55

2
Then you will know the truth and the truth will set you free.
John 8:32

Introduction
If you are interested in and passionate about hacking then this FREE Ebook is definitely for you.
Because this EBook will make you understand what Real World Hacking is.
Simply put, Real World Hacking it is Hacking that work in Real World. If you have learnt
hacking or interested in hacking, you should have seen lots of tutorials on internet about hacking.
Although, most of them are awesome in their own sense, most of them will not work when
implemented in Real world. Take for example the Metasploit ms08_067 exploit module. (It works
in your lab but in Real world there are so many complexities to overcome. Let’s not forget about
Anti-Virus detecting the payload and Firewalls blocking the malicious connection altogether.
In Real world, there are many things to consider, like Firewalls blocking connections and Anti-
Malware waiting to detect the least possible malicious activity as soon as possible. That brings you to
the most important question. HOW DO HACKERS HACK IN REAL WORLD or HOW
REALWORLD HACKING WORKS?
That's where Hackercool Magazine comes in. Our Hackercool Magazine teaches readers "REAL
WORLD HACKING”. This includes as to how the latest hacking attacks work and the latest
techniques used by hackers to bypass Firewalls and evade Anti Malware. In this FREE Ebook, we
have given you two hacking tutorials, one including Metasploit and the other without Metasploit. As
you read through these tutorials, you will understand how Real World Hacking works.
Now, enough introduction. Enjoy reading your Free Ebook.

“THERE IS DEFINITELY A HUGE GAP BETWEEN SUPPLY AND DEMAND. AND THERE ARE
THREE ISSUES. FIRST, THERE AREN'T ENOUGH PEOPLE WHICH MEANS WE SHALL
REMAIN UNDEFENDED IF WE RELY ON PEOPLE TO PROTECT US. SECOND, OF THE
PEOPLE WE HAVE AVAILABLE, MORE THAN 60% WOULDN'T MEET COMPETENCY
REQUIREMENTS. I HAVE INTERVIEWED ABOUT 80 PEOPLE IN THE PAST 12 MONTHS
AND HAVE SHORTLISTED ONLY ONE PERSON. BUT AGAIN, I AM HIRING EXPERTS AND
NOT PEOPLE WHO JUST WRITE THINGS ON THEIR RESUMES. THIRD COMPANIES VIEW
EXISTING STAFF AS PEOPLE WHO ARE STUCK. NORMALIZING SALARIES IS NOT
ENCOURAGED BUT HIRING AT HIGHER RATES IS. THIS LEADS TO ATTRITION. IN
SUMMARY, CISOS HAVE QUITE A FIGHT,”
- AGNIDIPTA SARKAR, GROUP CISO, BIOCON IN AN INTERVIEW TO ECONOMIC TIMES
 3

Information provided in this Magazine is

strictly for educational purpose only.
Please don't misuse this knowledge
to hack into devices or networks without
taking permission. The Magazine will not
take any responsibility for misuse of this
information.
 4
Part 1- Bypassing Firewalls
BLACK HAT HACKING
Before I start this scenario, let me make clear to you what is Black Hat Hacking so that your exp-
ectations and this FREE ebook are on the same page. This is very important in order you don’t
get disa- ppointed in the end.
What is Black Hat Hacking? Black Hat Hacking or Real-world Hacking is the way of hacking pe-
rformed by Black Hat Hackers in Real World. Black Hat Hackers are the really bad guys of hacki-
ng which include Advanced Persistent Threats (APTs, mostly state sponsored), cybercriminal grou
-ps and individual Blackhat hackers like Phineas Fisher (the guy who hacked Hacking Team) etc.
Since I am now clear what this FREE ebook is about, let’s move to some practical tutorial. Here,
I will be showing you about exploitation of ms08_067 vulnerability. Why ms08_067? Because
most of the hacking courses explain about this vulnerability and hence, it is easy for you to unders
-tand. Even if you didn’t take a hacking course, ms08_067 exploitation is widely explained on
internet including my blog.
Here, I am not going to explain you what is ms08_067 vulnerability or its background or its histo
-ry. You will find plenty of these too on internet. I am going to just show you how to exploit it and
that too with Metasploit. My target system is as you expected Windows XP SP 2 with Firewall turn
-ed OFF.

and my attacker machine is Kali Linux. So, let’s do this quickly as we have lot of Black Hat stuff t-
o cover later in this article. Since my target is ready (I mean Firewall is turned OFF), I start Metas-
ploit and load the ms08_067 module.
In year 2022, CrowdStrike started tracking 33 new Advanced Persistent Threats
(APTs) taking the total APTs to 200.
 5

An advanced persistent threat (APT) is a stealthy threat actor, typically a state

or state-sponsored group, which gains unauthorized access to a computer network and
remains undetected for an extended period.
 6

Before I set the required options, let me explain you a simple concept in not just Black Hat Hack
-ing but in any type of hacking.
A VULNERABILITY is a weakness in a system or software and to take advantage of this vulnera-
bility we use a EXPLOIT. What we do after exploiting the vulnerability is decided by the PAYLO
-AD. ms08_067 is the vulnerability we are exploiting here and meterpreter is our payload here.

