1
00:00:01,460  -->  00:00:03,490
<v ->Okay, so in this video we're gonna be</v>

2
00:00:03,490  -->  00:00:06,980
using Veil to create a backdoor.

3
00:00:06,980  -->  00:00:08,450
So the first thing I'm gonna do is

4
00:00:08,450  -->  00:00:09,423
I'm gonna do list,

5
00:00:10,320  -->  00:00:11,650
to list the available tools

6
00:00:11,650  -->  00:00:13,400
and I'm gonna use number one

7
00:00:13,400  -->  00:00:15,730
'cause we want to use evasion,

8
00:00:15,730  -->  00:00:17,623
and then I'm gonna list my payloads,

9
00:00:18,800  -->  00:00:20,660
and like I said in the previous lecture

10
00:00:20,660  -->  00:00:24,770
I want to use go/meterpreter, reverse HTTPS,

11
00:00:24,770  -->  00:00:26,360
so that's number 15.

12
00:00:26,360  -->  00:00:27,993
So I'm gonna do use 15,

13
00:00:30,670  -->  00:00:32,520
and that's gonna list the,

14
00:00:32,520  -->  00:00:33,820
first of all it's gonna show me

15
00:00:33,820  -->  00:00:37,040
information about this particular payload,

16
00:00:37,040  -->  00:00:39,440
and then it'll show me the options that I can

17
00:00:39,440  -->  00:00:40,683
set for this payload.

18
00:00:41,710  -->  00:00:44,020
So the main option that you wanna set

19
00:00:44,020  -->  00:00:47,240
and the most important one is the IP address.

20
00:00:47,240  -->  00:00:49,060
So this is the IP address

21
00:00:49,060  -->  00:00:52,190
which you're gonna be receiving the connections on.

22
00:00:52,190  -->  00:00:54,810
As we said, we're gonna have a reverse connection

23
00:00:54,810  -->  00:00:56,610
and we need to set the IP address

24
00:00:56,610  -->  00:00:58,920
which the payload or the backdoor

25
00:00:58,920  -->  00:01:01,510
will try to connect back to,

26
00:01:01,510  -->  00:01:03,160
and in our case we want to receive

27
00:01:03,160  -->  00:01:05,730
the connection back to this Kali machine.

28
00:01:05,730  -->  00:01:08,100
So we're gonna set the IP LHOST

29
00:01:08,100  -->  00:01:10,943
to the IP address of the current Kali machine.

30
00:01:12,160  -->  00:01:14,620
Now to get the IP of my Kali machine,

31
00:01:14,620  -->  00:01:16,750
I have to run ifconfig.

32
00:01:16,750  -->  00:01:18,650
So I'm gonna split the screen by doing

33
00:01:18,650  -->  00:01:22,123
right-click and click on split horizontally,

34
00:01:24,120  -->  00:01:26,170
and I'm just gonna bring this down a bit,

35
00:01:27,360  -->  00:01:29,023
and we're gonna run ifconfig.

36
00:01:33,550  -->  00:01:35,840
Now you can see the IP address in here is

37
00:01:35,840  -->  00:01:38,910
10-20-14-213.

38
00:01:38,910  -->  00:01:40,920
This is the IP of my Kali machine,

39
00:01:40,920  -->  00:01:42,880
this is the IP of the machine that

40
00:01:42,880  -->  00:01:44,600
I'm using as the attacking machine.

41
00:01:44,600  -->  00:01:47,260
So this is where I want the connection to come back to

42
00:01:47,260  -->  00:01:49,270
so I can hack the target computer

43
00:01:49,270  -->  00:01:51,083
once the backdoor is executed.

44
00:01:52,270  -->  00:01:53,600
So, I'm gonna set

45
00:01:55,190  -->  00:01:56,023
LHOST

46
00:01:57,601  -->  00:02:00,143
to 10-20-14-213.

47
00:02:01,930  -->  00:02:05,820
So you can set any of these options using the set command.

48
00:02:05,820  -->  00:02:08,610
So all you have to do is write set

49
00:02:08,610  -->  00:02:10,660
followed by the option that you want to change,

50
00:02:10,660  -->  00:02:13,090
so in this case, we want to change the LHOST,

51
00:02:13,090  -->  00:02:16,823
and we want to change that to 10-20-14-213.

52
00:02:19,250  -->  00:02:22,500
Now, the LPORT is set to 80, which is really good

53
00:02:22,500  -->  00:02:25,220
because that's the port that's used by web servers.

