Friday, April 11, 2014

Penetration Testing : Crash Windows 7 Using Metasploit and Remote Desktop Connection Vulnerability

Crashing Windows 7


Now while the story so far has been smooth and cozy, it gets a bit tough from here on. For modern operating systems like Windows 7, there aren't any magical exploits like the ones we had for unpatched Windows XP machines. We had been able to hack Windows XP and try some meterpreter features on the exploited XP machine. However, when it comes to Windows 7, there aren't any direct exploits for gaining access to the machine. We can try some client side attacks, etc. Social engineering toolkit would be great for stuff like that. However, there is still one vulnerability that waits to be exploited. In Windows 7, there is a hole in the RDP port (3389) which can work over LAN as well as over the internet. Over the internet stuff can get a bit tougher, however on the LAN, this should be a piece of cake (if you have successfully followed out pentest tutorials so far).



Requirements

Now you will require an attacker Kali machine, and a victim Windows machine, both running on Virtual machines. Windows 7 should be a fresh install, with no updates, as they can patch the vulnerability, making it unexploitable. Now when you have got all this setup, you can move on to further steps.

Information Gathering

Now we'll have to find out the IP of out victim. This would have been complicated in a real life scenario, but in our case, you just go to Windows 7, open command prompt, and type ipconfig. You should be looking for IPv4 address of Local Area Network.
In our case thats where the information Gathering Stops

Starting Metasploit

Now execute the following commands to start metasploit framework (on recent versions of Kali, run only the third command, skip the first two)
service postgresql start
service metasploit start
msfconsole
So now you have msf console opened up (note my codes will still display root@kali but you don't mind it).

Exploit

Now select the exploit that we are going to be using-
use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
Now do a show options, it will tell you that  it only requires two options, RHOST and RPORT. Rport is obviously 3389, the remote desktop port. The RHOST is the one you found out in the information gathering step. The use the following code to set the RHOST
set RHOST 192.168.---.---
Surprising as it may seem, we are done already. Just type
exploit
The target machine will get a Blue Screen Of Death and will reboot. You can do this as many times as you feel like, and in real life scenario, it can be really annoying, considering it can be done over the internet too.

Possible Problems





 If you get an error of this sort, then most probably your Windows 7 machine has firewall enabled, and is blocking your packets. An antivirus could do the same thing. There might be some issues with the LAN connection too. A good diagnosis test would be to ping the machine. Go to a kali terminal and execute
ping 192.168.---.---
After waiting for a while, press ctrl + c which will stop the pinging. Look at the result-
 If you get something like this (0 packets received), then there is absolutely no communication between the Kali and Windows machine (in effect, they are not on the same network, even though they are). That's why the exploit doesn't work.
Something like this means that the connection is just fine, and probably the Windows machine has become immune to the attack due to some patch. (see : https://technet.microsoft.com/en-us/library/security/ms12-020.aspx)
If its the former case, then you'll have to find a way to get the connection working, and if its the latter, then try disabling firewall, antivirus, and maybe setting the network as home instead of public. Then go to advanced sharing settings, and choose all the options that you think will make your computer easier to hack.
If possible, see if you can uninstall installed updates. The final thing to do is to get an early unpatched release of Windows 7. In some cases installing VMware tools might help.

Enable Remote Desktop

In many Windows releases, remote desktop is turned off by default. To enable it, follow these steps-
Go to System (Control Panel\System and Security\System). Click on Remote settings. Select the "Allow Remote Connections to this computer" button. Click ok.
Select the allow option. By default don't allow is selected in many Windows releases.

50 comments:

  1. after exploit it "shows rdp unreachable"

    ReplyDelete
    Replies
    1. Can you copy the complete error as well as the output of show options.

      Delete
    2. I also get that error! **.***.**.***:3389 RDP Service Unreachable
      Auxiliary module execution completed

      Delete
  2. msf auxiliary(ms12_020_maxchannelids) > exploit

    [-]192.168.1.10 - RDP service Unreachable
    [*] Auxiliary module execution completed

    ReplyDelete
  3. Man how i will exploit a windows 7 pc over the internet

    ReplyDelete
    Replies
    1. Have to find some way to find the victims ip address, some how,

      Delete
  4. How to find someones external ip adress and is it possible finding it on facebook.

    ReplyDelete
    Replies
    1. The easiest way is via email header. [You have to find a way to get the person to send you a mail]. Finding IP via skype is pretty easy too. There is no direct method as such for Facebook (that I'm aware of).

      Delete
  5. why is it that whenever go to the main page of this website, it redirects me to another website?

    ReplyDelete
    Replies
    1. Please elaborate . There is no redirect mechanism per se on this website. Any details would be appreciated.

      Delete
    2. Never mind. Found the issue. Solved it (hopefully).

      Delete
  6. this works fine for me the 2 services start maybe important cause before i only use msfconsole, and thanks, this really helps :)

    ReplyDelete
  7. may i request a tutorial? :D a tutorial on how i can open someones webcam :D in a lan network

    ReplyDelete
    Replies
    1. Meterpreter has something of that kind, if I remember correctly.

      Delete
    2. how about a tutorial in setting up your USB wireless adapter in kali VM? haha, just asking if possible

      Delete
    3. Setting up USB wireless adapter? Tutorial? I don't get it. You simply have to plug in the adapter, go to VM -> Removable Devices, choose your adapter. That'll be it.

      Delete
  8. anyways :3 happy new year! i've learned so much from here, thank you very much <3

    ReplyDelete
  9. Hi
    A emergency questions:(i 'm not found answer in internet and youtube)::
    please note :i have compete complete(full) access to the victim ADSL rouer web interface,,..

