1
00:00:00,280 --> 00:00:05,560
Okay, we are now going live. And
2
00:00:05,560 --> 00:00:08,800
today it's not just a test stream. It's
3
00:00:08,800 --> 00:00:10,320
a stream where we're going to do
4
00:00:10,320 --> 00:00:12,960
something more practical, I guess. And
5
00:00:12,960 --> 00:00:15,519
that is to write a bunch of uh payloads and
6
00:00:15,519 --> 00:00:18,240
see. So, I want to test my system, how
7
00:00:18,240 --> 00:00:21,400
it behaves, uh how does it work, and so
8
00:00:21,400 --> 00:00:23,680
on. And yeah, I think we're going to
9
00:00:23,680 --> 00:00:25,880
have a little bit of fun.
10
00:00:25,880 --> 00:00:28,480
Now, first I want to make sure that all
11
00:00:28,480 --> 00:00:31,439
my adapters are the same. So, as you can
12
00:00:31,439 --> 00:00:34,960
see, we have bridged adapter here. Bridge
13
00:00:34,960 --> 00:00:39,280
to specific name, which is uh W1 because
14
00:00:39,280 --> 00:00:41,840
I'm connected to the Wi-Fi. And
15
00:00:41,840 --> 00:00:43,280
essentially, we're going to need this to
16
00:00:43,280 --> 00:00:45,040
be bridged for both of the VMs,
17
00:00:45,040 --> 00:00:47,200
otherwise they will not be able to to
18
00:00:47,200 --> 00:00:50,719
talk to each other and pretty much uh do
19
00:00:50,719 --> 00:00:53,680
anything, right? So now we're going to
20
00:00:53,680 --> 00:00:55,879
open the
21
00:00:55,879 --> 00:00:58,079
Kali VM which we're going to actually use
22
00:00:58,079 --> 00:01:01,239
as a server. So I would not need that to
23
00:01:01,239 --> 00:01:05,240
be full screen but rather that. Yeah,
24
00:01:05,240 --> 00:01:09,760
exactly. Uh here if you find any issues
25
00:01:09,760 --> 00:01:13,200
at some point uh I'm also doing that on
26
00:01:13,200 --> 00:01:16,479
Discord my server. So make sure to join.
27
00:01:16,479 --> 00:01:18,000
Uh if you find any issues with the
28
00:01:18,000 --> 00:01:20,439
stream just make sure to hit me up.
29
00:01:20,439 --> 00:01:23,280
Yeah. So, I'm going to move that to here
30
00:01:23,280 --> 00:01:26,280
and that to there and that to here.
31
00:01:26,280 --> 00:01:29,400
Okay. What happened
32
00:01:29,400 --> 00:01:31,400
now?
33
00:01:31,400 --> 00:01:34,720
Okay. Okay. Now, I want to be that
34
00:01:34,720 --> 00:01:37,400
window to be here. That to be
35
00:01:37,400 --> 00:01:39,799
here.
36
00:01:39,799 --> 00:01:42,200
Now
37
00:01:42,200 --> 00:01:46,000
that. And here is the Kali. And here is
38
00:01:46,000 --> 00:01:48,119
going to
39
00:01:48,119 --> 00:01:51,439
be the windows. Come on.
40
00:01:51,439 --> 00:01:54,159
Yeah, there it is. And here is going to
41
00:01:54,159 --> 00:01:55,880
be the Windows
42
00:01:55,880 --> 00:01:58,240
VM. Again, I don't want I don't want
43
00:01:58,240 --> 00:02:02,040
full screen. That's fine. So, I
44
00:02:02,040 --> 00:02:06,200
can switch easily with from VMs and so
45
00:02:06,200 --> 00:02:10,120
on. Yeah, there it is. Boom. Boom. Boom.
46
00:02:10,120 --> 00:02:12,640
Boom. Okay, I think we can do something
47
00:02:12,640 --> 00:02:13,480
like
48
00:02:13,480 --> 00:02:18,599
that. Can we resize the window?
49
00:02:22,280 --> 00:02:25,480
Nope. Why that happens
50
00:02:25,480 --> 00:02:29,879
now? Is it because I deleted the ISO
51
00:02:29,879 --> 00:02:34,000
file? I think that's highly
52
00:02:38,760 --> 00:02:42,239
possible H. Even though the copy paste
53
00:02:42,239 --> 00:02:44,000
works. Oh, there it is. Okay. It needed
54
00:02:44,000 --> 00:02:46,160
some time. It needed some time. Okay,
55
00:02:46,160 --> 00:02:50,000
perfect. Uh
56
00:02:51,400 --> 00:02:53,680
here I did not change the default
57
00:02:53,680 --> 00:02:57,599
password so far. Ah I don't like
58
00:02:59,400 --> 00:03:02,959
that. There it is. See the wallpaper.
59
00:03:02,959 --> 00:03:05,120
The new kind wallpapers are nice chat. I
60
00:03:05,120 --> 00:03:06,560
really like them. What do you think
61
00:03:06,560 --> 00:03:09,680
about it? I enjoy them so much.
62
00:03:09,680 --> 00:03:13,519
Especially that one. Okay. So here we're
63
00:03:13,519 --> 00:03:16,159
going to use Kali for our infrastructure.
64
00:03:16,159 --> 00:03:17,920
We're going to host things on it because
65
00:03:17,920 --> 00:03:21,360
right now it's uh empty. Nothing's
66
00:03:21,360 --> 00:03:24,640
there. So, first I'm going to do passwd
67
00:03:24,640 --> 00:03:26,680
to change my
68
00:03:26,680 --> 00:03:29,680
password.
69
00:03:34,280 --> 00:03:37,680
Okay. Yeah.
70
00:03:39,720 --> 00:03:42,120
Okay.
71
00:03:42,120 --> 00:03:45,280
Okay. I think everything is fine now. If
72
00:03:45,280 --> 00:03:46,640
you experience any, you should just let
73
00:03:46,640 --> 00:03:48,360
me know.
74
00:03:48,360 --> 00:03:52,560
Okay. Uh, now what we want to install is
75
00:03:52,560 --> 00:03:55,599
generally I think Mythic should be fine.
76
00:03:55,599 --> 00:03:57,360
Yeah, I think Mythic should be fine. I'm
77
00:03:57,360 --> 00:03:58,360
going to also
78
00:03:58,360 --> 00:04:03,519
do performance mode. Just why not? And I
79
00:04:03,519 --> 00:04:05,200
think doing Mythic should be fine. What do
80
00:04:05,200 --> 00:04:07,879
you think, chat? Mythic or
81
00:04:07,879 --> 00:04:10,480
Havoc? Let's do Mythic. I think Mythic
82
00:04:10,480 --> 00:04:13,319
is fine. I'm going to open a browser. go
83
00:04:13,319 --> 00:04:16,000
to Mythic C2 and let's set up everything
84
00:04:16,000 --> 00:04:18,479
from scratch. I think that's that can be
85
00:04:18,479 --> 00:04:21,120
super useful for the stream and to see
86
00:04:21,120 --> 00:04:22,720
how everything is be set up from the
87
00:04:22,720 --> 00:04:26,479
very very bottom zero. So usually when
88
00:04:26,479 --> 00:04:29,040
you want to install Mythic you want to
89
00:04:29,040 --> 00:04:32,479
obviously clone the repo or sudo git clone
90
00:04:32,479 --> 00:04:35,639
and paste. Now I'm going to
91
00:04:35,639 --> 00:04:39,400
use opt as a folder but
92
00:04:39,400 --> 00:04:42,800
uh it's not 100% needed. So, I don't
93
00:04:42,800 --> 00:04:46,520
mind if uh if the opt is not is not the
94
00:04:46,520 --> 00:04:49,280
option. It's it's definitely no problem
95
00:04:49,280 --> 00:04:51,400
at
96
00:04:51,400 --> 00:04:54,160
all. On the Windows side, I think on the
97
00:04:54,160 --> 00:04:56,000
Windows, we're good because in the
98
00:04:56,000 --> 00:04:59,360
Windows, we have Visual Studio. Uh I
99
00:04:59,360 --> 00:05:01,600
think yeah, we have So, with Visual
100
00:05:01,600 --> 00:05:03,280
Studio up and running, I don't think
101
00:05:03,280 --> 00:05:06,199
we're going to need anything else beside
102
00:05:06,199 --> 00:05:10,520
that. So, we can code on VS. We
103
00:05:10,520 --> 00:05:13,600
can pretty much do anything. We have C.
104
00:05:13,600 --> 00:05:16,800
I think we have C. Let's see. We have C.
105
00:05:16,800 --> 00:05:18,199
Let's
106
00:05:18,199 --> 00:05:22,520
see. Okay. Console app. That's C sharp.
107
00:05:22,520 --> 00:05:25,919
Uh console
108
00:05:26,600 --> 00:05:29,759
app. That's a post. Yeah, there it is.
109
00:05:29,759 --> 00:05:32,320
There it is. We good. We fine, chat. We
110
00:05:32,320 --> 00:05:37,759
good. Okay, let's go back now from here.