54
00:02:25,220  -->  00:02:27,090
So as I said, the connection will look

55
00:02:27,090  -->  00:02:29,860
as if the target person is connecting to a website

56
00:02:29,860  -->  00:02:31,940
and it's not gonna be suspicious.

57
00:02:31,940  -->  00:02:33,880
But I don't want to use that port because

58
00:02:33,880  -->  00:02:35,880
I'll have a web server running on this

59
00:02:35,880  -->  00:02:37,640
and we'll talk about that later.

60
00:02:37,640  -->  00:02:40,680
So, I'm gonna change that to 8080.

61
00:02:40,680  -->  00:02:43,600
8080 is another port that's used by web servers

62
00:02:43,600  -->  00:02:45,320
so it's still not suspicious

63
00:02:45,320  -->  00:02:47,343
and it should still bypass firewalls.

64
00:02:48,360  -->  00:02:50,433
So, I'm just gonna do set,

65
00:02:51,400  -->  00:02:53,700
same way that we did it before with the LHOST,

66
00:02:53,700  -->  00:02:54,910
we're gonna do LPORT

67
00:02:56,840  -->  00:02:59,190
to the value that we want to set this option to,

68
00:02:59,190  -->  00:03:00,740
and we're gonna set it to 8080.

69
00:03:03,250  -->  00:03:04,900
Now if I do options again

70
00:03:06,820  -->  00:03:08,283
to list all the options,

71
00:03:09,750  -->  00:03:13,920
you'll see that the LHOST changed to 10-20-14-213

72
00:03:13,920  -->  00:03:16,183
and the LPORT changed to 8080.

73
00:03:17,840  -->  00:03:20,860
Now, if you generate the backdoor like this,

74
00:03:20,860  -->  00:03:24,357
you will bypass all antivirus programs except AVG.

75
00:03:26,660  -->  00:03:29,140
I've already tried this, that's how I know this,

76
00:03:29,140  -->  00:03:30,710
and that's not good enough because

77
00:03:30,710  -->  00:03:32,313
we want to bypass everything.

78
00:03:33,280  -->  00:03:35,830
Now, the way antivirus programs work

79
00:03:35,830  -->  00:03:39,823
is they have a very large database of signatures.

80
00:03:40,770  -->  00:03:42,960
These signatures correspond to files

81
00:03:42,960  -->  00:03:45,370
that contain harmful code.

82
00:03:45,370  -->  00:03:48,010
So what they do is they compare the signature

83
00:03:48,010  -->  00:03:50,060
of your file, of your backdoor,

84
00:03:50,060  -->  00:03:53,220
to all the files in this huge database.

85
00:03:53,220  -->  00:03:55,860
If your file matches any of these files,

86
00:03:55,860  -->  00:03:59,420
then they'll flag it as a virus or as malware.

87
00:03:59,420  -->  00:04:02,410
If it doesn't, then they'll think that it's a normal file

88
00:04:02,410  -->  00:04:04,053
and it's not malware.

89
00:04:05,340  -->  00:04:08,540
So, the main point in here is we're gonna try

90
00:04:08,540  -->  00:04:12,000
to modify the file, our backdoor, as much as possible

91
00:04:12,000  -->  00:04:14,980
to make it more unique so that it bypasses

92
00:04:14,980  -->  00:04:17,060
the signature database and we'll be able

93
00:04:17,060  -->  00:04:19,690
to bypass antivirus programs.

94
00:04:19,690  -->  00:04:22,170
Now as I said, Veil is already doing that for us,

95
00:04:22,170  -->  00:04:25,270
it's encrypting the backdoor, it's orchestrating it,

96
00:04:25,270  -->  00:04:27,260
it's injecting it in the memory

97
00:04:27,260  -->  00:04:28,830
so that it doesn't get detected,

98
00:04:28,830  -->  00:04:30,260
and it's doing a good job at it,

99
00:04:30,260  -->  00:04:31,870
it's bypassing pretty much everything

100
00:04:31,870  -->  00:04:34,520
except for only one antivirus program.

101
00:04:34,520  -->  00:04:37,560
So just to bypass this last antivirus program,

102
00:04:37,560  -->  00:04:39,370
I'm gonna set some optional options

103
00:04:39,370  -->  00:04:41,740
that really won't do much of a difference,

104
00:04:41,740  -->  00:04:45,120
they'll just make the backdoor look a bit different.

