1
00:00:01,891 --> 00:00:03,060
<v Instructor>In all of the scenarios</v>

2
00:00:03,060 --> 00:00:04,980
and videos we've done so far,

3
00:00:04,980 --> 00:00:07,990
we would lose our connection to the target computer

4
00:00:07,990 --> 00:00:11,190
as soon as the target person restarts their computer

5
00:00:11,190 --> 00:00:13,840
because we used a normal backdoor.

6
00:00:13,840 --> 00:00:15,660
Once they restart their computer,

7
00:00:15,660 --> 00:00:17,570
our backdoor will be terminated,

8
00:00:17,570 --> 00:00:19,170
the process will be terminated,

9
00:00:19,170 --> 00:00:21,420
and we'll lose the connection.

10
00:00:21,420 --> 00:00:24,200
In today's lecture, we're going to talk about methods

11
00:00:24,200 --> 00:00:26,670
that will allow us to maintain our access

12
00:00:26,670 --> 00:00:28,420
to the target computer

13
00:00:28,420 --> 00:00:30,560
so that we can come back at any time

14
00:00:30,560 --> 00:00:34,333
and regain our full control over that computer.

15
00:00:35,400 --> 00:00:37,460
There's a number of methods to do that.

16
00:00:37,460 --> 00:00:39,873
The first one is using Veil-Evasion.

17
00:00:40,950 --> 00:00:43,090
We can use, instead of the normal backdoor,

18
00:00:43,090 --> 00:00:45,410
the HTTP backdoor that we created.

19
00:00:45,410 --> 00:00:48,943
You can use an HTTP service or a TCP service.

20
00:00:50,090 --> 00:00:51,950
I'll actually show you here.

21
00:00:51,950 --> 00:00:53,300
If I just run Veil-Evasion,

22
00:00:55,650 --> 00:00:57,203
and do a list,

23
00:00:58,460 --> 00:01:02,680
you see that we have, at number seven right here

24
00:01:03,950 --> 00:01:05,550
and at number five,

25
00:01:05,550 --> 00:01:07,420
we have service backdoors.

26
00:01:07,420 --> 00:01:09,070
You can use any of them.

27
00:01:09,070 --> 00:01:10,990
If I do use five,

28
00:01:10,990 --> 00:01:12,130
and we can see the info,

29
00:01:12,130 --> 00:01:13,983
all you have to do is just set up your lhost.

30
00:01:13,983 --> 00:01:17,050
Put the lhost and then generate the backdoor.

31
00:01:17,050 --> 00:01:18,810
Once you generate it, you can use it

32
00:01:18,810 --> 00:01:20,400
and combine it with other stuff

33
00:01:20,400 --> 00:01:22,820
and send it to the target person like we did,

34
00:01:22,820 --> 00:01:24,240
or you can upload it

35
00:01:24,240 --> 00:01:26,240
using the upload command that we learned,

36
00:01:26,240 --> 00:01:28,010
and then execute it.

37
00:01:28,010 --> 00:01:30,520
And that will install the backdoor as a service

38
00:01:30,520 --> 00:01:32,540
on the target computer.

39
00:01:32,540 --> 00:01:35,360
Then all you need to do is use the multi/handler,

40
00:01:35,360 --> 00:01:37,830
and any time their target computer starts

41
00:01:37,830 --> 00:01:40,730
it'll try to connect back to you

42
00:01:40,730 --> 00:01:42,773
because this is a reverse shell.

43
00:01:46,430 --> 00:01:48,020
Now, I'm not gonna be explaining this method

44
00:01:48,020 --> 00:01:50,850
because this method is very simple.

45
00:01:50,850 --> 00:01:52,810
We've done something very similar to it before.

46
00:01:52,810 --> 00:01:55,040
We created a backdoor using Veil-Evasion

47
00:01:55,040 --> 00:01:57,460
and we uploaded stuff to the target computer.

48
00:01:57,460 --> 00:01:58,960
All you have to do is create a backdoor,

49
00:01:58,960 --> 00:02:01,530
upload it, execute it, and you're done.

50
00:02:01,530 --> 00:02:03,130
Also, it doesn't always work,

51
00:02:03,130 --> 00:02:05,400
so that's why I'm not gonna be explaining it.

52
00:02:05,400 --> 00:02:07,890
The normal backdoors are much more reliable;

53
00:02:07,890 --> 00:02:11,720
that's why I used a normal backdoor

54
00:02:11,720 --> 00:02:13,380
when I was combining it with stuff

55
00:02:13,380 --> 00:02:15,413
and changing its icon and all that.

56
00:02:16,780 --> 00:02:18,490
The other method is to use

57
00:02:18,490 --> 00:02:20,920
a module that comes with Meterpreter,

58
00:02:20,920 --> 00:02:23,020
which is called Persistence.

59
00:02:23,020 --> 00:02:24,730
Let me show you how you use that.