111
00:05:37,759 --> 00:05:40,120
Let me check the
112
00:05:40,120 --> 00:05:45,720
pan. Okay, good. Now from
113
00:05:45,720 --> 00:05:48,960
there, yeah, we need make. Uh, do we
114
00:05:48,960 --> 00:05:52,720
have GCC? No. Yep, we have also make,
115
00:05:52,720 --> 00:05:54,800
which is fine. So, we're going to go to
116
00:05:54,800 --> 00:05:57,400
Mythic. And now here do
117
00:05:57,400 --> 00:06:03,039
sudo. Yeah, first we need to do sudo
118
00:06:05,960 --> 00:06:09,360
install docker kali and that's going to
119
00:06:09,360 --> 00:06:11,600
install docker and docker compose plugin
120
00:06:11,600 --> 00:06:14,000
because that's needed and I debug way
121
00:06:14,000 --> 00:06:16,880
too much time for uh knowing that we
122
00:06:16,880 --> 00:06:20,240
would need not only docker but uh docker
123
00:06:20,240 --> 00:06:22,759
compose also. So that's
124
00:06:22,759 --> 00:06:25,919
that's pretty much important on the
125
00:06:25,919 --> 00:06:27,440
windows. I don't think anything else
126
00:06:27,440 --> 00:06:29,680
we're going to need. So that's fine. So
127
00:06:29,680 --> 00:06:31,479
don't mind
128
00:06:31,479 --> 00:06:34,639
that here. Okay. If you have questions
129
00:06:34,639 --> 00:06:36,800
in the meanwhile, you can do it in the
130
00:06:36,800 --> 00:06:40,880
chat or hope that hop into the 20
131
00:06:40,880 --> 00:06:43,039
discord and ask it there. So that's
132
00:06:43,039 --> 00:06:46,400
that's the options. Yeah. So uh here
133
00:06:46,400 --> 00:06:48,280
we're going to looks like
134
00:06:48,280 --> 00:06:51,960
the update is now fixed
135
00:06:51,960 --> 00:06:55,120
because at the pa in the past this file
136
00:06:55,120 --> 00:06:58,080
was not working because I spoke with the
137
00:06:58,080 --> 00:07:01,199
Mythic creator one of them and uh he
138
00:07:01,199 --> 00:07:02,919
mentioned that it's
139
00:07:02,919 --> 00:07:05,919
actually Kali sometimes bug things out and
140
00:07:05,919 --> 00:07:07,840
they place a little bit a bunch of
141
00:07:07,840 --> 00:07:10,800
packages so docker compose was not
142
00:07:10,800 --> 00:07:12,000
available at the time and you need to do
143
00:07:12,000 --> 00:07:13,840
some kind of a tweaks to get it but now
144
00:07:13,840 --> 00:07:16,319
I think it's So what we can do now is do
145
00:07:16,319 --> 00:07:20,240
sudo make and when doing sudo make it's
146
00:07:20,240 --> 00:07:22,479
going to pull everything and at the end
147
00:07:22,479 --> 00:07:26,080
we're going to have that uh Mythic thing
148
00:07:26,080 --> 00:07:28,800
where we can engage with Mythic. So we can
149
00:07:28,800 --> 00:07:33,160
do sudo and then do mythic-cli and it's
150
00:07:33,160 --> 00:07:36,160
fine. Now here we're going to need to to
151
00:07:36,160 --> 00:07:40,199
add C2 profiles. So, Mythic C2
152
00:07:40,199 --> 00:07:43,759
profiles and this is pretty much how we
153
00:07:43,759 --> 00:07:47,360
want to communicate with Mythic. Yeah,
154
00:07:47,360 --> 00:07:48,960
there's a bunch of documentation that's
155
00:07:48,960 --> 00:07:51,520
why I like so much Mythic and not only for
156
00:07:51,520 --> 00:07:54,000
that but uh that's one of the reasons.
157
00:07:54,000 --> 00:07:55,599
So, there's a good documentation that
158
00:07:55,599 --> 00:07:57,840
can help you with most of the stuff and
159
00:07:57,840 --> 00:08:00,879
here we can choose what type of
160
00:08:00,879 --> 00:08:04,000
connection we would need for the Mythic C2. So
161
00:08:04,000 --> 00:08:06,879
when we start the agent from the Windows
162
00:08:06,879 --> 00:08:09,039
VM as soon as we start the agent here,
163
00:08:09,039 --> 00:08:11,360
how that agent is going to communicate
164
00:08:11,360 --> 00:08:15,520
with uh the via which protocol. Now
165
00:08:15,520 --> 00:08:18,800
usually I enjoy this Discord so much. We
166
00:08:18,800 --> 00:08:21,039
also did a workshop on in Sofia for
167
00:08:21,039 --> 00:08:24,520
BSides and I showcase how OP that is
168
00:08:24,520 --> 00:08:27,919
and it's super hard to be traced because
169
00:08:27,919 --> 00:08:29,759
this Discord is doing its own load
170
00:08:29,759 --> 00:08:31,759
balancing and things like that. So if
171
00:08:31,759 --> 00:08:33,919
you have discord allowed in your
172
00:08:33,919 --> 00:08:36,080
environment and organization, please
173
00:08:36,080 --> 00:08:38,800
remove it. You don't need it. Trust me,
174
00:08:38,800 --> 00:08:44,360
you don't need it. Then uh I didn't try
175
00:08:44,360 --> 00:08:48,240
DNS so far. There's also GitHub, but the
176
00:08:48,240 --> 00:08:50,800
GitHub and the Yeah. And the Discord are
177
00:08:50,800 --> 00:08:53,920
only for Athena. And now I don't think
178
00:08:53,920 --> 00:08:56,440
we we want Athena because Athena is
179
00:08:56,440 --> 00:08:59,760
generally .NET Core based and I think the
180
00:08:59,760 --> 00:09:01,360
whole execution part will be a little
181
00:09:01,360 --> 00:09:03,279
bit more complex there. So we want
182
00:09:03,279 --> 00:09:06,800
something like Apollo for now and let's
183
00:09:06,800 --> 00:09:11,360
go for the raw play good http. So copy
184
00:09:11,360 --> 00:09:13,839
the link go to the sudo mythic-cli
185
00:09:13,839 --> 00:09:16,880
install github and just paste. That's
186
00:09:16,880 --> 00:09:20,160
going to install the http container and
187
00:09:20,160 --> 00:09:22,720
it's fine. Then we're going to also need
188
00:09:22,720 --> 00:09:25,120
to have
189
00:09:25,800 --> 00:09:28,480
the the agent which in that case is
190
00:09:28,480 --> 00:09:30,200
going to be the
191
00:09:30,200 --> 00:09:32,800
Apollo. So here we pretty much do the
192
00:09:32,800 --> 00:09:34,959
same thing and just replace the URL with
193
00:09:34,959 --> 00:09:39,279
the one with Apollo. So the
194
00:09:46,680 --> 00:09:49,320
place here we can generate a
195
00:09:49,320 --> 00:09:53,519
simple go to C++ go to next and do let's
196
00:09:53,519 --> 00:09:54,600
call
197
00:09:54,600 --> 00:09:56,600
that
198
00:09:56,600 --> 00:09:59,120
stageless let's first do stageless guys
199
00:09:59,120 --> 00:10:02,440
because I think it's more simple to do
200
00:10:02,440 --> 00:10:06,959
it. Yeah, create
201
00:10:07,959 --> 00:10:11,160
that. Okay, now
202
00:10:11,160 --> 00:10:14,000
here we have everything we need and we
203
00:10:14,000 --> 00:10:17,279
can do mythic-cli start which going to boot
204
00:10:17,279 --> 00:10:22,240
everything up. Yeah. Now generally what
205
00:10:22,240 --> 00:10:26,880
I mean by staged and stageless payload is as
206
00:10:26,880 --> 00:10:29,079
follows.
207
00:10:29,079 --> 00:10:32,480
So, where is
208
00:10:34,839 --> 00:10:36,920
that? Where is
209
00:10:36,920 --> 00:10:39,200
that? I'm going to stop my screen share
210
00:10:39,200 --> 00:10:40,440
just for a
211
00:10:40,440 --> 00:10:43,920
second. Be right
212
00:10:49,160 --> 00:10:54,880
back. Okay, we are back now.
213
00:10:54,880 --> 00:10:58,079
And uh now what I mean by stage and
214
00:10:58,079 --> 00:11:01,519
stageless now imagine the following thing
215
00:11:01,519 --> 00:11:03,720
that's the kali machine right
216
00:11:03,720 --> 00:11:07,240
here that's the Commando right
217
00:11:07,240 --> 00:11:12,480
there right now we go along that the
218
00:11:12,480 --> 00:11:15,120
payload is going to go http so the
219
00:11:15,120 --> 00:11:16,560
connection is going to become it's going
220
00:11:16,560 --> 00:11:19,120
to initiate from the Commando to the
221
00:11:19,120 --> 00:11:21,760
kali so we're going to do a reverse
222
00:11:21,760 --> 00:11:24,560
connection to the kali itself
223
00:11:24,560 --> 00:11:27,839
Okay. But uh it's going to be over HTTP.
