1
00:00:00,420 --> 00:00:03,660
Now let's see the framework in action.

2
00:00:05,520 --> 00:00:09,450
Go to the Veil folder and run the Veil.py script.

3
00:00:15,640 --> 00:00:18,670
Use the list command to list the available tools.

4
00:00:19,590 --> 00:00:24,690
We would like to use the Evasion tool, so print use 1 and hit enter.

5
00:00:25,880 --> 00:00:31,700
The Veil Evasion menu is opened; use the list command to see all available payloads.

6
00:00:32,270 --> 00:00:34,340
There are more than 40 different payloads.

7
00:00:34,470 --> 00:00:39,760
Let's use a Meterpreter payload which is using a reverse HTTPS connection.

8
00:00:40,520 --> 00:00:42,790
Copy the file name or the full path.

9
00:00:42,800 --> 00:00:44,290
We'll use it in the next step.

10
00:00:45,300 --> 00:00:50,160
Print use 27 to use the payload we selected and hit enter.

11
00:00:51,620 --> 00:00:58,790
The options of the payload are listed. Change as many options as possible to make the payload more customized.

12
00:00:59,710 --> 00:01:07,330
The most important options here are the address and port number of the listener machine: the LHOST and LPORT options.

13
00:01:07,330 --> 00:01:12,010
Again, the listener will be our Kali machine.

14
00:01:12,220 --> 00:01:15,700
So assign the IP address of Kali as LHOST.

15
00:01:16,540 --> 00:01:19,960
Let the port remain as 4444.

16
00:01:21,410 --> 00:01:26,640
To keep the example simple, I'm not going to change any other option at this point.

17
00:01:27,410 --> 00:01:29,270
Now we're ready to generate the payload.

18
00:01:30,640 --> 00:01:33,280
Use the generate command for this purpose.

19
00:01:35,000 --> 00:01:38,810
Give the base name for the output files to be more meaningful.

20
00:01:39,170 --> 00:01:48,560
I'd like to use the connection type reverse, the protocol HTTPS and the port number that it uses, 4444, in the file

21
00:01:48,560 --> 00:01:48,920
name.
22
00:01:50,460 --> 00:01:57,630
And last, it's asking the method to create the executable file from the script code; choose the first

23
00:01:57,630 --> 00:01:57,930
one.

24
00:02:10,770 --> 00:02:19,050
The malware is ready as code and as an executable file, plus an RC file, which is used to start an appropriate

25
00:02:19,050 --> 00:02:23,400
handler that uses the same options the malware is prepared with.

26
00:02:25,260 --> 00:02:30,160
Let's transfer the malware to our victim machine using the WinSCP tool.

27
00:02:30,730 --> 00:02:34,830
First, I copy the malware to the home folder of the SSH user.

28
00:02:48,280 --> 00:02:52,300
You can examine the generated file using the Linux file command.

29
00:02:57,990 --> 00:02:59,790
Yes, it's a Windows executable.

30
00:03:01,610 --> 00:03:09,920
Now go to the victim machine, run WinSCP and connect to the Kali machine with the SSH user.

31
00:03:23,100 --> 00:03:29,460
Before copying the malware generated by Veil, let's turn on Windows Defender.

32
00:03:38,430 --> 00:03:46,440
Now, while Windows Defender is running, copy the malware to the victim machine. Note, Windows Defender

33
00:03:46,440 --> 00:03:48,510
cannot recognize the malware.

34
00:03:49,200 --> 00:03:53,770
We successfully copied the malware into the Windows 8 system.

35
00:03:54,840 --> 00:04:01,590
Now, at this point, as the attacker, we need to have a listener because the payload of the malware

36
00:04:01,590 --> 00:04:03,500
uses a reverse connection.

37
00:04:04,140 --> 00:04:13,110
So go to Kali and use the Metasploit RC file, which is generated by Veil, to create a listener. Print msfconsole

38
00:04:13,110 --> 00:04:19,860
-r and add the RC file name with its full path, then hit enter.

39
00:04:33,270 --> 00:04:43,410
An HTTPS reverse handler starts on our machine's port 4444 as a background job. Now go to the Windows machine

40
00:04:43,410 --> 00:04:44,610
and run the malware.

41
00:04:46,590 --> 00:04:47,940
A session is opened.
42
00:04:50,640 --> 00:04:58,680
Use the sessions -l command to see the open sessions and sessions -i 1 to enter the open

43
00:04:58,680 --> 00:04:59,220
session.

44
00:05:00,250 --> 00:05:07,630
Now we have a Meterpreter session on the victim machine, even though the victim machine has a security

45
00:05:07,630 --> 00:05:11,770
solution, Windows Defender. Enjoy.