1
00:00:00,930 --> 00:00:07,770
Previously we learned how to create an undetectable backdoor, which is great, but we delivered this backdoor

2
00:00:07,800 --> 00:00:11,580
by simply downloading it at the target computer.

3
00:00:11,580 --> 00:00:14,040
Now this will probably not work in real life.

4
00:00:14,040 --> 00:00:17,420
Your target will never just download an executable and run it.

5
00:00:17,640 --> 00:00:20,130
if you ask them to do that.

6
00:00:20,370 --> 00:00:26,640
Therefore, in this lecture I want to show you a smarter delivery method where we will spoof an update.

7
00:00:27,270 --> 00:00:33,420
So when a specific program at the target computer checks for updates it will say that there is an update

8
00:00:33,720 --> 00:00:39,480
and when they install that update they will actually be installing a backdoor.

9
00:00:39,480 --> 00:00:44,250
The only limitation to this method is you need to be the man in the middle.

10
00:00:44,250 --> 00:00:49,740
It doesn't matter how but you need to be able to intercept the connections so you can do this using

11
00:00:49,770 --> 00:00:53,400
ARP spoofing or using a fake access point,

12
00:00:53,400 --> 00:01:01,550
as I showed you before, or using any other method that'll allow you to intercept the connections. Usually

13
00:01:01,580 --> 00:01:06,580
programs have a specific domain that they use to check for updates.

14
00:01:06,620 --> 00:01:12,350
So let's say we have the user here that has a specific program that wants to update something. It'll send

15
00:01:12,410 --> 00:01:15,940
a request to a specific domain, and let's say this domain,

16
00:01:15,950 --> 00:01:19,330
in this case it's updateserver.com.

17
00:01:19,370 --> 00:01:21,830
This will be sent to the DNS server.

18
00:01:21,980 --> 00:01:29,480
The DNS server will respond with the IP of the update server, which we have right here, and then the user

19
00:01:29,630 --> 00:01:34,160
will send a direct request to the update server looking for updates.

20
00:01:34,310 --> 00:01:39,400
If there are updates, then the update server will respond with the updates.

21
00:01:39,440 --> 00:01:45,830
Now if we are the man in the middle, if we're able to intercept all the requests and the responses, then

22
00:01:46,040 --> 00:01:53,960
when we get a request for updateserver.com, instead of giving the IP of the update server we can

23
00:01:53,960 --> 00:01:57,530
actually give the IP of a hacker server.

24
00:01:57,530 --> 00:02:03,830
This server is running a special program called evilgrade, and evilgrade will tell the user that yes,

25
00:02:03,860 --> 00:02:10,880
there is an update, and instead of serving them an actual update it'll serve them a backdoor. So when

26
00:02:10,880 --> 00:02:18,100
the user agrees to install this update, we'll actually be installing a backdoor on their system. Let's

27
00:02:18,140 --> 00:02:21,450
do this practically and it'll become even clearer.

28
00:02:21,560 --> 00:02:23,780
Right here I have my Kali machine.

29
00:02:23,780 --> 00:02:27,590
This is the custom image that I made for this course.

30
00:02:27,590 --> 00:02:32,090
Therefore it has evilgrade pre-installed in it.

31
00:02:32,090 --> 00:02:37,640
So first we'll need to navigate to the location where it's installed.

32
00:02:37,640 --> 00:02:48,420
We're going to use the cd command to do that, and it is installed in /opt/evilgrade, and then to

33
00:02:48,420 --> 00:02:51,230
run the binary, the program itself,

34
00:02:51,270 --> 00:02:54,450
we're going to do ./evilgrade.

35
00:02:57,530 --> 00:03:02,470
Now using evilgrade is very simple and very similar to Metasploit.

36
00:03:02,840 --> 00:03:11,080
So to get a list of all the programs whose updates we can hijack, we're gonna do show modules, and

37
00:03:11,080 --> 00:03:21,000
as you can see you have a lot of famous programs such as WinZip, VMware, Skype, Safari and so on.

38
00:03:21,040 --> 00:03:26,200
Now we're going to be doing this on a program called DAP, Download Accelerator Plus.

39
00:03:26,680 --> 00:03:37,700
So we have it here. So to configure a specific module, all we have to do is just type configure, module

40
00:03:37,700 --> 00:03:44,660
name, which is dap, so you can replace that with any module that you want to configure, with any program

41
00:03:44,810 --> 00:03:46,100
that you want to hijack.

42
00:03:46,940 --> 00:03:48,150
So I'm going to hit enter.

43
00:03:48,350 --> 00:03:49,640
And as you can see it's seen.

44
00:03:49,670 --> 00:03:58,500
Now I'm inside the DAP module and I'm going to do show options to see all of the options that I can

45
00:03:58,500 --> 00:03:59,950
set.

46
00:03:59,970 --> 00:04:03,670
So as you can see we get a list of all the options that we can set.

47
00:04:03,930 --> 00:04:08,040
And the main option that we want to change is the agent.

48
00:04:08,040 --> 00:04:13,800
This is the path to the program that will be installed as an update.