224
00:11:27,839 --> 00:11:30,160
Okay. And now the point is if it's
225
00:11:30,160 --> 00:11:33,519
staged or stageless. In a nutshell, what
226
00:11:33,519 --> 00:11:36,640
we want to do is uh staged because
227
00:11:36,640 --> 00:11:39,600
stageless is the following. The connection
228
00:11:39,600 --> 00:11:41,200
is going to originate from a process,
229
00:11:41,200 --> 00:11:42,480
right? It's not going to come from the
230
00:11:42,480 --> 00:11:44,480
air. So the connection is going to come
231
00:11:44,480 --> 00:11:48,320
from a process. This can be a pole.
232
00:11:48,320 --> 00:11:51,320
Or it can be think something
233
00:11:51,320 --> 00:11:53,959
like maybe
234
00:11:53,959 --> 00:11:57,600
stageless.exe or DL side or anything in
235
00:11:57,600 --> 00:12:00,079
between doesn't really matter but the
236
00:12:00,079 --> 00:12:01,600
connection the connection is going to
237
00:12:01,600 --> 00:12:05,040
come from a process. So the commando or
238
00:12:05,040 --> 00:12:09,040
the victim would need to somehow start a
239
00:12:09,040 --> 00:12:11,360
process and then this process is going
240
00:12:11,360 --> 00:12:13,360
to connect directly to the Kali machine
241
00:12:13,360 --> 00:12:16,639
giving us call back and from a time
242
00:12:16,639 --> 00:12:19,079
interval depending on
243
00:12:19,079 --> 00:12:23,120
the depending on the time set then it's
244
00:12:23,120 --> 00:12:26,079
going to connect more and give us the
245
00:12:26,079 --> 00:12:28,800
call back interval in seconds and whoop
246
00:12:28,800 --> 00:12:32,480
that thing. Okay, now that's a stage
247
00:12:32,480 --> 00:12:35,839
stageless part and the thing here is that
248
00:12:35,839 --> 00:12:39,079
everything is is inside the payload
249
00:12:39,079 --> 00:12:42,279
itself. That's it. So the binary
250
00:12:42,279 --> 00:12:46,000
withdraw has the final payload. It can be
251
00:12:46,000 --> 00:12:49,600
encrypted and can be not but it has the
252
00:12:49,600 --> 00:12:52,800
full payload. So we execute the payload is
253
00:12:52,800 --> 00:12:54,720
there and we have just one connection
254
00:12:54,720 --> 00:12:57,760
which is the callback one and that's it.
255
00:12:57,760 --> 00:13:01,279
Whereas with stageless we have a
256
00:13:01,279 --> 00:13:05,279
slightly different scenario. Now here uh
257
00:13:05,279 --> 00:13:08,920
that's we mean by that to be direct
258
00:13:08,920 --> 00:13:11,519
callback. Now we have the same thing. We
259
00:13:11,519 --> 00:13:13,440
have the commando and some form for
260
00:13:13,440 --> 00:13:15,279
process because the connection must come
261
00:13:15,279 --> 00:13:19,360
from anywhere. And now the first request
262
00:13:19,360 --> 00:13:21,279
by the way first connection is not
263
00:13:21,279 --> 00:13:26,279
direct callback but we have one uh read
264
00:13:26,279 --> 00:13:28,360
the
265
00:13:28,360 --> 00:13:31,920
payload then the payload is going to be
266
00:13:31,920 --> 00:13:34,079
read from the remote server then it's
267
00:13:34,079 --> 00:13:35,760
going to be dynamically allocated into
268
00:13:35,760 --> 00:13:38,639
the memory and then we have connection
269
00:13:38,639 --> 00:13:41,639
two which is going to
270
00:13:41,639 --> 00:13:46,480
be call back. So here we have just one
271
00:13:46,480 --> 00:13:48,760
initial request which is the call back
272
00:13:48,760 --> 00:13:52,160
itself and here we have first reading
273
00:13:52,160 --> 00:13:54,639
the payload and then doing the call
274
00:13:54,639 --> 00:13:59,079
back after the payload is read. Now
275
00:13:59,079 --> 00:14:02,399
generally always always we want to do
276
00:14:02,399 --> 00:14:05,920
something like a stageless communication
277
00:14:05,920 --> 00:14:08,279
uh staged sorry because when you do
278
00:14:08,279 --> 00:14:12,399
staged then just by staging the payload
279
00:14:12,399 --> 00:14:14,560
you increase the chance reduce the
280
00:14:14,560 --> 00:14:17,760
chance of it getting discarded by a lot
281
00:14:17,760 --> 00:14:20,600
of percents. Of course, this may vary on
282
00:14:20,600 --> 00:14:24,000
uh specific vendor and specific
283
00:14:24,000 --> 00:14:26,800
environment, but generally speaking,
284
00:14:26,800 --> 00:14:30,000
staged payloads are always better than the
285
00:14:30,000 --> 00:14:34,000
stageless ones. That's always the case.
286
00:14:34,000 --> 00:14:36,959
Now, to make things first simple, I want
287
00:14:36,959 --> 00:14:39,680
to generate super simple payload. So,
288
00:14:39,680 --> 00:14:40,959
we're going to go to Kali. We're not
289
00:14:40,959 --> 00:14:43,760
going to dive into Mythic yet. So here we're
290
00:14:43,760 --> 00:14:47,120
going to do I'm going to go to desktop
291
00:14:47,120 --> 00:14:51,480
and use msfvenom. So msfvenom -p
292
00:14:51,480 --> 00:14:55,920
Windows x64 and here we have to define
293
00:14:55,920 --> 00:14:58,240
staged and stageless. So if you do
294
00:14:58,240 --> 00:15:02,440
things like let's do
295
00:15:02,440 --> 00:15:05,160
Windows actually what was
296
00:15:05,160 --> 00:15:07,720
it where was
297
00:15:07,720 --> 00:15:12,360
TCP nah Windows
298
00:15:12,360 --> 00:15:15,199
x64 what was I I I totally forgot the
299
00:15:15,199 --> 00:15:17,519
name of
300
00:15:33,279 --> 00:15:35,360
Windows. Yeah, that that that should be
301
00:15:35,360 --> 00:15:37,680
it. That should be it. Windows x64
302
00:15:37,680 --> 00:15:40,480
reverse
303
00:15:40,920 --> 00:15:44,920
TCP. Yeah.
304
00:15:52,079 --> 00:15:55,079
Oh yeah. Yeah. Windows shell reverse
305
00:15:55,079 --> 00:16:00,560
TCP. Yeah, that's it. shell_reverse_tcp.
306
00:16:00,560 --> 00:16:03,199
Yeah. So now when you do it like that
307
00:16:03,199 --> 00:16:05,360
and of course set up your options host
308
00:16:05,360 --> 00:16:09,000
to be ETA airport, let's do
309
00:16:09,000 --> 00:16:12,880
444. Yeah, why not? and format let's do
310
00:16:12,880 --> 00:16:15,800
C and output to be
311
00:16:15,800 --> 00:16:18,959
stageless.c that's how you generate a
312
00:16:18,959 --> 00:16:22,639
stageless payload in msfvenom so when you
313
00:16:22,639 --> 00:16:26,000
have the that underscore part the payload
314
00:16:26,000 --> 00:16:28,800
is stageless and as you can see 460
315
00:16:28,800 --> 00:16:32,519
bytes are allocated so I can
316
00:16:32,519 --> 00:16:35,600
cat stageless.c and as you can see that's the
317
00:16:35,600 --> 00:16:39,120
full payload so if I use that in some
318
00:16:39,120 --> 00:16:42,639
form of a shellcode execution then I
319
00:16:42,639 --> 00:16:45,360
would have I I can get the shell with
320
00:16:45,360 --> 00:16:48,079
netcat or with the MSF console because
321
00:16:48,079 --> 00:16:50,160
the full payload is there. So let me
322
00:16:50,160 --> 00:16:53,000
showcase that to you. Uh if I go
323
00:16:53,000 --> 00:16:56,720
here and do that's a stageless the same.
324
00:16:56,720 --> 00:16:59,120
Yeah the exactly the same one. We can
325
00:16:59,120 --> 00:17:01,920
first go to the solution explorer and
326
00:17:01,920 --> 00:17:04,640
make sure to rename that to C. So we
327
00:17:04,640 --> 00:17:09,839
rename stageless.cpp to stageless.c. Do it like that.
