1
00:00:00,330 --> 00:00:01,560
Welcome back everyone.

2
00:00:01,620 --> 00:00:05,910
And we are only left to do one more thing before our backdoor project is over.

3
00:00:07,230 --> 00:00:12,540
So the last option that we're left to do is the persistence with the target machine.

4
00:00:12,540 --> 00:00:17,090
We want to make sure that we can connect to the target machine whenever it is on.

5
00:00:17,100 --> 00:00:22,050
So what we're going to do is we're going to create the persistence option that will allow us to create

6
00:00:22,050 --> 00:00:27,330
the registry key and let our backdoor run every time that the target restarts their machine.

7
00:00:27,980 --> 00:00:28,260
OK.

8
00:00:28,290 --> 00:00:29,860
So let's get straight into it.

9
00:00:29,940 --> 00:00:37,080
Let's add an elif option just as we did with everything else, so the elif option will be equal to

10
00:00:38,000 --> 00:00:38,850
persistence.

11
00:00:38,850 --> 00:00:43,460
So elif command equals persistence.

12
00:00:44,250 --> 00:00:49,500
Then we're going to ask for the user of this program to input the registry key name and the name for

13
00:00:49,500 --> 00:00:52,780
the file that we're going to copy our backdoor into.

14
00:00:52,800 --> 00:00:55,420
Now if you're confused as to what they mean.

15
00:00:55,500 --> 00:00:56,340
Let me just show you.

16
00:00:56,340 --> 00:01:01,880
So we are going to add right here reg_name comma.

17
00:01:01,920 --> 00:01:07,680
copy_name is going to be equal to the command.

18
00:01:07,720 --> 00:01:12,300
And then we're going to strip off the first 12 characters, which will be the "persistence" and then the empty

19
00:01:12,400 --> 00:01:13,650
space.

20
00:01:13,750 --> 00:01:21,980
And I'm going to split them with an empty space right now, right here in the elif statement.

21
00:01:22,000 --> 00:01:24,170
We need to add first 11 characters.

22
00:01:24,310 --> 00:01:30,260
So if the first 11 characters are equal to persistence, then we are going to proceed with these two commands.

23
00:01:30,310 --> 00:01:36,130
We're going to store the reg_name as the first part of the rest of the command and the copy_name as the

24
00:01:36,130 --> 00:01:40,450
name of the file that we are creating and copying our backdoor in.

25
00:01:41,290 --> 00:01:46,390
And then with the copy of our backdoor that we're going to create, we're going to use the reg_name in

26
00:01:46,390 --> 00:01:50,500
order to create the persistence and registry key onto that copy.

27
00:01:50,500 --> 00:01:55,880
So even in case the target deletes our backdoor we're still going to be able to connect to their machine.

28
00:01:56,260 --> 00:01:57,180
OK.

29
00:01:57,370 --> 00:02:02,320
All we're left to do right now in the else statement is to call the persist function that we're about

30
00:02:02,320 --> 00:02:07,750
to call right now and put in these two arguments which are the name and the copy name.

31
00:02:08,380 --> 00:02:09,520
All right.

32
00:02:09,520 --> 00:02:15,910
So now let's go all the way up and above the target communication.

33
00:02:15,910 --> 00:02:18,220
We're going to define the persist function

34
00:02:21,730 --> 00:02:24,700
it will take reg_name and copy_name.

35
00:02:29,930 --> 00:02:30,440
first.

36
00:02:30,470 --> 00:02:36,380
We need to create the location, or the path, to where we want to create our copy of the backdoor. Now, that path

37
00:02:36,410 --> 00:02:42,650
can be the same as we used in our keylogger, which is AppData. That is a hidden directory and most likely

38
00:02:42,780 --> 00:02:44,420
the targets will never find that file.

39
00:02:44,690 --> 00:02:55,770
So let's create file_path, or, better, file_location equals os.environ.

40
00:02:55,780 --> 00:02:58,040
We are searching for APPDATA.

41
00:02:58,040 --> 00:03:00,020
This is all already familiar to us.

42
00:03:00,020 --> 00:03:02,040
So nothing really to explain here.

43
00:03:02,360 --> 00:03:09,990
And then we will add the two backslashes, which indicate a directory in Windows, and then concatenate copy_name,

44
00:03:10,040 --> 00:03:17,420
which is the name of the file that we are creating and keeping our backdoor in. All right.

45
00:03:17,430 --> 00:03:23,070
Now what we want to do is we want to check whether that file already exists, because if we run this

46
00:03:23,070 --> 00:03:25,410
two times we don't want to create the registry

47
00:03:25,420 --> 00:03:30,270
key twice. We only want to do it one time, so we're going to check whether this file already exists.

