Windows

Hello aspiring hackers. The exploit we will see today is a POST exploitation Metasploit exploit that performs Powershell enumeration in Windows. Windows PowerShell is a task automation and configuration management framework designed by Microsoft which consists of a command line shell and associated scripting language built on the .NET Framework and .NET Core.

PowerShell provides full access to COM and WMI, enabling administrators to perform administrative tasks on both local and remote Windows systems. Its same as a command line shell but powershell is more powerful than CMD. It is a very helpful tool for network asministrators. If used properly, it can also be used by hackers to the full potential.

But we need to know about the Powershell settings installed on the target system for this. This powershell enumeration module exactly does that for us. Let us see how this module works. Just like any Metasploit POST module, we need to have a valid meterpreter session to run this module. Background the current meterpreter session and load the powershell environment enumeration module as shown below. Type command “info” to view the information about this module as shown below.

Type command “show options” to view the options to be configured. Set the session ID of the meterpreter session we just sent to background and execute the module using command “run”.

As you can see in the image above, our module successfully completed powershell enumeration of the target machine. Powershell version 2.0 is installed on our target system an there are no powershell snap-ins are installed. It seems none of the users have powershell profiles.

Hello aspiring hackers. The module we will learn about today is the Git Submodule Command Execution Exploit. If you are a developer, cyber security enthusiast or at least a computer user, you should have definitely used (or heard about) Github. Git is an open source version control system developed by none other than the awesome Linus Trovalds (yes the same guy who created Linux).

It is a system designed to keep in touch with constant changes made to the code of software by developers. GitHub is a popular hub where developers store their projects and network with like minded people. Github stores information in a data structure called a repository. The particular module exploits a vulnerability in Git submodule.

Git submodules allow users to attach an external repository inside another repository at a specific path.This vulnerability in the Git submodule can be exploited by an attacker who can change the URL of a sub- module in a repository. This URL in the submodule can be changed to point towards a malicious link.

This module is a local exploit and works on Git versions 2.7.5 and lower. Now let us see how this module works. Start Metasploit and load the exploit as shown below. Type command “show options” to see all the options we need for this module to run.

First, we need to configure the malicious Git server. Set the options : LHOST, git_uri and Iport options as shown below. The git_uri option sets the malicious git submodule. Use command “run” to start our Git server. As the user git clones from our URL, we will get a command session on the target.

Now we need to send this malicious Git url to our intended victims. Probably it should be set as a software to convince the users to clone into their machine. Here we are testing this on KaIi Linux 2016 machine which has the vulnerable version of Git installed. We need to instruct the user to update the submodule just cloned. Let us see what happens on the victim machine.

As this happens in our victim system, we will already get a command shell on our attacker system as shown below.

We can see the active sessions using the command “sessions”.

 

Recently, we saw the Windows Fodhelper Privilege escalation exploit. Today we will learn about another Windows privilege escalation exploit that works on machines from Windows 7 to Windows 10. This exploit bypasses the User Account Control of the Windows and gives us system privileges. Its called Windows BypassUAC COMhijack exploit. How does it do this? Let us see.

COM stands for Component Object Model. It acts as a binary interface between various processes of different programming languages. In Windows, is is the basis for several other Microsoft technologies like OLE, OLE Automation, Browser Helper Object, ActiveX, COM+, DCOM, Windows shell, DirectX and Windows Runtime.

This module will bypass Windows UAC by creating COM handler registry entries in the Hive Key Current User hive. These created registry entries are referenced when certain high integrity processes are loaded which eventually results in the process of loading user controlled DLLs (as you already know DLLs are Dynamic Link Libraries).

These DLLs the exploit loads contain the payloads that result in elevated sessions. After the payload is invocated, registry key modifications this module makes are cleaned up. This module invokes the target binary via cmd.exe on the target. Therefore if cmd.exe access is restricted, this module will not run correctly.

Now let us see how this exploit works. As for every privilege escalation exploit, we need to already have a meterpreter session like the one we have here, here and here.  Background the current meterpreter session and remember the session id. Search for the bypassuac_comhijack module as shown below.

Load the bypassuac_comhijack module as shown below and check its options by using the “show options” command as shown below.

Set the session id as shown below and execute the exploit using “run” command as shown below. If everything went right, we will have another meterpreter session as shown below.