    1- How can i hack(have shell to) the pc behind the router??
    3-Is it possible that i do man in the middle attack ??
    2-How can i sniff data that pass through victim router ??
    4-what other things or attack can i do with this acccess to the router ???

    **all quetions situation is when i have full access to victim router web interface**
    (i found a solution by change DNS to my ip and fake update with "evilgrade" on kali linux....but i don't want to wait until victim open the program and if i be lucky update it).
    my OS=kali linux
    plz answer completely and assum victim router is tp-link or d-link and tell where of router must be changed
    plz answer full and compete (with pictures if possible) plz

    my email : lordhadi20@gmail.com
    my email : lordhadi20@gmail.com

    SPECIAL TNX




    ReplyDelete
  10. a hole thru that rdp... just wondering, how can i (the attacker) possibly enable the target's rdp if its rdp service is not up?... then, how could the target know what really happened to him, like can he trace my IP add, the commands that were thrown at him (payload)?...

    ReplyDelete
    Replies
    1. I can't think of a simple way for the attacker to enable RDP if it's not running (that sort of change requires administrator privileges, and if we had that in first place the crash exploit would be a joke).

      Also, I think tracing IP won't be hard. Depending on the method of attack, even a wireshark capture can give the victim your IP. I'm not into forensics at all, but if you make no efforts to hide your ass, it won't take the victim much efforts to find you ass :p . I have no idea how easily (if at all) the victim can find you once you've removed the payload, i.e.whether the clean removal of payload still leaves behind traces in the system logs,etc.

      Delete
  11. Why should both(win7 and kali linux) be running on virtual machines????

    ReplyDelete
  12. how to run it or start it in mac os x yosemite

    ReplyDelete
  13. how do you know which exploit to use?

    ReplyDelete
  14. msf auxiliary (ms12_020_maxchannelids) > exploit
    [*] 192.168.2.108:3389 - Sending MS12-020 Microsoft Remote Desktop Use-After-Free DoS
    [*].....210 bytes sent
    [*].....Checking RDP status...
    [*]..... RDP Service Unreachable

    I've disabled the Windows Firewall, activated Remote Desktop and allowed connections from computers running any version of Remote Desktop (less secure)

    Target system:

    Windows 7 Ult x64 SP1

    Any suggestions?

    ReplyDelete
    Replies
    1. That last line from terminal is actually [-]...

      Delete
  15. Could you tell me how to solve the above erro
    rdp unreacable

    ReplyDelete
  16. you guys are probabby doing it in a different network
    ,you must make sure u are on the same network but if u want to do it in a WAN u should make sure or find a way
    to make the victims 3389 port is open thankx

    ReplyDelete
  17. you must make sure u are on the same network Thzone

    ReplyDelete
  18. im on the same network
    RDP port is open
    still getting error Host unreachable..
    is it because of firewall protecting the network?

    ReplyDelete
  19. it will only work when firewell is turned off

    ReplyDelete
  20. Hi are using Wordpress for your site platform? I'm new to the blog world but I'm trying to get started and create my own. Do you require any coding expertise to make your own blog? Any help would be really appreciated! facebook login in

    ReplyDelete
  21. At that point, think about the material. The fundamental reason in checking the material is ensuring that this specific furniture can hold your computer framework securely. Read This buying guide

    ReplyDelete
  22. Great article Lot's of information to Read...Great Man Keep Posting and update to People..Thanks curved monitor gaming

    ReplyDelete
  23. Such a very useful article. Very interesting to read this article.I would like to thank you for the efforts you had made for writing this awesome article. cheap rdp

    ReplyDelete
  24. Great tips and very easy to understand. This will definitely be very useful for me when I get a chance to start my blog. cheap rdp

    ReplyDelete
  25. It was a very good post indeed. I thoroughly enjoyed reading it in my lunch time. Will surely come and visit this blog more often. Thanks for sharing. free instagram likes uk

    ReplyDelete
  26. We will be getting a reverse TCP connection from the victim machine by using a small backdoor hack windows 7 using metasploit.

    ReplyDelete
  27. 토토 Can add up your article, believe that there is something you can add, visit the site

    ReplyDelete
  28. 토토 Your blog posts are more interesting and impressive. I think there are many people like and visit it regularly, including me.I actually appreciate your own position and I will be sure to come back here

    ReplyDelete
  29. This one is perfect. I really got a lot of good ideas from this blog. I love your work. This blog is very interesting and valuable. Thanks for sharing this blog with us. Now it's time to avail HALFCASTE CREAM SET for more information.

    ReplyDelete
  30. What a great numerological explanation. According to numerology, the 911 angel number symbolizes great accomplishments. Also, the 5050 angel number is said to bring positive news. Last but not least, seeing the 96 angel number is a positive sign of prosperity.

    ReplyDelete
  31. They didn't waste a moment – the work was done in record time. junk removal

    ReplyDelete
  32. I found your blog post both informative and engaging. Your detailed explanation of exploiting Windows 7 vulnerabilities is truly fascinating. Driving Without A License In New Jersey You've made a complex topic accessible and interesting for readers. Keep up the great work, and I look forward to more insightful content from you! New Jersey Domestic Violence Registry

    ReplyDelete

© Kali Tutorials, 2016. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Shashwat Chaudhary and Kali Tutorials with appropriate and specific direction to the original content.
Bitcoin: 1B5aLqJcMW7zznffTxQwta8JTZsxBDPguC