48
00:03:30,270 --> 00:03:36,140
If it already exists, that means that the persistence command has already been run.

49
00:03:36,230 --> 00:03:37,470
So how can we do that?

50
00:03:37,550 --> 00:03:42,310
Well, we can use an actual library that exists in Python which is called the shutil library.

51
00:03:42,320 --> 00:03:48,770
So let's import it right here: import shutil. It is a standard library, no need to install it.

52
00:03:48,770 --> 00:03:58,580
And right here in the try statement we can say if not os.path.exists, which will check for

53
00:03:58,580 --> 00:04:01,920
this file location whether it exists or not.

54
00:04:02,300 --> 00:04:09,980
In case it doesn't exist, we want to copy this executable, or this backdoor, into that file location, and

55
00:04:09,980 --> 00:04:13,430
we can do that using the shutil library, so shutil.copyfile.

56
00:04:19,260 --> 00:04:24,240
The first argument is what we are copying. In our case we are copying our own executable, which we can

57
00:04:24,240 --> 00:04:31,400
specify by sys.executable, and to use sys.executable we need to import sys.

58
00:04:31,470 --> 00:04:33,420
So let's go and import sys right here,

59
00:04:40,680 --> 00:04:47,310
and the second parameter is where we are copying it. In our case we're copying it inside of the file location.

60
00:04:49,650 --> 00:04:55,110
Then we want to call the command which will add a registry key for this file location, and how we can do that?

61
00:04:55,170 --> 00:04:58,060
Well, we can do that with the help of the subprocess library.

62
00:04:58,170 --> 00:05:09,700
So we'll call subprocess.call, oops, subprocess.call, and I just now noticed that we are

63
00:05:09,700 --> 00:05:14,830
actually coding this inside of the server, so make sure that you do not make the same mistake as I did.

64
00:05:14,830 --> 00:05:22,780
So I'm just going to copy all of this and paste it into our backdoor right here, above the shell function.

65
00:05:22,780 --> 00:05:30,400
We can paste the persist function, and also make sure you delete it from here, and also make sure you copy

66
00:05:30,460 --> 00:05:32,540
the part with the elif statement.

67
00:05:32,800 --> 00:05:40,080
So first of all copy, then we can delete it from here, as we don't need it in our server.

68
00:05:40,080 --> 00:05:42,140
We only need it inside of our backdoor.

69
00:05:45,310 --> 00:05:50,010
Go all the way down, find the last elif statement and then paste right here.

70
00:05:52,630 --> 00:05:57,280
Well, let's make everything tabbed in properly.

71
00:05:57,280 --> 00:06:04,090
And for some reason we got this pasted twice, so I'm just going to delete the last one.

72
00:06:07,740 --> 00:06:09,830
And now we should be good to go.

73
00:06:09,870 --> 00:06:16,290
We got the elif statement and we also got the function right here, but we don't have these two libraries,

74
00:06:16,290 --> 00:06:20,250
since we imported them inside of our server, so we can remove them

75
00:06:24,080 --> 00:06:27,010
and we can move them straight into our backdoor.

76
00:06:28,430 --> 00:06:28,790
OK.

77
00:06:28,940 --> 00:06:31,550
So now we got everything ready.

78
00:06:31,550 --> 00:06:35,720
We fixed our mistake and we're ready to continue with the persist function.

79
00:06:35,720 --> 00:06:40,720
We stopped at the calling of the command which will add the registry key for this file location, so let's

80
00:06:40,740 --> 00:06:41,820
stop it right here.

81
00:06:41,870 --> 00:06:49,760
The first parameter will be the command itself, which will be reg add HKCU. You see, this is the part

82
00:06:49,760 --> 00:07:01,720
of the registry where we want to add our backdoor: backslash Software backslash Microsoft backslash Windows

83
00:07:01,990 --> 00:07:04,000
backslash CurrentVersion

84
00:07:06,760 --> 00:07:19,230
backslash Run. Then we want to add a space, /v, a space and the single quote after it.

85
00:07:19,230 --> 00:07:25,050
We want to concatenate the reg_name, which is the parameter to our function that we specify

86
00:07:25,090 --> 00:07:32,070
with the command from the server, and a few more options, so let's add and open single quotes, and in between

87
00:07:32,070 --> 00:07:41,330
the single quotes we specify space /t space REG_SZ, all in capital letters, and

88
00:07:41,330 --> 00:07:43,410
space /d.

89
00:07:44,390 --> 00:07:59,320
Then specify a space, then double quotes, exit the single quotes and add plus file_location plus open

90
00:07:59,320 --> 00:08:03,980
single quotes, and in those single quotes we specify double quotes.

91
00:08:04,020 --> 00:08:07,410
OK, so this should be the entire command.