Now since the basic concept of any hack is clear, let's move forward. I set the required options i.e
the target IP (192.168.249.148) and use check command to see if the target is indeed vulnerable.

The target is of course vulnerable. Now, let’s execute the module.

MS08_067 vulnerability affected other Windows operating systems apart for
WIndows XP. They were Windows 2000, Windows Server 2003, Windows Vista, and
Windows Server 2008.
 7

Voila! I have a meterpreter session on the target system and that too with SYSTEM privileges. E-
ureka! Eureka! Eureka! Yah! Yeah! Yah! I can see you asking what the big deal in this or maybe y
-ou are thinking I have gone mad or may be thinking about why is this article titled Black Hat Ha-
cking etc.

To be frank, I had a similar question while taking a Ethical hacking course. The question runnin-
g in my mind was who will disable the Firewall on his operating system. Nowadays, did you ever
see even a noob user will disable his Firewall while using Windows OS. I haven’t seen even one p
-erson in my life doing this.
So we will do one thing. To simulate Real World, I will turn ON the Firewall on the target mach
-ine and run this module again and see what happens.
 8

Since all the options are already set, I execute the Metasploit module again. This is the result.

As you can see, this time module didn’t stand the test of the Firewall. The connection got refuse-
 9
So in Real World, the systems are safe with ms.08_067 vulnerability just by turning ON the firew
-all.
Wait a second. Back in 2008-09, millions of computers got hacked due to exploitation of this
vulnerability. So, the owners of all these systems turned OFF their Firewalls back then? Why woul-
d anyone do that? Actually, the secret (rather open one) lies in the service that is vulnerable.
ms08_067 vulnerability exists in the server service which is widely used. This service runs by
default in all Windows systems. Even when we turned ON the Firewall, this service is running but
Firewall is blocking our connection to it. This Nmap scan should reveal that.

It would be very nice if we can just tuck all our services behind Firewall. It would be a SAFE W-
ORLD out there. But there is a problem. What about genuine users who need this service? Let m-
e give you a simple example. Imagine you opened a brand-new website trying to sell an amazing
product you designed. The website is LIVE but being afraid of hackers you placed it behind a Fir-
ewall. No hacker can access it but what about your customers? Even they can’t access your websit-
e, right.
You need to allow your website access to get customers. We can do this by adding an exception
to the Firewall. Just like your website, server service is one of the essential services and many genu
-ine users (of the same network) needed access to it. Didn’t I tell you the secret is in the service wh
-ich is vulnerable.
To be able to use that service in your network and other apps, you just need to enable an
exception for it to pass things through Firewall as shown below. So, on the target system, I open
Windows Firewall and add an exception to the File and Printer service as shown below.
 10
Now, let’s check if the target is vulnerable or not. It is vulnerable now. Let’s execute the module
again.

This time, the module finds the port open, the target is vulnerable, the vulnerability is triggered
(exploited) but still failed to get a meterpreter session. But this exploit seems to be working. What
happened now? Don’t you worry.
Let’s just change the payload from windows/meterpreter/bind_tcp to windows/meterpreter/
reverse_tcp and try again. This may bring me some luck. So, I set the meterpreter/reverse_tcp
payload instead of meterpreter/bind_tcp payload and execute the module again.

The WIndows Server service of Windows systems handles file and print sharing on
Windows systems and allows communication between network devices.
 11

This time we successfully got a meterpreter session. Note that we got this session in spite of
Firewall turned ON. So Real world. But what just happened here? Why initially we didn’t get a
session but got it later.
To understand this, you need a basic lesson on types of payloads. We have learnt in the beginnin
-g that payload decides what you want to do after exploiting the vulnerability. There are different
types of payloads. For this tutorial set, let’s just learn about two types of payloads.

They are,
1)Bind Payload 2)Reverse Payload
Bind payloads initiate the connection from the attacker machine to the target system while
Reverse payloads initiate the connection from the target system to the attacker system. See the ima
-ge below.
 12

Initially, when the Firewall was turned OFF on the target system, we got a successful meterpreter
session because there was no firewall blocking incoming connections. All ports were available,
When we turned ON the Firewall and gave an exception to just port 445, all other ports were bl-
ocked by the Firewall. You can see below that our handler tried to bind to port 4444 of target syst
-em but failed as this port is being blocked by Firewall.

