Create a Reverse Shell Using a Fake MP4 File [Tutorial]
- Published 17 Nov 2020
- Earn $$. Learn What You Need to Get Certified (90% Off): nulb.app/cwlshop
How to Pop a Shell Using a Video
Full Tutorial: nulb.app/x4k28
Subscribe to Null Byte: goo.gl/J6wEnH
Nick's Twitter: / nickgodshall
Cyber Weapons Lab, Episode 199
In our latest video, we're showing how hackers can take advantage of flaws in common Linux file system managers to modify a video to run malicious code, phoning back to a hacker's server and running commands. Big shout out to Tokyoneon ( / tokyoneon_ ), whose article on Null Byte serves as the basis for this cybersecurity tutorial.
To learn more, check out Tokyoneon's article on Null Byte: nulb.app/x4k28
Follow Null Byte on:
Twitter: / nullbyte
Flipboard: flip.it/3.Gf_0
Website: null-byte.com
Weekly newsletter: eepurl.com/dE3Ovb
Vimeo: vimeo.com/channels/nullbyte - Education & Style
Really very good tutorial. Got to learn something new about "sudo !!". Keep posting such awesome tutorials.
This must be from the future, considering that Mint is on v20.
Yeah I was confused by that as well.
Earthlings blink while non-earthlings don't blink. Know thyself. Nice tut bro
Be cool to see this with a windows machine as the target as well. If something this simple works anyways...
Now there's a follow-up video idea! Any takers? (If it were applicable, Microsoft will have already patched it)
Actually it doesn't work that easy. If you copy a link, which is what this is, to another computer, it will ask you if you want to trust it before running it. All he is doing here is click baiting you and others to his UA-cam video. It looks like he zipped the "fake" file on his virtual computer, because ALL links made in this fashion will ask you if you trust it for the FIRST run on THAT computer. It will NOT just run as he has shown. You copy it to a new computer, if it copies at all, because it often refuses, and you have to allow it to be copied, and on the new computer it will ask for permission again, when run for the first time. There is something fishy going on here that he isn't telling you.
Windoze is easier. Have a batch file run something and load your payload into the directory that runs things when Windoze is booted. I once turned a screen upside down using this method. It took him an hour to fix it.
@lesliesavage9229 ay bro can you explain more in depth on this?
@lesliesavage9229 can we talk more u seem knowledgeable and i'm trying to learn
@revelingg I am talking about two different things, so I am not sure what you are asking.
I just set it up again just for you on two Linux operating systems, and it still doesn't work. How many ways can this be explained that it will not work over the net on Linux Mint? He is dead at the link, and he needs one computer to be open to the net, which he never covers. He needs access to the target computer, which he doesn't have to set up netcat, and know which ports are open. It doesn't even work locally, which is all of his demonstration. He isn't showing something, because even links don't work like in this video. The first time you open a link it asks for permission, and his never does, he is lying by omission or using an outdated version of Linux Mint. No other way to put it.
That's quite scary, thank God for frequent security updates! Unfortunately there aren't many zero day exploits (hence the name) being published on UA-cam, but that in itself is even more scary!
U blinked 3 times under 10 seconds. We can't accept you
Im sorry dont hack me lol
Mate, what are you doing?
🤣🤣🤣
too bad, now he's gonna hack you
yo buddy
Even blinked with just one eye a couple of times
Great tutorial, thanks
Wow, you're a real hacker! On 4:44 you enter the wrong ip address but it still worked!
It's the IP of the Linux VM
@sluvvr That does not make a lot of sense to me. The netcat listener is running outside of the VM, the code that is shown on 4:44 is running inside the VM. So that would mean that the VM is connecting to itself, which it isn't.
He also said "change this ip address to .162 as well", but he never set anything else to .162
@thepianoaddict He did it right, he set the IP X.X.X.162 for netcat to connect to the target && he got connected coz the VM is running on bridged mode.
@abhishekrajput9434 "he set the IP X.X.X.162 for netcat to connect to the target" Yes, so he did it wrong, because the code is run on the target. It makes no sense to let the target connect to itself.
"he got connected coz the VM is running on bridged mode." That would explain why it still works even though he didn't do it right.
@thepianoaddict That's what a reverse shell does? It connects FROM the target TO the host.
Thanks for this - looks interesting. Would there be a way to remove the other .mp4 file entirely? Seems a little obvious that there is something wrong if there's two mp4 files both pointing to the same one.
Maybe putting a . before its name might work... As it will become hidden like the .ssh folder...
I'm not sure if you watched the video? From what I understand you're asking how to hide a file that doesn't need to be there in the first place. One only needs to send the fake file, not the video file.
@MsHojat No, because the fake_video file just executes its code and then runs the real_video file. the video isn't embedded into the file
@kylo8846 no it streams the video online, hence the python server
The tutorial mentions that Nemo is vulnerable to this attack, but at least the version on Arch Linux is NOT vulnerable (cause i tested it right now). I always have my file manager in list mode where i see the filesize though, so one would need to add a whole bunch of unnecessary data to the .desktop file to increase the filesize.
Even if you didn't display file size in the FM, chances are whatever method was used to get the file in the first place would show its size as well, probably even multiple times (once in the e-mail before downloading, then again in the download progress). For that matter the speed of the download would also be an indicator as well.
However perhaps most importantly, I presume that junk space can be added to the file to make it appear the proper size. So it would not be a reliable method of detection.
I think that the main flaw (which is quite minor) is that there will be major lag between running the file and the video playing. I think that the video doesn't stream, so it would download in full before playing, no? He did say "stream" once though so maybe I'm mistaken.
Great video. Thank you so much
I need to do this today.
Nano is not for noobs... Just use what suits you best. Nice presentation btw. 🤜
nano virgin
I like vim and Gedit
NULL BYTE IS BACK AFTER A LONG TIME....!!!!
does this work for a png file or any other image file type?
Great tutorial Nick!
Very select 'attack'. I wouldn't even call it one.
This is really basic and basically not working anywhere anymore, especially if you know how religiously linux desktop users update.
It's the equivalent of sending a windows shortcut file with a VB script / cmd exec.
It doesn't have to even be a video file, you can make it look like a PDF icon, or anything else.
The PDF is much more convincing and you can pad the .desktop file with garbage to give it some file size to fool more observant users.
Heck you can even make a little basic demo / game, pad your payload to the end of the launch script and send it over as part of a exclusive beta tester deal!
Works.
I agree, this heavily falls under social engineering. Hell, you could even send someone a straight sh script, if they believe you're tech support.
Why don't you make a video about that
Totally agreed Cyber Cat, when I was watching this video I felt like this guy was talking out of context, which doesn't even match with the subject of this video, the explanation is not up to the mark. Secondly, when you are explaining anything, explain the important points and don't stretch it more by talking about some useless things which are not even close to the actual subject. Idea is good though, 👍
remember me old school times style
would it be possible to create a keygen from the same type of internet router for default passwords in a way of finding all passwords by mac address or name? for example i have a router with a default password 10 more people have the same router and i have those passwords as well, can we generate more passwords for those routers ?
I think this is what comes out when you try doing everything in one take
To play the video file why do we need to host it? As we have sent real video files along with the payload, we can play them. Right?
Does it work on 20.3 the latest version All exerts here ?
you know you don't need file extensions in linux, also any good blue teamer will always run file "filename" to see what type of file this is, they will see it is not an mp4 file and rm that so fast
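The "run file on it" advice above and the earlier file-size discussion in this thread, turned into a small defender-side checker. This is an added example, not code from the video or from Tokyoneon's article; it uses only the Python standard library, and every sample file in it is constructed for the demo.

```python
from pathlib import Path
MEDIA_EXTS = {".mp4", ".mkv", ".avi", ".mov", ".mp3", ".jpg", ".jpeg", ".png", ".pdf"}

def is_desktop_entry(data: bytes) -> bool:
    # A launcher is INI-style text; its first non-blank, non-comment line must be [Desktop Entry]
    for line in data[:1024].decode("utf-8", errors="replace").splitlines():
        s = line.strip()
        if s and not s.startswith("#"):
            return s.startswith("[Desktop Entry]")
    return False

def is_mp4(data: bytes) -> bool:
    # ISO BMFF containers (MP4/MOV) carry an 'ftyp' box type at byte offset 4
    return len(data) >= 8 and data[4:8] == b"ftyp"

def desktop_fields(data: bytes) -> dict:
    # key=value pairs, first occurrence wins, comment lines skipped
    fields = {}
    for line in data.decode("utf-8", errors="replace").splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            k, v = line.split("=", 1)
            fields.setdefault(k.strip(), v.strip())
    return fields

def inspect(name: str, data: bytes) -> dict:
    # Classify one file by its content, then list why it is (or is not) suspicious
    suffixes = {s.lower() for s in Path(name).suffixes}
    reasons = []
    if is_desktop_entry(data):
        kind, f = "desktop-launcher", desktop_fields(data)
        if suffixes & MEDIA_EXTS:
            reasons.append("launcher file named like a media file")
        if Path(f.get("Name", "")).suffix.lower() in MEDIA_EXTS:
            reasons.append("Name= shows in the file manager as media: " + f["Name"])
        if "Exec" in f:
            reasons.append("runs a command when opened: Exec=" + f["Exec"])
    else:
        kind = "mp4" if is_mp4(data) else "other"
    # Size is only a weak hint: as noted in the thread, a launcher can be padded to look big
    if suffixes & MEDIA_EXTS and kind != "mp4" and len(data) < 64 * 1024:
        reasons.append("far smaller than the media type its name claims")
    return {"name": name, "kind": kind, "suspicious": bool(reasons), "reasons": reasons}

def scan_directory(root: str) -> list:
    # Run inspect() over every regular file under root (e.g. an unzipped download folder)
    return [r for p in Path(root).rglob("*") if p.is_file()
            for r in [inspect(p.name, p.read_bytes())] if r["suspicious"]]

# Constructed samples: a minimal real MP4 header and a launcher dressed up as a video
REAL_MP4 = b"\x00\x00\x00\x18ftypisom\x00\x00\x02\x00isomiso2mp41" + b"\x00" * 40
FAKE_MP4 = b"""#!/usr/bin/env xdg-open
[Desktop Entry]
Type=Application
Name=holiday_video.mp4
Exec=sh -c 'echo constructed-sample'
"""
```

Because it sniffs content rather than the name, it flags the launcher whether it is delivered as holiday_video.mp4 or holiday_video.mp4.desktop; the size rule is deliberately reported as just one reason among several.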
Is there a way to modify a mp4 file for android reverse shells? Staged right does some thing similar but unmodified it won't work for my practice target Android version(Oreo). Any thoughts?
KEEP GOING
how u get fake_video.mp4 file in when u unzip the file???...because as we can see when we zip those files it's a .desktop file and when u unzip it's an mp4 file...how??? is it magic???
It is not mp4 file, right? But desktop file
He Blinked!
Thanks!
good tutorial
COMPRESSION
I usually wince when receiving video files (MP3s etc.) in compressed file formats. Seems a humorous way of sending files that are generally incompressible by their nature. Unless the "DO NOT COMPRESS" switch is used during their creation, which is helpful when sending multiple files and/or password protection.
p.s. And as you know, compressing a file that is already highly compressed can actually increase its size.... blaw blaw I'm done 🤗
GREAT VIDEO as always 👍😎
Thank you
💜💙💛💚
Good point! Including that was my mistake
Oh, yeah
Yessir Another upload.
Was that your router ip how will that work are you attacking an internal pc
only works on local networks not remotely ?
can you show me how to do it on a windows?
In Step 5 where you put in your own ip address, if i understand properly, the first time u input your ip the victims pc connects to the linux program to download the files. In the part where you put in your ip the second time, can i put in a different ip and port so that it connects to a different pc after downloading the files from your linux computer?
Of course, the commands are completely separate. You can in fact even change everything in there as they are just batch commands
It's very creative but it has to be on same network?
I mean you could use a domain and the server behind it.
gr8 keep it up !!! hUge Fan
Crontabs are OP
Where is the code I don't see in the article
i had an issue when trying this: when i tried to open the video file on another Linux computer i got the following error saying (Additional software is required. parole needs application/x-desktop decoder to play this file. it can be installed automatically.) but when i click install i just get another error saying that Unable to install missing codes.. do you know what could cause this.
any help will be very much appreciated :)
Wait till you get to the netcat part and that doesn't work either because you have the firewall up.
Is this method allows me to have a control of an android phone ???
Hey. will this spook windows defender?
I'm a bit confused, when did you change the file extension?
yes i am also he save file name .desktop and he got mp4 file 7:05 i think they make fool of us XD :(
I'm pretty sure it was automatically done by the file manager using the metadata when it unzipped the file, which is probably why this exploit only works with specific file managers
Desktop files are links in Linux. The first time you run them, which he didn't show you, it gets rid of the .desktop extension, but it comes back when ran on a new computer.
so whats that laptop doing in jet propulsion ??
HUUUUUUUU NEWWW VIDEO HUUUUUUU
nothing happened on the other end. everything tries to go to microsoft store to open
This guy can stare the sin out of you
On which os do this reverse shell works
Linux
Ths what I wait for
can run payload also on windows
Can we do this for android as target
Can I do this on android as well?
Well this is creative.
how can I download linux mint 19.2, i cant search it anywhere :((
new video 🍻🍾🎆
Its Great...👍
can this attack be perfomed on android
no, because it essentially requires that the target machine is pre-compromised. It's not a hack, it's just a file that does something while also playing a video. A cool thing to mess around with, maybe even useful, but not a hack by any means.
I don't think so because you need some sort of storage or more like space to accurate that and I don't think Android got that sort of access to memory to execute the code and I don't think that kind of access can be found on Android, at least on an unrooted one
Will it work on Android os?
Damn, was gonna say first
but what about the network lag?
what os is this?
we accept him because he blinks
You have to be in the same network as the user ... and it only works with a specific Linux ... pretty cool but a little underwhelming tbh 😅 great video though !!
surprised so many others didnt notice🤦♂️👍
You can do port forwarding to seem like you're in the same network as the target, that's how backdoors work don't they?
@prakharmishra3000 😂😂 I'll give you points for effort but it's not exactly right
@PotaytoDestroyer well I don't know much about networking, can you explain why?
@prakharmishra3000 rtfm...
Doesn't the script that you create have to bind to the original video though if you want it to be convincing?? How would you get the thumb nail to show up without having to make the victims computer unzip a 2 file download??
try empire, its basically the same thing but has that option to show the thumbnail so its a bit more convincing
I am getting a error when I use nautilus . it goes like this
** (org.gnome.Nautilus:5727): WARNING **: 12:53:45.087: Error on getting connection: Failed to load SPARQL backend: Cannot autolaunch D-Bus without X11 $DISPLAY
Unable to init server: Could not connect: Connection refused
(org.gnome.Nautilus:5727): Gtk-WARNING **: 12:53:45.088: cannot open display:
Can we do this with a jpeg file
This guy is less scary
Hey can someone send me a list of all vulnerable Linux?
Not working on internet using ngrok or cloudflared
29.2?
Can it work for .exe file or any other executable program
exe files are for Windows. This exploit is only specific distributions of linux.
What if you are on wan? How to specify the port?
you nicely ask target to open it
Someone could understand something I didn’t understand, does this exploit only works in linux computers ? doesn’t Windows have this vulnerability? And does this only work being in the same network ?
There are some related exploits that are comparable in Windows. However as far as I know they will always have the shortcut indicator on the icon which would require the user to be a bit dumber to run.
With a static public ip it can work everywhere (with Linux)
Does this work only on my network if so how can i put it to work outside my network?
It won't work at all with the firewall up.
does it work with windows?
Not based on example shown. This one is set to linux file mgmt + reverse shell /bin/bash
Does it work on android???
It work
Why do I need a reverse shell
what OS did you use in this video?
Kali Linux
Is this how websites with bootlegged streaming videos put those sites up in order to gain access to your machine? He was using Linux here. A hacker would need a specific exploit for each OS to make it ubiquitous so does that mean Hackers just honeypot the videos until a vulnerable machine pops up in the queue. This is probably a data mining problem as Im sure once access is gained the hacker will have a class of subroutines that will search for the juicy bits and provide a summary/report with the most promising leads. What a headache... does a hacker think like this? Im sure there is a different classes of hackers. Some for fun, some casual, the professionals and then the 0.01% geniuses u want to stay away from who could do a lot of damage if they cared to.
You just look like spider man homecoming actor Tom Holland 😍
Nick G what up
Yo
in bettercap bluetooth, after typing command ble.recon on, it's telling ([err] no available device) even though my bluetooth is also turned on. what can i do please help me anyone
Buy a Bluetooth adapter
@hthbynaheem3689 like wifi adapter there is separate hardware for bluetooth ie; (adapter)??
who have fixed the apktool issues am stuck there ?
Its so interesting :)
Can i do it for android hack
can I use this for android 😐
So how to prevent this kind of attack? I'm a video editor by the way. I receive tons of footage from my clients on a regular basis.
It isn't going to work anyway. If somebody sends you a link in this manner, clicking on the link will put a dialog box asking you what to do with it. If they changed the dot address to, for example .MP4, it will try to open in your player that will show an error.
He also doesn't cover how to do a netcat over the net, which means everything here is local, or on your net work only.
It's just not workable in the real world.
What switches are you using on your keyboard
Cherry MX blue
Where’s Cody??
Yah, Where is he
Hacking
I have rolling IPs! How do I put the IP address in the mp4 file?
Google DynDNS or use a server
Work in windows to?
no
Does it work on Android devices?
no
"nothing to see here" HMMMMM
Friend, add Portuguese subtitles, thank you!!
Does this work on windows 10 or 11
he said linux exploit that only works on some linux distros.....
tried it and its showing as a .desktop file when zipped
so i got it but its still listening and cant find it
RIP DarkComet
not understand much part of it