1
00:00:00,090 --> 00:00:07,080
Before we can start the cool exploitation phase, we have to first define a couple of things.
2
00:00:07,170 --> 00:00:11,400
So we're going to quickly define the different shell types we're going to see, and then we're going to define
3
00:00:11,400 --> 00:00:12,600
different types of payloads.
4
00:00:12,600 --> 00:00:13,760
We're gonna see.
5
00:00:13,800 --> 00:00:15,840
So let's first start with the shells.
6
00:00:15,990 --> 00:00:21,440
The most common shell you're going to see is what is called a reverse shell.
7
00:00:21,450 --> 00:00:28,620
Now in this example it is using a tool called Netcat, which you're going to see here shortly, and a shell,
8
00:00:28,650 --> 00:00:31,730
all a shell is, is access to a machine.
9
00:00:31,740 --> 00:00:35,530
So when we say we pop a shell that means we get access to a machine.
10
00:00:35,580 --> 00:00:41,040
Now a reverse shell means that a victim connects to us.
11
00:00:41,100 --> 00:00:46,980
Here you see it says target connecting to attack box, and you may get asked this question about shells
12
00:00:47,010 --> 00:00:48,100
in an interview.
13
00:00:48,150 --> 00:00:49,170
What is a reverse shell?
14
00:00:49,170 --> 00:00:50,460
What is a bind shell?
15
00:00:50,520 --> 00:00:52,090
So a reverse shell means, again:
16
00:00:52,110 --> 00:00:53,840
A victim connects to us.
17
00:00:53,850 --> 00:00:58,440
You see that it says target is connecting, attack box is listening.
18
00:00:58,440 --> 00:01:03,860
So what's happening here is that on the attack box you can see that we have Netcat.
19
00:01:03,870 --> 00:01:12,230
This is nc, and we're just listening on a port here. -lvp means listen, verbose, port, so we're listening
20
00:01:12,240 --> 00:01:14,280
on port 4444.
21
00:01:14,280 --> 00:01:19,950
That means on our machine we're opening up that port. When we use Netcat on this machine,
22
00:01:20,050 --> 00:01:25,120
It's going to say, hey Netcat, I want to connect to this IP address here.
23
00:01:25,360 --> 00:01:28,730
I want to connect to it on port 4444.
24
00:01:28,840 --> 00:01:35,950
And when I do that I'm going to establish this /bin/sh here, so I'm going to execute /bin/sh, which is
25
00:01:35,950 --> 00:01:36,910
a Linux machine.
26
00:01:36,910 --> 00:01:40,800
If this was Windows it would be cmd.exe.
27
00:01:41,080 --> 00:01:45,790
So what we're going to do is we're gonna say, hey, let's connect over here, and this is going to connect.
28
00:01:45,910 --> 00:01:51,790
So all we're going to do with a reverse shell is we're going to listen. Now with the bind shell it's a little
29
00:01:51,790 --> 00:01:53,200
bit different.
30
00:01:53,320 --> 00:01:57,070
We have our attack box and then our target.
31
00:01:57,100 --> 00:02:03,020
So with the bind shell we actually open up a port on the machine then we connect to it.
32
00:02:03,100 --> 00:02:09,580
So we fire off an exploit, that exploit goes in and it opens up a port, and then it's listening for
33
00:02:09,580 --> 00:02:10,260
us to connect.
34
00:02:10,300 --> 00:02:16,330
When we connect on that specific port to that specific machine with Netcat, then we're gonna go ahead
35
00:02:16,360 --> 00:02:17,370
and get that shell.
36
00:02:17,380 --> 00:02:22,480
And on this side it's going to execute for us that /bin/sh.
37
00:02:22,480 --> 00:02:23,410
Now if we go back.
38
00:02:23,440 --> 00:02:25,100
Same thing here.
39
00:02:25,150 --> 00:02:32,230
We're going to send some sort of exploit that's going to talk back and say, hey, I want to, when you exploit
40
00:02:32,230 --> 00:02:36,070
this, go ahead and just connect to 4444 on this machine.
41
00:02:36,070 --> 00:02:42,340
Now this is going to come together very clearly when we get into our exploit development part here in
42
00:02:42,340 --> 00:02:43,500
just a little bit.
43
00:02:43,600 --> 00:02:49,180
But all you need to know right now is that a reverse shell means the target connects to us, a bind
44
00:02:49,180 --> 00:02:51,580
shell means we connect to the target.
45
00:02:51,580 --> 00:02:55,620
Now a little bit more about reverse shells: you're going to use reverse shells
46
00:02:55,630 --> 00:03:01,980
ninety-five percent of the time. There are instances where you're going to use bind shells. Bind shells
47
00:03:01,980 --> 00:03:05,520
most likely are going to be on an external assessment.
48
00:03:05,610 --> 00:03:11,790
If you think about it, with a reverse shell you're sitting in your home network and you are sitting on a VM,
49
00:03:12,030 --> 00:03:16,040
and that VM is using an internal IP address, is talking out through NAT.
50
00:03:16,200 --> 00:03:19,850
It's going through your public IP address and you're attacking a target.
51
00:03:20,340 --> 00:03:27,870
Well, how are you going to connect that public IP address of the target back to yourself on an internal
52
00:03:27,870 --> 00:03:28,740
IP?
