1
00:00:01,020  -->  00:00:03,440
<v Lecturer>Okay, now that we have Veil loaded,</v>

2
00:00:03,440  -->  00:00:06,170
you can see it shows us the main commands

3
00:00:06,170  -->  00:00:07,623
that you can use with Veil.

4
00:00:08,570  -->  00:00:12,120
So, the first command is, you can do exit to exit,

5
00:00:12,120  -->  00:00:16,080
you can do info to get information about a specific tool,

6
00:00:16,080  -->  00:00:19,170
you can do list, to list the available tools.

7
00:00:19,170  -->  00:00:21,210
You can do update, to update Veil,

8
00:00:21,210  -->  00:00:23,360
and this is very, very important

9
00:00:23,360  -->  00:00:25,860
because you always wanna be up to date

10
00:00:25,860  -->  00:00:29,440
when it comes to bypassing anti-virus programs,

11
00:00:29,440  -->  00:00:32,663
and then you can do use to use a tool.

12
00:00:33,830  -->  00:00:36,250
Now, let's start using Veil Evasion,

13
00:00:36,250  -->  00:00:39,320
and as we do it, it's gonna become so easy

14
00:00:39,320  -->  00:00:41,883
and you'll be able to understand it more.

15
00:00:42,890  -->  00:00:47,020
Now, Veil has two main tools and if we do list,

16
00:00:47,020  -->  00:00:48,370
you'll be able to see them.

17
00:00:49,210  -->  00:00:51,470
So, we have the first one which is

18
00:00:51,470  -->  00:00:54,540
the one that we're interested in, which is called evasion.

19
00:00:54,540  -->  00:00:57,150
And that's the one that generates

20
00:00:57,150  -->  00:00:59,530
undetectable backdoors for us.

21
00:00:59,530  -->  00:01:03,020
And then there's the second one, which is called ordnance,

22
00:01:03,020  -->  00:01:07,580
and this tool generates the payloads that are used by evasion,

23
00:01:07,580  -->  00:01:11,610
so you can look at this as a helper or a secondary tool.

24
00:01:11,610  -->  00:01:14,273
Now, what I mean by a payload is,

25
00:01:14,273  -->  00:01:17,870
a payload is the part of the code of the backdoor,

26
00:01:17,870  -->  00:01:19,500
that does the stuff that we want,

27
00:01:19,500  -->  00:01:22,350
that does the evil stuff if you wanna say.

28
00:01:22,350  -->  00:01:23,500
So, it's the part of the code

29
00:01:23,500  -->  00:01:25,163
that gives us a reverse connection,

30
00:01:25,163  -->  00:01:26,530
it's the part of the code

31
00:01:26,530  -->  00:01:29,840
that downloads and executes something on the target computer,

32
00:01:29,840  -->  00:01:33,040
it's the part of the code that allows us

33
00:01:33,040  -->  00:01:37,323
to achieve what we want by executing that file.

34
00:01:38,280  -->  00:01:41,780
And this is gonna become more clear as we start using Veil.

35
00:01:41,780  -->  00:01:45,390
Now, for now we're interested in using evasion,

36
00:01:45,390  -->  00:01:50,390
so we're gonna do use 1, because that's the first tool,

37
00:01:50,690  -->  00:01:51,603
that's number one.

38
00:01:52,700  -->  00:01:56,430
And as you can see we have Veil Evasion loaded now,

39
00:01:56,430  -->  00:01:59,890
and as I said before, this used to be a standalone tool

40
00:01:59,890  -->  00:02:01,910
that you just downloaded on its own.

41
00:02:01,910  -->  00:02:04,860
But now they have it all combined together.

42
00:02:04,860  -->  00:02:07,190
Now, as you can see, the first thing that we get

43
00:02:07,190  -->  00:02:09,540
when we load Veil Evasion is the commands

44
00:02:09,540  -->  00:02:12,280
that you can run on this tool.

45
00:02:12,280  -->  00:02:14,340
So, the first thing that we wanna do is

46
00:02:14,340  -->  00:02:17,283
we want to list to see all the available payloads.

47
00:02:18,570  -->  00:02:21,374
And as you can see, we have 41 different payloads

48
00:02:21,374  -->  00:02:26,090
and all of these payloads follow a certain naming pattern.

49
00:02:26,090  -->  00:02:27,880
And you can see for example,

50
00:02:27,880  -->  00:02:29,860
let's take this example right here

51
00:02:29,860  -->  00:02:32,290
because that's the payload that I'm gonna be using.

