JavaScript Pentest Powerhouse (WFP1)

From Embedded Lab Vienna for IoT & Security
Jump to navigation Jump to search

JavaScript Pentest Powerhouse

The source code for this project can be found on Gitlab!

Introduction

The goal of this project is to create an automated penetration testing platform capable of executing various attack methods, with a specific focus on man-in-the-middle attacks targeting the HTTP protocol. The main objective is to inject malicious JavaScript code into legitimate HTTP responses. Traditionally, performing such attacks has been a cumbersome process. However, our software streamlines these tasks by automating them, requiring users to input critical environmental variables (stored in a .env file).

To achieve this, we have developed a Python-based framework that utilizes additional libraries such as nmap and scapy. Notably, scapy plays an essential role in crafting customized packets to optimize the effectiveness of the attacks. Our project places a strong emphasis on performance and user convenience, relieving users from labor-intensive tasks by seamlessly handling complex aspects. We intend to continue working on this project beyond the current semester.

Specifically, the attack is designed to function in the following manner: - Establish MITM via ARP spoofing or rogue DHCP server - Intercept HTTP responses meant for legitimate clients and forward them to the proxy server using mitmproxy. The response can be modified by inserting (malicious) JavaScript into the HTTP head, causing the target browser to execute our chosen JavaScript - Alternatively, you can load the Beef framework (https://beefproject.com/) to take control of target browsers.

illustration image
illustration image

Dependencies/libraries used by Powerhouse:

  • python-dotenv -> for loading the .env variables
  • netifaces -> for enumerating network interfaces
  • netaddr -> network address manipulation library
  • python-nmap -> network scanning, host detection and monitoring
  • scapy -> packet crafting
  • dhcpkit -> dhcp
  • mitmproxy -> intercepts HTTP responses and modifies them according to user parameters
  • sslsplitter -> intercept HTTPS traffic
  • beef -> a framework that offers an intuitive web GUI, enabling users to trigger events on a target browser through the injection of a hook.js file.
  • pm2 -> a very useful process management tool within npm, we use it to start/stop processes


Setup guide (based on Kali Linux running on a Raspberry Pi)

  1. Install Kali Linux for Raspberry Pi.
  2. Run: sudo apt update
  3. Run: sudo apt upgrade (optional)
  4. Run: sudo apt install npm
  5. Run: npm install pm2 -g -> needs to be installed globally (-g)
  6. Run: sudo apt install mitmproxy (if not already pre-installed with Kali Linux)
  7. Run: sudo apt install beef-xss
  8. Run: sudo apt install sslsplit
  9. Run: cd
  10. Run: wget http://standards-oui.ieee.org/oui.txt (for DHCP leasing record)
  11. Run: sudo mv oui.txt /usr/local/etc (folder can only be modified with sudo rights / file has “644” rights)
  12. Switch to the “Code” directory
  13. Run: sudo apt install python3.11-venv (may not be necessary)
  14. Run: python -m venv venv
  15. Run: source venv/bin/activate
  16. Run: venv/bin/pip install -r requirements.txt
  17. To run the program: sudo venv/bin/python main.py
  18. Press Ctrl + C to exit the program
  19. Run: deactivate

The program assumes the username is “kali”. If your username is different, you might need to change that in the code. Refer to the error message logged to the console during the execution of the program!

Every system is different, therefore refer to any possible error messages/logging if something doesn’t work!

The .env file

Here is where things get interesting. In the .env file, you can change various settings related to the execution of the program.

General Settings:

  • METHOD: Here, you can specify which modules of the program shall be used.
    • Examples:
      • dhcp;webserver;proxy (use rogue DHCP server, web server to host all relevant files, (mitm)proxy to edit incoming HTTP responses)
      • arp;webserver;proxy (use ARP spoofing instead of rogue DHCP)
      • arp;webserver;beef (launch the BeEF framework -> this injects the hook.js needed to connect a target browser to the framework)
  • IGNORE_GATEWAY: When set to “YES”, the program will ignore the gateway (not spoof it).
  • IGNORE_IPS: In this variable, you can list any IPs you don’t want to spoof.
    • Example: IGNORE_IPS="192.168.1.1;192.168.1.2"
  • IFACE: In case you need to tell the program which specific network interface to use, you can specify it here. Under Kali Linux running on a Raspberry Pi, the default interface is eth0.
  • RESET_IPTABLES_RULES: Can be useful if any errors/problems arise regarding iptables.

METHOD options

  • arp: Causes the program to use ARP spoofing as the MITM method, ARP spoofing is the most reliable option - if that doesn't work, try DHCP spoofing
  • dhcp: Causes the program to launch a rogue DHCP server, giving clients IP addresses after exhausting the actual DHCP servers resources, this enables the MITM attack
  • webserver: Launch a webserver that is used to for example host the JS files we want to insert into HTTP responses
  • ssl: Launches an SSLSPLIT attack and also facilitates creating new certificates
  • proxy: This determines if mitmproxy is started (mitmproxy handles the injection of code into the HTTP responses)
  • beef: This launches the beef framework, which can be a helpful tool

Proxy Settings:

  • INJECT_FILE: Here you can choose which JavaScript code you want to insert into HTTP responses intercepted by the program. These JavaScript files can be found in WFP1/Code/res_changer_www. If you have any custom JavaScript you want to sneak into other hosts’ HTTP responses, feel free to add JavaScript files to this directory and reference them in this parameter of the .env file.

SSL Settings:

Here you can find some settings related to the SSL certificate creation process.

  • NEW_CERTIFICATE: if set to YES a new ssl certificate is created, used and stored in the certs folder. if set to NO a existing cert is read. Use the CERTIFICATE variable to define the certificate. Use latest or %Y_%m_%d__%H_%M_%S

Web Server Settings:

These parameters can be used in case you need to modify anything related to the webserver.

(In our Git repository, you can also find example .env files with some extra explanations.)

Contact

If you have any questions regarding this project, feel free to email us at: timothy.nicholson@stud.fh-campuswien.ac.at or valentin.kogard@stud.fh-campuswien.ac.at.

Retrieved from "https://wiki.elvis.science/index.php?title=JavaScript_Pentest_Powerhouse_(WFP1)&oldid=11729"