Pivoting with Evilgrade


Even five years Evilgrade was first released some vendors haven't fixed their products yet. I don't know why.

One of the early development decisions (besides it's modular design) was to
write Evilgrade in Perl, so it should be easy to port it to other platforms.

Finally, after some effort evilgrade is now available for Windows. Now it's
possible to start an attack from a Windows host.

Have you heard about pivoting attacks ? Well, I have recorded a screencast that
demonstrates how you can pivot with evilgrade in order to attack our desired
target.

The scenario is a LAN with 3 hosts running on virtual machines using bridged
interfaces.
  • Attacker (10.0.1.109)
  • Pivot (10.0.1.120)
  • Victim (10.0.1.121)
In the demo the attacker is running Backtrack Linux. The Pivot and the Victim  hosts are running Windows 7 x64 (guess who has the lovely koala in the background).


Tools of the trade:
  • Metasploit (msfpayload, meterpreter, etc) - http://www.metasploit.com/
  • TarTool - https://tartool.codeplex.com/
  • Strawberry Perl (portable zip version) - http://strawberryperl.com/
  • Evilgrade (of course)
Some notes:
  • I have skipped the DNS/ARP spoofing attack to each host to make the screencast shorter. So the DNS addresses are fixed to the needed IP numbers.
  • When running Evilgrade from a meterpreter shell, Evilgrade won't be interactive, that's why you have to modify Evilgrade's code to hardcode the 'start' command instead of waiting for user input.
  • Moving symbolic links from Linux to Windows using tar archives doesn't work, I had to remove the symbolic link 'javaws.exe' and copy the linked file in its place. Evilgrade won't be able to start the webserver otherwise.
  • The evilgrade console is executed from a meterpreter shell, that means the attack is a squared pivot :P
Download the last version of evilgrade from:
https://github.com/infobyte/evilgrade

Post a Comment
Thanks for your comment