Instructor: Welcome back, and in this video I want to talk about something called persistence. And what is persistence? Well, persistence is a module that allows us to stay on the target machine even after the target machine gets rebooted. So it is essentially adding our payload to the start folders where it'll automatically get started as soon as the target system gets restarted. It is a part of maintaining access. So this is one of the things that we want to do as soon as we get on the target machine. So what I did right here is I established a Meterpreter session with the target machine. I used this module to bypass UAC and get system privileges on my Windows 10 virtual machine. And the reason why I'm testing this on a virtual machine is because in this video I will have to restart this machine to see whether the persistence is working. And how did I transfer this shell.exe to the Windows 10 machine? Well, I used the cool way of transferring it using the Apache 2 web server. And to do that you can simply just type systemctl and then start and then type apache2. This will ask you for your password.
Input it right here and this will start the Apache 2 web server. Now what you can do is you can open up Internet Explorer on the target machine and type in the IP address of your Kali Linux, which will lead you to the web page of our Kali Linux machine. Now you will not see this shell.exe right there. It is there because I put the payload inside of the web server directory. And to do that, inside your Kali Linux, after you create the payload, you can navigate to the /var/www/html directory, where you should have two files called index and then dot something. You can delete those files and you can copy your payload to this html directory right here. Then if you go to your Windows 10 machine and refresh the page, you will have your shell.exe available to download on your Windows 10 machine. Just make sure that you disable the Windows Defender on your Windows 10 machine, because we are using a regular Meterpreter reverse TCP shell and it gets detected by Windows Defender. So after you do all of that and establish the connection, you can then gain system privileges, and we already know how to do that.
We simply just test a bunch of those modules that are used to bypass UAC and then we become the system level account. Once you do all of that, it is time to run the persistence module. So how can we do that? Well, first of all, I will background this session, and if we type sessions you can see I have two sessions available. One is on the regular user account and one is the one that I elevated, which is this system level account. So what I want to do to run the persistence is I can type search persistence inside of my Meterpreter framework. This will output a bunch of different modules, and the one that we are going to cover in this video is going to be this one right here: exploit/windows/local/persistence_service. If I copy the module name, go down here and type use, paste the module and press Enter, it'll set my payload to Windows Reverse TCP, and if I type show info here we can see that this module will generate and upload an executable to our remote host. Next, it'll make a persistent service. It'll create a new service which will start the payload whenever the service is running.
Admin or system privilege is required for this module to run. That is why we created a second session with the system privileges. So what we need to specify right here, if I show options, is we need to set the session, and here we are going to set the session with the system level account. In my case, I believe it is session two; that is correct. And right here we want to set our payload options. Of course, if you want to, you can set these other options as well, such as retry time, and retry time is simply just the time after which the shell will retry to connect if the connection fails; five seconds is default. Now we can set that to be, for example, 10 seconds. It doesn't have to be five. That would be too quick. And after we do all of that, we can run this module, press run, and this will open session three. If I type getuid, we will be the system level account. But what is special about this session is that it'll automatically connect back to us even after the target machine is rebooted. So the target won't need to run this shell.exe.
After the system is restarted, it'll automatically connect back to us again because we ran this persistence module. Let me show you what I mean. If in my Meterpreter session I run the reboot command and press Enter, this will start restarting the Windows 10 machine. All of the other sessions will die out because the connection has been closed. If I press Ctrl+C to exit out of this and type sessions, we will have no active sessions anymore. So what we can do right now is we can type use exploit/multi/handler, set the correct payload, and inside of the show options we want to set the correct options that we used inside of our persistence module. And that is the port 4444 and the IP address of our Kali Linux machine. So all I need to do right now is type run, and here we get the session open because this machine hasn't yet shut down. So we're just going to close this because this is not the session that we wanted, and I'm going to manually exit out of this machine and go and start it once again.
Now that the machine is getting started up, I will run our listener, and if everything worked correctly we should get a Meterpreter session opened as soon as the machine boots up, without the target having to do anything but start their machine. So let's see whether it'll work. The machine is currently starting up, and let's give it a few seconds, and here it is. Our Meterpreter session five opened on its own, and notice that it didn't even log in to the user yet. And the best part about this is that if I type getuid I will already be the system level account, so I don't have to go through the privilege escalation process again. This Meterpreter session opened without anyone clicking on anything, and that is the good part about persistence.
Now, even if the target shut down this PC once again and started it in a week or two, our persistence will still work and our payload will automatically connect back to our Kali Linux machine, if the IP address of the Kali Linux machine hasn't changed, of course. One more thing to keep in mind is that sometimes persistence can be buggy, so it is known not to work sometimes, but in most cases it should work, and if it doesn't, there are other modules for persistence as well. If I type background and search persistence, I used this module right here, but you can see there are other modules as well. You can check them out if you want to. Maybe they will work better. Maybe they will suit your needs more, but whichever one you find to work, just use it and you will maintain access on the target system. Great. Now that we covered persistence, in the next video we're going to cover the usage of post exploitation modules and a few more useful commands that we can run after exploiting the target. See you in the next video.