1 00:00:00,600 --> 00:00:03,210 Welcome back to Basic Exploit Development.
2 00:00:03,210 --> 00:00:09,030 And in this module, we're going to show you how to offensively pass the reverse shell between a cloud
3 00:00:09,030 --> 00:00:12,420 services listener to local Metasploit listeners.
4 00:00:13,170 --> 00:00:19,080 So shell passing can be a useful technique to relieve strain on underpowered virtual private servers
5 00:00:19,320 --> 00:00:26,250 with low memory or ineffective CPUs, like the one I'm using in this example, which is going to only have
6 00:00:27,030 --> 00:00:28,230 one gigabyte of RAM.
7 00:00:28,860 --> 00:00:32,790 It also helps in mitigating the cost of getting a more expensive server.
8 00:00:33,150 --> 00:00:38,280 It is an extremely lightweight method to allow your Metasploit or netcat listeners to run at full
9 00:00:38,280 --> 00:00:45,330 capacity on your local attacker machine by having the session travel through a TCP reverse tunnel
10 00:00:45,600 --> 00:00:48,570 that points right back to your payload listener on your home machine.
11 00:00:48,960 --> 00:00:54,360 This technique is VPN compatible, so if the target was behind some kind of VPN, you will simply get a
12 00:00:54,360 --> 00:00:56,790 connect-back through that VPN's IP address.
13 00:00:59,080 --> 00:01:00,130 So how does this work?
14 00:01:00,520 --> 00:01:07,720 The victim executes a payload that connects to our $5 a month Vultr.com jump server listening on
15 00:01:07,720 --> 00:01:08,950 port 443.
16 00:01:09,340 --> 00:01:14,830 The jump server is constructed to forward connections from port 443 to localhost port 4444,
17 00:01:14,830 --> 00:01:18,400 which is the entry point of our reverse SSH tunnel.
18 00:01:18,730 --> 00:01:21,040 When the jump server redirects 443 traffic
19 00:01:21,040 --> 00:01:24,160 to 4444, it reaches our listener at home.
20 00:01:24,460 --> 00:01:30,490 This saves a significant cost by not having to run a particularly powerful server for, like, oh, say $3
21 00:01:30,490 --> 00:01:31,540 an hour or something.
22 00:01:32,080 --> 00:01:33,190 Let's look at a diagram.
23 00:01:35,400 --> 00:01:43,140 So our victim machine has this IP address and it executes a payload that connects back to our attacking
24 00:01:43,410 --> 00:01:44,190 jump server,
25 00:01:44,400 --> 00:01:48,330 6640 296, two, three, eight, and 4443.
26 00:01:48,810 --> 00:01:51,300 We then have a so-called reverse TCP tunnel.
27 00:01:51,630 --> 00:01:58,140 Redirect that to localhost 4444, which then forwards that using this command
28 00:01:58,830 --> 00:02:03,930 back to our attacking listening port, port 4444, on our local laptop.
29 00:02:04,530 --> 00:02:06,240 Let's try to put this in action.
30 00:02:09,919 --> 00:02:17,960 So first of all, we need to build the reverse TCP tunnel using SSH as root at the Vultr jump
31 00:02:17,960 --> 00:02:18,510 server.
32 00:02:18,860 --> 00:02:27,950 Although your IP address will be different than mine: dash capital R 4444 localhost 4
33 00:02:27,960 --> 00:02:28,230 4
34 00:02:28,230 --> 00:02:28,910 4 4.
35 00:02:36,250 --> 00:02:39,280 Now we need to create our reverse TCP tunnel.
36 00:02:39,670 --> 00:02:42,250 First, log on to the jump server.
37 00:02:43,870 --> 00:02:46,600 Remember when I wrote ssh root at vulturejumpserver?
38 00:02:46,870 --> 00:02:50,050 That's just the IP address that's located in my hosts file.
