Category: Hacking

Posted on by 2 Comments

HTA web server exploit for hacking Windows

Hello aspiring hackers. There’s been a loooong (forgive the grammatical error) gap in updating the blog. Well, blame it on 70% hectic schedule and 30% procrastination. But today we will learn how to use HTA web server exploit for hacking windows.

First things first. What is HTA web server? HTA stands for HTML application. So this server hosts a HTA file, which when opened will execute a payload via powershell. Ofcourse, the browser warns the user before executing the payload.

Now let’s see how this works. We will use this exploit to hack Windows 10. Start Metasploit and load the module as shown below.

Set the reverse meterpreter payload as it is a local exploit.

Type command “show options” to see the options we need to set for this exploit. Set the required options and type command “run” to start the exploit.

Image explaining about usage of hta web server exploit

As you can see, it has generated an url. We need to make the victim click on this particular url for our exploit to work. We have already seen in our previous howto’s, how to make that happen. When the victim clicks on the url we sent him as shown below

the browser prompts a warning about the payload as shown below.

When the user ignores the user and clicks on “run”, a meterpreter session is opened as shown below.

This session can be viewed and opened as shown below.

That’s all in HTA web server exploit. Learn how to hack windows with Hercules.

Posted on by

Windows Post exploitation recon with Metasploit

Hello aspiring hackers. Till now we have seen various ways of hacking Windows, elevating privileges and creating a persistent backdoor for later access. After we have successfully created a backdoor, it’s time to perform further reconnaissance. Windows post exploitation recon helps us in gathering further info about our target network. This can be helpful to us in finding more vulnerable systems to hack and pivot.

If you have observed carefully while starting Metasploit, it has number of modules specified as “post”. Some of these are useful in recon. For us to do post recon we need to first hack the system and get metertpreter session on it. Now let us see how to perform this recon with Metasploit.

The first module useful in reconnaissance in the arp scanner. Arp scanner helps us to identify any hidden devices in the network. Hidden devices are those devices which don’t respond to normal requests like ping etc. For example, some firewalls intentionally don’t respond to ping requests. ARP scanning can detect these devices.

The checkvm module helps us to find out if the machine we hacked is a virtual machine, which in this case is true.

The dumplinks module will parse .lnk files from a user’s Recent Documents folder and Microsoft Office’s Recent Documents folder, if present. Windows creates these link files automatically for many common file types. The .lnk files contain time stamps, file locations, including share names, volume serial numbers, and more.

In some cases, we need to know what are the applications installed in the system we hacked. For example, in a case where we cannot escalate privileges and maybe a vulnerable program installed in the target can help us in privilege escalation. The enum_applications module exactly does that.

We can see in this specific case, there are only two programs installed.

Image explaining about windows post exploitation reconnaissance

The enum_logged_on_users module helps us in finding out the users logged in. This may help us in knowing the usernames of the system.

In our case, we go to know the username as “admin”.

The enum_shares module will list the shares of both configured and recently used shares on the compromised system. My target doesn’t have any shares.

The enum_snmp module will enumerate the SNMP service on the target, if installed. It will also enumerate its community strings.

In our case, there’s no SNMP service installed.

The hashdump module does exactly what it says. It dumps the password hashes from the target system as shown below. May I remind you that meterpreter already has this hashdump function.

The usb_history module retrieves the history of usb devices connected to the target system. In my case, no USB devices were connected to the target.

The most interesting of all these is the lester script. The lester script suggests local exploits for the target system. This script automatically searches and lists exploits for the targeted system. Now you may question why do we need exploits for the system we already hacked. Well maybe to escalate privileges or find an exploit which gives us more power on the system.

That’s all for today folks. I will be back soon.

Posted on by

Arcanus Framework : Hacking Linux OS Part 1

Hello aspiring hackers, till now we have only seen hacking windows operating systems with customized payload generators. Today we will see hacking Linux OS with Arcanus framework.

Although not as great as Windows, people using Linux OS are growing day by day. In my opinion, Linux OS is a bit easy to hack with payload generators as there is a general myth that Linux is immune to malware. Some of my friends use Linux as dual boot to keep themselves safe from virus.

Ok, now let us see how to hack Linux OS with Arcanus Framework. Start and select the option 3 since we are generating a Linux payload. If you are new to Arcanus Framework, go here.

Hit Enter. Enter your IP address (Kali Linux in this case) and the listening port as shown below.

Hit Enter. It will generate the payload in the same directory start to automatically listen for a reverse shell as shown below.

Send the generated payload to our victim. When he runs it, we should get a shell on his system as shown below.

Image explaining about usage of Arcanus framework
Posted on by 1 Comment

Upgrade command shell to Meterpreter session

Hello friends.. I took a long break from the blog (actually I was channeling my energy on my monthly magazine Hackercool). But I am here now back with a bang or should I say hack. Ok, Most of the times we only get a command shell on our target while hacking, although we wish we got a meterpreter session .Today we will see how to upgrade the command shell to meterpreter.

First thing we need is to background the current command shell session. Hit on CTRL+C. Don’t abort the session altogether. If it happened by mistake ( like it happened to me below), select “no” when it asks whether to abort a session. Then hit CTRL+Z and select Yes. Your session has been sent to background. Remember the session number.

Load the command shell to meterpreter upgrade module. We need only one option, the session id we sent to background.

Image explaining about upgrading command shell to meterpreter

Specify the session id and run the exploit as shown below. We will get the meterpreter session.

Type command “sessions -l” to see all our sessions as shown below.

We can load the meterpreter session as shown below.

If you found that helpful. Please check out my monthly magazine Hackercool.

Posted on by

Windows hacking with Hercules Framework : Part1

Good afternoon friends. Recently our have learnt about windows hacking with Arcanus framework. Today we will learn about another payload generator that helps us in bypassing antivirus ( till date) during pentest of Windows machines. That is Hercules framework.

Let’s start by cloning Hercules framework from github as shown below.

After cloning, a new directory with name HERCULES will be created. Move into that directory and do a “ls”. We should see a file named “Setup”. First change the permissions of this file using chmod as shown below. Once we get execute permissions on the Setup file, execute the file using command “./Setup“.

The setup automatically installs Hercules as shown below and

successfully ends as shown below. You have successfully installed Hercules framework in Kali Linux.

Type command “HERCULES” to start the framework. It’s interface looks like below. In this part, let’s generate a payload. Enter option “1”.

Image explaining about the usage of Hercules Framework for Windows exploitation

Select what type of payload you want to create. There are four payloads as shown below. I am choosing the first one. You can choose appropriately.

After we select the type of payload we want to create, we need to enter some options. Let us see the options it provides. LHOST and LPORT are self explanatory. Choosing Persistence function adds our running binary to Windows startup registry so that we can have persistent access to the target. Since we have already know how to create a persistent backdoor we will not enable it here.

Migration function triggers a loop that tries to migrate to a remote process. UPX ( Ultimate Packer for executables ) is an open source executable packer. To those newbies who have no idea what packers are, they are used to compress the executables. Software vendors also use them to obfuscate the code. We will see more about packers in our future howtos.

Concerning this howto, remember that enabling migration, persistence and UPX functions may increase the chances of your payload being detected by Antivirus.

Here I have only enabled the UPX function so the packing process begins as shown below.

Once the packing process is over, your final binary file is stored with the name you have given to it. I named it as “res”.

Next start the listener on Metasploit as shown below and send the binary file to our target. Once he clicks on our executable file, we will get the meterpreter session as shown below.

In our part2 of this howto, we will see how to bind our payload to other executables.