Normally, firewalls block all incoming traffic except some services but allow outgoing traffic sinc-
e this is considered to be safe. Why? Because it is being initiated by insiders of an organization an-
d they can be trusted.
 13
Just imagine you have some amount of money. You will save it in your house in a locker that’s
present in your Bedroom (safest room), lock it and keep the keys at a safe place which all or at lea
-st most of the family members know. There is a minute chance that one of your family members
may take the keys, open the lock, take money outside and give it to someone else. But you trust th
-em. Our Firewall does the same here.So, once we used a reverse payload, the connection got
initiated from the target system to the Attacker system as shown below.

All goody. Goody. You finally know how to successfully hack a target system behind Firewall. A
-ll’s well that ends well. But have you observed the IP addresses of our target machine and attacke
-r machine. No problem if you didn’t observe them. Here they are. The IP address of attacker sys-
tem is 192.168.249.148 and that of target system is 192.168.249.158. They both belong to the netw-
ork 192.168.249.XXX. I mean they are on the same network. Somewhat like this.
 14
You know I just now told you that it is very difficult to find a target system with Firewall
turned OFF. Maybe there is chance however miniscule to somehow convince the victims to turn
OFF the Firewall using Social Engineering. But how in the world will you convince victims to join
the same network as you. I imagine a scenario here. The Hacker calls or texts the victims and asks
him to come join his network as he has detected a vulnerability in his system and he wants to
exploit it. Nice and clean.
Ok. That was not as funny as I had expected. What I wanted to tell you is this. Social Engineerin
-g is very powerful (as you will see very soon in one of the FREE Ebooks you will receive). Yes, it
is. But in my opinion no amount of social engineering can bring victims to the same network as th
-at of the hackers. In fact, hacking in real world is something like this.

Before I explain you how to hack in real world networks like these, there is another basic concept
you need to understand, FIREWALLS. A Firewall is a software or hardware application that bloc-
ks connections and there are two types of firewalls. They are,
1) Host-based Firewall
2) Network Firewall
According to CrowdStrike's global threat report 2023, Threat actors around the world
are increasingly using malware-free techniques to gain initial access.
 15

Host based Firewall is the one installed on a Host system. For example, Windows Firewall is
installed on Windows operating system.
Network Firewalls are hardware devices placed at the gateway of the networks. Examples of Har
-dware Firewalls are Bitdefender Box, Cisco ASA 5500-X, Sophos XG Firewall etc. Most organiza-
tions use a network Firewall. Their network is as shown below.

Why organization’s network? Even your home network might be the same. If my assumption is c
-orrect, you are connected to the internet though a wireless or wired router. Note that the Router a
-lso acts as a default Firewall.
When you are connected like this, you will have two types of IP addresses. The External and Int
-ernal IP address. To view the internal IP of your Windows OS, open cmd window (Terminal for
Linux) and type command ipconfig (ip a for Linux systems). This will reveal your internal IP addr
-ess. To view your external IP address, go to website whatismyip.com and check it. These two will
be different.
 16
The external IP address will be assigned to your router (Firewall in organization and the router/
firewall assigns the internal IP addresses to systems. That was a nice baby networking course. But
how do you exploit a vulnerability when the target system is behind a Network Firewall.
To simulate this scenario, I installed a PFsense in VMware and placed the target system behind t
-his Firewall. PFsense is a software Firewall called the most popular open source Firewall. Now, th-
e target system’s IP address changes as shown below.

The target IP is 192.168.223.6, The External IP of the Firewall is 192.168.249.159.

When a vulnerability is revealed or disclosed, the first thing hackers do is to scan for devices on
the internet with ports belonging to the vulnerable service. In our example, it is port 445. Here, I
am scanning 50 systems from IP address 192.168.249.150 to 192.168.249.200 with open port 445.
Why do you think companies ask you to patch the vulnerability as soon as possible?

Malware free attacks by threat actors have risen to 71 % of all the attacks in year 2022
compatred to 62% in year 2021 . This can be attributed to disocvery of various zero-
day vulnerabilities and making them operational by Threat Actors.
 17

Out of 50 systems I scanned, there is one target (192.168.249.159) with 445 open.
Next, they further probe this system to gather more information about it. Like a good verbose sc-
an of Nmap.

