1
00:00:00,670 --> 00:00:03,010
<v Instructor>Okay, so if we look at the backdoor</v>

2
00:00:03,010 --> 00:00:06,030
or the trojan that we generated so far,

3
00:00:06,030 --> 00:00:08,380
we can see that it's very cool.

4
00:00:08,380 --> 00:00:12,040
First of all, it has an icon that represents a file

5
00:00:12,040 --> 00:00:15,200
that the target person is interested in.

6
00:00:15,200 --> 00:00:18,220
When it's executed, it shows a normal file

7
00:00:18,220 --> 00:00:21,180
that, again, the target person is interested in.

8
00:00:21,180 --> 00:00:23,510
It shows an image or a PDF,

9
00:00:23,510 --> 00:00:26,240
or anything that we want, really.

10
00:00:26,240 --> 00:00:27,520
At the same time,

11
00:00:27,520 --> 00:00:30,690
it's gonna execute our evil code in the background,

12
00:00:30,690 --> 00:00:33,200
which will allow us to hack the target computer

13
00:00:33,200 --> 00:00:34,853
or do whatever we want.

14
00:00:36,780 --> 00:00:39,380
The only problem with this file is,

15
00:00:39,380 --> 00:00:41,710
if you look here at the end of the file,

16
00:00:41,710 --> 00:00:44,840
you can see that it's .exe.

17
00:00:44,840 --> 00:00:48,420
Now, in most cases, you probably want to see the .exe

18
00:00:48,420 --> 00:00:51,560
because Windows would be configured to hide it.

19
00:00:51,560 --> 00:00:53,290
But if it's not hiding it,

20
00:00:53,290 --> 00:00:56,360
then it's obvious that this file is an executable

21
00:00:56,360 --> 00:00:58,600
because it ends with a .exe.

22
00:01:00,130 --> 00:01:03,410
What I wanna show you today is how to spoof this

23
00:01:03,410 --> 00:01:07,410
and change this to something that corresponds to the file.

24
00:01:07,410 --> 00:01:10,540
If we're trying to make our backdoor look like a PDF,

25
00:01:10,540 --> 00:01:13,090
then you can make this look like a .pdf,

26
00:01:13,090 --> 00:01:16,160
if we're trying to make the file look like an image,

27
00:01:16,160 --> 00:01:20,440
then you wanna make this look like a .jpg or a .png,

28
00:01:20,440 --> 00:01:23,185
or an extension that represents the image.

29
00:01:23,185 --> 00:01:25,617
In our case, we're trying to make it look like an image,

30
00:01:25,617 --> 00:01:28,650
so I'm gonna try to make this end with a .jpg.

31
00:01:29,860 --> 00:01:31,400
To do that, we're gonna use

32
00:01:31,400 --> 00:01:34,380
a right to left override character.

33
00:01:34,380 --> 00:01:38,450
Before I show you how to do that, I'm just gonna rename this

34
00:01:38,450 --> 00:01:40,036
and just literally copy the name.

35
00:01:40,036 --> 00:01:41,860
I'm just gonna go on Rename,

36
00:01:41,860 --> 00:01:43,433
copy everything here,

37
00:01:44,500 --> 00:01:47,720
and I'm just gonna paste it in my text editor

38
00:01:47,720 --> 00:01:49,770
so that when I'm modifying things,

39
00:01:49,770 --> 00:01:51,463
it's clear to you what I'm doing.

40
00:01:54,020 --> 00:01:56,640
Now, the first thing that I'm gonna do is

41
00:01:56,640 --> 00:02:00,463
I'm just gonna type the new filename that I wanna use.

42
00:02:00,463 --> 00:02:03,330
For the new filename, I'm not gonna use GTR image,

43
00:02:03,330 --> 00:02:04,853
I'm just gonna use GTR.

44
00:02:06,850 --> 00:02:09,503
This is, obviously, gonna have to be .exe.

45
00:02:11,620 --> 00:02:14,350
Now, instead of this exe,

46
00:02:14,350 --> 00:02:17,960
I, actually, want to have a .jpg.

47
00:02:17,960 --> 00:02:20,490
But that's not possible because if I do that,

48
00:02:20,490 --> 00:02:23,640
the file is not gonna be an executable.

49
00:02:23,640 --> 00:02:25,990
To do this, I'm gonna try to get the text

50
00:02:25,990 --> 00:02:28,290
to be read from right to left

51
00:02:28,290 --> 00:02:30,873
using a right to left override character.

52
00:02:32,460 --> 00:02:35,570
Because the text is gonna be read from right to left,

53
00:02:35,570 --> 00:02:39,330
we're gonna type this extension after the filename,

54
00:02:39,330 --> 00:02:42,470
but we're gonna spell it from right to left.

