Thursday, April 27, 2017

Hacking with Evilgrade

What is Evilgrade?

Evilgrade is a framework written in Perl that lets an attacker take advantage of insecure update mechanisms by injecting fake updates, tricking the victim into downloading a malicious payload. To get into the update path it is combined with another attack such as Man-in-the-Middle (MITM) or DNS spoofing (other attacks are possible as well).

In this tutorial I will build the backdoor separately using msfvenom. (You can also have Evilgrade create the Metasploit backdoor itself.) Next I will launch Evilgrade, which is located at

/pentest/exploits/isr-evilgrade

As you will see, Evilgrade has several modules such as winzip, orbit, ccleaner, sunjava, etc. For this demonstration I will use notepadplus. To load the module, type 'configure notepadplus'. Next we have to set the agent like this.

set agent '["<%OUT%>/root/backdoor.exe<%OUT%>"]'

Here the <%OUT%> tag marks the location of the output file, and our dynamically generated fake update binary is placed between the square brackets '[]'. Verify that you entered it correctly by typing show options. Among this module's options you will see the URL from which the software retrieves its update. Copy it, because we are going to spoof it and perform a MITM attack: add that URL to /usr/local/share/ettercap/etter.dns as an A record. I won't explain DNS spoofing in depth here; in short, I will use ettercap for it.

ettercap -T -Q -M arp -P dns_spoof /gatewayip/ /victimip/

-T for text mode, -Q for super quiet mode, -P to load a plugin (here dns_spoof), -M arp to perform an ARP-poisoning MITM attack.

After ettercap is running, use the multi/handler exploit, which handles exploits launched outside the framework, and start listening for the chosen payload with the local host and port set. Make sure you enter 'start' in Evilgrade. Once the user opens Notepad++ and checks for updates, he should receive our malicious payload and a Meterpreter session should be created.

-Un0wn_X