This system fits the bill to be vulnerable to ms08_067. Next, the exploit is loaded and checked fo
-r its vulnerability. It’s confirmed. If its vulnerable, the exploit is executed.
 18

Once again, the exploit triggered the vulnerability but failed to create a session. Note that this is
a reverse payload so the connection is bound to come from the target system. What happened no-
w?
Many organizations apart from blocking all incoming connections also block unusual
outgoing connections from their network. That may be the case here. By default, Metasploit uses
port 4444 for its handler. Go to Google and search “port 4444 default service” and you will know
that this now is popular. This is by itself suspicious. Actually, it’s screaming SUSPICIOUS.
No wonder Firewall blocks this connection. Have we hit another wall here. No. Did you notice
that I just said firewalls block unusual connections. That actually means they allow USUAL conne-
ctions. So we just have to make the connection look usual and we are good to go. What’s more us
-ual than the HTTP port 80. This one port that is usually always kept open.
Why? Port 80 belongs to Hyper Text Transfer Protocol (HTTP). Yah. You got it. You use it to
view all the websites on your favorite browser. This port is usually kept open otherwise users of
this network can’t view websites. By default, lport of metasploit listener is 4444. Let’s change it to
80 and try again.

CheckPoint Research reported attempts by Russian cybercriminals to bypass OpenAI's

restrictions, to use ChatGPT for malicious purposes. In underground hacking forums,
hackers are discussing how to circumvent IP addresses, payment cards and phone
number controls, all of which are needed to gain access to ChatGPT from Russia.
 19

There you go, Black Hat Hacker. You have bypassed both Host Firewall and Network Firewall a
-nd gained access to a target system. What more do you want? Did I forget something? Or do
you feel I forgot something that’s present in Real World and am not showing here?

While successfully bypassing Firewalls, we missed one factor which plays an important role in R-
eal world hacking.
Just like we can’t find systems with firewalls turned OFF, you will rarely find systems with no
Anti-virus nowadays. Even ignorant users nowadays use at least the Basic form of an Antivirus.
AV Evasion or Bypassing Antivirus needs a deeper explanation and we will definitely deal with it
in the series of FREE Ebooks you will receive from me. For starters, let me give you a touch and g
-o introduction in this Ebook.
I always tell my readers of my magazine that popularity has a cost in the field of cybersecurity. T
-he more popular anything is, the more scrutiny it receives. Look at meterpreter payload. Metaspl-
oit is almost the topmost pen testing tool used by penetrati- on testers around the world. Although
 20
there are always some techniques that can be used to make meterpreter fully undetectable (FUD),
my bet is that out of 100, 99 times it will be easily detected by Anti-Virus.
For that reason, Black Hat Hackers rarely use meterpreter payloads in Real world Attacks.
Note that Metasploit is mostly used for pen testing. Then, what do Black Hat Hackers do to bypas
-s Ant- ivirus. 100 out of 100 times they will use a custom payload, a payload they themselves
generate to bypass AV’s and to decrease detection rate.
You may get a question now. Is Metasploit waste them? No not entirely. There are cases where
Metasploit was used by Black Hat Hacker groups. As I already told you in the beginning, the mo-
dule exploits the vulnerability, the payload decides what we do after exploitation. So, most hacker
groups can still use Metasploit But, with a custom payload. Is it possible? Let’s see.
Let’s generate a custom payload first. Although tools used by Black Hat hackers to generate a pa
-yload are completely different, let’s use msfvenom to generate a custom payload for this tutorial.
Just imagine that this payload is FUD (Fully undetectable) by AV’s. So, I name this payload
“assumed_FUD_payload”. That’s appropriate, right.

For the same ms08_067 exploit this time. I set a different payload named “generic/custom”.

"I was hooked in before hacking was even illegal. "

-Kevin Mitnick
 21

You can set the payload as a file on string. Since I already have a payload, I set it as “payload file”
option.

I start a netcat listener on port 80 (The port should be same as you set it while creating the payloa-
d).

Then all we have to do is execute the module.

 22
Nothing happened here. But on my netcat listener I have a shell.

This is a real voila, voila. Eureka, Eureka etc. don’t you agree?
That’s all in Black Hat Hacking Part 1. In this FREE Ebook, you learnt how to bypass different
types of Firewalls and still exploit a vulnerability and gain access. Until I send you the next FREE
Ebook, I have an advice for you. Just don’t be in a hurry and try to grasp the concepts of these
Ebook skowly but perfectly. I insist you try the concepts of this book practically too. when you are
done, hang on for Part 2 of this Ebook.

USEFUL RESOURCES
https://haveibeenpwned.com
Follow Hackercool Magazine For Latest Updates