105
00:04:45,120  -->  00:04:48,343
So the first thing that I'm gonna modify is PROCESSORS,

106
00:04:49,380  -->  00:04:51,540
and that's the minimum number of processors

107
00:04:51,540  -->  00:04:53,660
to be used by the backdoor.

108
00:04:53,660  -->  00:04:55,210
I'm not gonna set a huge number

109
00:04:55,210  -->  00:04:57,920
because that will just make my backdoor not work.

110
00:04:57,920  -->  00:04:59,350
I'm just gonna set it to one,

111
00:04:59,350  -->  00:05:01,930
which is pretty much nothing really,

112
00:05:01,930  -->  00:05:03,840
but I'm just gonna set this option to make

113
00:05:03,840  -->  00:05:06,030
the code look a bit different.

114
00:05:06,030  -->  00:05:07,900
So I'm gonna do set,

115
00:05:07,900  -->  00:05:08,890
again the same way that

116
00:05:08,890  -->  00:05:10,940
we were setting the LPORT and the LHOST,

117
00:05:10,940  -->  00:05:12,260
we're just gonna put the option name,

118
00:05:12,260  -->  00:05:13,340
which is PROCESSORS

119
00:05:15,110  -->  00:05:17,060
and we're gonna set that to number one.

120
00:05:19,070  -->  00:05:21,100
And I'm also gonna set another option,

121
00:05:21,100  -->  00:05:23,330
which is the SLEEP option,

122
00:05:23,330  -->  00:05:26,440
and that basically lets the backdoor sleep

123
00:05:26,440  -->  00:05:28,730
for a number of seconds that you set

124
00:05:28,730  -->  00:05:31,750
before it executes the evil code that you have in there,

125
00:05:31,750  -->  00:05:34,060
before it executes the payload.

126
00:05:34,060  -->  00:05:35,890
So I'm gonna set this to six.

127
00:05:35,890  -->  00:05:38,210
Again, no real reason for this,

128
00:05:38,210  -->  00:05:39,910
I'm only doing this to make the backdoor

129
00:05:39,910  -->  00:05:41,390
look a bit different.

130
00:05:41,390  -->  00:05:45,053
So I'm gonna do set, SLEEP to six.

131
00:05:45,960  -->  00:05:49,460
So I'm gonna hit enter and I'm gonna do options again

132
00:05:49,460  -->  00:05:51,310
to make sure that all the options are set

133
00:05:51,310  -->  00:05:53,120
the way I want them to be.

134
00:05:53,120  -->  00:05:55,030
So I have

135
00:05:55,030  -->  00:05:57,850
my IP address set properly,

136
00:05:57,850  -->  00:06:00,810
I have my LPORT, I have my PROCESSORS,

137
00:06:00,810  -->  00:06:02,610
and I have my SLEEP.

138
00:06:02,610  -->  00:06:04,360
So I'm gonna generate the backdoor,

139
00:06:07,276  -->  00:06:10,760
and now it's asking me to name this backdoor something.

140
00:06:10,760  -->  00:06:12,462
So, I'm gonna name this backdoor

141
00:06:12,462  -->  00:06:15,820
rev_https_8080

142
00:06:18,060  -->  00:06:20,830
just so that we can remember which payload

143
00:06:20,830  -->  00:06:23,530
and which port to use for this backdoor in the future.

144
00:06:25,200  -->  00:06:27,310
Now the backdoor is generated

145
00:06:27,310  -->  00:06:30,560
and you can see it's just telling us the module that's used

146
00:06:30,560  -->  00:06:33,460
and it's telling us where the backdoor is stored.

147
00:06:33,460  -->  00:06:36,780
So the backdoor is stored in this path right here,

148
00:06:36,780  -->  00:06:38,023
so I'm gonna copy that.

149
00:06:40,780  -->  00:06:43,870
Let's go ahead and check to see if the backdoor

150
00:06:43,870  -->  00:06:47,150
is detected by any antivirus programs.

151
00:06:47,150  -->  00:06:50,530
Now you can use the built-in feature by Veil

152
00:06:50,530  -->  00:06:52,600
using the check VT command,

153
00:06:52,600  -->  00:06:56,240
but this feature only uses the signature of the file

154
00:06:56,240  -->  00:06:58,190
and it's not 100% accurate.

155
00:06:58,190  -->  00:07:00,030
Sometimes it tells you that the file

156
00:07:00,030  -->  00:07:01,840
will bypass all antiviruses,

157
00:07:01,840  -->  00:07:04,070
but it will actually be detected.

