Posted on Leave a comment

ms08-067 exploitation to hack Windows XP

Hello aspiring ethical hackers. In this article, we will see how to exploit ms08-067 vulnerability to hack Windows XP. As our readers may already know by now, ms08-067 is a vulnerability in Windows 2000, Windows Server 2003 and Windows XP.  It is a critical vulnerability that allows remote code execution on the target Windows system by sending a specially crafted RPC request to it.

This vulnerability doesn’t require any authentication or even user interaction on the target side. That’s the reason why it is ubiquitous in any ethical hacking course. We have exploited this vulnerability recently in our February 2021 Issue. But that was done using without Metasploit.

In this article, we will do this with Metasploit. For this, we have chosen our target as Windows XP SP2 and our Attacker system as Kali Linux. Most of the Antivirus ended their support to Windows XP SP2 (Windows XP SP3 is the minimum supported version. Even Real world systems running Windows XP SP2 are running without Anti Virus.)

So Nmap scan revealed a Windows target as shown below.

Start Metasploit and load the ms08_067 module.

Set all the required options and use check command to see if the target is indeed vulnerable.

The target is indeed vulnerable. Now, execute the module as shown below.

As readers can see, we successfully got a meterpreter session with SYSTEM privileges.

Posted on Leave a comment

Shellcode Injection with Metasploit

Shellcode Injection Module is a Metasploit module which as its name suggests, injects shellcode into the target Windows system on which we already have access. In our previous article, we have learnt what is shellcode and how it is created. Shellcode is a bit assembly code or machine language and it plays a very important role in cyber security. Typically shellcode is used in offensive penetration testing.

Let’ s see how this module works. Get a meterpreter session on a Windows system. Background the current session and load the post windows shellcode inject module as shown below.

We will use Donut tool to create a shellcode of the mimikatz program. Mimikatz is a tool used to experiment with Windows security. Its known to extract plaintext passwords and kerberos tickets from memory. It can also perform pass-the-hash, pass-the-ticket or build Golden tickets.

Set the SESSION ID and other options given below.

Set the interactive option to TRUE . We need to do this so that we are not taken directly to the mimikatz shell. We also need to set the correct target architecture.

After all the options are set, we need to just execute the module as shown below.

That’s all about the Metasploit Shellcode Injection Module.

If you liked this article you can Learn advanced ethical hacking tutorials in our Monthly Magazine. Enjoy Free for 3 months.

Posted on Leave a comment

Windows Powershell Enumeration POST Exploit

Hello aspiring hackers. The exploit we will see today is a POST exploitation Metasploit exploit that performs Powershell enumeration in Windows. Windows PowerShell is a task automation and configuration management framework designed by Microsoft which consists of a command line shell and associated scripting language built on the .NET Framework and .NET Core.

PowerShell provides full access to COM and WMI, enabling administrators to perform administrative tasks on both local and remote Windows systems. Its same as a command line shell but powershell is more powerful than CMD. It is a very helpful tool for network asministrators. If used properly, it can also be used by hackers to the full potential.

But we need to know about the Powershell settings installed on the target system for this. This powershell enumeration module exactly does that for us. Let us see how this module works. Just like any Metasploit POST module, we need to have a valid meterpreter session to run this module. Background the current meterpreter session and load the powershell environment enumeration module as shown below. Type command “info” to view the information about this module as shown below.

Type command “show options” to view the options to be configured. Set the session ID of the meterpreter session we just sent to background and execute the module using command “run”.

As you can see in the image above, our module successfully completed powershell enumeration of the target machine. Powershell version 2.0 is installed on our target system an there are no powershell snap-ins are installed. It seems none of the users have powershell profiles.

Liked this article? Learn advanced ethical hacking tutorials in our Monthly Magazine. Enjoy Free for 3 months.

Posted on 1 Comment

Hack Remote PC with Git Submodule

Hello aspiring hackers. In this howto, we will learn how to hack remote PC with Git Submodule. If you are a developer, cyber security enthusiast or at least a computer user, you should have definitely used (or heard about) Github. Git is an open source version control system developed by none other than the awesome Linus Trovalds (yes the same guy who created Linux).

It is a system designed to keep in touch with constant changes made to the code of software by developers. GitHub is a popular hub where developers store their projects and network with like minded people. Github stores information in a data structure called a repository. The particular module exploits a vulnerability in Git submodule.

Git submodules allow users to attach an external repository inside another repository at a specific path. This vulnerability in the Git submodule can be exploited by an attacker who can change the URL of a sub- module in a repository. This URL in the submodule can be changed to point towards a malicious link.

This module is a local exploit and works on Git versions 2.7.5 and lower. Now let us see how this module works. Start Metasploit and load the exploit as shown below. Type command “show options” to see all the options we need for this module to run.

First, we need to configure the malicious Git server. Set the options : LHOST, git_uri and Iport options as shown below. The git_uri option sets the malicious git submodule. Use command “run” to start our Git server. As the user git clones from our URL, we will get a command session on the target.

Now we need to send this malicious Git url to our intended victims. Probably it should be set as a software to convince the users to clone into their machine. Here we are testing this on KaIi Linux 2016 machine which has the vulnerable version of Git installed. We need to instruct the user to update the submodule just cloned. Let us see what happens on the victim machine.

As this happens in our victim system, we will already get a command shell on our attacker system as shown below.

We can see the active sessions using the command “sessions”.

That is how we hack remote pc with Git Submodule.

Liked this article? Learn advanced ethical hacking tutorials in our Monthly Magazine. Enjoy Free for 3 months.

Posted on 1 Comment

LNK CVE 2017 8464 lnk RCE Exploit

Hello aspiring hackers. Today we are going to learn about a remote code execution exploit in Microsoft Windows. Its called Microsoft Windows Lnk CVE 2017 8464 lnk rce exploit. Earlier also we have seen some LNK vulnerabilities in Microsoft Windows but this one is special. You know why? A victim need not even click on the file we are creating as part of this exploit. We can host this file on a web server and direct our victim to that site. Otherwise we can save the file to a USB drive and insert it in our target’s system. Both require a bit of social engineering.

This exploit works due to a vulnerability in Microsoft Windows that could allow remote code execution if the icon of a specially crafted shortcut is displayed. An attacker who successfully exploits this vulnerability could gain the same user rights as the local user. Let us see how this exploit works.

Load the exploit as shown below and check the options it requires. using “show options” command.

Type command “info” to see more information about the module.

Set the windows/meterpreter/reverse_tcp payload and configure its options as shown below.

Set the LHOST address and run the exploit. It will create a file in the folder as shown below.

Now send the file to our victim using any one of the methods discussed above. We will get a meterpreter session as shown below.

If the exploit got interrupted as shown below, type command “sessions -l” to see the available meterpreter sessions as shown below. 

That’s all in LNK CVE 2017 8464 lnk RCE Exploit. How to hack a system without any vulnerabilities? Learn about Hercules Framework.