TSC Summit #4 - Howto get browser persitence and remote execution (JS)
- 1. Howto get browser persistence and remote execution
- 2. Goals: ● Infect web browsers ● Be able to execute javascript in victim(s) browser ● Intercept user traffic (“keylogger”) ● Create a botnet ● Don’t fuck up for anyone (at least good people) Security Challenge: First off, how to get access?
- 3. Option #1: Physical access ● Hassle to spread ● Expensive with many USBs ● Risky ● Requires a lot of traveling ● Or social engineering How to infect, and run javascript?
- 4. Option #2: Hack a server ● Everyone is doing it ● You have to work with PHP ● Looking for exploits and weakspots in PHP software is lame ● Web sites with great visitor numbers are more secured How to infect, and run javascript?
- 5. Option #3: Pishing ● It just sounds lame ● Trick stupid people isn’t funny ● Lot of heat for little gain ● The need of fake websites ● The need to distribute a shitload of spam How to infect, and run javascript?
- 6. Option #3.1: Man in the middle attacks: Local LAN ● Works great when you’re on the <LAN> ● Hassle to get into private LAN’s ● You need access to a lot of LAN’s ● Can’t start with fake certificates, too risky ● Don’t scale How to infect, and run javascript?
- 7. Option #3.2: Man in the middle attacks: Tor exit node ● Again,everyone does it.. ● Short lived fun, automatic scans of modified content ● You need to switch IP quite often to avoid ban ● Tor Browsers have NoScript on per default ● Don’t give Tor a worse name than it got, it’s our last hope :) How to infect, and run javascript?
- 8. Option #3.3: Man in the middle attacks: Ads ● Visiting ads company sites is fun for your javascript engine ● Less options on most sites (bbcodes and “IDEs”) ● Pay for browser minutes is actually an industry ● Lame to pay for servers, and ads How to infect, and run javascript?
- 9. Option #3.4: Man in the middle attacks: Http proxy ● It’s built upon MITM architecture ● It’s a lot of proxy lists out there, which copies each others ● Less to hassle with, perfect when lazy ● Apparently still quite popular ● Often chained, so the user can feel “safe” ● At least 80% of all users are bad people How to infect, and run javascript?
- 10. Interesting facts about http proxies ● Access to edit or remove the following security headers • Cross-Origin Resource Sharing (CORS) • Same-Origin Policy • X-Frame-Options ● TLS/SSL traffic often leak info at the start of connection • URL • POST body How to infect, and run javascript?
- 11. So how do we do it then, where to start? ● Write a TOS/Privacy policy warn good people ● The TOS is quite similar to US gov’s TOS, should be legal ● Then, find countries with no deal with Norway/EU ● Preferably a countries without internet laws at all (to be safe) ● Use Tor for registration with a fake name and for ssh How to infect, and run javascript?
- 12. So how do we do it then, technical speaking? ● Setup a proxy chain where all non TLS/SSL traffic is checked ● Inject minimal javascript code (2-3lines) into all .js fetched ● Fallback on html inject if no .js fetched ● Pass through all other traffic as normal How to infect, and run javascript?
- 13. So, what about this javascript code? ● Don’t use Beef (The Browser Exploitation Framework) loaders ● Or any other well known loader for that matter ● Pain, but just ECMA 5 written without any babel/webpack ● Build your own “webpack” if needed ● Use workers if available How to infect, and run javascript?
- 14. Why strict javascript rules? ● Beef and common loaders get picked up by AV and similar ● It need to load and run fast, undetected ● Support old browsers without big third party libraries ● Being detected often tend to make the proxy marked bad ● The script needs to adjust to all kinds of environments How to infect, and run javascript?
- 15. So, how about the persistence part? ● This is the tricky and fun part, it’s no good way ● However, you can make your code load quite often • Specially target small CDN’s delivering jquery or whatever • Set cache time to 2070 on CDN’s javascript file or something • Runs on each website that uses the lib and the CDN • Bonus: no evidence on victim computer if wished (Drop cache) How to infect, and run javascript?
- 16. Did it work? ● Too good ● A botnet is archived ● No legitimate traffic found (out of ~1Tb of traffic) ● Nothing done to victim computers, content & bots removed ● Data deleted ● No, Knowit didn’t have anything at all to do with this test How to infect, and run javascript?
- 17. What did we learn? ● Again, Knowit didn’t have anything at all to do with this test ● You can archive a botnet quite easy ● Could perform quite massive DDoS attacks (lame) ● Could control victim’s browser “tab” after proxy usage ● Can be updated over internet, “unlimited possibilities” How to infect, and run javascript?
- 18. Mikal Villa [email protected], @mikalv 2017-08-21 TSC Summit #4 Thanks