Malicious Update
Last updated
Last updated
Evilgrade is a modular framework that allows the user to take advantage of poor upgrade implementations by injecting fake updates. It comes with pre-made binaries (agents), a working default configuration for fast pentests, and has it's own WebServer and DNSServer modules. Easy to set up new settings, and has an autoconfiguration when new binary agents are set.
Internal scenery:
Internal DNS access
ARP spoofing
DNS Cache Poisoning
DHCP spoofing
TCP hijacking
Wi-Fi Access Point impersonation
External scenery:
Internal DNS access
DNS Cache Poisoning
VirtualHost field contains the domains that our webserver is going to emulate for us.
agent: This is our fake update binary, we have to set the path to where it's located or implement a dynamic fake update binary generation (see ADVANCED).
we'll look at manipulating the update process of the popular text editor Notepad++. First, we'll use Ettercap to create a MitM attack position and impersonate the notepad-plus.sourceforge.net server used to check for update availability and to deliver the updated software.
Ettercap includes support for manipulating DNS responses, spoofing the DNS response for any hostname you specify in the etter.dns file. On the top of this slide we append to the etter.dns file an A record for "notepad- plus.sourceforge.net," pointing to the attacker at 10.10.10.10
Next we invoke Ettercap using ARP spoofing to create a MitM attack using the arguments we examined earlier. After Ettercap starts, press "p" to list the available plugins (the list shown on this slide has been trimmed for space). To load the dns_spoof plugin, which will leverage the etter.dns file to obtain the list of hosts to impersonate, enter the plugin name "dns_spoof" and press Enter.
Evilgrade delivers malicious code with local web server
The LHOST argument used by the attacker can be set to a specific IP address to launch the listener on a specific interface, or it can be set to 0.0.0.0 to listen and accept connections on all interfaces. In this example, we take advantage of the msfconsole "-x" argument, which allows us to specify all the arguments on the command line, separated by semicolons. Be sure to include quotes around these arguments, as shown in the example on this page, to prevent the shell from interpreting the semicolons as additional shell commands.
we invoke the "evilgrade" executable to invoke the handler for the Notepad++ software update process. At the "evilgrade>" prompt, enter "conf notepadplus" to invoke the Notepad++ handler. For any Evilgrade module, running "show options" will display configuration information and options that can be manipulated using the "set" command, such as the filename to an alternative executable to deliver to the attacker. Finally, launch the module by issuing the "start" command, which will invoke the Evilgrade web server.
Evilgrade will log to standard output the status of client requests for updates, as shown on this slide. The first log entry indicates that the Notepad++ client requested the getDownLoadUrl.php page, which checks for an available update. The second entry indicates the client's request for the executable file to download and install, followed by the delivery of the agent/agent.exe file to the victim.
Xerosploit is a penetration testing toolkit whose goal is to perform man in the middle attacks for testing purposes. It brings various modules that allow to realise efficient attacks, and also allows to carry out denial of service attacks and port scanning.
Port scanning
Network mapping
Dos attack
Html code injection
Javascript code injection
Download intercaption and replacement
Sniffing
Dns spoofing
Background audio reproduction
Images replacement
Drifnet
Webpage defacement and more ...