60
00:02:24,730 --> 00:02:28,160
If you wanted to use that, all you need to do is do run,

61
00:02:28,160 --> 00:02:30,420
and the name of the module is persistence,

62
00:02:30,420 --> 00:02:31,923
so we're gonna type that down.

63
00:02:34,630 --> 00:02:37,700
Then I'm gonna put minus H to see the help menu

64
00:02:37,700 --> 00:02:40,003
to show me all the options that I can set up.

65
00:02:41,640 --> 00:02:44,510
You can use the A to start a

66
00:02:45,460 --> 00:02:46,890
multi/handler (mumbles).

67
00:02:46,890 --> 00:02:49,090
You don't really need to do that.

68
00:02:49,090 --> 00:02:50,910
You don't really need to change the location

69
00:02:50,910 --> 00:02:52,760
where the backdoor will be installed.

70
00:02:54,541 --> 00:02:58,170
The minus P option will specify the payload.

71
00:02:58,170 --> 00:03:00,100
Again, windows/meterpreter/reverse_tcp

72
00:03:00,100 --> 00:03:01,160
is a really good payload,

73
00:03:01,160 --> 00:03:03,820
so you don't really need to mess with that.

74
00:03:03,820 --> 00:03:07,630
S is to get it to start using system privileges.

75
00:03:07,630 --> 00:03:10,070
Now, as you've seen before, we don't have system privileges,

76
00:03:10,070 --> 00:03:12,120
we have normal user privileges.

77
00:03:12,120 --> 00:03:14,573
So, what you should be using is minus U.

78
00:03:16,000 --> 00:03:19,860
Then you can use the minus i to set up

79
00:03:19,860 --> 00:03:21,290
the amount of time

80
00:03:21,290 --> 00:03:24,200
that the backdoor will try to connect back to you.

81
00:03:24,200 --> 00:03:25,860
It'll try to connect every 10 seconds,

82
00:03:25,860 --> 00:03:27,700
or 20 seconds, or 15 seconds,

83
00:03:27,700 --> 00:03:29,093
whatever you specify.

84
00:03:30,390 --> 00:03:32,310
p to specify the port,

85
00:03:32,310 --> 00:03:37,040
and r to specify your computer, the IP of your computer.

86
00:03:37,040 --> 00:03:39,370
To run this, all you have to do is just do run

87
00:03:40,710 --> 00:03:41,683
persistence,

88
00:03:43,860 --> 00:03:47,070
use minus U to start it under user privileges.

89
00:03:47,070 --> 00:03:52,070
I'd use the interval; I'd probably put it to 20 seconds.

90
00:03:52,240 --> 00:03:55,400
It'll try to connect back to me every 20 seconds.

91
00:03:55,400 --> 00:03:59,910
Then I use the minus p, and I'll probably put 80

92
00:03:59,910 --> 00:04:03,170
because, as I said, port 80 doesn't look suspicious.

93
00:04:03,170 --> 00:04:04,370
The target person will see

94
00:04:04,370 --> 00:04:07,160
that our connection's trying to come out at port 80,

95
00:04:07,160 --> 00:04:10,090
which is cool, it's not really suspicious.

96
00:04:10,090 --> 00:04:13,890
Then I'd use minus r to specify my IP,

97
00:04:13,890 --> 00:04:17,107
which is 10.20.14.203.

98
00:04:18,570 --> 00:04:19,403
Very simple.

99
00:04:19,403 --> 00:04:22,040
Persistence is the module that you're gonna be using,

100
00:04:22,040 --> 00:04:25,720
U to run it under user privileges,

101
00:04:25,720 --> 00:04:27,180
i, the amount of seconds

102
00:04:27,180 --> 00:04:30,430
for each time it tries to connect to you,

103
00:04:30,430 --> 00:04:33,660
p to specify the port that you'll be listening on,

104
00:04:33,660 --> 00:04:38,480
and r to specify your IP.

105
00:04:38,480 --> 00:04:40,280
Now, obviously, once you run this,

106
00:04:40,280 --> 00:04:42,110
if you want to receive a connection,

107
00:04:42,110 --> 00:04:44,130
you have to start multi/handler

108
00:04:44,130 --> 00:04:46,630
on port 80 or on the selected port

109
00:04:46,630 --> 00:04:48,393
using the selected payload.

110
00:04:49,920 --> 00:04:51,500
The problem with this method is that

111
00:04:51,500 --> 00:04:53,970
it's detectable by antivirus programs.

112
00:04:53,970 --> 00:04:56,094
Therefore, I'm not gonna be explaining (audio cuts off).

113
00:04:56,094 --> 00:04:57,320
I'm gonna be explaining

114
00:04:57,320 --> 00:04:59,790
is a combination of both of these methods

115
00:04:59,790 --> 00:05:02,470
which will not be detectable by antiviruses

116
00:05:02,470 --> 00:05:04,820
and it's much more robust

117
00:05:04,820 --> 00:05:07,033
than the first method using Veil-Evasion.