1
00:00:00,720 --> 00:00:05,690
In this lecture I want to show you another backdoor delivery method, and in this method

2
00:00:05,790 --> 00:00:13,740
we're going to wait for our target to download an executable and we will backdoor this executable as

3
00:00:13,830 --> 00:00:15,360
it's being downloaded.

4
00:00:15,360 --> 00:00:19,770
So when they run their executable they will get the file that they're expecting.

5
00:00:19,770 --> 00:00:26,720
But at the same time a backdoor will run in the background, giving us full access to their computer.

6
00:00:26,760 --> 00:00:31,270
The only limitation to this is you need to be the man in the middle.

7
00:00:31,320 --> 00:00:37,620
It doesn't matter how you managed to achieve this position, but you need to be able to intercept connections

8
00:00:37,800 --> 00:00:40,680
so you can backdoor the downloads on the fly.

9
00:00:41,980 --> 00:00:47,000
Now to do this we're going to be using a tool called Backdoor Factory Proxy.

10
00:00:47,200 --> 00:00:53,050
I already installed this tool for you in the custom image that I made for this course.

11
00:00:53,050 --> 00:01:00,700
So all we have to do is go to our Kali machine right here and navigate to the location where I installed

12
00:01:00,700 --> 00:01:03,880
it. To navigate to a specific location

13
00:01:03,880 --> 00:01:10,300
you can either just click in here and press the forward slash on your keyboard to open the path bar,

14
00:01:10,690 --> 00:01:16,410
or you can press Ctrl+L on your keyboard, again to open the path bar.

15
00:01:16,960 --> 00:01:24,670
Once this is open we need to go to the path where this tool is installed, and it's installed in /opt/

16
00:01:25,510 --> 00:01:25,970
BDFProxy.

17
00:01:25,980 --> 00:01:29,910
In here

18
00:01:29,910 --> 00:01:37,060
you have the actual executable of the program and you have the configuration file.

19
00:01:37,260 --> 00:01:42,990
So I'm going to double click the configuration file to change the config, and the main thing that you

20
00:01:42,990 --> 00:01:47,990
want to change in here is the proxy mode, which we have right here.

21
00:01:48,000 --> 00:01:50,700
It will be set to regular by default.

22
00:01:50,880 --> 00:01:55,270
And you want to change that to transparent.

23
00:01:55,640 --> 00:02:02,780
The next thing that we want to modify is the IP of my current computer, because like I said this tool

24
00:02:02,960 --> 00:02:06,080
will backdoor every file the target downloads.

25
00:02:06,080 --> 00:02:12,440
So we need to tell this tool my IP, so that when the backdoor gets executed on the target computer it

26
00:02:12,440 --> 00:02:14,500
knows where to connect to.

27
00:02:14,570 --> 00:02:19,040
So you can get your IP by running ifconfig, as I showed you before.

28
00:02:19,170 --> 00:02:23,230
I've already done this and I know my IP is 10.0.2.15.

29
00:02:23,540 --> 00:02:26,670
So I'm going to look for where it says Windows in here.

30
00:02:26,690 --> 00:02:29,710
This is the configuration for the Linux targets.

31
00:02:29,720 --> 00:02:35,060
If you're targeting Linux then you also want to modify the IP here, but I'm only going to be targeting

32
00:02:35,060 --> 00:02:35,900
Windows.

33
00:02:35,900 --> 00:02:37,930
So I'm going to look to where it says Windows.

34
00:02:37,940 --> 00:02:48,040
As you can see in here, and I'm going to change the host to my IP, which is 10.0.2.15, and I'm also going

35
00:02:48,040 --> 00:02:51,450
to scroll down to change it for Windows 64.

36
00:02:51,650 --> 00:02:57,490
And again in here you want to set it to 10.0.2.15.

37
00:02:57,530 --> 00:02:59,810
And we're good to go.

38
00:02:59,810 --> 00:03:05,900
So I'm going to press Ctrl+S to save and Ctrl+Q to quit, and we are ready to use the tool.

39
00:03:06,680 --> 00:03:13,460
So keep in mind the tool is installed in /opt/BDFProxy, and the program that runs the tool is

40
00:03:13,460 --> 00:03:17,150
this file right here, bdfproxy.py.

41
00:03:17,150 --> 00:03:19,910
Therefore we're going to go to our terminal.

42
00:03:19,910 --> 00:03:23,140
We're going to navigate to where the tool is installed.