53
00:03:28,800 --> 00:03:34,800
You're going to have to set a port forward or port trigger on your firewall to talk into that specific
54
00:03:34,800 --> 00:03:36,030
machine.
55
00:03:36,060 --> 00:03:40,290
It's a little bit of extra work, you're opening some stuff up on your side.
56
00:03:40,290 --> 00:03:47,790
The other idea is to say, hey, bind shell, why don't I just go ahead and open a port up on that target,
57
00:03:47,790 --> 00:03:51,860
I'll NAT my way through my public IP address and I'll just connect to that port.
58
00:03:52,020 --> 00:03:55,950
It doesn't care what IP address you're coming from, it's just listening.
59
00:03:56,010 --> 00:04:00,060
So we can come from any IP address and connect to that port on that machine.
60
00:04:00,060 --> 00:04:04,950
So this is where bind shells are useful, when we have to bypass some sort of firewall, or it just makes
61
00:04:04,950 --> 00:04:08,400
sense. Sometimes a reverse shell just doesn't work,
62
00:04:08,400 --> 00:04:10,620
And we have to use a bind shell anyway.
63
00:04:10,620 --> 00:04:14,120
So we have to think about the connection and how it's getting to and from us.
64
00:04:14,250 --> 00:04:18,930
Most of the time, especially because you're going to practice a lot in labs and you're going to do internal
65
00:04:18,930 --> 00:04:20,580
assessments as well.
66
00:04:20,670 --> 00:04:26,100
Most of your shells are going to come in the form of a reverse shell; however, bind shells do exist and
67
00:04:26,100 --> 00:04:27,850
you should know what they are as well.
68
00:04:27,870 --> 00:04:30,840
And again for an interview you should know the difference.
69
00:04:30,840 --> 00:04:37,320
So before we finish here, let's go ahead and take a look at what these look like, and I'm going to log
70
00:04:37,320 --> 00:04:44,060
back into my machine, and I've got two things open here, I've got one into.
71
00:04:44,070 --> 00:04:50,130
We're going to play victim and we're going to play target, right, or attacker.
72
00:04:50,130 --> 00:04:56,010
So on the attacker, if we have a reverse shell, we're going to say, Netcat, I want to listen, and I like
73
00:04:56,010 --> 00:04:59,980
to do -nvlp, but you can do -lvp as well.
74
00:04:59,980 --> 00:05:01,280
The -lp, it doesn't matter what order.
75
00:05:01,290 --> 00:05:04,460
I just do the -nvlp and all fours.
76
00:05:04,470 --> 00:05:08,720
So now we're listening on any, on all fours, right.
77
00:05:09,620 --> 00:05:16,430
So here we're gonna say, on the victim's screen, we're gonna say, hey Netcat, I want to connect, and this
78
00:05:16,430 --> 00:05:20,200
is a self-connection, but still, I want to connect to the victim machine.
79
00:05:20,420 --> 00:05:26,240
I want to connect to my attacker from the victim machine, and our attacker's IP address is one thirty
80
00:05:26,240 --> 00:05:32,030
nine. They've got 4444 open, let's establish that connection, and we're going to offer them
81
00:05:32,030 --> 00:05:36,820
/bin/bash, and we'll do it, and here's that connection.
82
00:05:36,920 --> 00:05:38,170
So this is a reverse shell.
83
00:05:38,210 --> 00:05:42,940
We were listening as the attacker, and then the victim connected to us, and then we could say something
84
00:05:42,940 --> 00:05:43,940
like whoami.
85
00:05:43,940 --> 00:05:50,600
And you could see root, and then hostname, kali, and we have a connection and we offered up that bin
86
00:05:50,600 --> 00:05:51,710
bash here.
87
00:05:51,740 --> 00:05:53,070
So that works.
88
00:05:53,090 --> 00:05:57,150
So that is an example of a reverse shell.
89
00:05:57,170 --> 00:05:59,530
So I'll control-C this connection, kill it.
90
00:05:59,570 --> 00:06:01,400
It dies over here.
91
00:06:01,400 --> 00:06:04,790
Now let's say we wanted to flip the script, and we want a bind shell.
92
00:06:05,150 --> 00:06:08,190
Well, now guess who needs to be listening?
93
00:06:08,480 --> 00:06:15,590
Now in this instance we're gonna be listening and we're going to be offering up the /bin/bash, because
94
00:06:15,590 --> 00:06:16,510
we are the victim.
95
00:06:17,350 --> 00:06:17,770
OK.
96
00:06:17,780 --> 00:06:22,870
So we still have to offer up whatever command line we are going to have here.
97
00:06:22,940 --> 00:06:29,270
Now all we have to do as the attacker is connect to our victim
98
00:06:32,060 --> 00:06:33,230
and we have the same connection.
99
00:06:33,230 --> 00:06:39,280
You see the connection happens here, whoami, root, hostname, kali.
100
00:06:39,470 --> 00:06:46,430
So that is the difference between a bind shell and a reverse shell. Remember, reverse shells are most
101
00:06:46,430 --> 00:06:48,770
commonly used, but bind shells are important.
102
00:06:48,770 --> 00:06:54,200
Again, just to hammer it home, reverse shell means the victim connects to us, bind shell means we connect
103
00:06:54,200 --> 00:06:55,340
to a victim.
104
00:06:55,340 --> 00:06:59,420
So I'll catch you over in the next video when we talk about staged versus non-staged payloads.