39 00:02:52,430 --> 00:03:02,390 So we're going to use socat, dash v for verbose, TCP4 dash LISTEN colon
40 00:03:02,390 --> 00:03:09,860 443, reuseaddr, fork, TCP4 colon localhost
41 00:03:12,080 --> 00:03:13,580 colon 4444.
42 00:03:16,650 --> 00:03:17,250 Oh, sorry.
43 00:03:17,270 --> 00:03:19,200 I already used this in the previous sample.
44 00:03:25,910 --> 00:03:26,480 All right.
45 00:03:26,900 --> 00:03:31,200 Now let's go back and prepare our reverse shell: search type payloads.
46 00:03:32,000 --> 00:03:32,480 Bash.
47 00:03:35,040 --> 00:03:35,430 Hello.
48 00:03:38,950 --> 00:03:41,110 We're going to use this one.
49 00:03:43,960 --> 00:03:51,970 Set LHOST to 0.0.0.0, to_handler, and then we have to create our payload.
50 00:03:52,540 --> 00:03:57,100 Remember to set LHOST to your attacking VPS's IP address.
51 00:03:59,250 --> 00:03:59,700 Set
52 00:04:00,000 --> 00:04:03,660 4443, generate, talk afro.
53 00:04:05,160 --> 00:04:05,640 All right.
54 00:04:05,640 --> 00:04:08,220 And now we output the file to root,
55 00:04:09,730 --> 00:04:11,680 test.sh.
56 00:04:14,390 --> 00:04:17,660 Now let's deliver this to our victim machine.
57 00:04:18,230 --> 00:04:20,839 There's our test.sh.
58 00:04:22,120 --> 00:04:23,450 C.J. Lister at.
59 00:04:34,170 --> 00:04:35,490 And now, as the victim,
60 00:04:40,660 --> 00:04:44,110 we're going to do a ./test.sh.
61 00:04:47,860 --> 00:04:49,450 Go back to our Metasploit listener.
62 00:04:51,640 --> 00:04:54,100 And we open a command shell on our victim.
63 00:04:54,550 --> 00:05:01,060 Now, here is where shell passing is going to have a flaw, because it's going to show you localhost
64 00:05:01,060 --> 00:05:04,570 to localhost because of the TCP reverse tunnel.
65 00:05:05,230 --> 00:05:09,580 But you can validate that you actually hacked the host.
66 00:05:13,280 --> 00:05:13,790 uname?
67 00:05:18,110 --> 00:05:18,860 whoami?
68 00:05:21,400 --> 00:05:21,700 id.
69 00:05:25,630 --> 00:05:32,050 So the only quirk that we have is that, because of how Metasploit works, it always assumes that it's getting
70 00:05:32,050 --> 00:05:34,150 a connection from localhost.
71 00:05:34,450 --> 00:05:37,600 But as you can see, Perl can have IP token.
72 00:05:41,990 --> 00:05:47,180 We successfully attacked the target through my second VPN, which is a bar guard.
73 00:05:48,470 --> 00:05:55,520 So this shows you a lot about how to pass offensive shells and how to cut costs on your penetration
74 00:05:55,520 --> 00:05:57,800 test by using a public IP address to
75 00:05:57,830 --> 00:06:00,170 forward the shell back to your home
76 00:06:00,530 --> 00:06:01,430 Metasploit listener.
77 00:06:01,790 --> 00:06:04,670 Remember, these VPSes that you run for $5 a month,
78 00:06:05,030 --> 00:06:12,320 they're probably only going to have one single-core CPU, and they're really, really slow, and they don't
79 00:06:12,320 --> 00:06:13,640 have much RAM to work with.
80 00:06:13,940 --> 00:06:17,680 So you can't just run Metasploit reliably on those remote PCs.
81 00:06:17,990 --> 00:06:23,660 You can just use this technique to pass it to a more capable machine, which is this kind of Linux VM
82 00:06:23,660 --> 00:06:24,140 at home.
83 00:06:24,710 --> 00:06:25,070 Thank you.