Check the privileges using the “getuid” command. If you still don’t have system privileges, run command “getsystem” and even if it results in an error, check your privileges once again using command “getuid“. You should definitely have system privileges by now.

Hello aspiring hackers. Today we will learn about Windows applications enumeration exploit. This is a POST exploit in Metasploit which means this exploit is only available when we get a meterpreter session on the target system. Once a Windows system is hacked, privilege escalation is the next step. One of the ways to escalate privileges in a Windows system would be to find vulnerabilities in the programs installed in our target Windows system. We can do this manually but Metasploit has a post module to do exactly this. Let us see how to use it.

Send the current meterpreter session to background and load the enum_applications module as shown below. Just like any other POST module, it needs only one option, the session id of the meterpreter session we just sent to background.

Set the session Id and execute the module as shown below.

As you can see, the module successfully gave us the programs installed on our victim’s system. Now we can search for any vulnerabilities in those programs which we could be used in privilege escalation

Hello aspiring hackers. Today we are going to learn about a remote code execution exploit in Microsoft Windows. Its called Microsoft Windows Lnk CVE_2017_8464_lnk_rce exploit. Earlier also we have seen some LNK vulnerabilities in Microsoft Windows but this one is special. You know why? A victim need not even click on the file we are creating as part of this exploit. We can host this file on a web server and direct our victim to that site. Otherwise we can save the file to a USB drive and insert it in our target’s system. Both require a bit of social engineering.

This exploit works due to a vulnerability in Microsoft Windows that could allow remote code execution if the icon of a specially crafted shortcut is displayed. An attacker who successfully exploits this vulnerability could gain the same user rights as the local user. Let us see how this exploit works.

Load the exploit as shown below and check the options it requires. using “show options” command.

Type command “info” to see more information about the module.

Set the windows/meterpreter/reverse_tcp payload and configure its options as shown below.

Set the LHOST address and run the exploit. It will create a file in the folder as shown below.

Now send the file to our victim using any one of the methods discussed above. We will get a meterpreter session as shown below.

If the exploit got interrupted as shown below, type command “sessions -l” to see the available meterpreter sessions as shown below.

 

Hello aspiring hackers. Today we will see an exploit  which helps us in Windows 10 Privilege escalation. Till now, there was no exploit for privilege escalation in Windows 10. Recently we got one. This module will bypass Windows 10 UAC by hijacking a special key in the Registry under the current user hive and inserting a custom command that will get invoked when the Windows fodhelper.exe application is launched.

Once the UAC flag is turned off, this module will spawn a second shell with system privileges. This module modifies a registry key, but cleans up the key once the payload has been invoked. The module does not require the architecture of the payload to match the OS.

Imagine we have a scenario where we got meterpreter access to a Windows 10 system ( See how to hack Windows 10 with Hercules and see how to hack Windows 10 with hta exploit).

To use the fodhelper module to escalate privileges, we need to background the current session.

Search for fodhelper module using the search command.

Load the module and set the session ID as shown below.

Run the module as shown below.

As you can see, we successfully got a meterpreter session. When I check privileges, its still user privileges but when I run “getsystem” command, I get system privileges on Windows 10.

Happy HAcking.

HOW TO STAY SAFE: 

Microsoft had already released patches. Just make sure your system is updated.

During a pen test, it  sometimes becomes necessary to change Windows password. Although we have a hashdump feature to dump the password hashes of all users in a remote Windows system, this exploit directly changes the password of the user we want in the registry. Thus it saves the trouble of cracking the password hashes altogether.

This works on a local user account. This can be pretty useful if we need credentials but can’t crack the hashes. Mind that you need to have system privileges on the remote system to use this exploit (See how to escalate privileges). Let’s see how this exploit works.

First acquire system privileges on the system. Background the session (note the meterpreter session id) and load the hashcarver exploit as shown below.

 Type command  “show options” to see the options required. Session is the meterpreter session id, user is the user in the remote system whose password you want to change and “pass” is the password you want to set for the user.

My session id is 2, Kanishka is the username for which I want to change the pasword and I want the new password to be “hacked”.

When all the options are set, execute the exploit using command “run.  The exploit runs as shown and successfully changes the password. Happy hacking.

Here I bring you a fictional account of a Real Time Hacking Scenario originally published in Hackercool Magazine Feb 2017 Issue. This knowledge is strictly for education purposes and should be used only in pen testing.