158
00:07:04,070  -->  00:07:07,770
You can also use VirusTotal, but I don't recommend that

159
00:07:07,770  -->  00:07:10,440
and please don't do that because if you do that,

160
00:07:10,440  -->  00:07:13,210
your backdoor will become less effective

161
00:07:13,210  -->  00:07:16,080
because VirusTotal shares the results

162
00:07:16,080  -->  00:07:18,820
of their scans with antivirus programs.

163
00:07:18,820  -->  00:07:20,650
What we're gonna do is we're gonna use

164
00:07:20,650  -->  00:07:22,770
a website called NoDistribute.

165
00:07:22,770  -->  00:07:24,170
So we're gonna go to it now.

166
00:07:27,810  -->  00:07:30,297
So I'm just gonna google for NoDistribute,

167
00:07:32,400  -->  00:07:33,580
and what this is gonna do,

168
00:07:33,580  -->  00:07:35,410
it's similar to VirusTotal,

169
00:07:35,410  -->  00:07:38,160
the only difference is it's not going to share

170
00:07:38,160  -->  00:07:40,740
the scan results with antivirus programs,

171
00:07:40,740  -->  00:07:43,340
so it won't affect your backdoor.

172
00:07:43,340  -->  00:07:46,810
So I'm gonna click on Browse to navigate to my file

173
00:07:46,810  -->  00:07:49,160
and I'm just gonna copy where the file is stored,

174
00:07:49,160  -->  00:07:52,000
so Veil is telling me now, it's stored in this location

175
00:07:52,000  -->  00:07:55,230
in usr/share/veil-output/compiled

176
00:07:55,230  -->  00:07:56,400
so I'm gonna copy this

177
00:07:58,090  -->  00:07:59,900
and I'm gonna come here,

178
00:07:59,900  -->  00:08:02,380
I'm gonna click on the pen

179
00:08:02,380  -->  00:08:04,173
and I'm gonna paste the location.

180
00:08:05,870  -->  00:08:07,110
I'm gonna click on Open

181
00:08:08,650  -->  00:08:10,093
and scan the file.

182
00:08:14,210  -->  00:08:16,700
Now as you can see, I've already scanned this file

183
00:08:16,700  -->  00:08:19,370
and it's telling me that this file has been scanned before,

184
00:08:19,370  -->  00:08:22,083
so I'm just gonna click on View Previous Results,

185
00:08:24,160  -->  00:08:27,660
and as you can see, the file is actually scanned

186
00:08:27,660  -->  00:08:32,490
on the same day as today, which is the 29th of March, 2017,

187
00:08:32,490  -->  00:08:36,120
and as you can see, the file is bypassing

188
00:08:36,120  -->  00:08:37,743
all antivirus programs.

189
00:08:39,150  -->  00:08:42,660
So, we can use this backdoor against any device

190
00:08:42,660  -->  00:08:45,600
and we'll be sure that the device or the computer

191
00:08:45,600  -->  00:08:50,370
will not be able to detect this file as a virus.

192
00:08:50,370  -->  00:08:52,800
Now, there's a few things to keep in mind.

193
00:08:52,800  -->  00:08:55,660
Antivirus programs always update their database

194
00:08:55,660  -->  00:08:58,510
and Veil always updates its code as well,

195
00:08:58,510  -->  00:09:02,520
so you want to always make Veil up-to-date.

196
00:09:02,520  -->  00:09:06,350
Also, sometimes, with the same exact backdoor,

197
00:09:06,350  -->  00:09:09,160
it might get detected and it might not get detected

198
00:09:09,160  -->  00:09:11,740
because depending on the way the backdoor

199
00:09:11,740  -->  00:09:14,530
is getting encrypted and is getting generated.

200
00:09:14,530  -->  00:09:17,330
I've actually generated this backdoor before

201
00:09:19,611  -->  00:09:21,782
with no SLEEP and as I said,

202
00:09:21,782  -->  00:09:24,350
it got detected by one antivirus program.

203
00:09:24,350  -->  00:09:27,710
I generated it with 10 seconds and it still got detected,

204
00:09:27,710  -->  00:09:30,780
and then with six, it was able to bypass it.

205
00:09:30,780  -->  00:09:33,470
So you wanna keep playing around with the options,

206
00:09:33,470  -->  00:09:35,900
you wanna keep playing around with the payloads

207
00:09:35,900  -->  00:09:39,210
until you manage to achieve the best results

208
00:09:39,210  -->  00:09:42,060
so that you can bypass as many antivirus programs

209
00:09:42,060  -->  00:09:42,893
as possible.