52
00:02:32,290  -->  00:02:35,623
You can see the payload is divided into three parts.

53
00:02:36,950  -->  00:02:40,700
The first part right here refers to the programming language

54
00:02:40,700  -->  00:02:43,730
that the payload is gonna be wrapped in.

55
00:02:43,730  -->  00:02:46,670
So, we have the evil code, and then the evil code

56
00:02:46,670  -->  00:02:49,560
is gonna be wrapped into a certain programming language

57
00:02:49,560  -->  00:02:52,070
that the target computer understands.

58
00:02:52,070  -->  00:02:55,100
And right here you can see that this payload uses

59
00:02:55,100  -->  00:02:58,440
the Go programming language, we can see this one uses C,

60
00:02:58,440  -->  00:03:00,510
we can see these ones use cs,

61
00:03:00,510  -->  00:03:02,450
we have Python, we have PowerShell,

62
00:03:02,450  -->  00:03:04,343
and we have Ruby if we scroll down.

63
00:03:06,470  -->  00:03:09,503
The second part of the payload is really important.

64
00:03:10,500  -->  00:03:14,360
This is the type of the payload, the type of the code

65
00:03:14,360  -->  00:03:17,563
that's going to be executed on the target computer.

66
00:03:19,340  -->  00:03:21,930
In this example, we're using Meterpreter

67
00:03:21,930  -->  00:03:25,160
which is a payload designed by Metasploit.

68
00:03:25,160  -->  00:03:27,710
Metasploit is a huge framework for hacking

69
00:03:27,710  -->  00:03:29,830
and it allows you to do a lot of things.

70
00:03:29,830  -->  00:03:31,730
But in this lecture we're focusing

71
00:03:31,730  -->  00:03:34,570
on creating a payload called Meterpreter,

72
00:03:34,570  -->  00:03:37,560
and what's really cool about Meterpreter is

73
00:03:37,560  -->  00:03:39,450
it runs in memory and it allows us

74
00:03:39,450  -->  00:03:41,990
to migrate between system processes,

75
00:03:41,990  -->  00:03:45,110
so we can have the payload or the backdoor

76
00:03:45,110  -->  00:03:49,310
running from a normal process like Explorer for example,

77
00:03:49,310  -->  00:03:52,360
and this payload will allow us to gain full control

78
00:03:52,360  -->  00:03:53,770
over the target computer,

79
00:03:53,770  -->  00:03:56,170
so we'll be able to navigate through the file system,

80
00:03:56,170  -->  00:03:58,780
download, upload files, turn on the mic,

81
00:03:58,780  -->  00:04:01,410
turn on the webcam, even use that computer

82
00:04:01,410  -->  00:04:04,370
to hack other computers, install a keylogger,

83
00:04:04,370  -->  00:04:06,900
you can literally do anything you can think of.

84
00:04:06,900  -->  00:04:09,080
And all of this will be running from memory

85
00:04:09,080  -->  00:04:11,430
from a normal process on the system.

86
00:04:11,430  -->  00:04:13,030
So, it's very hard to detect

87
00:04:13,030  -->  00:04:15,710
and it doesn't leave a lot of footprints.

88
00:04:15,710  -->  00:04:17,800
That's why it's a really, really cool payload

89
00:04:17,800  -->  00:04:19,203
and we'll be using it a lot.

90
00:04:21,130  -->  00:04:23,430
The third part of the name is the method

91
00:04:23,430  -->  00:04:26,500
that's gonna be used to establish the connection.

92
00:04:26,500  -->  00:04:31,000
So, here we can see that this is called rev https.

93
00:04:31,000  -->  00:04:36,000
So, rev stands for reverse, and https is the protocol

94
00:04:36,510  -->  00:04:38,900
that's gonna be used to establish the connection.

95
00:04:38,900  -->  00:04:41,500
So we can see that this payload will create

96
00:04:41,500  -->  00:04:44,233
a reverse https connection.

97
00:04:45,470  -->  00:04:47,530
You can see this one right here for example,

98
00:04:47,530  -->  00:04:50,093
it creates a reverse http connection.

99
00:04:50,970  -->  00:04:52,860
And we have this one in here

100
00:04:52,860  -->  00:04:55,363
that creates a reverse tcp connection.

101
00:04:56,580  -->  00:05:00,810
Now, what I mean by reverse is the connection is gonna come

102
00:05:00,810  -->  00:05:04,330
from the target computer to my own computer.

