1
00:00:00,060 --> 00:00:00,720
Hello, everyone.

2
00:00:00,940 --> 00:00:03,420
Welcome to another video of our man-in-the-middle attacks.

3
00:00:04,590 --> 00:00:07,110
Today, we're going to use a tool called Show Cloke.

4
00:00:07,740 --> 00:00:09,180
I wrote this myself.

5
00:00:09,180 --> 00:00:11,250
You can download it from my GitHub channel.

6
00:00:14,190 --> 00:00:15,150
I just copied it.

7
00:00:18,710 --> 00:00:19,420
And download.

8
00:00:33,370 --> 00:00:39,210
Show Cloke is a new technique to beat antivirus by making the browser download our

9
00:00:39,210 --> 00:00:41,520
shellcode to its history database.

10
00:00:42,270 --> 00:00:50,190
When we put our base64 shellcode in our HTML file and split it in three parts, then we use a series

11
00:00:50,640 --> 00:00:53,890
of redirections using JavaScript between each one of them.

12
00:00:54,810 --> 00:01:01,310
The browser will store each part as a visited URL in its history SQLite database.

13
00:01:02,370 --> 00:01:07,440
Then, when the target downloads the payload or the file and opens it, it will combine the three parts

14
00:01:07,440 --> 00:01:12,480
of the shellcode from the browser history and execute it using PowerShell.

15
00:01:13,530 --> 00:01:16,520
The first thing we need to do is to install

16
00:01:17,060 --> 00:01:17,750
MinGW.

17
00:01:23,910 --> 00:01:32,340
It's already installed. The second thing to do is to copy the base64 Ruby file to /usr/share/metasploit-framework/

18
00:01:32,340 --> 00:01:35,600
modules/encoders/base64.

19
00:01:35,610 --> 00:01:42,570
If you don't have the base64 directory, just create it and copy this file to it, OK?

20
00:01:44,560 --> 00:02:00,520
Once you're done, go to Show Cloke and then make sure it has executable permission and execute it. Before

21
00:02:00,520 --> 00:02:08,860
we do anything, let's go here and open msfconsole with our IP address, port 4444.
22
00:02:09,340 --> 00:02:13,150
And listen, using the payload windows/meterpreter/reverse_tcp,

23
00:02:13,810 --> 00:02:17,530
because this is the one we are going to use in our Show Cloke.

24
00:02:33,520 --> 00:02:36,190
Once it's done, it will ask you to enter the first pattern.

25
00:02:36,250 --> 00:02:45,700
You can just enter anything, like "p0ugh", anything; enter the second one, the third.

26
00:02:48,330 --> 00:02:49,140
Continue.

27
00:02:53,880 --> 00:02:54,230
Good.

28
00:02:55,110 --> 00:03:08,940
Now, if you go to /var/www/, um, [inaudible], let's open the first HTML file.

29
00:03:10,530 --> 00:03:14,640
This will load the second address; open the second HTML.

30
00:03:16,140 --> 00:03:21,180
You will find the first part of our base64 shellcode and,

31
00:03:22,720 --> 00:03:24,340
if you go to the very end of it,

32
00:03:28,240 --> 00:03:36,640
you should see the first pattern that we entered: u, I, uh, u,

33
00:03:37,570 --> 00:03:38,420
h, g.

34
00:03:40,690 --> 00:03:48,340
Now let's go here on our Windows box and try to browse the IP address of this box, which has the

35
00:03:48,340 --> 00:03:48,940
web server.

36
00:03:54,750 --> 00:04:00,690
If you didn't notice, a series of redirections happened, but it was very fast; eventually it gave you

37
00:04:00,690 --> 00:04:03,750
this page, so it will detect the browser.

38
00:04:03,750 --> 00:04:09,810
Also, this download is for Chrome and this download is for Firefox.

39
00:04:10,440 --> 00:04:11,700
Now let's download this one.

40
00:04:13,840 --> 00:04:24,580
Good, if we go to [inaudible], NoDistribute, we can also try and scan it.

