1
00:00:00,880 --> 00:00:09,490
Let's see how we can create a basic malicious Windows executable using the msfvenom tool. 64-bit Windows

2
00:00:09,490 --> 00:00:11,100
8 is the victim's system.

3
00:00:11,920 --> 00:00:14,890
Choose an executable to use as a template.

4
00:00:15,430 --> 00:00:19,070
The output malware will be the same size as this template file.

5
00:00:19,630 --> 00:00:22,990
I'm going to use the putty.exe file as the template.

6
00:00:23,620 --> 00:00:26,410
Let's copy putty.exe to Kali to work on it.

7
00:00:26,980 --> 00:00:31,810
First, look at the IP address of the target machine, here Kali.

8
00:00:33,410 --> 00:00:41,480
You can use the WinSCP tool to transfer a file from a Windows system to a Linux system. SCP, secure

9
00:00:41,480 --> 00:00:48,110
copy, is a means of securely transferring computer files between a local host and a remote host or between

10
00:00:48,110 --> 00:00:49,250
two remote hosts.

11
00:00:49,430 --> 00:00:53,370
It's based on the SSH, Secure Shell, protocol.

12
00:00:54,020 --> 00:01:00,950
Now, since WinSCP uses the SSH protocol, you should be sure the SSH service is running on Kali.

13
00:01:01,640 --> 00:01:06,740
Check the status of the SSH service using the service ssh status command.

14
00:01:08,810 --> 00:01:10,850
It's already active on my Kali.

15
00:01:11,780 --> 00:01:18,560
If it's not running, use service ssh start to start the SSH service in your Kali machine.

16
00:01:27,450 --> 00:01:34,470
If you try to log in with WinSCP using the root user, you may see the access denied message. That means

17
00:01:34,470 --> 00:01:39,000
using the SSH service with the root user is denied in your Kali machine's

18
00:01:39,000 --> 00:01:47,130
SSH service configuration. Either change the SSH service config to be able to connect with the root user

19
00:01:47,340 --> 00:01:50,910
or create a new user to use for SSH connections.
20
00:01:52,060 --> 00:02:00,280
I choose to create a new user. You can use the adduser or useradd commands on the terminal screen or

21
00:02:00,370 --> 00:02:02,890
the Users interface to add a new user.

22
00:02:03,460 --> 00:02:06,820
I've already added a user before, sshuser,

23
00:02:06,820 --> 00:02:10,630
for this purpose. You can add a similar user to your system.

24
00:02:17,340 --> 00:02:21,060
Connect with WinSCP using the sshuser credentials.

25
00:02:40,760 --> 00:02:48,380
Find the exe file on the Windows side. In this example, it's on the desktop of the current user. Copy

26
00:02:48,380 --> 00:02:57,620
it to the Kali machine, in here to the home folder of sshuser in Kali. Use the ls command in the terminal

27
00:02:57,620 --> 00:03:00,350
screen to see if the file is transferred successfully.

28
00:03:09,660 --> 00:03:14,970
Now we're ready to create a malicious executable using the .exe file as a template.

29
00:03:18,630 --> 00:03:26,700
Prepare the appropriate msfvenom command. The first parameter is -p, which specifies the payload

30
00:03:26,700 --> 00:03:31,010
used. You have to find the correct payload according to your target.

31
00:03:31,620 --> 00:03:38,130
Don't forget to choose a payload with the correct platform, correct architecture, correct connection

32
00:03:38,130 --> 00:03:39,600
method, etc.

33
00:03:40,850 --> 00:03:45,920
You can see the available payloads using the msfvenom -l payloads command.

34
00:03:49,430 --> 00:03:56,120
There are a lot of payloads available, and since the target machine is 64-bit, we can filter the results

35
00:03:56,120 --> 00:03:58,040
using the grep command with a pipe.

36
00:04:09,290 --> 00:04:17,810
We use the windows/x64/meterpreter/reverse_tcp payload for this example.

37
00:04:20,990 --> 00:04:25,430
Let's have a pause here and have a small introduction to the world of Metasploit.