Hi,everyone. I’m hackercool, allegedly a black hat hacker for some people but I still consider myself a script kiddie. The month of February was jampacked with parties for me. Most important of them was a get together with my scho- ol friends (none of my friends know about my hacker identity). With the ubiquitous smart phones nowadays, many photographs were taken. It was a very good opportunity to test my new digital camera.

I took numerous photographs of my friends in various poses but I didn’t pose for even a single photograph. None of my friends even took note of my absence but it’s a wonderful feeling to get lost in the crowd. You don’t know it. When I began to forget about the party, some of my friends requested me for the photos I took with my digital camera. They asked me to whatsapp them but I informed them I would send them my USB.

By now, my hacker instinct became active. I decided to hack my friends (or atleast try to hack them). I wanted to test how many would fall for it. Stage set. Plan in motion. Most of my friends (or for that matter many computer users in India) prefer Windows as their operating system. So I started my attack assuming my friends are using a Windows OS.

The channel of my attack was sending a USB drive to them which would have not only the party photos but also a specific  malware to hack them. There was one problem though. Even normal computer users would have both Windows Firewall ON and antivirus installed (I’m assuming all my targets are latest Windows 10). So I can’t use any renown malware or RATS since their signatures would be easily detected by many Antivirus.

So I decided to create a customised payload that would bypass most antivirus. Many people just assume antivirus cannot be bypassed but as you will see now, it’s a reality only hackers know about. For this attack, I decided to use Hercules customized payload generator.(More about this payload generator was discussed in Dec 2016 issue of Hackercool magazine and also on this blog). I have used this program a couple of times before and I am loving it.

It almost bypasses all antivirus, ofcourse until now. There’s a reason why I say that. Remember that the battle between malware and anti-malware is like that of between Newt and Garter snake, they continuously evolve. Hercules can be installed in Kali Linux which is my attacker system. (As already told, its installation is given in Dec 2016 issue of Hackercool magazine).

Open Hercules as shown below. It has three options : generate payload, bind payload and update. The first option will just generate a payload we want while the second option will bind the payload with another program’s executabl -e. The second option would have been excellent to me but Hercules seems to be under revamp and this op-tion is not added yet now. So I had no other option but to generate just a payload now. So I chose option 1.

Next, I need to select the type of payload. I had four payloads to select ; meterpreter reverse tcp, meterpreter reverse http, meterpreter reverse https and a Hercules reverse shell. I was not in the mood to try something new. Since I am well accustomed with the meterpreter reverse tcp payload, I decided to choose that option.

Next, I entered some options required for the hack to work.

LHOST= IP of my attacker machine

LPORT= the local port on which the reverse connection is to be sent.

persistence, migration and UPX functions are explained in the NOT JUST ANOTHER TOOL in the Dec 2016 issue of Hackercool magazine. I have not enabled all these options as it would attract the attention of anti-malware.

I named the payload “sunny_leone_unseen”. I hope you already know why but if you don’t know, you will know soon. The payload is saved at the location shown below.

Generating the payload is the easiest part of the hack. Now begins the difficult part. Convincing our victims to click on our payload. I just can’t ask them to click on the payload although that has worked for me sometimes. First I checked the payload if it was indeed undetectable by antivirus. Success there.

After thinking for sometime, I decided to do it in two ways. First one, by binding. Binding is a process of combining two exe files or other files into one. It is the age old way of sending the virus to victims. I chose love calculator as the other program to bind my payload to. Since most of my victims were on the younger side I expect that this will have more probability of being clicked on. The Love calculator is shown below.

Come on, the love between us is only 58.5%.

We have many binders available. A quick Google search should give you enough options. But I used Rakabulle binder for my job. Just add the files to compile as shown below and click on “Build Raka”. That will bind the two programs into one.

But there is a problem with binding. As I already told you, binding has been there for a long time. So even if we bind two genuine programs together, antivirus may flag it off as malware. I wanted to play smart. I also used the second method as backup.

Second method is a bit popular on the internet. It’s changing the icon of the exe file we generated. First, I created a shortcut for my file and changed the icon of the shortcut as shown below. Then I hid the payloa d. Now let me tell you about the name of my payload. My intention is to maximise the chances of my victim’s clicking on my payload. So I gave that name (Just Google sunny leone for more info).

All done. Now before I passed mu USB drive to my friends, I started a listener on Metasploit as shown below.