92
00:08:07,480 --> 00:08:12,280
Now, if you also run this command inside of your command prompt, it will perform the exact same thing

93
00:08:12,400 --> 00:08:16,480
by adding the registry for the specified program.

94
00:08:16,480 --> 00:08:20,220
Now I know that the command is rather long, but we had to write it down,

95
00:08:23,850 --> 00:08:29,990
and what we forgot to do is add a second parameter to this call function, which is shell=True.

96
00:08:30,600 --> 00:08:38,580
So make sure you go all the way back, and at the end of this single quote add a comma and add shell equals

97
00:08:38,670 --> 00:08:39,600
true.

98
00:08:39,600 --> 00:08:45,820
Once we do that, we want to reliable_send to our server that we successfully created persistence.

99
00:08:45,840 --> 00:08:54,110
So let's add it like this and type "created persistence with reg key"

100
00:08:56,880 --> 00:09:02,390
and then let's concat the reg_name variable.

101
00:09:03,160 --> 00:09:08,770
And that was the part of the if not statement, that is, in case that this file location does not exist;

102
00:09:09,520 --> 00:09:10,680
in case it does exist.

103
00:09:10,690 --> 00:09:17,890
we want to specify in the else statement reliable_send, and we want to prompt to the user of the server

104
00:09:18,820 --> 00:09:21,060
that persistence already exists.

105
00:09:21,130 --> 00:09:34,010
So we'll specify "persistence already exists", and in the last statement, in the except part, we want to

106
00:09:34,010 --> 00:09:34,970
reliable_send

107
00:09:38,100 --> 00:09:40,000
in case none of this works.

108
00:09:40,020 --> 00:09:48,540
We want to reliable_send "error creating persistence with the target

109
00:09:51,610 --> 00:09:52,200
machine".

110
00:09:52,740 --> 00:09:53,030
OK.

111
00:09:53,060 --> 00:09:58,960
So this should all be good, in case we didn't create some syntax error or something else.

112
00:09:59,040 --> 00:10:00,500
This should all work.

113
00:10:00,660 --> 00:10:01,620
So let's give it a try.

114
00:10:02,670 --> 00:10:10,310
We need to insert our USB drive and copy the programs real fast, so we don't waste time transferring

115
00:10:10,320 --> 00:10:12,490
these files.

116
00:10:12,660 --> 00:10:15,200
OK, so here are the two files; let's copy them both.

117
00:10:15,210 --> 00:10:16,780
Don't forget the keylogger.

118
00:10:16,800 --> 00:10:19,380
Otherwise the compilation will not work.

119
00:10:19,380 --> 00:10:21,590
And now let's compile the backdoor.

120
00:10:22,980 --> 00:10:29,460
But before I do that I need to delete the previous directories that we used in the compilation and compile

121
00:10:29,460 --> 00:10:31,410
it once again.

122
00:10:31,410 --> 00:10:35,730
Let's also start our server inside of our PyCharm.

123
00:10:36,090 --> 00:10:39,130
Open terminal, python3

124
00:10:39,690 --> 00:10:46,710
server.py. Let's open the registry so we can see whether this will work correctly.

125
00:10:50,260 --> 00:10:54,580
It will ask you for the administrator privileges; in case you have a password, you will input it right

126
00:10:54,580 --> 00:11:01,160
here and click on yes. Here is the place where we are going to create our registry key.

127
00:11:01,230 --> 00:11:06,510
It is in HKEY_CURRENT_USER backslash Software backslash Microsoft backslash Windows

128
00:11:06,510 --> 00:11:10,140
backslash CurrentVersion, and in the Run directory.

129
00:11:10,530 --> 00:11:16,560
Once we specify the command for the persistence, hopefully right here the registry key will be created

130
00:11:16,650 --> 00:11:23,700
for the copied backdoor that will be located inside of the AppData slash Roaming folder, which we already

131
00:11:23,700 --> 00:11:24,770
know how to access.

132
00:11:24,810 --> 00:11:30,180
If we go in our command prompt and change directory to C: slash Users slash the name of your account

133
00:11:30,270 --> 00:11:35,100
and then cd AppData and cd Roaming, if I type dir there,

134
00:11:35,130 --> 00:11:38,610
Here is where our copied backdoor should be located.

135
00:11:38,610 --> 00:11:40,770
So let's give it a try.

136
00:11:40,770 --> 00:11:48,830
We need to run our backdoor, which hopefully compiles successfully. Run it right here, we get no errors.

137
00:11:48,850 --> 00:11:51,100
So let's go to Kali Linux.

138
00:11:51,100 --> 00:11:53,450
Wait for the incoming connection.

139
00:11:53,620 --> 00:11:54,790
Here it is.

140
00:11:54,790 --> 00:11:57,150
Let's run some random commands.

