May 23, 2010

Hacking Software Updates with EvilGrade

Evilgrade is a modular framework that allows us to take advantage of poor update implementations by injecting fake updates. It works with modules; each module implements the structure needed to emulate a fake update for a specific application or system. Evilgrade needs to manipulate the victim's DNS traffic and uses one of DNS cache poisoning, ARP spoofing, DHCP spoofing or access to the internal DNS to accomplish this. Once EvilGrade has inserted itself as the man-in-the-middle, it intercepts automatic update requests for the software it supports and injects a malicious payload as the "update". This payload can be configured to be whichever binary the attacker wants. Once the victim downloads this malicious "update" and runs it, the attacker has full control of the victim's system. The weakness being exploited is an updater that trusts name resolution and an unauthenticated download, with no signature check on what it fetches.
Currently, EvilGrade supports the interception of the following update mechanisms:

- Java plugin
- OpenOffice
- iTunes
- Linkedin Toolbar
- DAP [Download Accelerator]
- notepad++
- speedbit

We covered EvilGrade a while back. In this video, g0tmi1k demos EvilGrade against Notepad++. The underlying attack uses an ARP man-in-the-middle and DNS poisoning to redirect the application's update check to the attacker's server, which serves a Metasploit payload in place of the real update. Once the "update" is executed, a reverse shell gives full access to the victim's computer.
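To make the failure concrete, here is an added example (not code from EvilGrade, g0tmi1k or the page) that simulates the flow above: a resolver the attacker can poison, an update host answered by the attacker, and two updaters fetching from it. The naive one runs whatever comes back; the hardened one verifies a signed manifest, binds the payload to the manifest by hash, and refuses downgrades, so neither a fake update nor a replay of an old signed build gets through. Host names and IPs are placeholders, and HMAC-SHA256 stands in for the asymmetric signature a real updater would verify with a pinned vendor public key.

```python
import hashlib
import hmac
import json

# Everything here is constructed for the example: documentation-range IPs and
# a hypothetical update host, not real infrastructure.
UPDATE_HOST = "update.vendor.test"
VENDOR_IP = "203.0.113.10"
ATTACKER_IP = "198.51.100.66"
INSTALLED_VERSION = (5, 7)

# Stand-in for the vendor's private signing key. A real updater verifies an
# asymmetric signature (e.g. Ed25519) against a public key pinned in the
# client; HMAC is used only so the example runs on the standard library.
VENDOR_SIGNING_KEY = b"vendor-private-signing-key"


def sign_manifest(manifest: dict) -> str:
    """Sign the canonical JSON form of the manifest (version + payload hash)."""
    canonical = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(VENDOR_SIGNING_KEY, canonical, hashlib.sha256).hexdigest()


def make_release(version, payload: bytes) -> dict:
    manifest = {"version": list(version), "sha256": hashlib.sha256(payload).hexdigest()}
    return {"manifest": manifest, "sig": sign_manifest(manifest), "payload": payload}


GENUINE = make_release((5, 8), b"MZ...npp-5.8-installer")
OLD_SIGNED = make_release((5, 6), b"MZ...npp-5.6-installer")   # real release, but old
EVIL_PAYLOAD = b"MZ...reverse_tcp"
EVIL = {  # the attacker can forge the manifest but cannot produce a valid signature
    "manifest": {"version": [5, 9], "sha256": hashlib.sha256(EVIL_PAYLOAD).hexdigest()},
    "sig": "0000",
    "payload": EVIL_PAYLOAD,
}


class Network:
    """Resolver plus HTTP fetch. poison() models the ARP/DNS spoofing step."""

    def __init__(self):
        self.dns = {UPDATE_HOST: VENDOR_IP}
        self.servers = {VENDOR_IP: GENUINE, ATTACKER_IP: EVIL}

    def poison(self, host: str, ip: str) -> None:
        self.dns[host] = ip

    def http_get(self, host: str) -> dict:
        return self.servers[self.dns[host]]


def naive_update(net: Network) -> bytes:
    """Vulnerable updater: whatever the resolved host returns gets 'executed'."""
    return net.http_get(UPDATE_HOST)["payload"]


def verified_update(net: Network, installed=INSTALLED_VERSION) -> bytes:
    """Hardened updater: signed manifest, hash-bound payload, no downgrades."""
    r = net.http_get(UPDATE_HOST)
    manifest, sig, payload = r["manifest"], r["sig"], r["payload"]
    if not hmac.compare_digest(sign_manifest(manifest), sig):
        raise ValueError("manifest signature invalid")
    if tuple(manifest["version"]) <= installed:
        raise ValueError("refusing downgrade/replay to %s" % manifest["version"])
    if hashlib.sha256(payload).hexdigest() != manifest["sha256"]:
        raise ValueError("payload hash does not match signed manifest")
    return payload


def outcome(updater, net: Network) -> str:
    try:
        return "ran " + updater(net).decode()
    except ValueError as e:
        return "rejected: " + str(e)


def run_scenarios() -> dict:
    """Returns (naive, verified) outcomes for clean, fake-update and replay cases."""
    results = {}
    net = Network()
    results["clean"] = (outcome(naive_update, net), outcome(verified_update, net))
    net.poison(UPDATE_HOST, ATTACKER_IP)       # attacker now answers for the update host
    results["fake_update"] = (outcome(naive_update, net), outcome(verified_update, net))
    net.servers[ATTACKER_IP] = OLD_SIGNED      # attacker replays a genuine, older build
    results["replay"] = (outcome(naive_update, net), outcome(verified_update, net))
    return results


if __name__ == "__main__":
    for name, (naive, verified) in run_scenarios().items():
        print("%-12s naive: %-30s verified: %s" % (name, naive, verified))
```

The replay case is the one people forget: a signature check alone still lets an attacker on the path serve an old, genuinely signed build with a known hole, which is why the version lives inside the signed manifest and the client refuses anything at or below what it already runs.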

# ITS™
# 2009 - 2010

Twitter based Botnet Command and Control

In this video from Symantec, we look at a demo of the Trojan.Twebot trojan. As the name suggests, the builder is closely linked to Twitter: it uses a Twitter account to issue command-and-control instructions to the trojans it creates. When building Trojan.Twebot, the user supplies a public Twitter account for the trojan to follow. Because Trojan.Twebot does not obfuscate the commands it posts to Twitter, it will not be difficult for Twitter security staff to find and close accounts abusing the service in this way.


Null Session Hacking on Windows

Practical Exploitation - Null Session Enum from .

A NULL session is an unauthenticated connection to a Windows machine, typically to the IPC$ share. Gaining NULL session access is one of the most common first steps for enumerating information about a host. From a NULL session an attacker can call APIs and use remote procedure calls to enumerate information: these techniques can, and will, provide details of users, groups, shares, services and the password policy. NULL session access can also be used as a stepping stone to privilege escalation and denial-of-service attacks.
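From the defender's side, the same activity is visible in the Security log: a NULL session shows up as a network logon (4624, logon type 3) for ANONYMOUS LOGON (SID S-1-5-7), usually followed by access to IPC$ (5140). The following is an added example, not from the video or the page, that runs that correlation over a handful of constructed events written in a flattened key=value form; the field names are the real 4624/5140 fields, but the records themselves are made up for the demo.

```python
import re
from collections import Counter

# Constructed sample events (not real logs). Field names follow the Windows
# Security log schema for 4624 (logon) and 5140 (network share access).
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=3 TargetUserName=ANONYMOUS LOGON TargetUserSid=S-1-5-7 "
    "IpAddress=10.0.0.25 AuthenticationPackageName=NTLM",
    "EventID=4624 LogonType=3 TargetUserName=jsmith TargetUserSid=S-1-5-21-1000-2000-3000-1105 "
    "IpAddress=10.0.0.31 AuthenticationPackageName=Kerberos",
    "EventID=5140 SubjectUserName=ANONYMOUS LOGON SubjectUserSid=S-1-5-7 "
    "ShareName=\\\\*\\IPC$ IpAddress=10.0.0.25",
    "EventID=4624 LogonType=3 TargetUserName=ANONYMOUS LOGON TargetUserSid=S-1-5-7 "
    "IpAddress=10.0.0.25 AuthenticationPackageName=NTLM",
    "EventID=4624 LogonType=3 TargetUserName=ANONYMOUS LOGON TargetUserSid=S-1-5-7 "
    "IpAddress=10.0.0.25 AuthenticationPackageName=NTLM",
    "EventID=4624 LogonType=3 TargetUserName=ANONYMOUS LOGON TargetUserSid=S-1-5-7 "
    "IpAddress=10.0.0.40 AuthenticationPackageName=NTLM",
    "EventID=5140 SubjectUserName=jsmith SubjectUserSid=S-1-5-21-1000-2000-3000-1105 "
    "ShareName=\\\\*\\IPC$ IpAddress=10.0.0.31",
]

ANONYMOUS_SID = "S-1-5-7"   # well-known SID for ANONYMOUS LOGON

# key=value pairs whose values may contain spaces ("ANONYMOUS LOGON");
# a value ends where the next "key=" begins or the line ends.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> dict:
    return dict(FIELD_RE.findall(line))


def find_null_sessions(lines) -> list:
    """Group anonymous network logons by source IP and correlate with IPC$ access.

    An anonymous 4624 on its own is low severity (some legitimate traffic
    produces them); anonymous logon plus anonymous IPC$ access from the
    same source is the NULL session enumeration pattern.
    """
    logons = Counter()
    ipc_sources = set()
    for line in lines:
        ev = parse_event(line)
        if (ev.get("EventID") == "4624" and ev.get("LogonType") == "3"
                and ev.get("TargetUserSid") == ANONYMOUS_SID):
            logons[ev.get("IpAddress", "-")] += 1
        elif (ev.get("EventID") == "5140" and ev.get("SubjectUserSid") == ANONYMOUS_SID
                and ev.get("ShareName", "").endswith("IPC$")):
            ipc_sources.add(ev.get("IpAddress", "-"))
    findings = []
    for ip, count in sorted(logons.items()):
        ipc = ip in ipc_sources
        findings.append({
            "ip": ip,
            "anonymous_logons": count,
            "ipc_share": ipc,
            "severity": "high" if ipc else "low",
        })
    return findings


if __name__ == "__main__":
    for f in find_null_sessions(SAMPLE_EVENTS):
        print(f)
```

5140 only appears if the "Audit File Share" subcategory is enabled, so turn that on before relying on the IPC$ correlation. On the hardening side the relevant switches are the RestrictAnonymous, RestrictAnonymousSAM and EveryoneIncludesAnonymous values under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, which control how much an unauthenticated session is allowed to enumerate.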


Root Shell via Metasploit and MySQL Client on Metasploitable

In this video, redmeat_uk demonstrates how to obtain a root shell on Metasploitable, a VMware image of deliberately vulnerable applications and services. The example uses Metasploit auxiliary modules together with the MySQL client.