55
00:02:42,470 --> 00:02:46,490
We're gonna spell it as G-P-J in here.

56
00:02:46,490 --> 00:02:47,737
So, we're gonna put GPJ.

57
00:02:50,790 --> 00:02:54,780
Again, this is just the extension that we want to use,

58
00:02:54,780 --> 00:02:57,730
but we're spelling it from right to left.

59
00:02:57,730 --> 00:03:00,527
We're spelling it G-P-J instead of JPG.

60
00:03:03,530 --> 00:03:05,100
Now what I wanna do is

61
00:03:05,100 --> 00:03:09,020
I wanna put a right to left character in here.

62
00:03:09,020 --> 00:03:11,590
Basically, when I put that character in here,

63
00:03:11,590 --> 00:03:15,170
the text, anything that comes in after that character,

64
00:03:15,170 --> 00:03:16,983
will be read from right to left.

65
00:03:17,890 --> 00:03:19,380
All this is gonna be flipped,

66
00:03:19,380 --> 00:03:22,270
and, basically, the filename is gonna be called gtrexe.,

67
00:03:24,470 --> 00:03:26,590
and this is gonna be read from right to left,

68
00:03:26,590 --> 00:03:31,500
so it's gonna be .jpg.

69
00:03:31,500 --> 00:03:33,950
Let me do it, and you'll see what I mean by that.

70
00:03:35,040 --> 00:03:36,030
To get that character,

71
00:03:36,030 --> 00:03:38,560
we're gonna go on all applications here

72
00:03:38,560 --> 00:03:40,360
and we're gonna look for characters.

73
00:03:44,500 --> 00:03:46,030
You can see that it's already showing me

74
00:03:46,030 --> 00:03:48,670
the right to left override here in the Recents,

75
00:03:48,670 --> 00:03:50,510
but for you it won't show it.

76
00:03:50,510 --> 00:03:53,100
So, you wanna go here on the search,

77
00:03:53,100 --> 00:03:56,043
and you just wanna search for right to left override.

78
00:03:58,490 --> 00:04:00,313
And you can see we have it in here.

79
00:04:02,070 --> 00:04:03,770
If you click on it,

80
00:04:03,770 --> 00:04:05,450
you'll just see a button

81
00:04:05,450 --> 00:04:08,450
that'll allow you to copy that character.

82
00:04:08,450 --> 00:04:10,330
I'm just gonna click on Copy,

83
00:04:10,330 --> 00:04:13,253
and that'll, basically, just copy the character for me.

84
00:04:14,230 --> 00:04:16,190
Now, I'm gonna come in here,

85
00:04:16,190 --> 00:04:18,810
and, again, once I paste it in here,

86
00:04:18,810 --> 00:04:21,700
anything that comes after that character

87
00:04:21,700 --> 00:04:23,620
will be read from right to left.

88
00:04:23,620 --> 00:04:25,970
So, we're gonna start in here,

89
00:04:25,970 --> 00:04:28,423
and it's gonna be read as exe.jpg.

90
00:04:30,960 --> 00:04:32,800
I'm gonna put the cursor here,

91
00:04:32,800 --> 00:04:34,123
and I'm gonna paste,

92
00:04:35,870 --> 00:04:40,387
and as you can see, now the filename is called gtrexe.jpg.

93
00:04:43,430 --> 00:04:45,580
Now, again, I'm gonna remove the character.

94
00:04:46,910 --> 00:04:48,200
Back to normal.

95
00:04:48,200 --> 00:04:49,363
If I paste it,

96
00:04:50,290 --> 00:04:52,710
everything is being read from right to left,

97
00:04:52,710 --> 00:04:57,523
and the filename is gonna be called gtrexe.jpg.

98
00:04:58,630 --> 00:05:01,420
Now, when you're using a filename like this,

99
00:05:01,420 --> 00:05:02,900
in my case, it looks fine

100
00:05:02,900 --> 00:05:07,060
because I'm already using the name of a car which is called GTR.

101
00:05:07,060 --> 00:05:10,330
If you send them to a person, they might think the exe

102
00:05:10,330 --> 00:05:12,513
is just a special edition of this car.

103
00:05:13,360 --> 00:05:16,150
If you are using this as a book or as something else,

104
00:05:16,150 --> 00:05:19,888
you wanna think of a name that ends with ex.

105
00:05:19,888 --> 00:05:21,960
For example, there's a lot of names,

106
00:05:21,960 --> 00:05:26,910
so you can think of reflex, hex, sex, and so on.

107
00:05:26,910 --> 00:05:29,100
Anything that ends up with an ex

108
00:05:29,100 --> 00:05:31,123
will be a good name to use in here.

109
00:05:32,550 --> 00:05:33,920
I have my name now.

110
00:05:33,920 --> 00:05:35,263
I'm just gonna copy this.