43
00:03:23,240 --> 00:03:29,100
So we're going to do cd /opt/BDFProxy.

44
00:03:29,200 --> 00:03:30,280
Gonna hit enter.

45
00:03:30,380 --> 00:03:35,530
And if I do a quick ls you'll see we have the program file in here.

46
00:03:36,200 --> 00:03:42,440
And because you see this in green it means it's an executable, so we can run it by doing ./

47
00:03:42,440 --> 00:03:49,470
followed by the file name, which is bdfproxy.py.

48
00:03:49,850 --> 00:03:52,840
I'm going to hit enter and this will run with no errors.

49
00:03:52,910 --> 00:03:54,800
So it's perfect.

50
00:03:54,830 --> 00:03:57,860
So this program right now is running on its own.

51
00:03:57,860 --> 00:04:04,970
And as soon as it receives a request for an EXE it's going to backdoor that executable.

52
00:04:05,120 --> 00:04:09,210
But the way it is right now, it's not going to receive any requests.

53
00:04:09,260 --> 00:04:14,000
Therefore we need to redirect requests to it. To do that,

54
00:04:14,000 --> 00:04:16,560
we need to first become the man in the middle.

55
00:04:16,580 --> 00:04:23,390
And like I said, you can do this using ARP spoofing, you can do it by using a fake access point and

56
00:04:23,390 --> 00:04:29,180
targeting the clients that connect to you, or you can use this tool whenever you manage to become the man

57
00:04:29,180 --> 00:04:29,870
in the middle.

58
00:04:29,960 --> 00:04:36,500
Regardless of how you manage to do this, I'm going to do it with ARP spoofing because it's the easiest.

59
00:04:37,100 --> 00:04:42,050
So we're going to use bettercap exactly the same way that we've been using it before.

60
00:04:42,050 --> 00:04:50,000
So we're giving it the interface, which is eth0, and then I'm giving it my ARP spoofing caplet so that

61
00:04:50,030 --> 00:04:56,900
it puts me in the middle of the connections allowing me to intercept data and modify it on the fly.

62
00:04:56,900 --> 00:05:00,560
So I'm going to hit enter. This runs with no issues.

63
00:05:00,560 --> 00:05:01,640
So it's perfect.

64
00:05:02,210 --> 00:05:08,600
So now I'm intercepting the data. Any time this Windows machine right here, which is the target, tries

65
00:05:08,600 --> 00:05:17,480
to download something it's going to be intercepted in here in bettercap, but BDFProxy is still not

66
00:05:17,510 --> 00:05:22,420
able to see that there is a download because these are two separate programs.

67
00:05:22,460 --> 00:05:29,450
So what we want to do is we need to link all the data that this program sees to this program right here,

68
00:05:30,560 --> 00:05:36,800
and to do that we're going to use a firewall that comes pre-installed in most Linux systems called

69
00:05:36,800 --> 00:05:44,240
iptables, and using iptables we can specify rules that packets have to follow.

70
00:05:44,240 --> 00:05:54,110
So I'm going to clear my screen here and I'm going to use iptables to modify a table called nat and

71
00:05:54,200 --> 00:06:09,280
append a PREROUTING rule that will apply for TCP packets that are going to destination port 80, and

72
00:06:09,280 --> 00:06:21,930
we want to redirect this to port 8080, where we have BDFProxy running and waiting to backdoor the downloads.

73
00:06:23,300 --> 00:06:25,010
So, very simple command.

74
00:06:25,070 --> 00:06:33,230
We're using a program called iptables to modify a table called nat, and we're going to append a PREROUTING rule

75
00:06:33,530 --> 00:06:36,110
that will apply for TCP packets

76
00:06:36,180 --> 00:06:44,420
that are going to destination port 80, and we're going to redirect them to port 8080, where we have this

77
00:06:44,420 --> 00:06:49,560
program BDFProxy running, waiting to backdoor our files for me.

78
00:06:50,030 --> 00:06:54,560
So I'm going to hit enter. I misspelled port in here,

79
00:06:54,560 --> 00:06:58,160
there's an extra R. And this runs with no errors.

80
00:06:58,160 --> 00:06:59,330
So that's perfect.

81
00:07:00,020 --> 00:07:03,490
So now we're using bettercap to intercept data.

82
00:07:03,620 --> 00:07:10,520
All this data is going to be redirected using this rule to BDFProxy, which will wait and see if there

83
00:07:10,520 --> 00:07:17,960
is an EXE being downloaded. It will backdoor it and then serve it back to the target. When the target executes

84
00:07:17,960 --> 00:07:22,700
the EXE, it will execute a backdoor that will send the connection back to me.

