Looking for:
How To Hack Windows 10 Using Metasploit And Kali Linux - Monday 14 August 2017Metasploit windows 10. Get Metasploit
The Metasploit Framework is the most commonly-used framework for hackers worldwide. It allows hackers to set up listeners that create a conducive environment referred to as a Meterpreter to manipulate compromised machines. We will do this through a malicious executable file, using Shellter. This article assumes the installation of Kali Linux has been done and is reachable through a bridged connection from a Windows machine on VirtualBox.
To create the executable, you would use msfvenom as shown in the command below:. The command instructs msfvenom to generate a bit Windows executable file that implements a reverse TCP connection for the payload. The format must be specified as being type. To obtain our IP address, we use the ifconfig command within Kali, specifying the interface as eth0 since we are on Ethernet :. The screenshot below shows the output of the command on successful. Antivirus solutions work by detecting malicious signatures within executables.
Our file will thus be flagged as malicious once within the Windows environment. We have to figure out a way to modify it to bypass antivirus detection. We will encode it to make it fully undetectable, or FUD.
Note that antiviruses also check the behavior of executables and employ techniques such as heuristics scanning, so they are not just limited to checking for signatures. During our lab tests, we discovered that Windows Defender which ships by default with Windows 10 flagged the executable six out of the ten times we used Shellter to perform the encoding. This is despite Windows 10 being a fresh download with latest patches applied! You will be better off purchasing Shellter Pro or any pro crypter or writing your own crypter to avoid antivirus flagging your executables.
Also note that when writing your own, disable automatic submissions. Otherwise, whatever you write if detected as potentially-unwanted software will be uploaded by your antivirus for analysis … And we both know how that will end.
On your Kali Linux, download Shellter with the command below:. You will be required to enter the absolute path to the executable to make FUD. Shellter will then initialize and run some checks. It will then prompt you whether to run in stealth mode. The next prompt will require you to enter the payload, either a custom or a listed one.
Select the index position of the payload to use. Shellter will run to completion and request you to press Enter. At this point, the executable you provided will have been made undetectable to antivirus solutions. Again, note that you are better off writing your own or purchasing a crypter that is constantly being revised. Otherwise, most of your encoding will be flagged as malicious or potentially unwanted software.
We now need to set up a listener on the port we determined within the executable. We do this by launching Metasploit, using the command msfconsole on the Kali Linux terminal. The screenshot below shows what commands to issue within Metasploit. The screenshot below displays the output. The reverse TCP handler should begin waiting for a connection.
The next step is to execute it from a Windows perspective. In a real-world practical situation, this will require social engineering skills. Nevertheless, copy the something32 to a Windows system within the same network as the Kali system.
On copying the file to our target Windows machine, we have the screenshot below. Execute the file. The executable causes the payload to be executed and connect back to the attacking machine Kali Linux. Immediately, we receive a Meterpreter session on our Kali Linux. This can be confirmed by running the getuid command, which tells us that we are running as user l3s7r0z.
In order to gain sufficient rights, we need to perform a UAC bypass. Privilege escalation allows us to elevate privileges from our less privileged user l3s7r0z to a more privileged one — preferably the SYSTEM user, which has all administrative rights. Metasploit by default provides us with some methods that allow us to elevate our privileges. On the Meterpreter prompt, we use the getsystem command, as shown below:. Since the methods used by getsystem all fail, we need an alternative method of elevating privileges.
We will use the comhijack exploit module to bypass User Access Control. We then run the exploit. We successfully receive a Meterpreter session. Typing sysinfo shows us the information of our target. We can see that elevation was successful and can confirm this by issuing getuid again. With these privileges, we can do quite a lot on our compromised target. We can even obtain credentials from browsers, key managers, the domain controller, perform keylogging, capture screenshots and even stream from the webcam.
This will not work on VM, It will need an actual native Windows install target. Now that we are within the target machine, why not perform some persistence to stay there? Persistence allows us to gain access back to the machine whenever we need to even when the target decides to patch the vulnerability. There are many ways of performing persistence. For example, we can code a malicious virus to always connect back to us whenever the target turns on their machine this is called a backdoor , or even have our own user accounts within the compromised target machine.
Metasploit also provides its method of persistence, discussed here. Remember the NTLM hashes we were able to obtain above using the hashdump command from the mimikatz module?
We can even log into any account within the target machine using any password hashes, impersonate legitimate users and download, alter or upload files.
On the Meterpreter session, we type the command shell to drop into a Windows shell on the Windows 10 target. This lists all the users within the windows machine. As we can see, there are only two users, the Administrator and the l3s7r0z user. We then add Jaime to the administrators group so that the account can perform admin functions.
The command used is:. We then add him to the RDP group. This will allow us to log in through RDP to the target machine, even after it has been patched to have firewall and antivirus on. In some cases, RDP is not enabled at the target machine.
As long as we are within the shell, we can enable it by adding a registry key. If you would like to disable RDP for whatever purpose, you can do so by typing the following command:. From the Kali Linux machine, we can use the remmina remote connection client.
If it is not installed within Kali, you can install it by typing the following command:. Start remmina by typing remmina on the command prompt.
And connect to the target using its IP address. You will be required to accept a certificate. Do so and use the username and password used to register the Jaime account. That is:. By default, in Windows 10, the logged-in user using Windows 10 will be required to allow you to connect. However, if they do not respond within 30 seconds, they are automatically logged out. In this article, we have seen how the Metasploit framework can be used to compromise a Windows 10 machine to gain a Meterpreter session.
We have used Shellter to FUD our malicious executable to bypass the Windows 10 antivirus and performed privilege escalation to gain more rights on our compromised machine. Hackers are not limited in what they can use the framework for. For instance, it can also be used to perform information gathering and pivoting through compromised networks. A new tab for your requested boot camp pricing will open in 5 seconds.
If it doesn't open, click here. He has a deep interest in Cyber Security and spends most of his free time doing freelance Penetration Tests and Vulnerability Assessments for numerous organizations. Your email address will not be published. Topics Penetration testing How to attack Windows 10 machine with metasploit on Kali Linux [updated ] Penetration testing How to attack Windows 10 machine with metasploit on Kali Linux [updated ].
Posted: February 10, We've encountered a new and totally unexpected error. Get instant boot camp pricing. Thank you! In this Series. How to attack Windows 10 machine with metasploit on Kali Linux [updated ] How ethical hacking and pentesting is changing in Ransomware penetration testing: Verifying your ransomware readiness Red Teaming: Main tools for wireless penetration tests Fundamentals of IoT firmware reverse engineering Red Teaming: Top tools and gadgets for physical assessments Red teaming: Initial access and foothold Top tools for red teaming What is penetration testing, anyway?
Related Bootcamps. Incident Response. October 24, at am.
No comments:
Post a Comment