141
00:11:57,280 --> 00:11:59,040
Make sure that everything works.

142
00:11:59,140 --> 00:12:07,620
And if I type persistence, go to our help command to see what is the syntax for this persistence command.

143
00:12:07,640 --> 00:12:16,820
So we need to specify first the registry name, let's call it hacked with capital H, and then space and

144
00:12:16,820 --> 00:12:20,330
then the file name that we want to copy the backdoor in.

145
00:12:20,330 --> 00:12:24,290
Let's call it taskmanager

146
00:12:24,380 --> 00:12:26,550
dot exe.

147
00:12:26,870 --> 00:12:32,590
Click on enter, and it will tell us that the persistence already exists.

148
00:12:32,750 --> 00:12:38,900
Weird. If I refresh this, something doesn't seem to work.

149
00:12:39,200 --> 00:12:45,650
Let's take a look at the backdoor and see where the problem is inside of the persistence command.

150
00:12:45,650 --> 00:12:47,540
Not really sure why we'd get this.

151
00:12:47,540 --> 00:12:48,500
Let's try it again.

152
00:12:48,500 --> 00:12:56,430
persistence hacked, let's call it test.exe.

153
00:12:56,570 --> 00:12:59,720
It tells us that persistence already exists.

154
00:12:59,720 --> 00:13:05,270
Okay, so there is definitely some error inside of our code, because we can't see the file and the persistence

155
00:13:05,270 --> 00:13:07,910
is not there inside of our registry.

156
00:13:08,000 --> 00:13:09,910
So let's see what's wrong with the program.

157
00:13:10,880 --> 00:13:14,910
Okay, so this was probably the error right here, inside of the command.

158
00:13:14,940 --> 00:13:20,940
Instead of the first 12 characters, we want to specify from the twelfth character till the end.

159
00:13:21,270 --> 00:13:26,880
Now I'll do the process of compilation all over by myself, and I will get back to you with the newly compiled

160
00:13:26,880 --> 00:13:30,360
file.

161
00:13:30,500 --> 00:13:36,920
OK, so here we are inside of our directory. I have the newly compiled backdoor with the fixed error,

162
00:13:37,080 --> 00:13:44,200
and now if I run my server inside of my PyCharm, let's go and run it.

163
00:13:44,290 --> 00:13:50,000
So python3 server.py, and then I go and run my backdoor.

164
00:13:50,230 --> 00:13:51,490
No error has occurred.

165
00:13:51,490 --> 00:13:57,880
Let's go back to Kali Linux, run some random command to make sure everything works, and then run the persistence.

166
00:13:58,000 --> 00:14:06,160
So persistence hacked and then test.exe, press enter, and it will tell us "created persistence

167
00:14:06,340 --> 00:14:08,150
with registry key hacked".

168
00:14:08,290 --> 00:14:15,160
If we go to the registry and refresh using the F5 button, we will see that there is a hacked registry key

169
00:14:15,400 --> 00:14:22,210
that is newly added, referring to the path to this file right here, which is stored inside of the AppData slash

170
00:14:22,210 --> 00:14:23,000
Roaming.

171
00:14:23,020 --> 00:14:29,670
It is called test.exe, and this is the copy of our backdoor. Okay.

172
00:14:29,810 --> 00:14:35,510
If we go to the command prompt and type dir there once again in the Roaming directory, we will see the

173
00:14:35,510 --> 00:14:41,780
test.exe file, or our backdoor, successfully copied and hidden inside of this directory.

174
00:14:42,020 --> 00:14:44,440
Okay, so our persistence successfully works.

175
00:14:44,570 --> 00:14:52,190
Now, even if the target for example closes this program and deletes this backdoor, they will still run

176
00:14:52,190 --> 00:14:55,340
the backdoor which is hidden inside of the AppData

177
00:14:55,340 --> 00:15:02,870
next time they restart their PC, and it will happen every time they restart until that file is deleted

178
00:15:03,080 --> 00:15:05,660
from their AppData slash Roaming folder.

179
00:15:06,590 --> 00:15:10,640
So that means we will have access forever to that target machine.

180
00:15:11,210 --> 00:15:17,480
And with this we finish with the last option for our backdoor, and in the next two lectures I will give

181
00:15:17,480 --> 00:15:23,780
you two bonus videos: one in which we will add another option to this backdoor, a rather short one, and the

182
00:15:23,780 --> 00:15:26,000
last video, or second video from now.

183
00:15:26,180 --> 00:15:32,610
In that video I will show you how you can make your backdoor look like an image as well as open an image.

184
00:15:32,800 --> 00:15:33,280
Okay.

185
00:15:33,410 --> 00:15:38,150
So thank you for watching this lecture and I will see you in the next material. Bye.