I have set the required options and typed command “run” to start the listener as shown below.

After starting the listener, I passed on the USB drive to my first victim. I was not expecting very quick results as all of them were employees. To quicken my chances, I gave it to my first victim on Friday evening. I thought the weekend would give them enough time to become my victim. My system was continuously on. It was a horrendous wait but it finally happened.  One victim fell for the trap. I got one meterpreter session. I quickly checked the OS info. It was a Windows 7. I was encouraged.

I was expecting atleast three connection on the same day. So I quickly backgrounded the session and started the handler again to rece- ive more connections. Very soon I got the second meterpreter session.

I sent even that session to background and waited, but there was no third connection. I waited for some more time and went out to do some errand. Even after returning, I had only two connections. So I thik I would have to be  content with them.

 

Hello aspiring hackers. There’s been a loooong (forgive the grammatical error) gap  in updating the blog. Well, blame it on 70% hectic schedule and 30% procrastination. But today we will see how to hack windows with HTA web server.

First things first. What is HTA web server? HTA stands for HTML application. So this server hosts a HTA file, which when opened will execute a payload via powershell. Ofcourse, the browser warns the user before executing the payload.

Now let’s see how this works. We will use this exploit to hack Windows 10. Start Metasploit and load the module as shown below.

Set the reverse meterpreter payload as it is a local exploit.

Type command “show options” to see the options we need to set for this exploit. Set the required options and type command “run” to start the exploit.

As you can see, it has generated an url. We need to make the victim click on this particular url for our exploit to work. We have already seen in our previous howto’s, how to make that happen. When the victim clicks on the url we sent him as shown below

the browser prompts a warning about the payload as shown below.

When the user ignores the user and clicks on “run”,  a meterpreter session is opened as shown below.

This session can be viewed and opened as shown below.

Hello aspiring hackers. Till now we have seen various ways of hacking windows, escalating privileges and creating a persistent backdoor for later access. After we have successfully created a backdoor, it’s time to perform further reconnaissance. Windows post exploitation recon helps us in gathering further info about our target network. This can be helpful to us in finding more vulnerable systems to hack and pivot.

If you have observed carefully while starting Metasploit, it has number of modules specified as “post”. Some of these are useful in recon. For us to do post recon we need to first hack the system and get metertpreter session on it. Now let us see how to perform this recon with Metasploit.

The first module useful in reconnaissance in the arp scanner. Arp scanner helps us to identify any hidden devices in the network. Hidden devices are those devices which don’t respond to normal requests like ping etc. For example, some firewalls intentionally don’t respond to ping requests. ARP scanning can detect these devices.

winpostexrc1

The checkvm module helps us to find out if the machine we hacked is a virtual machine, which in this case is true.

winpostexrc2

The dumplinks module will parse .lnk files from a user’s Recent Documents folder and Microsoft Office’s Recent Documents folder, if present. Windows creates these link files automatically for many common file types. The .lnk files contain time stamps, file locations, including share names, volume serial numbers, and more.

winpostexrc4

In some cases, we need to know what are the applications installed in the system we hacked. For example, in a case where we cannot escalate privileges and maybe a vulnerable program installed in the target can help us in privilege escalation. The enum_applications module exactly does that.

We can see in this specific case, there are only two programs installed.

winpostexrc5

The enum_logged_on_users module helps us in finding out the users logged in.  This may help us in knowing the usernames of the system.

In our case, we go to know the username as “admin”.

winpostexrc6

The enum_shares module will list the shares of both configured and recently used shares on the compromised system. My target doesn’t have any shares.

winpostexrc7

The enum_snmp module will enumerate the SNMP service on the target, if installed. It will also enumerate its community strings.

In our case, there’s no SNMP service installed.

winpostexrc8

The hashdump module does exactly what it says. It dumps the password hashes from the target system as shown below. May I remind you that meterpreter already has this hashdump function.

winpostexrc9

The usb_history module retrieves the history of usb devices connected to the target system. In my case, no USB devices were connected to the target.

winpostexrc10

The most interesting of all these is the lester script. The lester script suggests local exploits for the target system. This script automatically searches and lists exploits for the targeted system. Now you may question why do we need exploits for the system we already hacked. Well maybe to escalate privileges or find an exploit which gives us more power on the system.

winpostexrc11

That’s all for today folks. I will be back soon.