we're going to go ahead and switch back into John Sim at this point because we don't have a remote desktop connection to allow us to use that new support account that we've created. So, what we're gonna do is we're just gonna go ahead and migrate into Process 480, which is the explorer, and that will give us rights as if we are John Sim. And we'll do the get SID again and verify that we are John Sim. Now, again, everything I'm gonna do here is gonna be from the Windows prompt. So, we are going to go ahead and type in shell, and now we are back on that box as if we are John Sim.

Now, the first thing I want to show you is how to set up a callback. So, in the last lesson we showed how to open up a port on the firewall.
But, how do we get the machine to always start up that Netcat listener for us so that it can call back to us whenever we want? Or so that we can call back to it whenever we want. Well, the way you do that is by using the AT command. And AT is just an automatic time scheduler. So, the way AT works is we can set up any program to run whenever we want. And, we can do that based on every day, every week, every month or a specific day of the week at a certain time.

So, what I'm gonna do is, I'm gonna set up an AT command, and first I'm gonna check the time of the local system, because if I don't understand the time, everything is gonna be messed up, because I bet you the Windows machine is not showing 9:51 like my Kali machine is. So, let's type in time and you'll see that for them, it is four o'clock in the afternoon, 16:53. So, what I'm gonna do is, we're gonna set up a time to do something and the time we're gonna do it is gonna be four o'clock and 57 minutes. That will give us a couple of minutes to be ready and be there. So, what we're gonna do is type in AT and the time we want it to happen.
So, in our case it will be 16:57, and we're gonna tell it to do it every Sunday. And, then we're gonna give it the command we want. Now, what I'm gonna do, because I haven't set up a listener yet, is I'm just gonna use something simple. I'm gonna have it bring up a command prompt, and in the command prompt I'm gonna have it run a systeminfo command and pipe that to a file called info.txt in the "C" drive. That will work just fine for us. We can type and enter and there's now a new job. To show the job, we can just type in AT and you'll see that each Sunday at 4:57, that is what's gonna happen.

Now, what will we see on the victim machine? Well, we're gonna go over to that box and we're gonna see what the victim's gonna see at 4:57. So, I'm gonna show you what we're gonna see. Right now there's nothing in the "C" drive as far as a file, and it is 4:56. Now, at 4:57, it's gonna run the command and basically just do a systeminfo, which is a very quick command, and dump all that information to a text file. And, we should see a text file be created on our "C" drive.
Now, that particular command takes a little bit to run, so while it runs, it takes a minute or two. You can see now that we finished and we have the info file and it has some data in it. So, if we open it up, you can see all the information that you would get from a systeminfo command. Now, that's not necessarily very useful to us, but it does give us something and it shows the capability of being able to run any program we want, and again, if you open that firewall, it can be doing things like pinging back to you and telling you "hey, I'm still awake and I'm under your control," or it can call you back so that every Thursday at 3am there's that callback to you and your machine can answer it, and then you can exploit that machine. So, maybe you've set up password sniffers, maybe you've set up network sniffers, maybe you've set up key loggers, and every weekend you go back and get those files. It can set up that connection and send those back to you. It all depends on what you want to do and what program you want it to run.
And, that's just a little bit of how you can use AT as a way to create that backdoor and help set up ways to send things back to you as you need.

Now, let's talk about how we're gonna hide some information. Well, we have this info file, so we'll use that as our information file, and you have this hacked file. Now, I'm gonna do this on John Sim's machine. You can do this from the command prompt on the Meterpreter box as well, but we're gonna use it over here so you can see what the effect is of us doing this. So, first I'm gonna open up a command prompt, and what we're gonna do is we're gonna use what's called an alternate data stream, an ADS. And, we've talked about this in the lecture, but now we're gonna use it in practice. So, let's say I wanted to hide this info file inside this hacked file on the desktop. Now, instead of this being the hacked file, maybe this is the person's Word document, or something like that. Alternate data streams work with any type of file you want, executable or not. So, what we're gonna do here is we're gonna get to the root directory first.
So, we're gonna go to the "C" drive, and from the "C" drive we can see that info file. Now, on the desktop we have the hacked file. So, what we're gonna do is we're gonna go ahead and move into the John Sim desktop, and from the desktop you can see he has one file called hacked and it is 37 bytes, a very small file. So, what am I gonna do? Well, what I'm gonna do is I'm gonna type the c:/info.txt, which is my info file, and that's the one I want to hide. So, in my case it could be malware or anything else. In our case, we're just gonna hide text inside other text. And, we're gonna hide that inside the file that we have here on the desktop, which is the hacked file. And, the way we do that is type hacked.txt: and then the name of the file, in our case info. And, it's done. So, let's see how large that file is. It's still 37 bytes, and can I still open the hacked file? Yes, it still looks the same. How do I get that info file out? Well, the way we're gonna do that, we're gonna read it. You delete that, so I'll show you that it's no longer there.
Well, if I just typed to the screen hacked.txt, you'll see that's all I have is that one line. Now, how do I, if I open it using notepad, well, if I open it I can do notepad hacked.txt, it opens up and I get the hacked file. Now, if instead I want the info file, I have to do start and then do notepad, then do hacked.txt:info.txt and hit enter. And, what do you see? The information that we hid. Now, is that information still in the original file? No, because we deleted it, right? And, you can see here that file doesn't exist. So, there's really no hint that I've hidden a file inside this hacked file. If I open it, as the user, I just see the normal file. I don't see the hidden information. That's what an alternate data stream allows you to do. It just hides it, and even from the operating system, again, you see that that file size has not changed. It's still 37 bytes. Now, in reality, it's larger. But, that data is hidden inside this alternate data stream. And, this is a function of the way NTFS file systems work. Now, why is this useful to us? Well, instead of hiding text, I could be hiding malware.
And, then I can call that malware using the AT program. So, I can actually hide things very cleverly inside the file system. No one's gonna ever see 'em because they are in that alternate data stream, but then I can actually start them using the AT command every night at midnight or every night at 3am. And, that malware will make that callback to me. This is how attackers maintain their access. They dig in, they hide and they cover their tracks. And, that's what we're doing with the AT command and the alternate data streams.