49
00:04:13,890 --> 00:04:19,590
So in our case we're gonna be replacing this with the backdoor that we created in the previous lecture.

50
00:04:19,710 --> 00:04:27,150
So to change this option we're going to do set agent, the option name, to the location where I have my

51
00:04:27,150 --> 00:04:34,750
backdoor, and my backdoor is in /var/www/html/backdoor

52
00:04:34,800 --> 00:04:35,180
.exe.

53
00:04:35,200 --> 00:04:43,290
So as you can see, the format of changing options is very similar to bettercap and Metasploit.

54
00:04:43,350 --> 00:04:47,970
We do set followed by the option that we want to change followed by the value.

55
00:04:49,020 --> 00:04:51,790
So I'm going to hit enter and that's done.

56
00:04:51,960 --> 00:04:58,830
The next thing that I want to modify is the endsite, which is the website that will be loaded once

57
00:04:58,830 --> 00:05:01,140
the update is successful.

58
00:05:01,140 --> 00:05:04,130
Now I know this will return a not found error.

59
00:05:04,140 --> 00:05:05,390
That's why I'm going to change it.

60
00:05:05,400 --> 00:05:07,590
You don't have to change it with every module.

61
00:05:08,130 --> 00:05:14,350
So again to change this we're just going to do set endsite, and I'm just going to set it to the,

62
00:05:14,580 --> 00:05:21,780
just the basic domain, which is speedbit.com, and finally before we run everything I'm going to do

63
00:05:21,780 --> 00:05:26,770
show options one last time to make sure that everything is set as I want it.

64
00:05:26,820 --> 00:05:32,560
So I have the agent set to /var/www/html/backdoor.exe.

65
00:05:32,580 --> 00:05:34,110
That's perfect.

66
00:05:34,260 --> 00:05:37,230
And I have the endsite set the way I wanted.

67
00:05:37,590 --> 00:05:39,080
So I'm ready to go.

68
00:05:39,300 --> 00:05:44,620
And all we need to do now is just type start to start evilgrade.

69
00:05:44,670 --> 00:05:51,390
So right now if evilgrade gets a request for an update it will say yes, there is an update, and it will

70
00:05:51,390 --> 00:05:55,710
serve backdoor.exe as the update.

71
00:05:55,710 --> 00:06:02,600
The only problem is it will never get any requests right now because I am not intercepting connections.

72
00:06:02,610 --> 00:06:04,830
I'm still not the man in the middle.

73
00:06:05,010 --> 00:06:08,940
Therefore we're going to become the man in the middle using bettercap.

74
00:06:09,000 --> 00:06:13,620
Like I said you can use any method you want to become the man in the middle but we're just going to

75
00:06:13,620 --> 00:06:16,290
do it using ARP spoofing right now.

76
00:06:16,500 --> 00:06:22,340
So I'm gonna use bettercap using the exact same command that we've been using before.

77
00:06:22,560 --> 00:06:28,470
So we're just doing bettercap, giving it the interface connected to the network and giving it this spoof

78
00:06:28,470 --> 00:06:35,230
caplet so that it runs an ARP spoofing attack, putting me in the middle of the connections. I'm

79
00:06:35,240 --> 00:06:37,910
going to hit enter, and this all ran with no errors.

80
00:06:37,940 --> 00:06:39,740
So that's perfect.

81
00:06:39,740 --> 00:06:47,100
We also need to use bettercap to run a DNS spoofing attack and spoof any request to

82
00:06:47,120 --> 00:06:48,410
update.speedbit.com.

83
00:06:48,410 --> 00:06:55,160
This is the domain that the target program uses to check for updates, and we want to spoof DNS requests

84
00:06:55,160 --> 00:06:55,950
to this

85
00:06:56,030 --> 00:07:01,450
so they return the IP of the Kali machine right here, which is running evilgrade.

86
00:07:01,460 --> 00:07:03,680
So evilgrade gives them the fake update.

87
00:07:05,280 --> 00:07:09,550
Now I covered how to do DNS spoofing in detail in a full lecture before.

88
00:07:09,570 --> 00:07:11,420
So if you don't remember how this works,

89
00:07:11,430 --> 00:07:17,210
please go back and revise that lecture, because I'm going to do it a little bit quickly right now.

90
00:07:17,640 --> 00:07:25,830
So I'm going to copy this domain and I'm going to clear the screen here, and we're going to set dns.spoof.all

91
00:07:25,860 --> 00:07:38,020
to true, and we'll also set dns.spoof.domains to the domain that we want to spoof.

92
00:07:38,050 --> 00:07:44,080
Finally we're going to start the DNS spoofer by doing dns.spoof on, and perfect.

93
00:07:44,080 --> 00:07:50,200
Now it's working and it's telling us that it's going to spoof any request to

94
00:07:50,200 --> 00:07:54,090
update.speedbit.com to the IP of my Kali machine.

95
00:07:54,460 --> 00:07:57,030
The IP of my Kali machine is running evilgrade.

96
00:07:57,100 --> 00:08:02,620
Evilgrade will say yes, there is a new update, and it'll serve them the backdoor that we have right

97
00:08:02,620 --> 00:08:03,280
here.

