Hello aspiring hackers. There’s been a loooong (forgive the grammatical error) gap in updating the blog. Well, blame it on 70% hectic schedule and 30% procrastination. But today we will learn how to use HTA web server exploit for hacking windows.
First things first. What is HTA web server? HTA stands for HTML application. So this server hosts a HTA file, which when opened will execute a payload via powershell. Ofcourse, the browser warns the user before executing the payload.
Now let’s see how this works. We will use this exploit to hack Windows 10. Start Metasploit and load the module as shown below.
Set the reverse meterpreter payload as it is a local exploit.
Type command “show options” to see the options we need to set for this exploit. Set the required options and type command “run” to start the exploit.
As you can see, it has generated an url. We need to make the victim click on this particular url for our exploit to work. We have already seen in our previous howto’s, how to make that happen. When the victim clicks on the url we sent him as shown below
the browser prompts a warning about the payload as shown below.
When the user ignores the user and clicks on “run”, a meterpreter session is opened as shown below.
This session can be viewed and opened as shown below.
Good afternoon friends. Recently our have learnt about windows hacking with Arcanus framework. Today we will learn about another payload generator that helps us in bypassing antivirus ( till date) during pentest of Windows machines. That is Hercules framework.
Let’s start by cloning Hercules framework from github as shown below.
After cloning, a new directory with name HERCULES will be created. Move into that directory and do a “ls”. We should see a file named “Setup”. First change the permissions of this file using chmod as shown below. Once we get execute permissions on the Setup file, execute the file using command “./Setup“.
The setup automatically installs Hercules as shown below and
successfully ends as shown below. You have successfully installed Hercules framework in Kali Linux.
Type command “HERCULES” to start the framework. It’s interface looks like below. In this part, let’s generate a payload. Enter option “1”.
Select what type of payload you want to create. There are four payloads as shown below. I am choosing the first one. You can choose appropriately.
After we select the type of payload we want to create, we need to enter some options. Let us see the options it provides. LHOST and LPORT are self explanatory. Choosing Persistence function adds our running binary to Windows startup registry so that we can have persistent access to the target. Since we have already know how to create a persistent backdoor we will not enable it here.
Migration function triggers a loop that tries to migrate to a remote process. UPX ( Ultimate Packer for executables ) is an open source executable packer. To those newbies who have no idea what packers are, they are used to compress the executables. Software vendors also use them to obfuscate the code. We will see more about packers in our future howtos.
Concerning this howto, remember that enabling migration, persistence and UPX functions may increase the chances of your payload being detected by Antivirus.
Here I have only enabled the UPX function so the packing process begins as shown below.
Once the packing process is over, your final binary file is stored with the name you have given to it. I named it as “res”.
Next start the listener on Metasploit as shown below and send the binary file to our target. Once he clicks on our executable file, we will get the meterpreter session as shown below.
In our part2 of this howto, we will see how to bind our payload to other executables.
Good morning aspiring hackers. Today we will see how to create a persistent windows backdoor with Metasploit. As soon as we get meterpreter shell on the target system, it is a good practice for a hacker ( pen tester ) to create a backdoor. Coming to that, what exactly is a backdoor? A backdoor is something which gives us continuous access to our target system.
Next question that comes to our mind is why we need to create a backdoor? Most of the methods we used to take control of our target systems are based on the vulnerabilities our target has. So once the vulnerabilities are patched, access to the target is lost. That’ why we need to create a backdoor.
This backdoor also answers a question many people ask like, once we get a meterpreter shell, can we shut down our machine? If we restart, will the connection be gone or still intact? .This backdoor needs only one one condition to be fulfilled. The target system should be out of its safest mode. i.e it shouldn’t be turned off .
Now let us see how to create a persistent windows backdoor with Metasploit. In the meterpreter session we acquired on the target system, run the command “run persistence -h“. It will show you all the options we can set for our backdoor. All the options are self explanatory.
Now I want my backdoor to start as soon as the system starts. So I chose ‘X’ option. After starting, I want it to make connection attempt to my attacker system every three seconds, so I kept the interval(i) as 3. The port on which connection should be made is 443. The option (r) is remote system’s IP address i.e the IP of the system to which the connection should be made.