111
00:05:38,140 --> 00:05:39,723
Then I'm gonna rename this.

112
00:05:45,610 --> 00:05:46,733
And that's it.

113
00:05:47,670 --> 00:05:51,323
As you can see, now my file is called gtrexe.jpg.

114
00:05:52,820 --> 00:05:55,350
Now, you can send this file the way it is to the target,

115
00:05:55,350 --> 00:05:57,330
but I don't wanna send it like this

116
00:05:57,330 --> 00:05:59,240
because some recent browsers

117
00:05:59,240 --> 00:06:01,350
are removing the right to left override

118
00:06:01,350 --> 00:06:02,660
when downloading the file.

119
00:06:02,660 --> 00:06:06,900
What I'm gonna do is I'm gonna add this to an archive.

120
00:06:06,900 --> 00:06:10,093
I'm gonna right-click it, and compress,

121
00:06:11,460 --> 00:06:14,913
and we'll just add this to an archive called gtrjpg.

122
00:06:16,570 --> 00:06:19,180
And we have our archive here.

123
00:06:19,180 --> 00:06:21,720
This way, when the file is downloaded,

124
00:06:21,720 --> 00:06:24,793
the browser will not replace the right to left override.

125
00:06:26,110 --> 00:06:27,350
We're all done now.

126
00:06:27,350 --> 00:06:28,533
I'm gonna copy this,

127
00:06:29,930 --> 00:06:31,683
paste it in my evil files,

128
00:06:34,260 --> 00:06:36,110
and then we're gonna go and download it

129
00:06:36,110 --> 00:06:37,920
from the Windows machine.

130
00:06:37,920 --> 00:06:39,780
Now, I'm, actually, already listening

131
00:06:39,780 --> 00:06:41,770
for incoming connections here.

132
00:06:41,770 --> 00:06:43,720
I've shown you how to do this before.

133
00:06:43,720 --> 00:06:46,800
If you don't remember, please go back to that lecture.

134
00:06:46,800 --> 00:06:49,020
I'm gonna go to the Windows machine,

135
00:06:49,020 --> 00:06:50,963
I'm gonna go on my Firefox,

136
00:06:52,600 --> 00:06:54,040
and we're gonna download the file,

137
00:06:54,040 --> 00:06:59,040
which is at HTTP 10.20.14.213,

138
00:06:59,340 --> 00:07:03,943
and the filename is gtrexe.zip.

139
00:07:06,750 --> 00:07:07,893
I'm gonna save this.

140
00:07:09,820 --> 00:07:13,100
And in here, in our downloads, we see the archive.

141
00:07:13,100 --> 00:07:15,583
Now we're just gonna uncompress it here.

142
00:07:19,090 --> 00:07:22,890
As you can see now, if you compare this file to this one,

143
00:07:22,890 --> 00:07:26,310
you'll see that this one has an exe format,

144
00:07:26,310 --> 00:07:29,260
this one has a .jpg format.

145
00:07:29,260 --> 00:07:31,290
It has an image icon,

146
00:07:31,290 --> 00:07:32,933
and if we double-click it,

147
00:07:34,004 --> 00:07:36,750
it'll, actually, show us an image, as you can see.

148
00:07:36,750 --> 00:07:38,010
But, at the same time,

149
00:07:38,010 --> 00:07:41,090
it's gonna execute my backdoor in the background.

150
00:07:41,090 --> 00:07:43,240
If I go to the Kali machine,

151
00:07:43,240 --> 00:07:46,800
you'll see that I get a session from that computer.

152
00:07:46,800 --> 00:07:49,573
And just to confirm this, I'm gonna do sysinfo.

153
00:07:50,930 --> 00:07:53,730
As you can see, now I'm inside that computer

154
00:07:53,730 --> 00:07:55,863
and I have full control over it.

155
00:07:56,770 --> 00:07:59,370
We managed to do this using a file that looks

156
00:07:59,370 --> 00:08:02,630
and functions exactly like an image.

157
00:08:02,630 --> 00:08:04,670
And just like I said before,

158
00:08:04,670 --> 00:08:07,410
this method can be used to make the file

159
00:08:07,410 --> 00:08:09,570
look like any other file type,

160
00:08:09,570 --> 00:08:11,700
so you don't have to make it look like an image.

161
00:08:11,700 --> 00:08:14,610
You can use this method to make it look like a PDF,

162
00:08:14,610 --> 00:08:18,230
a song, a video, or anything that you want at all.

163
00:08:18,230 --> 00:08:20,820
You can use the download and execute payload

164
00:08:20,820 --> 00:08:23,390
to combine the backdoor with any file,

165
00:08:23,390 --> 00:08:26,760
and then use this method to change the file extension

166
00:08:26,760 --> 00:08:28,593
to any file extension you want.