328
00:17:09,839 --> 00:17:13,199
Then on the main remove that then we
329
00:17:13,199 --> 00:17:16,480
also don't need that. Now here I can do
330
00:17:16,480 --> 00:17:19,000
include
331
00:17:19,000 --> 00:17:21,319
stdio.h
332
00:17:21,319 --> 00:17:23,319
include
333
00:17:23,319 --> 00:17:25,360
windows.h and now here define the
334
00:17:25,360 --> 00:17:29,600
payload. So paste and that's it. And
335
00:17:29,600 --> 00:17:31,960
here we can do something like
336
00:17:31,960 --> 00:17:35,080
uh how was that
337
00:17:35,080 --> 00:17:37,000
ptr
338
00:17:37,000 --> 00:17:42,320
equals VirtualAlloc let's
339
00:17:42,440 --> 00:17:47,440
do address that's going to be NULL then
340
00:17:47,440 --> 00:17:51,360
we have size we do sizeof buf then we
341
00:17:51,360 --> 00:17:54,760
have allocation type that want we want to
342
00:17:54,760 --> 00:17:59,720
be MEM_COMMIT and
343
00:17:59,720 --> 00:18:02,960
MEM_RESERVE. And we also want to have the
344
00:18:02,960 --> 00:18:04,880
protection settings which are going to
345
00:18:04,880 --> 00:18:09,440
be page and then
346
00:18:11,320 --> 00:18:14,320
uh
347
00:18:16,919 --> 00:18:19,440
PAGE_EXECUTE_READWRITE. Right? Yeah, we're going
348
00:18:19,440 --> 00:18:21,520
to do the full memory permissions. Not
349
00:18:21,520 --> 00:18:23,280
going to bother about doing object
350
00:18:23,280 --> 00:18:27,520
things. Now uh then we want to copy the
351
00:18:27,520 --> 00:18:30,799
the that payload to the memory because
352
00:18:30,799 --> 00:18:33,760
now it's just a variable in our code but
353
00:18:33,760 --> 00:18:36,160
it's not written into the memory of the
354
00:18:36,160 --> 00:18:38,640
process itself right it's just a
355
00:18:38,640 --> 00:18:41,760
variable which is a hex string and now
356
00:18:41,760 --> 00:18:43,039
we need to write that to the memory
357
00:18:43,039 --> 00:18:45,039
because we want to execute it now
358
00:18:45,039 --> 00:18:48,080
generally speaking shellcodes like that
359
00:18:48,080 --> 00:18:51,840
are machine instructions in hex so we
360
00:18:51,840 --> 00:18:53,919
have that instructions And in order for
361
00:18:53,919 --> 00:18:56,880
us to get it because that's at the end a
362
00:18:56,880 --> 00:18:59,520
machine language and for order in order
363
00:18:59,520 --> 00:19:02,400
for us to get it it's representing hex.
364
00:19:02,400 --> 00:19:05,200
So all that hex value must be written to
365
00:19:05,200 --> 00:19:07,520
the memory of the process ak of the
366
00:19:07,520 --> 00:19:10,080
machine and then it can be executed from
367
00:19:10,080 --> 00:19:12,480
there. So we can do something like memcpy
369
00:19:15,080 --> 00:19:17,240
and do things
369
00:19:15,080 --> 00:19:17,240
like
370
00:19:17,240 --> 00:19:21,039
destination. So that's going to
371
00:19:21,400 --> 00:19:23,679
be source is going to be oh yeah
372
00:19:23,679 --> 00:19:26,080
destination is going to be addr then
373
00:19:26,080 --> 00:19:29,520
the source is going to be the buf and
374
00:19:29,520 --> 00:19:31,440
then the size is going to be size of the
375
00:19:31,440 --> 00:19:35,280
buf again okay and now at the last we
376
00:19:35,280 --> 00:19:37,600
can simply execute it because we already
377
00:19:37,600 --> 00:19:39,440
have all the permissions we need and
378
00:19:39,440 --> 00:19:41,440
here we can do something like uh I don't
379
00:19:41,440 --> 00:19:46,360
remember the syntax I need to hook it up
380
00:19:47,840 --> 00:19:50,640
So, more
381
00:19:51,720 --> 00:19:54,120
development.
382
00:19:54,120 --> 00:19:57,000
Uhhuh. That
383
00:19:57,000 --> 00:20:01,440
one and that one. There's no way I'm
384
00:20:01,440 --> 00:20:03,640
getting that one
385
00:20:03,640 --> 00:20:07,280
correct. So, here. Paste. And that
386
00:20:07,280 --> 00:20:09,600
should be
387
00:20:10,679 --> 00:20:14,799
it. Okay. Now, if I compile that, let's
388
00:20:14,799 --> 00:20:16,080
see if it's first going to compile
389
00:20:16,080 --> 00:20:18,320
without a problem.
390
00:20:18,320 --> 00:20:20,799
I'm going to save, switch to release and
391
00:20:20,799 --> 00:20:23,600
compile as
392
00:20:24,039 --> 00:20:27,440
64. Okay, now I can simply try to
393
00:20:27,440 --> 00:20:32,240
execute it. Do I have Cmder? I think so.
394
00:20:32,240 --> 00:20:33,799
So, open file
395
00:20:33,799 --> 00:20:36,110
location and from here pin
396
00:20:36,110 --> 00:20:38,760
[Music]
397
00:20:38,760 --> 00:20:42,960
to taskbar and do it like that and open
398
00:20:42,960 --> 00:20:44,559
Cmder.
399
00:20:44,559 --> 00:20:45,880
There it
400
00:20:45,880 --> 00:20:48,720
is. Now I can do I can directly execute
401
00:20:48,720 --> 00:20:51,200
it like that. And now before executing
402
00:20:51,200 --> 00:20:52,400
it, I want to of course set up my
403
00:20:52,400 --> 00:20:54,760
listener. So I can do
404
00:20:54,760 --> 00:20:57,320
nc -lvp
405
00:20:57,320 --> 00:21:00,000
44 because that's the same port we
406
00:21:00,000 --> 00:21:02,320
defined in the beginning where generated
407
00:21:02,320 --> 00:21:05,919
the payload like here in this command. And
408
00:21:05,919 --> 00:21:09,960
now from there I can try to run this
409
00:21:09,960 --> 00:21:12,320
command. I have a defender on the
410
00:21:12,320 --> 00:21:14,720
commando
411
00:21:14,760 --> 00:21:19,039
here. How's that even possible,
412
00:21:21,480 --> 00:21:24,559
guys? How's that even possible, chat?
413
00:21:24,559 --> 00:21:27,919
Hey, how you doing,
414
00:21:28,679 --> 00:21:33,720
mate? Isn't that in the GP settings?
415
00:21:53,280 --> 00:21:55,919
I don't get
416
00:21:56,280 --> 00:22:00,559
it. I also don't get it. But never mind.
417
00:22:00,559 --> 00:22:03,679
Now we stopped. So I can run it. And uh
418
00:22:03,679 --> 00:22:06,000
it was detected by Defender. So I can
419
00:22:06,000 --> 00:22:09,200
compile it again. And if we run it, the
420
00:22:09,200 --> 00:22:11,440
shell hangs which is generally good.
421
00:22:11,440 --> 00:22:14,240
And here we have a call back. Now the
422
00:22:14,240 --> 00:22:16,000
reason why we have a call back and why
423
00:22:16,000 --> 00:22:20,720
we can access the commando is simply
424
00:22:21,480 --> 00:22:23,919
because we need some payload for bypass
425
00:22:23,919 --> 00:22:25,919
Windows security. Yeah. Yeah. I know. But
426
00:22:25,919 --> 00:22:28,400
now the topic is slightly different.
427
00:22:28,400 --> 00:22:30,640
That's why I'm sticking to basic. And
428
00:22:30,640 --> 00:22:33,440
now here uh the reason why that work
429
00:22:33,440 --> 00:22:36,159
with with netcat is because as mentioned
430
00:22:36,159 --> 00:22:39,600
the whole payload itself was into the
431
00:22:39,600 --> 00:22:43,679
binary. So that shellcode you saw there
432
00:22:43,679 --> 00:22:46,240
that payload that's the full payload
433
00:22:46,240 --> 00:22:49,360
that show needs the footing and now the
434
00:22:49,360 --> 00:22:51,679
footing is inside the binary. Now of
435
00:22:51,679 --> 00:22:53,120
course if you want to evade it you can
436
00:22:53,120 --> 00:22:55,679
do things like encryption and staging
437
00:22:55,679 --> 00:22:58,360
because staging is one of the most I can
438
00:22:58,360 --> 00:23:02,799
say techniques. So I enjoy staging and
439
00:23:02,799 --> 00:23:04,559
now the whole the full buffer is here.