Remember this script will be installed on the target system. Run the script. As you can see, the file is installed in the autorun.
Now it’s time to start a listener on our attacker system. We have done it many times as shown below.
Change the options accordingly as we set in the persistence script and start the handler. If the system is live, we will get the meterpreter shell as shown below.
Hello aspiring hackers. Today we will learn how to do Windows hacking with Arcanus Framework. Arcanus is a customized payload generator that can generate payloads which are undetectable by almost all of the antiviruses (till date ). This could be very useful in penetration testing.
Today we will see how to get a shell on a remote Windows system with this tool. Before we do anything, we need to install golang. Install Golang and then clone the Arcanus git as shown below.
Navigate to the ARCANUS directory created and view its contents. We should see a file ARCANUS_x86. We will generate a x_86 payload. First change its permissions as shown below.
Next run this file. You should see an ARCANUS logo as shown below.
You will see five options as shown below. Since we are about to hack windows, we will generate a windows payload by choosing option 2.
It will prompt you for the attacker IP address ( in our case the address of Kali Linux ) and a port on which you to listen for the reverse shell. Enter the values and hit “Enter”.
It will generate the payload and automatically start a listener as shown below.
The payload will be generated with the name “payload.exe” as shown below in the ARCANUS directory.
Next we need to send this payload to the victim. When the victim clicks on the payload we sent, we will get a shell of the victim as shown below.
Good morning aspiring hackers. Today we will see Windows hacking with Cypher. Cypher is a simple tool to automatically add shellcode to PE files. PE files means portable executable files.
But what is shellcode? It is a list of carefully crafted instructions that can be executed once the code is injected into a running application. So in simple terms, Cypher allows us to add shellcode to portable executable files like…. well it can be any Windows executable. Usually we use shellcode to get a remote shell or create a backdoor shell on our target system. Cypher even allows us to get the powerful meterpreter shell.
Now let us see how to perform Windows hacking with this tool. First, let us git clone this tool into Kali Linux using commands as shown below.
Make sure you are in the same directory where cypher is cloned. It gives information on how to create different types of payloads. Let us add a reverse meterpreter shell using the command shown below.
Now let us see all the options we specified.
addShell.py : syntax of Cypher
-f : the ‘f’ option stands for file. This is to specify the portable executable into which we want to create our backdoor. Remember that some executables are packed and don’t allow writing shell code. Test and use accordingly. Here, I’m using plink.exe located on my Desktop.
-t : the target OS for which you want to create this backdoor for. These include four options: 0,1,2,3. These are for Windows 7 32bit, Windows 7 64 bit, Windows 8.1 64bit and Windows 10 64bit respectively. Here I have specified it as 1 since I’m testing it on Windows 7 64bit OS.
-d : offset. This is nothing but distance between the point where we are trying to enter our shellcode to the point where we are exactly placing our shellcode. Even if you don’t understand that sentence above, let me tell you why it’s important. The success of injecting our shellcode into an executable is that the executable should work fine even after we inject our backdoor. The exe shouldn’t crash. By default, this value is set to four. But if your exe is crashing, set it to a greater value( I set it to 10) as I did above.
-H : attacker’s IP address. In our case, IP address of Kali Linux.
-P : the port on which we want our shell back.
-p : Mind the lowercase. This stands for payload we want to set. ‘1’ stands for Windows/meterpreter/reverse_http. The other options are,
After setting all the options, hit on Enter. The payload will be created with the same name but end with _evil as shown below. I leave sending the package to our intended victim to you but remember almost every antivirus can detect our file as malicious.
Since my blog is committed to make hacking as close to reality as possible, I have a solution. Google for “making Finfisher undetectable”. Open the first link Google search finds and follow some of the steps shown there. Trust me this works. Now send the package to the victim.
Now to listen to our reverse shell, we need a listener. Open Metasploit and create a reverse_http listener as shown below.
Set the required options like IP address and port. Note that they should be same as we specified while we added shell code to the file. Type run command. The exploit should hang on as shown below.
Now when our victim clicks on the file we sent, we should get a meterpreter reverse shell as shown below.