38
00:04:26,400 --> 00:04:31,080
The Metasploit project is the most used penetration testing framework in the world.
39
00:04:31,530 --> 00:04:37,200
It can be used to test the vulnerability of computer systems or to break into remote systems.

40
00:04:38,460 --> 00:04:42,720
It was created by HD Moore in 2003 using Perl.

41
00:04:43,290 --> 00:04:44,640
By 2007,

42
00:04:44,790 --> 00:04:50,860
the Metasploit Framework had been completely rewritten in Ruby. In 2009,

43
00:04:51,030 --> 00:04:53,660
the project was acquired by Rapid7.

44
00:04:54,270 --> 00:05:00,540
Now they have a free and open source version, Metasploit Framework, and a commercial version,

45
00:05:00,840 --> 00:05:02,340
Metasploit Pro.

46
00:05:03,310 --> 00:05:11,080
Its best-known sub-project is the open source Metasploit Framework, a tool for developing and executing

47
00:05:11,080 --> 00:05:14,710
exploit code against a remote target machine.

48
00:05:15,780 --> 00:05:24,390
The msfconsole is probably the most popular interface to the Metasploit Framework (MSF). It provides

49
00:05:24,390 --> 00:05:31,740
an all-in-one centralized console and allows you efficient access to virtually all of the options available

50
00:05:31,740 --> 00:05:32,760
in the MSF.

51
00:05:33,570 --> 00:05:40,530
msfconsole may seem intimidating at first, but once you learn the syntax of the commands, you will

52
00:05:40,530 --> 00:05:44,100
learn to appreciate the power of utilizing this interface.

53
00:05:45,930 --> 00:05:51,880
Meterpreter, short for the Meta-Interpreter, is an advanced payload that is included in the Metasploit

54
00:05:51,880 --> 00:05:52,650
Framework.

55
00:05:53,520 --> 00:05:59,790
Its purpose is to provide complex and advanced features that would otherwise be tedious to implement

56
00:05:59,940 --> 00:06:01,110
purely in assembly.
57
00:06:01,980 --> 00:06:07,350
The way that it accomplishes this is by allowing developers to write their own extensions in the form

58
00:06:07,350 --> 00:06:15,480
of shared object (DLL) files that can be uploaded and injected into a running process on a target computer

59
00:06:15,780 --> 00:06:24,360
after exploitation has occurred. Meterpreter and all of the extensions that it loads are executed entirely

60
00:06:24,360 --> 00:06:27,150
from memory and never touch the disk.

61
00:06:29,090 --> 00:06:33,990
Let's continue to create a malicious executable using the msfvenom tool.

62
00:06:34,670 --> 00:06:36,680
Now, the first parameter was the payload.

63
00:06:37,130 --> 00:06:44,120
We can choose the platform here, Windows, but since we chose a Windows payload, the tool will already

64
00:06:44,120 --> 00:06:47,390
understand the platform. Same as the platform,

65
00:06:47,390 --> 00:06:56,710
we can set the architecture, x64, using the --arch parameter, but because we use a payload for the x64 architecture,

66
00:06:57,050 --> 00:07:03,470
the tool already understands the architecture, so we don't need to use the arch and platform parameters in

67
00:07:03,470 --> 00:07:04,240
this example.

68
00:07:05,310 --> 00:07:10,490
The next parameter is -f, to determine the format of the output file.

69
00:07:11,100 --> 00:07:16,410
You can use msfvenom --help-formats to see the available formats.

70
00:07:24,970 --> 00:07:27,880
We only use exe in this example.

71
00:07:34,260 --> 00:07:39,030
Then specify the template file using the -x parameter with the template file.

72
00:07:46,330 --> 00:07:49,750
Name the output file with the -o parameter.

73
00:08:00,450 --> 00:08:07,110
Now is the time to define the options of the payload. To see the options of the payload, you can use

74
00:08:07,110 --> 00:08:10,140
the --payload-options parameter with the payload.
75
00:08:16,200 --> 00:08:21,060
We have to assign the LHOST and the LPORT options of the payload here.