103
00:05:04,330  -->  00:05:06,423
So, I won't be connecting to the computer

104
00:05:06,423  -->  00:05:09,330
that I want to hack, what's gonna happen is

105
00:05:09,330  -->  00:05:11,890
once the person double-clicks the backdoor,

106
00:05:11,890  -->  00:05:13,940
the backdoor will connect back to me

107
00:05:13,940  -->  00:05:15,533
from the target computer.

108
00:05:17,200  -->  00:05:18,940
What's cool about this is,

109
00:05:18,940  -->  00:05:21,340
I'll be able to bypass anti-virus programs

110
00:05:21,340  -->  00:05:24,593
because the connection is not going to the target computer,

111
00:05:24,593  -->  00:05:26,650
it's coming back to my computer,

112
00:05:26,650  -->  00:05:28,650
so it's literally as if the target person

113
00:05:28,650  -->  00:05:30,920
is just connecting to a normal website.

114
00:05:30,920  -->  00:05:34,820
I'm gonna use a port that websites use which is 80 or 8080,

115
00:05:34,820  -->  00:05:37,510
so again, if the person analyzes the connection,

116
00:05:37,510  -->  00:05:39,410
it will look as if they're literally

117
00:05:39,410  -->  00:05:41,890
just connecting to a normal website.

118
00:05:41,890  -->  00:05:45,080
Also, if the target computer is hidden behind a router,

119
00:05:45,080  -->  00:05:48,320
or behind a network, again this is gonna work,

120
00:05:48,320  -->  00:05:50,030
because the connection is coming

121
00:05:50,030  -->  00:05:52,240
from the target computer to me,

122
00:05:52,240  -->  00:05:55,200
instead of me connecting to the target computer.

123
00:05:55,200  -->  00:05:57,670
So, using a reverse connection is really,

124
00:05:57,670  -->  00:05:59,670
really handy and I think this is really

125
00:05:59,670  -->  00:06:03,400
the only practical way of gaining access to a computer

126
00:06:03,400  -->  00:06:05,840
because there are a lot of things that can stop you

127
00:06:05,840  -->  00:06:07,853
from connecting to a certain computer.

128
00:06:09,520  -->  00:06:12,230
Now, this is the general naming pattern.

129
00:06:12,230  -->  00:06:14,930
You'll see some payloads like this one right here

130
00:06:14,930  -->  00:06:17,890
which doesn't follow that general naming pattern.

131
00:06:17,890  -->  00:06:20,650
And basically, what these payloads do for example

132
00:06:20,650  -->  00:06:24,180
you can see this one is called shellcode inject,

133
00:06:24,180  -->  00:06:27,940
so what it's going to do is, it's going to create a payload

134
00:06:27,940  -->  00:06:30,050
that injects your other payload.

135
00:06:30,050  -->  00:06:32,350
So, it's gonna create a normal payload,

136
00:06:32,350  -->  00:06:34,170
and that normal payload injects

137
00:06:34,170  -->  00:06:36,430
a Meterpreter payload for example.

138
00:06:36,430  -->  00:06:39,470
Now, it does this to try to bypass more security

139
00:06:39,470  -->  00:06:43,310
but usually they won't bypass more things

140
00:06:43,310  -->  00:06:45,350
than the normal payloads would bypass,

141
00:06:45,350  -->  00:06:47,100
so that's why I usually just use

142
00:06:47,100  -->  00:06:49,253
one of the normal payloads in here.

143
00:06:50,750  -->  00:06:54,320
So, this is it, this is all about the payloads,

144
00:06:54,320  -->  00:06:56,820
sorry I took a bit of time, but I wanted to make sure

145
00:06:56,820  -->  00:06:59,040
that you guys understand the naming pattern,

146
00:06:59,040  -->  00:07:01,590
I wanted you to understand what a payload is,

147
00:07:01,590  -->  00:07:03,230
and the difference between a reverse

148
00:07:03,230  -->  00:07:05,251
and a bind, and a tcp payload,

149
00:07:05,251  -->  00:07:07,620
this way the rest of the course

150
00:07:07,620  -->  00:07:08,910
will become more clear to you

151
00:07:08,910  -->  00:07:10,960
and I can just use the payload that I want

152
00:07:10,960  -->  00:07:13,120
without explaining what it is.

153
00:07:13,120  -->  00:07:14,510
Now, in the next lecture we're gonna be

154
00:07:14,510  -->  00:07:17,080
generating a payload, and we'll be testing it

155
00:07:17,080  -->  00:07:18,713
against anti-virus programs.