41
00:04:37,960 --> 00:04:45,120
As you can see, only one out of twenty-six detected; everything else is clean.

42
00:04:47,330 --> 00:04:58,010
If we go to our Default, the user's AppData\Local\Google\Chrome\User Data\Default, and then open the History

43
00:04:58,340 --> 00:04:58,850
file.
44
00:05:01,810 --> 00:05:02,930
In Notepad or something.

45
00:05:04,690 --> 00:05:06,300
Let's look for the first pattern.

46
00:05:11,330 --> 00:05:16,610
It's there, our shellcode is inside the history database; read it.

47
00:05:17,160 --> 00:05:20,720
You will also find the other two parts of the shellcode.

48
00:05:21,020 --> 00:05:22,190
This is just the first part.

49
00:05:23,090 --> 00:05:24,400
Each one has a pattern.

50
00:05:28,640 --> 00:05:29,540
Let's open the file.

51
00:05:38,680 --> 00:05:40,270
Very good, that's our meterpreter.

52
00:05:43,190 --> 00:05:49,190
Once we are done with this and the history database is infected with our Show Cloke, we can still combine

53
00:05:49,190 --> 00:05:54,950
this tool with BeEF-XSS, if we go back to our server here

54
00:05:57,860 --> 00:05:58,880
and edit the main

55
00:06:08,840 --> 00:06:10,820
file, the main file for Chrome, which is

56
00:06:12,770 --> 00:06:19,160
download.html. We can inject the JavaScript here, since this is the last page the user will

57
00:06:19,160 --> 00:06:19,550
visit.

58
00:06:20,450 --> 00:06:21,140
Let's do it.

59
00:06:22,940 --> 00:06:27,200
Let's go here and put our JavaScript.

60
00:06:33,650 --> 00:06:34,720
It looks good.

61
00:06:38,060 --> 00:06:38,540
Now.

62
00:06:40,280 --> 00:06:41,360
[inaudible]

63
00:06:55,920 --> 00:07:03,590
It should be under the control panel when this [inaudible] from now.

64
00:07:04,400 --> 00:07:07,720
OK, so let's visit the same page again.

65
00:07:10,990 --> 00:07:15,220
Assuming this is the first time the user is visiting our website.

66
00:07:19,040 --> 00:07:20,060
The same thing happened.

67
00:07:23,190 --> 00:07:23,890
It's not hooked.

68
00:07:24,100 --> 00:07:30,000
I just don't see that HTML, because I missed double quotes there with [inaudible].

69
00:07:34,230 --> 00:07:35,250
We got our hook.
70
00:07:38,680 --> 00:07:46,300
So this time, we're using social engineering, and we go to something like Fake Notification Bar (Chrome),

71
00:07:47,020 --> 00:07:51,220
and this time we want to give it the URL of our web server.

72
00:08:04,440 --> 00:08:06,060
Now, if he executes this.

73
00:08:08,940 --> 00:08:17,540
First, let's make sure the name is typed correctly, revshell, or it will not be executed.

74
00:08:19,750 --> 00:08:25,210
Now, here, the user can see this notification: missing plugins.

75
00:08:31,130 --> 00:08:36,500
And he will download the reverse shell, which of course will be downloaded. Before this, this is the second time using

76
00:08:36,500 --> 00:08:43,730
BeEF-XSS, and since his [inaudible] will be undetected and we already infected the database, the history

77
00:08:43,730 --> 00:08:46,050
database, with our base64 shellcode,

78
00:08:46,910 --> 00:08:47,990
this should work.

79
00:08:48,230 --> 00:08:49,130
We try again.

80
00:08:53,760 --> 00:08:56,700
Here, execute it again.

81
00:09:03,150 --> 00:09:07,580
Just start [inaudible] and they're running again.

82
00:09:09,190 --> 00:09:17,330
We got our meterpreter session, so this was a quick demo on how to use Show Cloke and how to combine

83
00:09:17,330 --> 00:09:18,850
it with BeEF-XSS.

84
00:09:20,270 --> 00:09:22,690
Thank you for watching and see you in our next video.