98
00:08:03,280 --> 00:08:09,230
And that way the backdoor will be automatically executed on the target computer.

99
00:08:09,250 --> 00:08:12,490
The only problem is the backdoor will get executed.

100
00:08:12,490 --> 00:08:17,770
But we're not listening for incoming connections here, so we won't really get access.

101
00:08:17,860 --> 00:08:23,640
Therefore we need to listen for incoming connections using Metasploit, as I showed you before.

102
00:08:23,650 --> 00:08:28,780
Now I've already configured my multi/handler. Again, I covered this in detail, so if you don't remember

103
00:08:28,780 --> 00:08:29,570
how to do it,

104
00:08:29,710 --> 00:08:31,670
please go back to that lecture.

105
00:08:31,870 --> 00:08:38,650
Right now I'm just going to do show options to show you the options that I set right here, and you can

106
00:08:38,650 --> 00:08:46,240
see that I am using a windows/meterpreter/reverse_http here, because I'm actually using a different

107
00:08:46,240 --> 00:08:48,550
backdoor in my evilgrade.

108
00:08:48,580 --> 00:08:53,780
This backdoor right here, it's not reverse_https as shown in previous lectures.

109
00:08:53,890 --> 00:09:01,240
It's actually a reverse_http backdoor, because for some reason I noticed the HTTPS backdoors are

110
00:09:01,240 --> 00:09:03,310
not working with evilgrade.

111
00:09:03,310 --> 00:09:12,160
That's why I created a reverse_http backdoor specifically for this lecture. So I'm setting my payload

112
00:09:12,160 --> 00:09:18,610
to the same payload that's used in my backdoor, I'm setting my IP, and here I'm setting the LPORT to

113
00:09:18,640 --> 00:09:21,510
8080, so everything is perfect.

114
00:09:21,940 --> 00:09:26,350
I'm going to run exploit to listen for incoming connections.

115
00:09:26,350 --> 00:09:28,480
And now we're ready to go.

116
00:09:28,480 --> 00:09:30,820
So now let's go over this one more time.

117
00:09:30,820 --> 00:09:34,220
When we go to the target computer and check for updates,

118
00:09:34,480 --> 00:09:40,840
right now this computer is intercepting connections because of bettercap, and it's also gonna spoof any

119
00:09:40,840 --> 00:09:45,220
request for update.speedbit.com to this IP.

120
00:09:45,220 --> 00:09:48,000
This is the IP where evilgrade is working.

121
00:09:48,040 --> 00:09:54,670
Evilgrade is gonna say yes, there is a new update, the update is this executable. The target's computer

122
00:09:54,760 --> 00:10:01,490
will take this executable, it will run it because it thinks it's an update. When this gets executed it

123
00:10:01,500 --> 00:10:06,880
will send a connection to us in here in our multi handler.

124
00:10:07,330 --> 00:10:13,900
So let's go to the target's computer and see if this will actually work as we expected.

125
00:10:13,900 --> 00:10:18,830
So I've already downloaded Download Accelerator Plus, the program that we're trying to hijack

126
00:10:18,830 --> 00:10:21,130
its updates, and installed it.

127
00:10:21,220 --> 00:10:24,910
So I'm just gonna double click it to start the program.

128
00:10:24,910 --> 00:10:28,210
Now it's just asking me to set it as the default download manager.

129
00:10:28,210 --> 00:10:34,730
I'm going to say no and I'm going to go to help and I'm going to click on update.

130
00:10:34,720 --> 00:10:39,830
Now we're going to say yes check for updates please.

131
00:10:39,850 --> 00:10:48,170
I'm just going to uncheck this, click on Next, it's checking for updates now, and it's telling us that there

132
00:10:48,170 --> 00:10:49,750
is a new update.

133
00:10:49,880 --> 00:10:51,610
So we're going to say next.

134
00:10:51,970 --> 00:10:54,560
And it's telling us right here it's a critical update.

135
00:10:54,560 --> 00:10:57,470
So I'll be like Yeah I want to install this.

136
00:10:57,470 --> 00:11:03,380
This will download the update for me and install it, and it's telling us that it's done, everything is

137
00:11:03,380 --> 00:11:04,610
done. We're going to say next.

138
00:11:04,610 --> 00:11:06,650
Thank you very much.

139
00:11:06,710 --> 00:11:14,270
And finish. Now if we go back to the Kali machine you can see we got a reverse connection here from

140
00:11:14,270 --> 00:11:17,090
the target. Just to confirm this,

141
00:11:17,090 --> 00:11:24,870
we can do sysinfo to see more information, and perfect, as you can see we're inside the target computer.

142
00:11:25,270 --> 00:11:33,820
And now we have full access to that computer and can do whatever the normal user can do on their system.

143
00:11:33,850 --> 00:11:40,150
Now I will talk more about post exploitation and how to control the computer using this meterpreter

144
00:11:40,210 --> 00:11:43,120
access in the post exploitation section.

145
00:11:43,120 --> 00:11:48,490
But right now we managed to hack into a computer using a fake update.