440
00:23:04,559 --> 00:23:06,320
the full payload is there and that's why
441
00:23:06,320 --> 00:23:08,799
we can catch the shell with netcat
442
00:23:08,799 --> 00:23:10,320
because it's compatible with netcat
443
00:23:10,320 --> 00:23:11,960
first the
444
00:23:11,960 --> 00:23:15,440
whole the whole shell payload which is
445
00:23:15,440 --> 00:23:18,559
windows/x64/shell_reverse_tcp is compatible with
446
00:23:18,559 --> 00:23:22,480
netcat and it's stageless okay if we generate
447
00:23:22,480 --> 00:23:24,640
a staged payload you would not be able to
448
00:23:24,640 --> 00:23:26,880
catch with netcat because if I want to
449
00:23:26,880 --> 00:23:30,480
try to do it so here I can do shell and
450
00:23:30,480 --> 00:23:31,720
here
451
00:23:31,720 --> 00:23:36,159
do /reverse_tcp which is going to be
452
00:23:37,240 --> 00:23:39,840
staged. Now if I try the same code with
453
00:23:39,840 --> 00:23:42,320
the stage payload, it's going to fail.
454
00:23:42,320 --> 00:23:45,480
And I can try
455
00:23:45,480 --> 00:23:47,840
staged.c. I don't know why reverse shell
456
00:23:47,840 --> 00:23:50,080
is bigger. Staged is bigger than stageless,
457
00:23:50,080 --> 00:23:53,360
but I don't care. So if I paste the same
458
00:23:53,360 --> 00:23:56,720
code there the staged now and if I
459
00:23:56,720 --> 00:23:59,760
compile that and rerun the same binary
460
00:23:59,760 --> 00:24:03,440
while I have my listener running
461
00:24:03,559 --> 00:24:07,440
here now it's not going to
462
00:24:09,240 --> 00:24:11,559
work. See we have some kind of
463
00:24:11,559 --> 00:24:14,080
connection but in that case this
464
00:24:14,080 --> 00:24:17,679
connection is uh designed to read the
465
00:24:17,679 --> 00:24:19,600
binary and not to directly give us a
466
00:24:19,600 --> 00:24:22,400
shell. So it wants to see the payload as
467
00:24:22,400 --> 00:24:24,559
a result and then to execute it and give
468
00:24:24,559 --> 00:24:26,720
us a call back. And that's why in this
469
00:24:26,720 --> 00:24:29,760
case it fails. Now if we do the same
470
00:24:29,760 --> 00:24:32,640
thing via Metasploit, Metasploit would
471
00:24:32,640 --> 00:24:35,440
know how to store the payload that the
472
00:24:35,440 --> 00:24:37,760
binary needs and then if it's read it's
473
00:24:37,760 --> 00:24:40,000
going to be executed. One cool thing we
474
00:24:40,000 --> 00:24:42,799
can do one uh cool trick is to set up a
475
00:24:42,799 --> 00:24:46,559
Python server. So Python 3 minus m http
476
00:24:46,559 --> 00:24:50,480
server and 44. And now from here execute
477
00:24:50,480 --> 00:24:53,200
exactly the same uh binary and see what
478
00:24:53,200 --> 00:24:55,600
it wants for. As you can see we have
479
00:24:55,600 --> 00:24:57,480
some kind of
480
00:24:57,480 --> 00:24:59,880
a strange
481
00:24:59,880 --> 00:25:02,159
requests. It's not even a request. It's
482
00:25:02,159 --> 00:25:05,440
an exception because looks like the
483
00:25:05,440 --> 00:25:09,039
reverse TCP is not requesting the B the
484
00:25:09,039 --> 00:25:12,000
shell code from uh HTTP but rather than
485
00:25:12,000 --> 00:25:15,640
from other TCP file communication
486
00:25:15,640 --> 00:25:18,480
process. Yeah. Yeah. So it's not HTTP.
487
00:25:18,480 --> 00:25:20,000
Now in that case the only way we can
488
00:25:20,000 --> 00:25:22,640
execute that is by using MSF MSF
489
00:25:22,640 --> 00:25:26,880
console. So do MSF
490
00:25:32,200 --> 00:25:36,039
console. Now here we can specify use
491
00:25:36,039 --> 00:25:38,960
exploit multi handle because at the end
492
00:25:38,960 --> 00:25:42,679
we want to receive communication.
493
00:25:54,080 --> 00:25:57,679
Now set payload to be exactly the same.
494
00:25:57,679 --> 00:26:02,400
So Windows x64 shell slash reverse PCP.
495
00:26:02,400 --> 00:26:05,200
So remember the slash is staged whereas
496
00:26:05,200 --> 00:26:08,480
this is stageless. So that's stage one.
497
00:26:08,480 --> 00:26:11,440
And now from there do set a host to be
498
00:26:11,440 --> 00:26:15,919
T0 set port to be 444. Run that. And now
499
00:26:15,919 --> 00:26:17,679
it's going to start a TCP listener. So
500
00:26:17,679 --> 00:26:20,559
it's not HTTP but it's a TCP listener.
501
00:26:20,559 --> 00:26:22,840
As you can see, started the reverse TCP
502
00:26:22,840 --> 00:26:26,080
handler. So the payload uses some kind of a
503
00:26:26,080 --> 00:26:28,880
TCP communication to get the final bytes
504
00:26:28,880 --> 00:26:32,720
of the payload, but, uh, I was expecting it to
505
00:26:32,720 --> 00:26:35,279
be HTTP, but it's not. Never mind. Now
506
00:26:35,279 --> 00:26:39,159
when we execute it, we can first see
507
00:26:39,159 --> 00:26:43,200
that sending stage to the machine and
508
00:26:43,200 --> 00:26:47,120
then we have a session opened. So that's
509
00:26:47,120 --> 00:26:48,880
the difference between staged and
510
00:26:48,880 --> 00:26:51,600
stageless, because in the stageless we're
511
00:26:51,600 --> 00:26:54,320
going to directly get a connection back,
512
00:26:54,320 --> 00:26:57,679
whereas in the staged, the payload reaches
513
00:26:57,679 --> 00:27:01,000
out to us, we give it something
514
00:27:01,000 --> 00:27:05,440
to add extra or to complete the final
515
00:27:05,440 --> 00:27:07,600
bytes, and the final payload then gets
516
00:27:07,600 --> 00:27:10,799
allocated to memory, executed, and then, uh,
517
00:27:10,799 --> 00:27:13,679
the final payload gives us a callback,
518
00:27:13,679 --> 00:27:14,880
something, if you, if you want to
519
00:27:14,880 --> 00:27:17,200
graphically, uh, visualize it. Otherwise it
520
00:27:17,200 --> 00:27:19,360
happens something like that. So we first
521
00:27:19,360 --> 00:27:21,760
read the payload, we send the, sending
522
00:27:21,760 --> 00:27:23,960
stage, as, as
523
00:27:23,960 --> 00:27:26,760
Metasploit says, and then we have the
524
00:27:26,760 --> 00:27:30,080
callback. That's cool. But now let's do that
525
00:27:30,080 --> 00:27:32,760
a little bit more manually so we know what
526
00:27:32,760 --> 00:27:36,039
happens. And now if you go to
527
00:27:36,039 --> 00:27:37,960
offensive
528
00:27:37,960 --> 00:27:41,679
cpp in my GitHub repo, you can see
529
00:27:41,679 --> 00:27:44,559
evasion staging techniques. You can see
530
00:27:44,559 --> 00:27:46,159
a bunch of them.
531
00:27:46,159 --> 00:27:48,799
So we have ADS stage, which we're going to, which
532
00:27:48,799 --> 00:27:50,880
is going to, actually going to use, uh,
533
00:27:50,880 --> 00:27:52,640
alternate data streams, which is super
534
00:27:52,640 --> 00:27:55,600
nice and, uh, a little bit stealthier.
