Understanding a DNS Spoofing Attack + Evilgrade

What does this type of attack consist of?

One of the most dangerous attacks that we can encounter is the self-downloading and execution of malicious software without user interaction. With an attack of these characteristics an intrusion can be made in any type of system, even if it is at its last version and completely patched, not presenting any type of vulnerability more than the one that represents in itself the ignorance of the own user.

Design of the attack and tools used

To demonstrate this attack we are going to use the “Evilgrade” framework. As a brief description of how it works, it is based on specific modules, and each of them has its own way of working to emulate fake updates of a specific application. After its configuration, it is necessary to manipulate the DNS traffic of the victim machine through a “DNS Spoofing” attack, so that it is redirected to the attacker’s server.

First, we will launch a MITM attack to intercept which software update websites the victim visits through the “remote_browser” plugin of “Ettercap”. With the information obtained, we will set up a targeted attack using “Evilgrade”, “Metasploit” and “Ettercap” as we will see below.

Information gathering and attack configuration

Obtaining information through Man In The Middle (MITM) attack

In order to set up a suitable attack scenario, we must first obtain the necessary information. In this case we are going to launch a Man In The Middle (MITM) attack through the use of “ettercap” (as we saw in our post “https://jaymonsecurity.es/conociendo-un-ataque-de-dns-spoofing-phishing”) and its plugin “remote_browser” as we see below, in order to capture data about the web services visited, either by the user himself or by background programs that automatically check for updates available on their official servers.

Capturing URLs visited by the victim machine.

As we can see, when capturing the packets of the victim’s connections, we can see that it has the “ccleaner” software installed, and when the program itself needs to be updated, it visits the addresses highlighted in red. With this information we can now move on to configuring the attack vector.

Creating our malware to obtain a reverse meterpreter shell

At this point we must create a malware that will return a “reverse meterpreter” type shell of the victim machine when executed by the “ccleaner” itself when it tries to acutalize itself. We will do this through the use of “msfvenom” as we can see below, and we will call it “update.exe”.

Creating “reverse meterpreter” binary for Windows.

Configuring Evilgrade

Once we have created our malware we can start “Evilgrade”, and configure the attack through the “ccleaner” module as follows:

Configuring Evilgrade.

Once we have configured all the variables of the “ccleaner” module, including the malware created (“update.exe”) to obtain the reverse meterpreter shell, we can launch it by means of the “start” command:

Launching the attack from Evilgrade.

As we can see, Evilgrade has set up a web server waiting for connections from “ccleaner”. When “ccleaner” tries to update, it will connect to our attacker server set up by Evilgrade, and download the fake update to install it. The moment it auto-runs the supposed “update”, we will get a “meterpreter shell” from the victim machine.

Configuring Metasploit

The next step is to start metasploit and listen to port 6000 to receive the reverse meterpreter shell from the victim machine, as we had specified in the msfvenom parameters for the creation of the “update.exe” malware.

Configuring the listener to receive the victim’s reverse meterpreter session.

At this point, we have the whole scenario ready to receive the meterpreter session from the victim machine. Finally we must launch the “DNS Spoofing” attack against our target.

Execution phase and intrusion into the victim machine

With the whole scenario prepared, the only thing left to do is to launch the “DNS Spoofing” attack against the machine we want to infect. We are going to do this by using “Ettercap”, after configuring it as we saw in the previous post of “Understanding a DNS Spoofing + Phishing Attack”.

Launch a “DNS Spoofing” attack.

Once the “DNS Spoofing” attack has been carried out, all that remains is to wait until the victim uses “ccleaner” and the software itself tries to update itself, or the victim wants to download an update from *.piriform.com, *.ccleaner.com or *.ccleanercloud.com, which are the three addresses we had to include in the “etter.dns” file, so that when they are visited they are redirected to the attacking server.

Updating “Ccleaner”.

Once the victim, or the software itself automatically, has tried to check for an update, it will be spoofed to our server that “Evilgrade” has created to simulate the correct “ccleaner” update, thus infecting the victim machine. Below we can see how the victim machine is redirected to the “Evilgrade” spoof server hosted on our attacking machine.

The victim is redirected to the attacking server.

Once the victim connects to the malicious server created by “Evilgrade”, the malicious “Update” of “ccleaner” is installed, and when it auto-runs, the new “ccleaner” opens as if the update had been successful. Our malware runs in the background, thus returning the “reverse shell meterpreter” of the victim machine.

Obtaining the meterpreter session from the victim machine.

Here we can already see how we have obtained a “meterpreter” session from the victim machine, and then basic information about it is displayed via the “sysinfo” command.

Obtaining information from the victim machine.


No puedes copiar el contenido