Spoofing ARP/DNS and injecting the payload
We're just about ready. Once we start Evilgrade, it will stand up a web server and wait for requests. That means we need the target to request the update from our Evilgrade server while thinking it's talking to one of the three domains we noted earlier. Simply put: we need to spoof DNS. We're also going to need to route local traffic through our interface, so let's use our trusty ARP poisoning attack for that purpose. So, we need to perform a targeted ARP and DNS attack against one host on the LAN and three specific domains on the internet – an ideal job for Ettercap while leveraging its DNS proxy module.
The DNS proxy module allows us to target domains by referencing its internal DNS mapping, found at /etc/ettercap/etter.dns. I fire up nano and configure the three domains I pulled out of the VirtualHosts entry in the Evilgrade mIRC configuration:
The format is simple: name, DNS record type, and the host the name will resolve to, separated by spaces. We don't need to get fancy with the record type – the simplest mapping of a name to an IP address is all we need, so we use the A record type. That's everything required here, so let's save this file and configure Ettercap to start the ARP attack.
Our Ettercap attack is made up of two parts: the ARP poisoning attack to redirect traffic to our interface, and the DNS response spoofing to associate specific name queries with our IP address. First, we kick off Ettercap with a quick and dirty ARP attack command:
# ettercap -T -q -M arp:remote /192.168.108.80// /192.168.108.1//
-M arp:remote here specifies the type of man-in-the-middle attack, as Ettercap is capable of several; when we define ARP, we also let Ettercap know that we're spoofing remote connections too. remote here refers to connections leaving our network. We put the IP address of the victim running mIRC and the gateway address as the ARP targets.
Now that Ettercap is running, let's hit the P key to pull up the Ettercap plugins menu. Type dns_spoof and hit Enter:
Now Ettercap is working on two tasks at once: our ARP attack continues, but now the DNS spoofer plugin is active, using the etter.dns file as a sort of remotely defined hosts file for the target. The network trap is now officially primed and ready, so switch back to the Terminal window where the Evilgrade mIRC module configuration prompt is waiting, and issue the start command.
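From the defender's side, both halves of this setup leave a visible footprint: the ARP poisoning makes the gateway IP appear behind a second MAC address, and the dns_spoof answers resolve public update domains to a LAN address. The following is an added example of detection logic for those two signs (not code from the book, Ettercap or Evilgrade); the ARP replies, DNS answers, host names and addresses are constructed placeholders.

```python
"""Flag ARP poisoning and DNS spoofing symptoms in captured LAN traffic.

Constructed sample data stands in for records a packet capture or
network monitor would produce; nothing here is a real capture.
"""
import ipaddress
from collections import defaultdict

# Constructed ARP replies: the gateway 192.168.108.1 first answers with its
# real MAC, then a second host claims the same IP (the poisoning symptom).
ARP_REPLIES = [
    {"ip": "192.168.108.1", "mac": "00:11:22:33:44:01"},
    {"ip": "192.168.108.80", "mac": "00:11:22:33:44:80"},
    {"ip": "192.168.108.1", "mac": "DE:AD:BE:EF:00:99"},
]

# Constructed DNS answers: a public-looking update domain (placeholder name)
# resolving to a LAN address is the dns_spoof symptom; the second is normal.
DNS_ANSWERS = [
    {"name": "update.example-vendor.test", "type": "A", "addr": "192.168.108.50"},
    {"name": "www.example.com", "type": "A", "addr": "93.184.216.34"},
]


def detect_arp_conflicts(replies):
    """Return (ip, [macs]) for every IP claimed by more than one MAC."""
    macs_by_ip = defaultdict(set)
    alerts = []
    for reply in replies:
        macs = macs_by_ip[reply["ip"]]
        macs.add(reply["mac"].lower())
        if len(macs) > 1 and reply["ip"] not in [a[0] for a in alerts]:
            alerts.append((reply["ip"], sorted(macs)))
    return alerts


def detect_private_answers(answers, internal_suffixes=(".local", ".lan")):
    """Return (name, addr) for A records that point a non-internal name
    at a private (RFC 1918 or similar) address, as a spoofed hosts-style
    mapping would."""
    alerts = []
    for ans in answers:
        if ans["type"] != "A" or ans["name"].endswith(internal_suffixes):
            continue
        if ipaddress.ip_address(ans["addr"]).is_private:
            alerts.append((ans["name"], ans["addr"]))
    return alerts


if __name__ == "__main__":
    print("ARP conflicts:", detect_arp_conflicts(ARP_REPLIES))
    print("Private DNS answers:", detect_private_answers(DNS_ANSWERS))
```

A genuine hosts-file or split-horizon entry for an internal name would also trip the second check, which is why the internal suffix allow-list is a parameter rather than hard-coded.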
Let's take a look at the victim PC as we open up mIRC and allow the software to check for updates:
Oh look, an update is available! This looks no different than a legitimate response, but let's look at the attacker's screen:
The request is received by Evilgrade, which automatically forges a reply containing our payload binary. What the user experiences is nothing different than normal – no warning messages, no suspicious filenames.
I'm assuming you didn't forget to set up your reverse connection handler in Metasploit! As soon as the victim executes this program, the meterpreter session is established and we can get to work.
I know what the hacker in you is thinking now: wouldn't the user find it odd that nothing popped up when running the updater? You're right, that would be weird. This is an example of how pen testing is often a very active process; we would want to immediately disable Ettercap and Evilgrade upon confirmation of a successful injection and meterpreter session. The user is likely to suppose some bug occurred and will simply try to update again. The second time around, there is no attack taking place and they will receive the legitimate installer. But let's be honest: this isn't good enough. When we take Metasploit and msfvenom to the next level later in the book, we'll work on injecting our payload into an existing, working program. The user sees normal behavior and we get our meterpreter session.