535
00:27:55,600 --> 00:27:58,399
Then we have, uh, three main options. We
536
00:27:58,399 --> 00:28:01,520
have local stage, which is, uh, doing a
537
00:28:01,520 --> 00:28:03,919
pretty good job. Local stage means this
538
00:28:03,919 --> 00:28:06,320
is going to be staged as in a file. So we
539
00:28:06,320 --> 00:28:07,919
need to send the payload and the local
540
00:28:07,919 --> 00:28:10,559
file, and the payload would read the bytes
541
00:28:10,559 --> 00:28:13,520
from the local file, or the payload can
542
00:28:13,520 --> 00:28:15,039
manually download the local file and
543
00:28:15,039 --> 00:28:17,799
then read the bytes from it. That's also a
544
00:28:17,799 --> 00:28:22,640
thing. Uh, then we have, uh, HTTP stage,
545
00:28:22,640 --> 00:28:25,440
which is going to use HTTP requests to
546
00:28:25,440 --> 00:28:28,279
perform the staging part via
547
00:28:28,279 --> 00:28:32,240
HTTP, and we have also, uh, socket staging,
548
00:28:32,240 --> 00:28:33,760
which is going to perform the same thing
549
00:28:33,760 --> 00:28:37,919
via sockets. So, we have a bunch of
550
00:28:37,919 --> 00:28:42,320
options and I kind of enjoy the SMB one
551
00:28:48,600 --> 00:28:52,080
because there it is. I kind of enjoy the
552
00:28:52,080 --> 00:28:54,720
SMB one because usually when it comes to
553
00:28:54,720 --> 00:28:57,039
internal networks, and not only, uh,
554
00:28:57,039 --> 00:28:59,279
there's SMB traffic going on, and if
555
00:28:59,279 --> 00:29:02,159
you find external SMB traffic, which
556
00:29:02,159 --> 00:29:04,159
is not that uncommon by the way, you can
557
00:29:04,159 --> 00:29:06,640
also use this kind of staging, because
558
00:29:06,640 --> 00:29:08,720
usually all the measures are about
559
00:29:08,720 --> 00:29:12,799
HTTP and what happens over it, but if you
560
00:29:12,799 --> 00:29:14,960
can go over a different protocol like SMB,
561
00:29:14,960 --> 00:29:17,919
it's even better. So, uh, staging via SMB
562
00:29:17,919 --> 00:29:22,159
is, I can say, uh, super nice. Yeah. Now
563
00:29:22,159 --> 00:29:24,399
this code is fairly simple. It has one
564
00:29:24,399 --> 00:29:26,320
function, which is read bin, and this
565
00:29:26,320 --> 00:29:29,120
function actually reads a file from a
566
00:29:29,120 --> 00:29:31,039
remote share, which is going to actually
567
00:29:31,039 --> 00:29:33,279
perform the staging, because with this we're
568
00:29:33,279 --> 00:29:35,279
going to create a request to the server,
569
00:29:35,279 --> 00:29:38,000
reading the file from its, uh, share, and
570
00:29:38,000 --> 00:29:41,520
then executing that, that, uh, and after
571
00:29:41,520 --> 00:29:43,440
this one a new connection is going to be
572
00:29:43,440 --> 00:29:47,120
made. So we can test that with Mythic, and
573
00:29:47,120 --> 00:29:48,799
let me first generate a payload. So I
574
00:29:48,799 --> 00:29:53,679
can exit that. I can go to
575
00:29:54,600 --> 00:29:56,840
https,
576
00:29:56,840 --> 00:29:59,240
7443. Accept
577
00:29:59,240 --> 00:30:03,000
that. Now do mythic
578
00:30:03,000 --> 00:30:08,399
admin, cd opt, cd mythic and cat .env. Get my
579
00:30:08,399 --> 00:30:10,399
password. I don't mind leaking that on
580
00:30:10,399 --> 00:30:13,159
stream because it's local either way. So
581
00:30:13,159 --> 00:30:16,240
paste, and now we're here. Now on the
582
00:30:16,240 --> 00:30:19,120
Mythic C2 we can go to the payloads, and
583
00:30:19,120 --> 00:30:20,640
now first let me check if everything
584
00:30:20,640 --> 00:30:23,760
works. It is. Now, by default, the HTTP
585
00:30:23,760 --> 00:30:26,880
profile uses port 80 for communication
586
00:30:26,880 --> 00:30:29,279
and only HTTP. If you want to change that,
587
00:30:29,279 --> 00:30:32,000
you can go to, cd InstalledServices, then
588
00:30:32,000 --> 00:30:36,240
http, then http again, then c2_code, and
589
00:30:36,240 --> 00:30:37,640
here we have a
590
00:30:37,640 --> 00:30:39,919
config.json. In this config.json
591
00:30:39,919 --> 00:30:43,440
you can, do, change the port, you can
592
00:30:43,440 --> 00:30:46,080
change use_ssl, and essentially you
593
00:30:46,080 --> 00:30:49,120
can, uh, uh, even specify the key and
594
00:30:49,120 --> 00:30:51,120
the cert path. Also you can change the
595
00:30:51,120 --> 00:30:53,799
server headers. So of course, if you have
596
00:30:53,799 --> 00:30:58,240
a Mythic exposed, and, to the external web,
597
00:30:58,240 --> 00:31:02,159
always change that. Just a nice
598
00:31:03,399 --> 00:31:06,480
advice. Yeah, so I'm not going to do it
599
00:31:06,480 --> 00:31:10,159
now because I don't need to. But the
600
00:31:10,159 --> 00:31:11,440
whole thing is super simple as
601
00:31:11,440 --> 00:31:13,559
mentioned. Change the port, change the
602
00:31:13,559 --> 00:31:16,320
use_ssl and maybe the server headers, and
603
00:31:16,320 --> 00:31:18,559
that's it. So we don't need that for
604
00:31:18,559 --> 00:31:21,200
now. Now the profile works. I think you
605
00:31:21,200 --> 00:31:23,120
can also do it from there. So we can
606
00:31:23,120 --> 00:31:25,640
click here and
607
00:31:25,640 --> 00:31:29,679
maybe, nah, not here. Maybe here, I don't
608
00:31:29,679 --> 00:31:32,320
know. Yeah, never mind. I also like to
609
00:31:32,320 --> 00:31:35,760
ch, to have saved instances so I can, uh,
610
00:31:35,760 --> 00:31:38,200
do things like
611
00:31:38,200 --> 00:31:40,960
http, oh, instance name, wait, that's going
612
00:31:40,960 --> 00:31:43,360
to be
613
00:31:47,559 --> 00:31:50,000
80, like that, because I would know, if I
614
00:31:50,000 --> 00:31:51,919
see that instance, I would know it's
615
00:31:51,919 --> 00:31:53,679
going to be on that IP, which I have now,
616
00:31:53,679 --> 00:31:56,720
and the port 80. Now I can pretty much
617
00:31:56,720 --> 00:31:58,559
copy the IP, which is going to be here,
618
00:31:58,559 --> 00:32:00,559
remove the s, change the callback
619
00:32:00,559 --> 00:32:03,360
interval because I want that to be
620
00:32:03,360 --> 00:32:06,000
shorter. The callback port is fine. I
621
00:32:06,000 --> 00:32:07,440
don't want this to be modified for now.
622
00:32:07,440 --> 00:32:09,720
We don't need it. And I can, do, click
623
00:32:09,720 --> 00:32:12,000
create. Now let's generate the payload.
624
00:32:12,000 --> 00:32:14,720
I can go to actions and new payload. Then
625
00:32:14,720 --> 00:32:17,840
next, then Apollo. Then the defaults are
626
00:32:17,840 --> 00:32:20,480
pretty much fine. Then I can, for now,
627
00:32:20,480 --> 00:32:22,679
exclude all the commands rather
628
00:32:22,679 --> 00:32:26,240
than the word
629
00:32:26,440 --> 00:32:31,200
command, like that. Next. Then I want to
630
00:32:31,200 --> 00:32:33,360
go to my saved instance, like that. See
631
00:32:33,360 --> 00:32:36,039
how easy it is. Boom. And I can
632
00:32:36,039 --> 00:32:38,360
click next.
633
00:32:38,360 --> 00:32:39,880
Wait.
634
00:32:39,880 --> 00:32:41,399
Windows
635
00:32:41,399 --> 00:32:44,159
Apollo. And we need a shellcode. Yeah,
636
00:32:44,159 --> 00:32:48,000
that was super important, because if we
637
00:32:48,000 --> 00:32:50,880
wanted it to be a .exe, download, to get it
638
00:32:50,880 --> 00:32:52,399
to shellcode, but now it's going to be
639
00:32:52,399 --> 00:32:54,320
done automatically. So shellcode is
640
00:32:54,320 --> 00:32:57,679
fine. Then everything stays the, stays
641
00:32:57,679 --> 00:33:00,960
the same, like that. Go next. And here we
642
00:33:00,960 --> 00:33:03,640
need to change the Apollo exit to
643
00:33:03,640 --> 00:33:07,200
B. Wait
644
00:33:07,799 --> 00:33:09,910
what? And that's
645
00:33:09,910 --> 00:33:12,039
[Music]
646
00:33:12,039 --> 00:33:14,559
it. Now we have to wait a little bit for
647
00:33:14,559 --> 00:33:17,679
the build to be finished. And while that
648
00:33:17,679 --> 00:33:20,480
happens, uh, we're going to go to the
649
00:33:20,480 --> 00:33:23,360
offensive C++ and copy the staging part,
650
00:33:23,360 --> 00:33:26,000
the whole code. So I'm going to go to my
651
00:33:26,000 --> 00:33:29,640
commander here. Go here. Let's open
652
00:33:29,640 --> 00:33:33,519
the, let me remove that. Yeah, the same
653
00:33:33,519 --> 00:33:35,519
old payload. And I'll do new project,
654
00:33:35,519 --> 00:33:38,240
which is going to be staged. So, uh,
655
00:33:38,240 --> 00:33:42,279
console app, staged,
656
00:33:42,279 --> 00:33:44,240
create, because it's good to stay
657
00:33:44,240 --> 00:33:46,240
organized. I think that's super super
658
00:33:46,240 --> 00:33:49,399
[Music]
659
00:33:49,399 --> 00:33:54,399
important. Did I click create? I didn't.
