Echo Mirage: Walkthrough
In this article, we will learn about Echo Mirage, a freeware tool that hooks into an application’s process and enables us to monitor the network interactions being done. This process can be done with a running process, or it can run the application on the user’s behalf. This type of security testing falls under Thick Client Application Security Testing.
Thick Clients Applications can be further divided into two parts:
- Proxy-aware Thick Clients
- Proxy-Unaware Thick Clients
Proxy-aware thick clients
If a Thick Client can set up a proxy server, then it is known as a Proxy-aware Thick Client. Examples of Proxy-aware Thick Clients are Microsoft Outlook, Google Talk, Yahoo Messenger, etc. Such applications typically require the user to install them on their systems, thus making them run completely on the user’s system and utilizing the system’s resources and making them reliant on the security of the local system. Tools such as Burp Suite can be used to test such clients.
Proxy-unaware thick clients
If a Thick Client does not have the ability to set up a proxy server, then it is known as a Proxy-Unaware Thick Client. Such clients are therefore difficult to test because of the problems faced while setting up a proxy. This is where Echo Mirage comes into play.
Echo Mirage allows us to see and edit the data being exchanged be it encrypted or unencrypted session. In the event wherein a user’s system has been compromised by an exploit/payload, Echo Mirage can be used to hook into the compromised process, and the communication between the attacker’s machine and the victim’s machine can be intercepted. This can give insight to what kind of information the attacker is looking for on the victim’s machine.
Let’s take a closer look at how it works. Echo Mirage can be downloaded from the following link: https://sourceforge.net/projects/echomirage.oldbutgold.p/
Once downloaded, follow the step-by-step instructions shown on the screen to install and then run the software.
This is how the software looks when opened. At this point of time, it has no hook attached to any running process.
For us to hook it into an application, we are provided with two ways.
- Hook into an existing process/Inject (Ctrl + I): This option allows us to tap into an existing running process on the user. We can also use the Task Manager to find any malicious process that’s running on the system. Once we do that, the following window opens which allows us to choose the process we want to tap into.
- Execute/Launch an application (Ctrl + E): This option allows us to select an executable, .exe file, and tap into it. These options take two parameters:
- Executable: The .exe file is selected using the select option denoted by … on the right-hand side as a button.
- Parameters: Parameters are entered uniquely depending on the application you are dealing with. If you are not sure about it, it is best to leave it blank.
- Once the fields are filled, click on OK and you will be ready to intercept the data.
Once the application had been Executed/Injected, the following screen appears indicating that the application has started the exchange of the data. In this case, I have injected the victim’s machine with an exploit of my making.
As you can see, Echo Mirage shows us the end point from where the data is being exchanged and that it is intercepting the data while that takes place.
From my attacking machine, I would request some information from the victim’s machine, and Echo Mirage should show us what the requested information was.
As you can see that ipconfig, a command used to list all the available network adapters, was requested from the attacker’s machine and using Echo Mirage, we can intercept the communication. Though this tool does not allow us to prevent the attack, however, it does helps us to gain insight into the attacker’s motives. Such as, this command tells us that the attacker is trying to figure out whether the victim’s machine is connected to a network or not. To further analyze, by pressing Ok we can move forward and see what the attacker is doing next.
Few more features of Echo Mirage:
- Traffic Log: Traffic log, as the name suggests, keeps a detailed history of the entire communication that took place. We can, at any given point of time, go back to the logs and re-check any data that we might’ve missed.
- Rules: Echo Mirage has another feature called rules. This feature enables us to make custom rules that would intercept certain calls made by the application. Rules can be created to intercept only the inbound traffic or outbound traffic, or both made to a certain address on a particular port. Rules can also be made to define pre-defined actions and search for certain keywords based on muti-lined, case sensitivity, single-lined, extended or anchored. New rules can be made by clicking on the Green Plus Icon on the top. Echo Mirage also gives us the ability to export the user defined rules or import new rules.
In conclusion, Echo Mirage is an effective tool to test Proxy-Unware Thick Client Applications. Other tools such as Burp Suite can be configured to some extent to do the same job. However, they may not present the same results as Echo Mirage.