Hi, I am Rafay Baloch, a security researcher, author and a public speaker.

Pentesting Windows 7 And Bypassing Antivirus

Ever tried to hack Windows 7? Ever tired of bypassing antivirus? Then this is the tutorial for you. So you want to know how to attack a fully secured and protected Windows 7 SP1 x64 with all security defenses enabled and running (UAC, DEP, ASLR, EMET, etc.).

Note: This tutorial is for educational purposes only; it must not be used for malicious purposes.

Not just that, but Kaspersky Internet Security 2012 is also installed, activated, updated to this moment, and running with its default options (firewall, application control, proactive defense, etc.).

As we know, Windows 7 SP1 doesn't have remote exploits like MS08-067 for XP or MS09-050 for Vista, because Windows 7 is more secure and exploitation (exploit development) is very hard (good job, Microsoft). Most internet users have Firefox, Chrome or Internet Explorer; not all of them, but one or two of them (I am using all of them at once :) ).

And they have Flash Player from Adobe and Java from Oracle, so they watch online clips and movies on YouTube and enjoy online games and applications that require Java and Flash Player. Most of them have an anti-virus with the firewall enabled by default; they use (ESET, Avira, Avast, Kaspersky, BitDefender, etc.).

Let's take a look at the best anti-virus in the world: the "Real World" Protection Test (chart updated!).

And download

We can see that Kaspersky Internet Security 2012 and BitDefender are the best.

But Kaspersky is the best one from my point of view :)
Let's imagine this scenario:
I am working as a penetration tester in a big security company. They asked me to conduct a penetration test for a big customer, client side / social engineering only: no web penetration testing, no network or wireless penetration testing, just client side.

I said ok let’s do it.

We finished all the paperwork and the other legal stuff, and now I am thinking about how I can penetrate this company.
My company told me that the big customer's web site URL is (http://www.bigx.com).
I made a quick search using Google.

Then I used another tool called theHarvester; you can find it in BackTrack 5 R2 or download it from http://www.edge-security.com/theHarvester.php
I found many emails:

That is good; now I have a starting point to target and attack all the emails I found.
Now I know that this is a big customer and a big company, so they must use big security as well.
And they have anti-virus and modern, secured operating systems like Windows 7 SP1.
So public exploits against IE, Firefox, Flash, Adobe and other local programs will not work, and I will get detected: the anti-virus will detect the exploits I send to my targets and remove them.
So the best chance I have is to use an evil Java applet and trick the victim into opening it.
But the victim must have Java installed on his system.
Ok, this is good, as many internet users have Java installed, including me :)

Ok, time to hunt them all ….
I searched on pipl.com

I entered all the emails I have and found a lot of interesting information, like:

Note: this is FAKE; I cannot disclose sensitive information about the big company :)

As you can see: name, age, location, gender, and also a Facebook account.

I added [email protected] as a friend on Facebook, and we are now friends.

I chatted with him about his company and some general talk.

After some time we had a little trust in each other (I can send him images or links).

Now I will start my BackTrack 5 R2 machine and run this cool program:

Social-Engineer Toolkit, AKA SET

Now it is time to attack my target.

I will create an evil Java applet. In the SET menu I will choose:
2) Website Attack Vectors
1) Java Applet Attack Method

After that:
1) Web Templates

And then:
4. Facebook

Now the most important part: we must use a payload that is not detected by any security product (AV, IPS).

I know that my victim is using Kaspersky Internet Security 2012 and Windows 7 SP1; I asked him in our Facebook chat, "What is the best anti-virus you recommend?"

He replied, "Oh, the best one is Kaspersky Internet Security 2012; we are using it in our company and I personally use it on Windows 7."

I tried many payloads in my penetration testing lab and most of them were detected by Kaspersky :(
But payload number 11

  11) SE Toolkit Interactive Shell            Custom interactive reverse toolkit designed for SET

works like a charm and no AV detects it :)

Then I choose it and choose port 443 as the local port the payload will connect back to.

Note: I opened two ports on my router (443, 80), so the victim can connect to me when the payload is successfully executed.

Now we are good and ready

Now we must send our external IP to the victim; we can use this website:

And you will find your external IP like this:

And we can hide our external IP by using the bit.ly website to shorten and conceal it.

You can see that my external IP is hidden now!

Now I can send him this link, and when he clicks on it he will see facebook.com loaded with the Java applet exploit. Note that Kaspersky is running.

And he will click Run (he is secured and doesn't fear anything :) ).

Now he clicked Run, and I can see:

Kaspersky is running, Java is running and everything is secure :)

But I have a remote shell on my target machine.

Now I can do many things like:

Just press 1 to start interacting with the opened session.

And then type help to view all supported commands.

I always like a pure Windows command shell.

I will type "shell".

And I will type "tasklist" to view all running processes and services.


OMG, "Kaspersky is running :)"
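The tasklist view above only shows that the anti-virus process is alive; it says nothing about which process is holding the outbound connection on port 443 that the SET payload uses to call home. The following is an added example from the defender's side, not code from the original post or from SET: it correlates constructed `netstat -ano` and `tasklist` output (both sample listings, process names, PIDs and addresses are made up for this example) and flags ESTABLISHED connections to ports 80/443 from processes that are not expected to be talking to the web, such as java.exe. The set of expected HTTPS clients is an assumption for a typical workstation and should be tuned per environment.

```python
"""Added example (not from the original post): spot a reverse-shell callback
by correlating `netstat -ano` with `tasklist` on a Windows 7 host.
All sample output below is constructed for this example."""

import re
from collections import namedtuple

# Constructed sample of `tasklist` output (only Image Name and PID are used).
TASKLIST_SAMPLE = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0         24 K
avp.exe                       1180 Services                   0     35,120 K
explorer.exe                  1844 Console                    1     44,220 K
firefox.exe                   2310 Console                    1    180,004 K
java.exe                      2788 Console                    1     60,112 K
cmd.exe                       3020 Console                    1      2,900 K
"""

# Constructed sample of `netstat -ano` output (addresses from documentation ranges).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49201     203.0.113.5:443        ESTABLISHED     2310
  TCP    192.168.1.10:49213     203.0.113.5:443        ESTABLISHED     2788
  TCP    192.168.1.10:49220     198.51.100.7:80        ESTABLISHED     2310
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       700
  UDP    0.0.0.0:500            *:*                                    1180
"""

# Assumption: processes that normally hold outbound HTTP/HTTPS connections on a
# workstation. java.exe, cmd.exe, powershell.exe etc. are deliberately absent.
EXPECTED_WEB_CLIENTS = {"firefox.exe", "chrome.exe", "iexplore.exe", "avp.exe"}
# Ports a callback commonly uses to blend in with normal browsing (as in the post: 443/80).
CALLBACK_PORTS = {80, 443}

Connection = namedtuple("Connection", "proto local remote state pid")


def parse_tasklist(text):
    """Map PID -> image name from `tasklist` output; header/separator lines are skipped."""
    pid_to_name = {}
    row = re.compile(r"^(\S.*?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K$")
    for line in text.splitlines():
        m = row.match(line.strip())
        if m:
            pid_to_name[int(m.group(2))] = m.group(1)
    return pid_to_name


def parse_netstat(text):
    """Parse `netstat -ano` rows into Connection tuples (TCP has a State column, UDP does not)."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts and parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = ""
        else:
            continue
        conns.append(Connection(proto, local, remote, state, int(pid)))
    return conns


def remote_port(addr):
    """Return the port of 'host:port', or None for wildcard addresses like '*:*'."""
    _, _, port = addr.rpartition(":")
    return int(port) if port.isdigit() else None


def find_suspicious_callbacks(netstat_text, tasklist_text):
    """Return (image name, pid, remote) for ESTABLISHED connections to callback ports
    owned by a process that is not an expected web client."""
    names = parse_tasklist(tasklist_text)
    hits = []
    for c in parse_netstat(netstat_text):
        if c.proto != "TCP" or c.state != "ESTABLISHED":
            continue
        if remote_port(c.remote) not in CALLBACK_PORTS:
            continue
        name = names.get(c.pid, "<unknown>")
        if name.lower() not in EXPECTED_WEB_CLIENTS:
            hits.append((name, c.pid, c.remote))
    return hits


if __name__ == "__main__":
    for name, pid, remote in find_suspicious_callbacks(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"suspicious outbound connection: {name} (PID {pid}) -> {remote}")
```

On the constructed sample this reports only the java.exe connection to 203.0.113.5:443; the two Firefox connections to the same ports are expected. On a real host the two listings come from `netstat -ano` and `tasklist` run at the same moment, and an entry like this is exactly what the "everything is secure" tasklist view above hides.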

This is the time to view files, download/upload, and do some real-world Windows post-exploitation.
We owned our victim and found many sensitive Bigx.com files like usernames and passwords and some private docs and photos :) and found FileZilla FTP usernames and passwords, connected with those FTP credentials, and you know the rest ……

"Man, WE defeated them all!!"

Now it is time to write a nice report.

I hope you enjoyed this (FAKE) real-world scenario.

But again, this tutorial is for educational purposes only. Do not use it for malicious purposes.

About The Author

Mohamed Ramadan is a security researcher from Egypt. He is interested in Penetration Testing, Malware Reverse Engineering, Securing Websites and Servers and Forensics. He also teaches Penetration Testing at Ninja-Sec.com.

© 2016 All Rights Reserved by RHA Info Sec.