How to hack Windows 7 SP1 64-bit with Social Engineer Toolkit (SET)

This post is a follow up to my previous one Don't click that file! How to hack Windows XP SP3 with an msfvenom payload, where I successfully hacked Windows XP SP 3 by using a custom exploit.

This time, we're going to hack Windows 7 64 bit SP1. For this purpose, I used a Kali Linux v.2 64 bit virtual machine (attacker machine) and a Windows 7 SP 1 64-bit virtual machine (victim machine).

We're going to build an exploit by using the Social Engineer Toolkit, developed by my boss, Dave Kennedy, who founded the company I'm currently working with (cheers, man, hope to see you soon).
The Social Engineer Toolkit is found in the Exploitation folder, under All Apps.
When we launch it, it will open up a shell.
In the program menu, we're going to choose number 1 (Social Engineering attacks). 

Then, we'll select number 4 (Create a payload and a listener).

In the next menu, we'll select number 5 (meterpreter 64 bit). 
We'll be asked for the IP address of the listener, that is the IP of the Kali Linux machine. Then we'll indicate a port to be opened; here I'm using the default one.
SET will now create a payload file, which we'll have to send to our victim.

This file will trigger the attack, opening an invisible shell on the victim's machine.

To start the exploit, we can enter "yes", which automatically starts Metasploit and launches our exploit. After a while, you'll notice the message "Meterpreter Session 1 open". However, the session wasn't actually opened: Metasploit gets stuck here, unlike in our previous Windows XP exploitation.

You'll therefore have to run the sessions -i 1 command to open a meterpreter session.

Now we can do pretty much whatever we want on the victim machine (check the embedded video tutorial for more details).

We can sniff keystrokes on the victim machine by starting the keylogger.

I typed a bunch of gibberish in Notepad on the victim machine, just to show how the keylogger works.

If we now analyze the logged keystrokes on Kali, we'll see all the text I've typed in the Windows machine has been recorded by our keylogger.

The only case where my exploitation was unsuccessful was related to dumping usernames and passwords stored on the victim machine.

Some research showed that the reason is a lack of privileges. In fact, my user account, although it is an administrator, isn't the default system administrator account, i.e. the one named NT\Windows\Authority.

In fact, the security identifier of my account has its last part (called Registered ID, or RID) equal to 1001. Accounts with an RID of 1000 or higher were created after Windows installation, while the default administrator account (i.e. NT\Windows\Authority) has RID 500.
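The RID reasoning above can be checked mechanically when auditing which accounts exist on a machine. The following Python is an added example (not the post's own code, nor part of SET or Metasploit) that parses a textual SID and reports whether its RID belongs to the built-in Administrator (500) or to an account created after installation (1000 and above); the sample SIDs are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Well-known full SIDs and per-domain RIDs (values documented by Microsoft).
WELL_KNOWN_SIDS = {"S-1-5-18": "LocalSystem (no RID)"}
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users"}
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)*$")


@dataclass
class SidInfo:
    sid: str
    authority: int
    sub_authorities: List[int]
    rid: Optional[int]  # last sub-authority of an S-1-5-21-... account SID


def parse_sid(sid: str) -> SidInfo:
    """Split 'S-1-<authority>-<sub>-...' into its numeric parts; rid is set
    only for machine/domain account SIDs of the form S-1-5-21-X-Y-Z-RID."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a textual SID: {sid!r}")
    numbers = [int(p) for p in sid.split("-")[2:]]
    authority, subs = numbers[0], numbers[1:]
    is_account = authority == 5 and len(subs) == 5 and subs[0] == 21
    return SidInfo(sid, authority, subs, subs[-1] if is_account else None)


def classify_account(sid: str) -> str:
    """Explain what the SID's RID says about the account, as in the post above."""
    info = parse_sid(sid)
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    if info.rid is None:
        return "no per-account RID"
    if info.rid in WELL_KNOWN_RIDS:
        return f"{WELL_KNOWN_RIDS[info.rid]} (RID {info.rid})"
    if info.rid >= 1000:
        return f"created after installation (RID {info.rid})"
    return f"reserved well-known RID range (RID {info.rid})"


if __name__ == "__main__":
    # Constructed sample SIDs: the machine part is made up, only the RIDs matter.
    for s in ["S-1-5-21-1004336348-1177238915-682003330-500",
              "S-1-5-21-1004336348-1177238915-682003330-1001",
              "S-1-5-18"]:
        print(s, "->", classify_account(s))
```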

Privilege escalation through getsystem command doesn't normally work at all in Windows 7.

However, in a coming post, I'll show how I achieved a privilege escalation by using another specific exploit.

Though Windows 7 is much more secure and hardened than XP, no system is immune from social engineering attacks.

In fact, the Social Engineer Toolkit allowed me to exploit my Windows 7 virtual machine in a surprisingly short amount of time.

Thanks to SET, I could repeat on Windows 7 the same steps I performed during my Windows XP exploitation.

My exploitation wasn't totally successful at this stage, but I've built on this result and achieved a privilege escalation, too, which will be analyzed in the coming post.

Thanks for your time.