660
00:33:54,399 --> 00:33:57,440
Okay, there it is. Now here again,
661
00:33:57,440 --> 00:33:59,799
change that to
662
00:33:59,799 --> 00:34:02,440
C. Now
663
00:34:02,440 --> 00:34:06,159
paste. Boom. And there it is. Now we
664
00:34:06,159 --> 00:34:07,760
need to tweak a bunch of things. We need
665
00:34:07,760 --> 00:34:09,480
to tweak the buffer
666
00:34:09,480 --> 00:34:11,599
size. And the buffer size can be
667
00:34:11,599 --> 00:34:14,639
retrieved from the, uh, payload itself. So
668
00:34:14,639 --> 00:34:16,560
I can download the payload. You can see
669
00:34:16,560 --> 00:34:19,839
it's 2 megabytes. But how exactly, uh, big
670
00:34:19,839 --> 00:34:22,240
is it? We can go to Downloads and do
671
00:34:22,240 --> 00:34:24,200
ls -la. And that's the final
672
00:34:24,200 --> 00:34:26,960
size. So we can get the final size and
673
00:34:26,960 --> 00:34:29,359
paste it there. And I always like to
674
00:34:29,359 --> 00:34:32,480
have one up. So it's a 49 at the end, we
675
00:34:32,480 --> 00:34:35,839
can do 50, because I always want to have
676
00:34:35,839 --> 00:34:39,520
one byte extra, in any case, because in
677
00:34:39,520 --> 00:34:42,399
the past, uh, sometimes some techniques
678
00:34:42,399 --> 00:34:44,079
failed because of that byte. At least
679
00:34:44,079 --> 00:34:46,639
that's what I think. Now we have the
680
00:34:46,639 --> 00:34:50,480
buffer. We adjusted the, the size of it.
681
00:34:50,480 --> 00:34:53,440
Now it's empty. Ideally, you want to, you
682
00:34:53,440 --> 00:34:57,280
want to do it, uh, dynamic. So without
683
00:34:57,280 --> 00:34:59,680
static allocation, you can do dynamic
684
00:34:59,680 --> 00:35:03,119
allocation with, uh, malloc and then realloc
685
00:35:03,119 --> 00:35:05,440
if you need to reallocate more memory.
686
00:35:05,440 --> 00:35:07,119
But that's ideally, now it's not the
687
00:35:07,119 --> 00:35:09,920
ideal case. Then we have the read bin,
688
00:35:09,920 --> 00:35:12,160
uh, file, the function, which essentially
689
00:35:12,160 --> 00:35:15,359
is going to do a CreateFile Windows API
690
00:35:15,359 --> 00:35:19,440
call against a specific path, and then
691
00:35:19,440 --> 00:35:22,480
this path is going to be just a remote
692
00:35:22,480 --> 00:35:24,880
share, and since we, we can pass a remote
693
00:35:24,880 --> 00:35:26,960
share, the same Windows API is going to
694
00:35:26,960 --> 00:35:29,839
be used as reading a local file, and it's
695
00:35:29,839 --> 00:35:32,079
going to work just like that. So the
696
00:35:32,079 --> 00:35:34,079
same file that, the same API that reads
697
00:35:34,079 --> 00:35:37,839
local files can be used for reading, uh,
698
00:35:37,839 --> 00:35:41,359
files from remote shares. Nice, right?
699
00:35:41,359 --> 00:35:43,839
Then we can call ReadFile on the handle
700
00:35:43,839 --> 00:35:46,000
and pretty much that's it. So here we
701
00:35:46,000 --> 00:35:49,520
need to also modify the size and paste
702
00:35:49,520 --> 00:35:51,520
it here. I think I need to do it better
703
00:35:51,520 --> 00:35:54,160
here. I need, I need, I can, I can automate
704
00:35:54,160 --> 00:35:56,480
the whole thing, but I'm not going to do
705
00:35:56,480 --> 00:35:57,560
it
706
00:35:57,560 --> 00:36:01,440
now. Oh. Oh, see how smooth that is. I
707
00:36:01,440 --> 00:36:03,520
can just scroll through the panes, which
708
00:36:03,520 --> 00:36:04,920
is so easy.
709
00:36:04,920 --> 00:36:08,839
Boom. Okay. I didn't know that. Thanks,
710
00:36:08,839 --> 00:36:11,079
Ubuntu.
711
00:36:11,079 --> 00:36:14,520
Okay. Ah, now I
712
00:36:14,520 --> 00:36:17,400
cannot. Oh, there it is. There it is.
713
00:36:17,400 --> 00:36:22,160
Okay, there it is. Okay. Now, uh, here we
714
00:36:22,160 --> 00:36:23,760
use pretty much the same thing, VirtualAlloc,
715
00:36:23,760 --> 00:36:26,720
and we allocate the memory. We do a
716
00:36:26,720 --> 00:36:30,640
read bin so we can read the file inside
717
00:36:30,640 --> 00:36:32,560
this buffer variable. Then we write this
718
00:36:32,560 --> 00:36:34,320
buffer variable to the memory, and then
719
00:36:34,320 --> 00:36:37,359
execute it via direct pointer. If you, if
720
00:36:37,359 --> 00:36:39,119
you don't know what direct pointer is, I
721
00:36:39,119 --> 00:36:41,040
highly recommend you guys read the blog
722
00:36:41,040 --> 00:36:43,440
post I've done a while ago, which
723
00:36:43,440 --> 00:36:46,079
explains what's a DP, or direct pointer,
724
00:36:46,079 --> 00:36:48,800
and why it's so OP. So I highly
725
00:36:48,800 --> 00:36:51,920
recommend to, to check this one out.
726
00:36:51,920 --> 00:36:55,440
Yeah. Uh, now here we need to first make
727
00:36:55,440 --> 00:36:57,200
sure we have the SMB server and the
728
00:36:57,200 --> 00:36:59,440
right IP and the right share and the
729
00:36:59,440 --> 00:37:01,440
right path. So in our case, that's going
730
00:37:01,440 --> 00:37:05,599
to be upload.bin. Then we have share, and we
731
00:37:05,599 --> 00:37:08,960
have the IP of 185, at least I believe.
732
00:37:08,960 --> 00:37:12,240
Yep, it's 185. Now here we can do things
733
00:37:12,240 --> 00:37:15,599
like, we need to set up the whole, uh, SMB
734
00:37:15,599 --> 00:37:21,440
server. So we can do impacket smbserver.
735
00:37:21,440 --> 00:37:23,280
It wants the share name and the share
736
00:37:23,280 --> 00:37:26,720
path. So we have, uh, share, the path is
737
00:37:26,720 --> 00:37:29,920
here. We have -ts, -debug for timestamps
738
00:37:29,920 --> 00:37:32,720
and debug messages, and of course -smb2support,
739
00:37:32,720 --> 00:37:34,599
because it's super duper
740
00:37:34,599 --> 00:37:37,599
important. Run that. And now I guess
741
00:37:37,599 --> 00:37:39,920
we're fine, guys. I think we, we, we are
742
00:37:39,920 --> 00:37:42,880
now set up. So what that's going to do
743
00:37:42,880 --> 00:37:45,119
is, it's going to first, uh, allocate
744
00:37:45,119 --> 00:37:47,680
memory, then do one request to our
745
00:37:47,680 --> 00:37:51,040
machine, but via SMB and not via HTTP.
746
00:37:51,040 --> 00:37:52,880
It's going to read the file. It's going
747
00:37:52,880 --> 00:37:55,280
to allocate that into the buffer
748
00:37:55,280 --> 00:37:57,359
variable, where then it's going to be
749
00:37:57,359 --> 00:37:59,359
written to the memory, executed, and the
750
00:37:59,359 --> 00:38:00,640
first callback is going to come from
751
00:38:00,640 --> 00:38:04,079
here. So in our case, if that works,
752
00:38:04,079 --> 00:38:06,160
we're going to do that. So first we're
753
00:38:06,160 --> 00:38:08,320
going to read the payload, but in this case
754
00:38:08,320 --> 00:38:12,400
from SMB. Let's do it like that, via SMB.
755
00:38:12,400 --> 00:38:14,079
We're going to read the payload. The
756
00:38:14,079 --> 00:38:16,000
payload is going to be back, and then
757
00:38:16,000 --> 00:38:17,680
it's going to be allocated, written to
758
00:38:17,680 --> 00:38:19,359
the memory, and then the callback is
759
00:38:19,359 --> 00:38:21,440
going to come from executing the payload
760
00:38:21,440 --> 00:38:25,520
in memory. Why is that nice? Because now
761
00:38:25,520 --> 00:38:29,920
if we scan this file, I doubt, not
762
00:38:29,920 --> 00:38:32,240
something's going to detect it. I highly
763
00:38:32,240 --> 00:38:34,640
doubt it. I can save and compile, and we
764
00:38:34,640 --> 00:38:36,800
can test that, guys. I can save and
765
00:38:36,800 --> 00:38:38,839
compile. Now we can go
766
00:38:38,839 --> 00:38:43,200
to the folder itself, like that. Go here.