85
00:07:23,390 --> 00:07:29,530
So all I have to do right now here is to listen for incoming connections, and you can do this using

86
00:07:29,540 --> 00:07:34,920
the multi/handler as I showed you before, or if you're lazy

87
00:07:34,920 --> 00:07:40,320
you can actually use the resource file that the Backdoor Factory creates for us.

88
00:07:41,160 --> 00:07:48,420
So this file right here will automatically start the multi/handler and listen for incoming connections

89
00:07:48,660 --> 00:07:55,780
for all of the payloads that we set in the configuration file of BDFProxy. To run this,

90
00:07:56,070 --> 00:08:03,090
all we have to do is first of all run msfconsole as usual, and we're gonna say I want to give you a

91
00:08:03,090 --> 00:08:09,060
resource file and then give it the full path for this resource file.

92
00:08:09,060 --> 00:08:16,120
Now keep in mind this file was created by BDFProxy, which is stored in /opt/BDFProxy.

93
00:08:16,260 --> 00:08:26,490
Therefore the location of this file is going to be /opt/BDFProxy followed by the file name.

94
00:08:26,490 --> 00:08:33,600
So if I hit enter now, msfconsole will run and it'll load all the code that is stored in the resource

95
00:08:33,600 --> 00:08:40,320
file, which will automatically start the multi/handler and configure it with the IPs that we specified

96
00:08:40,410 --> 00:08:44,490
when we configured BDFProxy.

97
00:08:44,510 --> 00:08:48,420
So now everything is running and we are ready to go.

98
00:08:48,470 --> 00:08:53,260
So let's go to the target computer, and let's keep it simple when testing.

99
00:08:53,480 --> 00:08:57,650
So I'm going to try to download something from an HTTP website.

100
00:08:58,340 --> 00:09:05,810
So we're gonna go to speedbit.com and we're just going to click on Download.

101
00:09:05,810 --> 00:09:11,960
This will actually download DAP, which I showed you how to hijack its updates. You would get a normal

102
00:09:11,960 --> 00:09:14,990
download; we're gonna save it to our downloads.

103
00:09:15,110 --> 00:09:20,210
This will automatically go to Downloads, so I have that already open in here.

104
00:09:20,210 --> 00:09:23,810
As you can see it has an actual proper icon for the program.

105
00:09:23,810 --> 00:09:27,670
This is the normal icon that you'll get if you download speed.

106
00:09:28,340 --> 00:09:36,260
And if you double click it and run it, it's just an executable; you will actually get the normal installer.

107
00:09:36,260 --> 00:09:41,570
So if this was an actual person then they wouldn't really get suspicious, because they're installing the

108
00:09:41,570 --> 00:09:43,460
program that they wanted.

109
00:09:43,460 --> 00:09:49,940
But what they don't know is this program got backdoored on the fly as it was being downloaded.

110
00:09:49,940 --> 00:09:56,180
So if we go back to our Kali machine you'll see that Metasploit is saying that there is a new session

111
00:09:56,210 --> 00:09:56,830
opened.

112
00:09:57,830 --> 00:10:05,690
So all I have to do now is press enter on my keyboard, then I'm going to do sessions -l to list all of

113
00:10:05,690 --> 00:10:07,510
the available sessions.

114
00:10:07,910 --> 00:10:14,060
And as you can see we have a new session in here, and to enter into this session, to interact with it,

115
00:10:14,440 --> 00:10:24,080
I'm going to do sessions -i followed by the ID of this session, which is number one, and I'm inside my

116
00:10:24,080 --> 00:10:28,520
Meterpreter session right now inside the target computer.

117
00:10:28,520 --> 00:10:31,920
So to verify this I'm going to do sysinfo.

118
00:10:32,180 --> 00:10:39,080
And as you can see, I'm inside MSEdge right now and I can control this machine and do anything the

119
00:10:39,110 --> 00:10:41,940
normal user can do on their computer.

120
00:10:42,050 --> 00:10:48,590
And like I said, I will show you how to control this computer remotely in the post exploitation section.

121
00:10:48,770 --> 00:10:55,610
But for now we have full access to that computer, and we managed to do this by backdooring a file that

122
00:10:55,610 --> 00:11:00,740
the normal user requested to download as that file was being downloaded.