76
00:08:26,080 --> 00:08:29,650
Complete the command again: output file format

77
00:08:40,980 --> 00:08:42,630
and output file name.

78
00:08:58,270 --> 00:09:05,500
Now, assign the LHOST and LPORT options of the payload. LHOST is the IP address of the listener machine,

79
00:09:05,800 --> 00:09:12,190
in this example our Kali machine. LPORT is the port which will be open to listen for the sessions.

80
00:09:16,330 --> 00:09:18,220
Hit enter to create the malware.

81
00:09:27,310 --> 00:09:35,800
As you see, no arch was selected, so the tool selected x64 from the payload, and no platform was selected, so

82
00:09:36,070 --> 00:09:39,370
the tool automatically selected Windows from the payload.

83
00:09:39,370 --> 00:09:44,680
Again, to be sure, go to the folder and see the created malware.

84
00:09:46,700 --> 00:09:52,340
The attacker should find a way to make the victim accept and run the malware. Let's just copy the

85
00:09:52,340 --> 00:09:58,190
malware to the victim's machine at the moment and suppose that we sent it as an attachment to a phishing

86
00:09:58,190 --> 00:09:58,660
email.

87
00:09:59,760 --> 00:10:04,350
First, let's try to copy the file to the Windows machine while Windows Defender is running.

88
00:10:16,130 --> 00:10:19,970
As you can see, Windows Defender recognized the malware

89
00:10:38,380 --> 00:10:40,150
and deleted it in seconds.

90
00:10:41,310 --> 00:10:42,400
Can you guess why?

91
00:10:43,140 --> 00:10:49,560
Because we used the standard Meterpreter payload, which is very well known, and Windows Defender recognized

92
00:10:49,560 --> 00:10:50,280
it easily.

93
00:10:51,520 --> 00:10:58,470
To see the payload in action, let's turn Windows Defender off and send the malware again.

94
00:11:14,640 --> 00:11:20,670
As an attacker, we need to listen to capture the sessions of the victims who run the malware.
95
00:11:22,120 --> 00:11:23,980
Start msfconsole.

96
00:11:28,000 --> 00:11:29,950
You'll have a Metasploit Framework shell.

97
00:11:31,520 --> 00:11:32,960
Search for the handlers.

98
00:11:38,990 --> 00:11:43,190
Use exploit/multi/handler for this example.

99
00:11:50,870 --> 00:11:55,130
In the handler, we have to use the same payload that we used in the malware.

100
00:12:06,300 --> 00:12:09,270
List the options with the show options command.

101
00:12:10,540 --> 00:12:12,490
Set the listener address and port.

102
00:12:17,290 --> 00:12:24,130
Since the default port is the same as the port we assigned in the malware, we can leave it as is.

103
00:12:25,070 --> 00:12:29,090
And run the handler. It starts to listen at that moment.

104
00:12:30,270 --> 00:12:33,630
Now go back to the victim machine and run the malware.

105
00:12:38,580 --> 00:12:46,500
Voilà, we got the session from the victim machine. Look at the system info using the sysinfo Meterpreter

106
00:12:46,500 --> 00:12:46,940
command.

107
00:12:47,640 --> 00:12:50,000
It's a 64-bit Windows machine.

108
00:12:50,670 --> 00:12:57,380
Look at the user ID. Meterpreter has a lot of excellent commands to compromise the victim's machine;

109
00:12:58,170 --> 00:13:00,600
use the help command to see some of them.

110
00:13:10,810 --> 00:13:13,770
Let's take a screenshot of the victim machine.

111
00:13:32,390 --> 00:13:38,600
When we list the currently running processes using the tasklist command on the victim machine, we see

112
00:13:38,600 --> 00:13:39,770
the malware running.

113
00:13:40,490 --> 00:13:46,520
You can kill it using the taskkill command with the /PID parameter.

114
00:13:52,870 --> 00:13:56,290
Use the /F parameter to force it to be killed.

115
00:14:01,370 --> 00:14:07,120
As soon as the malware process is killed, the Meterpreter session dies as well.