767
00:38:43,200 --> 00:38:45,440
Let's start Defender now and let's scan
768
00:38:45,440 --> 00:38:47,880
the file. So turn
769
00:38:47,880 --> 00:38:51,520
on. Yeah, there it is. Now it's on. And
770
00:38:51,520 --> 00:38:53,160
now let's
771
00:38:53,160 --> 00:38:54,920
do
772
00:38:54,920 --> 00:38:58,320
scan. Nothing found. That's the magic of
773
00:38:58,320 --> 00:39:00,800
staging. Whereas if I scan the previous
774
00:39:00,800 --> 00:39:03,040
file, because the payload is there, it's
775
00:39:03,040 --> 00:39:04,640
going to be detected right off the bat.
776
00:39:04,640 --> 00:39:07,320
Trust me on that. So just because it's
777
00:39:07,320 --> 00:39:10,079
staged, we avoid the signature detections,
778
00:39:10,079 --> 00:39:13,839
which have not less, and our file is
779
00:39:13,839 --> 00:39:17,040
generally behaving more stably. So I
780
00:39:17,040 --> 00:39:20,960
generally recommend staging by any means.
781
00:39:20,960 --> 00:39:23,040
Uh, now we can try to execute it. Now
782
00:39:23,040 --> 00:39:25,520
Defender of course might, uh, focus on the
783
00:39:25,520 --> 00:39:28,040
runtime, because the Apollo is a known,
784
00:39:28,040 --> 00:39:31,359
uh, payload, but let's just try it, right? I
785
00:39:31,359 --> 00:39:34,079
mean we have to try it to know. So, uh,
786
00:39:34,079 --> 00:39:37,400
I can open cmd, go to here, and
787
00:39:37,400 --> 00:39:40,240
do stage.exe, even though the name is
788
00:39:40,240 --> 00:39:43,680
super suspicious. Now, let me make sure
789
00:39:43,680 --> 00:39:46,240
the SMB is running. It is. I'm going to
790
00:39:46,240 --> 00:39:48,800
go to the callbacks tab, and I'm going to
791
00:39:48,800 --> 00:39:51,160
start it.
792
00:39:51,160 --> 00:39:54,359
Boom. And there it
793
00:39:54,359 --> 00:39:58,160
is. There it is. Defender is running. No
794
00:39:58,160 --> 00:40:00,240
threats are found. And that's how you
795
00:40:00,240 --> 00:40:03,640
bypass Defender with a simple SMB
796
00:40:03,640 --> 00:40:06,560
staging. Wow. And we also have the NTLM
797
00:40:06,560 --> 00:40:10,400
hash, which is super crazy. That's why I,
798
00:40:10,400 --> 00:40:12,560
I'm telling you guys to always go
799
00:40:12,560 --> 00:40:15,040
staging. That's the reason. I mean, this is
800
00:40:15,040 --> 00:40:18,320
not going to be enough for complex EDRs
801
00:40:18,320 --> 00:40:20,480
and things like that. But as you can
802
00:40:20,480 --> 00:40:23,560
see, just one technique, just one set of
803
00:40:23,560 --> 00:40:26,079
techniques was able to get our Apollo
804
00:40:26,079 --> 00:40:28,640
beacon out of Defender's way, and we
805
00:40:28,640 --> 00:40:31,040
bypassed it right off the bat. So we can
806
00:40:31,040 --> 00:40:33,040
now issue commands and work with it. We
807
00:40:33,040 --> 00:40:34,800
can do, what? whoami, and things like
808
00:40:34,800 --> 00:40:36,920
that. And now enjoy our
809
00:40:36,920 --> 00:40:39,400
beacon. Oh, they
810
00:40:39,400 --> 00:40:41,400
also updated
811
00:40:41,400 --> 00:40:44,359
it. Nice. Okay,
812
00:40:44,359 --> 00:40:49,480
perfect. whoami. And there it is.
813
00:40:49,839 --> 00:40:52,480
There it is. And the funny part is
814
00:40:52,480 --> 00:40:54,320
Defender is running. I, to be honest, I
815
00:40:54,320 --> 00:40:56,560
didn't expect that. I expected Defender
816
00:40:56,560 --> 00:40:58,400
to catch that on runtime, because Apollo is
817
00:40:58,400 --> 00:41:00,400
a known agent. But as you can see,
818
00:41:00,400 --> 00:41:02,359
staging is not to be
819
00:41:02,359 --> 00:41:05,760
underestimated. There it
820
00:41:09,319 --> 00:41:11,880
is. There it
821
00:41:11,880 --> 00:41:15,760
is. That's crazy. So that was the, the
822
00:41:15,760 --> 00:41:17,680
whole idea of the stream, to first test
823
00:41:17,680 --> 00:41:19,920
my system, how it behaves, and to showcase
824
00:41:19,920 --> 00:41:21,760
some practical things about staging and
825
00:41:21,760 --> 00:41:25,119
stageless. So the moral of the story is
826
00:41:25,119 --> 00:41:29,400
that when possible, always use payload
827
00:41:29,400 --> 00:41:32,319
staging, no matter if it's via SMB, if
828
00:41:32,319 --> 00:41:35,920
it's HTTP, via local file, or via
829
00:41:35,920 --> 00:41:38,720
anything else. Just avoid placing the
830
00:41:38,720 --> 00:41:41,200
payload directly into the file. Always
831
00:41:41,200 --> 00:41:43,440
stage it in some form, by some third
832
00:41:43,440 --> 00:41:46,480
party protocol or third-party solutions.
833
00:41:46,480 --> 00:41:49,599
So imagine the whole development part
834
00:41:49,599 --> 00:41:52,640
not as a single OP technique that
835
00:41:52,640 --> 00:41:55,200
bypasses all the vendors, but rather it's
836
00:41:55,200 --> 00:41:56,880
a set, a combination of multiple
837
00:41:56,880 --> 00:41:59,920
techniques that, when working together,
838
00:41:59,920 --> 00:42:02,800
can make our payload evasive and
839
00:42:02,800 --> 00:42:06,560
effective. So now we can add maybe, uh,
840
00:42:06,560 --> 00:42:09,920
encryption to the payload. We can also do
841
00:42:09,920 --> 00:42:12,720
sandbox evasion, do a domain, sandbox
842
00:42:12,720 --> 00:42:14,480
evasion and things like that, which can
843
00:42:14,480 --> 00:42:17,520
boost the, the, the evasiveness of the
844
00:42:17,520 --> 00:42:19,520
payload. But essentially the point is to
845
00:42:19,520 --> 00:42:21,359
add many techniques, combine them
846
00:42:21,359 --> 00:42:22,520
together
847
00:42:22,520 --> 00:42:27,599
and test a lot. So, uh, with that, that's a
848
00:42:27,599 --> 00:42:30,480
practical Windows Defender bypass with
849
00:42:30,480 --> 00:42:33,040
Mythic C2. So, I hope you enjoyed, guys, the
850
00:42:33,040 --> 00:42:36,480
video, and, uh, that was it. If you have
851
00:42:36,480 --> 00:42:38,319
any questions... You have just arrived.
852
00:42:38,319 --> 00:42:39,880
What technique did you use for bypassing
853
00:42:39,880 --> 00:42:42,720
Defender? Yeah. Um, SMB staging. Just
854
00:42:42,720 --> 00:42:45,200
that. Just that. I was, I didn't think
855
00:42:45,200 --> 00:42:47,839
that would work, to be honest. Uh, I
856
00:42:47,839 --> 00:42:50,880
expected some, Defender to catch us in
857
00:42:50,880 --> 00:42:53,520
runtime when the payload is executed.
858
00:42:53,520 --> 00:42:55,599
But just that code, see how simple it
859
00:42:55,599 --> 00:42:58,240
is. I didn't do any DLL sideloading. I
860
00:42:58,240 --> 00:43:00,319
didn't do anything crazy. Just a simple
861
00:43:00,319 --> 00:43:02,640
exe with SMB staging, and the staging
862
00:43:02,640 --> 00:43:05,920
worked perfectly. So that's why I always
863
00:43:05,920 --> 00:43:08,079
say that this technique is my favorite
864
00:43:08,079 --> 00:43:10,079
for malware development, because it's super
865
00:43:10,079 --> 00:43:12,720
super OP. Trust me, if you have the
866
00:43:12,720 --> 00:43:14,760
payload in the file, it's going to be
867
00:43:14,760 --> 00:43:18,280
detected. So, uh, yeah, sorry for being
868
00:43:18,280 --> 00:43:20,400
late. You missed it, but I'm going to
869
00:43:20,400 --> 00:43:23,119
put this on YouTube either way. So, uh,
870
00:43:23,119 --> 00:43:25,200
appreciate your time, and I hope you
871
00:43:25,200 --> 00:43:27,200
learned something new. If that's the case,
872
00:43:27,200 --> 00:43:29,839
always subscribe. Yeah. Uh, thanks so
873
00:43:29,839 --> 00:43:31,119
much. And yeah, you're going to be, you
874
00:43:31,119 --> 00:43:33,119
can watch that on YouTube. So, thanks so
875
00:43:33,119 --> 00:43:35,200
much for sticking by, and yeah, see you
876
00:43:35,200 --> 00:43:37,280
guys.