Thursday, April 24, 2014

Do you really trust that update process?

Hijacking updates with ISR–Evilgrade

Hijacking, the update process of many apps, including WindowsUpdate can be a lot eaiser than you may think, once you are able to get between the communication path.

There are currently a few ways this can be done. However, for this lab, ISR-Evilgrade with ettercap, msfpayload, msfcli and dnsspoof will be used to conduct person-in-the-middle attack. I’m sure this can be achieved with fewer of these tools. However, remember the purpose of this blog is “Learning By Practicing”. As a result, these other tools are included to understand their operation and how they may be used together.

As taken from the site “Evilgrade is a modular framework that allows the user to take advantage of poor upgrade implementations by injecting fake updates.”

Throughout this entire process, all traffic seen will be captured and an analysis will be done on this attack.

The victim (IP: – MAC: 08:00:27:AF:DA:7A) will be running Windows 2003 with NotePad++ v5.8.2. 
The gateway (IP: - MAC: 08:00:27:33:3B:10 )
The attacker (IP: - MAC: 08:00:27:14:56:63 )

Without further ado, let’s begin.
Setup the msfpayload

Setup the msfcli handler

Setup dnsspoof

Setup ettercap to spoof the ARP traffic between the gateway ( and the victim (

I think I may have missed something here as I should be able to use ettercap alone to spoof the DNS with the dns_spoof plugin. However, this is IT Security and if we can’t get one tool to work the way we would like, it is time to improvise. This is the reason for using both the dns_spoof plugin and the dnsspoof tool.

Let’s configure ISR Evilgrade to use the notepadplus module

Next, let’s install notepad++

Once notepad++ is installed and run it begins to look for updates. Once it finds available updates, it notifies us.

Once Yes is clicked on the above, you may get another notification to close notepad++. Click yes and close.

Once yes is clicked. We can now revisit the attacker’s machine to see what is going on.  

Let’s do that. As can be see below, evilgrade has successfully transferred the payload to client at

Let’s see what we get from msfcli.
A new session was opened. In addition, a hashdump and sysinfo was successfully done.

The moral of this post?
Most of us more than likely click “YES” or “Update” when we are prompted about updates being available. These can be for Java, Windows Update, Notepad++ or any other software, we do the lazy thing and just click. However, tools like ISR-evilgrade and others used above, gives us more reason to go directly to the vendor site and download these updates. While downloading these updates from the vendor site may be a good start, additional checks like verifying hashes, etc could reduce our exposure to malicious updates. If there is a MD5 and SHA1 or SHA256 hash available for the update, test all if possible. Tools such as md5sum or md5deep can be very helpful in these circumstances. A tool I also like to use on windows is the File Check Integrity Viewer from Microsoft (FCIV). Note, FCIV may not currently be available and thus, you can use built in tools such as Certutil or even Powershell's Get-FileHash.


No comments:

Post a Comment