Exploiting Win10 with Metasploit 01

For me, one of the most interesting parts of the cyber security landscape is penetration testing, or pentesting. Breaking into a network or system certainly carries plenty of legal risk and should only ever be done in an ethical manner, but I can’t imagine a cooler job than working to disrupt unethical hackers, rogue states, online criminal activity, etc.

With that in mind, below I present a method for using the incredible power of the Metasploit Framework and Kali Linux for breaking into an admittedly insecure Windows 10 system. This tutorial is in 3 parts and is more or less guaranteed to work! Enjoy and please leave your comments, questions and suggestions at the end.


Part 1 — Identifying a Target

Getting Started

  • Kali Linux VM (attack system)
  • Windows 10/11 VM or PC (target system)
  • Both attack and target systems are on the same network

Goals

  • Identify target PC on the local network
  • Use Nmap to find valuable information about the target PC’s open ports and services

Process

First, with your Kali VM on the same network as the target PC, click the dropdown arrow by the terminal icon and open a root terminal emulator…

…and type the following to determine your IP address.

ip addr

You should see something like this:

We are interested in the IP address (listed as “inet”) of either eth0 (if you’re using an ethernet connection) or wlan0 (wireless connection).

We can now use Nmap to scan the entire local network by replacing the Kali VM IP with the entire subnet expressed as 192.168.0.0/24. This will allow Nmap to find all the active clients on the local network and will provide us with some important information about each.

nmap 192.168.0.0/24

Once Nmap finishes, we get a nice overview of clients on the network. One of these clients appears to be a Windows PC; we know its IP address is 192.168.0.104, and we have a list of several open ports that we might try to exploit:

We can perform a more aggressive scan of just this IP address to try and get a little more information about the PC:

nmap -A 192.168.0.104

Now Nmap shows us service versions, the specific OS, and a traceroute, among other bits of useful info. By the way, if Nmap doesn’t report open ports or says it thinks the host is down, try adding the “-Pn” modifier to your command.

OK, we’ve identified a target and found some detailed information on its open ports and services. Let’s ping its IP address from Kali to check on the state of its firewall.

ping -c 4 192.168.0.104

Ideally, this will be successful and will show four successful ping attempts of the target with 0% loss. If this doesn’t work, then the target has its firewall configured in such a way as to make our attack much more difficult and out of the scope of this series.
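As an added example (not from the original post), here is a small Python parser for Nmap’s normal output that turns the network overview above into per-host records and flags open TCP ports that are not on a host’s approved list. That is the same check a defender runs against a scan of their own network to confirm the host firewall is actually blocking what it should. The sample scan text below is constructed for the example, not the article’s real output.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample of nmap's normal output (not the article's real scan).
SAMPLE_SCAN = """\
Nmap scan report for router.lan (192.168.0.1)
PORT   STATE SERVICE
53/tcp open  domain
MAC Address: 11:22:33:44:55:66 (Unknown)

Nmap scan report for 192.168.0.104
Host is up (0.0013s latency).
PORT     STATE    SERVICE
135/tcp  open     msrpc
139/tcp  open     netbios-ssn
445/tcp  open     microsoft-ds
3389/tcp open     ms-wbt-server
5357/tcp filtered wsdapi
MAC Address: AA:BB:CC:DD:EE:FF (Unknown)
"""

HOST_RE = re.compile(r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?$")
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")
MAC_RE = re.compile(r"^MAC Address: (?P<mac>[0-9A-F:]{17})(?: \((?P<vendor>[^)]*)\))?$")

@dataclass
class Host:
    ip: str
    hostname: str | None = None
    mac: str | None = None
    open_ports: list[tuple[int, str, str]] = field(default_factory=list)  # (port, proto, service)

def parse_nmap_normal(text: str) -> list[Host]:
    """Turn nmap's human-readable report into one Host record per 'scan report' block."""
    hosts: list[Host] = []
    cur: Host | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HOST_RE.match(line):
            cur = Host(ip=m["ip"], hostname=m["name"])
            hosts.append(cur)
        elif cur is None:
            continue  # preamble before the first host block
        elif (m := PORT_RE.match(line)) and m["state"] == "open":
            cur.open_ports.append((int(m["port"]), m["proto"], m["service"]))
        elif m := MAC_RE.match(line):
            cur.mac = m["mac"]
    return hosts

def unexpected_exposure(host: Host, allowed_tcp: set[int]) -> list[int]:
    """Open TCP ports not on the host's approved list: what its firewall should be blocking."""
    return sorted(p for p, proto, _ in host.open_ports if proto == "tcp" and p not in allowed_tcp)
```

Ports reported as filtered (here 5357/tcp) are skipped, since those are the ones the firewall is already handling.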

At this point, there are several attack avenues we might try. We can do some research (i.e., Google) on the open ports Nmap discovered and find likely Metasploit modules to try, but for the purposes of this tutorial series, I will assume that we’ve used a few social engineering techniques to assist in our process.

When you’re ready, check out Part 2 for the next steps!

Assumptions

OK, honestly Windows 10/11 is pretty well-defended out of the box at this point. In order to get these methods to work best, the target PC needs to have its firewalls disabled. This isn’t too likely on someone’s personal PC, as Windows 10/11 creates firewalls for domain, private and public networks by default. On a (poorly) managed corporate network, this could be a more likely scenario for PCs that have Microsoft’s security products permanently disabled and rely on third-party software that theoretically provides protection. But this won’t be a problem for us because we have set up our target PC or VM specifically to be hacked for educational purposes.

Legal-ish Stuff

All the techniques and instructions presented here are for educational purposes only. Do not use social engineering techniques in the wild and ensure that any network or machine you break into is either your personal equipment or that you have express, written permission to perform these actions. Be smart and don’t get yourself into trouble.